IPSec Tunnels set up, but can't pass traffic

I'm able to set up AES IPSec tunnels from an 1811 router to a 3845 router, but cannot pass traffic. A firewall, not under our control, sits immediately in front of the 3845, so I suspect that it is causing the problem.

Here's the config on the 1811 side:

crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key xxxx address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 30 periodic
!
crypto ipsec transform-set backup esp-aes esp-sha-hmac
!
crypto ipsec profile backup
 set transform-set backup

The tunnels look absolutely fine and are working on other interfaces where the firewall isn't present. Any ideas?

Reply to
philbo30

Do you have the correct routes in place?

Reply to
Brian V

Apply the crypto map to the interface and add static routes to send traffic to that destination through the crypto map interface.

Check to see the progress with these commands:

show crypto isakmp sa
show crypto ipsec sa
debug crypto isakmp

Your desired output for the "show crypto isakmp sa" command is a QM_IDLE status for your connection.

Reply to
Scott Perry
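As an added example that is not part of this thread, here is a small Python checker that parses the output of the two show commands above and classifies the tunnel. It confirms that the Phase 1 SA for the peer is in QM_IDLE, then compares the #pkts encaps and #pkts decaps counters from show crypto ipsec sa, which is the quickest way to separate a tunnel that is up but not passing traffic (encaps climbing, decaps stuck at zero) from one that is simply not being used. The show output embedded in the script is constructed in the shape of IOS output using the peer addresses from the thread; the counter values are made up, and the verdict names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample in the shape of IOS "show crypto isakmp sa";
# the peer addresses are the ones from the thread, the rest is made up.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
121.212.111.121 80.123.123.123  QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# Constructed sample in the shape of IOS "show crypto ipsec sa" for Tunnel1:
# packets are encapsulated (sent) but nothing is ever decapsulated.
IPSEC_SA = """\
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 80.123.123.123

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 121.212.111.121 port 500
    #pkts encaps: 152, #pkts encrypt: 152, #pkts digest: 152
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""


@dataclass(frozen=True)
class TunnelHealth:
    peer: str
    phase1_state: Optional[str]  # None when no ISAKMP SA exists for the peer
    encaps: int                  # packets we encrypted and sent to the peer
    decaps: int                  # packets received from the peer and decrypted

    @property
    def verdict(self) -> str:
        if self.phase1_state != "QM_IDLE":
            # IKE never completed: pre-shared key, policy mismatch, or UDP/500 reachability.
            return "phase1-down"
        if self.encaps == 0 and self.decaps == 0:
            # SA is idle: nothing is being routed into the tunnel interface.
            return "no-traffic-selected"
        if self.decaps == 0:
            # We send ESP but nothing comes back: far-side routing, or ESP
            # (IP protocol 50) blocked on the return path through the firewall.
            return "one-way-outbound"
        if self.encaps == 0:
            # Mirror image: the peer reaches us, our side never routes traffic to it.
            return "one-way-inbound"
        return "passing"


def parse_isakmp_state(text: str, peer: str) -> Optional[str]:
    """Return the state column of the ISAKMP SA whose dst address is `peer`."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == peer:
            return fields[2]
    return None


def parse_counters(text: str, peer: str) -> Optional[Tuple[int, int]]:
    """Return (encaps, decaps) from the 'show crypto ipsec sa' block for `peer`."""
    for block in re.split(r"(?m)^interface: ", text)[1:]:
        if not re.search(rf"current_peer {re.escape(peer)}\b", block):
            continue
        enc = re.search(r"#pkts encaps:\s*(\d+)", block)
        dec = re.search(r"#pkts decaps:\s*(\d+)", block)
        if enc and dec:
            return int(enc.group(1)), int(dec.group(1))
    return None


def assess(isakmp_text: str, ipsec_text: str, peer: str) -> TunnelHealth:
    """Combine both show outputs into one health record for `peer`."""
    state = parse_isakmp_state(isakmp_text, peer)
    encaps, decaps = parse_counters(ipsec_text, peer) or (0, 0)
    return TunnelHealth(peer, state, encaps, decaps)


if __name__ == "__main__":
    health = assess(ISAKMP_SA, IPSEC_SA, "121.212.111.121")
    print(health.peer, health.phase1_state, health.encaps, health.decaps, health.verdict)
```

Run it against pasted output from the 1811 and the 3845 separately: on a healthy pair both sides report "passing"; if the 1811 reports "one-way-outbound" while the 3845 shows decaps climbing, the 3845 is receiving and decrypting but its replies never leave on the right path, which points at the far-side routing or the firewall rather than at the crypto configuration.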


Those have been applied... see tunnel configuration below:

interface Tunnel1
 description BACKUP TUNNEL
 ip address 10.190.1.253 255.255.255.252
 ip virtual-reassembly
 tunnel source 80.123.123.123
 tunnel destination 121.212.111.121
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile backup

In addition, the routes look like this:

ip route 0.0.0.0 0.0.0.0 80.123.118.209
ip route 10.0.0.0 255.0.0.0 Tunnel0
ip route 10.0.0.0 255.0.0.0 Tunnel1 2
ip route 10.128.0.1 255.255.255.255 10.160.224.1
ip route 172.0.0.0 255.0.0.0 Tunnel0
ip route 172.22.0.0 255.255.0.0 Tunnel0
ip route 172.22.0.0 255.255.0.0 Tunnel1 2
ip route 121.212.111.0 255.255.0.0 Tunnel1
ip route 121.212.111.121 255.255.255.255 80.123.123.123

With tunnel0 shutdown, the routing table looks like:

Gateway of last resort is 80.123.123.123 to network 0.0.0.0

     80.0.0.0/28 is subnetted, 1 subnets
C       80.123.123.123 is directly connected, FastEthernet1
     172.22.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.22.20.0/28 is directly connected, Vlan2
S       172.22.0.0/16 is directly connected, Tunnel1
     10.0.0.0/8 is variably subnetted, 6 subnets, 5 masks
S       10.0.0.0/8 is directly connected, Tunnel1
C       10.190.1.252/30 is directly connected, Tunnel1
C       10.160.224.0/26 is directly connected, FastEthernet0
S       10.128.0.1/32 [1/0] via 10.160.224.1
C       10.160.224.254/32 is directly connected, Loopback0
C       10.33.224.0/24 is directly connected, Vlan2
     121.212.111.0/32 is subnetted, 1 subnets
S       121.212.111.121 [1/0] via 80.123.123.123
S*   0.0.0.0/0 [1/0] via 80.123.123.122
S    121.212.0.0/16 is directly connected, Tunnel1

Any ideas?

Reply to
philbo30
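An added example, not part of the thread: the static routes from the post above fed into a small longest-prefix-match lookup in Python, to check which interface a given destination would leave on with Tunnel0 shut, and to confirm that the route to the tunnel destination itself does not resolve back into Tunnel1 (a recursive route of that kind stops the tunnel forwarding). The route text is the one posted; the lookup rules are this example's own model of IOS behaviour (longest prefix wins, then lowest administrative distance, routes over a down interface are ignored), and the function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The "ip route" lines posted in the thread, verbatim.
STATIC_ROUTES = """\
ip route 0.0.0.0 0.0.0.0 80.123.118.209
ip route 10.0.0.0 255.0.0.0 Tunnel0
ip route 10.0.0.0 255.0.0.0 Tunnel1 2
ip route 10.128.0.1 255.255.255.255 10.160.224.1
ip route 172.0.0.0 255.0.0.0 Tunnel0
ip route 172.22.0.0 255.255.0.0 Tunnel0
ip route 172.22.0.0 255.255.0.0 Tunnel1 2
ip route 121.212.111.0 255.255.0.0 Tunnel1
ip route 121.212.111.121 255.255.255.255 80.123.123.123
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: Optional[str]  # outgoing interface, if one was configured
    next_hop: Optional[str]   # next-hop address, if one was configured
    distance: int             # administrative distance (IOS default is 1)


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def parse_static_routes(text: str) -> List[Route]:
    """Parse 'ip route <net> <mask> [<iface>] [<next-hop>] [<distance>]' lines."""
    routes = []
    for raw in text.splitlines():
        parts = raw.split()
        if parts[:2] != ["ip", "route"] or len(parts) < 5:
            continue
        # strict=False normalises host bits, so 121.212.111.0/255.255.0.0
        # becomes 121.212.0.0/16, exactly as the routing table shows it.
        network = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
        iface = next_hop = None
        distance = 1
        for tok in parts[4:]:
            if tok.isdigit():
                distance = int(tok)
            elif _is_ipv4(tok):
                next_hop = tok
            else:
                iface = tok
        routes.append(Route(network, iface, next_hop, distance))
    return routes


def lookup(routes: Iterable[Route], destination: str,
           down_interfaces: Iterable[str] = ()) -> Optional[Route]:
    """Pick the route IOS would use: longest prefix, then lowest distance."""
    dst = ipaddress.IPv4Address(destination)
    down = set(down_interfaces)
    candidates = [r for r in routes
                  if dst in r.network and r.interface not in down]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.distance))


def tunnel_route_is_recursive(routes: Iterable[Route], tunnel_interface: str,
                              tunnel_destination: str,
                              down_interfaces: Iterable[str] = ()) -> bool:
    """True if the path to the tunnel endpoint goes through the tunnel itself."""
    chosen = lookup(routes, tunnel_destination, down_interfaces)
    return chosen is not None and chosen.interface == tunnel_interface


if __name__ == "__main__":
    table = parse_static_routes(STATIC_ROUTES)
    for dest in ("10.5.5.5", "172.22.20.9", "121.212.111.121", "198.51.100.7"):
        r = lookup(table, dest, down_interfaces=("Tunnel0",))
        print(dest, "->", r.network, r.interface or r.next_hop)
    print("recursive:", tunnel_route_is_recursive(table, "Tunnel1", "121.212.111.121"))
```

With Tunnel0 shut, 10.x and 172.22.x traffic selects the distance-2 floating statics over Tunnel1, while the /32 to 121.212.111.121 wins over the /16 that points into Tunnel1, so the encrypted packets themselves leave through the physical path rather than the tunnel. The same check run against the 3845's routes is the one that would have exposed the default route pointing at the wrong firewall interface.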

Do you control the firewall? Can it be monitored/checked to see if protocol 50 (ESP) is permitted as necessary to/from your VPN endpoint?

Reply to
Al

Issue was resolved by changing the default route on the 3845. It had pointed all traffic to the wrong interface on the firewall. This still allowed the tunnels to come up, but not pass traffic. Very bizarre. Problem identified by looking at logs that included ICMP redirects.

Reply to
philbo30
