IOS to IOS VPN across ASA

From: Ajay mehra (ajaymehra01@gmail.com)
Date: Wed Aug 06 2008 - 05:36:47 ART


Hi,

I started with IE labs today and was trying to do IOS to IOS IPsec across
ASA.
Can you please help me in finding the correct answers for these questions.

I have R1---------------ASA-----------------------R2 with R1 on the inside and
R2 on the outside network.

R1 is 136.1.121.1 and R2 is 136.1.122.2

1: To establish an IPsec tunnel using ESP we should permit ESP on the outside
interface. Also we need to permit UDP port 500 for ISAKMP on the outside (only
if we are initiating the tunnel from R2). But in my case the tunnel comes up even
though I do not have any access list entry to permit UDP port 500 on the outside
interface, and I am initiating the connection from R2.

access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.100 eq www
access-list OUTSIDE_IN extended permit udp any host 10.0.0.100 eq ntp
access-list OUTSIDE_IN extended permit esp host 136.1.122.2 host 136.1.121.1
access-group OUTSIDE_IN in interface outside

Why is the ISAKMP phase 1 negotiation successful when I initiate the connection from
R2 even though I do not permit UDP port 500 on the outside interface?

2: Will the IPsec tunnel remain up even if I clear the ISAKMP SA? I was under the
impression that clearing the phase 1 SA would clear the phase 2 SA also.

After I do "clear crypto isakmp sa" I still have counters incrementing for
packets encrypted and decrypted.

R2(config-if)#do sh cryp isa sa
dst src state conn-id slot status

R2(config-if)#do sh cryp ipsec sa | in encaps|decaps
    #pkts encaps: 38, #pkts encrypt: 38, #pkts digest: 38
    #pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
R2(config-if)#

R2(config-if)#do pi 150.1.1.1 so 150.1.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms

R2(config-if)#do sh cryp ipsec sa | in encaps|decaps
    #pkts encaps: 43, #pkts encrypt: 43, #pkts digest: 43
    #pkts decaps: 35, #pkts decrypt: 35, #pkts verify: 35
R2(config-if)#

Thanks,

Ajay
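As an added example (not code from the original post), the following script models the ASA's inbound ACL evaluation, which is top-down, first match, with an implicit deny at the end, and runs the OUTSIDE_IN ACL quoted above against the three inbound flows an IPsec tunnel needs when the outside peer R2 initiates: UDP/500 for ISAKMP, UDP/4500 for NAT-T (only relevant if a NAT device sits between the peers) and ESP. It then emits the entries a hardened ACL would carry. The parser is deliberately limited to the syntax used on the page (`any`, `host X`, optional `eq PORT`); object-groups, subnet masks and port ranges are out of scope. The address values are the ones from the post; the function and field names are this example's own.

```python
"""ASA inbound ACL check for an IOS-to-IOS IPsec tunnel crossing the firewall.

Added example, not part of the original post.  Models the ASA's top-down,
first-match ACL evaluation with the implicit deny at the end, runs the
OUTSIDE_IN ACL quoted in the post against the flows the tunnel needs when
the outside peer (R2) initiates, and lists the missing permit entries.
Only the syntax used on the page is parsed: `any`, `host X`, `eq PORT`.
"""
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "ntp": 123, "isakmp": 500}

# ACL as posted (R1 = 136.1.121.1 inside, R2 = 136.1.122.2 outside).
POSTED_ACL = """
access-list OUTSIDE_IN extended permit icmp any any
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.100 eq www
access-list OUTSIDE_IN extended permit udp any host 10.0.0.100 eq ntp
access-list OUTSIDE_IN extended permit esp host 136.1.122.2 host 136.1.121.1
""".strip().splitlines()


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "icmp", "tcp", "udp", "esp", ...
    src: Optional[str]     # None means "any"
    dst: Optional[str]     # None means "any"
    dport: Optional[int]   # None means any port (or a protocol without ports)


def _addr(tok, i):
    """Parse `any` or `host X` starting at tok[i]; return (addr, next index)."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return tok[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tok[i]}")


def parse_ace(line):
    """Parse one `access-list NAME extended ACTION PROTO SRC DST [eq PORT]` line."""
    tok = line.split()
    if tok[:1] != ["access-list"] or tok[2:3] != ["extended"]:
        raise ValueError(f"not an extended ACE: {line}")
    action, proto = tok[3], tok[4]
    src, i = _addr(tok, 5)
    dst, i = _addr(tok, i)
    dport = None
    if i < len(tok) and tok[i] == "eq":
        dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(action, proto, src, dst, dport)


def lookup(acl, proto, src, dst, dport=None):
    """Return (action, matching line) for a fresh inbound packet.

    First matching entry wins; `ip` matches every protocol; no match means
    the implicit deny at the end of every ASA ACL, reported as ("deny", None).
    """
    for line in acl:
        ace = parse_ace(line)
        if ace.proto not in ("ip", proto):
            continue
        if ace.src not in (None, src) or ace.dst not in (None, dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, line
    return "deny", None


def tunnel_flows(peer, local):
    """Inbound flows an outside-initiated IPsec tunnel needs through the ASA."""
    return [
        ("udp", peer, local, 500),   # ISAKMP / IKE
        ("udp", peer, local, 4500),  # NAT-T, only if a NAT sits between the peers
        ("esp", peer, local, None),  # the IPsec data plane
    ]


def missing_permits(acl, peer, local, name="OUTSIDE_IN"):
    """ACE lines that would have to be added so every tunnel flow is permitted."""
    out = []
    for proto, src, dst, dport in tunnel_flows(peer, local):
        action, _ = lookup(acl, proto, src, dst, dport)
        if action != "permit":
            port = f" eq {dport}" if dport is not None else ""
            out.append(f"access-list {name} extended permit {proto} "
                       f"host {src} host {dst}{port}")
    return out


def hardened_acl(acl, peer, local):
    """The posted ACL plus whatever the tunnel still lacks."""
    return list(acl) + missing_permits(acl, peer, local)


if __name__ == "__main__":
    for flow in tunnel_flows("136.1.122.2", "136.1.121.1"):
        print(flow, "->", lookup(POSTED_ACL, *flow))
    print("\n".join(missing_permits(POSTED_ACL, "136.1.122.2", "136.1.121.1")))
```

Run as-is, the script reports ESP as permitted by the fourth entry and UDP/500 and UDP/4500 as hitting the implicit deny, and proposes the two `permit udp host 136.1.122.2 host 136.1.121.1 eq 500` / `eq 4500` entries. Note that this only answers what a fresh packet arriving on outside would hit; an ASA also forwards packets that match an existing connection entry without re-consulting the interface ACL, so on the box itself the two checks worth pairing are `packet-tracer input outside udp 136.1.122.2 500 136.1.121.1 500` (the ACL verdict for a new packet) and `show conn` (whether a UDP/500 connection entry already exists for the peers).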

Blogs and organic groups at http://www.ccie.net



This archive was generated by hypermail 2.1.4 : Mon Sep 01 2008 - 08:15:29 ART