[c-nsp] 6500 with WS-SVC-IPSEC-1, traffic not reaching module.

Pär Åslund pslund at gmail.com
Wed Dec 16 06:27:55 EST 2009


Hi Lee,

You're right and I'm wrong. Have to use BITW.

Thanks for the advise, back to reading more documentation for me.

Best regards,
.pelle

On Tue, Dec 15, 2009 at 4:20 PM, Lee <ler762 at gmail.com> wrote:
> On Tue, Dec 15, 2009 at 8:45 AM, Pär Åslund <pslund at gmail.com> wrote:
>>
>> Hi Lee,
>>
>> No, I don't have it configured with crypto connect. From what I read
>> so far, I don't need that for site-to-site ipsec?
>
> All the docs I read talked about the "bump in the wire" encryption.  Somehow
> or other you have to get the traffic going thru the ipsec card & the only
> way I know of is to use the 'crypto connect' command or the
> much-discouraged-in-the-docs "switchport trunk allowed vlan add NNN" on the
> ipsec card ports.  But I never did dynamic crypto maps, so maybe they do
> some extra magic?
>
>>
>> The asa in the remote office can ping the remote peer ip configured on
>> the 6500. Just seems like bad magic for me right now that for some
>> reason the traffic doesn't seem to reach the IPSEC module.
>>
> A fun thing about the 6500 ipsec card is that traffic not matching the
> crypto map goes through unaltered whereas a real router would drop the
> traffic.  If your ASA has a 192.168.1.1 address and the 6500 vlan 8 ip
> address is 192.168.1.2 it wouldn't surprise me that the asa can ping the
> 6500.
>
> Another fun thing about the 6500 ipsec card is that routing happens only on
> the cleartext traffic.  By the time the traffic comes out of the ipsec card
> all the routing decisions have been made :(   For example, say you're
> putting traffic for 10.10.10.0/24 in the IPSec tunnel and the tunnel
> endpoint is 192.168.1.1.  If the route for 10.10.10.0/24 is out vlan10 and
> the route for 192.168.1.1 is out vlan 8 it ain't gonna work.  I ended up
> adding a static route for 10.10.10.0/24 pointing to 192.168.1.1 as a
> work-around.
>
> Then again, I haven't had anything to do with a 6500 ipsec card for over a
> year so maybe they've fixed some of the weirdness that I had to deal with.
>
>>
>> Extra, forgot to show the configuration of the interfaces on module 8
>> - WS-SVC-IPSEC-1
>>
>> Current configuration : 243 bytes
>> !
>> interface GigabitEthernet8/1
>>  switchport
>>  switchport trunk encapsulation dot1q
>>  switchport trunk allowed vlan 8
>>  switchport mode trunk
>>  mtu 4500
>>  no ip address
>>  flowcontrol receive on
>>  flowcontrol send off
>>  spanning-tree portfast trunk
>> end
>>
>> interface GigabitEthernet8/2
>>  switchport
>>  switchport trunk encapsulation dot1q
>>  switchport trunk allowed vlan none
>>  switchport mode trunk
>>  mtu 4500
>>  no ip address
>>  flowcontrol receive on
>>  flowcontrol send off
>>  spanning-tree portfast trunk
>> end
>>
>
> What I ended up with was
>
> interface GigabitEthernet8/0/1
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 550,551,702
>  switchport mode trunk
>  mtu 9216
>  no ip address
>  flowcontrol receive on
>  flowcontrol send off
>  spanning-tree portfast trunk
> !
> interface GigabitEthernet8/0/2
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 551,703
>  switchport mode trunk
>  mtu 9216
>  no ip address
>  flowcontrol receive on
>  flowcontrol send off
>  spanning-tree portfast trunk
> !
>
> Looking at it now, having vlan 551 on G8/0/1 and 2 seems wrong.. but it did
> work.  We moved all our ipsec tunnels over to asrs a while back, so nothing
> I need to do about it now :)
>
> Regards,
> Lee
>
>
>
>> Best regards,
>> .pelle
>>
>> On Tue, Dec 15, 2009 at 1:30 PM, Lee <ler762 at gmail.com> wrote:
