[c-nsp] Traffic on IPSec Tunnel btw Pix and Router

Gamino, Rogelio (OCTO-Contractor) rogelio.gamino at dc.gov
Thu Sep 25 11:44:36 EDT 2008


What happens if you remove the static route?

route outside 10.180.0.0 255.255.0.0 180.200.200.141

I don't think I've had to put static routes on the VPN device for routes
at the other end of the tunnel. The ACL (L2L in this case) should take
care of that.


Rogelio Gamino
rogelio.gamino at dc.gov
(o) 202-741-5853
(c) 202-716-9965

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Everton Diniz
Sent: Tuesday, July 15, 2008 9:19 AM
To: cisco-nsp
Subject: [c-nsp] Traffic on IPSec Tunnel btw Pix and Router

Hi all,

I configured a tunnel between a PIX and a router. The traffic goes to the
PIX but does not return. I see only encaps on the router and decaps on the
PIX.
Is anything missing?

Tks

Router Output and Config
TEHTCVPNRT01#sh cry ip sa

interface: GigabitEthernet0/1
    Crypto map tag: ra-L2L-vpn, local addr 180.200.200.141

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   current_peer 200.150.180.62 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 180.200.200.141, remote crypto endpt.:
200.150.180.62      path mtu 1500, ip mtu 1500, ip mtu idb
GigabitEthernet0/1
     current outbound spi: 0xEA23924(245512484)

     inbound esp sas:
      spi: 0x2E3660C5(775315653)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: NETGX:4, crypto map: ra-L2L-vpn
        sa timing: remaining key lifetime (k/sec): (4429641/3573)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEA23924(245512484)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: NETGX:3, crypto map: ra-L2L-vpn
        sa timing: remaining key lifetime (k/sec): (4429640/3573)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:



crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 6 L2L address 200.150.180.62 no-xauth
crypto isakmp aggressive-mode disable
crypto ipsec transform-set aessha-pixrtr esp-3des esp-md5-hmac

crypto map ra-L2L-vpn 2 ipsec-isakmp
  set peer 200.150.180.62
 set transform-set aessha-pixrtr
 match address 120
 reverse-route

interface GigabitEthernet0/1
 ip address 180.200.200.141 255.255.255.192
crypto map ra-L2L-vpn

access-list 120 permit ip 10.180.0.0 0.0.255.255 10.139.1.0 0.0.0.255



++++++++++++++++++++++++++++++++++



PIX output and Config:
local  ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   current_peer: 180.200.200.141:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 81, #pkts decrypt: 81, #pkts verify 81
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress
failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 200.150.180.62 , remote crypto endpt.:
180.200.200.141
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 2e3660c5

     inbound esp sas:
      spi: 0xea23924(245512484)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: L2L-ons
        sa timing: remaining key lifetime (k/sec): (4607999/3478)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x2e3660c5(775315653)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: L2L-ons
        sa timing: remaining key lifetime (k/sec): (4608000/3478)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:


ip address outside 200.150.180.62 255.255.255.224
ip address inside 10.139.1.111 255.255.255.0
access-list L2L permit ip 10.139.1.0 255.255.255.0 10.180.0.0
255.255.0.0
access-list L2Lnonat permit ip 10.139.1.0 255.255.255.0 10.180.0.0
255.255.0.0
nat (inside) 0 access-list L2Lnonat
route outside 10.180.0.0 255.255.0.0 180.200.200.141  1
sysopt connection permit-ipsec
crypto ipsec transform-set aessha-pixrtr esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map L2L 1 ipsec-isakmp
crypto map L2L 1 match address L2L
crypto map L2L 1 set peer 180.200.200.141
crypto map L2L 1 set transform-set aessha-pixrtr
crypto map L2L interface outside
isakmp enable outside
isakmp key L2L address 180.200.200.141 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 3600
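As an added diagnostic aid (not part of the thread or of any Cisco tool), the script below parses the "show crypto ipsec sa" counters from both peers and flags the asymmetry visible above: the router encapsulates 81 packets that the PIX decapsulates, but the PIX never encapsulates anything back. The SA excerpts are constructed from the numbers in the thread; the function and field names are assumptions.

```python
import re

# Constructed excerpts of "show crypto ipsec sa" from both peers, using
# the counters in the thread (router encaps 81 / decaps 0, PIX 0 / 81).
ROUTER_SA = """\
   local  ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
    #pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 4, #recv errors 0
"""
PIX_SA = """\
local  ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 81, #pkts decrypt: 81, #pkts verify 81
    #send errors 0, #recv errors 0
"""

def parse_sa(text):
    """Pull proxy identities and packet counters out of one SA block."""
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None
    return {
        "local": grab(r"local\s+ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        "remote": grab(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        "encaps": int(grab(r"#pkts encaps:\s*(\d+)") or 0),
        "decaps": int(grab(r"#pkts decaps:\s*(\d+)") or 0),
        "send_errors": int(grab(r"#send errors\s*(\d+)") or 0),
    }

def diagnose(a, b):
    """Compare both ends of one L2L SA and list what looks wrong."""
    findings = []
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        findings.append("proxy identities are not mirror images")
    for src, dst, name in ((a, b, "A->B"), (b, a, "B->A")):
        if src["encaps"] == 0 and dst["encaps"] > 0:
            findings.append(f"{name}: no packets encapsulated; return "
                            "traffic is not being matched by the crypto ACL")
        elif src["encaps"] != dst["decaps"]:
            findings.append(f"{name}: {src['encaps']} encaps vs "
                            f"{dst['decaps']} decaps; counters disagree")
    if a["send_errors"] or b["send_errors"]:
        findings.append("send errors present; check next-hop and MTU")
    return findings

if __name__ == "__main__":
    for line in diagnose(parse_sa(ROUTER_SA), parse_sa(PIX_SA)):
        print(line)
```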