[c-nsp] Traffic on IPSec Tunnel btw Pix and Router

Everton Diniz notrevebr at gmail.com
Tue Jul 15 09:19:02 EDT 2008


Hi all,

I configured a tunnel between the PIX and the router. The traffic goes to the PIX but
does not return. I see only encaps on the router and decaps on the
PIX.
Is anything missing?

Thanks

Router Output and Config
TEHTCVPNRT01#sh cry ip sa

interface: GigabitEthernet0/1
    Crypto map tag: ra-L2L-vpn, local addr 180.200.200.141

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   current_peer 200.150.180.62 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 180.200.200.141, remote crypto endpt.: 200.150.180.62
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0xEA23924(245512484)

     inbound esp sas:
      spi: 0x2E3660C5(775315653)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: NETGX:4, crypto map: ra-L2L-vpn
        sa timing: remaining key lifetime (k/sec): (4429641/3573)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEA23924(245512484)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: NETGX:3, crypto map: ra-L2L-vpn
        sa timing: remaining key lifetime (k/sec): (4429640/3573)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:



crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 6 L2L address 200.150.180.62 no-xauth
crypto isakmp aggressive-mode disable
crypto ipsec transform-set aessha-pixrtr esp-3des esp-md5-hmac

crypto map ra-L2L-vpn 2 ipsec-isakmp
 set peer 200.150.180.62
 set transform-set aessha-pixrtr
 match address 120
 reverse-route

interface GigabitEthernet0/1
 ip address 180.200.200.141 255.255.255.192
 crypto map ra-L2L-vpn

access-list 120 permit ip 10.180.0.0 0.0.255.255 10.139.1.0 0.0.0.255



++++++++++++++++++++++++++++++++++



PIX output and Config:
   local  ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   current_peer: 180.200.200.141:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 81, #pkts decrypt: 81, #pkts verify 81
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 200.150.180.62 , remote crypto endpt.: 180.200.200.141
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 2e3660c5

     inbound esp sas:
      spi: 0xea23924(245512484)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: L2L-ons
        sa timing: remaining key lifetime (k/sec): (4607999/3478)
        IV size: 8 bytes
        replay detection support: Y


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:
      spi: 0x2e3660c5(775315653)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: L2L-ons
        sa timing: remaining key lifetime (k/sec): (4608000/3478)
        IV size: 8 bytes
        replay detection support: Y


     outbound ah sas:


     outbound pcp sas:


ip address outside 200.150.180.62 255.255.255.224
ip address inside 10.139.1.111 255.255.255.0
access-list L2L permit ip 10.139.1.0 255.255.255.0 10.180.0.0 255.255.0.0
access-list L2Lnonat permit ip 10.139.1.0 255.255.255.0 10.180.0.0 255.255.0.0
nat (inside) 0 access-list L2Lnonat
route outside 10.180.0.0 255.255.0.0 180.200.200.141  1
sysopt connection permit-ipsec
crypto ipsec transform-set aessha-pixrtr esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map L2L 1 ipsec-isakmp
crypto map L2L 1 match address L2L
crypto map L2L 1 set peer 180.200.200.141
crypto map L2L 1 set transform-set aessha-pixrtr
crypto map L2L interface outside
isakmp enable outside
isakmp key L2L address 180.200.200.141 netmask 255.255.255.255 no-xauth
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 3600
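As an added illustration (not code from the original post), a small Python checker that reads the packet counters and ESP SPIs from both ends' `show crypto ipsec sa` output, confirms the SAs cross-match, and flags the one-way pattern seen above: encaps on one side, decaps but zero encaps on the other, which means the return traffic is never entering the tunnel. The two sample texts are constructed excerpts modelled on the counters quoted in the post.

```python
import re

# Constructed excerpts modelled on the router and PIX output in the post.
ROUTER_SA = """
    #pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 4, #recv errors 0
     inbound esp sas:
      spi: 0x2E3660C5(775315653)
     outbound esp sas:
      spi: 0xEA23924(245512484)
"""
PIX_SA = """
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 81, #pkts decrypt: 81, #pkts verify 81
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0xea23924(245512484)
     outbound esp sas:
      spi: 0x2e3660c5(775315653)
"""

def parse_sa(text):
    """Extract encaps/decaps counters, send errors and ESP SPIs from one side."""
    sa = {}
    for name in ("encaps", "decaps"):
        m = re.search(r"#pkts %s:\s*(\d+)" % name, text)
        sa[name] = int(m.group(1)) if m else 0
    m = re.search(r"#send errors\s*(\d+)", text)
    sa["send_errors"] = int(m.group(1)) if m else 0
    # SPIs are printed in mixed case on the two platforms; normalise to int.
    for direction in ("inbound", "outbound"):
        m = re.search(r"%s esp sas:\s*spi:\s*(0x[0-9A-Fa-f]+)" % direction, text)
        sa[direction + "_spi"] = int(m.group(1), 16) if m else None
    return sa

def diagnose(a_name, a, b_name, b):
    """Compare both ends of one tunnel and return a list of findings."""
    findings = []
    # What A sends out must be the SA B expects in, and vice versa.
    if a["outbound_spi"] != b["inbound_spi"] or b["outbound_spi"] != a["inbound_spi"]:
        findings.append("SPI mismatch: the two ends hold different SA pairs")
    for (x_name, x), (y_name, y) in (((a_name, a), (b_name, b)), ((b_name, b), (a_name, a))):
        # Decaps without any encaps on the far side: return traffic never
        # matches the crypto ACL / route / NAT exemption on that side.
        if x["encaps"] > 0 and y["decaps"] > 0 and y["encaps"] == 0:
            findings.append("one-way tunnel: %s encaps %d, %s decaps %d but encaps 0"
                            % (x_name, x["encaps"], y_name, y["decaps"]))
        if x["send_errors"]:
            findings.append("%s reports %d send errors" % (x_name, x["send_errors"]))
    return findings
```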

