Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1220
Views
15
Helpful
8
Replies

Cisco ASA ikev2 local selector

andreycgipokorskiy
Level 1
Level 1

‎11-10-2022 12:55 PM

Hello Everyone! 
We have the VPN installed with a remote client, but I have not seen a local/remote selector for some IP range in the VPN tunnel. The ACL is already set and an interesting IP subnet has been added to it.
I have a question, how will the selectors be added to the tunnel?
Is it added by the ACL and crypto map?
Is it possible if the remote site does not have our IP address added or removed from his (client's) ACL, and for that reason we don't see a remote/local selector for that subnet in the tunnel?

Thank you!                                                                                                                                                             Regards,                                                                                                                                                                  AP

Labels:
8 Replies 8

Rob Ingram
VIP
VIP

‎11-10-2022 12:59 PM

@andreycgipokorskiy assuming you have configured a policy based VPN (with a crypto map), then the crypto ACL needs modifying to specify the new networks to be encrypted.

If you are running a routed based VPN with a VTI, this does not use a crypto ACL to specify what should be encrypted. You just need to ensure the route is advertised using the dynamic routing protocol. If not using a routing protcol, the remote peer would need to define a static route over the tunnel.

andreycgipokorskiy
Level 1
Level 1
In response to Rob Ingram

‎11-10-2022 01:08 PM

Hello Rob
If I got it right the selector mean that the selectors are the IP or range that been added to ACL and that ACL was added to crypto-map. Is it correct? And if we didn't see the local and remote selector in the tunnel it is mean that other side (client) have no or removed our IP from his ACL?

Thank you!

0 Helpful

Rob Ingram
VIP
VIP
In response to andreycgipokorskiy

‎11-10-2022 01:15 PM

Hi @andreycgipokorskiy yes, the traffic selector refers to the interesting traffic defined in the ACL that should be encrypted.

Interesting traffic would need to be sent to/from the local/remote traffic selector in order for the IPSec SA to be established. So if you do not see the IPSec SA for the traffic selector, either there is a problem on the local or remote end or simply you just need to generate some traffic.

andreycgipokorskiy
Level 1
Level 1
In response to Rob Ingram

‎11-10-2022 01:18 PM

Thanks for your help Rob!

0 Helpful

MHM Cisco World
VIP
VIP

‎11-13-2022 10:34 AM

you dont see selector are the new LAN you add can ping other side ??

0 Helpful

andreycgipokorskiy
Level 1
Level 1
In response to MHM Cisco World

‎11-14-2022 06:18 AM

Hello MHM

No I can't as this IP on client side and ICMP is not allowed

0 Helpful

MHM Cisco World
VIP
VIP
In response to andreycgipokorskiy

‎11-14-2022 06:21 AM

not ICMP any traffic can pass between new local LAN and remote LAN ?

0 Helpful

andreycgipokorskiy
Level 1
Level 1
In response to MHM Cisco World

‎11-28-2022 07:56 AM

Hello MHM
I can't ping remote LAN IP
I tried to find if the remote site lost our external IP in ACL
No lack

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents