Packet capture VPN traffic?

Andy White · ‎09-23-2014

Hello,

I have a site to site VPN set up to another company and it is all working. They have introduced another subnet which I've added and we can't seem to get it to work (via ICMP). I'm very sure it is their side as they are NATing the range (192.168.100.x to 192.168.98.x), but how can I prove it?

I have tried a packet capture and it only shows the ICMP request, is there any way I can see this go across the VPN? Or any debug commands?

Thanks

David Johan Castro Fernandez · ‎10-21-2014

Hello,

First you can prove this by doing a packet tracer, and you will see several phases, you will need to see the phase "VPN" that could be drop the status.

When you see that is because the virtual packt is going across, so once you do that, you will need to run debugging:

debug crypto condition peer <>

debug crypto isakmp 250

debug crypto ipsec 250

Then run the packet tracer and you will see the debugging, if you see something like this:

IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x49ba5a0, mess id 0xcd600011)!
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

It points out to an issue with phase 2 <encryption domains>

Also make sure you have a NAT 0 statement.

If you still have issues, attach the packet tracer and the show tech and indicate which is the peer IP address, also the debugging.

Please don´t forget to rate

Best Regards,

David Castro,