>> > Do you have the inside and outside vlan for your ipsec traffic
>> > configured
>> > with a crypto connect? eg
>> >
>> > interface Vlan7
>> >   description outside:encrypted traffic
>> >   no ip address
>> >   crypto engine subslot 8/0
>> >   crypto connect vlan8
>> > !
>> > interface Vlan8
>> >   description inside:cleartext traffic
>> >   ip address xxx
>> >   crypto map xxx
>> >   crypto engine subslot 8/0
>> >
>> > Regards,
>> > Lee
>> >
>> >
>> > On Tue, Dec 15, 2009 at 6:46 AM, Pär Åslund <pslund at gmail.com> wrote:
>> >>
>> >> Hi,
>> >>
>> >> I have problems with a WS-SVC-IPSEC-1 where I'm trying to setup a
>> >> site-to-site tunnel.
>> >>
>> >> Last night, I got the tunnel up. But after applying a acl to the 6500,
>> >> the tunnel went down and stayed down. Removing configuration just to
>> >> get the tunnel up again and continue trying to get the interesting
>> >> traffic through as intended, the tunnel never comes up. The remote
>> >> device is a ASA 5505, where I haven't touched anything since this
>> >> failure started. From what I can get out of all this, looking at logs
>> >> and crypto statistics. The traffic never gets to the module in slot 8.
>> >>
>> >> show crypto sessions - nothing
>> >> show crypto isakmp sa - nothing
>> >> show crypto ipsec sa - nothing
>> >>
>> >> I can still use packet-tracer on the asa as I could before and the
>> >> flow is created, but nothing ends up in the 6500 logs. debug crypto
>> >> isakmp and debug crypto ipsec is both enabled without anything being
>> >> logged. Any ideas are most welcome. Guess I have missed something
>> >> obvious but right now I just can't figure out what it is.
>> >>
>> >> This it the configuration from the 6500.
>> >>
>> >> crypto isakmp policy 1
>> >>  encr 3des
>> >>  authentication pre-share
>> >>  group 2
>> >> crypto isakmp key <SECRETKEY> address <peer ip> no-xauth
>> >> !
>> >> crypto isakmp client configuration group GROUP1
>> >>  key <KEY>
>> >>  dns 172.16.9.2
>> >>  domain i.company.com
>> >>  pool vpn
>> >>  acl 101
>> >> crypto isakmp profile ikepro
>> >>   match identity group GROUP1
>> >>   client authentication list userlist
>> >>   isakmp authorization list grouplist
>> >>   client configuration address respond
>> >>   client configuration group GROUP1
>> >> crypto isakmp profile site-to-site
>> >>   keyring default
>> >>   match identity address <peer ip> 255.255.255.255
>> >>   keepalive 60 retry 5
>> >> !
>> >> !
>> >> crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
>> >> !
>> >> crypto ipsec profile ipsecpro
>> >>  set transform-set 3dessha
>> >> !
>> >> !
>> >> crypto dynamic-map dynmap 10
>> >>  set transform-set 3dessha
>> >>  set isakmp-profile ikepro
>> >> crypto dynamic-map dynmap 15
>> >>  set peer 76.238.146.205
>> >>  set transform-set 3dessha
>> >>  set isakmp-profile site-to-site
>> >> crypto dynamic-map dynmap 20
>> >>  set transform-set 3dessha
>> >>  set isakmp-profile ikepro
>> >> !
>> >> !
>> >> crypto map vpnmap engine slot 8
>> >> crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
>> >>
>> >>
>> >> and then on VLAN 8 where the traffic is suppose to come in:
>> >> interface Vlan8
>> >>  ip address <ip> 255.255.255.248
>> >>  ip nat outside
>> >>  standby 8 ip <standby ip>
>> >>  standby 8 priority 115
>> >>  standby 8 preempt
>> >>  standby 8 name <standby name>
>> >>  crypto map vpnmap redundancy <standby name>
>> >> end
>> >>
>> >> Best regards,
>> >> .pelle
>> >> _______________________________________________
>> >> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
>> >
>> >
>
>


More information about the cisco-nsp mailing list