11-11-2020 08:56 AM
There's a crypto map that already existed and I edited one of the entries to change the Diffie-Hellman group and the lifetime. The SA table doesn't show the change. Do I need to delete that entry in the crypto map and then recreate it?
Here's the crypto map right now:
Crypto Map IPv4 "ToVendor" 18 ipsec-isakmp
Description: To_Monitor
Peer = x.x.x.x
Extended IP access list 123
access-list 123 permit ip host 10.175.239.239 192.168.200.0 0.0.3.255
access-list 123 permit ip host 10.162.239.239 192.168.200.0 0.0.3.255
access-list 123 permit ip host 10.174.239.239 192.168.200.0 0.0.3.255
access-list 123 permit ip host 10.174.239.240 192.168.200.0 0.0.3.255
access-list 123 permit ip host 10.51.239.10 192.168.200.0 0.0.3.255
Current peer: x.x.x.x
Security association lifetime: 4608000 kilobytes/28800 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group5
Mixed-mode : Disabled
Transform sets={
ESP-AES-256-SHA256: { esp-256-aes esp-sha256-hmac } ,
}
Interfaces using crypto map ToVendor:
GigabitEthernet0/1
Here's the shortened output for the crypto ipsec sa:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.174.239.239/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.200.0/255.255.252.0/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Thanks for any help
11-11-2020 09:01 AM
That IPSec SA isn't formed properly, there are no inbound|outbound esp sas.
You shouldn't need to delete the crypto map entry; clear the crypto isakmp|ipsec SAs and then generate some traffic in order to establish the tunnel.
HTH
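As an added example that is not part of the thread, a small Python check that parses the shape of "show crypto ipsec sa" output quoted above and reports why the SA is unusable (no ESP SAs, zero SPI), comparing PFS/DH only once an SA actually exists. The sample output and the CRYPTO_MAP values are constructed to mirror the poster's crypto map and SA excerpt.

```python
import re

# Constructed sample, modelled on the "show crypto ipsec sa" excerpt in the thread.
SAMPLE_SA_OUTPUT = """\
current_peer x.x.x.x port 500
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
"""
# What the crypto map entry in the thread is configured to negotiate.
CRYPTO_MAP = {"pfs": "Y", "dh_group": "group5"}

def parse_sa(text):
    """Pull out the fields that show whether IPsec phase 2 actually completed."""
    sa = {"spi": None, "pfs": None, "dh_group": None,
          "esp_sas": {"inbound": 0, "outbound": 0}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"current outbound spi: (0x[0-9a-fA-F]+)", line):
            sa["spi"] = int(m.group(1), 16)
        elif m := re.match(r"PFS \(Y/N\): (\w), DH group: (\S+)", line):
            sa["pfs"], sa["dh_group"] = m.group(1), m.group(2)
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            # Only count "spi:" lines listed under the esp headings.
            section = m.group(1) if m.group(2) == "esp" else None
        elif section and line.startswith("spi:"):
            sa["esp_sas"][section] += 1
    return sa

def diagnose(sa, crypto_map):
    """Return human-readable findings; an empty list means the SA looks healthy."""
    findings = []
    established = sa["esp_sas"]["inbound"] > 0 and sa["esp_sas"]["outbound"] > 0
    if not established:
        findings.append("no inbound/outbound ESP SAs: phase 2 never completed")
    if not sa["spi"]:
        findings.append("outbound SPI is 0x0: nothing has been negotiated")
    # PFS/DH only mean something once an SA exists; before that IOS shows N/none.
    if established and (sa["pfs"], sa["dh_group"]) != (crypto_map["pfs"], crypto_map["dh_group"]):
        findings.append(f"negotiated PFS {sa['pfs']}/{sa['dh_group']} differs from "
                        f"crypto map {crypto_map['pfs']}/{crypto_map['dh_group']}")
    return findings
```

Run `diagnose(parse_sa(SAMPLE_SA_OUTPUT), CRYPTO_MAP)` to get the findings for the excerpt above; an established SA with matching PFS/DH returns an empty list.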
11-11-2020 09:31 AM - edited 11-11-2020 09:33 AM
So the Diffie-Hellman group not showing in the IPsec SA output isn't an issue?
11-11-2020 09:34 AM
If the IPSec SA wasn't established correctly before, then no, possibly not.
Has the VPN worked before?
Double check the crypto map ACL that defines interesting traffic and isakmp/ipsec policies.
Run the debugs isakmp|ipsec and provide the output for review.
11-11-2020 12:10 PM
No the tunnel has never been up before. There's an extended access-list on the port. I'm assuming the issue might be there. If I add a sequence to permit esp from their host and udp-eq isakmp I'm hoping that it will come up.
11-11-2020 12:15 PM
An ACL on the outside interface inbound? Then yes, you'll need to ensure ESP, UDP/500 and, if NAT is in the path, UDP/4500.