only one way traffic is being encrypted

From: imran ali <immrccie_at_gmail.com>
Date: Mon, 14 Feb 2011 14:21:04 +0300

 Hi group

I ran into the following problem when testing EZVPN between two routers:

R5 and R4 are connected directly over s1/0

R5 is server and R4 is client.

R4#sh crypto ipsec sa

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 148.1.45.4

   protected vrf: (none)
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 150.1.5.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 133, #pkts decrypt: 133, #pkts verify: 133
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 148.1.45.4, remote crypto endpt.: 150.1.5.5
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/1
     current outbound spi: 0x9B12AF1C(2601692956)

     inbound esp sas:

As you can see, only one-way traffic is being encrypted, not two-way: the SA shows 133 packets decapsulated/decrypted but 0 packets encapsulated/encrypted.

Here are the configs of both routers:

R4
R4#sh run
R4#sh run
Building configuration...

Current configuration : 2592 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login con none
aaa authorization exec default local
!
!
aaa session-id common
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
username WEB password 0 CISCO
username WEB autocommand access-enable host timeout 10
archive
 log config
  hidekeys
!
!
!
!
!
!
crypto ipsec client ezvpn EZVPN
 connect auto
 group ccie key cisco
 mode client
 peer 150.1.5.5
 virtual-interface 1
 username cisco password cisco
 xauth userid mode local
!
!
!
!
!
!
!
interface Loopback22
 ip address 44.44.44.44 255.255.255.0
 crypto ipsec client ezvpn EZVPN inside
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 148.1.0.4 255.255.255.0
 ip access-group ACCESS in
 encapsulation frame-relay
 ip ospf authentication-key cisco
 ip ospf priority 0
 serial restart-delay 0
 frame-relay map ip 148.1.0.2 401
 frame-relay map ip 148.1.0.1 401 broadcast
 no frame-relay inverse-arp
!
interface Serial1/1
 ip address 148.1.45.4 255.255.255.0
 ip ospf authentication null
 serial restart-delay 0
 crypto ipsec client ezvpn EZVPN
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
router ospf 1
 router-id 4.4.4.4
 log-adjacency-changes
 area 0 authentication
 network 148.1.0.4 0.0.0.0 area 0
 network 148.1.45.4 0.0.0.0 area 0
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
ip access-list extended ACCESS
 permit tcp any host 148.1.4.100 eq www time-range WEEKDAYAS
 dynamic WEB permit tcp any host 148.1.4.100 eq www
 deny tcp any host 148.1.4.100 eq www
 permit ip any any
!
!
!
!
!
control-plane
!
alias configure r router rip
alias configure o router ospf
alias configure e router eigrp
alias exec c conf t
alias exec s sh ip int b
alias exec r sh run int
alias exec sr sh ip route
alias exec o sh ip ospf nei
alias exec d sh ip eigrp nei
alias exec b sh run | beg
alias exec i sh run | in
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication con
line aux 0
line vty 0 4
 rotary 1
!
time-range WEEKDAYAS
 periodic weekdays 8:00 to 14:59
!
!
end

===========================R5==============================================
R5#show run
Building configuration...

Current configuration : 2765 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R5
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login con none
aaa authentication login AUTH local
aaa authorization network default local
aaa authorization network AUTHO local
!
!
aaa session-id common
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
username VPN_USER password 0 cisco
username cisco password 0 cisco
archive
 log config
  hidekeys
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ccie
 key cisco
 pool POOL
 acl 100
 save-password
crypto isakmp profile myiskmp
   match identity group ccie
   client authentication list AUTH
   isakmp authorization list AUTHO
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto ipsec profile myipsec
 set transform-set myset
 set isakmp-profile myiskmp
!
!
!
!
!
!
!
interface Loopback0
 ip address 150.1.5.5 255.255.255.0
!
interface Loopback1
 ip address 148.1.57.5 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 148.1.35.5 255.255.255.0
 encapsulation frame-relay
 serial restart-delay 0
 frame-relay map ip 148.1.35.3 503 broadcast
 no frame-relay inverse-arp
!
interface Serial1/1
 ip address 148.1.45.5 255.255.255.0
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile myipsec
!
router ospf 1
 log-adjacency-changes
 network 148.1.35.5 0.0.0.0 area 100
 network 148.1.45.5 0.0.0.0 area 0
 network 148.1.57.5 0.0.0.0 area 0
 network 150.1.5.5 0.0.0.0 area 0
 neighbor 148.1.35.3
!
ip local pool POOL 148.1.57.100 148.1.57.110
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
access-list 100 permit ip 148.1.57.0 0.0.0.255 any
no cdp log mismatch duplex
!
!
!
!
control-plane
!
alias configure r router rip
alias configure o router ospf
alias configure e router eigrp
alias exec c conf t
alias exec s sh ip int b
alias exec r sh run int
alias exec sr sh ip route
alias exec o sh ip ospf nei
alias exec d sh ip eigrp nei
alias exec b sh run | beg
alias exec i sh run | in
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication con
line aux 0
line vty 0 4
!
!
end

R5#
