cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1026
Views
0
Helpful
14
Replies

Site-to-Site using Crypto Map

Not applicable

           I have a hub router (R1) connected to two spoke router (R2 & R3) via two different physical interfaces, applying the attched configuration am able from R1 to ping int lo0 of R2 and R3, but encryption is not working when issue show cry isa sa (there is no QM IDLE) and issue sh cry ipsec sa (encrypt and decrept packets are 0). Please advice.......

R1 (HUB):

crypto isakmp policy 10

enc 3des

hash md5

authentication pre-share

gr 2

crypto isakmp key Key123@nEw address 10.2.222.5

!

crypto isakmp key Key123@nEw address 10.2.111.5

!

crypto ipsec transform-set tset esp-3des esp-md5-hmac

!

crypto map b1 1 ipsec-isakmp

set peer 10.2.222.5

set transform-set tset

match address 115

!

crypto map b2 1 ipsec-isakmp

set peer 10.2.111.5

set transform-set tset

match address 125

!

interface Loopback0

ip address 10.10.10.1 255.255.255.255

!

interface FastEthernet1/1

no shut

ip address 10.2.111.6 255.255.255.252

speed 100

duplex full

crypto map b2

!

interface FastEthernet1/0

no shut

ip address 10.2.222.6 255.255.255.252

speed 100

duplex full

crypto map b1

!

ip route 10.10.10.2 255.255.255.255 10.2.222.5

!

ip route 10.10.10.3 255.255.255.255 10.2.111.5

!

access-list 115 permit ip host 10.10.10.1 host 10.10.10.2 log

access-list 125 permit ip host 10.10.10.1 host 10.10.10.3 log

!

=========

R2 (SPOKE):

crypto isakmp policy 10

hash md5

authentication pre-share

crypto isakmp key Key123@nEw address 10.2.222.6

!

crypto ipsec transform-set tset esp-3des esp-md5-hmac

!

crypto map b1 1 ipsec-isakmp

set peer 10.2.222.6

set transform-set tset

match address 115

!

interface Loopback0

ip address 10.10.10.2 255.255.255.255

!

interface FastEthernet1/0

no shut

ip address 10.2.222.5 255.255.255.252

speed 100

duplex full

crypto map b1

!

ip route 10.10.10.1 255.255.255.255 10.2.222.6

!

access-list 115 permit ip host 10.10.10.2 host 10.10.10.1 log

===========

R3(SPOKE):

crypto isakmp policy 10

hash md5

authentication pre-share

!

crypto isakmp key Key123@nEw address 10.2.111.6

!

crypto ipsec transform-set tset esp-3des esp-md5-hmac

!

crypto map b2 1 ipsec-isakmp

set peer 10.2.111.6

set transform-set tset

match address 125

!

interface Loopback0

ip address 10.10.10.3 255.255.255.255

!

interface FastEthernet1/1

no shut

ip address 10.2.111.5 255.255.255.252

speed 100

duplex full

crypto map b2

!

ip route 10.10.10.1 255.255.255.255 10.2.111.6

!

access-list 125 permit ip host 10.10.10.3 host 10.10.10.1 log

14 Replies 14

Richard Burts
Hall of Fame
Hall of Fame

Have you sent traffic from 10.10.10.1 to 10.10.10.2 and to 10.10.10.3? These are the only addresses that are mentioned in your crypto ACL. So until there is traffic from 10.10.10.1 to the other 2 addresses the crypto negotiation will not take place and the count of encrypted and deencrypted will remain 0.

HTH

Rick

HTH

Rick

From R1: ping 10.10.10.2 source IP 10.10.10.1, isakmp is ok, but still there is an issue with ipsec.

