IPSec traffic is encrypted only from one side - why?

ameen.ahmed (Level 1)

Hi Friends,

I've created a site-to-site VPN between Cisco devices. The VPN tunnels are coming up, but traffic is getting encrypted only at one side.

Does anyone have any idea why?

Output from local device:

Router#show crypto isa

CRPvtMUScingh01#show crypto isakmp sa | in 204.75.145.14

216.143.142.69  204.75.145.14   QM_IDLE             33    0 ACTIVE

Router#sh crypto ipsec sa | be 204.75.145.14

   current_peer 204.75.145.14 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 216.143.142.69, remote crypto endpt.: 204.75.145.14

     path mtu 1412, ip mtu 1412

     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

     local crypto endpt.: 216.143.142.69, remote crypto endpt.: 204.75.144.14

     path mtu 1412, ip mtu 1412

     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (205.173.92.5/255.255.255.255/0/0)

   remote ident (addr/mask/prot/port): (204.75.145.138/255.255.255.255/0/0)

   current_peer 204.75.145.14 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 216.143.142.69, remote crypto endpt.: 204.75.145.14

     path mtu 1412, ip mtu 1412

     current outbound spi: 0x111D7A8E(287144590)

     inbound esp sas:

      spi: 0x86F5054A(2264204618)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 3085, flow_id: Onboard VPN:85, crypto map: geshared

        sa timing: remaining key lifetime (k/sec): (4378030/3492)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x111D7A8E(287144590)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 3048, flow_id: Onboard VPN:48, crypto map: geshared

        sa timing: remaining key lifetime (k/sec): (4378031/3492)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Output from remote device:

ud1-vpn-rtr01a#sh cry isa sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

216.143.142.69  204.75.145.14   QM_IDLE          14566 ACTIVE

ud1-vpn-rtr01a#sh cry ses bri

Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating

        K - No IKE

ivrf = (none)

           Peer     I/F        Username          Group/Phase1_id   Uptime Status

216.143.142.69   Gi0/2                           216.143.142.69 00:08:55    UA

ud1-vpn-rtr01a#sh cry ipsec sa peer 216.143.142.69

interface: GigabitEthernet0/2

    Crypto map tag: SMS, local addr 204.75.145.14

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (204.75.145.138/255.255.255.255/0/0)

   remote ident (addr/mask/prot/port): (205.173.92.5/255.255.255.255/0/0)

   current_peer 216.143.142.69 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0


npokhriy (Level 1)

Hi Ameen,

Please check your NAT-exempt statements on the local device. It seems that the packet is coming in on this device but the reply is not going back.

You can take captures on the inside interface of the local device to check whether the packet is coming back to the inside interface or not.

You can check your internal routing as well.

If possible, share your configuration from the local device.

Regards,

Naresh

Marvin Rhoads (Hall of Fame)

Naresh's advice is good.

The most common cause I would see is that the local site's routing is not sending the return traffic back into the ASA for encapsulation into the VPN tunnel.
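The one-way pattern Naresh and Marvin describe (decaps climbing while encaps stays at 0 on the local router, and the mirror image on the remote) is easy to miss when scrolling through `show crypto ipsec sa` output for several peers. The Python script below is an added example, not part of the original thread: it parses that output into one record per proxy-identity pair and flags SAs that carry traffic in only one direction. The sample output is constructed from the counters posted above; the first, all-zero record uses made-up RFC 5737 addresses because the post shows those records only after `| begin`, with their identity lines cut off.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IpsecSa:
    local_ident: str
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    outbound_spi: Optional[int] = None  # None when the spi line is absent from the capture


# Line shapes taken from IOS 'show crypto ipsec sa' output.
_IDENT = re.compile(r"^\s*(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]*)\)")
_PEER = re.compile(r"^\s*current_peer (\S+)")
_ENCAPS = re.compile(r"#pkts encaps: (\d+)")
_DECAPS = re.compile(r"#pkts decaps: (\d+)")
_SPI = re.compile(r"current outbound spi: 0x([0-9A-Fa-f]+)")


def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """Split 'show crypto ipsec sa' output into one record per local/remote identity pair."""
    sas: List[IpsecSa] = []
    cur: Optional[IpsecSa] = None
    for line in text.splitlines():
        m = _IDENT.match(line)
        if m and m.group(1) == "local":
            cur = IpsecSa(local_ident=m.group(2))   # a new proxy-identity block starts here
            sas.append(cur)
            continue
        if cur is None:                             # lines before the first identity (e.g. after '| begin')
            continue
        if m:                                       # the matching 'remote ident' line
            cur.remote_ident = m.group(2)
        elif (m := _PEER.match(line)):
            cur.peer = m.group(1)
        elif (m := _ENCAPS.search(line)):
            cur.encaps = int(m.group(1))
        elif (m := _DECAPS.search(line)):
            cur.decaps = int(m.group(1))
        elif (m := _SPI.search(line)):
            cur.outbound_spi = int(m.group(1), 16)
    return sas


def classify(sa: IpsecSa) -> str:
    if sa.outbound_spi == 0:
        return "no-sa"            # IPsec SA not built (or torn down): counters mean nothing yet
    if sa.encaps == 0 and sa.decaps > 0:
        return "inbound-only"     # peer's traffic is decrypted here, nothing is sent back encrypted
    if sa.decaps == 0 and sa.encaps > 0:
        return "outbound-only"    # we encrypt, the peer never answers (far side shows inbound-only)
    if sa.encaps == 0 and sa.decaps == 0:
        return "idle"
    return "bidirectional"


HINTS = {
    "inbound-only": "return traffic never reaches this crypto map: check routing and NAT exemption on THIS side",
    "outbound-only": "nothing comes back: the fault is on the peer's side, read its counters (it will show inbound-only)",
}


def one_way_sas(text: str):
    """Return (local_ident, remote_ident, peer, state, hint) for every SA that is one-way."""
    out = []
    for sa in parse_ipsec_sa(text):
        state = classify(sa)
        if state in HINTS:
            out.append((sa.local_ident, sa.remote_ident, sa.peer, state, HINTS[state]))
    return out


# Constructed sample: the local router's output from the thread, preceded by one
# all-zero record with made-up RFC 5737 addresses standing in for the cut-off identities.
LOCAL_OUTPUT = """\
   local  ident (addr/mask/prot/port): (192.0.2.10/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (198.51.100.20/255.255.255.255/0/0)
   current_peer 198.51.100.1 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x0(0)
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (205.173.92.5/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (204.75.145.138/255.255.255.255/0/0)
   current_peer 204.75.145.14 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36
     local crypto endpt.: 216.143.142.69, remote crypto endpt.: 204.75.145.14
     current outbound spi: 0x111D7A8E(287144590)
"""

# Constructed sample: the remote router's output as posted (the capture ends before the spi line).
REMOTE_OUTPUT = """\
   local  ident (addr/mask/prot/port): (204.75.145.138/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (205.173.92.5/255.255.255.255/0/0)
   current_peer 216.143.142.69 port 500
    #pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

if __name__ == "__main__":
    for name, text in (("local", LOCAL_OUTPUT), ("remote", REMOTE_OUTPUT)):
        for local, remote, peer, state, hint in one_way_sas(text):
            print(f"{name}: {local} <-> {remote} via {peer}: {state} ({hint})")
```

Run it against both peers' output. The side that reports inbound-only is the side whose return path (routing or NAT exemption) needs attention, which in this thread is the local router; the remote's outbound-only verdict is the same fault seen from the other end.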

ameen.ahmed (Level 1)

Thanks for your help. Device configurations are below:

Router#

!

crypto ipsec transform-set xyz esp-3des esp-sha-hmac

!

crypto isakmp key ABC-Main address 30.30.30.10

crypto isakmp key ABC-DR address 30.30.30.20

!

crypto map abcdefg 260 ipsec-isakmp

description *** VPN Tunnel - To Main location ***

set peer 30.30.30.10

set transform-set xyz

match address Main-ABC

!

crypto map abcdefg 270 ipsec-isakmp

description *** VPN Tunnel - To DR location ***

set peer 30.30.30.20

set transform-set xyz

match address DR-ABC

!

ip route 30.30.30.10 255.255.255.255 20.20.20.1 name main-peer

ip route 30.30.30.20 255.255.255.255 20.20.20.1 name DR-peer

!

ip route 10.10.10.5 255.255.255.255 20.20.20.1 name towards-remote-site

!

ip route 192.168.20.31 255.255.255.255 192.168.1.5 name towards-firewall

!

ip access-list extended Main-ABC

remark *** VPN Tunnel - To Main location ***

permit ip host 192.168.20.31 host 10.10.10.5

!

ip access-list extended DR-ABC

remark *** VPN Tunnel - To DR location ***

permit ip host 192.168.20.31 host 10.10.10.5

!

!

Firewall#

!

! NAT for inside server
static (inside,outside) 192.168.20.31 15.10.10.5 netmask 255.255.255.255

!

! NAT for remote server
static (outside,inside) 15.20.20.5 10.10.10.5 netmask 255.255.255.255

!

route outside 10.10.10.5 255.255.255.255 192.168.1.10          ! towards Router

!

object-group service tcp_service tcp

port-object eq 3389

port-object eq 443

port-object eq 21

!

object-group service udp_service udp

port-object eq 161

port-object eq 162

!

object-group network source

network-object host 10.10.10.5

!

object-group network destination

network-object host 192.168.20.31

!

access-list on-outside-to-in extended permit tcp object-group source object-group destination object-group tcp_service

access-list on-outside-to-in extended permit udp object-group source object-group destination object-group udp_service

access-list on-outside-to-in extended permit icmp object-group source object-group destination object-group ICMP-ALLOWED

!

!

On both sides, we use Cisco routers as VPN peers.

Any idea friends?