topic Re: How to shut down ASA Site to Site VPN tunnel without removing it in Network Security

How to shut down ASA Site to Site VPN tunnel without removing it

rmorenobb — Fri, 21 Feb 2020 16:21:45 GMT

How to shut down ASA Site to Site VPN tunnel without removing it? I only want to temporarily shut down the VPN tunnel for testing on another firewall, since the peers have similar interesting traffic, but I don't want to remove the existing VPN tunnel, just shut down temporarily.

This is an old ASA 5510

crypto map XXCryptoMap 16 set peer 1.1.1.1 2.2.2.2

crypto map XXCryptoMap 16 set ikev1 transform-set ESP-AES-128-SHA

crypto map XXCryptoMap 16 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

asafirewall01# sh access-list OO_temp_XXCryptoMap16

access-list OO_temp_XXCryptoMap16; 2 elements; name hash: 0xe3fb223a (dynamic)

access-list OO_temp_XXCryptoMap16 line 1 extended permit ip host 10.0.1.2 host 1.1.1.1 (hitcnt=1815) 0x27ad149d

access-list OO_temp_XXCryptoMap16 line 2 extended permit ip host 10.0.1.3 host 2.2.2.2 (hitcnt=2) 0x1d4b9726

peer address: 1.1.1.1

Crypto map tag: XXCryptoMap, seq num: 16, local addr: 10.0.1.2

access-list OO_temp_XXCryptoMap16 extended permit ip host 10.0.1.2 host 1.1.1.1

local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)

current_peer: 1.1.1.1

#pkts encrypt: 0, #pkts digest: 0

#pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#TFC rcvd: 0, #TFC sent: 0

#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 1.1.1.1/0, remote crypto endpt.:2.2.2.2/0

path mtu 1500, ipsec overhead 74(44), media mtu 1500

PMTU time remaining (sec): 0, DF policy: copy-df

ICMP error validation: disabled, TFC packets: disabled

current outbound spi: 7ACD4800

current inbound spi : 72AF7097

inbound esp sas:

spi: 0x72AF7097 (1924100247)

transform: esp-aes esp-sha-hmac no compression

in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }

slot: 0, conn_id: 63479808, crypto-map: BBCryptoMap

sa timing: remaining key lifetime (kB/sec): (4374000/27260)

IV size: 16 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

outbound esp sas:

spi: 0x7ACD4800 (2060273664)

transform: esp-aes esp-sha-hmac no compression

in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }

slot: 0, conn_id: 63479808, crypto-map: BBCryptoMap

sa timing: remaining key lifetime (kB/sec): (4374000/27260)

IV size: 16 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

Re: How to shut down ASA Site to Site VPN tunnel without removing it

Rob Ingram — Tue, 16 Oct 2018 21:28:50 GMT

Hi,
You could disable the crypto map on the outside interface. E.g - "no crypto map XXCryptoMap interface OUTSIDE" <- assuming OUTSIDE is the name of your outside interface. Of course, that would disable all VPN's on that interface, if you have any others?

HTH

Re: How to shut down ASA Site to Site VPN tunnel without removing it

rmorenobb — Tue, 16 Oct 2018 21:33:50 GMT

Thanks! Yah, that's not what I want to do, as I have two other active tunnels that I cannot bring down, I only want to bring down the one tunnel.

Re: How to shut down ASA Site to Site VPN tunnel without removing it

Rob Ingram — Tue, 16 Oct 2018 21:48:08 GMT

Ok. When you removed the ACL did you clear the SAs (assuming they were already active)?
How are you routing the traffic?...if no interesting traffic is even routed via that firewall the tunnel would not establish.

Re: How to shut down ASA Site to Site VPN tunnel without removing it

rmorenobb — Tue, 16 Oct 2018 21:56:09 GMT

I got an error trying to remove the acls , said it was in use. I'll have to try again tomorrow.

Re: How to shut down ASA Site to Site VPN tunnel without removing it

Dennis Mink — Tue, 16 Oct 2018 22:43:18 GMT

remove the peer IP address, or even put a temporary deny on ISAKMp and ESP from a certain public IP, so the attempts to negotiate a tunnel from the remote end get denied by your ACL (put a specific deny, obove the rule that allows port 500 and ESP) and enable/disable for testing purposes

Re: How to shut down ASA Site to Site VPN tunnel without removing it

ramatoulaye.hane1 — Wed, 17 Oct 2018 11:39:33 GMT

Hello,

Change the pre-shared key

Re: How to shut down ASA Site to Site VPN tunnel without removing it

Rahul Govindan — Wed, 17 Oct 2018 12:25:36 GMT

Remove the match statement from crypto map. ASA wont allow you to remove the ACL itself without removing all the references.

So if your crypto map is as below:

hostname(config)# crypto map abcmap 1 match address l2l_list
hostname(config)# crypto map abcmap 1 set peer 10.10.4.108
hostname(config)# crypto map abcmap 1 set ikev1 transform-set FirstSet
hostname(config)# crypto map abcmap 1 set ikev2 ipsec-proposal secure
hostname(config)# crypto map abcmap interface outside

Do a "no crypto map abcmap 1 match address l2l_list" to remove the match entry from the crypto map.

Re: How to shut down ASA Site to Site VPN tunnel without removing it

adedipeopeoluwa — Fri, 19 Oct 2018 13:33:23 GMT

Hello,

An easier way out.

Disable the ACL by making it inactive, This way there will be no active traffic running through the tunnel and the tunnel will be down.

e.g access-list ACL-VPN extended permit ip any any inactive

This will prevent unnecessary complexities and mistakes that may arise from removing and putting back your VPN parameters.

Re: How to shut down ASA Site to Site VPN tunnel without removing it

vsurresh — Fri, 19 Oct 2018 14:47:49 GMT

Hello,

You can simply remove just the set peer line and re-add it after the testing.

Re: How to shut down ASA Site to Site VPN tunnel without removing it

rmorenobb — Thu, 25 Oct 2018 16:01:11 GMT

I did

conf t

no crypto map XXCryptoMap 16 set ikev1 transform-set ESP-AES-128-SHA

no crypto map XXCryptoMap 16 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

that took the tunnel down

and when I was done testing, i added the lines back to bring the tunnel back up

conf t

crypto map XXCryptoMap 16 set ikev1 transform-set ESP-AES-128-SHA

crypto map XXCryptoMap 16 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

So thank you! It worked nicely.