04-16-2002 04:40 AM - edited 02-21-2020 11:41 AM
There is a 2610 (c2600-is56i-mz.121-14.bin) and a 3661 (c3660-io3s56i-mz.121-14.bin), connected by a Frame Relay channel. IPSec is configured on both sides to secure the transport layers (TCP & UDP), and at present it allows transparent access from the LAN behind the 3661 to the 2610 (tested with telnet, ftp, tftp, rsh, rcp). There is a host connected to the 2610 on Async 33 by PPP encryption, and traffic from this host arriving at the 3661 is NOT encrypted (see the log below), although it is permitted in the access-list referenced from the crypto map. The problem is resolved after "no crypto map" and "crypto map ..." on the sub-interfaces of both routers, but a reload brings that kind of trouble back again :(
Fragments of the running-config on the 2610:
crypto isakmp policy 10
authentication rsa-encr
group 2
lifetime 3600
!
crypto isakmp keepalive 30 10
!
crypto ipsec security-association lifetime kilobytes 44000000
!
crypto ipsec transform-set tsCrypt ah-sha-hmac esp-des esp-md5-hmac comp-lzs
mode transport
!
crypto key pubkey-chain rsa
addressed-key 10.8.27.29 signature
address 10.8.27.29
key-string
x
quit
addressed-key 10.8.27.29 encryption
address 10.8.27.29
key-string
x
quit
!
crypto map cmCrypt local-address Serial0/0.640
crypto map cmCrypt 10 ipsec-isakmp
set peer 10.8.27.29
set transform-set tsCrypt
set pfs group2
match address aclIntraCrypt
!
interface Serial0/0.640 point-to-point
ip address 10.8.27.30 255.255.255.252
no arp frame-relay
no cdp enable
frame-relay interface-dlci 640 IETF protocol ip 10.8.27.29
class mc_64-64
crypto map cmCrypt
!
interface Async33
ip unnumbered Serial0/0.640
encapsulation ppp
no ip route-cache same-interface
no ip mroute-cache
async mode dedicated
peer default ip address 10.8.27.128
no fair-queue
no cdp enable
ppp authentication chap
!
ip classless
ip route 10.0.0.0 255.0.0.0 Serial0/0.640
ip route 10.0.0.0 255.0.0.0 Null0 254
ip route 10.8.27.128 255.255.255.240 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
ip access-list extended aclIntraCrypt
permit udp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
deny tcp 10.0.0.0 0.255.255.255 eq 22 10.0.0.0 0.255.255.255
deny tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 22
deny tcp 10.0.0.0 0.255.255.255 eq www 10.0.0.0 0.255.255.255
deny tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq www
deny tcp 10.0.0.0 0.255.255.255 eq 443 10.0.0.0 0.255.255.255
deny tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 443
permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
end
Fragments of the running-config on the 3661:
crypto isakmp policy 10
authentication rsa-encr
group 2
lifetime 3600
!
crypto isakmp keepalive 30 10
!
crypto ipsec security-association lifetime kilobytes 44000000
!
crypto ipsec transform-set tsCrypt ah-sha-hmac esp-des esp-md5-hmac comp-lzs
mode transport
!
crypto key pubkey-chain rsa
addressed-key 10.8.27.30 signature
address 10.8.27.30
key-string
x
quit
addressed-key 10.8.27.30 encryption
address 10.8.27.30
key-string
x
quit
!
crypto map cmCrypt_30 local-address Serial1/3.707
crypto map cmCrypt_30 10 ipsec-isakmp
set peer 10.8.27.30
set transform-set tsCrypt
set pfs group2
match address aclIntraCrypt
!
interface Serial1/3.707 point-to-point
ip address 10.8.27.29 255.255.255.252
no ip mroute-cache
no arp frame-relay
no cdp enable
frame-relay interface-dlci 707 IETF protocol ip 10.8.27.30
class mc_64-64
crypto map cmCrypt_30
!
ip classless
ip route 10.8.27.128 255.255.255.240 Serial1/3.707
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
!
ip access-list extended aclIntraCrypt
permit udp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
deny tcp 10.0.0.0 0.255.255.255 eq 22 10.0.0.0 0.255.255.255
deny tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 22
deny tcp 10.0.0.0 0.255.255.255 eq www 10.0.0.0 0.255.255.255
deny tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq www
deny tcp 10.0.0.0 0.255.255.255 eq 443 10.0.0.0 0.255.255.255
deny tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 443
permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
end
---
003130: Apr 16 11:57:56.013: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) dest_addr= 10.8.1.30, src_addr= 10.8.27.128, prot= 6
003165: Apr 16 13:37:40.164: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) dest_addr= 10.1.12.185, src_addr= 10.8.27.128, prot= 6
---
I can't understand it anymore :(
Please help with advice.
Thanks.
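As an added example (not part of the original thread or of the poster's configs): the RECVD_PKT_NOT_IPSEC message means the receiving router got a cleartext packet whose flow is covered by a permit line in its crypto ACL, so the natural triage step is to check the logged flows against aclIntraCrypt and separate flows that the policy says must be encrypted from flows the ACL deliberately leaves in the clear (22, www, 443). The script below parses the posted ACL and the two posted log lines. The log carries only the IP protocol number, not ports, so the candidate destination ports, the ephemeral source port 40000 and the small IOS port-keyword table are assumptions made for this example.

```python
"""Triage %CRYPTO-4-RECVD_PKT_NOT_IPSEC syslog lines against an IOS crypto ACL.

Constructed example: ACL and log lines are copied from the post; probe ports,
the ephemeral source port and the port-keyword table are assumptions, since the
log reports only the IP protocol number ("prot= 6"), not the TCP/UDP ports.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}
PORT_KEYWORDS = {"www": 80, "ftp": 21, "telnet": 23, "tftp": 69, "domain": 53}  # assumption

# Crypto ACL aclIntraCrypt as posted (identical on both routers).
ACL_INTRA_CRYPT = """
ip access-list extended aclIntraCrypt
 permit udp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 deny tcp 10.0.0.0 0.255.255.255 eq 22 10.0.0.0 0.255.255.255
 deny tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 22
 deny tcp 10.0.0.0 0.255.255.255 eq www 10.0.0.0 0.255.255.255
 deny tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq www
 deny tcp 10.0.0.0 0.255.255.255 eq 443 10.0.0.0 0.255.255.255
 deny tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255 eq 443
 permit tcp 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
"""

# The two syslog lines from the post (the second lacks the leading '%').
SYSLOG = """
003130: Apr 16 11:57:56.013: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) dest_addr= 10.8.1.30, src_addr= 10.8.27.128, prot= 6
003165: Apr 16 13:37:40.164: CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) dest_addr= 10.1.12.185, src_addr= 10.8.27.128, prot= 6
"""

LOG_RE = re.compile(
    r"CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*?dest_addr=\s*(?P<dst>[\d.]+),"
    r"\s*src_addr=\s*(?P<src>[\d.]+),\s*prot=\s*(?P<proto>\d+)"
)

@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" = protect with IPSec, "deny" = send in clear
    proto: Optional[int]   # None means "ip" (any protocol)
    src: tuple             # (address, wildcard) as ints
    src_port: Optional[int]
    dst: tuple
    dst_port: Optional[int]

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tokens, i):
    """Consume one IOS address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2

def _parse_port(tokens, i):
    """Consume an optional 'eq PORT' operator (the only operator in the posted ACL)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_KEYWORDS[p]), i + 2
    return None, i

def parse_acl(text):
    """Parse the permit/deny lines of an IOS extended ACL; header and '!' are skipped."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        proto = int(tokens[1]) if tokens[1].isdigit() else PROTO_NUMBERS[tokens[1]]
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        entries.append(AclEntry(tokens[0], proto, src, sport, dst, dport))
    return entries

def _addr_match(spec, addr):
    base, wildcard = spec          # wildcard bit set = "don't care", as in IOS
    return ((addr & ~wildcard) & 0xFFFFFFFF) == ((base & ~wildcard) & 0xFFFFFFFF)

def acl_lookup(entries, proto, src, dst, sport=None, dport=None):
    """First-match semantics; None stands for the implicit deny at the end."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if e.proto is not None and e.proto != proto:
            continue
        if not (_addr_match(e.src, s) and _addr_match(e.dst, d)):
            continue
        if e.src_port is not None and e.src_port != sport:
            continue
        if e.dst_port is not None and e.dst_port != dport:
            continue
        return e
    return None

def parse_not_ipsec_log(text):
    """Extract (src, dst, proto) from each RECVD_PKT_NOT_IPSEC line, with or without '%'."""
    return [(m["src"], m["dst"], int(m["proto"]))
            for m in (LOG_RE.search(l) for l in text.splitlines()) if m]

def triage(log_text, acl_text, probe_dports=(22, 23, 80, 443, 514)):
    """Per logged cleartext flow and candidate port: 'should_be_encrypted' when the
    crypto ACL permits the flow (the sender skipped encryption), else 'cleartext_by_policy'."""
    entries = parse_acl(acl_text)
    verdicts = []
    for src, dst, proto in parse_not_ipsec_log(log_text):
        for dport in probe_dports:
            hit = acl_lookup(entries, proto, src, dst, sport=40000, dport=dport)
            verdicts.append({"src": src, "dst": dst, "proto": proto, "dport": dport,
                             "verdict": "should_be_encrypted" if hit and hit.action == "permit"
                             else "cleartext_by_policy"})
    return verdicts

if __name__ == "__main__":
    for v in triage(SYSLOG, ACL_INTRA_CRYPT):
        print(f"{v['src']} -> {v['dst']}:{v['dport']} proto {v['proto']}: {v['verdict']}")
```

Run as a script it prints one verdict per flow and probe port. For the posted flows from 10.8.27.128 (the Async33 host), telnet or rsh (23, 514) land on the final `permit tcp` line, so the 3661 is right to drop them and the fault is on the 2610, which forwarded them without applying the crypto map; the same flows on 22, www or 443 hit an explicit deny and would be expected in the clear.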
04-16-2002 04:00 PM
On the 2610's serial interface (the FR link that has the crypto map), try turning off fast switching with:
no ip route-cache
Also, your mode should be tunnel mode and not transport, as the routers are actually proxying for the subnets behind them.
04-17-2002 01:58 AM
Thank you Cris!
"no ip route-cache" on s0/0 resolved my troubles - I just verified it and it works :)
I will consider using tunnel mode, but I think fast switching must remain turned off.
04-18-2002 01:54 PM
I have not studied the provided configs, so I do not claim to understand the environment or the nature of this problem, but I do have something to add.
I use the command 'ip route-cache' in several of my VPN configs. In particular, I have found this command useful when using policy-based routing. The 'ip route-cache' command allows the router to make policy routing decisions without having to process the entire policy for every packet.
The point of my post is that, by nature, IPSec VPNs and 'ip route-cache' work fine with each other in some environments. I cannot speak for this particular case.
04-19-2002 03:13 AM
Do you use "ip route-cache" on the main interface of a Frame Relay link, one of whose subinterfaces participates as an IPSec peer?