Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
561
Views
0
Helpful
5
Replies

ASA5500 Transport mode

fsebera
Level 4
Level 4

‎02-16-2011 06:45 AM - edited ‎03-11-2019 12:51 PM

I have an ASA5520 running IOS 8.0(4) in routed mode, single context with a security license to support 3DES and 750 VPN users.

:

I setup an L2L IPsec VPN tunnel between this ASA and a Cisco router running 15.x.

On the router, I specified transport mode.

On this ASA5520 I left to default tunnel mode (initially by accident).

:

The tunnel initialized with tunnel mode as the transport and everything works well. I can pass traffic to and through the tunnel.

:

When I tried to force the ASA5520 to use Transport, the tunnel will not initialize.

If I remove the ASA5520 from the picture and swap in another Cisco router, everything works well in Transport mode.

:

QUESTION: Is TRANSPORT mode supported on the ASA5520 with L2L IPsec tunnels with IOS 8.0(4)?

:
:

crypto ipsec transform-set <name> esp-3des esp-sha-hmac

mode transport

:

Tks

Frank

Labels:
0 Helpful
5 Replies 5

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎02-16-2011 06:53 AM

Frank,

I've used transport mode in IOS routers to avoid re-encapsulating the packet in IPsec (when it's already encapsulated in GRE).

ASAs won't support GRE.

Transport mode is only intended when the VPN final destination is also the VPN endpoint for the tunnel itself.

I guess my question is why are you trying to set up a L2L tunnel using transport mode (if not using GRE)?

Assuming you want to communicate devices that are behind the ASA across the tunnel.

Federico.

0 Helpful

fsebera
Level 4
Level 4
In response to Federico Coto Fajardo

‎02-16-2011 07:11 AM

. . . Because when the packet arrives at the remote router (before being encrypted again by this R-to-ASA tunnel), it has been encrypted twice already - Not my choice, I don't make the rules here, I just have to follow 'em.

:

The strange thing here is the ASA ignores the mode (transport) presented in the initial setup.

:

Is the router relaxing the transport mode rules while the ASA is enforcing 'em?

Regards

Frank

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to fsebera

‎02-16-2011 07:53 AM

I know the ASA supports transport mode for remote L2TP/IPsec connections.

Tunnel mode is the default and usual configuration for L2L.

However, I don't seem to find any indication that transport mode is not supported for L2L.

I am going to see if I can either find you some information or do a test myself.

Could you include a simple drawing of your scenario just for reference?


Federico.

0 Helpful

fsebera
Level 4
Level 4
In response to Federico Coto Fajardo

‎02-16-2011 08:48 AM

Hey Federico,

:

Very crude setup.

When the mobile router (Mobile_R1) receives a packet, the packet has already been encrypted two times. MTU is in the 1200 range at R2. The packet still has several additional VPN tunnels to traverse before the final destination is reached.

:

Mobile_R1----R2-----FW1_DMZ------FW2_DMZ---Server(s)

:

Logical link between Mobile_R1 and FW1 (L2L tunnel) should function in Transport mode but will not, only tunnel mode.

Frank

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card