03-23-2012 12:39 AM - edited 03-11-2019 03:46 PM
Query regarding VPN tunnel on router
Say on site A, below are the ISAKMP policies:
crypto isakmp policy 10
authentication pre-share
group 2
encryption 3des
hash sha
lifetime 86400
crypto isakmp policy 20
authentication pre-share
group 2
encryption aes
hash md5
lifetime 86400
From site A I have created a site-to-site VPN with site B using policy 10.
From site A I have created a site-to-site VPN with site C using policy 20.
But when I checked on the site C router there was no policy matching 20. But there was a policy matching 10.
Has site C used policy 10 and brought phase 1 up? If so, how can I check that it has used policy 10?
Let's say site A has used a 10.x.x.x LAN IP for the interesting traffic in the VPN and has NATted it to 202.x.x.x:
ip nat inside source static 10.x.x.x 202.x.x.x
ip access-list extended test
 permit ip host 10.x.x.x 172.x.x.x
172.x.x.x is the far-end LAN IP.
Here I have used the 10.x.x.x range in the interesting traffic and it is NATted to 202.x.x.x.
If I have told the far end that my interesting traffic is 10.x.x.x, will there be any data transfer with site B,
since I have NATted to 202.x.x.x and have given 10.x.x.x as interesting traffic to the far end?
Or do I need to share the public IP as the interesting traffic?
03-23-2012 02:26 AM
Hi,
I'm not sure if you can see the Phase 1 parameters that were used. Though you can see the Phase 1 parameters used if you debug ISAKMP while the VPN connection is forming.
To my understanding the number after isakmp policy is the order/sequence number in which the device tries to negotiate the parameters with the remote device to find the matching settings. As I said before, using debug while the connection is forming is a good way to check what is happening regarding the Phase 1 policy being chosen.
Regarding the interesting traffic, I think you need to use the public network range in the VPN configurations (202.x.x.x). The encryption domain access-lists have to be mirror images of each other.
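As an added illustration that is not part of the original thread, the constructed IOS fragments below show the situation described above: site A's policy 20 (aes/md5) has no counterpart at site C, so the peers can only agree on the 3des/sha parameters, and both crypto ACLs are written against the translated public address as mirror images. The addresses 10.1.1.10, 203.0.113.10 (standing in for the post's 202.x.x.x), 172.16.20.0/24, 198.51.100.1/2 and the policy, ACL and map names are constructed placeholders.

```cisco
! ---- Site A ----
! IKEv1 matches on auth/encryption/hash/DH group, not on the sequence number.
! Policy 20 matches nothing at site C, so policy 10 is what is negotiated.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto isakmp key EXAMPLE-PSK address 198.51.100.2
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! For inside-to-outside traffic IOS applies NAT before encryption, so the
! crypto ACL must match the translated (public) host, not 10.1.1.10.
ip nat inside source static 10.1.1.10 203.0.113.10
ip access-list extended VPN-TO-SITEC
 permit ip host 203.0.113.10 172.16.20.0 0.0.0.255
!
crypto map CM 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address VPN-TO-SITEC
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
 crypto map CM
!
! ---- Site C ----
! Only one policy exists here; it is the one both ends agree on.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp key EXAMPLE-PSK address 198.51.100.1
! Mirror image of site A's crypto ACL, also using the public address.
ip access-list extended VPN-TO-SITEA
 permit ip 172.16.20.0 0.0.0.255 host 203.0.113.10
! (transform set and crypto map mirror site A with peer 198.51.100.1)
!
! Verify the negotiated Phase 1 parameters on either router without debugs:
!   show crypto isakmp sa detail   -> Encr, Hash, Auth, DH per IKE SA
!   show crypto session detail     -> peer, IKE SA, IPsec SA and matched ACL
```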
03-26-2012 02:34 AM
Hi JouniForss
I have found one way, without debugging, to see the phase 1 and phase 2 policies negotiated by the peers, i.e. via ASDM.
In ASDM version 6.4:
Click the Monitoring tab and select VPN. In the filter, select IPsec site-to-site.
You will find the peer IP. Right-click the peer IP and click Details; you will find the phase 1 policy and phase 2 policy negotiated.