VPN on ASR 1002

Jean-Marc Tetu
Level 1

Hello

Excuse my very bad English.
I am trying to configure an IPsec VPN with dVTI on an ASR 1002 (IOS image: asr1000rp1-adventerprisek9.02.06.02.122-33.XNF2.bin).
My client is Cisco VPN Client version 5 (on XP).

my configuration:

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient
key xxxx
dns xx.xx.xx.xx
pool vpnpool
acl 130
save-password
crypto isakmp profile red
   match identity group xxxx
   client authentication list local_auth
   isakmp authorization list groupauthor
   client configuration address respond
   virtual-template 3
!        
!        
crypto ipsec transform-set myset esp-aes 256 esp-md5-hmac comp-lzs
crypto ipsec transform-set myset2 esp-aes 256 esp-md5-hmac
no crypto ipsec default transform-set
!        
crypto ipsec profile nvp0
set transform-set myset2

interface GigabitEthernet0/0/2.809
description Vlan Interco_xxx
encapsulation dot1Q 809
ip address ip_interface_asr 255.255.255.240
ip nat outside
ip flow ingress
ip flow egress
ip virtual-reassembly
zone-member security Internet
no ip route-cache

interface Loopback0
  ip address 192.168.10.1 255.255.255.255

interface Virtual-Template3 type tunnel
ip unnumbered Loopback0
ip virtual-reassembly
zone-member security Salsa
tunnel mode ipsec ipv4
tunnel protection ipsec profile nvp0


ip local pool vpnpool 192.168.10.2 192.168.10.30


access-list 130 permit ip 10.99.0.0 0.0.255.255 192.168.10.0 0.0.0.255

access-list 130 ....



Well, I first tried with a real interface (not a loopback).

I have the same (not exactly the same, but very similar) config on a 7200, and it works fine on that model.

As you can see, we use the zone-based firewall.

Now, some output from show commands:

asr1002#show crypto engine brief

        crypto engine name:  Cisco VPN Software Implementation
        crypto engine type:  software
             serial number:  7xxx
       crypto engine state:  installed
     crypto engine in slot:  N/A

I connect my client:

asr1002#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
ip_interface_asr  ip_pc_client  QM_IDLE          22053 ACTIVE

IPv6 Crypto ISAKMP SA

asr1002#show crypto engine connections active
Crypto Engine Connection

   ID Interface       Type  Algorithm           Encrypt  Decrypt IP-Address
2105 Gi0/0/2.809     IPsec AES256+MD5                0        0 ip_interface_asr
2106 Gi0/0/2.809     IPsec AES256+MD5                0        0 ip_interface_asr
22053 Gi0/0/2.809     IKE   SHA+AES256                0        0 ip_interface_asr

==> it seems good.

asr1002#show crypto ipsec sa

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr ip_interface_asr

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.19/255.255.255.255/0/0)
   current_peer ip_pc_client port 1040
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: ip_interface_asr, remote crypto endpt.: ip_pc_client
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/2.809
     current outbound spi: 0x82E3AD79(2195959161)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x68466ADD(1749445341)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2105, flow_id: :105, sibling_flags 80000040, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4598649/3372)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x82E3AD79(2195959161)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2106, flow_id: :106, sibling_flags 80000040, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4598649/3372)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

asr1002#show ip route 192.168.10.19
Routing entry for 192.168.10.19/32
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * ip_pc_client, via Virtual-Access2
      Route metric is 0, traffic share count is 1

asr1002#show running-config interface Virtual-Access2
Building configuration...

Current configuration : 248 bytes
!
interface Virtual-Access2
ip virtual-reassembly
zone-member security Salsa
tunnel source ip_interface_asr
tunnel mode ipsec ipv4
tunnel destination ip_pc_client
tunnel protection ipsec profile nvp0
no tunnel protection ipsec initiate
end


==> it seems very good!

But my traffic in the IPsec tunnel is intercepted. If I ping from the PC, Wireshark captures some responses, but with source IP Loopback0 (192.168.10.1) and info: Destination unreachable (Communication administrative filtered).

The VPN client statistics show good Encrypt/Decrypt counters.

But "show crypto engine connections active" always shows 0 for Encrypt and Decrypt.

If I ping the IP given to the VPN client (192.168.10.19) from the ASR, the client PC receives the packets. But:


asr1002#ping 192.168.10.15                   

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.15, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

A last show command:

show crypto mib ipsec flowmib tunnel

....

....

Index:                       53       
  Local address:               ip_asr_interface
  Remote address:             ip_pc_client
  IPSEC keying:                IKE
  Encapsulation mode:          1        
  Lifetime (KB):               4608000  
  Lifetime (Sec):              3600     
  Active time:                 00:18:45
  Lifetime threshold (KB):     64       
  Lifetime threshold (Sec):    10       
  Total number of refreshes:   0        
  Expired SA instances:        0        
  Current SA instances:        2        
  In SA DH group:              1
  In sa encrypt algorithm:     None
  In SA AH auth algorithm:     None
  In SA ESP auth algo:         ESP_HMAC_MD5
  In SA uncompress algorithm:  None
  Out SA DH group:             1
  Out SA encryption algorithm: None
  Out SA auth algorithm:       None
  Out SA ESP auth algorithm:   ESP_HMAC_MD5
  Out SA uncompress algorithm: None
  In octets:                   960
  Decompressed octets:         960
  In packets:                  16       
  In drops:                    0        
  In replay drops:             0        
  In authentications:          16       
  In authentication failures:  0        
  In decrypts:                 16       
  In decrypt failures:         0        
  Out octets:                  1896
  Out uncompressed octets:     1896
  Out packets:                 26       
  Out drops:                   0        
  Out authentications:         26       
  Out authentication failures: 0        
  Out encryptions:             26       
  Out encryption failures:     0        
  Compressed octets:           0
  Decompressed octets:         0
  Out uncompressed octets:     0

==> Now, my question: does somebody have any idea?

Thanks for your interest!

JMT

1 Reply

Jean-Marc Tetu
Level 1

I made some progress:

When I remove split tunnelling (delete this line from my config: acl 130), it works much better.

Well, now the question: is it possible to do split tunnelling on an ASR (IOS 12.2-33.XNF2)?
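The thread turns on the split-tunnel ACL (acl 130) and the address pool vpnpool. A sanity check worth running before blaming the platform is whether every pool address is actually selected by the ACL's destination wildcard; this added example (not from the thread or from Cisco) parses the posted ip local pool and access-list lines, applies IOS wildcard-mask semantics, and reports pool addresses no permit entry covers. The narrower ACL in CONFIG_NARROW is constructed to show the failure case; only the base/wildcard ACE form used in the thread is handled.

```python
import ipaddress
import re

# Constructed from the thread's config (the elided "access-list 130 ...." line is omitted).
CONFIG_POSTED = """\
ip local pool vpnpool 192.168.10.2 192.168.10.30
access-list 130 permit ip 10.99.0.0 0.0.255.255 192.168.10.0 0.0.0.255
"""

# Constructed misconfiguration: destination wildcard only covers .0-.15,
# so clients assigned .16-.30 (e.g. the thread's 192.168.10.19) are left out.
CONFIG_NARROW = """\
ip local pool vpnpool 192.168.10.2 192.168.10.30
access-list 130 permit ip 10.99.0.0 0.0.255.255 192.168.10.0 0.0.0.15
"""

ACE_RE = re.compile(r"access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)")
POOL_RE = re.compile(r"ip local pool (\S+) (\S+) (\S+)")


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0


def parse_config(text):
    """Collect (acl, action, src, src_wc, dst, dst_wc) tuples and pool ranges."""
    aces, pools = [], {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append(m.groups())
            continue
        m = POOL_RE.match(line.strip())
        if m:
            name, lo, hi = m.groups()
            pools[name] = (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
    return aces, pools


def uncovered_pool_addresses(text, acl_id, pool_name):
    """Pool addresses that no permit entry of the split-tunnel ACL names as
    destination; traffic for such clients would not be selected for the tunnel."""
    aces, pools = parse_config(text)
    lo, hi = pools[pool_name]
    permits = [(dst, dw) for num, action, _, _, dst, dw in aces
               if num == acl_id and action == "permit"]
    addrs = (lo + i for i in range(int(hi) - int(lo) + 1))
    return [str(a) for a in addrs
            if not any(wildcard_match(str(a), dst, dw) for dst, dw in permits)]
```

Run `uncovered_pool_addresses(CONFIG_POSTED, "130", "vpnpool")` to confirm the posted ACL covers the whole pool; the narrow variant returns the fifteen addresses from .16 to .30.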