03-08-2019 01:38 PM - edited 02-21-2020 08:55 AM
From the ASA, if you do sh crypto ikev2 sa, it shows the following below. Are all the child SAs just allowed subnets on the tunnel?
Session-id:2758, Status:UP-ACTIVE, IKE count:1, CHILD count:14
Tunnel-id Local Remote Status Role
1682665127 X.X.X.6/500 X.X.X.0/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA384, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/18416 sec
Child sa: local selector X.X.X..0/0 - 1X.X.X..255/65535
remote selector X.X.X..160/0 - X.X.X.1/65535
ESP spi in/out: 0x6d1f4027/0xbbe517cf
Child sa: local selector X.X.X.28/0 - X.X.X.255/65535
remote selector X.X.X.60/0 - X.X.X.91/65535
ESP spi in/out: 0xbb935ee4/0xa7642a72
03-08-2019 02:22 PM
Yes. The networks defined in the crypto ACL will be identified as CHILD SA. If you have multiple networks defined in the ACL you will have multiple CHILD SAs. 1 IKE SA (identifying the VPN peers) will be created, then a CHILD SA per network.
You can use the command show vpn-sessiondb detail l2l to indicate the total number of IKE/IPsec tunnels.
03-08-2019 03:25 PM
03-08-2019 03:38 PM
show crypto ikev2 sa detail will show you the IKE SA and CHILD count
ASA-1# show crypto ikev2 sa detail
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:2
Tunnel-id Local Remote Status Role
2165229 1.1.1.1/500 3.3.3.1/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 0/544 sec
Session-id: 1
Status Description: Negotiation done
Local spi: 2C539E8C33326D0E Remote spi: 50BCD8D9AFD45EE9
Local id: 1.1.1.1
Remote id: 3.3.3.1
Local req mess id: 41 Remote req mess id: 42
Local next mess id: 41 Remote next mess id: 42
Local req queued: 41 Remote req queued: 42
Local window: 1 Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is not detected
IKEv2 Fragmentation Configured MTU: 576 bytes, Overhead: 28 bytes, Effective MTU: 548 bytes
Child sa: local selector 192.168.100.0/0 - 192.168.100.255/65535
remote selector 10.30.0.0/0 - 10.30.3.255/65535
Child sa: local selector 10.10.0.0/0 - 10.10.0.255/65535
remote selector 10.30.0.0/0 - 10.30.3.255/65535
Use the command show crypto ipsec sa and check the encaps|decaps; these should be increasing as packets traverse the tunnel. If they are unequal, then you've probably got a NAT or routing issue on one end of the tunnel.
ASA-1(config)# show crypto ipsec sa
interface: OUTSIDE
Crypto map tag: CMAP, seq num: 3, local addr: 1.1.1.1
access-list VPN_3 extended permit ip 10.10.0.0 255.255.255.0 10.30.0.0 255.255.252.0
local ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.30.0.0/255.255.252.0/0/0)
current_peer: 3.3.3.1
#pkts encaps: 103, #pkts encrypt: 103, #pkts digest: 103
#pkts decaps: 103, #pkts decrypt: 103, #pkts verify: 103
HTH
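As an added example (not from this thread or from Cisco), a small Python parser for the two outputs quoted above: it groups each Child SA under the IKE SA session that owns it and checks the parsed selectors against the reported CHILD count, and it flags any IPsec SA whose encaps and decaps counters differ, which is the check the answer above recommends. The sample text is constructed from the values in this thread; the second IPsec SA is given zero decaps to show the one-way-traffic case.

```python
import re

# Constructed samples modelled on the ASA output quoted in this thread (not a live capture).
IKEV2_SA = """\
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:2
2165229 1.1.1.1/500 3.3.3.1/500 READY RESPONDER
Child sa: local selector 192.168.100.0/0 - 192.168.100.255/65535
remote selector 10.30.0.0/0 - 10.30.3.255/65535
Child sa: local selector 10.10.0.0/0 - 10.10.0.255/65535
remote selector 10.30.0.0/0 - 10.30.3.255/65535
"""
IPSEC_SA = """\
local ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.30.0.0/255.255.252.0/0/0)
#pkts encaps: 103, #pkts encrypt: 103, #pkts digest: 103
#pkts decaps: 103, #pkts decrypt: 103, #pkts verify: 103
local ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.30.0.0/255.255.252.0/0/0)
#pkts encaps: 57, #pkts encrypt: 57, #pkts digest: 57
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

def parse_ikev2_sa(text):
    """Group Child SAs (one per crypto-ACL entry) under the IKE SA that owns them."""
    sessions = []
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"Session-id:(\d+),.*CHILD count:(\d+)", line):
            sessions.append({"id": int(m.group(1)), "count": int(m.group(2)), "children": []})
        elif m := re.match(r"Child sa: local selector (\S+ - \S+)", line):
            sessions[-1]["children"].append({"local": m.group(1), "remote": None})
        elif m := re.match(r"remote selector (\S+ - \S+)", line):
            sessions[-1]["children"][-1]["remote"] = m.group(1)
    for s in sessions:  # the ASA's CHILD count should equal the selectors we parsed
        s["consistent"] = s["count"] == len(s["children"])
    return sessions

def check_ipsec_counters(text):
    """Flag per-SA encaps/decaps mismatches: one-way traffic suggests NAT or routing trouble."""
    results, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"local ident .*: \((\S+?)/(\S+?)/", line):
            cur = {"local": f"{m.group(1)}/{m.group(2)}"}
        elif m := re.match(r"remote ident .*: \((\S+?)/(\S+?)/", line):
            cur["remote"] = f"{m.group(1)}/{m.group(2)}"
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            cur[m.group(1)] = int(m.group(2))
            if m.group(1) == "decaps":  # decaps follows encaps, so the pair is complete here
                cur["balanced"] = cur["encaps"] == cur["decaps"]
                results.append(cur)
    return results
```

Paste the real show output into the two strings (or read it from a file) and look for any session with consistent == False or any SA with balanced == False.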
03-09-2019 07:07 AM
03-09-2019 07:38 AM
Hi,
Not entirely sure I am following...but whatever IP addresses/networks your devices are communicating with need to be defined in the crypto ACL, which would create the associated CHILD SA. If the remote networks are NATed then you'd need to define that in your crypto ACL.
HTH
03-09-2019 09:48 AM - edited 03-09-2019 09:52 AM
I attached a pic to help - don't have Visio. I also made another post as I know this is getting a bit more in depth. Basically need understanding.
Let's say HQ router is head end router with all IPSEC configs for remote sites.
The circuit goes to another location (Provider in diagram) who handles the physical connections to the remote sites.
So remote end configs for the tunnels are still built on devices at the remote site, router or ASA, etc., correct?
Would these tunnels for the remote sites be the child SAs? I am confused where or what would the main SA or tunnel be?
So does the Transport provider just need our public ip addresses since they are not supposed to know about the tunnels?
03-09-2019 10:02 AM
03-10-2019 12:57 PM
03-11-2019 07:44 PM