Router 2811 IPsec VPN

Unanswered Question
Jul 22nd, 2010

Hi,

We are trying to establish a VPN between a Cisco 2811 router (Version 12.4(13r)T) and a PIX 515E (7.01 and 7.23).

We are able to get the VPN status UP but are unable to ping the IP (encrypt the IP on the router side).

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
XX.XX.202.161 XXX.XX.37.10    QM_IDLE           1023 ACTIVE

sh cry ipsec sa on the router side:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.148.0/255.255.252.0/0/0)
   remote ident (addr/mask/prot/port): (10.215.0.0/255.255.0.0/0/0)
   current_peer XXX.XX.37.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 1764, #pkts decrypt: 1764, #pkts verify: 1764
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: XXX.XXX.202.161, remote crypto endpt.: XXX.XXX.37.10
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x4D0B702(80787202)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x3861D560(945935712)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2015, flow_id: NETGX:15, sibling_flags 80000046, crypto map: StoS-VPN
        sa timing: remaining key lifetime (k/sec): (4438146/704)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4D0B702(80787202)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2016, flow_id: NETGX:16, sibling_flags 80000046, crypto map: StoS-VPN
        sa timing: remaining key lifetime (k/sec): (4438204/704)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Kindly suggest what the issue might be.

Jennifer Halim Thu, 07/22/2010 - 02:51

Based on the output of "show cry ipsec sa" on the router, traffic arrives at the router and is getting decrypted; however, it doesn't get encrypted to be sent towards the PIX end.

You might want to check if NAT exemption has been configured on the router for traffic between 192.168.148.0/22 towards 10.215.0.0/16.

If you can share the router config, we might be able to spot something.

Hope that helps.
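The counter reading this answer relies on (decaps climbing while encaps stays at 0) turned into a small script, as an added example that is not part of this thread or of Cisco's tooling. It parses a constructed `show crypto ipsec sa` output built from the counters posted above (RFC 5737 documentation addresses stand in for the masked peer IPs, and a second, healthy flow is invented for contrast), converts the proxy identities to CIDR, and names the failing direction together with what to check for it; the checklist wording is the example's own, not Cisco documentation.

```python
"""Read `show crypto ipsec sa` counters and say which direction of a tunnel is
broken and what to check for that direction.

Added example, not code from this thread or from Cisco. SAMPLE is constructed:
the first flow carries the counters and proxy identities posted in the thread
(RFC 5737 documentation addresses replace the masked XXX.XXX values), the
second flow is invented as a healthy contrast. ADVICE is this example's own
checklist, not Cisco documentation.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from ipaddress import ip_network

SAMPLE = """\
interface: FastEthernet0/1
    Crypto map tag: StoS-VPN, local addr 203.0.113.161

   local  ident (addr/mask/prot/port): (192.168.148.0/255.255.252.0/0/0)
   remote ident (addr/mask/prot/port): (10.215.0.0/255.255.0.0/0/0)
   current_peer 198.51.100.10 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 1764, #pkts decrypt: 1764, #pkts verify: 1764
    #send errors 0, #recv errors 0

   local  ident (addr/mask/prot/port): (192.168.148.0/255.255.252.0/0/0)
   remote ident (addr/mask/prot/port): (10.99.0.0/255.255.255.0/0/0)
   current_peer 198.51.100.20 port 500
    #pkts encaps: 512, #pkts encrypt: 512, #pkts digest: 512
    #pkts decaps: 498, #pkts decrypt: 498, #pkts verify: 498
    #send errors 0, #recv errors 3
"""

ADVICE = {
    "no-traffic": "nothing matched the crypto ACL either way: confirm the test traffic "
                  "hits the crypto ACL and that the crypto map sits on the egress interface",
    "return-path": "peer traffic is decrypted but replies never get encrypted: check NAT "
                   "exemption (the nonat deny must win for this flow), the route to the "
                   "remote subnet (must leave via the crypto-mapped interface), and that "
                   "replies from the inside hosts reach the router at all",
    "remote-side": "we encrypt but never decrypt: check the peer's mirror crypto ACL and "
                   "NAT exemption, or ESP being filtered on the path",
    "bidirectional": "both counters move; look at MTU/fragmentation and the error counters",
}

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
PEER_RE = re.compile(r"current_peer (\S+) port \d+")
COUNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


@dataclass
class FlowStats:
    local_ident: str   # proxy identity in CIDR form, e.g. 192.168.148.0/22
    remote_ident: str
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int

    @property
    def verdict(self) -> str:
        if self.encaps == 0 and self.decaps == 0:
            return "no-traffic"
        if self.encaps == 0:
            return "return-path"   # what the output posted in the thread shows
        if self.decaps == 0:
            return "remote-side"
        return "bidirectional"


def parse_flows(text: str) -> list[FlowStats]:
    """One FlowStats per local/remote ident pair in the show output."""
    flows = []
    # every flow starts at its own "local  ident" line; split on the newline right before it
    for chunk in re.split(r"\n(?=[ \t]*local\s+ident)", text)[1:]:
        idents = {side: str(ip_network(f"{addr}/{mask}", strict=False))
                  for side, addr, mask in IDENT_RE.findall(chunk)}
        if not idents:
            continue
        counts = {name: int(n) for name, n in COUNT_RE.findall(chunk)}
        peer = PEER_RE.search(chunk)
        err = ERR_RE.search(chunk)
        flows.append(FlowStats(
            local_ident=idents.get("local", "?"),
            remote_ident=idents.get("remote", "?"),
            peer=peer.group(1) if peer else "?",
            encaps=counts.get("encaps", 0),
            decaps=counts.get("decaps", 0),
            send_errors=int(err.group(1)) if err else 0,
            recv_errors=int(err.group(2)) if err else 0,
        ))
    return flows


def report(text: str) -> list[tuple[str, str, str]]:
    """(local ident, remote ident, verdict) per flow."""
    return [(f.local_ident, f.remote_ident, f.verdict) for f in parse_flows(text)]


if __name__ == "__main__":
    for f in parse_flows(SAMPLE):
        print(f"{f.local_ident} -> {f.remote_ident} via {f.peer}: "
              f"encaps={f.encaps} decaps={f.decaps} [{f.verdict}]")
        print("   ", ADVICE[f.verdict])
```

Run it against the real command output (`show crypto ipsec sa` pasted into a file) and the first flow reported as `return-path` is the one to chase with the NAT-exemption and routing checks above.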

vinoth.kumar Thu, 07/22/2010 - 02:58

Thanks for your reply

router config:

Building configuration...

Current configuration : 3345 bytes

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

boot-start-marker
boot-end-marker


no aaa new-model

dot11 syslog
ip source-route


ip cef


ip domain name yourdomain.com


multilink bundle-name authenticated


archive
log config
  hidekeys


crypto isakmp policy 1
encr 3des
authentication pre-share
group 2

crypto isakmp policy 2
encr 3des
authentication pre-share
group 2

crypto isakmp policy 3
authentication pre-share
group 2

crypto isakmp policy 4
hash md5
authentication pre-share

crypto isakmp policy 5
encr 3des
authentication pre-share

crypto isakmp key XXXXXX address XXX.XX.37.10

crypto ipsec transform-set TEST_VPN esp-3des esp-md5-hmac

crypto map StoS-VPN 21 ipsec-isakmp
set peer XXX.XXX.37.10
set transform-set TEST_VPN
match address 116


interface FastEthernet0/1
  ip address XXX.XXX.202.161 255.255.255.240
ip nat outside
ip virtual-reassembly
load-interval 30
duplex full
speed 100
crypto map StoS-VPN

interface FastEthernet0/3/0
switchport access vlan 100

interface FastEthernet0/3/1

interface FastEthernet0/3/2

interface FastEthernet0/3/3

interface Vlan1
no ip address

interface Vlan100
ip address 192.168.151.3 255.255.255.0
ip nat inside
ip virtual-reassembly


ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 XXX.XXX.203.162
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000


ip nat pool TEST XXX.XXX.202.161 XXX.XXX.202.161 netmask 255.255.255.252
ip nat inside source route-map nonat pool TEST overload

logging 192.168.151.220


access-list 102 deny   ip 192.168.148.0 0.0.3.255 10.215.0.0 0.0.255.255
access-list 102 permit ip 192.168.148.0 0.0.3.255 any

access-list 116 permit ip 192.168.148.0 0.0.3.255 10.215.0.0 0.0.255.255

route-map nonat permit 10
match ip address 102

manish arora Thu, 07/22/2010 - 09:23

Question: why does the IP address of interface Vlan100 have a /24 subnet mask instead of /22?

Can you please post some debugs (isakmp, ipsec) and also sh ip route on this router?

thanks

manish

vinoth.kumar Thu, 07/22/2010 - 21:27

Hi,

Thanks for your reply.

We have an L3 switch; from there we are routing the remote subnet to the router interface 192.168.151.3.

Routing table in the L3 switch:

#sh ip route

===============================================================================
Ip Route
===============================================================================
DST MASK NEXT COST VLAN PORT PROT TYPE

Jitendriya Athavale Thu, 07/22/2010 - 22:27

Are you able to ping the Vlan100 IP?

Also, just wondering whether you will need a route for the 192.168.148 network pointing to the next hop on the inside.

Also, what we need to see is whether the return traffic is actually coming to the router.

Can you apply this access-list on Vlan100:

ip access-list extended 199
 10 permit ip 192.168.148.0 /22 10.x.x.x
 20 permit ip any any
int vlan 100
 ip access-group 199 in

Let's see if we get any hit counts on 199.

Please note that line 10 in 199 is the interesting traffic.

vinoth.kumar Fri, 07/23/2010 - 03:05

Hi,

Please find the result after applying it to the interface:

Extended IP access list 199
    10 permit ip 192.168.148.0 0.0.3.255 10.215.0.0 0.0.255.255 (31 matches)
    20 permit ip any any (780 matches)

#sh version
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(24)T3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 23-Mar-10 06:43 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

Is there any issue with the IOS platform?

Thanks

Vinu


Jitendriya Athavale Fri, 07/23/2010 - 04:33

Can you take the debugs and attach them, please?

We would need both the isakmp and ipsec debugs if possible.

vinoth.kumar Fri, 07/23/2010 - 06:59

Hi,

Please find the debug log below:

*Jul 23 14:01:16.895: ISAKMP:(1025):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*Jul 23 14:01:16.895: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 23 14:01:16.895: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 23 14:01:16.895: Crypto mapdb : proxy_match
        src addr     : 192.168.148.0
        dst addr     : 10.215.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Jul 23 14:01:16.899: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer XXX.XXX.37.10
*Jul 23 14:01:16.899: IPSEC(policy_db_add_ident): src 192.168.148.0, dest 10.215.0.0, dest_port 0
*Jul 23 14:01:16.899: IPSEC(create_sa): sa created,
  (sa) sa_dest= XXX.XXX.202.161, sa_proto= 50,
    sa_spi= 0x802AB1AF(2150281647),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2077
    sa_lifetime(k/sec)= (4576146/3600)
*Jul 23 14:01:16.899: IPSEC(create_sa): sa created,
  (sa) sa_dest= XXX.XXX.37.10, sa_proto= 50,
    sa_spi= 0x9319ECF9(2467949817),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2078
    sa_lifetime(k/sec)= (4576146/3600)
*Jul 23 14:01:17.115: ISAKMP (1025): received packet from XXX.XXX.37.10 dport 500 sport 500 Global (R) QM_IDLE
*Jul 23 14:01:17.119: ISAKMP:(1025):deleting node 1232130872 error FALSE reason "QM done (await)"
*Jul 23 14:01:17.119: ISAKMP:(1025):Node 1232130872, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jul 23 14:01:17.119: ISAKMP:(1025):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Jul 23 14:01:17.119: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 23 14:01:17.119: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Jul 23 14:01:17.119: IPSEC(key_engine_enable_outbound): enable SA with spi 2467949817/50
*Jul 23 14:01:17.119: IPSEC(update_current_outbound_sa): updated peer XXX.XXX.37.10 current outbound sa to SPI 9319ECF9
*Jul 23 14:01:36.091: IPSEC(crypto_map_check_encrypt_core): CRYPTO: Packet dropped because cryptomap is currently being created
*Jul 23 14:01:36.091: IPSEC(crypto_map_check_encrypt_core): CRYPTO: Packet dropped because cryptomap is currently being created
*Jul 23 14:01:36.095: IPSEC(crypto_map_check_decrypt_core): CRYPTO: Packet dropped because cryptomap si currently being created
*Jul 23 14:01:36.095: IPSEC(crypto_map_check_decrypt_core): CRYPTO: Packet dropped because cryptomap si currently being created

Thanks

Vinu


manish arora Fri, 07/23/2010 - 10:30

Try adjusting the MTU on both sides, the PIX as well as your router. It appears that the packets are coming in with the DF bit set to 1. Try using extended ping with different MTUs and debug ip icmp. Post the config of both sides, router and PIX. Also make sure that if you are running remote-access VPN on either side, its crypto map sequence is higher than the L2L one.

I am more than confident that it is an MTU issue + DF set (do not fragment), as phase 1 and phase 2 are completed as per the debug on the router side.

thanks

Manish

Jitendriya Athavale Fri, 07/23/2010 - 11:09

Sometimes we see the "crypto map is currently being created" message due to a mismatch in crypto identities.

Can you please paste the config on the other end as well?

It looks like a crypto ACL mismatch. Can you please confirm again that the phase 2 config is matching on both ends? I am particularly worried about the 192.168.148 network because that has a /23 mask and in the identities it looks like it might have /24.

Can you please confirm that?

vinoth.kumar Mon, 07/26/2010 - 00:14

Hi,

I have a small query: does the router require any activation key, something to encrypt and decrypt the traffic?

Kindly advise.


Jitendriya Athavale Mon, 07/26/2010 - 05:19

I don't think you need anything of that sort; it depends on the image, and if you didn't have the right image it probably wouldn't let you enter the commands in the first place.

It looks like a config issue in phase 2.

Can you please paste the config on both ends?

vinoth.kumar Mon, 07/26/2010 - 05:39

Hi,

Please find the configs below.

Router config

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
!
ip domain name yourdomain.com
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 authentication pre-share
 group 2
!
crypto isakmp policy 4
 hash md5
 authentication pre-share
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
crypto isakmp key XXXXXX address XXX.XXX.37.10
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set XXXXX-VPN esp-3des esp-md5-hmac
!
crypto map StoS-VPN 21 ipsec-isakmp
 set peer XX.XX.37.10
 set transform-set XXXXX-VPN
 match address 116
!
interface FastEthernet0/0
 description PTP TO ISP
 ip address XXX.XXX.203.161 255.255.255.252
 load-interval 30
 duplex auto
 speed 100
!
interface FastEthernet0/1
 description WAN_INTERFACE
 ip address XXX.XXX.202.161 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex full
 speed 100
 crypto map StoS-VPN
!
interface FastEthernet0/3/0
 switchport access vlan 100
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Vlan1
 no ip address
!
interface Vlan100
 ip address 192.168.151.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
router bgp 17488
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 XXX.XXX.203.162
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool TEST XXX.XXX.202.161 XXX.XXX.202.161 netmask 255.255.255.252
ip nat inside source route-map nonat pool TEST overload
!
logging 192.168.151.220
access-list 102 deny ip 192.168.151.0 0.0.0.255 10.215.0.0 0.0.255.255
access-list 102 permit ip 192.168.151.0 0.0.0.255 any
access-list 116 permit ip 192.168.151.0 0.0.0.255 10.215.0.0 0.0.255.255
!
route-map nonat permit 10
 match ip address 102
!
snmp-server community public RW
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps cpu threshold
snmp-server host 10.89.2.10 public
!
control-plane
!
line con 0
line aux 0
!
scheduler allocate 20000 1000

PIX Config

: Saved
:
PIX Version 8.0(4)
!
hostname PRI-PIX-FW-SYD1
domain-name SYD-GS
enable password MSV2FjMCpOHCDb7R encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0
 description PIX WAN INTERFACE
 nameif outside
 security-level 0
 ip address XXX.XXX.37.10 255.255.255.224
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.215.1.10 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 security-level 80
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 description STATE Failover Interface
 speed 100
 duplex full
!
ftp mode passive
dns server-group DefaultDNS
access-list VPN-XXX extended permit ip 10.215.0.0 255.255.0.0 192.168.151.0 255.255.255.0
access-list NO_NAT extended permit ip 10.215.0.0 255.255.0.0 192.168.151.0 255.255.255.0
pager lines 24
logging enable
mtu outside 1500
mtu inside 1500
ip local pool RemoteVPNpool 10.215.254.241-10.215.254.246
failover
failover link state Ethernet5
failover interface ip state 172.16.50.1 255.255.255.0 standby 172.16.50.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image flash:/asdm-613.bin
no asdm history enable
arp timeout 14400
global (outside) 1 XXX.XXX.37.6
nat (inside) 0 access-list NO_NAT
access-group Outside_inside in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.37.1 1
route inside 10.215.10.0 255.255.255.0 10.215.1.1 1
route inside 10.215.11.0 255.255.255.0 10.215.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set XXXXXXX-set esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN_IPSEC 5 match address VPN-XXX
crypto map VPN_IPSEC 5 set peer XXX.XXX.202.161
crypto map VPN_IPSEC 5 set transform-set XXXXXXX-set
crypto map VPN_IPSEC 5 set security-association lifetime seconds 28800
crypto map VPN_IPSEC 5 set security-association lifetime kilobytes 4608000
crypto map VPN_IPSEC interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 9
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 11
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 13
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 15
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp policy 16
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group XXX.XXX.202.161 type ipsec-l2l
tunnel-group XXX.XXX.202.161 ipsec-attributes
 pre-shared-key X
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!

thanks

Vinu

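A cross-check of the two configs posted in this thread, as an added example that is not code from the thread or from Cisco. It tests the three phase-2 points the replies raise: NAT exemption on each side (Jennifer Halim's suggestion), mirrored crypto ACL identities (Jitendriya Athavale's suspicion), and transform-set agreement, which the posted fragments fail on (router esp-3des esp-md5-hmac, PIX esp-des esp-md5-hmac). The config fragments are constructed from lines posted above, with names and masked addresses as posted; the first router post's 192.168.148.0/22 crypto ACL is kept as a second input to show the identity mismatch. Assumptions: one crypto-map entry per side, IPv4 `ip` ACL lines only, and the NAT-exemption ACL names (`102`, `NO_NAT`) passed in by hand rather than parsed from the `route-map` / `nat (inside) 0` statements.

```python
"""Cross-check IPsec phase-2 parameters between an IOS crypto map and a PIX/ASA
crypto map: proxy identities must mirror, NAT exemption must cover every
crypto-ACL flow on each side, and the transform sets must agree.

Added example, not code from this thread or from Cisco. The config fragments
are constructed from lines posted in the thread. Assumptions: one crypto-map
entry per side, IPv4 'ip' ACL entries only, NAT-exemption ACL names passed in.
"""
from __future__ import annotations
import re
from ipaddress import IPv4Network, ip_network

# Router lines as in the second posted config (crypto ACL 116 on 192.168.151.0/24).
ROUTER_CFG = """\
crypto ipsec transform-set XXXXX-VPN esp-3des esp-md5-hmac
crypto map StoS-VPN 21 ipsec-isakmp
 set transform-set XXXXX-VPN
 match address 116
access-list 102 deny ip 192.168.151.0 0.0.0.255 10.215.0.0 0.0.255.255
access-list 102 permit ip 192.168.151.0 0.0.0.255 any
access-list 116 permit ip 192.168.151.0 0.0.0.255 10.215.0.0 0.0.255.255
"""
# Same router lines with the networks of the first posted config (192.168.148.0/22).
ROUTER_CFG_FIRST_POST = ROUTER_CFG.replace("192.168.151.0 0.0.0.255", "192.168.148.0 0.0.3.255")

PIX_CFG = """\
access-list VPN-XXX extended permit ip 10.215.0.0 255.255.0.0 192.168.151.0 255.255.255.0
access-list NO_NAT extended permit ip 10.215.0.0 255.255.0.0 192.168.151.0 255.255.255.0
crypto ipsec transform-set XXXXXXX-set esp-des esp-md5-hmac
crypto map VPN_IPSEC 5 match address VPN-XXX
crypto map VPN_IPSEC 5 set transform-set XXXXXXX-set
"""


def _take_net(tokens: list, pix: bool) -> IPv4Network:
    """Consume one address spec: any | host A | A wildcard (IOS) | A netmask (PIX)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ip_network("0.0.0.0/0")
    if tok == "host":
        return ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    if not pix:   # IOS wildcard bits -> netmask
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    return ip_network(f"{tok}/{mask}", strict=False)


def parse_acls(cfg: str, pix: bool = False) -> dict:
    """{acl name: [(action, src_net, dst_net), ...]} in configured order."""
    acls = {}
    for line in cfg.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        name, rest = t[1], t[2:]
        if pix:
            if rest[0] != "extended":
                continue
            rest = rest[1:]
        action, proto, rest = rest[0], rest[1], rest[2:]
        if proto != "ip":
            continue
        acls.setdefault(name, []).append((action, _take_net(rest, pix), _take_net(rest, pix)))
    return acls


def crypto_map_params(cfg: str) -> tuple:
    """Crypto-ACL name and algorithm set of the transform set the crypto map uses."""
    ts = {m.group(1): frozenset(m.group(2).split())
          for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)}
    acl = re.search(r"^\s*(?:crypto map \S+ \d+ )?match address (\S+)$", cfg, re.M).group(1)
    ts_name = re.search(r"^\s*(?:crypto map \S+ \d+ )?set transform-set (\S+)$", cfg, re.M).group(1)
    return acl, ts[ts_name]


def mirror_mismatches(local_acl, remote_acl):
    """Local crypto-ACL permits with no exact (dst, src) counterpart on the peer."""
    mirrored = {(d, s) for a, s, d in remote_acl if a == "permit"}
    return [(s, d) for a, s, d in local_acl if a == "permit" and (s, d) not in mirrored]


def nat_gaps(crypto_acl, nat_acl, exempt_if):
    """Crypto flows whose first match in the NAT ACL does not exempt them.
    exempt_if() receives the first matching action, or None when nothing matches.
    A flow is judged as a whole (containment); partial overlaps are not split."""
    gaps = []
    for a, s, d in crypto_acl:
        if a != "permit":
            continue
        hit = next((na for na, ns, nd in nat_acl if s.subnet_of(ns) and d.subnet_of(nd)), None)
        if not exempt_if(hit):
            gaps.append((s, d))
    return gaps


def review(router_cfg: str, pix_cfg: str, router_nonat_acl: str = "102",
           pix_nat0_acl: str = "NO_NAT") -> dict:
    r_acls, p_acls = parse_acls(router_cfg), parse_acls(pix_cfg, pix=True)
    r_acl, r_ts = crypto_map_params(router_cfg)
    p_acl, p_ts = crypto_map_params(pix_cfg)
    return {
        "router_unmirrored": mirror_mismatches(r_acls[r_acl], p_acls[p_acl]),
        "pix_unmirrored": mirror_mismatches(p_acls[p_acl], r_acls[r_acl]),
        # IOS route-map NAT: a deny or no match means the flow is not translated
        "router_nat_gaps": nat_gaps(r_acls[r_acl], r_acls.get(router_nonat_acl, []),
                                    lambda act: act != "permit"),
        # PIX nat (inside) 0 ACL: the flow must be permitted to be exempt
        "pix_nat_gaps": nat_gaps(p_acls[p_acl], p_acls.get(pix_nat0_acl, []),
                                 lambda act: act == "permit"),
        "transform_mismatch": set(r_ts ^ p_ts),
    }


if __name__ == "__main__":
    for label, cfg in (("second post", ROUTER_CFG), ("first post", ROUTER_CFG_FIRST_POST)):
        print(label, review(cfg, PIX_CFG))
```

With the second-post router lines the identities and NAT exemption pass and only the transform sets differ; with the first-post lines the 192.168.148.0/22 identity has no mirror on the PIX, which is the mismatch the "cryptomap is currently being created" drops were suspected to indicate. Phase-1 policy and pre-shared keys are out of scope here since the thread shows ISAKMP reaching QM_IDLE.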

manish arora Mon, 07/26/2010 - 08:48

Can you please issue this command on the PIX :-

crypto ipsec df-bit clear-df outside

thanks

Manish

vinoth.kumar Mon, 07/26/2010 - 09:01

No luck, it's the same as before.

Jitendriya Athavale Mon, 07/26/2010 - 10:00

Can you try clearing the tunnel and establishing it again?

Please try the following:

clear cry sa
clear crypto sessions

Remove the crypto map from the interface, reapply it, and then try to bring the tunnel up.

manish arora Mon, 07/26/2010 - 15:54

Did clearing the crypto map help at all?

If not, then can you please make the following changes on the router side:

1> Remove the non-default "crypto isakmp invalid-spi-recovery" command.

2> Place the match statement before the set statements in the crypto map configuration.

3> Do isakmp, ipsec and engine debugs + system logs from both the router and the PIX for more research on the matter.

thanks

Manish
