Multiple Inbound and Outbound SAS being established

jmyers1973
Level 1

I have IPSec tunnels configured between a Cisco 2911 IOS 15.4(3) and Calamp Vanguard 3000 running Linux Openswan U2.6.23/K2.6.27.9-CAv8.  The issue is that when the IPSec is established, I am creating multiple inbound and outbound SAs on the Cisco router:

  inbound esp sas:
      spi: 0x26AF27C7(649013191)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2263, flow_id: Onboard VPN:263, sibling_flags 80000040, crypto map: DSL_CM
        sa timing: remaining key lifetime (k/sec): (4608000/86055)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0xE3A54752(3819259730)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2265, flow_id: Onboard VPN:265, sibling_flags 80004040, crypto map: DSL_CM
        sa timing: remaining key lifetime (k/sec): (4355145/86078)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF6BA1EAA(4139392682)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2264, flow_id: Onboard VPN:264, sibling_flags 80000040, crypto map: DSL_CM
        sa timing: remaining key lifetime (k/sec): (4608000/86055)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
      spi: 0xA4FF92F6(2768212726)
        transform: esp-256-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2266, flow_id: Onboard VPN:266, sibling_flags 80004040, crypto map: DSL_CM
        sa timing: remaining key lifetime (k/sec): (4355173/86078)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)


The transform set for esp-256-aes esp-md5-hmac is not configured on the Calamp and should not be making an active connection.  I have to add it to the current crypto map or the tunnel will fail after a few seconds.  So, I have two transform-sets established on the Cisco router, but the Calamp Linux system is only configured for the SHA1 authentication, not the MD5.  I am at a loss as to why this second SPI is being established in this configuration.

Any help would be greatly appreciated.
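As an added example (not from the original post and not Cisco's own tooling), here is a small Python parser for the `show crypto ipsec sa` excerpt above. It pulls each SA's direction, SPI, transform, conn id, sibling_flags and remaining lifetime, groups SPIs by transform so that the inbound/outbound pair negotiated by one Quick Mode exchange shows up together, and flags any SA whose transform is outside the set the peer is supposed to be configured for. The sample text is constructed from the figures in the question (abridged to the lines the parser reads), the allowed-transform set is the asker's stated configuration, and the function names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample input: the 'show crypto ipsec sa' excerpt from the post,
# abridged to the lines this parser actually reads.
SAMPLE_OUTPUT = """\
   inbound esp sas:
      spi: 0x26AF27C7(649013191)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2263, flow_id: Onboard VPN:263, sibling_flags 80000040, crypto map: DSL_CM
        sa timing: remaining key lifetime (k/sec): (4608000/86055)
        Status: ACTIVE(ACTIVE)
      spi: 0xE3A54752(3819259730)
        transform: esp-256-aes esp-md5-hmac ,
        conn id: 2265, flow_id: Onboard VPN:265, sibling_flags 80004040, crypto map: DSL_CM
        sa timing: remaining key lifetime (k/sec): (4355145/86078)
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     outbound esp sas:
      spi: 0xF6BA1EAA(4139392682)
        transform: esp-256-aes esp-sha-hmac ,
        conn id: 2264, flow_id: Onboard VPN:264, sibling_flags 80000040, crypto map: DSL_CM
        sa timing: remaining key lifetime (k/sec): (4608000/86055)
        Status: ACTIVE(ACTIVE)
      spi: 0xA4FF92F6(2768212726)
        transform: esp-256-aes esp-md5-hmac ,
        conn id: 2266, flow_id: Onboard VPN:266, sibling_flags 80004040, crypto map: DSL_CM
        sa timing: remaining key lifetime (k/sec): (4355173/86078)
        Status: ACTIVE(ACTIVE)
"""


@dataclass
class IpsecSa:
    direction: str          # "inbound" or "outbound"
    proto: str              # "esp", "ah" or "pcp"
    spi: str                # hex SPI exactly as IOS prints it
    transform: str = ""     # e.g. "esp-256-aes esp-sha-hmac"
    conn_id: int = -1
    sibling_flags: str = ""
    kb_left: int = -1       # remaining key lifetime, kilobytes
    sec_left: int = -1      # remaining key lifetime, seconds


SECTION_RE = re.compile(r"^\s*(inbound|outbound)\s+(esp|ah|pcp)\s+sas:\s*$")
SPI_RE = re.compile(r"^\s*spi:\s*(0x[0-9A-Fa-f]+)")
TRANSFORM_RE = re.compile(r"^\s*transform:\s*(.+?)\s*,?\s*$")
CONN_RE = re.compile(r"conn id:\s*(\d+).*sibling_flags\s+([0-9A-Fa-f]+)")
TIMING_RE = re.compile(r"remaining key lifetime \(k/sec\):\s*\((\d+)/(\d+)\)")


def parse_ipsec_sas(text: str) -> List[IpsecSa]:
    """Walk the output line by line; a 'spi:' line opens a new SA record and
    the following indented lines fill it in until the next 'spi:' or section."""
    sas: List[IpsecSa] = []
    direction = proto = ""
    cur = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            direction, proto = m.group(1), m.group(2)
            cur = None                      # empty ah/pcp sections simply add nothing
            continue
        m = SPI_RE.match(line)
        if m:
            cur = IpsecSa(direction, proto, m.group(1))
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = TRANSFORM_RE.match(line)
        if m:
            cur.transform = m.group(1)
            continue
        m = CONN_RE.search(line)
        if m:
            cur.conn_id, cur.sibling_flags = int(m.group(1)), m.group(2)
            continue
        m = TIMING_RE.search(line)
        if m:
            cur.kb_left, cur.sec_left = int(m.group(1)), int(m.group(2))
    return sas


def group_by_transform(sas: List[IpsecSa]) -> Dict[str, Dict[str, List[str]]]:
    """One Quick Mode exchange yields an inbound and an outbound SA with the same
    transform, so grouping by transform shows each negotiated pair together."""
    groups: Dict[str, Dict[str, List[str]]] = {}
    for sa in sas:
        groups.setdefault(sa.transform, {"inbound": [], "outbound": []})[sa.direction].append(sa.spi)
    return groups


def unexpected_sas(sas: List[IpsecSa], allowed: Set[str]) -> List[IpsecSa]:
    """SAs whose transform the peer is not supposed to offer or accept."""
    return [sa for sa in sas if sa.transform not in allowed]


if __name__ == "__main__":
    parsed = parse_ipsec_sas(SAMPLE_OUTPUT)
    for transform, pair in group_by_transform(parsed).items():
        print(f"{transform}: in={pair['inbound']} out={pair['outbound']}")
    # Asker's stated peer configuration: SHA1 only, no MD5.
    for sa in unexpected_sas(parsed, {"esp-256-aes esp-sha-hmac"}):
        print(f"UNEXPECTED {sa.direction} {sa.proto} spi={sa.spi} conn id={sa.conn_id} "
              f"sibling_flags={sa.sibling_flags} lifetime={sa.kb_left}k/{sa.sec_left}s")
```

Run against the real device, paste the output into `parse_ipsec_sas` and set `allowed` to the transforms the far end is actually configured with; anything the function flags is a second Phase 2 negotiation worth tracing back with the IKE debugs the reply below points to. The differing `sibling_flags` and the lower remaining lifetime on the flagged pair are also visible in the parsed records, which helps tell the two negotiations apart in time.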


1 Reply

Marcin Latosiewicz
Cisco Employee

Truth be told, the best way is to check who's starting the QM exchange that causes those SPIs to be introduced.

I can't do it for you, but we've written a guide a couple of years back:

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/113594-trouble-ios-ike-00.html


Experience-wise, I have not seen IOS introduce in IKEv1 a transform set it's not configured to use.

IKEv2 and smart defaults are a bit different.