[c-nsp] Crypto map + traffic via "ip route vrf ... global"

Peter Rathlev peter at rathlev.dk
Mon Jul 14 20:46:29 EDT 2008


Hi,

I have a strange-ish problem. I've configured an IPSec tunnel between a
7206 NPE-G1 12.4(12) with SA-VAM2+ and an ASA 5550 7.2(4). For some
reason traffic only gets encrypted ASA->7200, not the other way.

The traffic that doesn't get encrypted comes from a VRF Lite
subinterface on the "back" of the 7200. This VRF has a static 0/0 route
with a global next hop, and the global table has a static route pointing
the other way.

Traffic can go from behind ASA to behind 7200 with no problems. Traffic
from behind the 7200 doesn't get encrypted for some reason, including
replies from ICMP echoes that came encrypted. And the 7200 doesn't
initiate a tunnel either.

Could it be because I can't make the crypto map work for the "ip route
vrf ... global" traffic? The configuration works fine when the host
behind the 7200 isn't in a VRF, but the 7200 being software based I
thought this wouldn't be a problem.

Configuration at the bottom, with Host X behind the 7200 and Host Y
behind the ASA. Host X is not directly connected to the 7200, but behind
another router. Traffic is routed with no problems, so it's only the
encryption that's missing. (The ASA complains about it in logs and I can
see it with tcpdump.)

The 7200 creates the IPSec SA, but only the "decaps" counter goes up:

vamtest#sh cry ips sa

interface: GigabitEthernet0/1
    Crypto map tag: vamtest, local addr [7200-outside]

   protected vrf: (none)
   local  ident (addr/mask/prot/port): ([Host X]/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): ([Host Y]/255.255.255.255/0/0)
   current_peer [ASA-outside] port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: [7200-outside], remote crypto endpt.: [ASA-outside]
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0xA9F53FD7(2851422167)
          
     inbound esp sas:
      spi: 0x4FC8A681(1338549889)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3002, flow_id: VAM2:2, crypto map: vamtest
        sa timing: remaining key lifetime (k/sec): (4511451/1957)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
          
     inbound ah sas:
          
     inbound pcp sas:
          
     outbound esp sas:
      spi: 0xA9F53FD7(2851422167)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3001, flow_id: VAM2:1, crypto map: vamtest
        sa timing: remaining key lifetime (k/sec): (4511454/1955)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
          
     outbound ah sas:
          
     outbound pcp sas:
          
vamtest#

Debug ("crypto ipsec" + "crypto isakmp" + "errors" for both) says
nothing at all for traffic coming from inside. It's just routed, as if
the crypto map didn't exist.

And now the configuration:

! *** 7200 ***
ip vrf A
 rd 64512:1
!
crypto isakmp policy 25
 encr 3des
 hash sha
 authentication pre-share
!
crypto isakmp key <bla> address [ASA-outside]
!
crypto ipsec transform-set sha-3des esp-3des esp-sha-hmac 
!
crypto map vamtest 25 ipsec-isakmp
 description SAVAM2test -> ASA Horsens
 set peer [ASA-outside]
 set transform-set sha-3des 
 match address SAVAM2test
!
interface GigabitEthernet0/1
 description Outside
 ip address [7200-outside]
 crypto map vamtest
!
interface GigabitEthernet0/2.2081
 description Inside, VRF
 encapsulation dot1Q 2081
 ip vrf forwarding A
 ip address [inside net]
 ip tcp adjust-mss 1355
!
ip route 0.0.0.0 0.0.0.0 [Outside next hop]
ip route [Host X] Gi0/2.2081 [Inside VRF next hop]
ip route vrf A [Host Y] [Outside next hop] global
!
ip access-list extended SAVAM2test
 permit ip host [Host X] host [Host Y]
!

! *** ASA ***
access-list SAVAM2test permit ip host [Host Y] host [Host X]
!
crypto map asaoutside_map 60 match address SAVAM2test
crypto map asaoutside_map 60 set peer [7200-outside]
crypto map asaoutside_map 60 set transform-set ESP-3DES-SHA
!
tunnel-group [7200-outside] type ipsec-l2l
tunnel-group [7200-outside] ipsec-attributes
 pre-shared-key <bla>
!
static (asainside,asaoutside) [Host Y] [Y int.] netmask 255.255.255.255
!


Thank you,
Peter
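As an added diagnostic, not part of Peter's post: a small Python parser for the `show crypto ipsec sa` output above that flags SAs which only decrypt inbound packets and never encrypt outbound ones, i.e. the asymmetric counters the post describes. The sample text is constructed: the first SA block is copied from the post (placeholders kept), the second is a made-up healthy SA for contrast.

```python
import re

# Constructed sample: first block copied from the post's "sh cry ips sa" output
# (placeholders kept as-is); second block is a made-up healthy SA for contrast.
SAMPLE = """\
interface: GigabitEthernet0/1
    Crypto map tag: vamtest, local addr [7200-outside]

   protected vrf: (none)
   local  ident (addr/mask/prot/port): ([Host X]/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): ([Host Y]/255.255.255.255/0/0)
   current_peer [ASA-outside] port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
   current_peer 192.0.2.1 port 500
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
"""

def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into one dict per SA entry."""
    entries, cur = [], None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("protected vrf:"):          # each SA entry starts here
            cur = {"vrf": s.split(":", 1)[1].strip(), "encaps": 0, "decaps": 0}
            entries.append(cur)
        elif cur is None:
            continue                                 # header lines before first SA
        elif s.startswith(("local ident", "local  ident")):
            cur["local"] = s.split("):", 1)[1].strip()
        elif s.startswith("remote ident"):
            cur["remote"] = s.split("):", 1)[1].strip()
        elif s.startswith("current_peer"):
            cur["peer"] = s.split()[1]
        else:
            m = re.match(r"#pkts (encaps|decaps): (\d+)", s)
            if m:
                cur[m.group(1)] = int(m.group(2))
    return entries

def one_way_sas(entries):
    """SAs that decrypt inbound traffic but never encrypted anything outbound:
    the symptom in the post (outbound traffic is bypassing the crypto map)."""
    return [e for e in entries if e["decaps"] > 0 and e["encaps"] == 0]
```

Run it against a pasted `show crypto ipsec sa` and any SA it returns is one whose outbound traffic is being routed in the clear, which narrows the search to routing/crypto-map placement rather than ISAKMP negotiation.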