Thursday, June 20, 2013

Troubleshooting IPSec Phase2 issues

Problem - 'show crypto ipsec sa' shows packets being encrypted outbound (#pkts encaps/encrypt counters increasing) but no packets being decrypted inbound (#pkts decaps/decrypt stay at zero).

  Check the following: 

  •     The crypto ACLs at the two ends must be exact mirrors of each other. Use host-to-host /32 addresses; do not use subnets.
  •     Check that routing at the remote end is in place, with the correct exit interface for the protected traffic.
  •     If the traffic passes through a firewall on its way to the VPN-terminating peer, check that NAT traversal is in place; on the ASA, apply:

              policy-map global_policy
                class inspection_default
                  inspect ipsec-pass-thru

  •     Check that UDP 500, UDP 4500, AH and ESP are permitted on the outbound ACLs towards the remote end. Review the ACLs.
  •     Check that 'sysopt connection permit-vpn' is applied, so that IPsec traffic can bypass the ACLs applied to the interface that terminates the tunnel.
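The first two checks above (one-way counters in 'show crypto ipsec sa', and crypto ACLs that are not mirrors) are easy to script once you have both peers' configs. The following is an added example, not code from the original post: it parses the encaps/decaps counters out of a constructed 'show crypto ipsec sa' excerpt, then parses the 'access-list ... extended permit ip' lines of two constructed ASA configs and reports every entry whose exact reverse is missing on the other side. The ACL names (outside_cryptomap, vpn_to_hq), addresses and counter values are all made up for the illustration, and the parser only understands the host/any/subnet-mask forms, not object-group based ACLs.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt of 'show crypto ipsec sa' on the local ASA (not real output):
# outbound traffic is being encrypted, nothing is coming back.
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.10

      access-list outside_cryptomap extended permit ip host 10.1.1.5 host 10.2.2.7
      local ident (addr/mask/prot/port): (10.1.1.5/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.7/255.255.255.255/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 1542, #pkts encrypt: 1542, #pkts digest: 1542
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Constructed config fragments: the local side uses /32 hosts, the remote side
# was configured with subnets, which is exactly the mismatch the post warns about.
LOCAL_CONFIG = """\
access-list outside_cryptomap extended permit ip host 10.1.1.5 host 10.2.2.7
"""
REMOTE_CONFIG = """\
access-list vpn_to_hq extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
"""

Endpoint = Tuple[str, str]                 # (address, mask)
AclEntry = Tuple[Endpoint, Endpoint]       # (source, destination)


def sa_counters(show_output: str) -> Dict[str, int]:
    """Pull the encaps/decaps packet counters out of 'show crypto ipsec sa' text."""
    counters = {}
    for name in ("encaps", "decaps"):
        m = re.search(rf"#pkts {name}:\s*(\d+)", show_output)
        counters[name] = int(m.group(1)) if m else 0
    return counters


def is_one_way(show_output: str) -> bool:
    """True when the SA encrypts outbound but has never decrypted an inbound packet."""
    c = sa_counters(show_output)
    return c["encaps"] > 0 and c["decaps"] == 0


def _parse_endpoint(tokens: List[str], i: int) -> Tuple[Endpoint, int]:
    """Read one 'host A' / 'any' / 'NET MASK' endpoint starting at tokens[i]."""
    if tokens[i] == "host":
        return (tokens[i + 1], "255.255.255.255"), i + 2
    if tokens[i] == "any":
        return ("0.0.0.0", "0.0.0.0"), i + 1
    return (tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(config: str, acl_name: str) -> Set[AclEntry]:
    """Collect the (source, destination) pairs of 'extended permit ip' entries in one ACL."""
    entries: Set[AclEntry] = set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", acl_name] or tok[2:5] != ["extended", "permit", "ip"]:
            continue
        try:
            src, i = _parse_endpoint(tok, 5)
            dst, _ = _parse_endpoint(tok, i)
        except IndexError:          # malformed or unsupported line, skip it
            continue
        entries.add((src, dst))
    return entries


def mirror_mismatches(local: Set[AclEntry], remote: Set[AclEntry]) -> Dict[str, Set[AclEntry]]:
    """Entries on either side whose exact reverse (dst<->src swapped) is absent on the other."""
    remote_flipped = {(dst, src) for src, dst in remote}
    return {
        "missing_on_remote": local - remote_flipped,
        "missing_on_local": remote_flipped - local,
    }


if __name__ == "__main__":
    print("one-way SA:", is_one_way(SAMPLE_IPSEC_SA), sa_counters(SAMPLE_IPSEC_SA))
    local = parse_crypto_acl(LOCAL_CONFIG, "outside_cryptomap")
    remote = parse_crypto_acl(REMOTE_CONFIG, "vpn_to_hq")
    for side, missing in mirror_mismatches(local, remote).items():
        for src, dst in sorted(missing):
            print(f"{side}: {src[0]}/{src[1]} -> {dst[0]}/{dst[1]}")
```

Run it against real 'show crypto ipsec sa' output and the two peers' 'show running-config access-list' to get the same two answers: whether the SA is one-way, and which crypto ACL entries have no mirror. An empty mismatch report does not prove Phase 2 is healthy (proxy identities can also differ through NAT or object definitions), but a non-empty one points straight at the first check in the list.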
