ASR1002 IPSEC VPN vs ISR 3945

Krasnoperov
Level 1

Hi, I have a simple config which I move from one production router to another.

It works fine on ISR 3945:

crypto isakmp policy 15
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key XXX address 15x.65.x.23    no-xauth
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set vpn_trans esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec df-bit clear
!
!
!
crypto map D_CrMap 10 ipsec-isakmp
 set peer 15x.65.x.23
 set security-association lifetime kilobytes 4000000
 set security-association lifetime seconds 28800
 set transform-set vpn_trans
 set pfs group5
 match address 101
!
!
!
!
!
!
!
!
interface Loopback0
 description -=IPSEC-VPN=-
 ip address 46.2x.x.99 255.255.255.255
 crypto map D_CrMap
interface TenGigabitEthernet0/2/0.301
 description -=ISP=-
 encapsulation dot1Q 301
 ip address 46.2x.x.66 255.255.255.248
 ip nat outside
 ip flow ingress
 ip flow egress

BUT DOES NOT work on ASR1002; in fact I see the tunnel, but nothing in the counters of traffic inside the tunnel:

sh crypto ipsec sa
interface: Loopback0
    Crypto map tag: D_CrMap, local addr 46.2x.x.99
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.x.5x.6/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (153.y.y.20/255.255.255.255/0/0)
   current_peer 15x.65.x.23 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 46.2x.x.99, remote crypto endpt.: 15x.65.x.23
     plaintext mtu 1454, path mtu 1514, ip mtu 1514, ip mtu idb Loopback0
     current outbound spi: 0x9822B722(2562897698)
     PFS (Y/N): Y, DH group: group5
     inbound esp sas:
      spi: 0x23423423E(2234234234)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2009, flow_id: HW:9, sibling_flags 80000048, crypto map: D_CrMap
        sa timing: remaining key lifetime (k/sec): (4000000/2895)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x92342342(2234234498)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2010, flow_id: HW:10, sibling_flags 80000048, crypto map: D_CrMap
        sa timing: remaining key lifetime (k/sec): (4000000/2895)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound ah sas:
     outbound pcp sas:
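
The condition reported above (ESP SAs ACTIVE in both directions while the encaps/decaps counters stay at 0) can be checked across every protected flow with a small parser. This is an added example, not part of the original post: the sample output is constructed, and the function names and category labels are hypothetical.

```python
import re

# Constructed sample modelled on the post's output; addresses are placeholders.
SAMPLE = """\
   local  ident (addr/mask/prot/port): (10.0.0.6/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (198.51.100.20/255.255.255.255/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
        Status: ACTIVE(ACTIVE)
   local  ident (addr/mask/prot/port): (10.0.0.7/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (198.51.100.20/255.255.255.255/0/0)
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
        Status: ACTIVE(ACTIVE)
"""

def parse_flows(text):
    # One dict per protected flow; a "local ident" line starts a new flow.
    flows = []
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"local\s+ident .*: \((\S+)\)", s):
            flows.append({"local": m[1], "remote": None, "encaps": 0, "decaps": 0, "active": 0})
        elif not flows:
            continue  # interface / crypto map header lines before the first flow
        elif m := re.match(r"remote\s+ident .*: \((\S+)\)", s):
            flows[-1]["remote"] = m[1]
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", s):
            flows[-1][m[1]] = int(m[2])
        elif s.startswith("Status: ACTIVE"):
            flows[-1]["active"] += 1  # counts inbound + outbound ACTIVE SAs
    return flows

def diagnose(flow):
    # Labels are hypothetical; "up-but-no-traffic" is the symptom in the post.
    if flow["active"] < 2:
        return "sa-not-established"
    idle = [k for k in ("encaps", "decaps") if flow[k] == 0]
    return {0: "passing-traffic", 1: "one-way-traffic", 2: "up-but-no-traffic"}[len(idle)]

if __name__ == "__main__":
    for f in parse_flows(SAMPLE):
        print(f["local"], "->", f["remote"], diagnose(f))
```

The classification only describes what the counters show; it does not identify why packets are not reaching the crypto map.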
