Packets disappearing after getting unencrypted on IPSEC VPN

Dec 12th, 2008

I am currently having a problem with a VPN that I am setting up, and traffic seems to disappear after it is unencrypted. When I ping from one side of the tunnel to the other and do a show crypto ipsec sa, I can see that both of the ESP SAs are active and that 5 packets have been decrypted. I have also checked the tunnel interface, and it shows that no packets have been received, and when I do traffic export on that interface I do not see any traffic coming in. I have set up traffic export on the physical interface to make sure the traffic coming in makes it to the router, and I can see ESP packets with the proper SPI coming in. I am not sure what else I can check to view where these packets are getting stopped. Any ideas?

###### Router 1 ######

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key 6 removed address 1.1.1.2
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
 mode transport
crypto map MYMAP 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set MYSET
 match address 101
interface Tunnel11
 ip address 2.2.2.2 255.255.255.0
 tunnel source fastEthernet0
 tunnel destination 1.1.1.2
interface Fa0
 ip address 1.1.1.1 255.255.255.0
 crypto map MYMAP
access-list 101 permit gre host 1.1.1.1 host 1.1.1.2

###### Router 2 ######

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key 6 removed address 1.1.1.1
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
 mode transport
crypto map MYMAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set MYSET
 match address 101
interface Tunnel11
 ip address 2.2.2.1 255.255.255.0
 tunnel source fastEthernet0
 tunnel destination 1.1.1.1
interface Fa0
 ip address 1.1.1.2 255.255.255.0
 crypto map MYMAP
access-list 101 permit gre host 1.1.1.2 host 1.1.1.1

celiocarreto Tue, 12/16/2008 - 04:30

Hi!

I don't know your IOS Version.

But try such a config (new type of GRE Tunnel):

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key test address 1.1.1.1
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
crypto ipsec profile MYVTI
 set transform-set MYSET
interface Tunnel0
 ip address 2.2.2.1 255.255.255.0
 tunnel source fastEthernet0
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MYVTI
interface Fa0
 ip address 1.1.1.2 255.255.255.0

Maybe it helps.

pjeunelot Tue, 12/16/2008 - 06:33

I solved this problem. It turned out that the GRE endpoint was assigned to the wrong interface on the second router. I have two inputs to each router and I had the destination of one of the tunnels on an interface that wasn't set up for the VPN. So the packets didn't know where to go after they got decrypted.
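
Added example, not part of any post in this thread: a Python checker that cross-checks two routers' configs for the kind of mismatch described in the resolution above, flagging a GRE tunnel whose source interface carries no crypto map or whose destination is not an address on a crypto-map interface of the peer. It covers only the crypto-map style of GRE over IPsec from the original question; the interface Fa1, the 3.3.3.x addresses and all function names are constructed for illustration.

```python
import re

def norm(name):
    # IOS accepts abbreviated names (Fa0 == FastEthernet0); two letters + unit is a simplification.
    m = re.match(r"([a-z]+)([\d/.]+)$", name.lower())
    return m.group(1)[:2] + m.group(2) if m else name.lower()

def parse(cfg):
    """Collect per-interface settings from the command subset used in this thread."""
    ifaces, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            cur = ifaces.setdefault(norm(m.group(1)), {"crypto": False})
        elif cur is not None and (m := re.match(r"(ip address|tunnel source|tunnel destination) (\S+)", line)):
            cur[m.group(1).split()[-1]] = m.group(2)  # keys: address, source, destination
        elif cur is not None and re.match(r"crypto map \S+$", line):
            cur["crypto"] = True  # the one-word form is the map applied to an interface
    return ifaces

def check(local, remote):
    """Findings for each GRE tunnel on `local`, validated against peer `remote`."""
    rip = {i["address"]: i for i in remote.values() if "address" in i}
    out = []
    for name, t in local.items():
        if "destination" not in t:
            continue
        s, d = t.get("source", ""), t["destination"]
        src = local.get(norm(s))  # assumes the tunnel source is an interface name
        if src is None or not src["crypto"]:
            out.append(f"{name}: source {s} has no crypto map")
        if d not in rip:
            out.append(f"{name}: destination {d} is not a peer address")
        elif not rip[d]["crypto"]:
            out.append(f"{name}: destination {d} is on a peer interface without a crypto map")
    return out

# Constructed sample configs: R1's tunnel points at the peer's non-VPN interface.
R1 = """interface Tunnel11
 ip address 2.2.2.2 255.255.255.0
 tunnel source fastEthernet0
 tunnel destination 3.3.3.2
interface Fa0
 ip address 1.1.1.1 255.255.255.0
 crypto map MYMAP"""
R2 = """interface Fa0
 ip address 1.1.1.2 255.255.255.0
 crypto map MYMAP
interface Fa1
 ip address 3.3.3.2 255.255.255.0"""
```

Calling check(parse(R1), parse(R2)) reports the tunnel destination on the peer's Fa1; with the destination changed to 1.1.1.2 it returns an empty list.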
