cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
459
Views
10
Helpful
15
Replies

UP-IDLE IPSEC Tunnel - Cannot return traffic trough VPN Tunnel

Hi, 

I have set a new tunnel on a Cisco C1800 router to one of our clients and it turns out that we have the same internet provider and they are using a public IP for their internal NAT. Phase 1 goes with no problem but when they initiate traffic I receive it through the VPN tunnel but the return goes to the public internet and get lost following our provider´s routes.

I need to force the traffic back to the tunnel. Here is part of the configuration and the crypto IPSec result. My public IP is a /30

Best regards end thank you.

FYI: The asteriscs mean that they have the same octate. Hope makes sense.

1 Accepted Solution

Accepted Solutions

@roberto.arellano-nunez.emilio OK, but if you've got nat configured, traffic may be unintentially translated.

Have you explicitly denied traffic from your local network to the vpn network?

View solution in original post

15 Replies 15

Rob Ingram
VIP Expert VIP Expert
VIP Expert

@roberto.arellano-nunez.emilio you've no IPSec SA (no inbound/outbound esp SA), so the VPN is not fully established. Can you turn on isakmp/ipsec debugs and provide the output to determine wherer the issue is?

Can you provide your configuration or provide more information?

Do you have more than one outside interface?

Or do you only have one outside interface? If so the traffic to establish the tunnel and the interesting traffic to be encrypted should all go via the same interface.

Hi Rob, thank you for your reply.

I have isakmp/IPsec debugs active but I don't get any entry regarding this tunnel. This router has other tunnels configured with the same parameters with no issue, in fact, one of them is to another site from the same client, both with public IPs as NAT but different providers, and yes, there is only one outside interface. 

PHASE 1:

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600

crypto isakmp key ########## address 1**.**.**.** no-xauth

crypto isakmp key ########## address **.**.**.154 no-xauth

*************************************************************************************

PHASE 2:

crypto ipsec transform-set TRSetMD5-2 esp-3des esp-md5-hmac

 

crypto map SHARED1 73 ipsec-isakmp
description VPN PRIMARY
set peer **.**.**.**
set transform-set TRSetMD5-2
match address 174

access-list 174 permit ip host 192.168.224.50 host 189.206.60.43
access-list 174 permit ip host 192.168.224.51 host 189.206.60.43
access-list 174 permit ip host 192.168.224.52 host 189.206.60.43


crypto map SHARED1 90 ipsec-isakmp
description VPN SECONDARY
set peer **.**.**.154
set transform-set TRSetMD5-2
match address 175

access-list 175 permit ip host 192.168.224.50 host 201.174.53.157
access-list 175 permit ip host 192.168.224.51 host 201.174.53.157
access-list 175 permit ip host 192.168.224.52 host 201.174.53.157


interface FastEthernet0
ip address 201.174.17.238 255.255.255.252
ip nat outside
ip virtual-reassembly
ip traffic-export apply capture
crypto map SHARED1

ip route 0.0.0.0 0.0.0.0 201.174.17.237

@roberto.arellano-nunez.emilio

If you say you aren't see debugs from this tunnel then those debugs are from another VPN tunnel?

Are you generating interesting traffic to establish the tunnel?

You've got nat configured on your Fa0 interface, is NAT correctly translating or not translating traffic? If NAT is not working correctly then traffic may not match the ACL 175 and not establish the tunnel.

Yes, the debugs were from another tunnel.

I did generate some traffic but did not register in the logging. I will ask them to do the same, but because of the time difference (MST and IST), I will get the result tomorrow. I will keep you posted.

As for the NAT, we are not translating traffic for this tunnel, that is being used for Interface Overload natting.

Regards.

@roberto.arellano-nunez.emilio OK, but if you've got nat configured, traffic may be unintentially translated.

Have you explicitly denied traffic from your local network to the vpn network?

Hi, Here is what I was able to catch on the logs, our client set a continuous ping and now the tunnel is UP-ACTIVE but still no reply from my end.

Interface: FastEthernet0
Session status: UP-ACTIVE
Peer: 201.174.53.154 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 201.174.53.154
Desc: (none)
IKE SA: local 201.174.17.238/500 remote 201.174.53.154/500 Active
Capabilities:(none) connid:2059 lifetime:00:18:50
IPSEC FLOW: permit ip host 192.168.224.51 host 201.174.53.157
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 77 drop 1 life (KB/Sec) 4387415/2414
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4387424/2414

 

@roberto.arellano-nunez.emilio you've not answered the last question about NAT. You are decrypting traffic but not encrypting traffic, this usually indicates a NAT or a routing issue on your end.

No, I don't have any deny ACLs, all I have is the ACL for traffic to be nated to outside interface and allow access to specific sites trough over the internet.

E.g:

ip nat inside source list 150 interface FastEthernet0 overload
!
access-list 150 permit ip 192.168.224.0 0.0.0.63 host 12.31.21.190

Regards.

MHM Cisco World
Advisor
Advisor

OMG, you already use different ACL. 
I notice it now. 

Hi, thank you, 

I can't rely on the counter because this is a single outside interface for multiple tunnels. I set an ICMP debug and ran a tracert directly from a server even though I know is not available on their side and I see that I do get to their peer IP but I get this error on the log. Haven't been able to configure a packet capture on the router.

C:\Documents and Settings\oper01>tracert 201.174.53.157

Tracing route to 201-174-53-157.transtelco.net [201.174.53.157]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 192.168.224.130
2 27 ms 34 ms 19 ms 201-174-17-237.transtelco.net [201.174.17.237]
3 10 ms 6 ms 8 ms 10.60.80.249
4 7 ms 26 ms 51 ms 201-174-252-156.transtelco.net [201.174.252.156]

5 2 ms 1 ms 1 ms 201-174-250-58.transtelco.net [201.174.250.58]
6 15 ms 15 ms 16 ms 201-174-250-167.transtelco.net [201.174.250.167]

7 31 ms 31 ms 31 ms 201-174-251-69.transtelco.net [201.174.251.69]
8 42 ms 45 ms 41 ms ustx-mca-pae.transtelco.net [201.174.254.210]
9 44 ms 44 ms 43 ms 201-174-250-184.transtelco.net [201.174.250.184]

10 58 ms 57 ms 58 ms 201-174-251-19.transtelco.net [201.174.251.19]
11 57 ms 57 ms 57 ms 201-174-53-154.transtelco.net [201.174.53.154]
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
16 * 201-174-53-154.transtelco.net [201.174.53.154] reports: Destination host unreachable.

Sep 23 17:34:45.497: No peer struct to get peer description
*Sep 23 17:34:45.913: No peer struct to get peer description

Regards.

MHM Cisco World
Advisor
Advisor

OMG, you already use different ACL, I see it now. 
My big mistake. 

Hi, 

Actually, there are three tunnels configured with this client, the 3 of them are located at different sites (country), each one in a different device, public NAT IP and ISP, and on my side different maps and ACLs over a single interface.

The only one I am having a problem with has the same provider as we do. I will ask our ISP if they have a static route for these and that is why is tacking the internet path and not the tunnel`s. Still, I will keep you posted

Regards