09-08-2008 05:50 AM - edited 02-21-2020 03:55 PM
3002-->5520.
Under system status of the 3002. I have:
IKE | public ip of 5520 | etc....
IPSEC | public ip of 5520 | 3DES | HMAC/SHA-1| 0 | 0 | 0 | 0
IPSEC | 0.0.0.0/0.0.0.0 | etc....
Why do I have an IPsec tunnel with a remote address for the public interface of my ASA? I don't have any split tunneling configured either?
09-08-2008 11:31 AM
Marshall
Perhaps there is something that I am not understanding correctly. I thought that you were indicating that the 3002 has a VPN connection to the ASA (when you say 3002-->5520).
So why are you surprised that the 3002 has an IKE (ISAKMP) and an IPSec SA to the ASA?
If I have failed to understand some aspect of the question then please clarify.
HTH
Rick
09-08-2008 11:36 AM
Correct. The 3002 hardware client connects to an ASA 5520. Once the tunnel is established, I see 1 IKE session and 2 IPsec sessions.
For a regular VPN user, I have 1 IKE and 1 IPsec session...
09-08-2008 11:39 AM
Looks like you have multiple security associations defined for the tunnel.
09-08-2008 11:44 AM
How do I define what SAs go with each tunnel? Is this done through the ASA or the hardware client?
09-08-2008 11:52 AM
In the ASA, each SA would be a separate entry in the crypto map match access list. The example below would be 2 SAs.
access-list outside_cryptomap_1 extended permit ....
access-list outside_cryptomap_1 extended permit ....
crypto map outside_map 1 match address outside_cryptomap_1
09-08-2008 12:48 PM
09-08-2008 01:43 PM
If there are no corresponding lines like these...
crypto map outside_map x match address Outside_cryptomap_2
or
crypto map outside_map x match address Outside_cryptomap_3
...then these lines are doing nothing at all.
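To make the two replies above concrete (one permit entry in the matched access-list per expected SA, and an access-list that no crypto map references does nothing), here is an added audit script that is not part of the thread and not Cisco's code. It parses a constructed ASA config fragment; the access-list names and addresses are made-up sample values.

```python
import re
from collections import defaultdict

# Constructed sample ASA config (illustrative only, not from the thread).
# Outside_cryptomap_2 is deliberately not referenced by any crypto map entry.
SAMPLE_CONFIG = """
access-list outside_cryptomap_1 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list outside_cryptomap_1 extended deny ip any any
access-list Outside_cryptomap_2 extended permit ip 10.1.1.0 255.255.255.0 10.4.4.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 203.0.113.10
"""

# Only permit entries describe traffic to protect; deny entries do not create SAs.
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\b")
MATCH_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)$")


def audit_crypto_acls(config: str):
    """Return (expected SAs per crypto map entry, crypto ACLs no map references).

    Expected SA count = number of permit entries in the matched access-list,
    which is the rule of thumb given in the thread. ACL names are matched
    case-sensitively, as the ASA treats them.
    """
    permit_counts = defaultdict(int)
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            permit_counts[m.group(1)] += 1

    sa_per_entry = {}
    referenced = set()
    for line in config.splitlines():
        m = MATCH_RE.match(line.strip())
        if m:
            map_name, seq, acl = m.groups()
            referenced.add(acl)
            sa_per_entry[f"{map_name} {seq}"] = permit_counts.get(acl, 0)

    # Access-lists that look like crypto ACLs but are matched by no crypto map
    # entry have no effect on tunnel negotiation.
    unreferenced = sorted(acl for acl in permit_counts if acl not in referenced)
    return sa_per_entry, unreferenced


if __name__ == "__main__":
    print(audit_crypto_acls(SAMPLE_CONFIG))
```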