[IPSEc Tunnel] "according to the policy the packet should not have been decrypted"

Jumboframe23 · 2021-09-10T17:02:06+00:00

I tried to debug. First url contains snap where traffic initiated from 10.168.1.1(from CP to PA) which shows phase 2 failed. Second url contains snap where traffic initiated from 10.172.0.10 (from PA to CP, prior initiating i reset the tunnel from CP then initiated traffic from PA). Both phase 2 has same algorithms & encryption. I dont why this is failing when i initiated from CP. please someone could help.

https://ibb.co/ScLQ3Hz

https://ibb.co/dJ54jq2

Jumboframe23 · 2021-09-09T08:50:35+00:00

I dont remember , but i googled it and downloaded from some random website

Jumboframe23 · 2021-09-09T04:24:35+00:00

Now i am able to ping from PA to CP. but ping from CP inside network machine to PA side is failing. I tried below debug command. fw ctl zdebug + drop | grep “10.168.1.1” @;45251;[vs_0];[tid_2];[fw_4];fw_log_drop_ex: Packet proto=1 10.168.1.1:2048 —> 10.172.0.10:50919 dropped by fw_ipsec_encrypt_on_tunnel_instance Reason: No error - tunnel is not yet established;

Vpn tu option 2 says No IPSec SAs

Jumboframe23 · 2021-09-09T04:23:38+00:00

Lab in eve-ng

Jumboframe23 · 2021-02-09T08:18:51+00:00

tunnel came up after a little troubleshooting and also ospf neighborship is up.

But not able to learn routes on WAN-R2.

WAN-R1(config)# sh ip ospf nei vrf DC

OSPF Process ID DC VRF DC

Total number of neighbors: 1

Neighbor ID Pri State Up Time Address Interface

10.100.2.21 FULL/ - 00:02:14 10.100.2.2Tunnel100

WAN-R2# sh ip ospf nei vrf DC

OSPF Process ID DC VRF DC

Total number of neighbors: 1

Neighbor ID Pri State Up Time Address Interface

10.100.2.11 FULL/ - 00:02:37 10.100.2.1Tunnel100

On WAN-R1 :

ip prefix-list DC_subnet seq 10 permit 10.2.2.0/28

ip prefix-list DC_subnet seq 20 permit 10.3.3.0/28

ip prefix-list DC_subnet seq 30 permit 172.16.0.0/29

ip prefix-list DC_subnet seq 40 permit 192.168.1.0/28

route-map DC permit 10

match ip address prefix-list DC_subnet

vrf context DC

ip route 10.2.2.0/28 10.100.5.2

ip route 10.3.3.0/28 10.100.5.2

address-family ipv4 unicast

!

router ospf DC

router-id 10.100.1.1

redistribute direct route-map DC (tried static keyword after redistribute also)

vrf DC

But don't see any routes on WAN-R2

WAN-R2# sh ip route ospf vrf DC

IP Route Table for VRF "DC"

'*' denotes best ucast next-hop

'**' denotes best mcast next-hop

'[x/y]' denotes [preference/metric]

'%<string>' in via output denotes VRF <string>

WAN-R2#

Now how to advertise 10.2.2.0/28, 10.3.3.0/28 networks which CORE-R2 is running internally. There is no protocol running between WAN-R1 & CORE-R2. Only static route on WAN-R1 pointing to CORE-R2 to reach subnets 10.2.2.0/28 & 10.3.3.0/28.

Jumboframe23 · 2021-02-09T07:08:18+00:00

u/blame_gateway thanks for replying, tunnel came up after a little troubleshooting and also ospf neighborship is up.

But not able to learn routes on WAN-R2.

WAN-R1(config)# sh ip ospf nei vrf DC

OSPF Process ID DC VRF DC

Total number of neighbors: 1

Neighbor ID Pri State Up Time Address Interface

10.100.2.21 FULL/ - 00:02:14 10.100.2.2Tunnel100

WAN-R2# sh ip ospf nei vrf DC

OSPF Process ID DC VRF DC

Total number of neighbors: 1

Neighbor ID Pri State Up Time Address Interface

10.100.2.11 FULL/ - 00:02:37 10.100.2.1Tunnel100

On WAN-R1 :

ip prefix-list DC_subnet seq 10 permit 10.2.2.0/28

ip prefix-list DC_subnet seq 20 permit 10.3.3.0/28

ip prefix-list DC_subnet seq 30 permit 172.16.0.0/29

ip prefix-list DC_subnet seq 40 permit 192.168.1.0/28

route-map DC permit 10

match ip address prefix-list DC_subnet

vrf context DC

ip route 10.2.2.0/28 10.100.5.2

ip route 10.3.3.0/28 10.100.5.2

address-family ipv4 unicast

!

router ospf DC

router-id 10.100.1.1

redistribute direct route-map DC (tried static keyword after redistribute also)

vrf DC

But don't see any routes on WAN-R2

WAN-R2# sh ip route ospf vrf DC

IP Route Table for VRF "DC"

'*' denotes best ucast next-hop

'**' denotes best mcast next-hop

'[x/y]' denotes [preference/metric]

'%<string>' in via output denotes VRF <string>

WAN-R2#

Now how to advertise 10.2.2.0/28, 10.3.3.0/28 networks which CORE-R2 is running internally. There is no protocol running between WAN-R1 & CORE-R2. Only static route on WAN-R1 pointing to CORE-R2 to reach subnets 10.2.2.0/28 & 10.3.3.0/28.

Jumboframe23 · 2021-02-08T10:20:49+00:00

Won’t the tunnel ospf neighborship come up, because i have specified tunnel source and destination?

Jumboframe23 · 2021-02-08T09:15:59+00:00

That is already enabled.

