Cisco – IPsec Tunnel is showing decrypt packets counter but 0 encryption packets: #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

Tags: cisco, cisco-asa, cisco-ios, ipsec

I have just configured the IPsec tunnel between my router and the access point. I could see that the tunnel has come up and is active on both sides.

However, when I checked "show crypto ipsec sa", I could see that the decaps packet counters are getting incremented but the encaps packets are always shown as 0.

I think the router is able to decrypt the packets in its ingress path, but it is not encrypting the outbound packets, or the packets are not getting routed through the tunnel.

Can someone guide me to fix this?

Router#show crypto ipsec sa

interface: FastEthernet4
    Crypto map tag: SG_LAB_MAP, local addr 10.140.134.50

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.140.134.50/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.10/255.255.255.255/0/0)
   current_peer 192.168.1.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 177, #pkts decrypt: 177, #pkts verify: 177
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.140.134.50, remote crypto endpt.: 192.168.1.10
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x290F(10511)

     inbound esp sas:
      spi: 0x2527(9511)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 3, flow_id: Motorola SEC 1.0:3, crypto map: SG_LAB_MAP
        no sa timing
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x290F(10511)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 4, flow_id: Motorola SEC 1.0:4, crypto map: SG_LAB_MAP
        no sa timing
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Router Config

Router#sh run
Building configuration...

Current configuration : 3333 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 <Intentionally Trimmed>
enable password <Intentionally Trimmed>
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool test
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   lease 0 1 2
!
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
!
ipv6 unicast-routing
no ipv6 cef
multilink bundle-name authenticated
!
!
!
username <Intentionally Trimmed> privilege 15 secret 5 <Intentionally Trimmed>
!
!
!
crypto ipsec transform-set MANUAL_TRANSFORM_SET01 esp-aes esp-sha-hmac
 mode transport
!
crypto map SG_LAB_MAP 100 ipsec-manual
 description "<Intentionally Trimmed> (APREL) MAC <Intentionally Trimmed>"
 set peer 192.168.1.10 default
 set session-key inbound esp 9511 cipher <Intentionally Trimmed> authenticator <Intentionally Trimmed>
 set session-key outbound esp 10511 cipher <Intentionally Trimmed> authenticator <Intentionally Trimmed>
 set transform-set MANUAL_TRANSFORM_SET01
 match address <Intentionally Trimmed>
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Tunnel100
 description "<Intentionally Trimmed>"
 no ip address
 ipv6 address FDC9:CCBE:10C0:A6:BF22:7825:C8F6:7257/64
 ipv6 enable
 tunnel source 10.140.134.50
 tunnel destination 192.168.1.10
 tunnel mode ipv6ip
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address dhcp
 speed auto
 full-duplex
 crypto map SG_LAB_MAP
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip tcp adjust-mss 1452
 ipv6 enable
!
ip forward-protocol nd
ip route 10.140.134.0 255.255.255.0 10.140.134.1
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
!
ip access-list extended AP_001350FFFE11B666_ACL
 permit ip host 10.140.134.50 host 192.168.1.10
 permit ip host 10.140.134.50 host 192.168.1.1
!
no cdp run

ipv6 route FDC9:CCBE:1DC7:A6::/64 Tunnel100
!
!
!
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 password <Intentionally Trimmed>
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

Router#


Best Answer

Your show crypto ipsec sa output looks strange, as I do not see Encryption Domains (local and remote subnets) at either end. Indeed, your Encryption Domains are also your VPN IP peers (10.140.134.50 and 192.168.1.10), and that is incorrect!

When you see only encaps/decaps packets at one end, it is likely an issue with routing, so the return traffic cannot hit the firewalls/routers to be encrypted.

You can try initiating traffic from the router end and see whether the traffic is encrypted (encaps packet counters).
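A small checker for the symptom discussed in the question and answer (an added example, not code from the post or the answer): it parses the proxy identities, crypto endpoints and packet counters out of `show crypto ipsec sa` text and flags one-way traffic (decaps rising while encaps stays at 0, and the reverse) as well as an encryption domain that is nothing more than the two peer addresses. The sample output is constructed, abbreviated from the output shown above; field names and layout follow that output.

```python
import re

# Constructed sample, abbreviated from the kind of output shown in the question above.
SAMPLE_SA = """\
interface: FastEthernet4
    Crypto map tag: SG_LAB_MAP, local addr 10.140.134.50
   local  ident (addr/mask/prot/port): (10.140.134.50/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.10/255.255.255.255/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 177, #pkts decrypt: 177, #pkts verify: 177
     local crypto endpt.: 10.140.134.50, remote crypto endpt.: 192.168.1.10
"""

def _grab(pattern, text, default=None):
    """Return the first capture group of pattern in text, or default."""
    m = re.search(pattern, text)
    return m.group(1) if m else default

def parse_sa(text):
    """Extract proxy identities, crypto endpoints and packet counters of one crypto-map entry."""
    return {
        "local_ident": _grab(r"local\s+ident.*?: \((\S+?)/", text),
        "remote_ident": _grab(r"remote ident.*?: \((\S+?)/", text),
        "local_endpt": _grab(r"local crypto endpt\.: (\S+),", text),
        "remote_endpt": _grab(r"remote crypto endpt\.: (\S+)", text),
        "encaps": int(_grab(r"#pkts encaps: (\d+)", text, "0")),
        "decaps": int(_grab(r"#pkts decaps: (\d+)", text, "0")),
    }

def diagnose(sa):
    """Return (code, explanation) findings; an empty list means the SA looks healthy."""
    findings = []
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        findings.append(("one_way_inbound",
            "peer traffic is decrypted but nothing is encrypted outbound: return traffic "
            "is not matching the crypto ACL or is being routed around the crypto map"))
    elif sa["encaps"] > 0 and sa["decaps"] == 0:
        findings.append(("one_way_outbound",
            "outbound traffic is encrypted but nothing comes back: check the remote side"))
    if sa["local_ident"] == sa["local_endpt"] and sa["remote_ident"] == sa["remote_endpt"]:
        findings.append(("domain_is_peers",
            "encryption domain equals the tunnel endpoints, so only peer-to-peer traffic "
            "is protected; LAN subnets behind either side are not"))
    return findings

if __name__ == "__main__":
    for code, why in diagnose(parse_sa(SAMPLE_SA)):
        print(f"[{code}] {why}")
```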