7865 Views, 0 Helpful, 8 Replies

Want to see traffic going over the tunnel

I have an IKEv2 definition that looks like it is working. I have line/protocol up.

I am on my router where my tunnel to Google is. The tunnel is also there. I can ping Google from there, but I am unsure it's going out the tunnel and not just the internet connection. I do not see any counters increasing on my router. How can I make sure the packets are traveling down the tunnel?

8 Replies

joseph.williams@atos.net 

Run the command "show crypto ipsec sa" and check first of all that you have IPsec SAs formed, then check that the encaps/decaps counters are increasing. If you have both, then the traffic is going over the VPN tunnel.

 

HTH
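The check above is a before/after comparison of the encaps/decaps counters, so it is worth automating when you are testing several tunnels. The following Python is an added example, not code from the thread or from Cisco: it parses "show crypto ipsec sa" output, counts the ESP SPIs (no SPI lines means no phase-2 SA), and interprets the counter deltas between two snapshots. The first sample is trimmed from the output posted above; the second and third snapshots are constructed assumptions (five pings sent, and a tunnel whose SA never came up).

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed samples. SNAP_BEFORE is trimmed from the "show crypto ipsec sa"
# output posted in the thread (all counters zero). SNAP_AFTER is an assumed
# second snapshot taken after five pings went into the tunnel. SNAP_NO_SA is an
# assumed output for a tunnel whose IPsec SA never negotiated.
SNAP_BEFORE = """\
interface: Tunnel90
    Crypto map tag: Tunnel90-head-0, local addr 192.90.181.201

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 35.236.234.135 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

     inbound esp sas:
      spi: 0x7D1E6C6E(2099145838)
        Status: ACTIVE(ACTIVE)

     outbound esp sas:
      spi: 0xF7614EF(259396847)
        Status: ACTIVE(ACTIVE)
"""
SNAP_AFTER = SNAP_BEFORE.replace("#pkts encaps: 0", "#pkts encaps: 5").replace(
    "#pkts decaps: 0", "#pkts decaps: 5")
SNAP_NO_SA = SNAP_BEFORE.split("inbound esp sas:")[0] + "inbound esp sas:\n\n     outbound esp sas:\n"


@dataclass
class IpsecSaStats:
    interface: str
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int
    esp_spis: int  # ESP SPIs listed; 0 means no phase-2 SA exists for this peer


def parse_ipsec_sa(output: str) -> dict[str, IpsecSaStats]:
    """Parse 'show crypto ipsec sa' into per-interface stats (one block per 'interface:' line)."""
    stats: dict[str, IpsecSaStats] = {}
    for block in re.split(r"(?m)^\s*interface:\s*", output)[1:]:
        iface = block.split("\n", 1)[0].strip()

        def count(pattern: str) -> int:
            m = re.search(pattern, block)
            return int(m.group(1)) if m else 0

        peer = re.search(r"current_peer\s+(\S+)", block)
        stats[iface] = IpsecSaStats(
            interface=iface,
            peer=peer.group(1) if peer else "unknown",
            encaps=count(r"#pkts encaps:\s*(\d+)"),
            decaps=count(r"#pkts decaps:\s*(\d+)"),
            send_errors=count(r"#send errors\s*(\d+)"),
            recv_errors=count(r"#recv errors\s*(\d+)"),
            # only lines that begin with 'spi:' belong to an SA; 'current outbound spi:' does not match
            esp_spis=len(re.findall(r"(?m)^\s*spi:\s*0x[0-9A-Fa-f]+", block)),
        )
    return stats


def tunnel_verdict(before: IpsecSaStats, after: IpsecSaStats) -> str:
    """Interpret two snapshots taken around a test (for example, pinging the peer's tunnel IP)."""
    if after.esp_spis == 0:
        return "no IPsec SA: phase 2 never completed, so nothing can be encrypted yet"
    sent = after.encaps - before.encaps
    rcvd = after.decaps - before.decaps
    errs = (after.send_errors - before.send_errors) + (after.recv_errors - before.recv_errors)
    if errs:
        return f"SA errors increased by {errs}: check MTU/fragmentation and the peer's selectors"
    if sent > 0 and rcvd > 0:
        return f"traffic is using the tunnel (+{sent} encaps, +{rcvd} decaps)"
    if sent > 0:
        return f"one-way only (+{sent} encaps, no decaps): peer drops or routes replies elsewhere"
    return "counters flat: the test traffic is not being routed into this tunnel"


def compare_snapshots(before_txt: str, after_txt: str) -> dict[str, str]:
    """Verdict per interface; an interface absent from the first snapshot is treated as delta zero."""
    before, after = parse_ipsec_sa(before_txt), parse_ipsec_sa(after_txt)
    return {iface: tunnel_verdict(before.get(iface, after[iface]), after[iface]) for iface in after}


if __name__ == "__main__":
    for iface, verdict in compare_snapshots(SNAP_BEFORE, SNAP_AFTER).items():
        print(f"{iface}: {verdict}")
```

Take the first snapshot, send the test traffic to an address that is actually routed into the tunnel, take the second snapshot, and feed both to compare_snapshots. A flat result with ACTIVE SAs, as in the output posted in this thread, means the SA is fine and the problem is routing, not crypto.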

I do not see the encaps increasing when I ping the other end of the tunnel.

 

 

interface: Tunnel90
Crypto map tag: Tunnel90-head-0, local addr 192.90.181.201

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 35.236.234.135 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.90.181.201, remote crypto endpt.: 35.236.234.135
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0xF7614EF(259396847)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x7D1E6C6E(2099145838)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4060, flow_id: ESG:2060, sibling_flags FFFFFFFF80000048, crypto map: Tunnel90-head-0
sa timing: remaining key lifetime (k/sec): (4608000/2256)
IV size: 16 bytes
replay detection support: Y replay window size: 1024
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xF7614EF(259396847)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4059, flow_id: ESG:2059, sibling_flags FFFFFFFF80000048, crypto map: Tunnel90-head-0
sa timing: remaining key lifetime (k/sec): (4608000/2256)
IV size: 16 bytes
replay detection support: Y replay window size: 1024
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:


So this is a route-based VPN? Do you have static route(s) pointing to the tunnel interface for the networks to be sent over the VPN?

I am currently just looking at the router to router traffic. Is that wrong?

Pinging Google does not mean the traffic passes through the tunnel.

Can we see the config?


az05oescsec>en
Password:
az05oescsec#sh run
Building configuration...


Current configuration : 14613 bytes
!
! Last configuration change at 22:07:28 UTC Thu Mar 4 2021 by jwilliams
! NVRAM config last updated at 21:48:28 UTC Thu Mar 4 2021 by jwilliams
!
version 16.9
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec show-timezone
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname az05oescsec
!
boot-start-marker
boot system flash bootflash:isr4300-universalk9.16.09.05.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 64000 informational
enable secret 5
!
aaa new-model
!
!
aaa authentication login default group tacacs+ line enable
aaa accounting exec default
action-type start-stop
group tacacs+
!
!
!
!
!
!
!
aaa session-id common
no ip source-route
!
no ip bootp server
no ip domain lookup
ip domain name us.bull.com
!
!
!
login block-for 15 attempts 4 within 20
login on-failure log every 4
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
!
flow record FLW-RECORD
match ipv4 tos
match ipv4 protocol
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match interface input
collect transport icmp ipv4 code
collect transport icmp ipv4 type
collect transport tcp flags
collect interface output
collect counter bytes
!
!
flow monitor FLW-MON
cache timeout active 120
cache entries 20000
record FLW-RECORD
!
!
!
!
crypto pki trustpoint TP-self-signed-3730741338
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3730741338
revocation-check none
rsakeypair TP-self-signed-3730741338
!
!
crypto pki certificate chain TP-self-signed-3730741338
certificate self-signed 01
30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33373330 37343133 3338301E 170D3130 31323133 32333335
32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37333037
34313333 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B78A E1826028 3629937A 0FD4E395 44253B28 F6C45980 EAF741B2 205BC9AE
5B3D8321 5541E8F7 61F3754C 1D10E313 37A8E5D2 A2EC078A C7CD4DAD 4C68572F
17441DFC D8C67CB1 957411F4 697F71DE DC809E01 0664EABE A70E4DCE 089FE80B
7E671CC8 B924EAC2 36FEA3ED 29326B7C 246AE3F7 E6F0F48C 1EBE3C31 93387E72
60050203 010001A3 7B307930 0F060355 1D130101 FF040530 030101FF 30260603
551D1104 1F301D82 1B617A30 3567656E 63313934 312E796F 7572646F 6D61696E
2E636F6D 301F0603 551D2304 18301680 14B057FC 788344B0 28A64860 487706C4
3148ECD4 E8301D06 03551D0E 04160414 B057FC78 8344B028 A6486048 7706C431
48ECD4E8 300D0609 2A864886 F70D0101 04050003 81810089 8525782E A7EB7CAC
B66F5852 C52F6568 B75662F1 64DB76D8 AFFFBEED DC56A52A 0C8A0986 D6D7C699
5501598B BBA1E0BD 310EC82B 920D643D DDF51D02 F52873AA 1A0949E1 36BBAB05
9F11D8BB 9A960570 E5E262F1 0D0BBF62 6E79C7DF C2A3FCF4 823BE9FC 0F90DF82
FCBEB6D3 7A777765 1F6D44B3 C77BC992 E0F8A863 0CD789
quit
!
license udi pid ISR4331/K9 sn FDO19460B8D
no license smart enable
diagnostic bootup level minimal
!
spanning-tree extend system-id
archive
log config
hidekeys
!
!
!
username i secret 5
username a secret 5
!
redundancy
mode none
!
crypto ikev2 proposal GOOGLE_PROPOSAL
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha256
group 16
!
crypto ikev2 policy GOOGLE_POLICY
proposal GOOGLE_PROPOSAL
!
crypto ikev2 keyring GOOGLE_KEY
peer GCP1
address 35.236.234.135
pre-shared-key Ep0VKKznqz3oabpjxobrhX8kZfWVbnXq
!
!
!
crypto ikev2 profile GOOGLE_PROFILE
match address local interface GigabitEthernet0/0/1
match identity remote any
authentication remote pre-share
authentication local pre-share
keyring local GOOGLE_KEY
lifetime 36000
dpd 60 5 periodic
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 192
authentication pre-share
group 5
lifetime 67000
!
crypto isakmp policy 20
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 100
encr aes
authentication pre-share
group 2
lifetime 36600
crypto isakmp key oesc2bull20160204 address 204.87.88.6
crypto isakmp key oescGOOGLE20210211 address 35.236.234.135
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set TUN-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set ESP-AES192-SHA esp-aes 192 esp-sha-hmac
mode tunnel
crypto ipsec transform-set AES-128 esp-aes esp-sha-hmac
mode tunnel
crypto ipsec transform-set GOOGLE_TS esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile GOOGLE_VTI
set transform-set GOOGLE_TS
set pfs group16
set ikev2-profile GOOGLE_PROFILE
!
!
!
!
crypto map RMTIPSEC 10 ipsec-isakmp
set peer 204.87.88.6
set security-association lifetime seconds 28800
set transform-set ESP-AES192-SHA
set pfs group2
match address GRE-TUN24
crypto map RMTIPSEC 11 ipsec-isakmp
set peer 35.236.234.135
set security-association lifetime seconds 28800
set transform-set AES-128
set pfs group2
match address GRE-TUN90
!
!
!
!
!
!
!
!
interface Loopback0
ip address 172.18.124.239 255.255.255.255
!
interface Tunnel24
description Tunnel to Oklahoma
bandwidth 1536
ip address 172.19.24.2 255.255.255.252
no ip proxy-arp
ip mtu 1400
ip tcp adjust-mss 1360
keepalive 10 3
tunnel source GigabitEthernet0/0/1
tunnel destination 204.87.88.6
ip virtual-reassembly
!
interface Tunnel90
description Tunnel to GOOGLE
ip address 172.19.24.5 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0/1
tunnel mode ipsec ipv4
tunnel destination 35.236.234.135
tunnel protection ipsec profile GOOGLE_VTI
!
interface GigabitEthernet0/0/0
description LAN interface - VLAN 902
ip flow monitor FLW-MON unicast input
ip flow monitor FLW-MON unicast output
ip address 192.90.178.70 255.255.255.240
standby 1 ip 192.90.178.68
standby 1 priority 85
ip ospf cost 20
media-type rj45
negotiation auto
!
interface GigabitEthernet0/0/1
description Internet connection - 192.90.181.201/24
ip flow monitor FLW-MON unicast input
ip flow monitor FLW-MON unicast output
ip address 192.90.181.201 255.255.255.0
ip access-group ACL-FROM-G01 in
negotiation auto
crypto map RMTIPSEC
ip virtual-reassembly
!
interface GigabitEthernet0/0/2
description to az05oescpri
no ip address
no ip proxy-arp
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
description to az05oescpri
switchport access vlan 168
!
interface GigabitEthernet0/1/1
shutdown
!
interface GigabitEthernet0/1/2
shutdown
!
interface GigabitEthernet0/1/3
shutdown
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan168
description to az05oescpri
ip flow monitor FLW-MON unicast input
ip flow monitor FLW-MON unicast output
ip address 192.168.2.6 255.255.255.252
no ip proxy-arp
!
router ospf 100
router-id 172.18.124.239
log-adjacency-changes detail
redistribute connected metric-type 1 subnets route-map CONNECTED->OSPF
redistribute static metric-type 1 subnets route-map STATIC->OSPF
network 172.19.24.0 0.0.0.3 area 100
network 192.90.178.64 0.0.0.15 area 100
network 192.168.2.4 0.0.0.3 area 100
!
no ip forward-protocol nd
ip telnet source-interface Tunnel24
no ip http server
no ip http secure-server
ip tftp source-interface Loopback0
ip route 0.0.0.0 0.0.0.0 192.90.181.254
ip route 10.189.81.3 255.255.255.255 Tunnel90 10
ip route 172.18.124.0 255.255.255.0 192.90.178.65
ip route 192.5.20.0 255.255.255.0 192.90.178.65
ip route 192.5.32.0 255.255.255.0 192.90.178.65
ip route 192.90.162.8 255.255.255.255 192.90.178.65
ip route 192.90.184.0 255.255.255.0 192.90.178.65
ip route 192.90.191.96 255.255.255.224 192.90.178.65
ip route 192.90.191.96 255.255.255.224 192.168.2.5
ip route 204.87.88.6 255.255.255.255 192.90.181.254
ip tacacs source-interface Loopback0
!
ip ssh time-out 60
ip ssh source-interface Loopback0
ip ssh logging events
ip ssh version 2
!
!
ip prefix-list STATIC->OSPF seq 10 permit 192.5.20.0/24
ip prefix-list STATIC->OSPF seq 15 permit 192.5.32.0/24
ip prefix-list STATIC->OSPF seq 30 permit 192.90.0.0/16 le 32
!
ip access-list standard VTY-ACCESS-20100804
permit 192.5.32.0 0.0.0.255
permit 192.5.20.0 0.0.0.255
permit 192.90.172.0 0.0.0.255
permit 192.168.2.12 0.0.0.3
permit 192.168.2.4 0.0.0.3
permit 192.168.2.0 0.0.0.15
ip access-list standard VTY-ACCESS-IN-A
permit 192.5.32.0 0.0.0.255
permit 192.5.20.0 0.0.0.255
ip access-list standard VTY_ACCESS
permit 192.5.20.0 0.0.0.255
permit 192.5.32.0 0.0.0.255
permit 192.90.172.0 0.0.0.255
deny any log
!
ip access-list extended ACL-FROM-G01
permit esp any any
permit udp host 35.236.234.135 host 192.90.181.201
permit udp host 204.87.88.6 host 192.90.181.201
permit icmp host 192.90.159.18 any
remark **** Bull US Management Networks
permit tcp 192.90.172.0 0.0.0.255 any range ftp-data 22
permit icmp 192.90.172.0 0.0.0.255 any
remark **** Good ICMP
permit icmp any any unreachable
permit icmp 192.5.32.0 0.0.0.255 any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any source-quench
permit icmp any any traceroute
remark **** RFC 1918 - Source of private address space
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
remark **** RFC 3330 - Source special use address space
deny ip host 255.255.255.255 any
deny ip 0.0.0.0 0.255.255.255 any
remark *** Deny host loopback
deny ip 127.0.0.0 0.255.255.255 any
remark *** 3330 - Deny Reserved addresses
remark ** 3330 - "link local" block
deny ip 169.254.0.0 0.0.255.255 any
remark ** 3330 - "TEST-NET"
deny ip 192.0.2.0 0.0.0.255 any
remark ** 3330 - Multicast
deny ip 224.0.0.0 15.255.255.255 any
remark ** 3330 - Class "E" and broadcast
deny ip 240.0.0.0 15.255.255.255 any
deny ip any any log
ip access-list extended GRE-TUN24
permit gre host 192.90.181.201 host 204.87.88.6
ip access-list extended GRE-TUN90
permit gre host 192.90.181.201 host 35.236.234.135
ip access-list extended az052oesc
permit ip 192.90.191.96 0.0.0.31 192.90.22.0 0.0.0.255
permit ip 192.90.184.0 0.0.0.255 192.90.22.0 0.0.0.255
permit ip 192.5.32.0 0.0.1.255 192.90.22.0 0.0.0.255
permit ip 192.5.20.0 0.0.0.255 192.90.22.0 0.0.0.255
permit ip 192.5.32.0 0.0.1.255 host 172.18.124.241
permit ip 192.5.20.0 0.0.0.255 host 172.18.124.241
permit ip 192.5.32.0 0.0.1.255 host 172.18.124.240
permit ip 192.5.20.0 0.0.0.255 host 172.18.124.240
permit ip 172.18.124.0 0.0.0.255 host 172.18.124.241
permit ip 192.90.191.96 0.0.0.31 host 172.18.124.241
permit ip host 192.90.162.8 host 172.18.124.241
permit ip host 192.90.175.9 host 172.18.124.241
permit icmp 192.90.191.96 0.0.0.31 192.90.22.0 0.0.0.255
permit icmp 192.90.184.0 0.0.0.255 192.90.22.0 0.0.0.255
permit icmp 192.5.32.0 0.0.1.255 192.90.22.0 0.0.0.255
permit icmp 192.5.20.0 0.0.0.255 192.90.22.0 0.0.0.255
permit icmp 192.5.32.0 0.0.1.255 host 172.18.124.241
permit icmp 192.5.20.0 0.0.0.255 host 172.18.124.241
permit icmp 192.90.191.96 0.0.0.31 host 172.18.124.241
permit icmp 192.90.184.0 0.0.0.255 host 172.18.124.241
permit icmp 172.18.124.0 0.0.0.255 host 172.18.124.241
permit icmp host 192.90.162.8 host 172.18.124.241
permit icmp host 192.90.175.9 host 172.18.124.241
logging trap warnings
logging source-interface Loopback0
logging host 192.5.32.138
access-list 3 permit 192.5.20.0 0.0.0.255
access-list 3 permit 192.5.32.0 0.0.0.255
access-list 7 permit 192.5.20.0 0.0.0.255
access-list 7 permit 192.5.32.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
!
!
route-map STATIC->OSPF permit 10
match ip address prefix-list STATIC->OSPF
!
route-map CONNECTED->OSPF permit 10
match interface Loopback0 GigabitEthernet0/0/0
!
snmp-server engineID local 00000009020000500F0E0B61
snmp-server community ripcord RO 3
snmp-server community bullvox RW 7
snmp-server trap-source Loopback0
snmp-server source-interface informs Loopback0
snmp-server packetsize 8192
snmp-server location 1-104 computer room, Phoenix AZ 85029
snmp-server contact AZ05 LAN/WAN Group
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps ospf state-change
snmp-server enable traps config
snmp-server host 192.5.32.152 version 2c ripcord
tacacs-server host 192.5.32.134
tacacs-server host 192.5.32.146
tacacs-server host 192.5.32.147
tacacs-server directed-request
tacacs-server key 7 144043180907382E30
!
!
!
!
control-plane
!
banner login ^CC

 

 

 

**********************************************
* Please be advised that unauthorized access *
* to this equipment is strictly prohibited. *
* ANY UNAUTHORIZED ACCESS BEYOND THIS POINT *
* WILL LEAD TO PROSECUTION !!! *
**********************************************

 

 

 

^C
banner motd ^CC

 

 

**********************************************
* Please be advised that unauthorized access *
* to this equipment is strictly prohibited. *
* ANY UNAUTHORIZED ACCESS BEYOND THIS POINT *
* WILL LEAD TO PROSECUTION !!! *
**********************************************

 


^C
!
line con 0
exec-timeout 15 5
password 7
transport input none
stopbits 1
line aux 0
exec-timeout 10 15
password 7
modem Dialin
modem autoconfigure type usr_sportster
transport preferred none
transport input all
stopbits 1
speed 38400
flowcontrol hardware
line vty 0
access-class VTY-ACCESS-IN-A in
exec-timeout 30 30
password 7
length 26
width 83
transport preferred none
transport input ssh
line vty 1 4
access-class VTY-ACCESS-IN-A in
exec-timeout 30 30
password 7
transport preferred none
transport input ssh
line vty 5 15
access-class VTY-ACCESS-IN-A in
exec-timeout 30 30
password 7
transport input ssh
!
ntp source Loopback0
ntp server 192.90.162.8
ntp server 192.5.32.138
!
!
!
!
!
end

If you are using a tunnel interface, which you are (Tunnel90), then you need a static route for each of the remote networks, to be sent via the peer tunnel IP address.

 

Router example - "ip route 192.168.0.0 255.255.0.0 172.16.2.1"

Where 192.168.0.0/255.255.0.0 is the remote network and 172.16.2.1 is the remote peer tunnel IP address (the next hop).

 

Define static routes on your router or confirm they are correct.

 

If you were using a policy-based VPN (which you don't appear to be) with a crypto map ACL, then you'd rely on the default route, which would encrypt the traffic on egress; no specific static route required.
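The routing point in the reply above can be checked against the config posted earlier in this thread. The Python below is an added example, not code from the thread or from Cisco: it rebuilds this router's forwarding decision from the static routes and connected prefixes in "sh run" (OSPF-learned routes are not in the config and are left out), does the longest-prefix match, resolves an IP next hop to its connected interface, and says whether a destination leaves through the IPsec VTI, through the GRE tunnel that the crypto map protects, or in the clear. Assumptions: 8.8.8.8 stands in for "google"; the far-end tunnel address 172.19.24.6 is inferred from the /30 on Tunnel90 (local side is .5). One caveat on the posted config itself: the IKEv2 and ISAKMP pre-shared keys, the SNMP communities and the type-7 TACACS key are now public and should be rotated.

```python
from __future__ import annotations

from ipaddress import IPv4Network, ip_address, ip_network

# Reconstructed from the "sh run" in the thread: connected prefixes of the
# interfaces that are up, and the "ip route" statements. Next hop is either an
# interface name or an IP address, exactly as IOS takes it.
CONNECTED: dict[str, IPv4Network] = {
    "GigabitEthernet0/0/1": ip_network("192.90.181.0/24"),   # internet, crypto map RMTIPSEC
    "GigabitEthernet0/0/0": ip_network("192.90.178.64/28"),  # LAN
    "Vlan168": ip_network("192.168.2.4/30"),
    "Tunnel24": ip_network("172.19.24.0/30"),                # GRE to Oklahoma
    "Tunnel90": ip_network("172.19.24.4/30"),                # IPsec VTI to Google
    "Loopback0": ip_network("172.18.124.239/32"),
}
STATIC: list[tuple[str, str]] = [
    ("0.0.0.0/0", "192.90.181.254"),
    ("10.189.81.3/32", "Tunnel90"),
    ("172.18.124.0/24", "192.90.178.65"),
    ("192.5.20.0/24", "192.90.178.65"),
    ("192.5.32.0/24", "192.90.178.65"),
    ("192.90.184.0/24", "192.90.178.65"),
    ("204.87.88.6/32", "192.90.181.254"),
]


def egress_interface(dst: str) -> str:
    """Longest-prefix match over connected and static routes, then resolve an IP
    next hop through the table again until an interface is reached (recursive
    static-route resolution, as IOS does it)."""
    addr = ip_address(dst)
    candidates = [(net, iface) for iface, net in CONNECTED.items() if addr in net]
    candidates += [(ip_network(p), nh) for p, nh in STATIC if addr in ip_network(p)]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    _net, nh = max(candidates, key=lambda c: c[0].prefixlen)
    if nh in CONNECTED:
        return nh
    return egress_interface(nh)


def path_report(dst: str) -> str:
    """Say how a packet to dst leaves this router and whether IPsec touches it."""
    iface = egress_interface(dst)
    if iface == "Tunnel90":
        return f"{dst}: Tunnel90, IPsec VTI (tunnel protection ipsec profile GOOGLE_VTI)"
    if iface == "Tunnel24":
        return f"{dst}: Tunnel24, GRE encrypted by crypto map RMTIPSEC on GigabitEthernet0/0/1"
    return f"{dst}: {iface} in the clear (crypto map RMTIPSEC only matches GRE to the two peers)"


if __name__ == "__main__":
    # 8.8.8.8 stands in for "google"; 172.19.24.6 is the inferred far-end tunnel address
    for d in ("8.8.8.8", "35.236.234.135", "172.19.24.6", "10.189.81.3", "192.5.32.138"):
        print(path_report(d))
```

With only "ip route 10.189.81.3 255.255.255.255 Tunnel90 10" pointing at the VTI, a ping to Google's public address, or to the peer's own public address 35.236.234.135, follows the default route out GigabitEthernet0/0/1 unencrypted, so the encaps counter stays at zero. Pinging 172.19.24.6 or 10.189.81.3 is what exercises the SA; every other remote network needs its own static route (or an OSPF route) pointing at Tunnel90.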

IPsec over GRE is a route-based VPN: this does not need an ACL; it needs a static route toward the tunnel, and IPsec is not configured under the WAN interface but under the tunnel interface.
IPsec (crypto map) is a policy-based VPN: this needs an ACL, and IPsec is configured under the WAN interface.