Hi,
I have an access-list with the following line...
permit ip host 65.119.114.3 62.140.152.0 0.0.0.31
and its crypto ipsec sa shows up as this, with no packets encaps or decaps.
protected vrf:
local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.224/0/0)
current_peer: 62.140.138.249:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors
___________________
I also show a crypto ipsec sa which doesn't correspond directly to my access-list. This is the second time I've seen this... is there any part of IPsec where the access-lists are shared with the other end? I didn't think so, but I'm not sure how we got this, if not.
protected vrf:
local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.252/0/0)
current_peer: 62.140.138.249:500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22
#send errors 0, #recv errors 0
Thanks!!
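As an added example (not part of the original post), this Python sketch compares the proxy identities in `show crypto ipsec sa` output with the crypto access-list line and reports whether each SA matches the ACL entry exactly, is narrower than it, or falls outside it. The sample input is constructed from the ACL line and the two SA entries quoted above; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the ACL line and the ident/flags lines of the two SAs quoted in the post.
ACL = "permit ip host 65.119.114.3 62.140.152.0 0.0.0.31"
SA_OUTPUT = """\
local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.224/0/0)
PERMIT, flags={origin_is_acl,}
local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.252/0/0)
PERMIT, flags={}
"""

IDENT = re.compile(r"(local|remote) ident.*\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/")
FLAGS = re.compile(r"flags=\{(.*?)\}")

def acl_networks(line):
    """Return (source, destination) networks of a 'permit ip' ACL line."""
    tokens, nets = line.split()[2:], []  # drop 'permit ip'
    while tokens:
        if tokens[0] == "host":
            nets.append(ipaddress.ip_network(tokens[1] + "/32"))
        else:  # address + wildcard mask; ip_network accepts host-mask notation
            nets.append(ipaddress.ip_network(tokens[0] + "/" + tokens[1]))
        tokens = tokens[2:]
    return tuple(nets)

def parse_sas(text):
    """Collect local/remote ident networks; each 'flags=' line closes one SA entry."""
    sas, cur = [], {}
    for line in text.splitlines():
        if m := IDENT.search(line):
            cur[m.group(1)] = ipaddress.ip_network(m.group(2) + "/" + m.group(3))
        if f := FLAGS.search(line):
            cur["origin_is_acl"] = "origin_is_acl" in f.group(1)
            sas.append(cur)
            cur = {}
    return sas

def compare(acl_line, sa_text):
    """Return (remote ident, origin_is_acl flag, verdict) for every SA entry."""
    src, dst = acl_networks(acl_line)
    rows = []
    for sa in parse_sas(sa_text):
        exact = (sa["local"], sa["remote"]) == (src, dst)
        inside = sa["local"].subnet_of(src) and sa["remote"].subnet_of(dst)
        verdict = "exact" if exact else "narrower" if inside else "outside"
        rows.append((str(sa["remote"]), sa["origin_is_acl"], verdict))
    return rows
```

For the sample above, `compare(ACL, SA_OUTPUT)` reports the /27 entry as an exact match and the /30 entry, which carries no `origin_is_acl` flag, as narrower than the ACL line.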