07-20-2017 02:36 PM
Hello Fellows,
I've been trying to make an SSH connection between two Linux machines (which are in different sites) over a tunnel.
I did all the settings, and pings are answered both ways, but I wasn't able to make SSH work and I'm not sure if it's a bad setting on my Cisco 2811 or what.
Considering:
Site A:
Srv_A (192.168.0.2)
|__ (f0/1: 192.168.0.1) Cisco 2811 (fa0/0 dhcp: 177.32.abc.def)
|__ Cable Modem (Bridged) ------ Internet ---- Fibre Modem
Site B: |
(lan: 192.168.10.1) Fortinet Router (wan: 187.11.zxy.wvq) ________|
Srv_B (192.168.10.14) ___________|
The tunnel shows up, and it works when I try to reach my Cisco router from any host on Site B.
It also works when I access the Cisco CLI and then Srv_A (from any host on Site B).
And from Site A, I can reach any host on Site B, but not the opposite way. So I thought it could be
some ACL that is wrong, but actually it's pretty simple, as described below:
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 passwd address 187.11.zxy.wvq
crypto isakmp keepalive 10
!
crypto ipsec transform-set fase_2 esp-3des esp-md5-hmac
!
crypto map yamer_map 10 ipsec-isakmp
 set peer 187.11.126.98
 set transform-set fase_2
 match address vpn-0
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map yamer_map
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip nat inside source list 100 interface FastEthernet0/0 overload
!
ip access-list extended vpn-0
 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
!
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
When I dump the packets on the hosts, this is what is shown (I wasn't able to conclude anything from it):
Source - Srv_B on Site B:
[root@yamerhdp ~]# tcpdump -i ens32 host 192.168.0.2 -vv
tcpdump: listening on ens32, link-type EN10MB (Ethernet), capture size 65535 bytes
06:54:23.059735 IP (tos 0x0, ttl 64, id 8137, offset 0, flags [DF], proto TCP (6), length 60)
yamerhdp.60568 > 192.168.0.2.ssh: Flags [S], cksum 0xd703 (correct), seq 2876973622, win 29200, options [mss 1460,sackOK,TS val 2055486975 ecr 0,nop,wscale 7], length 0
06:54:24.060031 IP (tos 0x0, ttl 64, id 8138, offset 0, flags [DF], proto TCP (6), length 60)
yamerhdp.60568 > 192.168.0.2.ssh: Flags [S], cksum 0xd31a (correct), seq 2876973622, win 29200, options [mss 1460,sackOK,TS val 2055487976 ecr 0,nop,wscale 7], length 0
06:54:26.064032 IP (tos 0x0, ttl 64, id 8139, offset 0, flags [DF], proto TCP (6), length 60)
yamerhdp.60568 > 192.168.0.2.ssh: Flags [S], cksum 0xcb46 (correct), seq 2876973622, win 29200, options [mss 1460,sackOK,TS val 2055489980 ecr 0,nop,wscale 7], length 0
06:54:30.068050 IP (tos 0x0, ttl 64, id 8140, offset 0, flags [DF], proto TCP (6), length 60)
yamerhdp.60568 > 192.168.0.2.ssh: Flags [S], cksum 0xbba2 (correct), seq 2876973622, win 29200, options [mss 1460,sackOK,TS val 2055493984 ecr 0,nop,wscale 7], length 0
06:54:38.084035 IP (tos 0x0, ttl 64, id 8141, offset 0, flags [DF], proto TCP (6), length 60)
yamerhdp.60568 > 192.168.0.2.ssh: Flags [S], cksum 0x9c52 (correct), seq 2876973622, win 29200, options [mss 1460,sackOK,TS val 2055502000 ecr 0,nop,wscale 7], length 0
06:54:54.100033 IP (tos 0x0, ttl 64, id 8142, offset 0, flags [DF], proto TCP (6), length 60)
yamerhdp.60568 > 192.168.0.2.ssh: Flags [S], cksum 0x5dc2 (correct), seq 2876973622, win 29200, options [mss 1460,sackOK,TS val 2055518016 ecr 0,nop,wscale 7], length 0
06:55:26.164038 IP (tos 0x0, ttl 64, id 8143, offset 0, flags [DF], proto TCP (6), length 60)
yamerhdp.60568 > 192.168.0.2.ssh: Flags [S], cksum 0xe081 (correct), seq 2876973622, win 29200, options [mss 1460,sackOK,TS val 2055550080 ecr 0,nop,wscale 7], length 0
Target - Srv_A on Site A:
srv_a:/home/user # tcpdump host 192.168.10.14 -vv
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
06:54:42.464743 IP (tos 0x0, ttl 62, id 8137, offset 0, flags [DF], proto TCP (6), length 60)
192.168.10.14.60568 > srv_a.yamer.com.br.ssh: Flags [S], cksum 0xd741 (correct), seq 2876973622, win 29200, options [mss 1398,sackOK,TS val 2055486975 ecr 0,nop,wscale 7], length 0
06:54:42.464791 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
srv_a.yamer.com.br.ssh > 192.168.10.14.60568: Flags [S.], cksum 0x8c36 (incorrect -> 0x6811), seq 2736353822, ack 2876973623, win 28960, options [mss 1460,sackOK,TS val 355222893 ecr 2055486975,nop,wscale 7], length 0
06:54:43.460984 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
srv_a.yamer.com.br.ssh > 192.168.10.14.60568: Flags [S.], cksum 0x8c36 (incorrect -> 0x6717), seq 2736353822, ack 2876973623, win 28960, options [mss 1460,sackOK,TS val 355223143 ecr 2055486975,nop,wscale 7], length 0
06:54:43.464691 IP (tos 0x0, ttl 62, id 8138, offset 0, flags [DF], proto TCP (6), length 60)
192.168.10.14.60568 > srv_a.yamer.com.br.ssh: Flags [S], cksum 0xd358 (correct), seq 2876973622, win 29200, options [mss 1398,sackOK,TS val 2055487976 ecr 0,nop,wscale 7], length 0
06:54:43.464708 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
srv_a.yamer.com.br.ssh > 192.168.10.14.60568: Flags [S.], cksum 0x8c36 (incorrect -> 0x6717), seq 2736353822, ack 2876973623, win 28960, options [mss 1460,sackOK,TS val 355223143 ecr 2055486975,nop,wscale 7], length 0
06:54:45.461041 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
srv_a.yamer.com.br.ssh > 192.168.10.14.60568: Flags [S.], cksum 0x8c36 (incorrect -> 0x6523), seq 2736353822, ack 2876973623, win 28960, options [mss 1460,sackOK,TS val 355223643 ecr 2055486975,nop,wscale 7], length 0
06:54:45.468989 IP (tos 0x0, ttl 62, id 8139, offset 0, flags [DF], proto TCP (6), length 60)
192.168.10.14.60568 > srv_a.yamer.com.br.ssh: Flags [S], cksum 0xcb84 (correct), seq 2876973622, win 29200, options [mss 1398,sackOK,TS val 2055489980 ecr 0,nop,wscale 7], length 0
06:55:13.489058 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
srv_a.yamer.com.br.ssh > 192.168.10.14.60568: Flags [S.], cksum 0x8c36 (incorrect -> 0x49c4), seq 2736353822, ack 2876973623, win 28960, options [mss 1460,sackOK,TS val 355230650 ecr 2055486975,nop,wscale 7], length 0
06:55:13.504681 IP (tos 0x0, ttl 62, id 8142, offset 0, flags [DF], proto TCP (6), length 60)
192.168.10.14.60568 > srv_a.yamer.com.br.ssh: Flags [S], cksum 0x5e00 (correct), seq 2876973622, win 29200, options [mss 1398,sackOK,TS val 2055518016 ecr 0,nop,wscale 7], length 0
06:55:13.504701 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
srv_a.yamer.com.br.ssh > 192.168.10.14.60568: Flags [S.], cksum 0x8c36 (incorrect -> 0x49c1), seq 2736353822, ack 2876973623, win 28960, options [mss 1460,sackOK,TS val 355230653 ecr 2055486975,nop,wscale 7], length 0
06:55:45.568861 IP (tos 0x0, ttl 62, id 8143, offset 0, flags [DF], proto TCP (6), length 60)
192.168.10.14.60568 > srv_a.yamer.com.br.ssh: Flags [S], cksum 0xe0bf (correct), seq 2876973622, win 29200, options [mss 1398,sackOK,TS val 2055550080 ecr 0,nop,wscale 7], length 0
06:55:45.568888 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
srv_a.yamer.com.br.ssh > 192.168.10.14.60568: Flags [S.], cksum 0x8c36 (incorrect -> 0xc853), seq 3722355444, ack 2876973623, win 28960, options [mss 1460,sackOK,TS val 355238669 ecr 2055550080,nop,wscale 7], length 0
06:55:46.564981 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
srv_a.yamer.com.br.ssh > 192.168.10.14.60568: Flags [S.], cksum 0x8c36 (incorrect -> 0xc759), seq 3722355444, ack 2876973623, win 28960, options [mss 1460,sackOK,TS val 355238919 ecr 2055550080,nop,wscale 7], length 0
06:55:48.565019 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
srv_a.yamer.com.br.ssh > 192.168.10.14.60568: Flags [S.], cksum 0x8c36 (incorrect -> 0xc565), seq 3722355444, ack 2876973623, win 28960, options [mss 1460,sackOK,TS val 355239419 ecr 2055550080,nop,wscale 7], length 0
06:55:52.565033 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
srv_a.yamer.com.br.ssh > 192.168.10.14.60568: Flags [S.], cksum 0x8c36 (incorrect -> 0xc17d), seq 3722355444, ack 2876973623, win 28960, options [mss 1460,sackOK,TS val 355240419 ecr 2055550080,nop,wscale 7], length 0
06:56:00.565021 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
srv_a.yamer.com.br.ssh > 192.168.10.14.60568: Flags [S.], cksum 0x8c36 (incorrect -> 0xb9ad), seq 3722355444, ack 2876973623, win 28960, options [mss 1460,sackOK,TS val 355242419 ecr 2055550080,nop,wscale 7], length 0
06:56:16.565027 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
srv_a.yamer.com.br.ssh > 192.168.10.14.60568: Flags [S.], cksum 0x8c36 (incorrect -> 0xaa0d), seq 3722355444, ack 2876973623, win 28960, options [mss 1460,sackOK,TS val 355246419 ecr 2055550080,nop,wscale 7], length 0
Seems like something is wrong with the checksum (I'm not sure if it's ESP/IPsec validation or what).
And here is the VPN state:
yamer-rt#sh crypto isak sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1001 177.32.abc.def 187.11.zxy.wvq ACTIVE des md5 psk 2 23:56:02 D
Engine-id:Conn-id = SW:1
IPv6 Crypto ISAKMP SA
yamer-rt#sh cryp ipsec sa det
interface: FastEthernet0/0
Crypto map tag: yamer_map, local addr 177.32.abc.def
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer 187.11.zxy.wvq port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 177.32.abc.def, remote crypto endpt.: 187.11.zxy.wvq
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer 187.11.zxy.wvq port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
#pkts decaps: 32, #pkts decrypt: 32, #pkts verify: 32
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: 177.32.abc.def, remote crypto endpt.: 187.11.zxy.wvq
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x140B0626(336266790)
PFS (Y/N): Y, DH group: group5
inbound esp sas:
spi: 0x8B11CB28(2333199144)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: NETGX:1, sibling_flags 80000046, crypto map: yamer_map
sa timing: remaining key lifetime (k/sec): (4425403/3492)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x140B0626(336266790)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: NETGX:2, sibling_flags 80000046, crypto map: yamer_map
sa timing: remaining key lifetime (k/sec): (4425405/3492)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
yamer-rt#
Does anyone have any idea what's happening?
Also, when I try to debug crypto, the router doesn't print anything on the console.
Tks !!
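Added example, not part of the original post: a small Python script that pairs the two captures above (client side on Srv_B, server side on Srv_A) and reports where each TCP handshake stops; the sample lines, the alias map and the verdict strings are constructed from the addresses in the post.

```python
import re
from collections import defaultdict

# Matches the per-flow line of `tcpdump -vv` output: "src.sport > dst.dport: Flags [..]"
FLOW_RE = re.compile(
    r"^\s*(?P<src>\S+?)\.(?P<sport>\w+) > (?P<dst>\S+?)\.(?P<dport>\w+): Flags \[(?P<flags>[^\]]+)\]")

# Constructed sample captures in the post's format: Srv_B (client) side and Srv_A (server) side.
CLIENT_CAP = """\
06:54:23.059735 IP (tos 0x0, ttl 64, id 8137, offset 0, flags [DF], proto TCP (6), length 60)
    yamerhdp.60568 > 192.168.0.2.ssh: Flags [S], cksum 0xd703 (correct), seq 2876973622, win 29200, length 0
"""
SERVER_CAP = """\
06:54:42.464743 IP (tos 0x0, ttl 62, id 8137, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.10.14.60568 > srv_a.yamer.com.br.ssh: Flags [S], cksum 0xd741 (correct), seq 2876973622, win 29200, length 0
06:54:42.464791 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    srv_a.yamer.com.br.ssh > 192.168.10.14.60568: Flags [S.], cksum 0x8c36 (incorrect -> 0x6811), seq 2736353822, ack 2876973623, win 28960, length 0
"""
# Each side resolves names differently, so normalise hostnames to IPs before comparing flows.
ALIASES = {"yamerhdp": "192.168.10.14", "srv_a.yamer.com.br": "192.168.0.2"}

def parse_flows(capture, aliases):
    """Map (src, sport, dst, dport) -> set of TCP flag strings seen for that flow."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = FLOW_RE.match(line)  # the "IP (tos ...)" header lines do not match and are skipped
        if m:
            src, dst = aliases.get(m["src"], m["src"]), aliases.get(m["dst"], m["dst"])
            seen[(src, m["sport"], dst, m["dport"])].add(m["flags"])
    return seen

def diagnose(client_cap, server_cap, aliases=ALIASES):
    """For every SYN the client sent, compare both ends and say where the handshake stops."""
    client, server = parse_flows(client_cap, aliases), parse_flows(server_cap, aliases)
    verdicts = {}
    for fwd, flags in client.items():
        if "S" not in flags:
            continue
        rev = (fwd[2], fwd[3], fwd[0], fwd[1])  # the server's reply direction
        if "S" not in server.get(fwd, set()):
            verdicts[fwd] = "syn never reached server: forward path"
        elif "S." not in server.get(rev, set()):
            verdicts[fwd] = "no syn-ack from server: service or host firewall"
        elif "S." not in client.get(rev, set()):
            verdicts[fwd] = "syn-ack sent by server but never seen at client: return path"
        else:
            verdicts[fwd] = "syn-ack reached client"
    return verdicts
```

On the captures above it reports that Srv_A's SYN-ACK never reaches Srv_B, which points at the return path rather than at Srv_A itself. The "incorrect" checksum on Srv_A's outbound SYN-ACKs is expected when TX checksum offload is enabled, because tcpdump sees the packet before the NIC fills the checksum in.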