[CASE] After configuring IPsec VPN on a router, ping is normal but telnet is abnormal

Latest reply: Nov 9, 2018 01:00:21
The topology is shown below:

[Screenshot 1: topology]
After the router established the IPsec VPN with the peer device correctly, ping from 192.168.9.253 to 192.168.14.10 worked, but telnet between these two terminal devices failed.
[Screenshot 2: ping result]
Ping from 192.168.9.253 to 192.168.14.10 succeeds.

[Screenshot 3: telnet result]
Telnet to 192.168.14.10 from R1 fails.


1. Since ping works, network connectivity between the two IPsec devices is fine. The problem is probably caused by a traffic policy or an ACL.
[Screenshot 4: ACL list]
There are only two ACLs on the router; check the configuration to find out where these two ACLs are used.

[Screenshot 5: nat outbound configuration]
ACL 3001 is used in nat outbound.

[Screenshot 6: IPsec policy configuration]
ACL 3002 is used in the IPsec policy.

ACL 3001 denies traffic between 192.168.9.0 and 192.168.14.0 and is applied to nat outbound, so its only effect is that traffic from 192.168.9.0 to 192.168.14.0 is not translated.
ACL 3002 is applied to the IPsec policy and permits IPsec to encrypt traffic between 192.168.9.0 and 192.168.14.0.

Since the IPsec tunnel should encrypt traffic between 192.168.9.0 and 192.168.14.0, let's check whether the tunnel works.

The packet counts before and after running "telnet 192.168.14.10 80" are the same:
[Screenshot 7: IPsec packet count before and after telnet]

But when ping is run, the packet count increases to 5,
[Screenshot 8: IPsec packet count after ping]
which matches the number of ICMP packets sent by R1.

It seems the router encrypted the ping traffic but not the telnet traffic.
The router may use different forwarding paths for encrypted and unencrypted traffic.
Checking the routing table of the router,
[Screenshot 9: routing table]
we find that all traffic to network 192.168.14.0 is forwarded to AR1 (172.16.12.1).

Checking the configuration of interface g0/0/1 on AR1, we find that a traffic policy is applied. Checking this traffic policy:
[Screenshot 10: traffic policy on AR1]
this policy redirects all traffic that does not match rule 5 of ACL 3003 to 10.1.12.2.

It seems this is why the telnet traffic from R1 does not reach server1. To confirm, we capture packets on interface g0/0/1 of AR1:
[Screenshot 11: packet capture on AR1 g0/0/1]
Here we find something interesting: the source IP address of the telnet traffic has been translated to 172.16.12.2. That makes the telnet traffic get redirected to 10.1.12.2, which is why telnet fails.
So deleting this traffic policy would solve the problem, but before taking that action we need the customer's agreement.
To find out what the traffic policy is for, we confirmed with the user. We were told that it is used to separate traffic: the router forwards traffic with source 192.168.9.0 and destination 192.168.14.0 to server1, and the rest of the traffic to 10.1.12.2.
So this traffic policy is necessary and cannot be deleted.
Keeping in mind that the source IP address of the telnet traffic was translated to 172.16.12.2, let's check the AR2 configuration.
[Screenshot 12: AR2 g0/0/1 configuration]
In the configuration of interface g0/0/1 we notice that nat server is configured. nat server checks whether the IP address matches but does not check whether the port number matches, so when the telnet traffic passes from AR2 toward AR1, the router translates its source IP address to 172.16.12.2. The translated packet no longer matches the IPsec ACL, so the router sends the telnet traffic to AR1 unencrypted, AR1 redirects it to 10.1.12.2, and telnet fails.
Ping is normal because ICMP runs directly on IP, not on TCP.
What's more, we can learn that the router decrypts IPsec traffic before executing the traffic policy; if it were not so, ping would not succeed either.

Once the problem is found, fixing it is easy: replace nat server with nat static:
nat static protocol tcp global current-interface 2000 inside 192.168.9.253 2000
After testing, both ping and telnet work.

Finally, what is the difference between nat server and nat static?
nat server and nat static behave the same for inbound traffic, but differ slightly for outbound traffic. With nat server the router checks only whether the IP address matches; with nat static it checks both the IP address and the port number, which makes them quite different when forwarding traffic outward.
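The interaction described above (NAT applied before the IPsec policy, nat server matching on address only versus nat static matching on address and port) can be checked with a small model of AR2's outbound path. The following Python is an added example, not the post's configuration or Huawei code: addresses and the port-2000 mapping come from the post, while the "nat server" behaviour is the author's description (IP address and protocol checked, port ignored), modelled as a constructed assumption rather than a claim about VRP internals. It runs the ping and telnet flows through both configurations so the ACL 3001 / ACL 3002 outcome is visible for each.

```python
"""Constructed model (added example, not the post's configuration) of the
outbound path the post describes on AR2: NAT runs first, then the IPsec
policy ACL decides whether the packet is encrypted.  The 'nat server'
behaviour below is the author's description, not a claim about VRP."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace

VPN_LOCAL = ipaddress.ip_network("192.168.9.0/24")    # behind AR2 (R1 side)
VPN_REMOTE = ipaddress.ip_network("192.168.14.0/24")  # behind AR1 (server1)
INSIDE_HOST = "192.168.9.253"                          # R1
WAN_ADDR = "172.16.12.2"                               # AR2 g0/0/1, as seen in the capture


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "icmp" or "tcp"
    sport: int = 0
    dport: int = 0


def in_vpn_pair(p: Packet) -> bool:
    """Address pair permitted by ACL 3002 (IPsec) and denied by ACL 3001 (NAT)."""
    return (ipaddress.ip_address(p.src) in VPN_LOCAL
            and ipaddress.ip_address(p.dst) in VPN_REMOTE)


def nat_server(p: Packet, proto: str = "tcp") -> Packet:
    """'nat server' for outbound traffic as the post describes it (assumption):
    any TCP packet from the inside host is rewritten, whatever its port."""
    if p.src == INSIDE_HOST and p.proto == proto:
        return replace(p, src=WAN_ADDR)
    return p


def nat_static(p: Packet, inside_port: int = 2000,
               global_port: int = 2000, proto: str = "tcp") -> Packet:
    """'nat static protocol tcp global current-interface 2000 inside
    192.168.9.253 2000': only a packet matching IP, protocol and port is rewritten."""
    if p.src == INSIDE_HOST and p.proto == proto and p.sport == inside_port:
        return replace(p, src=WAN_ADDR, sport=global_port)
    return p


def nat_outbound(p: Packet) -> Packet:
    """nat outbound with ACL 3001: VPN traffic is denied (left untranslated),
    everything else leaves with the interface address."""
    if in_vpn_pair(p):
        return p
    return replace(p, src=WAN_ADDR)


def forward(p: Packet, use_nat_static: bool) -> tuple[Packet, bool]:
    """Run one packet through AR2's outbound path.  Returns the packet as it
    reaches the IPsec policy and whether ACL 3002 selects it for encryption."""
    p = nat_static(p) if use_nat_static else nat_server(p)
    p = nat_outbound(p)
    return p, in_vpn_pair(p)


# Constructed sample flows from R1 (ports and the outside client address are made up).
PING = Packet(INSIDE_HOST, "192.168.14.10", "icmp")
TELNET = Packet(INSIDE_HOST, "192.168.14.10", "tcp", sport=51234, dport=23)
SERVICE = Packet(INSIDE_HOST, "203.0.113.9", "tcp", sport=2000, dport=40000)  # published service replying to an outside client
FLOWS = (("ping", PING), ("telnet", TELNET), ("service", SERVICE))


def summary(use_nat_static: bool) -> dict[str, bool]:
    """Map flow name -> whether it is encrypted, for one NAT configuration."""
    return {name: forward(pkt, use_nat_static)[1] for name, pkt in FLOWS}


if __name__ == "__main__":
    for mode, flag in (("nat server", False), ("nat static", True)):
        print(mode)
        for name, pkt in FLOWS:
            out, enc = forward(pkt, flag)
            path = "IPsec" if enc else "plaintext via nat outbound"
            print(f"  {name:8s} src {out.src}:{out.sport} -> {path}")
```

With nat server, the telnet packet leaves as 172.16.12.2 and misses ACL 3002, exactly the symptom in the capture; with nat static, only the port-2000 service flow is rewritten, so telnet keeps its 192.168.9.253 source and is encrypted, while ping is untouched in both cases because it is not TCP.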

If you find any errors in this post, please point them out; it's a pleasure to see you share your thoughts~

Mark.hu
Created Oct 26, 2018 09:29:46 Helpful(0) Helpful(0)

I also did this experiment before, and this problem has also appeared. I have checked the product manual for a long time, but I still can't solve it. If anyone has a solution, please share it, thank you. This post was last edited by Mark.hu at 2018-10-31 05:57.
lizhi94
Created Oct 26, 2018 09:53:14 Helpful(0) Helpful(0)
The sharing of technology enriches my knowledge, and the professional answer is totally right to bring me the new viewpoint.
At the same time, it is necessary for me to read the posts. Within the posts, cutting large amounts of fact materials, which encourage me to be better.
On one hand, I have acquired a large number of skills which are very useful for us and interesting for us to remember.
On another hand, a good post which is in network technology contains a lot of excellent experience.
Thanks very much for your sharing. We are so happy for your next sharing like this. This post was last edited by lizhi94 at 2018-10-26 09:57.
faysalji
Created Oct 27, 2018 18:00:11 Helpful(0) Helpful(0)

Thanks for sharing the issue
If you think my post/reply is useful, please click the Helpful button and flag my post as a BEST ANSWER. Thanks
faysalji
Created Oct 27, 2018 18:00:30 Helpful(0) Helpful(0)

The solution is good
chenhui
chenhui Created Nov 9, 2018 01:05:48
Hope you enjoy this; more cases and knowledge sharing are on their way.
Mysterious.color
MVE Created Oct 27, 2018 18:37:41 Helpful(0) Helpful(0)

Ah, it's hard to find where the bug is.
It may take hours to find.

Core Engineer, Technical Department. High experience in Networking
Mysterious.color
MVE Created Oct 27, 2018 18:38:47 Helpful(0) Helpful(0)

Thanks for writing these kinds of posts, helpful and good.
chenhui
chenhui Created Nov 9, 2018 01:03:13
It's a pleasure to be helpful to you.
w1
Created Oct 30, 2018 09:51:38 Helpful(0) Helpful(0)

Very good case, it shows the checking process step by step. From this post, I know more about the probable causes of IPsec issues. And yes, the NAT configuration can also cause IPsec issues; I will pay more attention to it next time.
Torrent
Created Nov 6, 2018 03:37:12 Helpful(0) Helpful(0)

nat server and nat static are quite the same when the traffic direction is inward, but there is a little difference when the traffic direction is outward. When configured with nat server, the router checks only if the IP address matches, but when configured with nat static, the router checks both the IP address and the port number, which makes them quite different when forwarding traffic outwards.
Thanks for sharing, learned!
wissal
MVE Created Nov 7, 2018 15:08:40 Helpful(0) Helpful(0)

I like this kind of post, well done, thanks

Telecommunications engineer, currently senior project manager at an operator, partner of Huawei, in the radio access network department; for 20 years I managed several types of projects, for the different nodes of the network.