Site-to-Site IPSec VPN only passes traffic one-way...mostly

Unanswered Question
Apr 9th, 2008

I have an odd problem with a new VPN we set up. It's a 2851 <--> Openswan Linux box. The tunnel comes up just fine. On the 2851 side we have a /24 and on the Openswan side we have a /19 and a /26. You can ping from any device in these ranges to any other. Even adjusting the ping to 1500 bytes it all works. Now the first thing we tried to do after this was SSH. We can SSH from the /19 (site b, behind the Openswan) to the /24 (site a, 2851) all day long without issue. We can also do the opposite (site a to site b /19). We also can SSH from the 2851 /24 to the Openswan /26. However the /26 at site b cannot SSH to the 2851 /24. Watching the logs and such we can see the SSH packet gets to the box and the box sends a response, just the 2851 does not send the reply down the tunnel. It just seems to ignore it. I cannot seem to find why the 2851 will not send an SSH session initiated from b /26 back to it when it will send a session initiated from a /24 down to the b /26.


Both the /19 and /26 are in the same ACL, just the /26 is not working fully.


Used the SDM to setup the tunnel.


Does that make sense? Need configs?

sundar.palaniappan Wed, 04/09/2008 - 09:41

Can you post the crypto ACL that you have configured on both ends?

sdrossen2 Wed, 04/09/2008 - 10:09

Forgot to mention I have two tunnels; one is working fine, the other is 3/4 of the way working. crypto map SDM_CMAP_1 2 with ACL 110 is the problem one.


10.1.7.0 is site a, behind 2851

10.8.0.0 is site b (working)

10.2.3.0 is site b (not fully working, can ping to/from but only ssh from site a, not to this range at site b)

10.3.5.0 is site c (working, not being discussed now)

class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 104
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
 match class-map SDM_SSH
 match class-map SDM_SHELL
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
 match access-group 107
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 106
class-map type inspect match-all sdm-cls-VPNOutsideToInside-5
 match access-group 109
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
 match access-group 108
class-map type inspect match-all sdm-cls-VPNOutsideToInside-7
 match access-group 112
class-map type inspect match-all sdm-cls-VPNOutsideToInside-6
 match access-group 111
class-map type inspect match-all sdm-cls-VPNOutsideToInside-9
 match access-group 114
class-map type inspect match-all sdm-cls-VPNOutsideToInside-8
 match access-group 113
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 103
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-cls-sdm-inspect-1
 match access-group name any
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 101
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-2
  pass
 class type inspect sdm-cls-VPNOutsideToInside-3
  pass
 class type inspect sdm-cls-VPNOutsideToInside-4
  pass
 class type inspect sdm-cls-VPNOutsideToInside-5
  pass
 class type inspect sdm-cls-VPNOutsideToInside-6
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-7
  pass
 class type inspect sdm-cls-VPNOutsideToInside-8
  pass
 class type inspect sdm-cls-VPNOutsideToInside-9
  inspect
 class class-default
  drop log
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-cls-sdm-inspect-1
  inspect
 class class-default
  drop log
policy-map type inspect sdm-permit
 class type inspect SDM_VPN_PT
  pass
 class type inspect sdm-access
  inspect
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
!


sdrossen2 Wed, 04/09/2008 - 10:10

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key address
crypto isakmp key address
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to
 set peer
 set security-association lifetime seconds 86400
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to
 set peer
 set transform-set ESP-3DES-SHA1
 set pfs group2
 match address 110
!
!
interface GigabitEthernet0/1
 description $FW_OUTSIDE$$ETH-WAN$
 ip address 255.255.255.248
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed 100
 no cdp enable
 standby 2 ip
 standby 2 timers 5 15
 standby 2 priority 200
 standby 2 preempt
 standby 2 track GigabitEthernet1/0 150
 no mop enabled
 crypto map SDM_CMAP_1
!
!
interface Vlan1
 description $FW_INSIDE$
 ip address 255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 standby 1 ip
 standby 1 timers 5 15
 standby 1 priority 200
 standby 1 preempt
 standby 1 track GigabitEthernet0/1 150
!
ip route 0.0.0.0 0.0.0.0
!
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended SDM_HTTPS
 remark SDM_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_SHELL
 remark SDM_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark SDM_ACL Category=1
 permit tcp any any eq 22
ip access-list extended any
 remark SDM_ACL Category=128
 permit ip 10.1.7.0 0.0.0.63 any
!

sdrossen2 Wed, 04/09/2008 - 10:11

access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.7.0 0.0.0.63
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 69.90.79.24 0.0.0.7 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.1.7.0 0.0.0.63 10.3.5.0 0.0.0.255
access-list 103 remark SDM_ACL Category=128
access-list 103 permit ip host any
access-list 103 permit ip host any
access-list 104 remark SDM_ACL Category=0
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 105 remark SDM_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny ip 10.1.7.0 0.0.0.63 10.2.3.0 0.0.0.127
access-list 105 remark IPSec Rule
access-list 105 deny ip 10.1.7.0 0.0.0.63 10.8.0.0 0.0.31.255
access-list 105 remark IPSec Rule
access-list 105 deny ip 10.1.7.0 0.0.0.63 10.3.5.0 0.0.0.255
access-list 105 permit ip 10.1.7.0 0.0.0.63 any
access-list 106 remark SDM_ACL Category=0
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 107 remark SDM_ACL Category=0
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 108 remark SDM_ACL Category=0
access-list 108 remark IPSec Rule
access-list 108 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 108 remark IPSec Rule
access-list 108 permit ip 10.8.31.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 109 remark SDM_ACL Category=0
access-list 109 remark IPSec Rule
access-list 109 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 10.1.7.0 0.0.0.63 10.8.0.0 0.0.31.255
access-list 110 remark IPSec Rule
access-list 110 permit ip 10.1.7.0 0.0.0.63 10.2.3.0 0.0.0.127
access-list 111 remark SDM_ACL Category=0
access-list 111 remark IPSec Rule
access-list 111 permit ip 10.8.0.0 0.0.31.255 10.1.7.0 0.0.0.63
access-list 111 remark IPSec Rule
access-list 111 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 112 remark SDM_ACL Category=0
access-list 112 remark IPSec Rule
access-list 112 permit ip 10.8.0.0 0.0.31.255 10.1.7.0 0.0.0.63
access-list 112 remark IPSec Rule
access-list 112 permit ip 10.2.3.0 0.0.0.127 10.1.7.0 0.0.0.63
access-list 112 remark IPSec Rule
access-list 112 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 113 remark SDM_ACL Category=0
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.8.0.0 0.0.31.255 10.1.7.0 0.0.0.63
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.2.3.0 0.0.0.127 10.1.7.0 0.0.0.63
access-list 113 remark IPSec Rule
access-list 113 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
access-list 114 remark SDM_ACL Category=0
access-list 114 remark IPSec Rule
access-list 114 permit ip 10.8.0.0 0.0.31.255 10.1.7.0 0.0.0.63
access-list 114 remark IPSec Rule
access-list 114 permit ip 10.2.3.0 0.0.0.127 10.1.7.0 0.0.0.63
access-list 114 remark IPSec Rule
access-list 114 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63

sundar.palaniappan Wed, 04/09/2008 - 10:23

access-list 110 remark IPSec Rule
access-list 110 permit ip 10.1.7.0 0.0.0.63 10.2.3.0 0.0.0.127


Shouldn't this be (based on the /24 and /26 mentioned in your original posting):


access-list 110 permit ip 10.1.7.0 0.0.0.255 10.2.3.0 0.0.0.192

sundar.palaniappan Wed, 04/09/2008 - 10:27

Oops, sorry about the typo. Shouldn't it be:


access-list 110 permit ip 10.1.7.0 0.0.0.255 10.2.3.0 0.0.0.63



sdrossen2 Wed, 04/09/2008 - 10:40

Looks like I described it wrong. I have checked and it's a /25.

sundar.palaniappan Wed, 04/09/2008 - 10:54

The traffic that needs to be encrypted has to match on both sides. The symptom you are describing points to a problem with that. If you have checked that part and are still having problems, can you capture the output of the following commands when you are having the problem?

debug crypto ipsec
debug crypto isakmp

sdrossen2 Wed, 04/09/2008 - 12:01

Debug is not showing anything. I did term mon and logging console debug.


10.1.7.0 to 10.8.0.0 works 100%

10.8.0.0 to 10.1.7.0 works 100%


10.1.7.0 to 10.2.3.0 works 100%

10.2.3.0 to 10.1.7.0 I see the traffic come in the tunnel and hit a box in 10.2.3.0/24 and I see traffic leave the host in 10.2.3.0/24 but the router does not put the traffic in the tunnel and I can't get the logs/debug to show anything at all.

sundar.palaniappan Wed, 04/09/2008 - 12:13

Am I understanding this correctly? The host that you aren't able to SSH to, you are able to ping. If that is indeed the case, can you try to SSH to a different box in the same subnet, as that wouldn't have anything to do with the crypto configuration in the 2811.

sdrossen2 Wed, 04/09/2008 - 12:57

I can SSH from 10.1.7.0 to 10.8.0.0, I can SSH from 10.8.0.0 to 10.1.70.0. I can SSH from 10.1.7.0 to 10.2.3.0, but if I try to SSH from 10.2.3.0 that does not work. The packet makes it through the tunnel to the host, the host sends the response, but the 2851 will not encode the reply packet even though it will encode new sessions and decrypts the incoming packet.

I don't have another host on 10.1.7.0 but I can SSH to/from it from multiple subnets. I can also SSH to it from the 2851 itself.

sundar.palaniappan Wed, 04/09/2008 - 14:36

Is it just SSH to the host 10.1.7.x not working, or can't you ping the host from the 10.2.3.0 subnet either? If you can ping but not SSH, you may have to do a sniffer capture on the LAN behind the 2811 to see if the host's response indeed gets to the 2811. One other thing you can try is to configure the command 'ip tcp adjust-mss 1440' under the LAN-facing interface on the 2811 to rule out any MTU problems.

sdrossen2 Thu, 04/10/2008 - 12:56

I can ping and SSH from 10.1.7.x to 10.2.3.x. I can ping but NOT SSH from 10.2.3.x to 10.1.7.x.

I ran that command (as well as adjusting the size on the NICs of the hosts) but the result is the same.


A tcpdump shows the packets from 10.2.3.x get to the hosts on 10.1.7.x and the host sends a response but the router seems to just ignore it.

sdrossen2 Mon, 04/14/2008 - 07:10

Found the issue. It was with ACL 111. The SDM created it, so I'm not sure why it did not add all the IP ranges, but I still should have caught it much earlier.
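Two checks come out of this thread: the crypto ACL must mirror the peer's policy exactly (sundar.palaniappan's point above), and the firewall ACL that admits decrypted traffic on the out-zone to in-zone zone-pair must cover the reverse of every crypto ACL entry (the ACL 111 gap that turned out to be the cause). The script below is an added example, not code from the thread or from Cisco; it embeds ACL 110 and ACL 111 exactly as posted, and the Openswan-side policy (`PEER_POLICY`) is a constructed stand-in, written deliberately one entry short so the mirror check has something to report.

```python
"""Check a Cisco IOS crypto ACL against the peer's policy and against the
firewall ACL that admits decrypted traffic.  Added example; the ACL text is
copied from the thread, the peer policy is constructed."""
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]  # (source, destination) of one 'permit ip' line

# ACL 110 is the crypto map SDM_CMAP_1 2 match address; ACL 111 is matched by
# class sdm-cls-VPNOutsideToInside-6 on the out-zone -> in-zone policy.
ACL_110 = """
access-list 110 remark IPSec Rule
access-list 110 permit ip 10.1.7.0 0.0.0.63 10.8.0.0 0.0.31.255
access-list 110 remark IPSec Rule
access-list 110 permit ip 10.1.7.0 0.0.0.63 10.2.3.0 0.0.0.127
"""
ACL_111 = """
access-list 111 remark IPSec Rule
access-list 111 permit ip 10.8.0.0 0.0.31.255 10.1.7.0 0.0.0.63
access-list 111 remark IPSec Rule
access-list 111 permit ip 10.3.5.0 0.0.0.255 10.1.7.0 0.0.0.63
"""
# Constructed stand-in for the Openswan side's policy, as (local, remote)
# from that side's point of view.  Only the /19 is mirrored on purpose.
PEER_POLICY: List[Entry] = [
    (Net("10.8.0.0/19"), Net("10.1.7.0/26")),
]


def _wildcard_to_network(addr: str, wildcard: str) -> Net:
    """IOS wildcard mask -> network.  The wildcard is inverted into a netmask
    explicitly so that 0.0.0.0 becomes /32 (a host) rather than /0."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return Net(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _take_address(tokens: List[str]) -> Net:
    """Consume one address spec ('any', 'host X' or 'X WILDCARD') from the front."""
    keyword = tokens.pop(0)
    if keyword == "any":
        return Net("0.0.0.0/0")
    if keyword == "host":
        return Net(f"{tokens.pop(0)}/32")
    return _wildcard_to_network(keyword, tokens.pop(0))


def parse_acl(text: str) -> List[Entry]:
    """Parse numbered 'access-list N permit ip SRC DST' lines; remarks,
    blank lines and deny lines are skipped (this thread's crypto ACLs
    contain only permits)."""
    entries: List[Entry] = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] != "permit":
            continue
        if tokens[3] != "ip":
            raise ValueError(f"only 'permit ip' entries are handled: {line}")
        rest = tokens[4:]
        src = _take_address(rest)
        dst = _take_address(rest)
        entries.append((src, dst))
    return entries


def missing_mirror(local: List[Entry], peer: List[Entry]) -> List[Entry]:
    """Crypto ACL entries with no exact (dst, src) counterpart on the peer.
    IPsec proxy identities must agree, so each of these fails to negotiate."""
    mirrored = {(d, s) for s, d in peer}
    return [entry for entry in local if entry not in mirrored]


def uncovered_return_paths(crypto: List[Entry], firewall: List[Entry]) -> List[Entry]:
    """Crypto ACL entries whose decrypted inbound traffic (remote -> local) is
    not admitted by any firewall entry.  Containment rather than equality,
    because the firewall ACL may legitimately be written wider."""
    def covered(remote: Net, local: Net) -> bool:
        return any(remote.subnet_of(fs) and local.subnet_of(fd) for fs, fd in firewall)
    return [(s, d) for s, d in crypto if not covered(d, s)]


if __name__ == "__main__":
    crypto = parse_acl(ACL_110)
    for s, d in missing_mirror(crypto, PEER_POLICY):
        print(f"peer policy lacks the mirror of {s} -> {d}")
    for s, d in uncovered_return_paths(crypto, parse_acl(ACL_111)):
        print(f"ACL 111 does not admit decrypted traffic {d} -> {s}")
```

Run against the posted ACLs, the second check reports `10.2.3.0/25 -> 10.1.7.0/26` as the one return path ACL 111 never admits, which matches the thread's outcome: the tunnel itself negotiated, but the zone-based firewall had no class for that decrypted flow. Note that the page describes site b's second range as a /26 in the first post and as a /25 later; the script trusts the ACL (0.0.0.127, a /25).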

sundar.palaniappan Mon, 04/14/2008 - 07:12

Glad to hear you got it to work :-)


It really didn't make sense before that the router would just not encrypt SSH traffic from that host.


You got to feel very relieved now!!
