Packets disappearing after getting unencrypted on IPSEC VPN

Dec 12th, 2008

I am currently having a problem with a VPN that I am setting up, and traffic seems to disappear after it is unencrypted. When I ping from one side of the tunnel to the other and do a show crypto ipsec sa, I can see that both of the ESP SAs are active and that 5 packets have been decrypted. I have also checked the tunnel interface and it shows that no packets have been received, and when I do traffic export on that interface I do not see any traffic coming in. I have set up traffic export on the physical interface to make sure the traffic coming in makes it to the router, and I can see ESP packets with the proper SPI coming in. I am not sure what else I can check to view where these packets are getting stopped. Any ideas?


###### Router 1 ######

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key 6 removed address 1.1.1.2

crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
 mode transport

crypto map MYMAP 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set MYSET
 match address 101

interface Tunnel11
 ip address 2.2.2.2 255.255.255.0
 tunnel source fastEthernet0
 tunnel destination 1.1.1.2

interface Fa0
 ip address 1.1.1.1 255.255.255.0
 crypto map MYMAP

access-list 101 permit gre host 1.1.1.1 host 1.1.1.2



###### Router 2 ######

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key 6 removed address 1.1.1.1

crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
 mode transport

crypto map MYMAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set MYSET
 match address 101

interface Tunnel11
 ip address 2.2.2.1 255.255.255.0
 tunnel source fastEthernet0
 tunnel destination 1.1.1.1

interface Fa0
 ip address 1.1.1.2 255.255.255.0
 crypto map MYMAP

access-list 101 permit gre host 1.1.1.2 host 1.1.1.1





celiocarreto Tue, 12/16/2008 - 04:30

Hi!


I don't know your IOS Version.


But try such a config (new type of GRE Tunnel):


crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2

crypto isakmp key test address 1.1.1.1

crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac

crypto ipsec profile MYVTI
 set transform-set MYSET

interface Tunnel0
 ip address 2.2.2.1 255.255.255.0
 tunnel source fastEthernet0
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MYVTI

interface Fa0
 ip address 1.1.1.2 255.255.255.0


Maybe it helps.

pjeunelot Tue, 12/16/2008 - 06:33

I solved this problem. It turned out that the GRE endpoint was assigned to the wrong interface on the second router. I have two inputs to each router and I had the destination of one of the tunnels on an interface that wasn't set up for the VPN. So the packets didn't know where to go after they got decrypted.
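The endpoint mismatch described in the post above can be caught by comparing the two routers' configs offline. The sketch below is an added example, not part of the thread: it assumes the crypto-map layout from the question and a tunnel source given as an interface name, and the function names, the second interface Fa1 and its address 3.3.3.2 are hypothetical.

```python
import re

FIELDS = {"ip": r"ip address (\S+)", "src": r"tunnel source (\S+)",
          "dst": r"tunnel destination (\S+)", "crypto_map": r"crypto map (\S+)"}

def ifkey(name):
    """'fastEthernet0' and 'Fa0' both map to ('fa', '0'); a two-letter simplification."""
    prefix, unit = re.match(r"([A-Za-z-]*)(.*)", name).groups()
    return prefix[:2].lower(), unit

def parse_interfaces(cfg):
    """Map ifkey -> fields, reading the indented sub-commands under each 'interface'."""
    ifaces = {}
    for name, body in re.findall(r"^interface (\S+)[ \t]*\n((?:[ \t]+.*\n?)*)", cfg, re.M):
        found = {k: m.group(1) for k, p in FIELDS.items() if (m := re.search(p, body))}
        ifaces[ifkey(name)] = {"name": name, **found}
    return ifaces

def check_tunnels(local, remote):
    """Findings for tunnels on `local` whose endpoints do not line up with `remote`."""
    out = []
    for t in local.values():
        if "dst" not in t:
            continue  # not a tunnel interface
        src = local.get(ifkey(t.get("src", "")), {})
        if "crypto_map" not in src:
            out.append(f"{t['name']}: source {t.get('src')} has no crypto map")
        peer = next((k for k, d in remote.items() if d.get("ip") == t["dst"]), None)
        if not any(r.get("dst") == src.get("ip") and ifkey(r.get("src", "")) == peer
                   for r in remote.values()):
            out.append(f"{t['name']}: no peer tunnel runs from {t['dst']} back to {src.get('ip')}")
    return out

# Constructed samples: the thread's interface sections plus a hypothetical Fa1 with no crypto map.
R1 = """interface Tunnel11
 tunnel source fastEthernet0
 tunnel destination 1.1.1.2
interface Fa0
 ip address 1.1.1.1 255.255.255.0
 crypto map MYMAP"""
R2 = """interface Tunnel11
 tunnel source fastEthernet0
 tunnel destination 1.1.1.1
interface Fa0
 ip address 1.1.1.2 255.255.255.0
 crypto map MYMAP
interface Fa1
 ip address 3.3.3.2 255.255.255.0"""
R2_BAD = R2.replace("tunnel source fastEthernet0", "tunnel source fastEthernet1")
```

Running check_tunnels in both directions matters: from Router 1 the bad peer only shows up as a missing return tunnel, while from Router 2 the same fault is reported as a tunnel source without a crypto map.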
