topic Re: Only one sides of IPSec tunnel encrypting packets in Network Security

Only one sides of IPSec tunnel encrypting packets

techsupport — Mon, 11 Mar 2019 15:47:32 GMT

Any ideas as to how onside of the tunnel is not encrypting traffic thanks

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 26731, #pkts decrypt: 26731,

show crypto isakmp sa

18 IKE Peer: Vendor

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

show crypto ipsec sa

Crypto map tag: vpn_map, seq num: 4, local addr: 198.X.227.X

access-list VPN_TO_Vendor permit ip host 10.20.12.127 host 192.168.13.3

local ident (addr/mask/prot/port): (10.20.12.127/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (192.168.13.3/255.255.255.255/0/0)

current_peer: Vendor

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 26731, #pkts decrypt: 26731, #pkts verify: 26731

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 198.X.227.X, remote crypto endpt.: Vendor

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: 1205B666

inbound esp sas:

spi: 0x0B404729 (188761897)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 119238656, crypto-map: vpn_map

sa timing: remaining key lifetime (kB/sec): (4274991/27948)

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0x1205B666 (302364262)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 119238656, crypto-map: vpn_map

sa timing: remaining key lifetime (kB/sec): (4275000/27948)

IV size: 8 bytes

replay detection support: Y

Re: Only one sides of IPSec tunnel encrypting packets

John Blakley — Wed, 24 Jun 2009 15:04:27 GMT

Can you post your crypto map config and acl's on the ASA? What are you connecting to on the other end, and can you post those configs as well?

Also, looking at this map, you're encrypting traffic from one host. This has to match on your "vendors" end the opposite direction.

Your side:

access-list VPN_TO_Vendor permit ip host 10.20.12.127 host 192.168.13.3

Vendors side:

access-list VPN_TO_Vendor permit ip host 192.168.13.3 host 10.20.12.127

And you also need to make sure that you're not natting that connection with an acl:

access-list NONAT permit ip host 10.20.12.127 host 192.168.13.3

nat (inside) 0 access-list NONAT

HTH,

John

Re: Only one sides of IPSec tunnel encrypting packets

francisco_1 — Wed, 24 Jun 2009 15:34:56 GMT

looks like your tunnel is up but you are only receiving traffic only one direction so the device above is receiving trafic and decrypting it but nothing behind this device is sending traffic out so there is nothing to encrypt on the tunnel. Best to have a PC at both end and test sending ICMP data across the tunnel and look at the stats again.

Francisco