troubles re-configuring network with crypto tunnel

c.leighland
Level 1

Hello all,

I'm hoping someone can help me out here. I'll try starting from the beginning and provide as much detail as possible.

I have a 2621xm as my main router. I've been using it for several years now and it's working excellently. Recently I've set up a crypto map tunnel over the internet with a friend who also has a 2621xm.

The tunnel worked excellently; we've been sharing network resources for a while with no issues. However, recently I've noticed that during copying through the tunnel to the other end, my 2621 crashes as it's running at 99% CPU usage. I decided to add a 2651 to my network as the crypto router, keeping my original 2621 as my gateway router (see attached image).

(attached image: crypto_tunnel.jpg)

I copied all pertinent crypto information to the new router (1.9) and added a route on my 2621 (1.1) to forward all traffic for the other network through the new router (1.9).

Long story short, the crypto map is established:

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: xx.xx.xx.xx port 4500
  IKE SA: local 192.168.1.9/4500 remote xx.xx.xx.xx/4500 Active
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.128 192.168.1.128/255.255.255.128
        Active SAs: 4, origin: crypto map

I am able to ping any device on my friend's network from any device on my network with NO problem. The issue is that my friend is unable to ping anything on my network. I know it's a routing issue, but I can't figure out what.

I thought if I added the following to my gateway router it would help:

ip nat inside source static esp 192.168.1.9 int fa0/1

since esp is specifically for Tunnel mode support, but that didn't work.  What am I missing? 

Also, since the change, I've noticed I'm getting this error intermittently on my new crypto router:

%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2005 local=192.168.1.9 remote=xx.xx.xx.xx spi=902CEA75 seqno=00000001

Any help would be appreciated.

If need be I can also attach my config files.

Thank you very much in advance!

Chris.

5 Replies

c.leighland
Level 1

bump..

Julio Carvajal
VIP Alumni

Hello Chris,

I would like to see both ends' configurations, and also the other site's 2621XM config.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mudjain
Level 1

Also, show crypto isakmp sa and show crypto ipsec sa from the two VPN ends.

c.leighland
Level 1

Here is the config for my friend's 2621 (192.168.1.129):

Current configuration : 6103 bytes
!
! Last configuration change at 19:54:11 MST Thu Feb 9 2012 by chris
! NVRAM config last updated at 18:55:32 MST Fri Feb 10 2012 by chris
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NAT
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
clock timezone MST -7
clock summer-time MST recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip gratuitous-arps
ip cef
!
ip dhcp use vrf connected
ip dhcp binding cleanup interval 600
!
no ip bootp server
no ip domain lookup
!
ip multicast-routing
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username chris privilege 15 secret 5 $1$.3XL$ib4E47KrR4UxQDE4mFCp..
username darryl privilege 15 secret 5 $1$YXTI$OtPt6prgUBDfPGKdb4FdA.
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key letmein address xx.xx.xx.xx no-xauth
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set STRONG
 reverse-route
!
crypto map NAT_to_Limbo client authentication list sdm_vpn_xauth_ml_1
crypto map NAT_to_Limbo isakmp authorization list sdm_vpn_group_ml_1
crypto map NAT_to_Limbo client configuration address respond
crypto map NAT_to_Limbo 10 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set STRONG
 set pfs group2
 match address 106
!
interface FastEthernet0/0
 description ++++ INTERNAL NETWORK ++++
 ip address 192.168.1.129 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description ++++ INTERNET INTERFACE ++++
 ip address dhcp
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 speed auto
 half-duplex
 crypto map NAT_to_Limbo
 crypto ipsec df-bit clear
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 72.53.31.1
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source static tcp 192.168.1.146 25565 interface FastEthernet0/1 25565
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.129 23 interface FastEthernet0/1 23
ip nat inside source static tcp 192.168.1.129 22 interface FastEthernet0/1 22
!
logging trap debugging
logging facility local2
access-list 1 remark SDM_ACL Category=16
access-list 1 deny   any log
access-list 1 permit any
access-list 100 remark SDM_ACL Category=2
access-list 100 deny   ip 192.168.1.128 0.0.0.127 192.168.1.0 0.0.0.127
access-list 100 permit ip any any
access-list 102 permit tcp host 75.155.57.38 any eq 25565
access-list 106 permit ip 192.168.1.128 0.0.0.127 192.168.1.0 0.0.0.127
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
control-plane
!
line con 0
 speed 115200
line aux 0
line vty 0 4
!
ntp clock-period 17180147
ntp server 209.167.68.100
ntp server 216.234.161.11
ntp server 209.172.32.214
ntp server 205.189.158.228

Here are the results from show crypto isakmp sa:

NAT#show crypto isakmp sa
dst             src             state          conn-id slot status
XX.XX.XX.XX     YY.YY.YY.YY   QM_IDLE              1    0 ACTIVE

Here are the results from show crypto ipsec sa:

NAT#show crypto ipsec sa
interface: FastEthernet0/1
    Crypto map tag: NAT_to_Limbo, local addr XX.XX.XX.XX

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.128/255.255.255.128/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.128/0/0)
   current_peer 75.155.57.145 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1466517, #pkts encrypt: 1466517, #pkts digest: 1466517
    #pkts decaps: 1982091, #pkts decrypt: 1982091, #pkts verify: 1982091
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 26, #recv errors 9

     local crypto endpt.: XX.XX.XX.XX, remote crypto endpt.: YY.YY.YY.YY
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0xA5C9A9FA(2781456890)

     inbound esp sas:
      spi: 0x64B9681E(1689872414)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2006, flow_id: SW:6, crypto map: NAT_to_Limbo
        sa timing: remaining key lifetime (k/sec): (4403163/3420)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA5C9A9FA(2781456890)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: SW:1, crypto map: NAT_to_Limbo
        sa timing: remaining key lifetime (k/sec): (4403164/3420)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Here is my gateway config (192.168.1.1):

Current configuration : 3005 bytes
!
! Last configuration change at 19:27:26 MST Fri Feb 10 2012 by chris
! NVRAM config last updated at 18:55:28 MST Fri Feb 10 2012 by chris
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Limbo
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
clock timezone MST -7
clock summer-time MST recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
no ip bootp server
ip multicast-routing
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username user privilege 15 secret 5 $1$a2z4$vohhcY7hnS2ZrU04avNa3.
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
 no cdp enable
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 description ++++ INTERNET CONNECTION ++++
 ip address dhcp
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.155.56.1
ip route 192.168.1.128 255.255.255.128 192.168.1.9
!
no ip http server
ip http authentication local
ip http secure-server
!
logging trap debugging
logging facility local2
access-list 1 permit any
access-list 1 remark SDM_ACL Category=16
access-list 1 deny   any log
access-list 100 permit ip any any
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
control-plane
!
line con 0
 speed 115200
line aux 0
line vty 0 4
!
ntp clock-period 17180235
ntp server 209.167.68.100
ntp server 216.234.161.11
ntp server 209.172.32.214
ntp server 205.189.158.228
!
end

Here's the config for my new crypto router (192.168.1.9):

Current configuration : 2451 bytes
!
! Last configuration change at 19:30:29 MST Fri Feb 10 2012 by chris
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Crypto
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
clock timezone MST -7
clock summer-time MST recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username user privilege 15 secret 5 $1$a2z4$vohhcY7hnS2ZrU04avNa3.
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key letmein address XX.XX.XX.XX no-xauth
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set STRONG
 reverse-route
!
crypto map Limbo_to_NAT client authentication list sdm_vpn_xauth_ml_1
crypto map Limbo_to_NAT isakmp authorization list sdm_vpn_group_ml_1
crypto map Limbo_to_NAT client configuration address respond
crypto map Limbo_to_NAT 10 ipsec-isakmp
 set peer XX.XX.XX.XX
 set transform-set STRONG
 set pfs group2
 match address 106
!
interface FastEthernet0/0
 ip address 192.168.1.9 255.255.255.128
 duplex auto
 speed auto
 crypto map Limbo_to_NAT
 crypto ipsec df-bit clear
!
interface Serial0/0
 ip address 10.10.10.2 255.255.255.252
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 shutdown
!
interface Serial0/2
 no ip address
 shutdown
!
interface Serial0/3
 no ip address
 shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.1.128 255.255.255.128 192.168.1.129
!
ip http server
ip http authentication local
no ip http secure-server
!
access-list 1 permit any
access-list 1 remark SDM_ACL Category=16
access-list 1 deny   any log
access-list 100 permit ip any any
access-list 100 remark SDM_ACL Category=2
access-list 100 deny   ip 192.168.1.0 0.0.0.127 192.168.1.128 0.0.0.127
access-list 106 permit ip 192.168.1.0 0.0.0.127 192.168.1.128 0.0.0.127
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
control-plane
!
line con 0
 speed 115200
line aux 0
line vty 0 4
!
ntp clock-period 17208398
ntp server 64.250.229.100
!
end

Show crypto isakmp sa:

Crypto#show crypto isakmp sa
dst             src             state          conn-id slot status
YY.YY.YY.YY     XX.XX.XX.XX     QM_IDLE              1    0 ACTIVE

Show crypto ipsec sa:

interface: FastEthernet0/0
    Crypto map tag: Limbo_to_NAT, local addr 192.168.1.9

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.128/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.128/255.255.255.128/0/0)
   current_peer XX.XX.XX.XX port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1320704, #pkts encrypt: 1320704, #pkts digest: 1320704
    #pkts decaps: 966373, #pkts decrypt: 966373, #pkts verify: 966373
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 192.168.1.9, remote crypto endpt.: XX.XX.XX.XX
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x64B9681E(1689872414)

     inbound esp sas:
      spi: 0xA5C9A9FA(2781456890)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2006, flow_id: SW:6, crypto map: Limbo_to_NAT
        sa timing: remaining key lifetime (k/sec): (4501525/1633)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x64B9681E(1689872414)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: SW:1, crypto map: Limbo_to_NAT
        sa timing: remaining key lifetime (k/sec): (4501520/1631)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Hopefully this has everything you need. Let me know if you need anything else! All config files are at the minimum that worked. I've removed all access-lists and any non-important information.

Thanks in advance, Mudit!
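Two things the three pasted configs let a reader check mechanically are whether the crypto ACLs (ACL 106 on NAT and on Crypto) are mirror images of each other, and whether a router that translates addresses exempts the tunnel's traffic from NAT before that traffic reaches the crypto map. The script below is an added example written for this thread, not code from any poster or from Cisco. It parses config excerpts constructed from the posts above (only the lines the checks need), applies IOS first-match ACL semantics, and includes a CRYPTO_CFG_IF_NAT variant that adds one hypothetical translation rule the posted Crypto config does not have, to show what the check reports when the NAT ACL's first matching entry is a permit (the posted Crypto ACL 100 lists its permit ip any any before its deny).

```python
"""Lint two IOS crypto-map peers: mirrored crypto ACLs and NAT exemption.

Added example for this thread, not code from any poster or from Cisco. The
excerpts below are constructed from the configs pasted above; CRYPTO_CFG_IF_NAT
adds one hypothetical translation rule the posted Crypto config does not have.
"""
import re
from ipaddress import IPv4Address, IPv4Network

_NET = r"(any|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)"
ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+%s\s+%s$" % (_NET, _NET))

NAT_CFG = """\
hostname NAT
crypto map NAT_to_Limbo 10 ipsec-isakmp
 match address 106
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
access-list 100 deny   ip 192.168.1.128 0.0.0.127 192.168.1.0 0.0.0.127
access-list 100 permit ip any any
access-list 106 permit ip 192.168.1.128 0.0.0.127 192.168.1.0 0.0.0.127
route-map SDM_RMAP_1 permit 1
 match ip address 100
"""

CRYPTO_CFG = """\
hostname Crypto
crypto map Limbo_to_NAT 10 ipsec-isakmp
 match address 106
access-list 100 permit ip any any
access-list 100 deny   ip 192.168.1.0 0.0.0.127 192.168.1.128 0.0.0.127
access-list 106 permit ip 192.168.1.0 0.0.0.127 192.168.1.128 0.0.0.127
route-map SDM_RMAP_1 permit 1
 match ip address 100
"""

# Hypothetical variant: the posted Crypto config has no 'ip nat inside source' line at all.
CRYPTO_CFG_IF_NAT = CRYPTO_CFG + "ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload\n"


def wildcard_net(tok):
    """'any' -> 0.0.0.0/0; 'addr wildcard' (IOS inverse mask) -> IPv4Network."""
    if tok == "any":
        return IPv4Network("0.0.0.0/0")
    addr, wildcard = tok.split()
    wc = int(IPv4Address(wildcard))
    if (wc + 1) & wc:                      # bits must be a contiguous low-order run
        raise ValueError("non-contiguous wildcard %s" % wildcard)
    return IPv4Network("%s/%d" % (addr, 32 - wc.bit_length()), strict=False)

def parse_acls(cfg):
    """{acl_number: [(action, src, dst), ...]} in configured, i.e. evaluation, order."""
    acls = {}
    for line in cfg.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(
                (m.group(2), wildcard_net(m.group(3)), wildcard_net(m.group(4))))
    return acls

def crypto_acl_number(cfg):
    """ACL named by 'match address N' under a crypto map entry, or None."""
    m = re.search(r"^\s*match address (\d+)", cfg, re.M)
    return m.group(1) if m else None

def nat_acl_number(cfg):
    """ACL behind 'ip nat inside source list|route-map ...', or None if the box does not NAT."""
    m = re.search(r"^ip nat inside source (list|route-map) (\S+) ", cfg, re.M)
    if not m:
        return None
    if m.group(1) == "list":
        return m.group(2)
    rm = re.search(r"^route-map %s permit \d+\n\s*match ip address (\d+)" % re.escape(m.group(2)),
                   cfg, re.M)
    return rm.group(1) if rm else None

def mirrored(local_rules, remote_rules):
    """Every permit (src, dst) on one peer must be a permit (dst, src) on the other."""
    return ({(s, d) for a, s, d in local_rules if a == "permit"}
            == {(d, s) for a, s, d in remote_rules if a == "permit"})

def first_match(rules, src, dst):
    """IOS ACL semantics: top down, first match wins, implicit deny at the end."""
    for action, r_src, r_dst in rules:
        if src.subnet_of(r_src) and dst.subnet_of(r_dst):
            return action
    return "deny"

def check_peer(local_cfg, remote_cfg):
    """Mirror check against the peer, plus NAT exemption when local_cfg translates."""
    l_acls, r_acls = parse_acls(local_cfg), parse_acls(remote_cfg)
    l_crypto = l_acls.get(crypto_acl_number(local_cfg), [])
    r_crypto = r_acls.get(crypto_acl_number(remote_cfg), [])
    nat_num = nat_acl_number(local_cfg)
    result = {"mirror_ok": mirrored(l_crypto, r_crypto), "nat_rule_present": nat_num is not None}
    if nat_num is not None:
        # Tunnel traffic must hit a deny in the NAT ACL so it reaches the crypto map untranslated.
        result["nat_exempt_ok"] = all(first_match(l_acls.get(nat_num, []), s, d) == "deny"
                                      for a, s, d in l_crypto if a == "permit")
    return result
```

Calling check_peer(NAT_CFG, CRYPTO_CFG) and check_peer(CRYPTO_CFG, NAT_CFG) on the posted excerpts reports that both crypto ACLs mirror each other and that NAT's ACL 100 denies the tunnel pair before its permit ip any any; the Crypto router has no ip nat inside source line at all, so the exemption check does not apply to it, and the Limbo config as pasted carries none either. With the hypothetical rule added, check_peer(CRYPTO_CFG_IF_NAT, NAT_CFG) reports nat_exempt_ok False, because the first entry of Crypto's ACL 100 that matches 192.168.1.0/25 to 192.168.1.128/25 is the permit. The lint says nothing about the pre-shared key or the type 5 secrets that the posts show in the clear; those belong in a rotation after a public paste.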

Akhtar Samo
Level 1

Hi Chris,

Were you able to fix the MAC ERR problem? I am also facing the same issue.

%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed

Regards,

Akhtar
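The MAC-verify error quoted in the first post and in Akhtar's reply names a connection id and an SPI, and both ends' show crypto ipsec sa output above lists the SAs that were installed when the dumps were taken. The script below, an added example written for this thread and not code from any poster or from Cisco, parses SA dumps constructed from the pasted outputs (trimmed to the fields it uses, keeping the poster's XX/YY placeholders for public addresses), checks that the two ends agree with each other (mirrored identities, each side's inbound SPI equal to the other side's outbound SPI, NAT-T UDP encapsulation on both), and then reports whether the SPI and conn id in the syslog line belong to the receiving router's currently installed inbound SA.

```python
"""Cross-check both peers' 'show crypto ipsec sa' and place a
%CRYPTO-4-RECVD_PKT_MAC_ERR message against the installed SAs.

Added example for this thread, not code from any poster or from Cisco. The SA
dumps are constructed from the outputs pasted above, trimmed to the fields used
here; the log line is the one quoted in the first post.
"""
import re
from ipaddress import IPv4Network

SA_CRYPTO = """\
interface: FastEthernet0/0
    Crypto map tag: Limbo_to_NAT, local addr 192.168.1.9
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.128/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.128/255.255.255.128/0/0)
   current_peer XX.XX.XX.XX port 4500
     inbound esp sas:
      spi: 0xA5C9A9FA(2781456890)
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2006, flow_id: SW:6, crypto map: Limbo_to_NAT
     inbound ah sas:
     outbound esp sas:
      spi: 0x64B9681E(1689872414)
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: SW:1, crypto map: Limbo_to_NAT
     outbound ah sas:
"""

SA_NAT = """\
interface: FastEthernet0/1
    Crypto map tag: NAT_to_Limbo, local addr XX.XX.XX.XX
   local  ident (addr/mask/prot/port): (192.168.1.128/255.255.255.128/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.128/0/0)
   current_peer YY.YY.YY.YY port 4500
     inbound esp sas:
      spi: 0x64B9681E(1689872414)
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2006, flow_id: SW:6, crypto map: NAT_to_Limbo
     inbound ah sas:
     outbound esp sas:
      spi: 0xA5C9A9FA(2781456890)
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: SW:1, crypto map: NAT_to_Limbo
     outbound ah sas:
"""

MAC_ERR_LINE = ("%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection "
                "id=2005 local=192.168.1.9 remote=xx.xx.xx.xx spi=902CEA75 seqno=00000001")
MAC_ERR_RE = re.compile(r"RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=(\d+) "
                        r"local=(\S+) remote=(\S+) spi=([0-9A-Fa-f]+) seqno=([0-9A-Fa-f]+)")

def _section(text, direction):
    """Body of the '<direction> esp sas:' block, up to the next '... sas:' header."""
    m = re.search(r"%s esp sas:(.*?)(?=\n\s*(?:inbound|outbound) \w+ sas:|\Z)" % direction, text, re.S)
    return m.group(1) if m else ""

def parse_ipsec_sa(text):
    """Identities, peer port and the inbound/outbound ESP SA (spi, conn id, encapsulation)."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else None
    sa = {"local_ident": grab(r"local\s+ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)/", IPv4Network),
          "remote_ident": grab(r"remote ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)/", IPv4Network),
          "peer_port": grab(r"current_peer \S+ port (\d+)", int)}
    for direction in ("inbound", "outbound"):
        sec = _section(text, direction)
        spi = re.search(r"spi: 0x([0-9A-Fa-f]+)", sec)
        conn = re.search(r"conn id: (\d+)", sec)
        sa[direction] = {"spi": spi.group(1).upper() if spi else None,
                         "conn_id": int(conn.group(1)) if conn else None,
                         "udp_encaps": "UDP-Encaps" in sec}
    return sa

def parse_mac_err(line):
    """Fields of a %CRYPTO-4-RECVD_PKT_MAC_ERR syslog line, or None for any other line."""
    m = MAC_ERR_RE.search(line)
    if not m:
        return None
    return {"conn_id": int(m.group(1)), "local": m.group(2), "remote": m.group(3),
            "spi": m.group(4).upper(), "seqno": int(m.group(5), 16)}

def cross_check(local, peer):
    """Do the two ends agree: mirrored identities, paired SPIs, NAT-T on both sides."""
    return {"idents_mirrored": (local["local_ident"] == peer["remote_ident"]
                                and local["remote_ident"] == peer["local_ident"]),
            "spis_paired": (local["inbound"]["spi"] == peer["outbound"]["spi"]
                            and local["outbound"]["spi"] == peer["inbound"]["spi"]),
            "nat_t_both": (local["peer_port"] == 4500 == peer["peer_port"]
                           and local["inbound"]["udp_encaps"] and peer["inbound"]["udp_encaps"])}

def classify_mac_err(err, local):
    """Is the failing SPI/conn id the receiver's currently installed inbound SA?"""
    inb = local["inbound"]
    if err["spi"] == inb["spi"] and err["conn_id"] == inb["conn_id"]:
        return "current-inbound-sa"        # the live SA itself fails integrity checks
    return "not-current-inbound-sa"        # an SA since rekeyed, expired or never completed
```

On the page's data, cross_check(parse_ipsec_sa(SA_CRYPTO), parse_ipsec_sa(SA_NAT)) passes every check, while the syslog line's spi=902CEA75 and conn id 2005 do not match the Crypto router's listed inbound SA (A5C9A9FA, conn id 2006), so classify_mac_err reports not-current-inbound-sa: the packet that failed verification belonged to an SA other than the one installed when the dump was taken, and seqno=00000001 says it was the first packet received under that SPI. The dumps and the log line were captured at different times, which is also why the script deliberately does not compare packet counters between the two ends.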
