02-09-2012 08:14 PM
Hello all,
I'm hoping someone can help me out here. I'll try starting from the beginning and provide as much detail as possible.
I have a 2621xm as my main router. I've been using it for several years now and it's working excellently. Recently I've set up a crypto map tunnel over the internet with a friend who also has a 2621xm.
The tunnel worked excellently, we've been sharing network resources for a while with no issues. However, recently I've noticed that during copying through the tunnel to the other end, my 2621 crashes as it's running at 99% CPU usage. I decided to add a 2651 to my network as the crypto router, keeping my original 2621 as my gateway router (See attached image).
I copied all pertinent crypto information to the new router (1.9) and added a route on my 2621 (1.1) to forward all traffic for the other network to go through the new router (1.9).
Long story short, the crypto map is established:
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: xx.xx.xx.xx port 4500
IKE SA: local 192.168.1.9/4500 remote xx.xx.xx.xx/4500 Active
IPSEC FLOW: permit ip 192.168.1.0/255.255.255.128 192.168.1.128/255.255.255.128
Active SAs: 4, origin: crypto map
I am able to ping any device on my friend's network from any device on my network with NO problem. The issue is that my friend is unable to ping anything on my network. I know it's a routing issue, but I can't figure out what.
I thought if I added the following to my gateway router it would help:
ip nat inside source static esp 192.168.1.9 int fa0/1
since esp is specifically for Tunnel mode support, but that didn't work. What am I missing?
Also, since the change, I've noticed I'm getting this error intermittently on my new crypto router:
%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=2005 local=192.168.1.9 remote=xx.xx.xx.xx spi=902CEA75 seqno=00000001
Any help would be appreciated.
If need be I can also attach my config files.
Thank you very much in advance!
Chris.
02-10-2012 09:50 AM
bump..
02-10-2012 10:18 PM
Hello Chris,
I would like to see both ends configurations and also the other site 2621XM config.
Regards,
Julio
02-11-2012 12:39 PM
also show crypto isakmp sa and show crypto ipsec sa from the two VPN ends.
02-11-2012 05:39 PM
Here is the config for my friend's 2621 (192.168.1.129):
Current configuration : 6103 bytes
!
! Last configuration change at 19:54:11 MST Thu Feb 9 2012 by chris
! NVRAM config last updated at 18:55:32 MST Fri Feb 10 2012 by chris
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NAT
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
clock timezone MST -7
clock summer-time MST recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip gratuitous-arps
ip cef
!
!
ip dhcp use vrf connected
ip dhcp binding cleanup interval 600
!
!
no ip bootp server
no ip domain lookup
!
ip multicast-routing
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username chris privilege 15 secret 5 $1$.3XL$ib4E47KrR4UxQDE4mFCp..
username darryl privilege 15 secret 5 $1$YXTI$OtPt6prgUBDfPGKdb4FdA.
!
!
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key letmein address xx.xx.xx.xx no-xauth
!
!
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set STRONG
reverse-route
!
!
crypto map NAT_to_Limbo client authentication list sdm_vpn_xauth_ml_1
crypto map NAT_to_Limbo isakmp authorization list sdm_vpn_group_ml_1
crypto map NAT_to_Limbo client configuration address respond
crypto map NAT_to_Limbo 10 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set STRONG
set pfs group2
match address 106
!
!
!
!
interface FastEthernet0/0
description ++++ INTERNAL NETWORK ++++
ip address 192.168.1.129 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim dense-mode
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description ++++ INTERNET INTERFACE ++++
ip address dhcp
ip verify unicast source reachable-via rx allow-default 100
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
speed auto
half-duplex
crypto map NAT_to_Limbo
crypto ipsec df-bit clear
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 72.53.31.1
!
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source static tcp 192.168.1.146 25565 interface FastEthernet0/1 25565
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.129 23 interface FastEthernet0/1 23
ip nat inside source static tcp 192.168.1.129 22 interface FastEthernet0/1 22
!
logging trap debugging
logging facility local2
access-list 1 remark SDM_ACL Category=16
access-list 1 deny any log
access-list 1 permit any
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip 192.168.1.128 0.0.0.127 192.168.1.0 0.0.0.127
access-list 100 permit ip any any
access-list 102 permit tcp host 75.155.57.38 any eq 25565
access-list 106 permit ip 192.168.1.128 0.0.0.127 192.168.1.0 0.0.0.127
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
speed 115200
line aux 0
line vty 0 4
!
ntp clock-period 17180147
ntp server 209.167.68.100
ntp server 216.234.161.11
ntp server 209.172.32.214
ntp server 205.189.158.228
Here's the results from the show crypto isakmp sa:
NAT#show crypto isakmp sa
dst src state conn-id slot status
XX.XX.XX.XX YY.YY.YY.YY QM_IDLE 1 0 ACTIVE
Here's the results from the show crypto ipsec sa:
NAT#show crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: NAT_to_Limbo, local addr XX.XX.XX.XX
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.128/255.255.255.128/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.128/0/0)
current_peer 75.155.57.145 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1466517, #pkts encrypt: 1466517, #pkts digest: 1466517
#pkts decaps: 1982091, #pkts decrypt: 1982091, #pkts verify: 1982091
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 26, #recv errors 9
local crypto endpt.: XX.XX.XX.XX, remote crypto endpt.: YY.YY.YY.YY
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0xA5C9A9FA(2781456890)
inbound esp sas:
spi: 0x64B9681E(1689872414)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2006, flow_id: SW:6, crypto map: NAT_to_Limbo
sa timing: remaining key lifetime (k/sec): (4403163/3420)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA5C9A9FA(2781456890)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2001, flow_id: SW:1, crypto map: NAT_to_Limbo
sa timing: remaining key lifetime (k/sec): (4403164/3420)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Here is my gateway config (192.168.1.1):
Current configuration : 3005 bytes
!
! Last configuration change at 19:27:26 MST Fri Feb 10 2012 by chris
! NVRAM config last updated at 18:55:28 MST Fri Feb 10 2012 by chris
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Limbo
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
clock timezone MST -7
clock summer-time MST recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
no ip bootp server
ip multicast-routing
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username user privilege 15 secret 5 $1$a2z4$vohhcY7hnS2ZrU04avNa3.
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
no cdp enable
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
description ++++ INTERNET CONNECTION ++++
ip address dhcp
ip verify unicast source reachable-via rx allow-default 100
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.155.56.1
ip route 192.168.1.128 255.255.255.128 192.168.1.9
!
!
no ip http server
ip http authentication local
ip http secure-server
!
logging trap debugging
logging facility local2
access-list 1 permit any
access-list 1 remark SDM_ACL Category=16
access-list 1 deny any log
access-list 100 permit ip any any
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
speed 115200
line aux 0
line vty 0 4
!
ntp clock-period 17180235
ntp server 209.167.68.100
ntp server 216.234.161.11
ntp server 209.172.32.214
ntp server 205.189.158.228
!
end
Here's the config for my new crypto router (192.168.1.9):
Current configuration : 2451 bytes
!
! Last configuration change at 19:30:29 MST Fri Feb 10 2012 by chris
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Crypto
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
clock timezone MST -7
clock summer-time MST recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username user privilege 15 secret 5 $1$a2z4$vohhcY7hnS2ZrU04avNa3.
!
!
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key letmein address XX.XX.XX.XX no-xauth
!
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set STRONG
reverse-route
!
!
crypto map Limbo_to_NAT client authentication list sdm_vpn_xauth_ml_1
crypto map Limbo_to_NAT isakmp authorization list sdm_vpn_group_ml_1
crypto map Limbo_to_NAT client configuration address respond
crypto map Limbo_to_NAT 10 ipsec-isakmp
set peer XX.XX.XX.XX
set transform-set STRONG
set pfs group2
match address 106
!
!
!
!
interface FastEthernet0/0
ip address 192.168.1.9 255.255.255.128
duplex auto
speed auto
crypto map Limbo_to_NAT
crypto ipsec df-bit clear
!
interface Serial0/0
ip address 10.10.10.2 255.255.255.252
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
interface Serial0/2
no ip address
shutdown
!
interface Serial0/3
no ip address
shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 192.168.1.128 255.255.255.128 192.168.1.129
!
!
ip http server
ip http authentication local
no ip http secure-server
!
access-list 1 permit any
access-list 1 remark SDM_ACL Category=16
access-list 1 deny any log
access-list 100 permit ip any any
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip 192.168.1.0 0.0.0.127 192.168.1.128 0.0.0.127
access-list 106 permit ip 192.168.1.0 0.0.0.127 192.168.1.128 0.0.0.127
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
speed 115200
line aux 0
line vty 0 4
!
ntp clock-period 17208398
ntp server 64.250.229.100
!
end
Show crypto isakmp sa:
Crypto#show crypto isakmp sa
dst src state conn-id slot status
YY.YY.YY.YY XX.XX.XX.XX QM_IDLE 1 0 ACTIVE
Show crypto ipsec sa:
interface: FastEthernet0/0
Crypto map tag: Limbo_to_NAT, local addr 192.168.1.9
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.128/0/0)
remote ident (addr/mask/prot/port): (192.168.1.128/255.255.255.128/0/0)
current_peer XX.XX.XX.XX port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1320704, #pkts encrypt: 1320704, #pkts digest: 1320704
#pkts decaps: 966373, #pkts decrypt: 966373, #pkts verify: 966373
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 192.168.1.9, remote crypto endpt.: XX.XX.XX.XX
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x64B9681E(1689872414)
inbound esp sas:
spi: 0xA5C9A9FA(2781456890)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2006, flow_id: SW:6, crypto map: Limbo_to_NAT
sa timing: remaining key lifetime (k/sec): (4501525/1633)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x64B9681E(1689872414)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2001, flow_id: SW:1, crypto map: Limbo_to_NAT
sa timing: remaining key lifetime (k/sec): (4501520/1631)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Hopefully this has everything you need. Let me know if you need anything else! All config files are at the minimum that worked. I've removed all access-lists and any non-important information.
Thanks in advance, Mudit!
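As an added example (not from the thread or from either poster): a small Python checker that reads the two "show crypto ipsec sa" outputs posted above, verifies that the proxy identities mirror and that each end's inbound SPI is the other end's outbound SPI, and then tells you whether the SPI in the %CRYPTO-4-RECVD_PKT_MAC_ERR line is one of the currently installed SAs. The sample inputs are constructed, abridged copies of the outputs in the thread.

```python
import re

# Constructed samples, abridged from the two "show crypto ipsec sa" outputs posted in the thread
NAT_SIDE = """\
local ident (addr/mask/prot/port): (192.168.1.128/255.255.255.128/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.128/0/0)
inbound esp sas:
spi: 0x64B9681E(1689872414)
outbound esp sas:
spi: 0xA5C9A9FA(2781456890)
"""
CRYPTO_SIDE = """\
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.128/0/0)
remote ident (addr/mask/prot/port): (192.168.1.128/255.255.255.128/0/0)
inbound esp sas:
spi: 0xA5C9A9FA(2781456890)
outbound esp sas:
spi: 0x64B9681E(1689872414)
"""
# The log line from the original post (peer address masked there as well)
MAC_ERR = ("%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection "
           "id=2005 local=192.168.1.9 remote=xx.xx.xx.xx spi=902CEA75 seqno=00000001")

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]*)\)")
SPI_RE = re.compile(r"spi: 0x([0-9A-Fa-f]+)")

def parse_sa(text):
    """Return the proxy identities and the inbound/outbound ESP SPI sets of one end."""
    info = {"inbound": set(), "outbound": set()}
    direction = None  # which SA list we are currently inside
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            info[m.group(1)] = m.group(2)
            continue
        if "inbound esp sas" in line:
            direction = "inbound"
        elif "outbound esp sas" in line:
            direction = "outbound"
        elif " ah sas" in line or " pcp sas" in line:
            direction = None  # ignore AH/PCP sections of a full output
        m = SPI_RE.search(line)
        if m and direction:
            info[direction].add(m.group(1).upper())
    return info

def check_pair(a, b):
    """Identities must mirror and each end's inbound SPIs must be the other end's outbound SPIs."""
    problems = []
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        problems.append("proxy identities do not mirror")
    if a["inbound"] != b["outbound"] or a["outbound"] != b["inbound"]:
        problems.append("SPIs do not cross-match")
    return problems

def classify_mac_err(log_line, *sides):
    """'active' if the failing SPI is installed on either end, else 'stale' (no longer an SA)."""
    spi = re.search(r"spi=([0-9A-Fa-f]+)", log_line).group(1).upper()
    active = set().union(*(s["inbound"] | s["outbound"] for s in sides))
    return "active" if spi in active else "stale"
```

A MAC failure on an SPI that neither end still lists points at packets for an SA that has already been torn down or rekeyed, which is worth distinguishing from a failing active SA before chasing it further.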
10-29-2012 12:58 PM
Hi Chris,
Were you able to fix the MAC ERR problem? I am also facing the same issue.
%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed
Regards,
Akhtar