cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
10389
Views
0
Helpful
9
Replies

VPN can decap but no encaps

arwanadesign
Beginner
Beginner

Pulling my hair out on this one. I think it is something fairly simple but damned if I can see it. Site to Site VPN, IPSec, Cisco 881 to a Watchguard. On the Cisco end, the tunnel is up, phase 1 and 2 active, I can see packets being decrypted but none encrypted. Which sounds like a routing issue but I believe I have ticked all the right boxen. maybe someone out there can see what I cant :(

 

/* usual intro stuff cut */
!
ip domain name boogle
ip name-server 192.168.1.254
ip cef
ipv6 unicast-routing
no ipv6 cef
!
!
multilink bundle-name authenticated
cts logging verbose
license udi pid CISCO881-SEC-K9 sn ***********
!
!
username bozo privilege 15 secret 5 $1$6/zl$iYfxXXTI076LYSS.BQWDX/
!
ip tcp synwait-time 10
ip ssh port 8899 rotary 88
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ********** address REMOTE_ROUTER_IP
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set vpn esp-aes 256 esp-sha-hmac
mode tunnel
!
!
crypto map toperth 1 ipsec-isakmp
description tunnel_to_perth
set peer REMOTE_ROUTER_IP
set security-association lifetime kilobytes 1280000
set security-association lifetime seconds 86400
set transform-set vpn
match address 100
reverse-route
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description "WAN Interface"
ip address LOCAL_IP 255.255.255.252
ip flow ingress
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
crypto map toperth
!
interface Vlan1
description "default subnet Boogle"
ip address 192.168.1.1 255.255.255.0
ip helper-address 192.168.1.254
ip flow ingress
ip nat inside
ip virtual-reassembly in
no ip route-cache
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
no ip nat service sip udp port 5060
ip nat pool PAT_POOL1 192.168.1.254 192.168.1.254 netmask 255.255.255.0 type rotary
ip nat inside source list NAT_ACL interface FastEthernet4 overload
ip nat inside source route-map NONAT_NAT interface FastEthernet4 overload
ip nat inside destination list PORT_FORWARDING_1 pool PAT_POOL1
ip route 0.0.0.0 0.0.0.0 ISP_GATEWAY
!
ip access-list extended INSIDE_ACCESS_IN
remark ** Permit all other traffic **
permit ip any any
!
ip access-list extended NAT_ACL
deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended PORT_FORWARDING_1
permit tcp any any eq 8849
!
ip access-list extended nonat_nat
remark ** NAT local network to Internet **
permit ip 192.168.1.0 0.0.0.255 any
!
logging trap debugging
!
route-map NONAT_NAT permit 1
match ip address nonat_nat
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.2
!
!
/* usual tail stuff cut */

1 Accepted Solution

Accepted Solutions

Please change the ACL as follows (order matter):-

ip access-list extended NAT_ACL
deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255

permit ip 192.168.1.0 0.0.0.255 any

!

 

Also, test by changing to "transport" mode on both sides.

 

HTH,

Meheretab

HTH,
Meheretab

View solution in original post

9 Replies 9

Meheretab Mengistu
Rising star
Rising star

Hi,

 

I do not see why you need this command:
ip nat inside source route-map NONAT_NAT interface FastEthernet4 overload

 

It is a kind of duplicate which does not do any good. Please remove it and test again. 

 

HTH,
Meheretab

HTH,
Meheretab

Agreed. In a weird bit of synchronicity, I just pulled it out as I received your mail.
Still no encaps:
interface: FastEthernet4
Crypto map tag: toperth, local addr LOCAL_IP

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
current_peer REMOTE_IP port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 61, #pkts decrypt: 61, #pkts verify: 61
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

Could you also test by changing it to "transport mode"?

 

crypto ipsec transform-set vpn esp-aes 256 esp-sha-hmac
mode transport
!

 

HTH,

Meheretab

HTH,
Meheretab

Is this line intentional?

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.2

 

Or, were you planning to run as follows:

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255

 

HTH,

Meheretab

HTH,
Meheretab

 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255 is correct - just a typo as I was cleaning up the config for publication.

To make it a bit more readable, I changed the access-lists and so on to NAMES rather than numbers. Cleaned code is below (besides the obvious cleansings, it is the current live version)

ip domain name bongle
ip name-server 192.168.1.254
ip cef
ipv6 unicast-routing
no ipv6 cef
!
multilink bundle-name authenticated
cts logging verbose
license udi pid CISCO881-SEC-K9 sn FHK145076PK
!
username bozo privilege 15 secret 5 ********************
!
ip tcp synwait-time 10
ip ssh port 8899 rotary 88
ip ssh version 2
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ********** address REMOTE_IP
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set VPN_SET esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto map toperth 1 ipsec-isakmp
description tunnel_to_perth
set peer REMOTE_IP
set security-association lifetime kilobytes 1280000
set security-association lifetime seconds 86400
set transform-set VPN_SET
match address VPN_LAN
!
interface FastEthernet0
switchport mode trunk
no ip address
!
interface FastEthernet1
switchport mode trunk
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description "WAN Interface"
ip address LOCAL_IP 255.255.255.252
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map toperth
!
interface Vlan1
description "default subnet bongle"
ip address 192.168.1.1 255.255.255.0
ip helper-address 192.168.1.254
ip flow ingress
ip nat inside
ip virtual-reassembly in
no ip route-cache
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
no ip nat service sip udp port 5060
ip nat pool PAT_POOL1 192.168.1.254 192.168.1.254 netmask 255.255.255.0 type rotary
ip nat inside source list NAT_ACL interface FastEthernet4 overload
ip nat inside destination list PORT_FORWARDING_1 pool PAT_POOL1
ip route 0.0.0.0 0.0.0.0 ISP_GATEWAY
!
ip access-list extended NAT_ACL
permit ip 192.168.1.0 0.0.0.255 any
deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
ip access-list extended PORT_FORWARDING_1
permit tcp any any eq 8849
ip access-list extended VPN_LAN
permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255

Please change the ACL as follows (order matter):-

ip access-list extended NAT_ACL
deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255

permit ip 192.168.1.0 0.0.0.255 any

!

 

Also, test by changing to "transport" mode on both sides.

 

HTH,

Meheretab

HTH,
Meheretab

reordering the NAT_ACL was the solution. Well done and thank you. I will now go outside and hide in a corner.

 

Thanks again my friend. Yes, order does matter

You are very welcome : )
I'm glad to help!

HTH,
Meheretab

 

Changed mode from tunnel to transport, cleared the cry sessions and pushed some interesting traffic across

:(


interface: FastEthernet4
    Crypto map tag: toperth, local addr LOCAL_IP

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
   current_peer REMOTE_IP port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: LOCAL_IP, remote crypto endpt.: REMOTE_IP
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x9E8F054C(2660173132)
     PFS (Y/N): N, DH group: none

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: