[c-nsp] Traffic on IPSec Tunnel btw Pix and Router

Everton Diniz notrevebr at gmail.com
Thu Sep 25 11:53:51 EDT 2008


Nothing happens; I put the static route in for testing.
I could not make it work. The PIX was changed for a router and I put in a
Tunnel interface, and it works OK.

tks for all!!!

On Thu, Sep 25, 2008 at 12:44 PM, Gamino, Rogelio (OCTO-Contractor)
<rogelio.gamino at dc.gov> wrote:
> What happens if you remove the static route?
>
> route outside 10.180.0.0 255.255.0.0 180.200.200.141
>
> I don't think I've had to put static routes on the vpn device for routes
> at the other end of the tunnel. The acl (L2L in this case) should take
> care of that.
>
>
> Rogelio Gamino
> rogelio.gamino at dc.gov
> (o) 202-741-5853
> (c) 202-716-9965
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Everton Diniz
> Sent: Tuesday, July 15, 2008 9:19 AM
> To: cisco-nsp
> Subject: [c-nsp] Traffic on IPSec Tunnel btw Pix and Router
>
> Hi all,
>
> I configured a tunnel between a PIX and a router. The traffic goes to the PIX but
> there is no return traffic. I see only encaps on the router and decaps on the
> PIX.
> Is anything missing?
>
> Tks
>
> Router Output and Config
> TEHTCVPNRT01#sh cry ip sa
>
> interface: GigabitEthernet0/1
>    Crypto map tag: ra-L2L-vpn, local addr 180.200.200.141
>
>   protected vrf: (none)
>   local  ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
>   remote ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
>   current_peer 200.150.180.62 port 500
>     PERMIT, flags={origin_is_acl,}
>    #pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
>    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
>    #pkts compressed: 0, #pkts decompressed: 0
>    #pkts not compressed: 0, #pkts compr. failed: 0
>    #pkts not decompressed: 0, #pkts decompress failed: 0
>    #send errors 4, #recv errors 0
>
>     local crypto endpt.: 180.200.200.141, remote crypto endpt.: 200.150.180.62
>     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
>     current outbound spi: 0xEA23924(245512484)
>
>     inbound esp sas:
>      spi: 0x2E3660C5(775315653)
>        transform: esp-3des esp-md5-hmac ,
>        in use settings ={Tunnel, }
>        conn id: 3004, flow_id: NETGX:4, crypto map: ra-L2L-vpn
>        sa timing: remaining key lifetime (k/sec): (4429641/3573)
>        IV size: 8 bytes
>        replay detection support: Y
>        Status: ACTIVE
>
>     inbound ah sas:
>
>     inbound pcp sas:
>
>     outbound esp sas:
>      spi: 0xEA23924(245512484)
>        transform: esp-3des esp-md5-hmac ,
>        in use settings ={Tunnel, }
>        conn id: 3003, flow_id: NETGX:3, crypto map: ra-L2L-vpn
>        sa timing: remaining key lifetime (k/sec): (4429640/3573)
>        IV size: 8 bytes
>        replay detection support: Y
>        Status: ACTIVE
>
>     outbound ah sas:
>
>     outbound pcp sas:
>
>
>
> crypto isakmp policy 11
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
>  lifetime 3600
> crypto isakmp key 6 L2L address 200.150.180.62 no-xauth
> crypto isakmp aggressive-mode disable
> crypto ipsec transform-set aessha-pixrtr esp-3des esp-md5-hmac
>
> crypto map ra-L2L-vpn 2 ipsec-isakmp
>  set peer 200.150.180.62
>  set transform-set aessha-pixrtr
>  match address 120
>  reverse-route
>
> interface GigabitEthernet0/1
>  ip address 180.200.200.141 255.255.255.192
>  crypto map ra-L2L-vpn
>
> access-list 120 permit ip 10.180.0.0 0.0.255.255 10.139.1.0 0.0.0.255
>
>
>
> ++++++++++++++++++++++++++++++++++
>
>
>
> PIX output and Config:
> local  ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
>   remote ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
>   current_peer: 180.200.200.141:500
>     PERMIT, flags={origin_is_acl,}
>    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
>    #pkts decaps: 81, #pkts decrypt: 81, #pkts verify 81
>    #pkts compressed: 0, #pkts decompressed: 0
>    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
>    #send errors 0, #recv errors 0
>
>     local crypto endpt.: 200.150.180.62, remote crypto endpt.: 180.200.200.141
>     path mtu 1500, ipsec overhead 56, media mtu 1500
>     current outbound spi: 2e3660c5
>
>     inbound esp sas:
>      spi: 0xea23924(245512484)
>        transform: esp-3des esp-md5-hmac ,
>        in use settings ={Tunnel, }
>        slot: 0, conn id: 4, crypto map: L2L-ons
>        sa timing: remaining key lifetime (k/sec): (4607999/3478)
>        IV size: 8 bytes
>        replay detection support: Y
>
>
>     inbound ah sas:
>
>
>     inbound pcp sas:
>
>
>     outbound esp sas:
>      spi: 0x2e3660c5(775315653)
>        transform: esp-3des esp-md5-hmac ,
>        in use settings ={Tunnel, }
>        slot: 0, conn id: 3, crypto map: L2L-ons
>        sa timing: remaining key lifetime (k/sec): (4608000/3478)
>        IV size: 8 bytes
>        replay detection support: Y
>
>
>     outbound ah sas:
>
>
>     outbound pcp sas:
>
>
> ip address outside 200.150.180.62 255.255.255.224
> ip address inside 10.139.1.111 255.255.255.0
> access-list L2L permit ip 10.139.1.0 255.255.255.0 10.180.0.0 255.255.0.0
> access-list L2Lnonat permit ip 10.139.1.0 255.255.255.0 10.180.0.0 255.255.0.0
> nat (inside) 0 access-list L2Lnonat
> route outside 10.180.0.0 255.255.0.0 180.200.200.141  1
> sysopt connection permit-ipsec
> crypto ipsec transform-set aessha-pixrtr esp-3des esp-md5-hmac
> crypto ipsec security-association lifetime seconds 3600
> crypto map L2L 1 ipsec-isakmp
> crypto map L2L 1 match address L2L
> crypto map L2L 1 set peer 180.200.200.141
> crypto map L2L 1 set transform-set aessha-pixrtr
> crypto map L2L interface outside
> isakmp enable outside
> isakmp key L2L address 180.200.200.141 netmask 255.255.255.255 no-xauth
> isakmp identity address
> isakmp policy 1 authentication pre-share
> isakmp policy 1 encryption 3des
> isakmp policy 1 hash md5
> isakmp policy 1 group 2
> isakmp policy 1 lifetime 3600
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
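As an added example (not part of the thread, and not Cisco code), here is a small Python triage script for the situation the poster describes: it parses the "show crypto ipsec sa" output of both peers, checks that the proxy identities are mirror images and that the SPIs cross-match (each side's inbound SPI is the other side's outbound SPI), then classifies the encaps/decaps counters. The sample input is the router and PIX output posted above, trimmed to the lines the checks need; the function names, verdict strings and hint texts are this example's own.

```python
import re

# Sample input (copied from the thread's two "show crypto ipsec sa" outputs,
# trimmed to the lines the checks need).
ROUTER_SA = """\
  local  ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
  remote ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   #pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   #send errors 4, #recv errors 0
    inbound esp sas:
     spi: 0x2E3660C5(775315653)
    outbound esp sas:
     spi: 0xEA23924(245512484)
"""

PIX_SA = """\
local  ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
   #pkts decaps: 81, #pkts decrypt: 81, #pkts verify 81
   #send errors 0, #recv errors 0
    inbound esp sas:
     spi: 0xea23924(245512484)
    outbound esp sas:
     spi: 0x2e3660c5(775315653)
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")
SPI_RE = re.compile(r"(inbound|outbound) esp sas:\s*spi:\s*0x([0-9A-Fa-f]+)")


def parse_sa(text):
    """Pull proxy identities, packet counters and ESP SPIs out of one peer's output."""
    sa = {"local": None, "remote": None, "encaps": 0, "decaps": 0,
          "inbound_spi": None, "outbound_spi": None}
    for m in IDENT_RE.finditer(text):
        sa[m.group(1)] = (m.group(2), m.group(3))          # (network, mask)
    for m in COUNTER_RE.finditer(text):
        sa[m.group(1)] = int(m.group(2))
    for m in SPI_RE.finditer(text):
        sa[m.group(1) + "_spi"] = int(m.group(2), 16)      # case-insensitive hex
    return sa


# Verdict names and hints are this example's own, not Cisco terminology.
HINTS = {
    "bidirectional": "Both peers encrypt and decrypt; the IPsec SA is not the problem.",
    "one_way_a_to_b": ("B decrypts A's packets but never encrypts a reply: the return "
                       "traffic is not reaching B's crypto map. Check the inside hosts' "
                       "gateway, B's route toward A's network, and any NAT that rewrites "
                       "the source so it no longer matches the crypto ACL."),
    "one_way_b_to_a": "Same as one_way_a_to_b with the roles swapped.",
    "a_encrypts_b_never_decrypts": ("A sends ESP that B never verifies: suspect the path "
                                    "between the peers (filtering, NAT of ESP, wrong peer)."),
    "b_encrypts_a_never_decrypts": "Same as a_encrypts_b_never_decrypts with the roles swapped.",
    "no_traffic": "Nothing has hit the SA yet; generate interesting traffic first.",
}


def diagnose(a, b):
    """Compare the SA as seen from peer a and from peer b and classify the failure."""
    idents_mirror = a["local"] == b["remote"] and a["remote"] == b["local"]
    spis_match = (a["outbound_spi"] == b["inbound_spi"]
                  and a["inbound_spi"] == b["outbound_spi"])
    if a["encaps"] and a["decaps"] and b["encaps"] and b["decaps"]:
        verdict = "bidirectional"
    elif a["encaps"] and not b["decaps"]:
        verdict = "a_encrypts_b_never_decrypts"
    elif b["encaps"] and not a["decaps"]:
        verdict = "b_encrypts_a_never_decrypts"
    elif a["encaps"] and b["decaps"] and not b["encaps"]:
        verdict = "one_way_a_to_b"
    elif b["encaps"] and a["decaps"] and not a["encaps"]:
        verdict = "one_way_b_to_a"
    else:
        verdict = "no_traffic"
    return {"idents_mirror": idents_mirror, "spis_match": spis_match,
            "verdict": verdict, "hint": HINTS[verdict]}


if __name__ == "__main__":
    report = diagnose(parse_sa(ROUTER_SA), parse_sa(PIX_SA))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it with the router as peer A and the PIX as peer B and it reports mirrored identities, matching SPIs and the verdict one_way_a_to_b: the tunnel negotiated correctly and the PIX is decrypting everything the router sends, so the thing to chase is why the reply never enters the PIX's crypto map rather than the ISAKMP or IPsec settings. Swap the two arguments and the verdict flips accordingly.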

