Site-to-site IPsec up, only passes traffic to peer router interfaces
Cisco 3600 running c3640-ik9s-mz.124-25c
Juniper SSG 550m running 5.x
Traffic sourced behind the Juniper can ping the Cisco fa0/1 interface via the VPN, but nothing behind the Cisco.
The Cisco can source traffic from fa0/1 and ping hosts behind the Juniper.
The Cisco can ping a host from the fa0/1 interface.
Traffic sourced behind the Cisco can't ping anything behind the Juniper; the pings do not show up using "debug ip packet xxx det" either.
The typical "debug crypto" commands are not displaying anything useful, with the exception of "debug cry eng", which outputs gobbelty. (Yes, I said gobbelty. heh)
It's difficult to see what happens to packets after they enter the fa0/1 interface. What commands/output can I run to find out where the traffic is going? (Note: I added NAT to see if the traffic was attempting to go out s0/1 raw; it's not. It just gets dropped between the Cisco and the Juniper.)
Sorry if this post is too long; it's my first time here and I couldn't find anything on encapsulation/decapsulation on Cisco routers. :-/
ip cef
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp key xxx address 208.x
!
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
 mode transport
!
crypto map test local-address Loopback0
crypto map test 10 ipsec-isakmp
 set peer 208.x
 set transform-set esp-3des-sha
 set pfs group2
 match address aclvpn-dc
!
crypto map vpn 20 ipsec-isakmp
 set peer 126.96.36.199
 set transform-set esp-3des-sha
 set pfs group2
 match address aclvpn-dc
crypto map vpn 30 ipsec-isakmp
 set peer 188.8.131.52
 set transform-set esp-3des-sha
 set pfs group2
 match address aclvpn-hq
!
interface Loopback0
 ip address 202.x 255.255.255.255
 load-interval 30
 crypto map test
!
interface Tunnel0
 ip address 172.16.19.34 255.255.255.252
 load-interval 30
 tunnel source Serial0/1
 tunnel destination 209.x
 crypto map test
!
interface FastEthernet0/1
 description FA0-1-PRODUCTION-192.168.150.45
 ip address 192.168.150.45 255.255.255.0
 ip route-cache flow
 load-interval 30
!
interface Serial0/1
 ip address 121.x 255.255.255.252
 load-interval 30
!
router bgp x
 no synchronization
 bgp log-neighbor-changes
!
ip route 10.50.0.0 255.255.0.0 Tunnel0
!
ip pim bidir-enable
!
!
ip access-list extended aclvpn-dc
 permit ip 192.168.150.0 0.0.0.255 10.50.0.0 0.0.255.255 log-input
!
end
---------------------------------------------------------------------------------------
irdel02#show crypto isakmp sa
dst             src             state    conn-id  slot  status
184.108.40.206  220.127.116.11  QM_IDLE  1        0     ACTIVE

irdel02#show crypto session
Crypto session current status

Interface: Loopback0 Tunnel0
Session status: UP-ACTIVE
Peer: 18.104.22.168 port 500
  IKE SA: local 22.214.171.124/500 remote 126.96.36.199/500 Active
  IPSEC FLOW: permit ip 192.168.150.0/255.255.255.0 10.50.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map

irdel02#show crypto engine connections active
ID    Interface  IP-Address       State  Algorithm           Encrypt  Decrypt
1     Loopback0  188.8.131.52     set    HMAC_SHA+3DES_56_C  0        0
2001  Loopback0  184.108.40.206   set    3DES+SHA            0        18
2002  Loopback0  220.127.116.11   set    3DES+SHA            217      0
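The Encrypt/Decrypt columns in the last output are the simplest way to see whether packets entering fa0/1 ever reach the crypto engine: take a snapshot, send a known number of pings from a host behind fa0/1, take another snapshot, and compare. If the Encrypt counter does not move, the packets are being dropped or routed away before encryption (routing toward the crypto-map interface, NAT, ACLs); if it does move, the drop is after encryption (peer-side proxy-ID mismatch or a missing return route). The script below, an added example and not part of the original post, parses two snapshots of "show crypto engine connections active" and reports the per-SA deltas. The "before" snapshot copies the layout of the output above; the two "after" snapshots are constructed and assume five ICMP echo requests were sent in between.

```python
"""Compare two snapshots of 'show crypto engine connections active'.

Added example, not from the original post.  Row layout follows the output
shown in the post; the AFTER_* snapshots are constructed (hypothetical) and
assume five pings were sent from behind FastEthernet0/1 between snapshots.
"""
import re
from dataclasses import dataclass

# One data row: ID Interface IP-Address State Algorithm Encrypt Decrypt
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")


@dataclass(frozen=True)
class Conn:
    conn_id: int
    interface: str
    peer: str
    state: str
    algorithm: str
    encrypt: int
    decrypt: int


def parse_connections(text):
    """Return {conn_id: Conn} for every data row; header/blank lines are skipped."""
    conns = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        cid, iface, peer, state, algo, enc, dec = m.groups()
        conns[int(cid)] = Conn(int(cid), iface, peer, state, algo, int(enc), int(dec))
    return conns


def counter_deltas(before, after):
    """Return {conn_id: (encrypt_delta, decrypt_delta)} for SAs present in 'after'.

    A connection ID that is new in 'after' (rekey, or SA built by the test
    traffic itself) counts its whole total as new, since the old SA's counters
    are gone with it.  SAs that disappeared are ignored.
    """
    deltas = {}
    for cid, new in after.items():
        old = before.get(cid)
        if old is None:
            deltas[cid] = (new.encrypt, new.decrypt)
        else:
            deltas[cid] = (new.encrypt - old.encrypt, new.decrypt - old.decrypt)
    return deltas


def verdict(deltas, sent):
    """Classify what happened to 'sent' test packets, from the encrypt deltas alone."""
    total_enc = sum(enc for enc, _ in deltas.values())
    if total_enc == 0:
        # Nothing reached the crypto engine: look before encryption
        # (show ip cef exact-route, NAT, ACLs, crypto-map interface).
        return "not-encrypted"
    if total_enc >= sent:
        # Packets were encrypted: look after encryption (peer, return path).
        return "encrypted"
    return "partial"


# Constructed snapshots.  BEFORE mirrors the layout of the posted output.
BEFORE = """\
ID    Interface  IP-Address       State  Algorithm           Encrypt  Decrypt
1     Loopback0  188.8.131.52     set    HMAC_SHA+3DES_56_C  0        0
2001  Loopback0  184.108.40.206   set    3DES+SHA            0        18
2002  Loopback0  220.127.116.11   set    3DES+SHA            217      0
"""

# Hypothetical: five pings sent, counters unchanged (the failure in the post).
AFTER_FAIL = BEFORE

# Hypothetical: five pings sent and answered, counters advanced on both SAs.
AFTER_OK = """\
ID    Interface  IP-Address       State  Algorithm           Encrypt  Decrypt
1     Loopback0  188.8.131.52     set    HMAC_SHA+3DES_56_C  0        0
2001  Loopback0  184.108.40.206   set    3DES+SHA            0        23
2002  Loopback0  220.127.116.11   set    3DES+SHA            222      0
"""

if __name__ == "__main__":
    before = parse_connections(BEFORE)
    for label, after_text in (("fail", AFTER_FAIL), ("ok", AFTER_OK)):
        deltas = counter_deltas(before, parse_connections(after_text))
        for cid, (enc, dec) in sorted(deltas.items()):
            print(f"{label}: SA {cid} encrypt +{enc} decrypt +{dec}")
        print(f"{label}: verdict = {verdict(deltas, sent=5)}")
```

The IKE SA (ID 1 here) never carries data-plane counters, so it contributes nothing to the verdict; only the IPsec SAs matter. Run the pings with a size or count that makes the delta unambiguous against any background traffic on the same SA.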