[c-nsp] Crypto map + traffic via "ip route vrf ... global"
Christian Koch
christian at broknrobot.com
Mon Jul 14 21:59:11 EDT 2008
On the 7200, map the IPsec tunnel to the VRF instance? - ISAKMP profile?
On Mon, Jul 14, 2008 at 8:46 PM, Peter Rathlev <peter at rathlev.dk> wrote:
> Hi,
>
> I have a strange-ish problem. I've configured an IPSec tunnel between a
> 7206 NPE-G1 12.4(12) with SA-VAM2+ and an ASA 5550 7.2(4). For some
> reason traffic only gets encrypted ASA->7200, not the other way.
>
> The traffic that doesn't get encrypted comes from a VRF Lite
> subinterface on the "back" of the 7200. This VRF has a static 0/0 route
> with a global next hop, and the global table has a static route pointing
> the other way.
>
> Traffic can go from behind ASA to behind 7200 with no problems. Traffic
> from behind the 7200 doesn't get encrypted for some reason, including
> replies from ICMP echoes that came encrypted. And the 7200 doesn't
> initiate a tunnel either.
>
> Could it be because I can't make the crypto map work for the "ip route
> vrf ... global" traffic? The configuration works fine when the host
> behind the 7200 isn't in a VRF, but the 7200 being software based I
> thought this wouldn't be a problem.
>
> Configuration at the bottom, with Host X behind the 7200 and Host Y
> behind the ASA. Host X is not directly connected to the 7200, but behind
> another router. Traffic is routed with no problems, so it's only the
> encryption that's missing. (The ASA complains about it in logs and I can
> see it with tcpdump.)
>
> The 7200 creates the IPSec SA, but only the "decaps" counter goes up:
>
> vamtest#sh cry ips sa
>
> interface: GigabitEthernet0/1
> Crypto map tag: vamtest, local addr [7200-outside]
>
> protected vrf: (none)
> local ident (addr/mask/prot/port): ([Host X]/255.255.255.255/0/0)
> remote ident (addr/mask/prot/port): ([Host Y]/255.255.255.255/0/0)
> current_peer [ASA-outside] port 500
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
> #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0
> #pkts not decompressed: 0, #pkts decompress failed: 0
> #send errors 0, #recv errors 0
>
> local crypto endpt.: [7200-outside], remote crypto endpt.:
> [ASA-outside]
> path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
> current outbound spi: 0xA9F53FD7(2851422167)
>
> inbound esp sas:
> spi: 0x4FC8A681(1338549889)
> transform: esp-3des esp-sha-hmac ,
> in use settings ={Tunnel, }
> conn id: 3002, flow_id: VAM2:2, crypto map: vamtest
> sa timing: remaining key lifetime (k/sec): (4511451/1957)
> IV size: 8 bytes
> replay detection support: Y
> Status: ACTIVE
>
> inbound ah sas:
>
> inbound pcp sas:
>
> outbound esp sas:
> spi: 0xA9F53FD7(2851422167)
> transform: esp-3des esp-sha-hmac ,
> in use settings ={Tunnel, }
> conn id: 3001, flow_id: VAM2:1, crypto map: vamtest
> sa timing: remaining key lifetime (k/sec): (4511454/1955)
> IV size: 8 bytes
> replay detection support: Y
> Status: ACTIVE
>
> outbound ah sas:
>
> outbound pcp sas:
>
> vamtest#
>
> Debug ("crypto ipsec" + "crypto isakmp" + "errors" for both) says
> nothing at all for traffic coming from inside. It's just routed, as if
> the crypto map didn't exist.
>
> And now the configuration:
>
> ! *** 7200 ***
> ip vrf A
> rd 64512:1
> !
> crypto isakmp policy 25
> encr 3des
> hash sha
> authentication pre-share
> !
> crypto isakmp key <bla> address [ASA-outside]
> !
> crypto ipsec transform-set sha-3des esp-3des esp-sha-hmac
> !
> crypto map vamtest 25 ipsec-isakmp
> description SAVAM2test -> ASA Horsens
> set peer [ASA-outside]
> set transform-set sha-3des
> match address SAVAM2test
> !
> interface GigabitEthernet0/1
> description Outside
> ip address [7200-outside]
> crypto map vamtest
> !
> interface GigabitEthernet0/2.2081
> description Inside, VRF
> encapsulation dot1Q 2081
> ip vrf forwarding A
> ip address [inside net]
> ip tcp adjust-mss 1355
> !
> ip route 0.0.0.0 0.0.0.0 [Outside next hop]
> ip route [Host X] Gi0/2.2081 [Inside VRF next hop]
> ip route vrf A [Host Y] [Outside next hop] global
> !
> ip access-list extended SAVAM2test
> permit ip host [Host X] host [Host Y]
> !
>
> ! *** ASA ***
> access-list SAVAM2test permit ip host [Host Y] host [Host X]
> !
> crypto map asaoutside_map 60 match address SAVAM2test
> crypto map asaoutside_map 60 set peer [7200-outside]
> crypto map asaoutside_map 60 set transform-set ESP-3DES-SHA
> !
> tunnel-group [7200-outside] type ipsec-l2l
> tunnel-group [7200-outside] ipsec-attributes
> pre-shared-key <bla>
> !
> static (asainside,asaoutside) [Host Y] [Y int.] netmask 255.255.255.255
> !
>
>
> Thank you,
> Peter
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
--
^christian$
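For readers who land here with the same symptom: the tell-tale line in the
quoted output is "protected vrf: (none)". The SA was negotiated in the
global table, so packets that enter the box in VRF A and are leaked out
via "ip route vrf A ... global" never match it, and they leave in the clear
with no debug output at all. Binding the SA to the inside VRF is done with
an ISAKMP profile that carries "vrf A" and is attached to the crypto map
entry. The fragment below is an added example of that, not Peter's or
Christian's configuration; the keyring and profile names (KR-ASA,
ISAKMP-VRF-A) are made up, and the bracketed placeholders are the ones
Peter used. The crypto map stays on Gi0/1 in the global table, which is
the front-door VRF, so the keyring deliberately has no "vrf" keyword.

```cisco
! *** 7200, VRF-aware IPsec (added example, names KR-ASA and ISAKMP-VRF-A are assumed) ***
!
! Pre-shared key for the ASA peer, in the global (front-door) table,
! replaces the global "crypto isakmp key ... address" line.
crypto keyring KR-ASA
 pre-shared-key address [ASA-outside] key <bla>
!
! "vrf A" makes A the inside VRF of every SA built through this profile,
! so traffic that originates in VRF A can match the crypto ACL.
crypto isakmp profile ISAKMP-VRF-A
 vrf A
 keyring KR-ASA
 match identity address [ASA-outside] 255.255.255.255
!
! Same map entry as before, plus the profile binding.
crypto map vamtest 25 ipsec-isakmp
 description SAVAM2test -> ASA Horsens
 set peer [ASA-outside]
 set transform-set sha-3des
 set isakmp-profile ISAKMP-VRF-A
 match address SAVAM2test
!
! Unchanged: the map still sits on the global-table outside interface
! (front-door VRF = global), and the leak routes stay as they were.
interface GigabitEthernet0/1
 crypto map vamtest
!
ip route vrf A [Host Y] [Outside next hop] global
ip route [Host X] Gi0/2.2081 [Inside VRF next hop]
```

After clearing the existing SAs ("clear crypto sa", "clear crypto isakmp"),
"show crypto ipsec sa" should report "protected vrf: A" instead of
"(none)", and the encaps/encrypt counters should start moving for echo
replies from Host X. The ASA side needs no change. If the peer were
reached through a non-global front-door VRF, the keyring would additionally
need "crypto keyring KR-ASA vrf <fvrf>"; that is not the case in Peter's
setup.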