IPSec VPN - encapsulation error

adalessa
Level 1

An IPSec VPN is established between two routers with the following parameters applied:

encr 3des
hash md5
authentication pre-share
crypto ipsec transform-set <name> esp-3des ah-md5-hmac
mode transport

Checks already performed:

- ACL mirroring -> no prob

- Peer address mismatch -> no prob

- Transform set mismatch -> no prob

- IKE policy mismatch -> no prob

The VPN encrypted path "seems" to work fine: echo and reply flow through the VPN with no errors, but IP services like telnet, FTP or HTTP do not work properly.

FTP: I can connect to the remote host and perform the authentication, but if I try an 'ls -al' the connection hangs. On the contrary, the 'ls' command works fine.

Telnet: as above.

HTTP: it simply does not work.

"debug crypto ipsec" on the remote router gives the following error:

Jul 17 12:04:39 UTC+2: IPSEC(encapsulate): error in encapsulation fs_encap_decap_fail

The same debug command on the local router does not give errors.

I've lost myself... any suggestion?

Thanks

Andrea

4 Replies

paqiu
Level 1

Sounds like an MTU issue. What is the IOS version you are using?

If you are using 12.2.8T (the latest is 12.2.8T4), there is a command that can clear the DF bit to resolve the MTU issue (global configuration mode):

"crypto ipsec df-bit clear"

Please give it a try and see how things go.

If it is still not working, please upload the two routers' configs and we will have a look.

Best Regards,
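The symptom split in the thread (ping works, bulk FTP/HTTP data hangs) is the classic signature of an MTU problem, so here is an added example, written for this page and not taken from the thread or from Cisco, that models why. It estimates how much the thread's transform set (ah-md5-hmac esp-3des, transport mode) grows an IPv4 packet, using the header sizes from RFC 4302 (AH), RFC 4303 (ESP), an 8-byte 3DES IV/block and a 12-byte HMAC-MD5-96 authenticator, and then decides what the encrypting router does when the result no longer fits the next-hop MTU. The `df_bit_clear` flag is an assumption that models the suggested "crypto ipsec df-bit clear" behaviour as "ignore the host's DF bit and fragment after encapsulation"; the function names and the sample packet sizes are constructed for the example, not IOS internals.

```python
"""
Added example (not from the original thread): size growth of an IPv4 packet
under an AH+ESP transform set and the forward/drop decision at the MTU.
Byte counts follow RFC 4302 (AH) and RFC 4303 (ESP); 3DES and MD5-96 sizes
are the standard ones. The IOS behaviour modelled here is an assumption.
"""

IP_HEADER = 20          # IPv4 header without options
AH_FIXED = 12           # next header, payload len, reserved, SPI, sequence
MD5_96_ICV = 12         # HMAC-MD5-96 truncated authenticator
ESP_HEADER = 8          # SPI + sequence number
TRIPLE_DES_IV = 8       # 3DES-CBC initialisation vector
TRIPLE_DES_BLOCK = 8    # CBC block size the ESP padding aligns to
ESP_TRAILER = 2         # pad length + next header


def esp_padding(payload_len):
    """ESP pad bytes so (payload + pad + trailer) is a multiple of the block size."""
    return (-(payload_len + ESP_TRAILER)) % TRIPLE_DES_BLOCK


def encapsulated_size(inner_ip_len, mode="transport", ah=True, esp=True, esp_auth=False):
    """
    Bytes on the wire after the transform set is applied to an IPv4 packet of
    inner_ip_len bytes (IP header included).
    transport: the original IP header stays outside; only its payload is
    wrapped in ESP (and AH). tunnel: the whole inner packet is wrapped and a
    new 20-byte outer header is added. esp_auth adds an ESP ICV (not used by
    the thread's transform set, where AH carries the integrity check).
    """
    if mode == "transport":
        inner_payload = inner_ip_len - IP_HEADER
    elif mode == "tunnel":
        inner_payload = inner_ip_len
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    size = IP_HEADER + inner_payload
    if esp:
        size += ESP_HEADER + TRIPLE_DES_IV + esp_padding(inner_payload) + ESP_TRAILER
        if esp_auth:
            size += MD5_96_ICV
    if ah:
        size += AH_FIXED + MD5_96_ICV
    return size


def forward(inner_ip_len, link_mtu, df_set, df_bit_clear=False, **transform):
    """
    Decision of the encrypting router for one packet. df_set is the DF flag
    the host put on the packet (PMTUD hosts set it on bulk TCP data).
    df_bit_clear models 'crypto ipsec df-bit clear' as: ignore DF and
    fragment after encapsulation (assumption). Returns ("forward", n_fragments)
    or ("drop", reason).
    """
    size = encapsulated_size(inner_ip_len, **transform)
    if size <= link_mtu:
        return ("forward", 1)
    if df_set and not df_bit_clear:
        return ("drop", "DF set and encapsulated size %d > MTU %d "
                        "(ICMP fragmentation-needed sent, easily lost)" % (size, link_mtu))
    # IPv4 fragments carry a full IP header and a multiple of 8 data bytes.
    data_per_fragment = (link_mtu - IP_HEADER) // 8 * 8
    fragments = -(-(size - IP_HEADER) // data_per_fragment)
    return ("forward", fragments)


def max_inner_size(link_mtu, **transform):
    """Largest cleartext IPv4 packet whose encapsulated form still fits link_mtu."""
    for length in range(link_mtu, IP_HEADER, -1):
        if encapsulated_size(length, **transform) <= link_mtu:
            return length
    return None


if __name__ == "__main__":
    # Constructed sample traffic: a small ping and a full-size TCP data segment.
    samples = (("ICMP echo, 100 B", 100, False),
               ("bulk TCP data, 1500 B with DF (PMTUD)", 1500, True))
    for label, size, df in samples:
        print("%-40s -> %d B encapsulated, %s" % (label, encapsulated_size(size), forward(size, 1500, df)))
        print("%-40s    with df-bit clear: %s" % ("", forward(size, 1500, df, df_bit_clear=True)))
    biggest = max_inner_size(1500)
    print("largest cleartext packet that fits a 1500 B link: %d B (TCP MSS %d)" % (biggest, biggest - 40))
```

Running it shows the 100-byte echo growing to 148 bytes and passing, while the 1500-byte data segment grows to 1548 bytes and, with DF set, is dropped; clearing DF turns the same packet into two fragments. The last line is what a practitioner would use if clearing DF is not available on the platform: clamp the TCP MSS so that no cleartext packet exceeds the size that fits after encapsulation.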

Some details about routers and IOS.

Remote router (vpn-r): 3640 with IOS 12.2.6 (C3640-JK9O3S-M)

Local router (netlab-r0): 3660 with IOS 12.2.6 (C3660-JK9O3S-M)

I cannot perform the IOS upgrade because IOS 12.2.8T4 requires 32MB of flash. I have just 16.

Here are the running configs.

Best

Andrea

=========== VPN-R ===========
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn-r
!
enable password **********
!
ip subnet-zero
!
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
ip accounting-threshold 4096
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key address 193.204.104.1
crypto isakmp keepalive 60 5
!
crypto ipsec transform-set TS-ESRIN-SAP ah-md5-hmac esp-3des
!
crypto map CM-ESRIN-SAP local-address FastEthernet0/0
crypto map CM-ESRIN-SAP 1 ipsec-isakmp
 set peer 193.204.104.1
 set transform-set TS-ESRIN-SAP
 match address 107
!
call rsvp-sync
!
fax interface-type modem
mta receive maximum-recipients 0
!
interface FastEthernet0/0
 ip address 10.66.66.2 255.255.255.0
 duplex auto
 speed auto
 crypto map CM-ESRIN-SAP
!
interface FastEthernet0/1
 ip address 193.204.106.11 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.66.66.1
ip http server
ip pim bidir-enable
!
access-list 107 permit ip host 193.204.106.10 host 192.171.5.10
!
dial-peer cor custom
!
line con 0
 speed 115200
line aux 0
line vty 0 4
 exec-timeout 0 0
 password ************
 login
!
end

=========== NETLAB-R0 ===========
!
version 12.2
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service linenumber
!
hostname NETLAB-R0
!
logging buffered 65535 debugging
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
enable secret 5 ************
!
username ************ password 7 ************
clock timezone UTC+2 2
ip subnet-zero
no ip source-route
!
!
ip ftp username ************
ip ftp password 7 ************
ip domain-name esrin.esa.int
ip name-server 192.171.5.18
ip name-server 192.171.5.19
no ip dhcp conflict logging
ip dhcp excluded-address 193.204.104.1 193.204.104.99
ip dhcp excluded-address 193.204.104.111 193.204.104.255
ip dhcp excluded-address 193.204.231.1 193.204.231.10
ip dhcp excluded-address 193.204.231.211 193.204.231.255
!
ip dhcp pool GARRB_144.100-110
 network 193.204.104.0 255.255.255.0
 default-router 193.204.104.1
 dns-server 192.171.5.18
 domain-name esrin.esa.it
 lease 0 12
!
ip dhcp pool DATAGRIDdhcp
 network 193.204.231.0 255.255.255.0
 default-router 193.204.231.250
 dns-server 192.171.5.18 192.171.5.19
 domain-name esrin.esa.int
 lease 0 12
!
ip multicast-routing
ip sap cache-timeout 30
ip cef
ip audit notify log
ip audit po max-events 100
ip audit smtp spam 20
ip ssh time-out 120
ip ssh authentication-retries 5
ip accounting-threshold 4096
!
class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*x.ida*"
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*/../*"
!
!
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key address 10.66.66.2
crypto isakmp keepalive 60 5
!
!
crypto ipsec transform-set TS-ESRIN-SAP ah-md5-hmac esp-3des
!
crypto map CM-ESRIN-SAP local-address FastEthernet2/0
crypto map CM-ESRIN-SAP 1 ipsec-isakmp
 set peer 10.66.66.2
 set transform-set TS-ESRIN-SAP
 match address 107
!
isdn switch-type basic-net3
call rsvp-sync
!
[snip]
!
interface FastEthernet2/0
 description NETLAB-LAN1 193.204.104.0
 ip address 193.204.104.1 255.255.255.0
 ip access-group 168 out
 ip pim sparse-mode
 ip sap listen
 duplex auto
 speed auto
 service-policy input mark-inbound-http-hacks
 crypto map CM-ESRIN-SAP
!
interface FastEthernet2/0.1
 description VideoConference Project (Operational)
 encapsulation dot1Q 2
 ip address ************ 255.255.255.224
 ip access-group 160 out
 ip policy route-map VideoSTA
!
interface FastEthernet2/0.2
 description E-ISOLAN #1#
 encapsulation dot1Q 3
 ip address ************ 255.255.255.240
!
interface FastEthernet3/0
 description WANSLAN
 ip address 192.171.5.13 255.255.255.240
 no ip redirects
 no ip unreachables
 ip pim sparse-mode
 ip sap listen
 duplex auto
 speed auto
 service-policy input mark-inbound-http-hacks
!
[snip]
!
router eigrp 350
[snip]
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.171.5.8
ip route 10.66.66.0 255.255.255.0 193.204.104.11
[snip]
no ip http server
ip pim bidir-enable
ip pim rp-address 193.204.216.254
ip pim accept-rp 193.204.216.254
!
[snip]
!
access-list 107 permit ip host 192.171.5.10 host 193.204.106.10
[snip]
access-list 168 permit ip any any
[snip]
end

What about IOS release 12.2.10a? Is the command you suggest included in this release?

Thanks again

Andrea

b.s
Level 1

Did you ever get this solved? Having similar issues running IOS 12.2(13).

IPSEC(encapsulate): error in encapsulation fs_encap_decap_fail