[c-nsp] Crypto map + traffic via "ip route vrf ... global"
Peter Rathlev
peter at rathlev.dk
Mon Jul 14 20:46:29 EDT 2008
Hi,
I have a strange-ish problem. I've configured an IPSec tunnel between a
7206 NPE-G1 12.4(12) with SA-VAM2+ and an ASA 5550 7.2(4). For some
reason traffic only gets encrypted ASA->7200, not the other way.
The traffic that doesn't get encrypted comes from a VRF Lite
subinterface on the "back" of the 7200. This VRF has a static 0/0 route
with a global next hop, and the global table has a static route pointing
the other way.
Traffic can go from behind ASA to behind 7200 with no problems. Traffic
from behind the 7200 doesn't get encrypted for some reason, including
replies from ICMP echos that came encrypted. And the 7200 doesn't
initiate a tunnel either.
Could it be because I can't make the crypto map work for the "ip route
vrf ... global" traffic? The configuration works fine when the host
behind the 7200 isn't in a VRF, but the 7200 being software based I
thought this wouldn't be a problem.
Configuration at the bottom, with Host X behind the 7200 and Host Y
behind the ASA. Host X is not directly connected to the 7200, but behind
another router. Traffic is routed with no problems, so it's only the
encryption that's missing. (The ASA complains about it in logs and I can
see it with tcpdump.)
The 7200 creates the IPSec SA, but only the "decaps" counter goes up:
vamtest#sh cry ips sa

interface: GigabitEthernet0/1
    Crypto map tag: vamtest, local addr [7200-outside]

   protected vrf: (none)
   local  ident (addr/mask/prot/port): ([Host X]/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): ([Host Y]/255.255.255.255/0/0)
   current_peer [ASA-outside] port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: [7200-outside], remote crypto endpt.: [ASA-outside]
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0xA9F53FD7(2851422167)

     inbound esp sas:
      spi: 0x4FC8A681(1338549889)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3002, flow_id: VAM2:2, crypto map: vamtest
        sa timing: remaining key lifetime (k/sec): (4511451/1957)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA9F53FD7(2851422167)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3001, flow_id: VAM2:1, crypto map: vamtest
        sa timing: remaining key lifetime (k/sec): (4511454/1955)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
vamtest#
Debug ("crypto ipsec" + "crypto isakmp" + "errors" for both) says
nothing at all for traffic coming from inside. It's just routed, as if
the crypto map didn't exist.
And now the configuration:
! *** 7200 ***
ip vrf A
rd 64512:1
!
crypto isakmp policy 25
encr 3des
hash sha
authentication pre-share
!
crypto isakmp key <bla> address [ASA-outside]
!
crypto ipsec transform-set sha-3des esp-3des esp-sha-hmac
!
crypto map vamtest 25 ipsec-isakmp
description SAVAM2test -> ASA Horsens
set peer [ASA-outside]
set transform-set sha-3des
match address SAVAM2test
!
interface GigabitEthernet0/1
description Outside
ip address [7200-outside]
crypto map vamtest
!
interface GigabitEthernet0/2.2081
description Inside, VRF
encapsulation dot1Q 2081
ip vrf forwarding A
ip address [inside net]
ip tcp adjust-mss 1355
!
ip route 0.0.0.0 0.0.0.0 [Outside next hop]
ip route [Host X] Gi0/2.2081 [Inside VRF next hop]
ip route vrf A [Host Y] [Outside next hop] global
!
ip access-list extended SAVAM2test
permit ip host [Host X] host [Host Y]
!
! *** ASA ***
access-list SAVAM2test permit ip host [Host Y] host [Host X]
!
crypto map asaoutside_map 60 match address SAVAM2test
crypto map asaoutside_map 60 set peer [7200-outside]
crypto map asaoutside_map 60 set transform-set ESP-3DES-SHA
!
tunnel-group [7200-outside] type ipsec-l2l
tunnel-group [7200-outside] ipsec-attributes
pre-shared-key <bla>
!
static (asainside,asaoutside) [Host Y] [Y int.] netmask 255.255.255.255
!
Thank you,
Peter
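A small check a practitioner can run against output like the one in this post, added here as an example and not part of the original message or of any Cisco tooling: it parses `show crypto ipsec sa` text into one record per crypto map entry and flags entries whose decaps counter moves while encaps stays at zero, which is exactly the symptom described above (the peer's packets are decrypted, nothing is ever encrypted back, so the return traffic is not reaching the crypto map). The first sample is the post's own output with its placeholders kept; the second is a constructed healthy entry using assumed documentation addresses.

```python
import re
from dataclasses import dataclass

# Sample input: the "show crypto ipsec sa" output from the post above, with the
# poster's placeholders kept, cut down to the lines the parser reads.
SAMPLE_ONE_WAY = """\
interface: GigabitEthernet0/1
    Crypto map tag: vamtest, local addr [7200-outside]

   protected vrf: (none)
   local  ident (addr/mask/prot/port): ([Host X]/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): ([Host Y]/255.255.255.255/0/0)
   current_peer [ASA-outside] port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
    #send errors 0, #recv errors 0
"""

# Constructed sample (not from the post, addresses assumed): an entry where
# both directions are being encrypted, for contrast.
SAMPLE_HEALTHY = """\
interface: GigabitEthernet0/1
    Crypto map tag: vamtest, local addr 192.0.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
   current_peer 198.51.100.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
    #send errors 0, #recv errors 0
"""


@dataclass
class IpsecSa:
    local_ident: str
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0


_LOCAL = re.compile(r"local\s+ident \(addr/mask/prot/port\): \((.*)\)")
_REMOTE = re.compile(r"remote\s+ident \(addr/mask/prot/port\): \((.*)\)")
_PEER = re.compile(r"current_peer (\S+)")
_ENCAPS = re.compile(r"#pkts encaps: (\d+)")
_DECAPS = re.compile(r"#pkts decaps: (\d+)")
_ERRORS = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sas(text):
    """Split 'show crypto ipsec sa' output into one record per crypto map
    entry. A record starts at each 'local ident' line; the remote ident,
    peer and counters that follow belong to that record."""
    sas = []
    for line in text.splitlines():
        if m := _LOCAL.search(line):
            sas.append(IpsecSa(local_ident=m.group(1)))
            continue
        if not sas:
            continue  # header lines before the first entry
        cur = sas[-1]
        if m := _REMOTE.search(line):
            cur.remote_ident = m.group(1)
        elif m := _PEER.search(line):
            cur.peer = m.group(1)
        elif m := _ENCAPS.search(line):
            cur.encaps = int(m.group(1))
        elif m := _DECAPS.search(line):
            cur.decaps = int(m.group(1))
        elif m := _ERRORS.search(line):
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
    return sas


def classify(sa):
    """Label an entry by which direction's counters are moving."""
    if sa.encaps == 0 and sa.decaps == 0:
        return "idle"
    if sa.encaps == 0:
        # Inbound ESP is decrypted but nothing is ever encapsulated outbound:
        # the return traffic is not being matched by this crypto map entry.
        return "one-way: decaps only"
    if sa.decaps == 0:
        return "one-way: encaps only"
    return "two-way"


def one_way_sas(text):
    """Return (local, remote, peer, verdict) for every one-directional entry."""
    return [(sa.local_ident, sa.remote_ident, sa.peer, classify(sa))
            for sa in parse_ipsec_sas(text)
            if classify(sa).startswith("one-way")]


if __name__ == "__main__":
    for sample in (SAMPLE_ONE_WAY, SAMPLE_HEALTHY):
        for sa in parse_ipsec_sas(sample):
            print(f"{sa.local_ident} -> {sa.remote_ident} via {sa.peer}: "
                  f"{classify(sa)} (encaps={sa.encaps}, decaps={sa.decaps})")
```

Run it against a saved copy of the router's output (or pipe the command through it) after generating traffic from both sides; an entry reported as "one-way: decaps only" is the signature to chase with `show crypto session` and the routing lookup for the return path, before spending time on the ISAKMP side, which in this post is plainly working.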