IPSec VPN Tunnel Not Injecting Addressing

Last Modified: 2018-02-06
Hello Community,



I have created a VPN as shown in the attached configs. The tunnel is up and IPsec appears to be working fine. However, I'm unable to ping the address 10.1.0.4 (interface on the router) from the other site with address 10.12.0.4. I think the problem might be that traffic isn't being recognized in the IPsec tunnel as shown here:



cisco-csr-vpn#show crypto ipsec sa

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 10.1.0.4

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 52.184.181.0 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 80, #pkts encrypt: 80, #pkts digest: 80
#pkts decaps: 83, #pkts decrypt: 83, #pkts verify: 83
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.1.0.4, remote crypto endpt.: 52.184.181.0
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0xEC0058AA(3959445674)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xE8D52690(3906283152)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2002, flow_id: CSR:2, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607992/3051)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xEC0058AA(3959445674)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2001, flow_id: CSR:1, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607996/3051)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)



However, I'm not sure how to inject traffic into the tunnel. Can someone let me know where I might be going wrong?



Cheers



Carlton
14-40-46--52.225.134.147-52.225.134..txt
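
As an added example that is not part of the original post: a small Python parser that pulls the proxy identities, peer, packet counters and ESP SA state out of `show crypto ipsec sa` output, so the encaps/decaps counters can be checked by a script. The function names and the health flags are assumptions of this example; SAMPLE is an excerpt of the output quoted in the post.

```python
import re

# Excerpt of the `show crypto ipsec sa` output quoted in the post above.
SAMPLE = """\
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 52.184.181.0 port 4500
#pkts encaps: 80, #pkts encrypt: 80, #pkts digest: 80
#pkts decaps: 83, #pkts decrypt: 83, #pkts verify: 83
#send errors 0, #recv errors 0
inbound esp sas:
Status: ACTIVE(ACTIVE)
inbound ah sas:
outbound esp sas:
Status: ACTIVE(ACTIVE)
"""

def parse_ipsec_sa(text):
    """Extract selectors, peer, counters and ESP SA state from one SA block."""
    sa = {"counters": {}, "esp": {}}
    direction = None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"(local|remote) ident .*: \((\S+?)/(\S+?)/", line):
            sa[m[1] + "_ident"] = f"{m[2]}/{m[3]}"
        elif m := re.match(r"current_peer (\S+) port (\d+)", line):
            sa["peer"], sa["port"] = m[1], int(m[2])
        elif line.startswith("#"):
            # Matches both "#pkts encaps: 80" and "#send errors 0".
            for name, val in re.findall(r"#([a-z. ]+?):? (\d+)", line):
                sa["counters"][name] = int(val)
        elif m := re.match(r"(inbound|outbound) esp sas:", line):
            direction = m[1]
        elif re.match(r"(inbound|outbound) \w+ sas:", line):
            direction = None  # ah/pcp sections are not tracked here
        elif direction and (m := re.match(r"Status: (\w+)", line)):
            sa["esp"][direction] = m[1]
    return sa

def findings(sa):
    """Return the health flags (this example's own) raised for a parsed SA."""
    c, out = sa["counters"], []
    enc, dec = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    if bool(enc) != bool(dec):
        out.append(f"one-way traffic: encaps={enc} decaps={dec}")
    if c.get("send errors", 0) or c.get("recv errors", 0):
        out.append("send/recv errors are non-zero")
    for d in ("inbound", "outbound"):
        if sa["esp"].get(d) != "ACTIVE":
            out.append(f"{d} ESP SA missing or not ACTIVE")
    return out
```

Running `findings(parse_ipsec_sa(SAMPLE))` on the excerpt returns an empty list: both counters are non-zero, there are no errors, and both ESP SAs are ACTIVE.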