Two Cisco 2811 routers can only ping through VPN tunnel - no TCP traffic

pwillemann
Level 1

I have two laptops, two Cisco 2811 routers and a simple Netgear switch between the two routers. (I did not have a crossover cable so I inserted the switch to allow the two routers to communicate.) My application on one laptop sends packets with various DSCP codes to the other laptop. This works fine when everything is unencrypted. I have issues when I introduce IPsec using VPN tunneling.

My first laptop sends data to Router A.  Router A sends it to the switch, then Router B and to the second laptop.  Here is the Router A setup:

class-map match-all HIGH            <== set up for my DSCP codes
 match  dscp ef
class-map match-all LOW
 match any
class-map match-any encr-traffic
 match access-group 122
!
!
policy-map outbound
 class HIGH
  shape average 512000 256000 0   <== "46" traffic needs to get the vast majority of my "bandwidth"
 class LOW
  shape average 16000 1000 0
policy-map output
 class encr-traffic
  bandwidth 256
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key XXXXXX address 1.1.1.2
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map routerA_to_routerB 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set myset
 match address 101
!
!
interface FastEthernet0/0
 ip address 205.100.200.1 255.255.255.0
 ip access-group 101 in
 duplex half
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
 crypto map routerA_to_routerB

ip route 205.10.20.0 255.255.255.0 1.1.1.2
!
access-list 101 permit ip any any
access-list 101 permit ip 205.10.20.0 0.0.0.255 205.100.200.0 0.0.0.255

In Router B I did the following:

class-map match-any encr-traffic
 match access-group 122
!
!
policy-map output
 class encr-traffic
  bandwidth 256
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 1.1.1.1
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map routerB_to_routerA 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myset
 match address 101
!
interface FastEthernet0/0
 ip address 205.10.20.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.1.2 255.255.255.0
 duplex auto
 speed auto
 crypto map routerB_to_routerA
 service-policy output output

ip route 205.100.200.0 255.255.255.0 1.1.1.1
!

access-list 101 permit ip 205.10.20.0 0.0.0.255 205.100.200.0 0.0.0.255
access-list 101 permit ip any any
access-list 101 permit ip 205.100.200.0 0.0.0.255 205.10.20.0 0.0.0.255
access-list 122 permit esp any any

After I set up router A and router B I was able to successfully ping from 205.100.200.100 <--> 205.10.20.100. (both ways)  These are both my PCs.  At this point I figured I had done everything correctly.  I even entered show crypto session to verify my security associations and they seemed fine.  However no TCP traffic flows between my PCs.  Before I was able to send packets with DSCP codes with no problems, but now nothing gets through. 

This is confusing to me because I figured all the encryption was done between the two routers.  I would have expected the traffic coming out of Router B to be unencrypted and exactly the way it was before it entered Router A.

Any insight into my problem would be appreciated by this network newbie.

Thanks

Phil

8 Replies

Abaji Rawool
Level 3

Hi Phil,

Do you see any change in the encap/decap counters when you try to send the TCP traffic, in the output of

show crypto ipsec sa peer <peer IP>

and also include the following option under the crypto map configuration and test?

qos pre-classify

Regards,

Abaji.

Hi Abaji,

Thank you for your response.

1.  Before I entered "qos pre-classify" I entered the command show crypto ipsec sa peer 1.1.1.2 from my sending box, right before I sent my traffic and right after I sent my traffic.  The encap counters went up by 3, but the decaps did not move.  Here are the results:

    ********************************************************
    BEFORE my tcp traffic is sent
    ********************************************************

Router#show crypto ipsec sa peer 1.1.1.2

interface: FastEthernet0/1
    Crypto map tag: routerA_to_routerB, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 1.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 232442, #pkts encrypt: 232442, #pkts digest: 232442
    #pkts decaps: 43, #pkts decrypt: 43, #pkts verify: 43

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (205.10.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (205.100.200.0/255.255.255.0/0/0)
   current_peer 1.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

    ********************************************************
    AFTER my tcp traffic is sent
    ********************************************************

show crypto ipsec sa peer 1.1.1.2

interface: FastEthernet0/1
    Crypto map tag: routerA_to_routerB, local addr 1.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 1.1.1.2 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 232445, #pkts encrypt: 232445, #pkts digest: 232445
    #pkts decaps: 43, #pkts decrypt: 43, #pkts verify: 43

    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x70459FA6(1883611046)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xDDF9083A(3724085306)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2231, flow_id: NETGX:231, sibling_flags 80000046, crypto map: routerA_to_routerB
        sa timing: remaining key lifetime (k/sec): (4519924/3582)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x70459FA6(1883611046)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2232, flow_id: NETGX:232, sibling_flags 80000046, crypto map: routerA_to_routerB
        sa timing: remaining key lifetime (k/sec): (4519923/3582)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (205.10.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (205.100.200.0/255.255.255.0/0/0)
   current_peer 1.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 1.1.1.1, remote crypto endpt.: 1.1.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

2.  I sent 100 individual packets so I would have expected that number to go up by 100. (I did not get the packets at the receiving computer.) Not 100% sure why it went up only by 3 - maybe this is because of retries or something similar.

3.  I then added qos pre-classify to my crypto map on the sending router.  I did not do the receiving router.  I then entered show crypto ipsec sa peer 1.1.1.2.  The numbers were still as they were when I last issued the command.

4.  I then sent 100 packets of information.  I did not get the packets at the receiving computer.  Here are the encaps and decaps:

  #pkts encaps: 232449, #pkts encrypt: 232449, #pkts digest: 232449
  #pkts decaps: 43, #pkts decrypt: 43, #pkts verify: 43

I see no discernible difference right now.  Do I need to do anything on the receiving router?

Thanks

Phil
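The counter comparison Abaji suggested, applied to the two snapshots in Phil's reply above, as an added example that is not part of the original thread: a small Python script that parses the IOS show crypto ipsec sa output, diffs the encap/decap and send-error counters for each SA identity, and flags the one-way pattern (encaps up by 3, decaps flat) along with the fact that the traffic is being selected by the any/any identity rather than the LAN-to-LAN one. The snapshots are constructed, abridged copies of the values posted above.

```python
"""Compare two 'show crypto ipsec sa' snapshots (the IOS format quoted above)
and report per-SA counter deltas. Added example, not from the original thread;
the snapshots are constructed, abridged copies of the values Phil posted."""
import re

# Constructed: only the lines the parser needs are kept from each snapshot.
BEFORE = """\
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    #pkts encaps: 232442, #pkts encrypt: 232442, #pkts digest: 232442
    #pkts decaps: 43, #pkts decrypt: 43, #pkts verify: 43
    #send errors 1, #recv errors 0
     current outbound spi: 0x0(0)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (205.10.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (205.100.200.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
"""

AFTER = """\
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    #pkts encaps: 232445, #pkts encrypt: 232445, #pkts digest: 232445
    #pkts decaps: 43, #pkts decrypt: 43, #pkts verify: 43
    #send errors 2, #recv errors 0
     current outbound spi: 0x70459FA6(1883611046)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (205.10.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (205.100.200.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]*)\)")
COUNTER_RES = {
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors (\d+)"),
}
SPI_RE = re.compile(r"current outbound spi: (\S+)")
CATCH_ALL = "0.0.0.0/0.0.0.0/0/0"


def parse_sas(text):
    """One dict per 'protected vrf' block, keyed by (local ident, remote ident)."""
    sas = {}
    for block in re.split(r"\s*protected vrf:", text)[1:]:  # [0] is the header
        idents = dict(IDENT_RE.findall(block))
        entry = {name: int(rx.search(block).group(1)) for name, rx in COUNTER_RES.items()}
        entry["spi"] = SPI_RE.search(block).group(1)
        sas[(idents["local"], idents["remote"])] = entry
    return sas


def diff_sas(before, after):
    """Per-SA deltas plus a verdict on what the counters say about the path."""
    report = []
    for key, b in before.items():
        a = after.get(key)
        if a is None:
            continue  # SA gone between snapshots; nothing to compare
        d_enc, d_dec = a["encaps"] - b["encaps"], a["decaps"] - b["decaps"]
        if d_enc > 0 and d_dec == 0:
            verdict = "one-way: encrypted and sent, nothing decrypted in return"
        elif d_enc == 0 and d_dec == 0:
            verdict = "idle: this SA did not carry the test traffic"
        else:
            verdict = "bidirectional: both encaps and decaps moved"
        report.append({
            "local": key[0], "remote": key[1],
            # any/any identity: the crypto ACL's catch-all entry, not the
            # LAN-to-LAN entry, selected this traffic
            "catch_all": key == (CATCH_ALL, CATCH_ALL),
            "d_encaps": d_enc, "d_decaps": d_dec,
            "d_send_errors": a["send_errors"] - b["send_errors"],
            "spi_before": b["spi"], "spi_after": a["spi"],
            "verdict": verdict,
        })
    return report


if __name__ == "__main__":
    for row in diff_sas(parse_sas(BEFORE), parse_sas(AFTER)):
        print(row)
```

A one-way verdict on the sending router only says the packets left encrypted; the next place to look is the receiving router's decaps and then the host itself, which in this thread turned out to be a host firewall.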

Hi Phil,

We may need to debug this further with a TAC case, could you open one, with show tech-support from the routers?

Regards,

Abaji.

Abaji,

I have figured out what was wrong and it was something unrelated to the setup of the two routers.  My sending box was an Ubuntu box and my receiving box was a Windows 7 box. The Windows PC is a company computer and had some firewall policies that were blocking the traffic.  When I replaced the PC with an old Windows XP box that had no company firewall policies, my program worked just fine.   I guess this was just a newbie mistake.  Thank you for taking the time to help me.  It is much appreciated.

Phil