Problem with VPN. Router doesn't encrypt but does decrypt

pperez1900
Level 1

Hello, I have a problem in my IPSec tunnel. One of the routers (Cisco 861) doesn't encrypt the packets but does decrypt the incoming ones from the remote peer (RV042). In the access-list for the wan interface I deny the traffic between the subnets and in the vpn access-list I permit the traffic. Could anyone give me some help or advice? Thanks.

Accepted Solution

Hi,

The problem is with access-list 102. That is your NAT access list. You see that you are permitting 172.16.2.0 to any before you are denying, so all traffic is getting translated to your public IP address before attempting to go across the VPN. You will always want to DENY traffic before you do any permits in an access-list because they process from top to bottom on first match.

Try the following commands:

no ip nat inside source list 102 interface FastEthernet4 overload
no access-list 102
access-list 102 deny   ip 172.26.2.0 0.0.0.255 172.26.3.0 0.0.0.255
access-list 102 permit ip 172.26.2.0 0.0.0.255 any
ip nat inside source list 102 interface FastEthernet4 overload

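The accepted answer hinges on two things: an IOS access list is evaluated top to bottom on first match, and for an inside-to-outside packet "ip nat inside source" is applied before the crypto map on the egress interface, so the crypto ACL only ever sees the post-NAT source address. The following Python script is an added example, not code from the thread or from Cisco; it models that order of operations with the thread's own ACL lines and shows why the original ordering of access-list 102 leaves the 172.26.2.0/24 to 172.26.3.0/24 ping translated instead of encrypted. The WAN address 198.51.100.10 is a constructed placeholder for the 861's real public IP (shown as wan_ip in the posted config), and the first-match model ignores ports and sequence numbers.

```python
"""Added example (not from the thread): simulate the IOS order of operations
the accepted answer relies on, using the thread's own ACL lines.

Assumptions (not on the page): the constructed WAN address below stands in for
the 861's real public IP, and ACL evaluation is modelled as plain first-match.
"""
import ipaddress
from dataclasses import dataclass

WAN_IP = "198.51.100.10"  # constructed placeholder for FastEthernet4's public IP


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol; "icmp", "tcp", ... match only themselves
    src: str      # address part of the source spec
    src_wc: str   # Cisco wildcard mask: 1 bits are "don't care"
    dst: str
    dst_wc: str


def _parse_addr(tok):
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard'."""
    if tok[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]


def parse_ace(line):
    """Parse one numbered ('access-list 102 ...') or named ('permit ip ...') extended ACE."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]           # drop 'access-list <number>'
    action, proto, rest = tok[0], tok[1], tok[2:]
    src, rest = _parse_addr(rest)
    dst, _ = _parse_addr(rest)
    return Ace(action, proto, *src, *dst)


def _wildcard_match(addr, base, wildcard):
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & care == 0


def acl_lookup(acl, proto, src, dst):
    """First match, top to bottom; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if _wildcard_match(src, ace.src, ace.src_wc) and _wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def forward_outbound(nat_acl, crypto_acl, proto, src, dst):
    """Inside-to-outside on IOS: 'ip nat inside source' runs before the crypto map
    on the egress interface, so the crypto ACL sees the post-NAT source address."""
    translated = acl_lookup(nat_acl, proto, src, dst) == "permit"
    src_on_wire = WAN_IP if translated else src
    encrypted = acl_lookup(crypto_acl, proto, src_on_wire, dst) == "permit"
    return {"translated": translated, "src_on_wire": src_on_wire, "encrypted": encrypted}


# The thread's ACLs, copied as posted.
CRYPTO_ACL = [parse_ace(line) for line in (
    "permit ip 172.26.2.0 0.0.0.255 172.26.3.0 0.0.0.255",
    "permit icmp 172.26.2.0 0.0.0.255 172.26.3.0 0.0.0.255",
)]
NAT_ACL_BROKEN = [parse_ace(line) for line in (   # order as originally posted
    "access-list 102 permit ip 172.26.2.0 0.0.0.255 any",
    "access-list 102 deny   ip 172.26.2.0 0.0.0.255 172.26.3.0 0.0.0.255",
)]
NAT_ACL_FIXED = [parse_ace(line) for line in (    # order from the accepted answer
    "access-list 102 deny   ip 172.26.2.0 0.0.0.255 172.26.3.0 0.0.0.255",
    "access-list 102 permit ip 172.26.2.0 0.0.0.255 any",
)]

if __name__ == "__main__":
    # The ping from the original post: 172.26.2.x -> 172.26.3.1
    for name, nat in (("broken", NAT_ACL_BROKEN), ("fixed", NAT_ACL_FIXED)):
        print(name, forward_outbound(nat, CRYPTO_ACL, "icmp", "172.26.2.1", "172.26.3.1"))
    # Ordinary internet-bound traffic must still be translated after the fix
    print("internet", forward_outbound(NAT_ACL_FIXED, CRYPTO_ACL, "tcp", "172.26.2.50", "203.0.113.7"))
```

With the posted order the simulation reports the LAN-to-LAN packet as translated and not encrypted, which is exactly the symptom in the question (decrypts fine, never encrypts); with the deny placed first it is left untranslated and matches vpn2, while internet-bound traffic is still translated. On a real router the same two facts can be checked with `show ip nat translations` (no entries should appear for 172.26.3.0/24 destinations) and the encaps counters in `show crypto ipsec sa`.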


jj27
Spotlight

Can you post your configuration?

Here's my vpn configuration on the 861 side. I can't ping 172.26.3.1.

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key mykey address ip_remote
!
!
crypto ipsec transform-set cobts esp-3des esp-md5-hmac
!
crypto map CMAP1 1 ipsec-isakmp
 set peer ip_remote
 set security-association lifetime seconds 190
 set transform-set cobts
 match address vpn2
!
interface FastEthernet4
 description ***
 ip address wan_ip wan_mask
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CMAP1
!
interface Vlan1
 description ***
 ip address 172.26.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ip_gateway
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list 102 interface FastEthernet4 overload
!
ip access-list extended vpn2
 permit ip 172.26.2.0 0.0.0.255 172.26.3.0 0.0.0.255
 permit icmp 172.26.2.0 0.0.0.255 172.26.3.0 0.0.0.255
!
logging trap debugging
access-list 102 permit ip 172.26.2.0 0.0.0.255 any
access-list 102 deny   ip 172.26.2.0 0.0.0.255 172.26.3.0 0.0.0.255
no cdp run
!

Thanks for the help.


That was the problem. I didn't know the order matters. Thank you very much for your help.