Issue: not able to ping PC2 from PC1 and vice versa.
PC1> ping 20.0.0.100
20.0.0.100 icmp_seq=1415 timeout
20.0.0.100 icmp_seq=1416 timeout
20.0.0.100 icmp_seq=1417 timeout
20.0.0.100 icmp_seq=1418 timeout
20.0.0.100 icmp_seq=1419 timeout
PC2> ping 10.0.0.100
10.0.0.100 icmp_seq=1 timeout
10.0.0.100 icmp_seq=2 timeout
10.0.0.100 icmp_seq=3 timeout
IPSEC VPN TSHOOT
Let's check IPsec Phase 1:
R1#sh crypto isakmp sa
dst src state conn-id slot status
12.0.0.2 12.0.0.1 QM_IDLE 41 0 ACTIVE
R2#sh cry isakmp sa
dst src state conn-id slot status
12.0.0.2 12.0.0.1 QM_IDLE 42 0 ACTIVE
IPsec Phase 1 (ISAKMP SA) is ACTIVE, i.e. up, but Phase 2 (the IPsec SA) is not up:
R1#sh cry ipsec sa
interface: Serial0
Crypto map tag: TECHMAP, local addr 12.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
current_peer 12.0.0.2 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 ==================> no packets
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1323, #recv errors 0 ===============> errors
local crypto endpt.: 12.0.0.1, remote crypto endpt.: 12.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial0
current outbound spi: 0x0(0)
<OUTPUT OMITTED>
R2#sh crypto ipsec sa
interface: Serial0
Crypto map tag: TECHMAP, local addr 12.0.0.2
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
current_peer 12.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 12.0.0.2, remote crypto endpt.: 12.0.0.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0
current outbound spi: 0x0(0)
<OUTPUT OMITTED>
These are the log messages generated on R1 and R2 when bidirectional traffic is sent:
R1#
Jun 21 19:47:21.999: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.0.0.100, src_addr= 20.0.0.100, prot= 1
R2#
Jun 21 19:40:09.147: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 12.0.0.1
Let's initiate traffic from PC1 to PC2 and look at the debug output on R1:
R1#
Jun 21 19:53:15.783: IP: tableid=0, s=12.0.0.1 (local), d=12.0.0.2 (Serial0), routed via FIB
Jun 21 19:53:15.783: IP: s=12.0.0.1 (local), d=12.0.0.2 (Serial0), len 120, sending
Jun 21 19:53:15.807: IP: tableid=0, s=12.0.0.2 (Serial0), d=12.0.0.1 (Serial0), routed via RIB
Jun 21 19:53:15.807: IP: s=12.0.0.2 (Serial0), d=12.0.0.1 (Serial0), len 120, rcvd 3
R1#
The best command to start troubleshooting with is show crypto map on both routers:
R1#sh crypto map
Crypto Map "TECHMAP" 10 ipsec-isakmp
Peer = 12.0.0.2
Extended IP access list 100
access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
Current peer: 12.0.0.2
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
TECHSTUFF,
}
Interfaces using crypto map TECHMAP:
Serial0
R2#sh crypto map
Crypto Map "TECHMAP" 10 ipsec-isakmp
Peer = 12.0.0.1
Extended IP access list 100
access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255 ==============> Wrong entry in ACL: R2's crypto ACL must mirror R1's (source 20.0.0.0/24, destination 10.0.0.0/24)
Current peer: 12.0.0.1
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
TECHSTUFF,
}
Interfaces using crypto map TECHMAP:
Serial0
R2#sh ip access-lists 100
Extended IP access list 100
10 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
R2#config
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#
R2(config)#ip access-list ex 100
R2(config-ext-nacl)#no permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
R2(config-ext-nacl)#permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
R2(config-ext-nacl)#^Z
Now let's initiate traffic from PC1 to PC2:
PC1> ping 20.0.0.100
84 bytes from 20.0.0.100 icmp_seq=1 ttl=62 time=59.004 ms
84 bytes from 20.0.0.100 icmp_seq=2 ttl=62 time=34.002 ms
84 bytes from 20.0.0.100 icmp_seq=3 ttl=62 time=34.002 ms
84 bytes from 20.0.0.100 icmp_seq=4 ttl=62 time=47.003 ms
84 bytes from 20.0.0.100 icmp_seq=5 ttl=62 time=34.002 ms
R1#sh crypto ipsec sa
interface: Serial0
Crypto map tag: TECHMAP, local addr 12.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
current_peer 12.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 72, #pkts encrypt: 72, #pkts digest: 72 ==========>Able to view packets
#pkts decaps: 72, #pkts decrypt: 72, #pkts verify: 72
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1601, #recv errors 0
local crypto endpt.: 12.0.0.1, remote crypto endpt.: 12.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb Serial0
current outbound spi: 0x55840A09(1434716681)
inbound esp sas:
spi: 0xF80375FC(4160976380)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: SW:1, crypto map: TECHMAP
sa timing: remaining key lifetime (k/sec): (4543112/3376)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x55840A09(1434716681)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: SW:2, crypto map: TECHMAP
sa timing: remaining key lifetime (k/sec): (4543112/3375)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
R2#sh crypto ipsec sa
interface: Serial0
Crypto map tag: TECHMAP, local addr 12.0.0.2
protected vrf: (none)
local ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
current_peer 12.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 72, #pkts encrypt: 72, #pkts digest: 72
#pkts decaps: 72, #pkts decrypt: 72, #pkts verify: 72
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 12.0.0.2, remote crypto endpt.: 12.0.0.1
path mtu 1500, ip mtu 1500, ip mtu idb Serial0
current outbound spi: 0xF80375FC(4160976380)
inbound esp sas:
spi: 0x55840A09(1434716681)
transform: esp-256-aes esp-sha-hmac ,
In this ticket we saw how a wrong entry in the interesting-traffic (crypto) ACL creates an issue: Phase 1 comes up, but Quick Mode fails because the local/remote identities on the two peers do not mirror each other, so no IPsec SA is built and the send errors on R1 keep climbing.
Hope you all liked this!
Thank you!
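As an added example (not code from the original post), a small Python check that parses the crypto ACL lines shown by show crypto map or show ip access-lists on both peers and reports every permit entry the other side does not mirror (source and destination swapped). It goes beyond the page by also accepting the host and any address specs; the sample ACL strings are constructed from this ticket's output.

```python
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network

def _endpoint(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Consume one IOS ACL address spec (any | host A | A WILDCARD) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return Net("0.0.0.0/0"), i + 1
    if tok == "host":
        return Net(tokens[i + 1] + "/32"), i + 2
    # IOS wildcards are inverted netmasks; invert explicitly so 0.0.0.0 means /32.
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return Net((tok, str(netmask)), strict=False), i + 2

def parse_crypto_acl(text: str) -> List[Tuple[Net, Net]]:
    """Return (source, destination) pairs for every 'permit ip' entry in the
    crypto ACL as printed by 'show crypto map' / 'show ip access-lists'."""
    pairs = []
    for line in text.splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue                      # headers and deny entries are not proxy IDs
        i = tokens.index("permit")
        if i + 1 < len(tokens) and tokens[i + 1] == "ip":
            src, j = _endpoint(tokens, i + 2)
            dst, _ = _endpoint(tokens, j)
            pairs.append((src, dst))
    return pairs

def mirror_mismatches(local_acl: str, peer_acl: str) -> List[str]:
    """Crypto ACL entries that the other peer does not mirror (src/dst swapped).
    Any result explains a Phase 1 up / Phase 2 down tunnel like the one in this ticket."""
    local, peer = parse_crypto_acl(local_acl), parse_crypto_acl(peer_acl)
    local_set = set(local)
    peer_mirrored = {(dst, src) for src, dst in peer}
    problems = [f"local {s} -> {d} has no mirror on peer"
                for s, d in local if (s, d) not in peer_mirrored]
    problems += [f"peer {s} -> {d} has no mirror locally"
                 for s, d in peer if (d, s) not in local_set]
    return problems

# Constructed from the 'show crypto map' output in this ticket (R1, R2 before and after the fix).
R1_ACL = "access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255"
R2_ACL_WRONG = "access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255"
R2_ACL_FIXED = "10 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255"
```

Calling mirror_mismatches(R1_ACL, R2_ACL_WRONG) reports the identical (unmirrored) entry from both sides, while mirror_mismatches(R1_ACL, R2_ACL_FIXED) returns an empty list once R2's ACL is corrected as in the ticket.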