IPSec VPN - encapsulation error

An IPSec VPN is established between two routers with the following parameters applied:

encr 3des

hash md5

authentication pre-share

crypto ipsec transform-set <name> esp-3des ah-md5-hmac

mode transport

Checks already performed:

- ACL mirroring -> no prob

- Peer address mismatch -> no prob

- Transform set mismatch -> no prob

- IKE policy mismatch -> no prob

The encrypted VPN path "seems" to work fine: echo and reply flow through the VPN with no errors, but IP services like telnet, FTP or HTTP do not work properly.

FTP: I can connect to the remote host and perform the authentication, but if I try an 'ls -al' the connection hangs. On the contrary, the 'ls' command works fine.

Telnet: as above.

HTTP: it simply does not work.

"debug crypto ipsec" on the remote router gives the following error:

Jul 17 12:04:39 UTC+2: IPSEC(encapsulate): error in encapsulation fs_encap_decap_fail

The same debug command on the local router does not give errors.

I've lost myself... any suggestions?

thanks

Andrea

4 REPLIES
Re: IPSec VPN - encapsulation error

Sounds like an MTU issue. What is the IOS version you are using?

If you are using 12.2.8T (latest is 12.2.8T4), there is a command that can clear the DF bit to resolve the MTU issue (global configuration mode):

"crypto ipsec df-bit clear"

Please give it a try and see how things go.

If it is still not working, please upload the two routers' configs and we will have a look.

Best Regards,

Re: IPSec VPN - encapsulation error

Some details about the routers and IOS.

Remote router (vpn-r): 3640 with IOS 12.2.6 (C3640-JK9O3S-M)

Local router (netlab-r0): 3660 with IOS 12.2.6 (C3660-JK9O3S-M)

I cannot perform the IOS upgrade because IOS 12.2.8T4 requires 32MB of flash. I have just 16.

Hereafter, the running configs.

Bests

Andrea

=========== VPN-R ===========

!

version 12.2

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname vpn-r

!

enable password **********

!

ip subnet-zero

!

ip cef

ip audit notify log

ip audit po max-events 100

ip ssh time-out 120

ip ssh authentication-retries 3

ip accounting-threshold 4096

!

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

crypto isakmp key address 193.204.104.1

crypto isakmp keepalive 60 5

!

crypto ipsec transform-set TS-ESRIN-SAP ah-md5-hmac esp-3des

!

crypto map CM-ESRIN-SAP local-address FastEthernet0/0

crypto map CM-ESRIN-SAP 1 ipsec-isakmp

set peer 193.204.104.1

set transform-set TS-ESRIN-SAP

match address 107

!

call rsvp-sync

!

fax interface-type modem

mta receive maximum-recipients 0

!

interface FastEthernet0/0

ip address 10.66.66.2 255.255.255.0

duplex auto

speed auto

crypto map CM-ESRIN-SAP

!

interface FastEthernet0/1

ip address 193.204.106.11 255.255.255.0

duplex auto

speed auto

!

interface FastEthernet1/0

no ip address

shutdown

duplex auto

speed auto

!

ip classless

ip route 0.0.0.0 0.0.0.0 10.66.66.1

ip http server

ip pim bidir-enable

!

access-list 107 permit ip host 193.204.106.10 host 192.171.5.10

!

dial-peer cor custom

!

line con 0

speed 115200

line aux 0

line vty 0 4

exec-timeout 0 0

password ************

login

!

end

=========== NETLAB-R0 ===========

!

version 12.2

service timestamps debug datetime localtime show-timezone

service timestamps log datetime localtime show-timezone

service password-encryption

service linenumber

!

hostname NETLAB-R0

!

logging buffered 65535 debugging

aaa new-model

aaa authentication login default local

aaa authentication ppp default local

enable secret 5 ************

!

username ************ password 7 ************

clock timezone UTC+2 2

ip subnet-zero

no ip source-route

!

!

ip ftp username ************

ip ftp password 7 ************

ip domain-name esrin.esa.int

ip name-server 192.171.5.18

ip name-server 192.171.5.19

no ip dhcp conflict logging

ip dhcp excluded-address 193.204.104.1 193.204.104.99

ip dhcp excluded-address 193.204.104.111 193.204.104.255

ip dhcp excluded-address 193.204.231.1 193.204.231.10

ip dhcp excluded-address 193.204.231.211 193.204.231.255

!

ip dhcp pool GARRB_144.100-110

network 193.204.104.0 255.255.255.0

default-router 193.204.104.1

dns-server 192.171.5.18

domain-name esrin.esa.it

lease 0 12

!

ip dhcp pool DATAGRIDdhcp

network 193.204.231.0 255.255.255.0

default-router 193.204.231.250

dns-server 192.171.5.18 192.171.5.19

domain-name esrin.esa.int

lease 0 12

!

ip multicast-routing

ip sap cache-timeout 30

ip cef

ip audit notify log

ip audit po max-events 100

ip audit smtp spam 20

ip ssh time-out 120

ip ssh authentication-retries 5

ip accounting-threshold 4096

!

class-map match-any http-hacks

match protocol http url "*default.ida*"

match protocol http url "*x.ida*"

match protocol http url "*.ida*"

match protocol http url "*cmd.exe*"

match protocol http url "*root.exe*"

match protocol http url "*/../*"

!

!

policy-map mark-inbound-http-hacks

class http-hacks

set ip dscp 1

!

!

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

crypto isakmp key address 10.66.66.2

crypto isakmp keepalive 60 5

!

!

crypto ipsec transform-set TS-ESRIN-SAP ah-md5-hmac esp-3des

!

crypto map CM-ESRIN-SAP local-address FastEthernet2/0

crypto map CM-ESRIN-SAP 1 ipsec-isakmp

set peer 10.66.66.2

set transform-set TS-ESRIN-SAP

match address 107

!

isdn switch-type basic-net3

call rsvp-sync

!

[snip]

!

interface FastEthernet2/0

description NETLAB-LAN1 193.204.104.0

ip address 193.204.104.1 255.255.255.0

ip access-group 168 out

ip pim sparse-mode

ip sap listen

duplex auto

speed auto

service-policy input mark-inbound-http-hacks

crypto map CM-ESRIN-SAP

!

interface FastEthernet2/0.1

description VideoConference Project (Operational)

encapsulation dot1Q 2

ip address ************ 255.255.255.224

ip access-group 160 out

ip policy route-map VideoSTA

!

interface FastEthernet2/0.2

description E-ISOLAN #1#

encapsulation dot1Q 3

ip address ************ 255.255.255.240

!

interface FastEthernet3/0

description WANSLAN

ip address 192.171.5.13 255.255.255.240

no ip redirects

no ip unreachables

ip pim sparse-mode

ip sap listen

duplex auto

speed auto

service-policy input mark-inbound-http-hacks

!

[snip]

!

router eigrp 350

[snip]

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.171.5.8

ip route 10.66.66.0 255.255.255.0 193.204.104.11

[snip]

no ip http server

ip pim bidir-enable

ip pim rp-address 193.204.216.254

ip pim accept-rp 193.204.216.254

!

[snip]

!

access-list 107 permit ip host 192.171.5.10 host 193.204.106.10

[snip]

access-list 168 permit ip any any

[snip]

end

Re: IPSec VPN - encapsulation error

What about IOS release 12.2.10a? Is the command you suggest included in this release?

thanks again

Andrea

b.s
Re: IPSec VPN - encapsulation error

Did you ever get this solved? Having similar issues running IOS 12.2(13).

IPSEC(encapsulate): error in encapsulation fs_encap_decap_fail
