New Member

Site-to-site ipsec up, only passes traffic to peer router interfaces

Cisco 3600 running c3640-ik9s-mz.124-25c

Juniper SSG 550m running 5.x

Traffic sourced behind Juniper can ping Cisco fa0/1 interface via VPN but nothing behind the Cisco

Cisco can source traffic from fa0/1 and ping hosts behind Juniper.

Cisco can ping host from fa0/1 interface.

Traffic sourced behind Cisco can't ping anything behind Juniper; pings do not show up using "debug ip packet xxx det" as well.

Typical "debug crypto" commands are not displaying anything useful with the exception of the "debug cry eng" which outputs gobbelty. (Yes, I said gobbelty. heh)

It's difficult to see what happens to packets after they enter the fa0/1 interface. What commands/output can I run to find out where the traffic is going? (Note: I added NAT to see if the traffic was attempting to go out s0/1 raw, it's not. It just gets dropped between the Cisco <> Juniper)

Sorry if this post is too long - first time here and couldn't find anything on encapsulation/decapsulation on Cisco routers. :-/

ip cef
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp key xxx address 208.x
!
!
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
mode transport
!
crypto map test local-address Loopback0
crypto map test 10 ipsec-isakmp
set peer 208.x
set transform-set esp-3des-sha
set pfs group2
match address aclvpn-dc
!
crypto map vpn 20 ipsec-isakmp
set peer 208.76.20.21
set transform-set esp-3des-sha
set pfs group2
match address aclvpn-dc
crypto map vpn 30 ipsec-isakmp
set peer 208.76.23.11
set transform-set esp-3des-sha
set pfs group2
match address aclvpn-hq

!
interface Loopback0
ip address 202.x 255.255.255.255
load-interval 30
crypto map test
!
interface Tunnel0
ip address 172.16.19.34 255.255.255.252
load-interval 30
tunnel source Serial0/1
tunnel destination 209.x
crypto map test
!
interface FastEthernet0/1
description FA0-1-PRODUCTION-192.168.150.45
ip address 192.168.150.45 255.255.255.0
ip route-cache flow
load-interval 30
!
interface Serial0/1
ip address 121.x 255.255.255.252
load-interval 30
!
router bgp x
no synchronization
bgp log-neighbor-changes
!
ip route 10.50.0.0 255.255.0.0 Tunnel0
!
ip pim bidir-enable
!
!
ip access-list extended aclvpn-dc
permit ip 192.168.150.0 0.0.0.255 10.50.0.0 0.0.255.255 log-input
!
end
---------------------------------------------------------------------------------------

irdel02#show crypto isakmp sa
dst             src             state          conn-id slot status
208.76.20.21    202.124.251.251 QM_IDLE              1    0 ACTIVE

irdel02#show crypto session
Crypto session current status

Interface: Loopback0 Tunnel0
Session status: UP-ACTIVE    
Peer: 208.76.20.21 port 500
  IKE SA: local 202.124.251.251/500 remote 208.76.20.21/500 Active
  IPSEC FLOW: permit ip 192.168.150.0/255.255.255.0 10.50.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map

irdel02#show crypto engine connections active

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 Loopback0            202.124.251.251 set    HMAC_SHA+3DES_56_C        0        0
2001 Loopback0            202.124.251.251 set    3DES+SHA                  0       18
2002 Loopback0            202.124.251.251 set    3DES+SHA                217        0

-----------------------------------------------------------------------------

irdel02#show cry ipsec sa

interface: Loopback0
    Crypto map tag: test, local addr 202.124.251.251

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.150.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.50.0.0/255.255.0.0/0/0)
   current_peer 208.76.20.21 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2159, #pkts encrypt: 2159, #pkts digest: 2159
    #pkts decaps: 121, #pkts decrypt: 121, #pkts verify: 121
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: 202.124.251.251, remote crypto endpt.: 208.76.20.21
     path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
     current outbound spi: 0xE644EEFB(3863277307)

     inbound esp sas:
      spi: 0x99FFDEF2(2583682802)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4604180/2581)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE644EEFB(3863277307)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4604158/2581)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Tunnel0
    Crypto map tag: test, local addr 202.124.251.251

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.150.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.50.0.0/255.255.0.0/0/0)
   current_peer 208.76.20.21 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2159, #pkts encrypt: 2159, #pkts digest: 2159
    #pkts decaps: 121, #pkts decrypt: 121, #pkts verify: 121
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 5, #recv errors 0

     local crypto endpt.: 202.124.251.251, remote crypto endpt.: 208.76.20.21
     path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
     current outbound spi: 0xE644EEFB(3863277307)

     inbound esp sas:
      spi: 0x99FFDEF2(2583682802)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: SW:3, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4604180/2580)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE644EEFB(3863277307)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: SW:4, crypto map: test
        sa timing: remaining key lifetime (k/sec): (4604158/2580)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
irdel02#

-----------------------------------------------------------------------------------

! sent a few pings from remote Juniper side to Cisco interface

>ping 192.168.150.45 | findstr Lost
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

C:\>tracert -d 192.168.150.45

Tracing route to 192.168.150.45 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.50.6.1
  2    <1 ms    <1 ms    <1 ms  172.16.0.2
  3    <1 ms    <1 ms    <1 ms  172.16.18.1
  4   356 ms   363 ms   353 ms  192.168.150.45

Trace complete.

irdel02#!before ping

irdel02#show cry ipsec sa | i inter|caps
interface: Loopback0
    #pkts encaps: 2210, #pkts encrypt: 2210, #pkts digest: 2210
    #pkts decaps: 121, #pkts decrypt: 121, #pkts verify: 121
interface: Tunnel0
    #pkts encaps: 2210, #pkts encrypt: 2210, #pkts digest: 2210
    #pkts decaps: 121, #pkts decrypt: 121, #pkts verify: 121

irdel02#!after ping

irdel02#show cry ipsec sa | i inter|caps
interface: Loopback0
    #pkts encaps: 2255, #pkts encrypt: 2255, #pkts digest: 2255
    #pkts decaps: 132, #pkts decrypt: 132, #pkts verify: 132
interface: Tunnel0
    #pkts encaps: 2255, #pkts encrypt: 2255, #pkts digest: 2255
    #pkts decaps: 132, #pkts decrypt: 132, #pkts verify: 132
irdel02#

irdel02#!sent a few ping from Juniper side to host behind cisco

irdel02#show cry ipsec sa | i inter|caps
interface: Loopback0
    #pkts encaps: 1244, #pkts encrypt: 1244, #pkts digest: 1244
    #pkts decaps: 102, #pkts decrypt: 102, #pkts verify: 102
interface: Tunnel0
    #pkts encaps: 1244, #pkts encrypt: 1244, #pkts digest: 1244
    #pkts decaps: 102, #pkts decrypt: 102, #pkts verify: 102
irdel02#show cry ipsec sa | i inter|caps
interface: Loopback0
    #pkts encaps: 1245, #pkts encrypt: 1245, #pkts digest: 1245
    #pkts decaps: 102, #pkts decrypt: 102, #pkts verify: 102
interface: Tunnel0
    #pkts encaps: 1245, #pkts encrypt: 1245, #pkts digest: 1245
    #pkts decaps: 102, #pkts decrypt: 102, #pkts verify: 102
irdel02#show cry ipsec sa | i inter|caps
interface: Loopback0
    #pkts encaps: 1246, #pkts encrypt: 1246, #pkts digest: 1246
    #pkts decaps: 103, #pkts decrypt: 103, #pkts verify: 103
interface: Tunnel0
    #pkts encaps: 1246, #pkts encrypt: 1246, #pkts digest: 1246
    #pkts decaps: 103, #pkts decrypt: 103, #pkts verify: 103
irdel02#show cry ipsec sa | i inter|caps
interface: Loopback0
    #pkts encaps: 1248, #pkts encrypt: 1248, #pkts digest: 1248
    #pkts decaps: 104, #pkts decrypt: 104, #pkts verify: 104
interface: Tunnel0
    #pkts encaps: 1248, #pkts encrypt: 1248, #pkts digest: 1248
    #pkts decaps: 104, #pkts decrypt: 104, #pkts verify: 104
irdel02#

Thank you in advance.

-lgm
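The before/after counter comparison in the post is the right instinct; as an added example (not part of the original post or of IOS), this Python script automates it. It parses two snapshots of `show crypto ipsec sa` (the filtered `| i inter|caps` form from the post is embedded as sample input, the full form with `#send errors` is also understood), computes per-interface deltas, and labels each SA as bidirectional, outbound-only, inbound-only or idle. The function names are my own; the counter names are IOS's.

```python
import re
from typing import Dict

# Two snapshots of "show crypto ipsec sa | i inter|caps" copied from the post above:
# BEFORE was taken before the pings from the Juniper side, AFTER right after them.
BEFORE = """\
interface: Loopback0
    #pkts encaps: 2210, #pkts encrypt: 2210, #pkts digest: 2210
    #pkts decaps: 121, #pkts decrypt: 121, #pkts verify: 121
interface: Tunnel0
    #pkts encaps: 2210, #pkts encrypt: 2210, #pkts digest: 2210
    #pkts decaps: 121, #pkts decrypt: 121, #pkts verify: 121
"""

AFTER = """\
interface: Loopback0
    #pkts encaps: 2255, #pkts encrypt: 2255, #pkts digest: 2255
    #pkts decaps: 132, #pkts decrypt: 132, #pkts verify: 132
interface: Tunnel0
    #pkts encaps: 2255, #pkts encrypt: 2255, #pkts digest: 2255
    #pkts decaps: 132, #pkts decrypt: 132, #pkts verify: 132
"""

INTERFACE_RE = re.compile(r"^interface:\s+(\S+)")
# Every "#pkts <name>: <n>" pair on a line (encaps, encrypt, digest, decaps, ...).
COUNTER_RE = re.compile(r"#pkts ([a-z. ]+?):\s+(\d+)")
# "#send errors 5, #recv errors 0" from the unfiltered output.
ERROR_RE = re.compile(r"#(send|recv) errors\s+(\d+)")


def parse_counters(text: str) -> Dict[str, Dict[str, int]]:
    """Return {interface: {counter_name: value}} for one show-command snapshot."""
    counters: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            counters.setdefault(current, {})
            continue
        if current is None:
            continue
        for name, value in COUNTER_RE.findall(line):
            counters[current][name] = int(value)
        for direction, value in ERROR_RE.findall(line):
            counters[current][direction + " errors"] = int(value)
    return counters


def counter_deltas(before_text: str, after_text: str) -> Dict[str, Dict[str, int]]:
    """Per-interface difference of every counter between two snapshots."""
    before = parse_counters(before_text)
    after = parse_counters(after_text)
    deltas: Dict[str, Dict[str, int]] = {}
    for intf, counters in after.items():
        base = before.get(intf, {})
        deltas[intf] = {name: value - base.get(name, 0) for name, value in counters.items()}
    return deltas


def classify(delta: Dict[str, int]) -> str:
    """Label the traffic pattern seen during the test window."""
    enc = delta.get("encaps", 0)
    dec = delta.get("decaps", 0)
    if enc > 0 and dec > 0:
        return "bidirectional"
    if enc > 0:
        # We encrypt toward the peer but decrypt nothing: look at the peer's
        # return route / its crypto policy, not at this router's crypto config.
        return "outbound-only"
    if dec > 0:
        # Peer traffic arrives and is decrypted, but no reply is encapsulated:
        # the reply is being routed somewhere that bypasses the crypto map.
        return "inbound-only"
    # Nothing touched the SA: the test packets never reached the crypto map
    # (routing or crypto ACL), so the SA itself is not the problem.
    return "idle"


def report(before_text: str, after_text: str) -> Dict[str, str]:
    return {intf: classify(d) for intf, d in counter_deltas(before_text, after_text).items()}


if __name__ == "__main__":
    for intf, d in counter_deltas(BEFORE, AFTER).items():
        print(f"{intf}: encaps +{d.get('encaps', 0)}, decaps +{d.get('decaps', 0)} -> {classify(d)}")
```

Run it with a snapshot taken immediately before and after a single test (one ping burst from one side) so the deltas belong to that test alone; on the post's numbers it reports +45 encaps / +11 decaps for the Juniper-to-fa0/1 pings. An "idle" result for pings sourced behind the Cisco is the clue that the packets are being dropped or routed away before encryption, which matches the poster's observation that `debug ip packet` never shows them.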

2 REPLIES
New Member

Re: Site-to-site ipsec up, only passes traffic to peer router in

You can try removing this statement:

ip route 10.50.0.0 255.255.0.0 Tunnel0

If you need it to go through the tunnel - I don't see 172.16.19.34 defined in your crypto ACL.
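The reply's point is that only flows matched by the crypto ACL are handed to IPsec. As an added example (my code, not from the thread or from IOS), the script below parses the post's `aclvpn-dc` ACL and evaluates candidate flows against it the way IOS classifies outbound traffic for a crypto map: first matching ACE wins, no match means the packet is not protected. It checks the 192.168.150.0/24 to 10.50.0.0/16 flow, a flow sourced from the Tunnel0 address 172.16.19.34 that the reply singles out, and a `permit gre host A host B` entry of the kind a GRE-over-IPsec crypto ACL would use instead. Function names and the 10.50.6.1 destination (the first hop in the post's tracert) are my choices.

```python
import ipaddress
from typing import List, Tuple

# Crypto ACL copied from the original post.
CRYPTO_ACL = """\
ip access-list extended aclvpn-dc
 permit ip 192.168.150.0 0.0.0.255 10.50.0.0 0.0.255.255 log-input
"""

Ace = Tuple[str, str, Tuple[int, int], Tuple[int, int]]  # (action, proto, (src, wc), (dst, wc))


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD' -> (addr, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(tok), _ip(tokens.pop(0))


def parse_acl(text: str) -> List[Ace]:
    aces: List[Ace] = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] not in ("permit", "deny"):
            continue  # skip the "ip access-list ..." header and blank lines
        action, proto = tokens[0], tokens[1]
        rest = tokens[2:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)  # trailing keywords such as log-input are ignored
        aces.append((action, proto, src, dst))
    return aces


def wildcard_match(addr: int, net: int, wildcard: int) -> bool:
    """Cisco wildcard: a 1 bit means 'don't care'; only the 0 bits are compared."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(aces: List[Ace], src: str, dst: str, proto: str = "ip") -> str:
    """First matching ACE decides; no match is the implicit deny (not encrypted)."""
    s, d = _ip(src), _ip(dst)
    for action, ace_proto, (snet, swc), (dnet, dwc) in aces:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if wildcard_match(s, snet, swc) and wildcard_match(d, dnet, dwc):
            return action
    return "deny"


def is_protected(acl_text: str, src: str, dst: str, proto: str = "ip") -> bool:
    return evaluate(parse_acl(acl_text), src, dst, proto) == "permit"


if __name__ == "__main__":
    for src, dst in [("192.168.150.45", "10.50.6.1"), ("172.16.19.34", "10.50.6.1")]:
        print(f"{src} -> {dst}: {'protected' if is_protected(CRYPTO_ACL, src, dst) else 'NOT protected'}")
```

The 172.16.19.34-sourced flow falls through to the implicit deny, which is the reply's observation in executable form. When a static route pushes traffic into a GRE tunnel first, what the crypto map on the physical path sees is a GRE packet between the tunnel endpoints, so a crypto ACL listing only the inner subnets never matches it; the `permit gre host ... host ...` form exercised in the checks is the shape such an entry takes.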

New Member

Re: Site-to-site ipsec up, only passes traffic to peer router in

ty for the response.

If I remove the ip route statement, what will be the next hop? The ipsec peer?

I might be confusing the Cisco tunnel, on the Juniper side a tunnel is required in my config. Perhaps a tunnel is not needed on the Cisco side?

Note: I did use GRE-IP on the tunnel (each side using public IPs) but the traffic was taking the GRE tunnel and not the GRE-over-IPsec tunnel.

Also, I didn't realize that I needed 172.16.19.32/30 in the crypto ACL.

I'll be able to test tonight and respond back.
