11-21-2011 06:32 PM - edited 02-21-2020 05:43 PM
The topology is attached.
The Spoke site (a Linux-based SOHO router) is configured with an IPsec VPN with a full network route (Peer: 0.0.0.0/0) to the Hub, and a dynamic IPsec VPN has been established between the Hub and the Spoke site.
At the beginning this topology worked properly: the IPsec tunnel terminated at the Hub, and I could ping PC2 at the Spoke from any interface on the Hub.
But recently I cannot ping the host (PC2) at the Spoke from the interfaces on the Hub. Meanwhile, I can ping PC2 from Loop101 on the Hub; if I change the source interface to tun101, that does not work.
Does anyone have experience solving this problem? Please help me find it out. Thanks a lot!
========================================
Hub#show run (VPN)
crypto keyring 3gvpnsh
pre-shared-key address 0.0.0.0 0.0.0.0 key tseinfo
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp keepalive 10 5
crypto isakmp nat keepalive 60
crypto ipsec transform-set 3gvpnsh esp-3des esp-sha-hmac
mode transport
crypto map 3gvpnsh 100 ipsec-isakmp dynamic 3gvpnsh
*** Note: no access-list is configured for this dynamic VPN ***
========================================
Hub#sh cry ipsec sa
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.13.248.44/255.255.255.252/0/0)
current_peer 114.81.217.74 port 500
PERMIT, flags={}
#pkts encaps: 942, #pkts encrypt: 942, #pkts digest: 942
#pkts decaps: 722, #pkts decrypt: 722, #pkts verify: 722
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: ***.***.***.***, remote crypto endpt.: ###.###.###.###
path mtu 1500, ip mtu 1500
current outbound spi: 0x36562A88(911616648)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x684A6A6D(1749707373)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 871, flow_id: 871, sibling flags 80000040, crypto map: 3gvpnsh
sa timing: remaining key lifetime (k/sec): (4407128/991)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x36562A88(911616648)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 872, flow_id: 872, sibling flags 80000040, crypto map: 3gvpnsh
sa timing: remaining key lifetime (k/sec): (4406428/979)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
========================================================
11-21-2011 09:30 PM
Hi,
What are you using for the tunnel traffic and interesting traffic to flow, static routes or any routing protocol?
11-21-2011 10:13 PM
Hi Chandan,
Thanks for your reply.
I want all the data to pass through the IPsec tunnel from the Spoke to the Hub, and before this problem appeared, it did everything I wanted.
I am just curious why, if I ping from the Spoke to the Hub, I only see "#pkts decaps" increasing, and if I ping from the Hub to the Spoke, I only see "#pkts encaps" increasing. I have checked all the IP routes and ACLs several times, but nothing helped.
11-22-2011 06:25 PM
=======================
Hub#show crypto session
Peer: x.x.x.x port 500
IKE SA: local a.b.c.d/500 remote x.x.x.x/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 10.13.248.44/255.255.255.252
Active SAs: 2, origin: dynamic crypto map
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 10.13.248.44/255.255.255.252
Active SAs: 2, origin: dynamic crypto map
***********************************
Hub#show crypto ipsec sa
Crypto map tag: 3gvpnsh, local addr a.b.c.d
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.13.248.44/255.255.255.252/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={}
#pkts encaps: 1520, #pkts encrypt: 1520, #pkts digest: 1520
#pkts decaps: 1168, #pkts decrypt: 1168, #pkts verify: 1168
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: a.b.c.d, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500
current outbound spi: 0x8803A054(2281939028)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xCEE95B50(3471399760)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 723, flow_id: 723, sibling flags C0000040, crypto map: 3gvpnsh
sa timing: remaining key lifetime (k/sec): (4509998/13)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
spi: 0xF22C6C77(4062997623)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 775, flow_id: 775, sibling flags 80000040, crypto map: 3gvpnsh
=======================
According to 'show crypto session' and 'show crypto ipsec sa' above, I should be able to ping 10.13.248.44/30 from the Hub, am I right?
But I can only ping the host in 10.13.248.44/30 from 10.13.0.23.
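The one-way counter behaviour reported in this thread (only "#pkts decaps" moving when the ping comes from the Spoke, only "#pkts encaps" moving when it comes from the Hub) can be pinned down systematically by diffing two snapshots of `show crypto ipsec sa` taken around a test ping. The script below is an added example and is not part of the original thread; its "before" snapshot is constructed from the counter lines quoted above, while the "after" snapshots, the `x.x.x.x` peer address and the SA key format are assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: a single-SA excerpt of `show crypto ipsec sa`
# with the counters quoted in the thread (942 encaps / 722 decaps).
BEFORE = """\
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.13.248.44/255.255.255.252/0/0)
current_peer x.x.x.x port 500
#pkts encaps: 942, #pkts encrypt: 942, #pkts digest: 942
#pkts decaps: 722, #pkts decrypt: 722, #pkts verify: 722
#send errors 0, #recv errors 0
"""
# Assumed snapshot after five pings from the Hub: only encaps moved.
AFTER_HUB_PING = BEFORE.replace("encaps: 942", "encaps: 947")
# Assumed snapshot after five pings from the Spoke: only decaps moved.
AFTER_SPOKE_PING = BEFORE.replace("decaps: 722", "decaps: 727")

_PAT = {
    "local_ident": re.compile(r"local ident \(addr/mask/prot/port\): \((.*?)\)"),
    "remote_ident": re.compile(r"remote ident \(addr/mask/prot/port\): \((.*?)\)"),
    "peer": re.compile(r"current_peer (\S+) port (\d+)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "errors": re.compile(r"#send errors (\d+), #recv errors (\d+)"),
}


@dataclass
class SaCounters:
    local_ident: str
    remote_ident: str
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int


def parse_ipsec_sa(text: str) -> dict[str, SaCounters]:
    """Parse per-SA counters; one record per 'local ident' block.

    The returned dict is keyed by 'local -> remote @ peer' so two snapshots
    of the same command can be matched SA by SA.
    """
    records: list[dict] = []
    cur: dict | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _PAT["local_ident"].search(line)):
            cur = {"local_ident": m.group(1), "remote_ident": "", "peer": "",
                   "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
            records.append(cur)
            continue
        if cur is None:
            continue
        if (m := _PAT["remote_ident"].search(line)):
            cur["remote_ident"] = m.group(1)
        elif (m := _PAT["peer"].search(line)):
            cur["peer"] = m.group(1)
        elif (m := _PAT["encaps"].search(line)):
            cur["encaps"] = int(m.group(1))
        elif (m := _PAT["decaps"].search(line)):
            cur["decaps"] = int(m.group(1))
        elif (m := _PAT["errors"].search(line)):
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return {f"{r['local_ident']} -> {r['remote_ident']} @ {r['peer']}": SaCounters(**r)
            for r in records}


def diagnose(before: str, after: str) -> dict[str, str]:
    """Classify each SA by how its counters moved between the two snapshots."""
    old_sas, new_sas = parse_ipsec_sa(before), parse_ipsec_sa(after)
    verdicts: dict[str, str] = {}
    for key, new in new_sas.items():
        old = old_sas.get(key)
        if old is None:
            verdicts[key] = "new SA (rekeyed or first seen): take another pair of snapshots"
            continue
        d_enc, d_dec = new.encaps - old.encaps, new.decaps - old.decaps
        d_err = (new.send_errors - old.send_errors) + (new.recv_errors - old.recv_errors)
        if d_err > 0:
            verdicts[key] = f"errors increased by {d_err}: check SA state and MTU/fragmentation"
        elif d_enc > 0 and d_dec > 0:
            verdicts[key] = f"symmetric (+{d_enc} encaps, +{d_dec} decaps): traffic flows both ways"
        elif d_enc > 0:
            verdicts[key] = (f"outbound only (+{d_enc} encaps, +0 decaps): our packets are encrypted "
                             "but no reply comes back through this SA; check the peer's policy and routing")
        elif d_dec > 0:
            verdicts[key] = (f"inbound only (+0 encaps, +{d_dec} decaps): the peer's packets arrive "
                             "but our reply does not enter the tunnel; check the return route and "
                             "which interface the crypto map sits on for the reply path")
        else:
            verdicts[key] = "idle: the test traffic did not touch this SA"
    return verdicts


if __name__ == "__main__":
    for label, snap in (("ping from Hub", AFTER_HUB_PING), ("ping from Spoke", AFTER_SPOKE_PING)):
        for key, verdict in diagnose(BEFORE, snap).items():
            print(f"[{label}] {key}: {verdict}")
```

Capture the real snapshots with `show crypto ipsec sa peer <address>` immediately before and after a short ping from each side, and feed the two text blobs to `diagnose()`; the encaps/decaps delta per SA tells you on which side the packets stop, which is the fact a route or crypto-map check then needs to explain.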