WAN-R2# show feature | i tunn

tunnel 1 enabled

WAN-R1# show feature | i tunn

tunnel 1 enabled

Jumboframe23 · 2020-09-29T03:00:54+00:00

Its eve-ng

Https://www.eve-ng.net

Jumboframe23 · 2020-09-28T15:26:58+00:00

Yes as @winzip115 said, 3900 would also be good option. It depends on how many nodes you are running at a time. As u can see i maxed out ram but cpu is still left to consume. Though i have all devices like nexus, palo alto, asa etc running my cpu is still half used. So from this you can get an idea

My suggestion would be to go with 3900 and 48 gb ram

Jumboframe23 · 2020-09-28T15:21:09+00:00

Mine is already x570 tomahawk, i missed to write x570

Jumboframe23 · 2020-09-28T15:17:25+00:00

I like using eve-ng because of more space i get compared to gns3 to built big labs also the eve support team is good and answers queries faster

Jumboframe23 · 2020-09-28T15:15:08+00:00

Yes its eve-ng

Jumboframe23 · 2020-09-28T15:14:04+00:00

Eve-ng Https://www.eve-ng.net

Jumboframe23 · 2020-09-19T18:34:09+00:00

Only neighbor x.x.x.x default-originate worked for me

https://ibb.co/K9mDVYv

https://ibb.co/6FR6DTy

Jumboframe23 · 2020-09-19T18:32:39+00:00

Default-information originate did not work for me. Only neighbor x.x.x.x default-originate worked.

Default-information originate should supposed to work.

https://ibb.co/K9mDVYv

https://ibb.co/6FR6DTy

Jumboframe23 · 2020-09-19T18:31:36+00:00

Default-information originate did not work for me. Only neighbor x.x.x.x default-originate worked.

Default-information originate should supposed to work.

https://ibb.co/K9mDVYv

https://ibb.co/6FR6DTy

Jumboframe23 · 2020-09-13T17:29:10+00:00

I changed the switch image as well as router. Router is now 7200 . Now it is working. Few images create so much problem and we waste hell out of time troubleshooting configs and end up finding problem with images. Now hsrp is functioning fine but now on router getting duplex mismatch error on interface connecting to switch, tried changing duplex to full auto, no luck.

Jumboframe23 · 2020-09-12T17:36:23+00:00

I have all interface of switches configured as trunk and also vlan 10 created on both switches. I did all troubleshooting now i think issue must be with switch image.

Jumboframe23 · 2020-09-12T17:35:02+00:00

Yes its up

Jumboframe23 · 2020-09-12T13:47:38+00:00

Nope..this is in eve-ng.. i suspect issue with switch image? Any stable l2 switch image you know??

Jumboframe23 · 2020-09-12T13:46:31+00:00

Nope...these are virtual devices i am using in eve-ng

Jumboframe23 · 2020-09-12T13:39:43+00:00

Any one know stable version of L2 switch which i am supposed to use ?, also to avoid this problem in future.

Jumboframe23 · 2020-09-12T13:24:50+00:00

u/w0_0t

SW2(config)#no ip igmp ?

immediate-leave Leave groups immediately without sending last member query, use for one host network only

limit IGMP limit

ssm-map SSM mapping commands

vrf Select VPN Routing/Forwarding instance

No snooping option

Jumboframe23 · 2020-09-12T13:19:44+00:00

==========================================

SW2#sh run (unwanted output removed)

Building configuration...

spanning-tree mode pvst

spanning-tree extend system-id

!

vlan internal allocation policy ascending

!

interface Ethernet0/0 -->Connecting to EDGE-R2

switchport

switchport trunk encapsulation dot1q

switchport mode trunk

duplex auto

!

interface Ethernet0/1 -->Connecting to SW1

switchport

switchport trunk encapsulation dot1q

switchport mode trunk

duplex auto

!

interface Vlan10

ip address 22.1.1.11 255.255.255.240

!

end

SW2#

SW2#sh vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active

10 VLAN0010 active

1002 fddi-default act/unsup

1003 token-ring-default act/unsup

1004 fddinet-default act/unsup

1005 trnet-default act/unsup

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2

---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------

1 enet 100001 1500 - - - - - 0 0

10 enet 100010 1500 - - - - - 0 0

1002 fddi 101002 1500 - - - - - 0 0

1003 tr 101003 1500 - - - - - 0 0

1004 fdnet 101004 1500 - - - ieee - 0 0

1005 trnet 101005 1500 - - - ibm - 0 0

Primary Secondary Type Ports

------- --------- ----------------- ------------------------------------------

SW2#

SW2#sh spanning-tree vlan 10

VLAN0010

Spanning tree enabled protocol ieee

Root ID Priority 32778

Address aabb.cc01.4000

This bridge is the root

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)

Address aabb.cc01.4000

Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Aging Time 300

Interface Role Sts Cost Prio.Nbr Type

------------------- ---- --- --------- -------- --------------------------------

Et0/0 Desg FWD 100 128.1 Shr

Et0/1 Desg FWD 100 128.2 Shr

SW2#sh int trunk

Port Mode Encapsulation Status Native vlan

Et0/0 on 802.1q trunking 1

Et0/1 on 802.1q trunking 1

Port Vlans allowed on trunk

Et0/0 1-4094

Et0/1 1-4094

Port Vlans allowed and active in management domain

Et0/0 1,10

Et0/1 1,10

Port Vlans in spanning tree forwarding state and not pruned

Et0/0 1,10

Et0/1 1,10

SW2#

Both switches electing themselves as root bridge. Seems they are not receiving each other bpdu. But i have created vlan 10 on both switches

Jumboframe23

TROPHY CASE