01-12-2006 11:04 PM
Hi All,
I configured a VPN between H.O (P.Q.0.0/16, 172.29.32.0/24) and B.O (172.29.08.0/24).
The VPN got established. For ping from the H.O (P.Q.0.0/16) segments to B.O (172.29.08.0/24), the ping reply is OK, but for ping from H.O (172.29.32.0/24) to B.O (172.29.08.0/24), the ping reply is bad.
My H.O VPN box is a WatchGuard Firebox III/1000 and the B.O VPN box is a Cisco ISR 1841 with IOS 12.3(8)T9 ADVSEC-K9.
I have attached the Cisco config, IPsec details and access-list counters.
Can you please check and tell me what I have missed?
01-13-2006 12:04 AM
Hi
Can you revert where both P.Q.0.0/16 and 172.29.32.0/24 have been assigned in the HO router?
Is it something like primary/secondary subnet assignments there in the Firebox, or inside/outside IP assignment in the Firebox?
regds
01-13-2006 01:40 AM
Hi
My H.O Firebox LAN segment is 172.29.32.0/24, which is connected to a Router (fa0/0), and Router (fa0/1) is P.Q.0.0/16.
Topology is:
INTERNET
||
Firebox
|| 172.29.32.0/24
Router
|| P.Q.0.0/16
LAN
01-13-2006 11:21 PM
Hi
current outbound spi: 0
Why is it 0? "inbound esp sas:" and "outbound esp sas:" are blank, why is it so? Is there any config mismatch?
RT#show cry ipse sa details
interface: FastEthernet0/1
Crypto map tag: SDM_CMAP_1, local addr. A.B.C.221
protected vrf:
local ident (addr/mask/prot/port): (172.29.08.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.29.32.0/255.255.255.0/0/0)
current_peer: X.Y.Z.34:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 5, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: A.B.C.221, remote crypto endpt.: X.Y.Z.34
path mtu 1500, media mtu 1500
current outbound spi: 0 <<<==============================================????????
inbound esp sas: <<<==============================================????????
inbound ah sas:
inbound pcp sas:
outbound esp sas: <<<==============================================????????
outbound ah sas:
outbound pcp sas:
protected vrf:
local ident (addr/mask/prot/port): (172.29.08.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (P.Q.0.0/255.255.0.0/0/0)
current_peer: X.Y.Z.34:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 558, #pkts encrypt: 558, #pkts digest: 558
#pkts decaps: 867, #pkts decrypt: 867, #pkts verify: 867
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: A.B.C.221, remote crypto endpt.: X.Y.Z.34
path mtu 1500, media mtu 1500
current outbound spi: D04DC07
inbound esp sas:
spi: 0xB3180750(3004696400)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5135, flow_id: 15, crypto map: SDM_CMAP_1
crypto engine type: Hardware, engine_id: 2
sa timing: remaining key lifetime (k/sec): (7845/18360)
ike_cookies: 8F94B16A 3D3FEA1F 4DB5E41F B4C9E1FE
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xD04DC07(218422279)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5136, flow_id: 16, crypto map: SDM_CMAP_1
crypto engine type: Hardware, engine_id: 2
sa timing: remaining key lifetime (k/sec): (7914/18354)
ike_cookies: 8F94B16A 3D3FEA1F 4DB5E41F B4C9E1FE
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
RT#
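An added example, not part of the original thread: a small Python parser that splits `show crypto ipsec sa` output into one record per local/remote ident pair and lists the pairs that have no outbound SA (SPI 0), together with their "no sa (send)" counter. The sample is an abridged copy of the output posted above, and the function names are this example's own.

```python
import re

# Abridged from the "show crypto ipsec sa" output posted above (constructed sample).
SAMPLE = """\
local ident (addr/mask/prot/port): (172.29.08.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.29.32.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts no sa (send) 5, #pkts invalid sa (rcv) 0
current outbound spi: 0
local ident (addr/mask/prot/port): (172.29.08.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (P.Q.0.0/255.255.0.0/0/0)
#pkts encaps: 558, #pkts encrypt: 558, #pkts digest: 558
#pkts decaps: 867, #pkts decrypt: 867, #pkts verify: 867
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
current outbound spi: D04DC07
"""

IDENT = re.compile(r"(local|remote)\s+ident.*:\s*\(([^/]+)/([^/]+)/")
COUNTERS = {  # field name -> (pattern, numeric base of the captured value)
    "encaps": (re.compile(r"#pkts encaps:\s*(\d+)"), 10),
    "decaps": (re.compile(r"#pkts decaps:\s*(\d+)"), 10),
    "no_sa": (re.compile(r"#pkts no sa \(send\)\s*(\d+)"), 10),
    "spi": (re.compile(r"current outbound spi:\s*(?:0x)?([0-9A-Fa-f]+)"), 16),
}

def parse_ipsec_sa(text):
    """Return one dict per local/remote ident pair found in the output."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        m = IDENT.match(line)
        if m and m.group(1) == "local":      # a "local ident" line starts a new record
            flows.append({"local": f"{m.group(2)}/{m.group(3)}"})
        elif m and flows:
            flows[-1]["remote"] = f"{m.group(2)}/{m.group(3)}"
        elif flows:
            for key, (rx, base) in COUNTERS.items():
                hit = rx.search(line)
                if hit:
                    flows[-1][key] = int(hit.group(1), base)
    return flows

def flows_without_sa(flows):
    """Ident pairs whose outbound SPI is 0, i.e. no outbound SA is installed."""
    return [(f["local"], f.get("remote", "?"), f.get("no_sa", 0))
            for f in flows if f.get("spi", 0) == 0]

if __name__ == "__main__":
    for local, remote, dropped in flows_without_sa(parse_ipsec_sa(SAMPLE)):
        print(f"no SA for {local} -> {remote}; 'no sa (send)' = {dropped}")
```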