Dynamic IPSec vpn established between Hub and Spoke,but cannot ping each other;

henry0377
Level 1

The topology is attached.

The Spoke site (a Linux-based SOHO router) is configured with an IPsec VPN with a full network route (Peer: 0.0.0.0/0) to the Hub, and a dynamic IPsec VPN has been established between the Hub and the Spoke site.

At the beginning this topology worked properly: the IPsec tunnel terminated at the Hub, and I could ping PC2 at the Spoke from any interface at the Hub.

But recently I cannot ping the host (PC2) at the Spoke from the interfaces at the Hub. Meanwhile, I can ping PC2 from Loop101 at the Hub; if I change the source interface to tun101, that does not work.

Does anyone have experience solving this problem? Please help me find it out. Thanks a lot!

========================================

Hub#show run (VPN)

crypto keyring 3gvpnsh
  pre-shared-key address 0.0.0.0 0.0.0.0 key tseinfo
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp keepalive 10 5
crypto isakmp nat keepalive 60
crypto ipsec transform-set 3gvpnsh esp-3des esp-sha-hmac
 mode transport
crypto map 3gvpnsh 100 ipsec-isakmp dynamic 3gvpnsh

*** Note: no access-list is configured for this dynamic VPN ***

========================================

Hub#sh cry ipsec sa
protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.13.248.44/255.255.255.252/0/0)
   current_peer 114.81.217.74 port 500
     PERMIT, flags={}
    #pkts encaps: 942, #pkts encrypt: 942, #pkts digest: 942
    #pkts decaps: 722, #pkts decrypt: 722, #pkts verify: 722
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: ***.***.***.***, remote crypto endpt.: ###.###.###.###

     path mtu 1500, ip mtu 1500
     current outbound spi: 0x36562A88(911616648)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x684A6A6D(1749707373)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 871, flow_id: 871, sibling flags 80000040,  crypto map: 3gvpnsh
        sa timing: remaining key lifetime (k/sec): (4407128/991)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x36562A88(911616648)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 872, flow_id: 872, sibling flags 80000040,  crypto map: 3gvpnsh
        sa timing: remaining key lifetime (k/sec): (4406428/979)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

========================================================

3 Replies

c_kumar001
Level 1

Hi,

What are you using for the tunnel traffic and the interesting traffic to flow, static routes or a routing protocol?

Hi Chandan,

Thanks for your reply.

I want all the data to pass through the IPsec tunnel from Spoke to Hub, and before this problem appeared, it worked exactly as I wanted.

I am just curious why, if I ping from Spoke to Hub, I only see "packet decap" increasing, and if I ping from Hub to Spoke, I only see "packet encap" increasing. I have checked all the IP routes and ACLs several times, but nothing helps.

=======================

Hub#show crypto session

Peer: x.x.x.x port 500
  IKE SA: local a.b.c.d/500 remote x.x.x.x/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 10.13.248.44/255.255.255.252
        Active SAs: 2, origin: dynamic crypto map
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 10.13.248.44/255.255.255.252
        Active SAs: 2, origin: dynamic crypto map

***********************************

Hub#show crypto ipsec sa

Crypto map tag: 3gvpnsh, local addr a.b.c.d

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.13.248.44/255.255.255.252/0/0)
   current_peer x.x.x.x port 500
     PERMIT, flags={}
    #pkts encaps: 1520, #pkts encrypt: 1520, #pkts digest: 1520
    #pkts decaps: 1168, #pkts decrypt: 1168, #pkts verify: 1168
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: a.b.c.d, remote crypto endpt.: x.x.x.x

     path mtu 1500, ip mtu 1500
     current outbound spi: 0x8803A054(2281939028)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xCEE95B50(3471399760)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 723, flow_id: 723, sibling flags C0000040,  crypto map: 3gvpnsh
        sa timing: remaining key lifetime (k/sec): (4509998/13)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
      spi: 0xF22C6C77(4062997623)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 775, flow_id: 775, sibling flags 80000040,  crypto map: 3gvpnsh

=======================

As the 'show crypto session' and 'show crypto ipsec sa' output above shows, I should be able to ping 10.13.248.44/30 from the Hub, am I right?

But I can only ping the host at 10.13.248.44/30 from 10.13.0.23.
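The one-way counter movement described above (decaps only when the Spoke pings, encaps only when the Hub pings) is the most useful clue in the thread. The script below is an added example, not code from the poster or from Cisco: it parses the counter lines of one SA from two `show crypto ipsec sa` snapshots taken around a ping burst and names which direction is missing, so the next check (return route on the Hub, or the Spoke's policy for replies) is obvious. The sample snapshots are constructed; the "before" values are the ones quoted in the first output.

```python
import re

# Constructed snapshots of one SA's counter lines from "show crypto ipsec sa".
# BEFORE mirrors the numbers quoted in the thread; AFTER_HUB_PING is invented
# to represent the state after 10 pings were sent from the Hub toward the Spoke.
BEFORE = """\
    #pkts encaps: 942, #pkts encrypt: 942, #pkts digest: 942
    #pkts decaps: 722, #pkts decrypt: 722, #pkts verify: 722
    #send errors 0, #recv errors 0
"""
AFTER_HUB_PING = """\
    #pkts encaps: 952, #pkts encrypt: 952, #pkts digest: 952
    #pkts decaps: 722, #pkts decrypt: 722, #pkts verify: 722
    #send errors 0, #recv errors 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERROR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_counters(text):
    """Extract the encaps/decaps and send/recv error counters of one SA block."""
    counters = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    errors = ERROR_RE.search(text)
    counters["send_errors"] = int(errors.group(1)) if errors else 0
    counters["recv_errors"] = int(errors.group(2)) if errors else 0
    return counters


def diagnose(before, after):
    """Classify the SA from counter deltas between two snapshots of the same SA."""
    b, a = parse_counters(before), parse_counters(after)
    d_enc = a["encaps"] - b["encaps"]
    d_dec = a["decaps"] - b["decaps"]
    d_err = (a["send_errors"] - b["send_errors"]) + (a["recv_errors"] - b["recv_errors"])
    if d_err > 0:
        verdict = "errors"          # SA is matched but packets fail in the crypto path
    elif d_enc > 0 and d_dec > 0:
        verdict = "bidirectional"   # both directions ride this SA
    elif d_enc > 0:
        verdict = "outbound-only"   # we encrypt, but no reply comes back through this SA
    elif d_dec > 0:
        verdict = "inbound-only"    # peer's packets arrive, but our replies never enter the SA
    else:
        verdict = "no-match"        # the test traffic never hit the crypto map at all
    return verdict, d_enc, d_dec
```

"outbound-only" when pinging from the Hub and "inbound-only" when pinging from the Spoke together point at the Hub's return path for 10.13.248.44/30 (the replies must leave via the interface that carries the crypto map), which is the symptom this thread reports.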
