[c-nsp] Ping-test across an IPSec VPN

Luan Nguyen luan.nguyen at mci.com
Tue Sep 6 14:14:10 EDT 2005


I just tested this out with a 7206VXR VAM2 also running 12.3.15a and also ran
into dropped ping packets.  The config looks good by the way.
I assume you also did an extended ping on the router itself.  I'll put a couple
of Sun boxes on the LAN sides later and see if similar behavior exists.
"show interface tunnel0" will show more packet output than packet input.
"show ip traffic" will show that under ICMP, echo reply received will be less
than echo sent.
"show crypto ipsec sa int tu0 | i pkts" shows that packets failed to decap.
"show crypto engine accelerator stat" shows that packets failed to come in.
Once in, they all go out, so the packets were dropped before hitting the crypto
engine.
Seems like the router fails to decap some of the echo reply packets.

-luan


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jim Nelson
Sent: Thursday, September 01, 2005 10:20 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Ping-test across an IPSec VPN

Scenario: There are two routers that share a VPN across an inter-city VLAN.
The routers will ping across the VLAN link without dropping any packets, no
matter the size of the payload. However, they will drop a few packets which
have a 1300-byte payload across the GRE tunnel interfaces (3-4 out of one
hundred). The crypto map encrypts all GRE packets.

+++++++
Router1 (3745 with an AIM-VPN/HPII-PLUS)

crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key <secret> address 10.192.1.18
!
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
 mode transport
!
crypto map vpn 10 ipsec-isakmp
 set peer 10.192.1.18
 set transform-set strong
 match address VPN10
!
interface Tunnel10
 ip address 10.192.1.21 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 10.192.1.17
 tunnel destination 10.192.1.18
 crypto map vpn
!
interface FastEthernet2/0
 description City VLAN to spkcr02
 ip address 10.192.1.17 255.255.255.252
 ip access-group CVLAN-IN in
 duplex auto
 speed auto
 crypto map vpn
!
ip access-list extended VPN10
 permit gre host 10.192.1.17 host 10.192.1.18

Router2 (3660 with a Virtual Private Network (VPN) Module - an older AIM/HP
card)

crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key <secret> address 10.192.1.17
!
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
 mode transport
!
crypto map vpn 10 ipsec-isakmp
 set peer 10.192.1.17
 set transform-set strong
 match address VPN10
!
interface Tunnel10
 description City VLAN
 ip address 10.192.1.22 255.255.255.252
 ip mtu 1400
 tunnel source 10.192.1.18
 tunnel destination 10.192.1.17
 crypto map vpn
!
interface FastEthernet0/1
 description City VLAN to precr01 fas 2/0
 ip address 10.192.1.18 255.255.255.252
 ip access-group CVLAN-IN in
 duplex auto
 speed auto
 crypto map vpn
!
ip access-list extended VPN10
 permit gre host 10.192.1.18 host 10.192.1.17
+++++++

The inter-city VLAN is a 10Mbps link. Router1 is running IOS 12.3(15a), and
Router2, 12.2(27). Any ideas?
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
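A byte-accounting check for the setup in the original post, added here as an example and not code from the thread: it works out how large an ICMP echo of a given payload becomes after GRE and ESP transport-mode encapsulation with esp-3des esp-sha-hmac, and at which stage (tunnel "ip mtu 1400" or the physical link) it would have to be fragmented. It assumes a 4-byte GRE header without options, RFC-standard ESP field sizes, and a 1500-byte FastEthernet MTU; the function and constant names are mine.

```python
# Added example (not from the thread): size accounting for ICMP echo packets
# through the GRE-over-IPsec tunnel configured above. Assumptions: GRE header
# without options, ESP transport mode with esp-3des esp-sha-hmac, and a
# 1500-byte MTU on the City VLAN interface.
IP_HDR = 20
ICMP_HDR = 8
GRE_HDR = 4
ESP_HDR = 8           # SPI + sequence number
ESP_IV = 8            # 3DES-CBC IV
ESP_BLOCK = 8         # 3DES-CBC block size (pad boundary)
ESP_TRAILER = 2       # pad length + next header
ESP_ICV = 12          # HMAC-SHA1-96 integrity check value
TUNNEL_IP_MTU = 1400  # 'ip mtu 1400' on interface Tunnel10
PHYS_MTU = 1500       # assumed FastEthernet MTU


def inner_size(icmp_payload):
    """Size of the IP/ICMP echo packet that enters the tunnel interface."""
    return IP_HDR + ICMP_HDR + icmp_payload


def esp_transport_size(plaintext_len):
    """ESP transport-mode payload: header, IV, padded plaintext+trailer, ICV."""
    padded = -(-(plaintext_len + ESP_TRAILER) // ESP_BLOCK) * ESP_BLOCK
    return ESP_HDR + ESP_IV + padded + ESP_ICV


def wire_size(icmp_payload):
    """Bytes on the VLAN: outer IP | ESP( GRE | inner IP packet )."""
    return IP_HDR + esp_transport_size(GRE_HDR + inner_size(icmp_payload))


def fragmentation_points(icmp_payload):
    """Report where, if anywhere, an echo of this size exceeds an MTU."""
    inner, wire = inner_size(icmp_payload), wire_size(icmp_payload)
    return {
        "inner_bytes": inner,
        "wire_bytes": wire,
        "fragments_before_gre": inner > TUNNEL_IP_MTU,
        "fragments_after_esp": wire > PHYS_MTU,
    }


def max_unfragmented_payload():
    """Largest ICMP payload that stays within both limits."""
    best = 0
    for payload in range(PHYS_MTU):
        r = fragmentation_points(payload)
        if not (r["fragments_before_gre"] or r["fragments_after_esp"]):
            best = payload
    return best


if __name__ == "__main__":
    for size in (100, 1300, 1372, 1373, 1415):
        print(size, fragmentation_points(size))
    print("max unfragmented payload:", max_unfragmented_payload())
```

Under these assumptions a 1300-byte payload gives a 1328-byte inner packet and a 1384-byte packet on the wire, inside both limits, so MTU-driven fragmentation alone does not account for the drops reported in the thread.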
