Sunday 5 April 2020

IPSEC SITE TO SITE VPN - TSHOOT

Issue: PC1 (10.0.0.100, behind R1) cannot ping PC2 (20.0.0.100, behind R2), and vice versa.

PC1>ping 20.0.0.100

20.0.0.100 icmp_seq=1415 timeout

20.0.0.100 icmp_seq=1416 timeout

20.0.0.100 icmp_seq=1417 timeout

20.0.0.100 icmp_seq=1418 timeout

20.0.0.100 icmp_seq=1419 timeout


PC2> ping 10.0.0.100

10.0.0.100 icmp_seq=1 timeout

10.0.0.100 icmp_seq=2 timeout

10.0.0.100 icmp_seq=3 timeout

IPSEC VPN TSHOOT 


Let's check IPsec Phase 1 (the ISAKMP/IKE SA) first:

R1#sh crypto isakmp sa

dst             src             state          conn-id slot status

12.0.0.2        12.0.0.1        QM_IDLE             41    0 ACTIVE


R2#sh cry isakmp sa

dst             src             state          conn-id slot status

12.0.0.2        12.0.0.1        QM_IDLE             42    0 ACTIVE


Phase 1 is ACTIVE (state QM_IDLE) on both routers, i.e. the IKE SA is up, so peer reachability, the ISAKMP policy and authentication are all fine.

Phase 2 (the IPsec SAs that carry the actual data) is not up, though:


R1#sh cry ipsec sa

interface: Serial0

    Crypto map tag: TECHMAP, local addr 12.0.0.1

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)

   current_peer 12.0.0.2 port 500

     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0   ==================> no packets

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1323, #recv errors 0                      ===============> errors

     local crypto endpt.: 12.0.0.1, remote crypto endpt.: 12.0.0.2

     path mtu 1500, ip mtu 1500, ip mtu idb Serial0

     current outbound spi: 0x0(0)
<OUTPUT OMITTED>


R2#sh crypto ipsec sa

interface: Serial0

    Crypto map tag: TECHMAP, local addr 12.0.0.2

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)

   current_peer 12.0.0.1 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 12.0.0.2, remote crypto endpt.: 12.0.0.1

     path mtu 1500, ip mtu 1500, ip mtu idb Serial0

     current outbound spi: 0x0(0)
<OUTPUT OMITTED>
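As an added example (this is not code from the original post): a small Python checker that reads the header of show crypto ipsec sa from both peers and turns the clues in the two outputs above into findings: whether the local/remote idents of the two sides mirror each other, whether any SA is installed (outbound SPI), and whether send errors are accumulating while encaps stays at zero. The sample inputs are the outputs from this post trimmed to the header lines; the function and field names are my own.

```python
import re

# Constructed sample input: the header of "show crypto ipsec sa" on each peer,
# trimmed to the lines this checker reads, as shown in this post before and after the fix.
R1_BEFORE = """\
    Crypto map tag: TECHMAP, local addr 12.0.0.1
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #send errors 1323, #recv errors 0
     current outbound spi: 0x0(0)
"""
R2_BEFORE = """\
    Crypto map tag: TECHMAP, local addr 12.0.0.2
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
"""
R1_AFTER = """\
    Crypto map tag: TECHMAP, local addr 12.0.0.1
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 72, #pkts encrypt: 72, #pkts digest: 72
    #send errors 1601, #recv errors 0
     current outbound spi: 0x55840A09(1434716681)
"""
R2_AFTER = """\
    Crypto map tag: TECHMAP, local addr 12.0.0.2
   local  ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 72, #pkts encrypt: 72, #pkts digest: 72
    #send errors 0, #recv errors 0
     current outbound spi: 0xF80375FC(4160976380)
"""
IDENT = r"ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)"  # (network, netmask)


def parse_ipsec_sa(text):
    """Pull out the fields that decide whether Phase 2 is up for this flow."""
    def grab(pattern, cast=str, default=None):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else default
    local, remote = re.search(r"local\s+" + IDENT, text), re.search(r"remote\s+" + IDENT, text)
    return {
        "router": grab(r"local addr ([\d.]+)"),
        "local_id": (local.group(1), local.group(2)),
        "remote_id": (remote.group(1), remote.group(2)),
        "flags": {f for f in grab(r"flags=\{([^}]*)\}", default="").split(",") if f},
        "encaps": grab(r"#pkts encaps: (\d+)", int, 0),
        "send_errors": grab(r"#send errors (\d+)", int, 0),
        "out_spi": grab(r"current outbound spi: 0x([0-9A-Fa-f]+)", lambda h: int(h, 16), 0),
    }


def mirrors(a, b):
    """Phase 2 proxy identities must be exact mirror images of each other."""
    return a["local_id"] == b["remote_id"] and a["remote_id"] == b["local_id"]


def diagnose(a, b):
    """Explain, from the two headers alone, why no traffic is being protected."""
    fmt = "/".join
    findings = []
    if not mirrors(a, b):
        findings.append(
            f"proxy identities do not mirror: {a['router']} local {fmt(a['local_id'])} -> "
            f"remote {fmt(a['remote_id'])} but {b['router']} local {fmt(b['local_id'])} -> "
            f"remote {fmt(b['remote_id'])}; each crypto ACL must use its own subnet as source")
    for sa in (a, b):
        if sa["out_spi"] == 0:
            findings.append(f"{sa['router']}: no IPsec SA installed (outbound SPI 0x0)")
        # send errors is cumulative (R1 still shows 1601 after the fix), so it only
        # means something while encaps is still zero
        if sa["send_errors"] and sa["encaps"] == 0:
            findings.append(f"{sa['router']}: {sa['send_errors']} send errors with zero "
                            "encaps, interesting traffic hits the map but no SA exists")
        if "ipsec_sa_request_sent" in sa["flags"] and sa["out_spi"] == 0:
            findings.append(f"{sa['router']}: SA request sent, Quick Mode never completed")
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_ipsec_sa(R1_BEFORE), parse_ipsec_sa(R2_BEFORE)):
        print("-", f)
    print("after fix:", diagnose(parse_ipsec_sa(R1_AFTER), parse_ipsec_sa(R2_AFTER)) or "clean")
```

Run it against the "before" headers and it reports the non-mirrored idents, the missing SAs and R1's send errors; against the "after" headers it reports nothing, even though R1's send error counter is still non-zero, because that counter never resets on its own.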

Looking at the two show crypto ipsec sa outputs, three things stand out. Neither router has any SA installed (outbound SPI 0x0). R1 has sent an SA request (flag ipsec_sa_request_sent) and is counting send errors with zero encaps, i.e. interesting traffic is hitting the crypto map but there is nothing to encrypt it with. And R2's local/remote ident is identical to R1's instead of being the mirror image: R2 should show local 20.0.0.0/24 and remote 10.0.0.0/24. These are the logs generated on R1 and R2 when traffic is sent in both directions:


R1#

Jun 21 19:47:21.999: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /10.0.0.100, src_addr= 20.0.0.100, prot= 1


R2#

Jun 21 19:40:09.147: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 12.0.0.1

R2's message says the Quick Mode (Phase 2) negotiation with R1 fails. R1's message is the more worrying one: a plain ICMP packet (prot= 1) from 20.0.0.100 to 10.0.0.100 arrived on R1's crypto-map interface unencrypted. R2 did not treat PC2's traffic toward 10.0.0.0/24 as interesting, so it forwarded it across the transit link in cleartext, and R1 dropped it because its own crypto map says that flow must arrive inside IPsec. Let's initiate traffic from PC1 to PC2 and look at the IP packet debug on R1:

R1#

Jun 21 19:53:15.783: IP: tableid=0, s=12.0.0.1 (local), d=12.0.0.2 (Serial0), routed via FIB

Jun 21 19:53:15.783: IP: s=12.0.0.1 (local), d=12.0.0.2 (Serial0), len 120, sending

Jun 21 19:53:15.807: IP: tableid=0, s=12.0.0.2 (Serial0), d=12.0.0.1 (Serial0), routed via RIB

Jun 21 19:53:15.807: IP: s=12.0.0.2 (Serial0), d=12.0.0.1 (Serial0), len 120, rcvd 3

R1#

The only packets in the debug are R1's own exchange with its peer 12.0.0.2 (the IKE negotiation); nothing is encapsulated for 20.0.0.0/24. The best command to continue the troubleshooting is show crypto map on both peers, because it shows the crypto ACL each side uses as its interesting traffic, and hence the proxy identities it proposes in Quick Mode:

R1#sh crypto map

Crypto Map "TECHMAP" 10 ipsec-isakmp

        Peer = 12.0.0.2

        Extended IP access list 100

            access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255

        Current peer: 12.0.0.2

        Security association lifetime: 4608000 kilobytes/3600 seconds

        PFS (Y/N): N

        Transform sets={

                TECHSTUFF,

        }

        Interfaces using crypto map TECHMAP:

                Serial0



R2#sh crypto map

Crypto Map "TECHMAP" 10 ipsec-isakmp

        Peer = 12.0.0.1

        Extended IP access list 100

            access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255  ==============> Wrong entry in ACL: a copy of R1's line, not its mirror image (the source must be R2's own 20.0.0.0/24, the destination 10.0.0.0/24)

        Current peer: 12.0.0.1

        Security association lifetime: 4608000 kilobytes/3600 seconds

        PFS (Y/N): N

        Transform sets={

                TECHSTUFF,

        }

        Interfaces using crypto map TECHMAP:

                Serial0


R2#sh ip access-lists 100

Extended IP access list 100

    10 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255

R2#config

Configuring from terminal, memory, or network [terminal]?

Enter configuration commands, one per line.  End with CNTL/Z.

R2(config)#

R2(config)#ip access-list ex 100

R2(config-ext-nacl)#no permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255

R2(config-ext-nacl)#permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255

R2(config-ext-nacl)#^Z
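As an added example, not part of the original post: a Python helper that checks whether a peer's crypto ACL is the exact mirror image of ours and prints the IOS commands that turn it into one, which is what was just done by hand on R2. The sample ACL lines are the ones from this post; the function names are my own, and the generated fix uses the named-ACL syntax (ip access-list extended 100) exactly as on R2 above. It also handles the host and any keywords, which the post's ACLs do not use.

```python
import ipaddress

# Constructed sample input: the crypto ACL entries shown in this post, in both the
# "access-list N ..." config form and the numbered "show ip access-lists" form.
R1_ACL = ["access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255"]
R2_ACL_WRONG = ["10 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255"]  # copy of R1's, not its mirror
R2_ACL_FIXED = ["10 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255"]


def wildcard_to_network(addr, wildcard):
    """IOS wildcard mask -> network (0.0.0.255 is a /24). A non-contiguous
    wildcard has no prefix-length equivalent and makes ipaddress raise ValueError."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _take_addr(toks):
    """Consume one address specification: 'any', 'host X' or 'addr wildcard'."""
    if toks[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.IPv4Network(toks[1] + "/32"), toks[2:]
    return wildcard_to_network(toks[0], toks[1]), toks[2:]


def parse_ace(line):
    """Return (src, dst) networks for a 'permit ip' entry; anything else
    (deny entries, other protocols) returns None and is ignored."""
    toks = line.split()
    if toks[:1] == ["access-list"]:
        toks = toks[2:]            # drop "access-list 100"
    elif toks and toks[0].isdigit():
        toks = toks[1:]            # drop the sequence number
    if toks[:2] != ["permit", "ip"]:
        return None
    src, toks = _take_addr(toks[2:])
    dst, _ = _take_addr(toks)
    return src, dst


def check_mirror(local_lines, peer_lines):
    """Return (entries the peer is missing, entries the peer has that we do not mirror).
    Both sets empty means the peer's ACL is the exact mirror image of ours."""
    local = {a for a in map(parse_ace, local_lines) if a}
    peer = {a for a in map(parse_ace, peer_lines) if a}
    expected = {(dst, src) for src, dst in local}   # swap source and destination
    return expected - peer, peer - expected


def ace_text(src, dst):
    """Back to IOS 'addr wildcard addr wildcard' form (hostmask is the wildcard)."""
    return f"{src.network_address} {src.hostmask} {dst.network_address} {dst.hostmask}"


def fix_commands(acl, missing, extra):
    """IOS commands (named-ACL syntax, as used on R2 in the post) that make the
    peer's ACL the mirror image: remove the stray entries, add the missing ones."""
    if not missing and not extra:
        return []
    cmds = [f"ip access-list extended {acl}"]
    cmds += [f" no permit ip {ace_text(s, d)}" for s, d in sorted(extra, key=str)]
    cmds += [f" permit ip {ace_text(s, d)}" for s, d in sorted(missing, key=str)]
    return cmds


if __name__ == "__main__":
    missing, extra = check_mirror(R1_ACL, R2_ACL_WRONG)
    print("\n".join(fix_commands("100", missing, extra)) or "ACLs already mirror each other")
    print(check_mirror(R1_ACL, R2_ACL_FIXED))
```

The check is worth running on both sides of every site-to-site tunnel before it goes live: outbound traffic that matches the crypto ACL is encrypted, inbound cleartext that matches it is dropped, so any entry without an exact mirror on the peer either breaks Quick Mode or, as on R2 here, lets the "protected" traffic leave in the clear.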



R2's crypto ACL is now the mirror image of R1's (source 20.0.0.0/24, destination 10.0.0.0/24). Now let's initiate traffic from PC1 to PC2 again:



PC1> ping 20.0.0.100

84 bytes from 20.0.0.100 icmp_seq=1 ttl=62 time=59.004 ms

84 bytes from 20.0.0.100 icmp_seq=2 ttl=62 time=34.002 ms

84 bytes from 20.0.0.100 icmp_seq=3 ttl=62 time=34.002 ms

84 bytes from 20.0.0.100 icmp_seq=4 ttl=62 time=47.003 ms

84 bytes from 20.0.0.100 icmp_seq=5 ttl=62 time=34.002 ms



R1#sh crypto ipsec sa

interface: Serial0

    Crypto map tag: TECHMAP, local addr 12.0.0.1

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)

   current_peer 12.0.0.2 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 72, #pkts encrypt: 72, #pkts digest: 72         ==========>Able to view packets

    #pkts decaps: 72, #pkts decrypt: 72, #pkts verify: 72

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1601, #recv errors 0

     local crypto endpt.: 12.0.0.1, remote crypto endpt.: 12.0.0.2

     path mtu 1500, ip mtu 1500, ip mtu idb Serial0

     current outbound spi: 0x55840A09(1434716681)

     inbound esp sas:

      spi: 0xF80375FC(4160976380)

        transform: esp-256-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2001, flow_id: SW:1, crypto map: TECHMAP

        sa timing: remaining key lifetime (k/sec): (4543112/3376)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:

      spi: 0x55840A09(1434716681)

        transform: esp-256-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2002, flow_id: SW:2, crypto map: TECHMAP

        sa timing: remaining key lifetime (k/sec): (4543112/3375)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE


R2#sh crypto ipsec sa

interface: Serial0

    Crypto map tag: TECHMAP, local addr 12.0.0.2

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)

   current_peer 12.0.0.1 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 72, #pkts encrypt: 72, #pkts digest: 72

    #pkts decaps: 72, #pkts decrypt: 72, #pkts verify: 72

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 12.0.0.2, remote crypto endpt.: 12.0.0.1

     path mtu 1500, ip mtu 1500, ip mtu idb Serial0

     current outbound spi: 0xF80375FC(4160976380)

     inbound esp sas:

      spi: 0x55840A09(1434716681)

        transform: esp-256-aes esp-sha-hmac ,


In this ticket we saw how a single wrong entry in the interesting traffic (crypto) ACL breaks the tunnel: Phase 1 still comes up, Quick Mode fails on the responder, the initiator shows zero encaps, an outbound SPI of 0x0 and a growing send error counter, and the misconfigured side forwards the traffic it was supposed to protect across the transit link in cleartext (R1's %CRYPTO-4-RECVD_PKT_NOT_IPSEC message). Whenever the ISAKMP SA is ACTIVE but show crypto ipsec sa shows no SAs, compare the local/remote ident on both peers and the ACLs referenced by the crypto maps before changing anything else; the two ACLs must be exact mirror images of each other.


Hope you all liked this!

Thank you!
