05-12-2011 10:16 PM - edited 02-21-2020 05:20 PM
Hi all, I have a basic question regarding IPsec SA creation. My understanding has always been that IPsec SAs are always a subset of the traffic pairs defined in the local crypto ACL. Say the local crypto ACL protects 10.1.1.0/24 to 10.2.2.0/24 and 10.1.1.0/24 to 10.2.3.0/24; we should either see one SA protecting traffic between 10.1.1.0/24 and 10.2.2.0/24, or two SAs protecting both, but we should never see an IPsec SA that encrypts/decrypts traffic between 10.1.1.0/24 and 10.2.0.0/16, correct? Yet I do see such an IPsec SA created on the local ASA, and it is causing a connectivity problem. The remote-side ASA happens to have a crypto ACL that allows 10.2.0.0/16 to 10.1.1.0/24. Since the crypto ACL contents are never exchanged during IPsec negotiation, in what scenario will an IPsec SA be created outside of the local crypto ACL definition?
05-12-2011 11:28 PM
Hi
The crypto access list contents are exchanged as proxy identities. Both sides agree on interesting traffic, and the access lists on both sides need to be a mirror of each other.
In your case the SA is negotiated to a subnet which is the superset of the subnet defined locally. Although that doesn't seem right, the access lists need to match anyway; if you configure it that way you won't get this abnormal behaviour.
Thanks,
Asim
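As an added illustration (not code from the thread or from Cisco), the following Python snippet parses the local/remote proxy identities of a negotiated SA from a constructed excerpt of `show crypto ipsec sa` style output, checks whether that SA falls inside the local crypto ACL, and reports which local ACL entries have no mirror image on the peer. The output layout and the two ACLs are constructed for the example.

```python
import re
from ipaddress import ip_network

# Constructed sample data: crypto ACL entries as (source, destination) pairs,
# using the subnets from the question.
LOCAL_CRYPTO_ACL = [
    ("10.1.1.0/24", "10.2.2.0/24"),
    ("10.1.1.0/24", "10.2.3.0/24"),
]
REMOTE_CRYPTO_ACL = [("10.2.0.0/16", "10.1.1.0/24")]

# Constructed excerpt modelled on 'show crypto ipsec sa' identity lines; the
# exact layout is an assumption for this example, not copied from a device.
SHOW_SA_OUTPUT = """\
   local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
"""

IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)"
)


def parse_sa_identities(text):
    """Return {'local': network, 'remote': network} parsed from ident lines."""
    found = {}
    for side, addr, mask in IDENT_RE.findall(text):
        found[side] = ip_network(f"{addr}/{mask}")   # dotted mask accepted
    return found


def sa_within_acl(local_net, remote_net, acl):
    """True if the SA selectors are covered by at least one crypto ACL entry."""
    return any(
        local_net.subnet_of(ip_network(src)) and remote_net.subnet_of(ip_network(dst))
        for src, dst in acl
    )


def check_sa(text, acl):
    """Parse an SA's identities and test them against the local crypto ACL."""
    ids = parse_sa_identities(text)
    return sa_within_acl(ids["local"], ids["remote"], acl)


def mirror_mismatches(local_acl, remote_acl):
    """Local entries whose mirrored (dst, src) pair is missing on the peer."""
    mirrored = {(ip_network(dst), ip_network(src)) for src, dst in remote_acl}
    return [
        (src, dst) for src, dst in local_acl
        if (ip_network(src), ip_network(dst)) not in mirrored
    ]
```

Running `check_sa(SHOW_SA_OUTPUT, LOCAL_CRYPTO_ACL)` on the sample returns `False`, flagging the 10.2.0.0/16 SA the question describes, and `mirror_mismatches` lists both local entries because the peer's /16 entry mirrors neither of them.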
05-13-2011 09:22 AM
Hi Asim, thanks a lot for your time. After I cleared the IPsec SA to the peer, that offending SA did not reappear, so everything returned to normal. When the problem happens again, I will post the IPsec SAs and the local crypto ACL configuration.
05-13-2011 10:02 AM
Sure. No problem