
IPsec SA created but traffic pair not defined in crypto ACL

oldcreek12
Level 1

Hi, all, I have a basic question regarding IPsec SA creation. My understanding has always been that IPsec SAs are always a subset of the traffic pairs defined in the local crypto ACL. Say the local crypto ACL protects 10.1.1.0/24 to 10.2.2.0/24 and 10.1.1.0/24 to 10.2.3.0/24; we should either see one SA protecting traffic between 10.1.1.0/24 and 10.2.2.0/24 or two SAs protecting both, but we should never see an IPsec SA that encrypts/decrypts traffic between 10.1.1.0/24 and 10.2.0.0/16, correct? Yet I do see such an IPsec SA created on the local ASA, and it is causing a connectivity problem. The remote-side ASA happens to have a crypto ACL that allows 10.2.0.0/16 to 10.1.1.0/24. The crypto ACL contents are never exchanged during IPsec negotiation, so in what scenario will an IPsec SA be created outside of the local crypto ACL definition?

3 Replies

Asim Malik
Level 1

Hi

The crypto access list contents are exchanged as proxy identities. Both sides agree on interesting traffic, and the access lists on both sides need to be a mirror of each other.

In your case the SA is negotiated to a subnet which is a superset of the subnet defined locally. Although that doesn't seem right, the access lists need to match anyway; if you configure it that way you won't get this abnormal behaviour.

Thanks,

Asim
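An added example, not part of this thread, that performs the two checks Asim describes in Python: whether a negotiated SA's proxy identity pair is a subset of some local crypto ACL entry, and whether two peers' crypto ACLs mirror each other. The local ACL uses the subnets from the original post; the remote ACL is a constructed guess at the peer's configuration, not a captured one.

```python
# Added example (not from the thread): audit negotiated IPsec proxy identities
# against the local crypto ACL, and check that two peers' crypto ACLs mirror.
from ipaddress import ip_network

# Constructed local crypto ACL from the post: (local subnet, remote subnet)
LOCAL_CRYPTO_ACL = [
    (ip_network("10.1.1.0/24"), ip_network("10.2.2.0/24")),
    (ip_network("10.1.1.0/24"), ip_network("10.2.3.0/24")),
]

# Constructed remote peer's crypto ACL, written from the peer's point of view
# (assumed; the post only says the peer allows 10.2.0.0/16 to 10.1.1.0/24)
REMOTE_CRYPTO_ACL = [
    (ip_network("10.2.0.0/16"), ip_network("10.1.1.0/24")),
]


def sa_covered_by_acl(local_id, remote_id, acl):
    """True if the SA's proxy identities (local, remote) are contained in
    some crypto ACL entry, i.e. the SA is a subset of what the ACL protects."""
    local_id, remote_id = ip_network(local_id), ip_network(remote_id)
    return any(local_id.subnet_of(src) and remote_id.subnet_of(dst)
               for src, dst in acl)


def mirror_mismatches(local_acl, remote_acl):
    """Return local ACL entries the remote peer does not mirror exactly.
    A mirror is the same pair with source and destination swapped."""
    remote_pairs = {(dst, src) for src, dst in remote_acl}
    return [(src, dst) for src, dst in local_acl
            if (src, dst) not in remote_pairs]


def report(local_acl, remote_acl, sa_pairs):
    """Print which negotiated SAs fall outside the local ACL and which local
    entries lack a mirror on the peer; returns the count of problems found."""
    problems = 0
    for local_id, remote_id in sa_pairs:
        if not sa_covered_by_acl(local_id, remote_id, local_acl):
            print(f"SA {local_id} <-> {remote_id} is NOT covered by local ACL")
            problems += 1
    for src, dst in mirror_mismatches(local_acl, remote_acl):
        print(f"ACL entry {src} -> {dst} has no mirror on the remote peer")
        problems += 1
    return problems


if __name__ == "__main__":
    # The offending SA from the post beside a legitimate one
    report(LOCAL_CRYPTO_ACL, REMOTE_CRYPTO_ACL,
           [("10.1.1.0/24", "10.2.2.0/24"), ("10.1.1.0/24", "10.2.0.0/16")])
```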

Hi, Asim, thanks a lot for your time, after I cleared the IPsec SA to the peer, that offending SA did not appear, so everything returned to normal. When the problem happens again, I will post IPsec SAs and local crypto ACL configuration.

Sure. No problem