1648 Views, 5 Helpful, 17 Replies

GETVPN "show crypto ipsec sa" output question

whistleblower14 (Level 1)

Hi,

I'm dealing with GETVPN and I have a question regarding the output of "show crypto ipsec sa".

The ACL on the KS is configured the following way:

permit ip 172.16.0.0 0.3.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.3.255.255

Why does the crypto ipsec output on the GM show the encrypted and decrypted packets in different sections/lines?

local ident (addr/mask/prot/port): (172.16.0.0/255.252.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 271179882, #pkts decrypt: 271179882, #pkts verify: 271179882

local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.252.0.0/0/0)
#pkts encaps: 255682246, #pkts encrypt: 255682246, #pkts digest: 255682246
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

17 Replies


I reviewed some GETVPN material and found that Cisco mentions using an ACL for encrypting data and the effect of permit ip any any on the number of SAs on the GM,
so can you confirm that the KS pushes the ACL with

permit ip 172.16.0.0 0.3.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.3.255.255

instead of 

permit ip any any

I don't use a permit ip any any configuration in the crypto ACL on the KS, so yes, I can confirm that the KS pushes the ACL that way to the GMs:

permit ip 172.16.0.0 0.3.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.3.255.255

and for each line a dedicated SA is built; that's the "issue" I'm facing.

I ran a lab and added two ACL lines:
permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255

permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255

and I get, as you do, two SAs, one encrypt and the other decrypt,

so as I mentioned before, this is BECAUSE of asymmetric behaviour, because we did not add permit ip any any.


IOU2#show crypto ipsec sa

interface: Ethernet0/0
Crypto map tag: mhm-1, local addr 110.0.0.2

protected vrf: (none)
local ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
Group: mhm-1
current_peer 0.0.0.0 port 848
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
Group: mhm-1
current_peer 0.0.0.0 port 848
PERMIT, flags={}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
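As an added example (not code from the thread, and not a Cisco tool), the Python script below parses the "show crypto ipsec sa" output posted above and pairs each SA with the SA for the mirrored ACL line. It shows the point made in the thread in code: with the two mirrored crypto ACL lines the GM holds two SAs, one carrying only encrypted (encaps) traffic and the other only decrypted (decaps) traffic, and the per-direction totals only make sense once the mirror SAs are read together. The regexes assume the exact IOS line format shown on this page; SAMPLE_OUTPUT is the IOU2 output from the thread, abridged to the lines the parser needs, and the direction labels ("encrypt-only", "decrypt-only", "both", "idle") are names chosen for this example.

```python
"""Parse IOS "show crypto ipsec sa" output and pair the per-ACL-line GETVPN SAs.
Each "local ident"/"remote ident" block is one IPsec SA; with a mirrored crypto
ACL on the KS the GM installs one SA per ACL line, one per traffic direction."""
import re
from dataclasses import dataclass, field

# Sample input: the IOU2 output posted in the thread, abridged to the lines the
# parser uses, embedded here so the example runs offline.
SAMPLE_OUTPUT = """\
IOU2#show crypto ipsec sa

interface: Ethernet0/0
Crypto map tag: mhm-1, local addr 110.0.0.2

protected vrf: (none)
local ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
Group: mhm-1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
#send errors 0, #recv errors 0

protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
Group: mhm-1
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
"""

# Matches "local ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)"
IDENT_RE = re.compile(
    r"^(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/(\d+)/(\d+)\)"
)
# Matches every "#pkts <name>: <value>" on a counter line, e.g. "#pkts encrypt: 4"
COUNTER_RE = re.compile(r"#pkts ([a-z][a-z. ]*?): (\d+)")


@dataclass
class IpsecSa:
    local: str                    # local traffic selector, addr/mask
    remote: str = ""              # remote traffic selector, addr/mask
    counters: dict = field(default_factory=dict)

    def direction(self) -> str:
        """Which way this SA has actually carried traffic, judged from its counters."""
        enc, dec = self.counters.get("encrypt", 0), self.counters.get("decrypt", 0)
        if enc and dec:
            return "both"
        if enc:
            return "encrypt-only"
        if dec:
            return "decrypt-only"
        return "idle"

    def counters_consistent(self) -> bool:
        """encaps/encrypt/digest and decaps/decrypt/verify agree, as in both outputs on this page."""
        c = self.counters
        return (c.get("encaps", 0) == c.get("encrypt", 0) == c.get("digest", 0)
                and c.get("decaps", 0) == c.get("decrypt", 0) == c.get("verify", 0))


def parse_crypto_ipsec_sa(text: str) -> list:
    """Split the output into one IpsecSa per local/remote ident block."""
    sas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m:
            side, addr, mask = m.group(1), m.group(2), m.group(3)
            if side == "local":          # a new SA begins with its local ident
                current = IpsecSa(local=f"{addr}/{mask}")
                sas.append(current)
            elif current is not None:
                current.remote = f"{addr}/{mask}"
            continue
        if current is not None:
            for name, value in COUNTER_RE.findall(line):
                current.counters[name] = int(value)
    return sas


def pair_mirror_sas(sas: list) -> list:
    """Pair each SA with the SA whose selectors are reversed (the mirrored ACL line)."""
    by_key = {(sa.local, sa.remote): sa for sa in sas}
    pairs, seen = [], set()
    for sa in sas:
        key, mirror_key = (sa.local, sa.remote), (sa.remote, sa.local)
        if key in seen:
            continue
        seen.update({key, mirror_key})
        pairs.append((sa, by_key.get(mirror_key)))  # mirror is None if that line is missing
    return pairs


def summarize(text: str) -> list:
    """One entry per mirror pair: the direction each SA carries plus the combined totals."""
    report = []
    for sa, mirror in pair_mirror_sas(parse_crypto_ipsec_sa(text)):
        both = [sa] + ([mirror] if mirror else [])
        report.append({
            "sa": f"{sa.local} -> {sa.remote}",
            "direction": sa.direction(),
            "mirror_direction": mirror.direction() if mirror else None,
            "encrypted": sum(s.counters.get("encrypt", 0) for s in both),
            "decrypted": sum(s.counters.get("decrypt", 0) for s in both),
            "counters_consistent": all(s.counters_consistent() for s in both),
        })
    return report


if __name__ == "__main__":
    for entry in summarize(SAMPLE_OUTPUT):
        print(entry)
```

On the thread's output this reports one pair, 20.0.0.0/24 -> 10.0.0.0/24 as decrypt-only and its mirror as encrypt-only, with 4 packets encrypted and 2 decrypted in total; a pair whose mirror comes back as None, or an SA reporting "both", would mean the KS ACL is not the simple mirrored pair discussed here and is worth a look.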