[c-nsp] 6500 with WS-SVC-IPSEC-1, traffic not reaching module.

Pär Åslund pslund at gmail.com
Tue Dec 15 08:45:56 EST 2009


Hi Lee,

No, I don't have it configured with crypto connect. From what I read
so far, I don't need that for site-to-site ipsec?

The asa in the remote office can ping the remote peer ip configured on
the 6500. Just seems like bad magic for me right now that for some
reason the traffic doesn't seem to reach the IPSEC module.


Extra, forgot to show the configuration of the interfaces on module 8
- WS-SVC-IPSEC-1

Current configuration : 243 bytes
!
interface GigabitEthernet8/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 8
 switchport mode trunk
 mtu 4500
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
end

interface GigabitEthernet8/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan none
 switchport mode trunk
 mtu 4500
 no ip address
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast trunk
end

Best regards,
.pelle

On Tue, Dec 15, 2009 at 1:30 PM, Lee <ler762 at gmail.com> wrote:
> Do you have the inside and outside vlan for your ipsec traffic configured
> with a crypto connect? eg
>
> interface Vlan7
>   description outside:encrypted traffic
>   no ip address
>   crypto engine subslot 8/0
>   crypto connect vlan8
> !
> interface Vlan8
>   description inside:cleartext traffic
>   ip address xxx
>   crypto map xxx
>   crypto engine subslot 8/0
>
> Regards,
> Lee
>
>
> On Tue, Dec 15, 2009 at 6:46 AM, Pär Åslund <pslund at gmail.com> wrote:
>>
>> Hi,
>>
>> I have problems with a WS-SVC-IPSEC-1 where I'm trying to setup a
>> site-to-site tunnel.
>>
>> Last night, I got the tunnel up. But after applying an acl to the 6500,
>> the tunnel went down and stayed down. Removing configuration just to
>> get the tunnel up again and continue trying to get the interesting
>> traffic through as intended, the tunnel never comes up. The remote
>> device is an ASA 5505, where I haven't touched anything since this
>> failure started. From what I can get out of all this, looking at logs
>> and crypto statistics, the traffic never gets to the module in slot 8.
>>
>> show crypto sessions - nothing
>> show crypto isakmp sa - nothing
>> show crypto ipsec sa - nothing
>>
>> I can still use packet-tracer on the asa as I could before and the
>> flow is created, but nothing ends up in the 6500 logs. debug crypto
>> isakmp and debug crypto ipsec are both enabled without anything being
>> logged. Any ideas are most welcome. Guess I have missed something
>> obvious but right now I just can't figure out what it is.
>>
>> This is the configuration from the 6500.
>>
>> crypto isakmp policy 1
>>  encr 3des
>>  authentication pre-share
>>  group 2
>> crypto isakmp key <SECRETKEY> address <peer ip> no-xauth
>> !
>> crypto isakmp client configuration group GROUP1
>>  key <KEY>
>>  dns 172.16.9.2
>>  domain i.company.com
>>  pool vpn
>>  acl 101
>> crypto isakmp profile ikepro
>>   match identity group GROUP1
>>   client authentication list userlist
>>   isakmp authorization list grouplist
>>   client configuration address respond
>>   client configuration group GROUP1
>> crypto isakmp profile site-to-site
>>   keyring default
>>   match identity address <peer ip> 255.255.255.255
>>   keepalive 60 retry 5
>> !
>> !
>> crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
>> !
>> crypto ipsec profile ipsecpro
>>  set transform-set 3dessha
>> !
>> !
>> crypto dynamic-map dynmap 10
>>  set transform-set 3dessha
>>  set isakmp-profile ikepro
>> crypto dynamic-map dynmap 15
>>  set peer 76.238.146.205
>>  set transform-set 3dessha
>>  set isakmp-profile site-to-site
>> crypto dynamic-map dynmap 20
>>  set transform-set 3dessha
>>  set isakmp-profile ikepro
>> !
>> !
>> crypto map vpnmap engine slot 8
>> crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
>>
>>
>> and then on VLAN 8 where the traffic is supposed to come in:
>> interface Vlan8
>>  ip address <ip> 255.255.255.248
>>  ip nat outside
>>  standby 8 ip <standby ip>
>>  standby 8 priority 115
>>  standby 8 preempt
>>  standby 8 name <standby name>
>>  crypto map vpnmap redundancy <standby name>
>> end
>>
>> Best regards,
>> .pelle
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
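As an added example (not from anyone in the thread), a small Python check for the pairing Lee's snippet illustrates: every SVI that carries a crypto map should also name the crypto engine subslot and be the target of an outside VLAN's "crypto connect". The two sample configs, the addresses and the HSRP group name are constructed; whether crypto-connect mode is actually required here is the open question in the thread, so the check is a config-review aid based on that assumption.

```python
import re
from collections import defaultdict
# Constructed samples, not a live device. GOOD mirrors the outside/inside VLAN
# pair in Lee's example; BAD mirrors the original poster's Vlan8.
GOOD = """\
interface Vlan7
 no ip address
 crypto engine subslot 8/0
 crypto connect vlan8
!
interface Vlan8
 ip address 192.0.2.1 255.255.255.248
 crypto map vpnmap
 crypto engine subslot 8/0
!
"""
BAD = """\
interface Vlan8
 ip address 192.0.2.1 255.255.255.248
 crypto map vpnmap redundancy HSRP8
"""

def parse_interfaces(config):
    # IOS-style config text -> {interface name: [indented sub-lines]}
    blocks, current = defaultdict(list), None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:  # "!", "end" or any other top-level line closes the block
            current = None
    return blocks

def check_crypto_connect(config):
    # One finding per missing piece, for every interface that carries a crypto map
    blocks = parse_interfaces(config)
    connected = {}  # inside VLAN name -> outside interface that connects to it
    for name, lines in blocks.items():
        for m in filter(None, (re.match(r"crypto connect vlan\s*(\d+)$", l) for l in lines)):
            connected["Vlan" + m.group(1)] = name
    findings = []
    for name, lines in blocks.items():
        if not any(l.startswith("crypto map ") for l in lines):
            continue
        if not any(l.startswith("crypto engine subslot ") for l in lines):
            findings.append(f"{name}: crypto map but no 'crypto engine subslot'")
        if name not in connected:
            findings.append(f"{name}: no outside VLAN has 'crypto connect' to it")
    return findings
```

Run against BAD it reports both gaps on Vlan8; against GOOD it reports nothing.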