07-17-2002 02:36 AM - edited 02-21-2020 11:56 AM
An IPSec VPN is established between two routers with the following parameters applied:
encr 3des
hash md5
authentication pre-share
crypto ipsec transform-set <name> esp-3des ah-md5-hmac
mode transport
Checks already performed:
- ACL mirroring -> no prob
- Peer address mismatch -> no prob
- Transform set mismatch -> no prob
- IKE policy mismatch -> no prob
The VPN encrypted path "seems" to work fine: echo and reply flow through the VPN with no errors, but IP services like telnet, FTP or HTTP do not work properly.
FTP: I can connect to the remote host and perform the authentication, but if I try an 'ls -al' the connection hangs. On the contrary, the 'ls' command works fine.
Telnet: as above.
HTTP: it simply does not work.
"debug crypto ipsec" on the remote router gives the following error:
Jul 17 12:04:39 UTC+2: IPSEC(encapsulate): error in encapsulation fs_encap_decap_fail
The same debug command on the local router does not give errors.
I've lost myself... any suggestion?
thanks
Andrea
07-17-2002 03:03 AM
Sounds like an MTU issue. What is the IOS version you are using?
If you are using 12.2.8T (latest is 12.2.8T4), there is a command that can clear the DF bit to resolve the MTU issue (global configuration mode):
"crypto ipsec df-bit clear"
Please give it a try and see how things go.
If it is still not working, please upload the two routers' configs and we will have a look.
Best Regards,
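The size arithmetic behind the MTU diagnosis, as an added example (not from the thread or from Cisco): it models the thread's transform set (AH-MD5-HMAC outer, ESP-3DES inner, transport mode) and shows why a small ping passes while a full-size TCP segment with DF set cannot be encapsulated, and what MSS would fit. Assumed, not from the page: a 1500-byte MTU, a 1460-byte TCP MSS, and per-header overhead as specified in RFC 2402 (AH) and RFC 2406 (ESP); the function names are mine.

```python
"""Size arithmetic for IPsec transport mode with AH-HMAC-MD5 + ESP-3DES.

Assumptions (not from the thread): MTU 1500, TCP MSS 1460, overhead per
RFC 2402 / RFC 2406. AH with MD5-96 is 24 bytes (12-byte fixed header plus a
12-byte ICV); ESP-3DES adds an 8-byte header (SPI + sequence), an 8-byte IV
and a 2-byte trailer, and the ciphertext is padded to an 8-byte block.
"""

IP_HDR = 20
TCP_HDR = 20
ICMP_HDR = 8
AH_MD5_96 = 12 + 12   # fixed AH header + 96-bit truncated HMAC-MD5 ICV
ESP_HDR = 8           # SPI + sequence number
ESP_IV_3DES = 8       # 3DES-CBC IV (one cipher block)
ESP_TRAILER = 2       # pad length + next header
BLOCK = 8             # 3DES block size; ciphertext length must be a multiple


def esp_encrypted_len(plaintext_len: int) -> int:
    """Ciphertext length: plaintext + trailer, rounded up to a whole 3DES block."""
    raw = plaintext_len + ESP_TRAILER
    return -(-raw // BLOCK) * BLOCK  # ceiling division


def encapsulated_len(l4_len: int) -> int:
    """On-the-wire size of a transport-mode packet whose transport header + data
    is l4_len bytes, with ESP-3DES applied first and AH-MD5 wrapped around it."""
    return IP_HDR + AH_MD5_96 + ESP_HDR + ESP_IV_3DES + esp_encrypted_len(l4_len)


def fits(l4_len: int, mtu: int = 1500) -> bool:
    return encapsulated_len(l4_len) <= mtu


def max_tcp_payload(mtu: int = 1500) -> int:
    """Largest TCP payload that still fits after encapsulation (the MSS to clamp to)."""
    budget = mtu - IP_HDR - AH_MD5_96 - ESP_HDR - ESP_IV_3DES  # room for ESP ciphertext
    budget -= budget % BLOCK                                  # must be a whole block
    return budget - ESP_TRAILER - TCP_HDR


def outcome(l4_len: int, df_set: bool, mtu: int = 1500, df_bit_clear: bool = False) -> str:
    """What the encrypting router can do with the packet: 'forward' if it fits,
    'drop' if it does not fit and DF must be honoured, 'fragment' otherwise
    (i.e. DF was not set, or the router is configured to clear it)."""
    if fits(l4_len, mtu):
        return "forward"
    if df_set and not df_bit_clear:
        return "drop"
    return "fragment"


# Constructed sample traffic, matching the thread's symptoms.
SAMPLES = [
    ("ping, 56 data bytes", ICMP_HDR + 56, False),
    ("small TCP reply ('ls')", TCP_HDR + 200, True),
    ("full TCP segment ('ls -al', HTTP)", TCP_HDR + 1460, True),
]

if __name__ == "__main__":
    for name, l4, df in SAMPLES:
        print(f"{name:36s} wire={encapsulated_len(l4):5d} "
              f"default={outcome(l4, df):8s} df-bit-clear={outcome(l4, df, df_bit_clear=True)}")
    print("MSS that fits a 1500-byte MTU:", max_tcp_payload())
```

The full-size segment comes out at 1548 bytes, 48 over the MTU, so with DF set it is dropped at encapsulation while the ping and the short directory listing fit; clearing the DF bit turns the drop into a fragment, and clamping the MSS to 1418 avoids the oversize segment altogether.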
07-17-2002 05:59 AM
Some details about routers and IOS.
Remote router (vpn-r): 3640 with IOS 12.2.6 (C3640-JK9O3S-M)
Local router (netlab-r0): 3660 with IOS 12.2.6 (C3660-JK9O3S-M)
I cannot perform the IOS upgrade because IOS 12.2.8T4 requires 32MB of flash. I have just 16.
Hereafter the running configs.
Best
Andrea
=========== VPN-R ===========
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn-r
!
enable password **********
!
ip subnet-zero
!
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
ip accounting-threshold 4096
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key
crypto isakmp keepalive 60 5
!
crypto ipsec transform-set TS-ESRIN-SAP ah-md5-hmac esp-3des
!
crypto map CM-ESRIN-SAP local-address FastEthernet0/0
crypto map CM-ESRIN-SAP 1 ipsec-isakmp
set peer 193.204.104.1
set transform-set TS-ESRIN-SAP
match address 107
!
call rsvp-sync
!
fax interface-type modem
mta receive maximum-recipients 0
!
interface FastEthernet0/0
ip address 10.66.66.2 255.255.255.0
duplex auto
speed auto
crypto map CM-ESRIN-SAP
!
interface FastEthernet0/1
ip address 193.204.106.11 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet1/0
no ip address
shutdown
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.66.66.1
ip http server
ip pim bidir-enable
!
access-list 107 permit ip host 193.204.106.10 host 192.171.5.10
!
dial-peer cor custom
!
line con 0
speed 115200
line aux 0
line vty 0 4
exec-timeout 0 0
password ************
login
!
end
=========== NETLAB-R0 ===========
!
version 12.2
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service linenumber
!
hostname NETLAB-R0
!
logging buffered 65535 debugging
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
enable secret 5 ************
!
username ************password 7 ************
clock timezone UTC+2 2
ip subnet-zero
no ip source-route
!
!
ip ftp username ************
ip ftp password 7 ************
ip domain-name esrin.esa.int
ip name-server 192.171.5.18
ip name-server 192.171.5.19
no ip dhcp conflict logging
ip dhcp excluded-address 193.204.104.1 193.204.104.99
ip dhcp excluded-address 193.204.104.111 193.204.104.255
ip dhcp excluded-address 193.204.231.1 193.204.231.10
ip dhcp excluded-address 193.204.231.211 193.204.231.255
!
ip dhcp pool GARRB_144.100-110
network 193.204.104.0 255.255.255.0
default-router 193.204.104.1
dns-server 192.171.5.18
domain-name esrin.esa.it
lease 0 12
!
ip dhcp pool DATAGRIDdhcp
network 193.204.231.0 255.255.255.0
default-router 193.204.231.250
dns-server 192.171.5.18 192.171.5.19
domain-name esrin.esa.int
lease 0 12
!
ip multicast-routing
ip sap cache-timeout 30
ip cef
ip audit notify log
ip audit po max-events 100
ip audit smtp spam 20
ip ssh time-out 120
ip ssh authentication-retries 5
ip accounting-threshold 4096
!
class-map match-any http-hacks
match protocol http url "*default.ida*"
match protocol http url "*x.ida*"
match protocol http url "*.ida*"
match protocol http url "*cmd.exe*"
match protocol http url "*root.exe*"
match protocol http url "*/../*"
!
!
policy-map mark-inbound-http-hacks
class http-hacks
set ip dscp 1
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key
crypto isakmp keepalive 60 5
!
!
crypto ipsec transform-set TS-ESRIN-SAP ah-md5-hmac esp-3des
!
crypto map CM-ESRIN-SAP local-address FastEthernet2/0
crypto map CM-ESRIN-SAP 1 ipsec-isakmp
set peer 10.66.66.2
set transform-set TS-ESRIN-SAP
match address 107
!
isdn switch-type basic-net3
call rsvp-sync
!
[snip]
!
interface FastEthernet2/0
description NETLAB-LAN1 193.204.104.0
ip address 193.204.104.1 255.255.255.0
ip access-group 168 out
ip pim sparse-mode
ip sap listen
duplex auto
speed auto
service-policy input mark-inbound-http-hacks
crypto map CM-ESRIN-SAP
!
interface FastEthernet2/0.1
description VideoConference Project (Operational)
encapsulation dot1Q 2
ip address ************ 255.255.255.224
ip access-group 160 out
ip policy route-map VideoSTA
!
interface FastEthernet2/0.2
description E-ISOLAN #1#
encapsulation dot1Q 3
ip address ************ 255.255.255.240
!
interface FastEthernet3/0
description WANSLAN
ip address 192.171.5.13 255.255.255.240
no ip redirects
no ip unreachables
ip pim sparse-mode
ip sap listen
duplex auto
speed auto
service-policy input mark-inbound-http-hacks
!
[snip]
!
router eigrp 350
[snip]
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.171.5.8
ip route 10.66.66.0 255.255.255.0 193.204.104.11
[snip]
no ip http server
ip pim bidir-enable
ip pim rp-address 193.204.216.254
ip pim accept-rp 193.204.216.254
!
[snip]
!
access-list 107 permit ip host 192.171.5.10 host 193.204.106.10
[snip]
access-list 168 permit ip any any
[snip]
end
07-17-2002 10:17 PM
What about IOS release 12.2.10a? Is the command you suggest included in this release?
thanks again
Andrea
01-27-2003 07:37 PM
Did you ever get this solved? Having similar issues running IOS 12.2(13).
IPSEC(encapsulate): error in encapsulation fs_encap_decap_fail