Also,

Your Phase 1 Policys dont match on the ASA and Router. The lifetimes are different.

- Jouni

Hi Jouni

Thanks for your reply. The ISAKMP policy has 'hash sha' configured as a default:

C2951#sh run all | s crypto isakmp policy

crypto isakmp policy 10

encr aes 256

hash sha

authentication pre-share

group 5

lifetime 28800

As for the transform set, there's a 'crypto ipsec transform-set default esp-aes esp-sha-hmac' in the config which should be used by the crypto map by default. Anyway, I've configured it individually to rule out any issues:

crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac

crypto map OUR-MAP 10 ipsec-isakmp

set peer 20.0.0.1

set transform-set AES-SHA

set pfs group5

set isakmp-profile 20.0.0.1

match address TEST1

reverse-route

No success so far.

I agree with you about the 'crypto isakmp key', it's just a leftover since this was my first trial; I've changed the config at some point and included the keyring section.

I'm not sure about the route but I believe we have to direct the traffic somewhere (towards the Internet) seen from the VRF perspective, so I believe a VRF route is mandatory. Still, the Ping wouldn't trigger any crypto process, the router just remains silent.

Regarding your following post about the ISAKMP lifetime; this is a parameter that doesn't have to match, since both boxes will negotiate it and agree upon the lower value. Anyway, I don't even get to the point where ISAKMP will start to negotiate, so there must be another problem (like routing?) that is the issue here...

If you're not getting any debugs that (tyically) is caused by two things:

1) Traffic is not hitting your crypto map (most likely due to leaking being misconfigured in your case).

2) For whatever reason locally switched traffic does fail to do route lookup.

a) My suggestion use "global" keyword when configuring static routing

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_pi/command/iri-cr-a1.html#GUID-24399FED-0F6A-479C-B88A-D7FB74257058

b) rely on RRI to configure your VRF-aware IPsec.

This example is overly simplified but you will get the idea:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnav/configuration/15-mt/sec-rev-rte-inject.html#GUID-DEBFE993-16DF-4599-946A-1B7A42521C92

Hi Marcin

Thanks for your input. I agree with your diagnosis. This is what I've done meanwhile:

crypto map OUR-MAP 10 ipsec-isakmp

set peer 20.0.0.1

set transform-set AES-SHA

set pfs group5

set isakmp-profile 20.0.0.1

match address TEST1

reverse-route remote-peer 20.0.0.1

ip route 0.0.0.0 0.0.0.0 30.0.0.1

ip route vrf test 10.0.0.0 255.255.255.0 GigabitEthernet0/0 30.0.0.1

ip route vrf test 10.0.0.0 255.255.255.0 30.0.0.1 global

(I've used all routing statements together, as well as the the top one combined with the last two alternately.)

As I've also been playing around w/ IKEv2 before and left these commands on the box, I thought it might be a good idea to clear the config, boot the box and re-apply the IKEv1 config. Still, the problem persists - the VRF Ping doesn't trigger any crypto process.

OK, I've forgot to no shut the gi0/0 interface after the boot and re-application of the config. Now IKEv1 gets triggered! They can't agree upon some parameters right now, but at least I can continue to troubleshoot! Thanks so far!

Good, once you're at that point you're not far from success.

Marcin

Meanwhile the tunnel's up, and I've found out the optimal way to configure the VPN routing so the VRF knows where to route its packets to. I was able to do this by removing any 'ip route vrf ...' and adding the 'reverse-route remote-peer static' command under the crypto map section (see below). However, I now have the problem that only every second Ping gets answered when I issue the VRF Ping, yet all Pings get answered when I initiate the Pings from the remote side (src 10.0.0.1). What do you think might be the cause for this?

As a reference, see my findings by playing around with the reverse-route command:

C2951(config-crypto-map)#reverse-route remote-peer 20.0.0.1 gateway

C2951(config-crypto-map)#do sh ip route vrf test     

Routing Table: test

Codes: -snip-

Gateway of last resort is not set

-> no route to 10.0.0.0 /24 appears

      40.0.0.0/32 is subnetted, 1 subnets

C        40.0.0.1 is directly connected, Loopback1

C2951(config-crypto-map)#reverse-route static

C2951(config-crypto-map)#do sh ip route vrf test

Routing Table: test

Codes: -snip-

Gateway of last resort is not set

      10.0.0.0/24 is subnetted, 1 subnets

S        10.0.0.0 [1/0] via 20.0.0.1

      40.0.0.0/32 is subnetted, 1 subnets

C        40.0.0.1 is directly connected, Loopback1

C2951(config-crypto-map)#reverse-route remote-peer 20.0.0.1 static

C2951(config-crypto-map)#do sh ip route vrf test                 

Routing Table: test

Codes: -snip-

Gateway of last resort is not set

      10.0.0.0/24 is subnetted, 1 subnets

S        10.0.0.0 [1/0] via 20.0.0.1, GigabitEthernet0/0

      40.0.0.0/32 is subnetted, 1 subnets

C        40.0.0.1 is directly connected, Loopback1

C2951#ping vrf test 10.0.0.1 sou lo1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:

Packet sent with a source address of 40.0.0.1

.!.!.

Success rate is 40 percent (2/5), round-trip min/avg/max = 1/1/1 ms

C2651XM#ping 40.0.0.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 40.0.0.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Clear your routing table. If you left the two 10.0.0.0/24 VRF routes you're most likely doing per-packet load balancing.

There are no VRF routes left in the config, and I've cleared the global and the VRF routing table. Even rebooted the box. Still only half of the Pings get answered. There are no crypto ipsec errors, so it should have something to do with routing...but what?

C2951#sh crypto ipsec sa

interface: GigabitEthernet0/0

    Crypto map tag: OUR-MAP, local addr 30.0.0.2

   protected vrf: test

   local  ident (addr/mask/prot/port): (40.0.0.1/255.255.255.255/0/0)

   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)

   current_peer 20.0.0.1 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14

    #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 30.0.0.2, remote crypto endpt.: 20.0.0.1

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0

     current outbound spi: 0xEB02ACDA(3942821082)

     PFS (Y/N): Y, DH group: group5

     inbound esp sas:

      spi: 0x1A943A9F(445921951)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 18009, flow_id: ISM VPN:9, sibling_flags 80000040, crypto map: OUR-MAP

        sa timing: remaining key lifetime (k/sec): (4225929/3571)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0xEB02ACDA(3942821082)

        transform: esp-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 18010, flow_id: ISM VPN:10, sibling_flags 80000040, crypto map: OUR-MAP

        sa timing: remaining key lifetime (k/sec): (4225928/3571)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

C2951#sh ip route 10.0.0.0

% Network not in table

C2951#sh ip route vrf test 10.0.0.0

Routing Table: test

Routing entry for 10.0.0.0/24, 1 known subnets

S        10.0.0.0 [1/0] via 20.0.0.1, GigabitEthernet0/0

After involving TAC it seems to be a bug (to be confirmed by DE) in the ASA code. The problem for the 50% success rate of Pings through the VPN tunnel is caused by the enabled ICMP inspect. If I disable the inspect, I get a 100% success rate. The issue can be reproduced on 9.1(2) and 9.1(3), yet not on 9.1(1).

Bug ID CSCul55863