.....
Success rate is 0 percent (0/5)
R1#
*Oct  2 09:27:37.067: %SEC-6-IPACCESSLOGDP: list 115 permitted icmp 10.10.10.1 -> 10.10.10.2 (8/0), 1 packet
R1#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.2.222.5      10.2.222.6      QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA

R1#sh cry ips sa

interface: FastEthernet1/0
    Crypto map tag: bsf1, local addr 10.2.222.6

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.2/255.255.255.255/0/0)
   current_peer 10.2.222.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 10.2.222.6, remote crypto endpt.: 10.2.222.5
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

     local crypto endpt.: 10.2.222.6, remote crypto endpt.: 10.2.222.5
     path mtu 1500, ip mtu 1500
     current outbound spi: 0xE8E3A985(3907234181)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x7A2081DB(2048950747)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: 5, sibling flags 80000040,  crypto map: bsf1
        sa timing: remaining key lifetime (k/sec): (4515149/3548)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0xF34E785B(4082006107)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 7, flow_id: 7, sibling flags 80000040,  crypto map: bsf1
        sa timing: remaining key lifetime (k/sec): (4465775/3578)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x814A7ED8(2169143000)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: 6, sibling flags 80000040,  crypto map: bsf1
        sa timing: remaining key lifetime (k/sec): (4515148/3548)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0xE8E3A985(3907234181)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 8, flow_id: 8, sibling flags 80000040,  crypto map: bsf1
        sa timing: remaining key lifetime (k/sec): (4465775/3578)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Not applicable

Enablng debug crypto ipsec

give me:

R1#ping
Protocol [ip]:
Target IP address: 10.10.10.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.10.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1

*Oct  2 10:56:19.635: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.2.222.6, remote= 10.2.222.5,
    local_proxy= 10.10.10.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.10.10.2/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Oct  2 10:56:19.995: IPSEC(validate_proposal_request): proposal part #1
*Oct  2 10:56:19.995: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 10.2.222.6, remote= 10.2.222.5,
    local_proxy= 10.10.10.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.10.10.2/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Oct  2 10:56:19.999: Crypto mapdb : proxy_match
        src addr     : 10.10.10.1
        dst addr     : 10.10.10.2
        protocol     : 0
        src port     : 0
        dst port     : 0
*Oct  2 10:56:20.011: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct  2 10:56:20.011: Crypto mapdb : proxy_match
        src addr     : 10.10.10.1
        dst addr     : 10.10.10.2
        protocol     : 0
        src port     : 0
        dst port     : 0
*Oct  2 10:56:20.015: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.2.222.5
*Oct  2 10:56:20.015: IPSEC(crypto_ipsec_sa_find_ident_head): added peer 10.2.222.5
*Oct  2 10:56:20.015: IPSEC(policy_db_add_ident): src 10.10.10.1, dest 10.10.10.2, dest_port 0

*Oct  2 10:56:20.019: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.2.222.6, sa_proto= 50,
    sa_spi= 0x86EC5BD6(2263636950),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 3
*Oct  2 10:56:20.019: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.2.222.5, sa_proto= 50,
    sa_spi= 0xF105D130(4043690288),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 4
*Oct  2 10:56:20.023: IPSEC(update_current_outbound_sa): updated. peer 10.2.222.5 current outbound sa to SPI F105D130....
Success rate is 0 percent (0/5)

Not applicable

Any Advice .........

Thanks for the additional information. I do not see anything in what you have posted that identifies what is the problem from the prospective of R1. Can you post the equivalent outputs from R2? Perhaps that will show us the issue.

HTH

Rick

HTH

Rick

Please find equivalent outputs from R2:

R2#
*Oct  2 15:53:40.687: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct  2 15:53:40.731: IPSEC(validate_proposal_request): proposal part #1
*Oct  2 15:53:40.735: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 10.2.222.5, remote= 10.2.222.6,
    local_proxy= 10.10.10.2/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.10.10.1/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Oct  2 15:53:40.743: Crypto mapdb : proxy_match
        src addr     : 10.10.10.2
        dst addr     : 10.10.10.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Oct  2 15:53:40.767: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct  2 15:53:40.771: Crypto mapdb : proxy_match
        src addr     : 10.10.10.2
        dst addr     : 10.10.10.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Oct  2 15:53:40.775: IPSEC
R2#(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.2.222.6
*Oct  2 15:53:40.779: IPSEC(crypto_ipsec_sa_find_ident_head): added peer 10.2.222.6
*Oct  2 15:53:40.779: IPSEC(policy_db_add_ident): src 10.10.10.2, dest 10.10.10.1, dest_port 0

