10-25-2017 10:14 PM - edited 03-12-2019 04:39 AM
Pulling my hair out on this one. I think it is something fairly simple but damned if I can see it. Site to Site VPN, IPSec, Cisco 881 to a Watchguard. On the Cisco end, the tunnel is up, phase 1 and 2 active, I can see packets being decrypted but none encrypted. Which sounds like a routing issue but I believe I have ticked all the right boxen. Maybe someone out there can see what I can't :(
/* usual intro stuff cut */
!
ip domain name boogle
ip name-server 192.168.1.254
ip cef
ipv6 unicast-routing
no ipv6 cef
!
!
multilink bundle-name authenticated
cts logging verbose
license udi pid CISCO881-SEC-K9 sn ***********
!
!
username bozo privilege 15 secret 5 $1$6/zl$iYfxXXTI076LYSS.BQWDX/
!
ip tcp synwait-time 10
ip ssh port 8899 rotary 88
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ********** address REMOTE_ROUTER_IP
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set vpn esp-aes 256 esp-sha-hmac
mode tunnel
!
!
crypto map toperth 1 ipsec-isakmp
description tunnel_to_perth
set peer REMOTE_ROUTER_IP
set security-association lifetime kilobytes 1280000
set security-association lifetime seconds 86400
set transform-set vpn
match address 100
reverse-route
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description "WAN Interface"
ip address LOCAL_IP 255.255.255.252
ip flow ingress
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
crypto map toperth
!
interface Vlan1
description "default subnet Boogle"
ip address 192.168.1.1 255.255.255.0
ip helper-address 192.168.1.254
ip flow ingress
ip nat inside
ip virtual-reassembly in
no ip route-cache
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
no ip nat service sip udp port 5060
ip nat pool PAT_POOL1 192.168.1.254 192.168.1.254 netmask 255.255.255.0 type rotary
ip nat inside source list NAT_ACL interface FastEthernet4 overload
ip nat inside source route-map NONAT_NAT interface FastEthernet4 overload
ip nat inside destination list PORT_FORWARDING_1 pool PAT_POOL1
ip route 0.0.0.0 0.0.0.0 ISP_GATEWAY
!
ip access-list extended INSIDE_ACCESS_IN
remark ** Permit all other traffic **
permit ip any any
!
ip access-list extended NAT_ACL
deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended PORT_FORWARDING_1
permit tcp any any eq 8849
!
ip access-list extended nonat_nat
remark ** NAT local network to Internet **
permit ip 192.168.1.0 0.0.0.255 any
!
logging trap debugging
!
route-map NONAT_NAT permit 1
match ip address nonat_nat
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.2
!
!
/* usual tail stuff cut */
10-25-2017 11:59 PM
Hi,
I do not see why you need this command:
ip nat inside source route-map NONAT_NAT interface FastEthernet4 overload
It is a kind of duplicate which does not do any good. Please remove it and test again.
HTH,
Meheretab
10-26-2017 12:11 AM
10-26-2017 12:15 AM
Could you also test by changing it to "transport mode"?
crypto ipsec transform-set vpn esp-aes 256 esp-sha-hmac
mode transport
!
HTH,
Meheretab
10-26-2017 12:17 AM
Is this line intentional?
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.2
Or, were you planning to run as follows:
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
HTH,
Meheretab
10-26-2017 12:21 AM
permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255 is correct - just a typo as I was cleaning up the config for publication.
To make it a bit more readable, I changed the access-lists and so on to NAMES rather than numbers. Cleaned code is below (besides the obvious cleansings, it is the current live version).
ip domain name bongle
ip name-server 192.168.1.254
ip cef
ipv6 unicast-routing
no ipv6 cef
!
multilink bundle-name authenticated
cts logging verbose
license udi pid CISCO881-SEC-K9 sn FHK145076PK
!
username bozo privilege 15 secret 5 ********************
!
ip tcp synwait-time 10
ip ssh port 8899 rotary 88
ip ssh version 2
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ********** address REMOTE_IP
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set VPN_SET esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto map toperth 1 ipsec-isakmp
description tunnel_to_perth
set peer REMOTE_IP
set security-association lifetime kilobytes 1280000
set security-association lifetime seconds 86400
set transform-set VPN_SET
match address VPN_LAN
!
interface FastEthernet0
switchport mode trunk
no ip address
!
interface FastEthernet1
switchport mode trunk
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description "WAN Interface"
ip address LOCAL_IP 255.255.255.252
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map toperth
!
interface Vlan1
description "default subnet bongle"
ip address 192.168.1.1 255.255.255.0
ip helper-address 192.168.1.254
ip flow ingress
ip nat inside
ip virtual-reassembly in
no ip route-cache
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
no ip nat service sip udp port 5060
ip nat pool PAT_POOL1 192.168.1.254 192.168.1.254 netmask 255.255.255.0 type rotary
ip nat inside source list NAT_ACL interface FastEthernet4 overload
ip nat inside destination list PORT_FORWARDING_1 pool PAT_POOL1
ip route 0.0.0.0 0.0.0.0 ISP_GATEWAY
!
ip access-list extended NAT_ACL
permit ip 192.168.1.0 0.0.0.255 any
deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
ip access-list extended PORT_FORWARDING_1
permit tcp any any eq 8849
ip access-list extended VPN_LAN
permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
10-26-2017 12:28 AM
Please change the ACL as follows (order matters):
ip access-list extended NAT_ACL
deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!
Also, test by changing to "transport" mode on both sides.
HTH,
Meheretab
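One way to see why the order matters, as an added example that is not code from the thread or from Cisco: a small Python model of first-match extended ACL evaluation with Cisco wildcard masks, applying the inside-to-outside NAT step before the crypto map check, which is the order IOS uses on the egress path. The WAN address 192.0.2.2 is a constructed stand-in for LOCAL_IP.

```python
import ipaddress
# Added example (not the thread's or Cisco's code): first-match evaluation of
# Cisco-style extended "ip" ACEs, modelling NAT_ACL order versus the crypto map.

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def _wild_match(addr, spec):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, spec[0], spec[1]))
    return (a & ~w) == (n & ~w)

def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines; remarks, '!' and other lines are skipped."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
            continue
        src, rest = _parse_addr(tok[2:])
        dst, _ = _parse_addr(rest)
        aces.append((tok[0], src, dst))
    return aces

def acl_permits(aces, src, dst):
    """Evaluate top-down, first match wins, implicit deny at the end."""
    for action, s, d in aces:
        if _wild_match(src, s) and _wild_match(dst, d):
            return action == "permit"
    return False

def egress(nat_acl, crypto_acl, src, dst, wan_ip):
    """Outbound order on the 881: inside->outside NAT runs before the crypto map check.
    Returns (source address as seen by the crypto map, encrypted?)."""
    if acl_permits(nat_acl, src, dst):
        src = wan_ip  # PAT overload rewrites the source to the FastEthernet4 address
    return src, acl_permits(crypto_acl, src, dst)

# Constructed inputs copied from the thread's ACLs; WAN_IP stands in for LOCAL_IP.
WAN_IP = "192.0.2.2"
CRYPTO_VPN_LAN = parse_acl("permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255")
NAT_BROKEN = parse_acl("permit ip 192.168.1.0 0.0.0.255 any\n"
                       "deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255")
NAT_FIXED = parse_acl("deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255\n"
                      "permit ip 192.168.1.0 0.0.0.255 any")
```

With NAT_BROKEN a LAN-to-Perth packet is translated to the WAN address first, so it no longer matches VPN_LAN and is sent in the clear (the 0 encaps in show crypto ipsec sa); with NAT_FIXED the deny wins first and the packet reaches the crypto map untouched.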
10-26-2017 12:34 AM
Reordering the NAT_ACL was the solution. Well done and thank you. I will now go outside and hide in a corner.
Thanks again my friend. Yes, order does matter
10-26-2017 12:37 AM
10-26-2017 12:30 AM
Changed mode from tunnel to transport, cleared the cry sessions and pushed some interesting traffic across
:(
interface: FastEthernet4
Crypto map tag: toperth, local addr LOCAL_IP
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
current_peer REMOTE_IP port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: LOCAL_IP, remote crypto endpt.: REMOTE_IP
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x9E8F054C(2660173132)
PFS (Y/N): N, DH group: none