IPSEC connection to foreign system trouble

Answered Question
Jul 21st, 2010

Hello!

I am doing an IPSEC to an Astaro V7 at a customer's site.

Origin is a UC540 with IOS 15.

I see the tunnel "green" on the Astaro .... so it's OK, but no packets are going through:

UC540#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: CISCO, local addr x.x.x.202

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.49.0/255.255.255.0/0/0)
   current_peer x.x.x.8 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 39, #pkts encrypt: 39, #pkts digest: 39
    #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xABA3137B(2879591291)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x349B38CE(882587854)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 18, flow_id: Onboard VPN:18, sibling_flags 80000046, crypto map: CISCO
        sa timing: remaining key lifetime (k/sec): (4586494/835)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xABA3137B(2879591291)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 19, flow_id: Onboard VPN:19, sibling_flags 80000046, crypto map: CISCO
        sa timing: remaining key lifetime (k/sec): (4586494/835)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

UC540#

UC540#ping 192.168.49.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.49.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

UC540#ping
Protocol [ip]:
Target IP address: 192.168.49.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.49.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
.....
Success rate is 0 percent (0/5)

UC540#

Any idea?
Jennifer Halim Wed, 07/21/2010 - 08:55

Based on the ipsec sa output, there is traffic being encrypted and decrypted, which means the VPN tunnel is actually up and running.

I would check to see if you have an ACL or zone-based firewall configured on the UC500 router that might be blocking the ICMP Reply.

kmmehlkmmehl Wed, 07/21/2010 - 09:41

Hi,

actually I disabled all "denys" in my ACL for testing -> I am now testing the other side.

Any way to completely disable that for testing?

Correct Answer
Jennifer Halim Wed, 07/21/2010 - 10:05

If you have an ACL assigned to the interface, you would be able to just remove the ACL from the interface. Alternatively, if you are using ZBFW, you can take the zone member out of all interfaces (please make sure that you take it out from all interfaces, otherwise your traffic will not pass through the router between some interfaces; plus, if you have ZBFW, remove the zone member by consoling to the router, as you might be locked out of the router if you remove some of the zone members first while telnetting or SSHing into the router).

kmmehlkmmehl Wed, 07/21/2010 - 16:45

Thanks mate,

that was it .. it was missing in the ACL for the route map to the NAT int.

Now it works!

Awesome!
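The resolution above (a missing entry in the ACL behind the NAT route map) is the classic inside-to-outside ordering problem on IOS: NAT is applied before the crypto map is evaluated, so traffic for the remote subnet gets translated to the WAN address and then no longer matches the crypto ACL, while the counters still climb for whatever the far side sends. The fragment below is an added illustration, not from the thread and not the UC540's real configuration; only the two subnets come from the thread, and the ACL names (VPN_TRAFFIC, NAT_EXEMPT), the route-map name (RM_NAT), and the interface are assumptions.

```cisco
! Interesting-traffic ACL referenced by the crypto map (name assumed)
ip access-list extended VPN_TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.49.0 0.0.0.255
!
! NAT ACL as described in the thread: no deny for the VPN subnet, so
! 192.168.10.0/24 -> 192.168.49.0/24 is translated to the WAN address
! first and afterwards never matches VPN_TRAFFIC.
!   ip access-list extended NAT_EXEMPT
!    permit ip 192.168.10.0 0.0.0.255 any
!
! Corrected NAT ACL: exempt the VPN traffic before the general permit.
ip access-list extended NAT_EXEMPT
 deny   ip 192.168.10.0 0.0.0.255 192.168.49.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
!
route-map RM_NAT permit 10
 match ip address NAT_EXEMPT
!
! Outside interface is the one carrying the crypto map (assumed from the
! show output above); the NAT overload uses its address.
ip nat inside source route-map RM_NAT interface FastEthernet0/0 overload
!
! Checks after the change (names assumed):
!   show ip nat translations     - no entries with a 192.168.49.x destination
!   show access-lists NAT_EXEMPT - the deny counter increments during the ping
!   show crypto ipsec sa         - #pkts encaps rises with every echo sent
```

The same ordering applies to a ZBFW or interface ACL: the clear-text packet is inspected before encryption on the way out and after decryption on the way in, so a rule that drops ICMP on the inside interface produces exactly the symptom in this thread, an active SA with a 0 percent ping success rate.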