*Oct  2 15:53:40.779: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.2.222.5, sa_proto= 50,
    sa_spi= 0x29BF1DD8(700390872),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 1
*Oct  2 15:53:40.779: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.2.222.6, sa_proto= 50,
    sa_spi= 0x8A2B4AEA(2318093034),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2
*Oct  2 15:53:40.815: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct  2 15:53:40.815: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Oct  2 15:53:40.819: IPSEC(key_engine_enable_outbound): enable SA with spi 2318093034/50
*Oct  2 15:53:40.823: IPSEC(update_current_outbound_sa): updated peer 10.2.222.6 current
R2# outbound sa to SPI 8A2B4AEA
R2#
R2#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.2.222.5      10.2.222.6      QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R2#
R2#sh cry ips
R2#sh cry ipsec sa

interface: FastEthernet1/0
    Crypto map tag: bsf1, local addr 10.2.222.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
   current_peer 10.2.222.6 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.2.222.5, remote crypto endpt.: 10.2.222.6
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

     local crypto endpt.: 10.2.222.5, remote crypto endpt.: 10.2.222.6
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x8A2B4AEA(2318093034)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x29BF1DD8(700390872)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: 1, sibling flags 80000040,  crypto map: bsf1
        sa timing: remaining key lifetime (k/sec): (4480847/3570)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8A2B4AEA(2318093034)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: 2, sibling flags 80000040,  crypto map: bsf1
        sa timing: remaining key lifetime (k/sec): (4480848/3569)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Thanks for the additional information. It is a bit puzzling. The negotiation seems to be successful on both routers with no errors that I see and IPSec SAs are established. But R2 reports decrypted but not encrypted traffic.

Can you post the output of show ip interface brief from R2 and perhaps the complete configuration of that router?

HTH

Rick

HTH

Rick

Please find R2 info:

R2#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/0        unassigned      YES NVRAM  administratively down down
FastEthernet1/0        10.2.222.5      YES NVRAM  up                    up
FastEthernet1/1        unassigned      YES NVRAM  administratively down down
Loopback0              10.10.10.2      YES NVRAM  up                    up
R2#
R2#sh run
Building configuration...

Current configuration : 1348 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
ip source-route
no ip icmp rate-limit unreachable
!
!
!
!
ip cef
no ip domain lookup
!
!
multilink bundle-name authenticated
!
!
!
!
ip tcp synwait-time 5
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key BsfKey9@nEw address 10.2.222.6
!
!
crypto ipsec transform-set bsfset esp-des esp-md5-hmac
!
crypto map bsf1 1 ipsec-isakmp
set peer 10.2.222.6
set transform-set bsfset
match address 115
!
!
!
!
!
interface Loopback0
ip address 10.10.10.2 255.255.255.255
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface FastEthernet1/0
ip address 10.2.222.5 255.255.255.252
speed auto
duplex auto
crypto map bsf1
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
ip classless
ip route 10.10.10.1 255.255.255.255 10.2.222.6
!
!
no ip http server
no ip http secure-server
!
access-list 115 permit ip host 10.10.10.2 host 10.10.10.1 log
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
end

Thank you for the information from R2. Other than the fact that the pre shared key for ISAKMP is different from what was in your original post I do not see any particular issue here.

I do have a couple of suggestions:

- turn on the debug and then do a ping to destination 10.10.10.1 from source 10.10.10.2

- revise the crypto access lists and remove the log option from each of the ACL used for crypto.

- test again and see if removing the log option makes any difference.

HTH

Rick

HTH

Rick

I removed the log option for ACL, preshared key is ok now, but still the same issue.For your information I am using GNS3 lab. not a real devicesis this differ?

Thanks for testing with the log option removed from the access list. I was not sure if that would be a factor but thought that it was worth investigating. Good to know that it does not seem to make any difference.

f you do the ping from 10.10.10.2 to 10.10.10.1 does it result in the same issue where the router shows encap counter is increasing but the decrypt counter remains 0?

HTH

Rick

HTH

Rick

Yes, ping from 10.10.10.2 to 10.10.10.1 gives the same result encap counter is increasing but the decrypt counter remains 0.

Not applicable

Is this issue related to GNS3 virtual lab ??

Thanks for confirming that you get the same symptoms when you do the ping from R2.

I am assuming that the issue is related to GNS3. I am not expert in GNS3 but since the configurations look ok I believe that it is much more likely to be an issue about GNS3 than to be some type of configuration issue.

HTH

Rick

HTH

Rick