06-25-2010 03:57 AM - edited 02-21-2020 04:42 PM
Hi,
I have a central location (Location-2) which connects to two site-to-site VPN locations (Location-1 & Location-3). Traffic flows between Location-2 and Location-1 and also between Location-2 and Location-3. Now, the requirement is to establish traffic from Location-1 to Location-3 without establishing a site-to-site VPN between Location-1 and Location-3.
The scenario is like this:
Location 1 (192.168.205.0/24) <-------------> Location 2 (10.192.153.0/24) <------------> Location 3 (10.0.57.0/27)
VPN Exists between:
Location 1 & Location 2
Location 2 & Location 3
Now, I want to reach from 192.168.205.17 (Location 1 server) to 10.0.57.10 (Location 3 server).
I have added the subnets into the existing tunnels.
Location 1 (Protected networks): --- Source 192.168.205.0/24
Destination 10.192.153.0/24 & 10.0.57.0/27
Location 2 (Protected network in the tunnel created to Location1 ) --- Source 10.192.153.0/24 & 10.0.57.0/27
Destination 192.168.205.0/24
Location 2 (Protected network in the tunnel created to Location 3) ---- Source 10.192.153.0/24 & 192.168.205.0/24
Destination 10.0.57.0/27
Location 3 (Protected Network) --- Source 10.0.57.0/27
Destination 10.192.153.0/24 & 192.168.205.0/24
Location 1 and Location 2 have ASA 5520s. Location 3 is the customer's site and I am not aware of the device.
In order to permit the intra-interface traffic, this command is configured on the Location 2 ASA:
"same-security-traffic permit intra-interface"
Still I am not able to reach Location 3 from Location 1.
When I do a packet trace at Location 2 on the Internet interface (where the VPN is terminated)
with source 192.168.205.17
and destination 10.0.57.10, protocol ip,
then I see the message "IPSEC SPOOF Detected" and the packet is dropped.
Any help on how to resolve this issue?
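To make the hub-side checks in the question concrete, here is an added example (my own code, not from this thread or from Cisco) that models how a hub ASA's two crypto ACLs must both cover a spoke-to-spoke flow, and why a packet injected in clear text on the VPN interface is reported as an IPsec spoof. The subnets are the ones from the question; the function names and the simplified matching model (inbound packets are matched against the ACL in reverse, outbound packets forward) are my assumptions.

```python
"""Simplified model of a hub ASA's crypto ACL selection for a hairpinned
(spoke-to-spoke) flow.  Added example, not code from the thread; subnets
come from the question, the function names and the model are assumptions."""
from ipaddress import ip_address, ip_network

# Hub (Location 2) crypto ACL entries, one list per tunnel.  Each entry is
# (local_network, remote_network), mirroring an ASA crypto map ACL line:
#   permit ip <local> <remote>
HUB_TO_LOC1 = [
    (ip_network("10.192.153.0/24"), ip_network("192.168.205.0/24")),
    (ip_network("10.0.57.0/27"), ip_network("192.168.205.0/24")),  # added for the hairpin
]
HUB_TO_LOC3 = [
    (ip_network("10.192.153.0/24"), ip_network("10.0.57.0/27")),
    (ip_network("192.168.205.0/24"), ip_network("10.0.57.0/27")),  # added for the hairpin
]


def matches_inbound(entries, src, dst):
    """A decrypted packet arriving from a peer matches an entry when its source
    lies in the entry's remote network and its destination in the local one."""
    return any(src in remote and dst in local for local, remote in entries)


def matches_outbound(entries, src, dst):
    """A packet leaving toward a peer matches when src is in local and dst in remote."""
    return any(src in local and dst in remote for local, remote in entries)


def hairpin_path(src, dst, inbound_tunnel, outbound_tunnel):
    """Return the steps the hub takes for a spoke-to-spoke packet, stopping at
    the first crypto ACL that does not cover the flow."""
    src, dst = ip_address(src), ip_address(dst)
    steps = []
    if not matches_inbound(inbound_tunnel, src, dst):
        steps.append("drop: decrypted packet does not match the inbound tunnel's crypto ACL")
        return steps
    steps.append("decrypt on inbound tunnel")
    # Leaving the same interface it arrived on also needs
    # 'same-security-traffic permit intra-interface' on the hub.
    if not matches_outbound(outbound_tunnel, src, dst):
        steps.append("drop: clear-text packet toward peer does not match the outbound tunnel's crypto ACL")
        return steps
    steps.append("re-encrypt on outbound tunnel")
    return steps


def packet_tracer_verdict(src, dst, interface_tunnels, decrypted):
    """Mimic what a packet-tracer run on the VPN-terminating interface reports:
    a clear-text packet whose addresses match a crypto ACL of any tunnel on
    that interface is flagged as an IPsec spoof unless it is marked as
    already decrypted (the 'decrypted' keyword)."""
    src, dst = ip_address(src), ip_address(dst)
    matches_any = any(matches_inbound(t, src, dst) for t in interface_tunnels)
    if not matches_any:
        return "no crypto ACL match"
    return "passes crypto check" if decrypted else "IPSEC SPOOF detected"


if __name__ == "__main__":
    flow = ("192.168.205.17", "10.0.57.10")
    print(hairpin_path(*flow, HUB_TO_LOC1, HUB_TO_LOC3))
    print(packet_tracer_verdict(*flow, [HUB_TO_LOC1, HUB_TO_LOC3], decrypted=False))
    print(packet_tracer_verdict(*flow, [HUB_TO_LOC1, HUB_TO_LOC3], decrypted=True))
```

Dropping either of the two "added for the hairpin" entries makes `hairpin_path` stop at the corresponding step, which is the first thing to verify on the hub when spoke-to-spoke traffic fails.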
06-26-2010 01:29 AM
When you are trying to access LAN 1 - 192.168.205.0/24 from LAN 3 - 10.0.57.0/27, can you please share the output of the following from both Location 1 and Location 2:
show crypto isa sa
show crypto ipsec sa
If you don't mind sharing configuration from both Location 1 and 2, that would help.
You might also want to check NAT on Location 2, and make sure that there is no NAT statement on the outside interface.
So far, your description of how it is being configured seems correct.
06-27-2010 09:25 PM
Hi,
When I am trying to access LAN 3 (10.0.57.10) from LAN 1 (192.168.205.17), the output of the commands
1) sh crypto isakmp sa
2) sh crypto ipsec sa at Location 1 and Location 2 is as follows:
Location 1:-
sh crypto isakmp sa
IKE Peer: 216.25.240.70
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
sh crypto ipsec sa
interface: INTERNET
Crypto map tag: INTERNET_map, seq num: 5, local addr: 202.177.46.1
access-list INTERNET_5_cryptomap permit ip Iloyal_Network1 255.255.255.0 EXT_Ashburn 255.255.254.0
local ident (addr/mask/prot/port): (Iloyal_Network1/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (EXT_Ashburn/255.255.254.0/0/0)
current_peer: 216.25.240.70
#pkts encaps: 5441572, #pkts encrypt: 5441572, #pkts digest: 5441572
#pkts decaps: 5496981, #pkts decrypt: 5496981, #pkts verify: 5496981
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5441572, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 202.177.46.1, remote crypto endpt.: 216.25.240.70
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 90295500
inbound esp sas:
spi: 0x6E08190B (1846024459)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
sa timing: remaining key lifetime (kB/sec): (3907513/25525)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x90295500 (2418627840)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
sa timing: remaining key lifetime (kB/sec): (3910585/25525)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: INTERNET_map, seq num: 5, local addr: 202.177.46.1
access-list INTERNET_5_cryptomap permit ip Iloyal_Network2 255.255.255.0 EXT_Ashburn 255.255.254.0
local ident (addr/mask/prot/port): (Iloyal_Network2/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (EXT_Ashburn/255.255.254.0/0/0)
current_peer: 216.25.240.70
#pkts encaps: 246587, #pkts encrypt: 246587, #pkts digest: 246587
#pkts decaps: 446676, #pkts decrypt: 446676, #pkts verify: 446676
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 246587, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 202.177.46.1, remote crypto endpt.: 216.25.240.70
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: D3B7A2B0
inbound esp sas:
spi: 0x71231FDE (1898127326)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
sa timing: remaining key lifetime (kB/sec): (3295810/19472)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFDF 0xFFFFFFFF
outbound esp sas:
spi: 0xD3B7A2B0 (3552027312)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
sa timing: remaining key lifetime (kB/sec): (3904920/19472)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: INTERNET_map, seq num: 5, local addr: 202.177.46.1
access-list INTERNET_5_cryptomap permit ip host INT_TC_22_172 EXT_Ashburn 255.255.254.0
local ident (addr/mask/prot/port): (INT_TC_22_172/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (EXT_Ashburn/255.255.254.0/0/0)
current_peer: 216.25.240.70
#pkts encaps: 193, #pkts encrypt: 193, #pkts digest: 193
#pkts decaps: 152, #pkts decrypt: 152, #pkts verify: 152
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 193, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 202.177.46.1, remote crypto endpt.: 216.25.240.70
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 3EC4F7F6
inbound esp sas:
spi: 0x6B0260F3 (1795318003)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
sa timing: remaining key lifetime (kB/sec): (3914983/28721)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x3EC4F7F6 (1053095926)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
sa timing: remaining key lifetime (kB/sec): (3914985/28721)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: INTERNET_map, seq num: 5, local addr: 202.177.46.1
access-list INTERNET_5_cryptomap permit ip INT_aiRES_73_NETWORK 255.255.255.0 EXT_Ashburn 255.255.254.0
local ident (addr/mask/prot/port): (INT_aiRES_73_NETWORK/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (EXT_Ashburn/255.255.254.0/0/0)
current_peer: 216.25.240.70
#pkts encaps: 1249568, #pkts encrypt: 1249568, #pkts digest: 1249568
#pkts decaps: 933172, #pkts decrypt: 933172, #pkts verify: 933172
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1249568, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 202.177.46.1, remote crypto endpt.: 216.25.240.70
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: B638265E
inbound esp sas:
spi: 0x582E3E42 (1479425602)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
sa timing: remaining key lifetime (kB/sec): (3914761/25527)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xB638265E (3057133150)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
sa timing: remaining key lifetime (kB/sec): (3914797/25527)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: INTERNET_map, seq num: 5, local addr: 202.177.46.1
access-list INTERNET_5_cryptomap permit ip INT_DC_NETWORK 255.255.255.0 Neovera_Belle-Air_LAN 255.255.255.224
local ident (addr/mask/prot/port): (INT_DC_NETWORK/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (Neovera_Belle-Air_LAN/255.255.255.224/0/0)
current_peer: 216.25.240.70
#pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 17, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 202.177.46.1, remote crypto endpt.: 216.25.240.70
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 9BBD37E3
inbound esp sas:
spi: 0x7713C5FB (1997784571)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
sa timing: remaining key lifetime (kB/sec): (3915000/28451)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x9BBD37E3 (2612869091)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
sa timing: remaining key lifetime (kB/sec): (3914999/28451)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: INTERNET_map, seq num: 5, local addr: 202.177.46.1
access-list INTERNET_5_cryptomap permit ip INT_DC_NETWORK 255.255.255.0 EXT_Ashburn 255.255.254.0
local ident (addr/mask/prot/port): (INT_DC_NETWORK/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (EXT_Ashburn/255.255.254.0/0/0)
current_peer: 216.25.240.70
#pkts encaps: 16077242, #pkts encrypt: 16077242, #pkts digest: 16077242
#pkts decaps: 17194362, #pkts decrypt: 17194362, #pkts verify: 17194362
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 16077242, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 202.177.46.1, remote crypto endpt.: 216.25.240.70
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 1B4A82F2
inbound esp sas:
spi: 0x2E71B949 (779204937)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
sa timing: remaining key lifetime (kB/sec): (3888412/25525)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x1B4A82F2 (457868018)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
sa timing: remaining key lifetime (kB/sec): (3905478/25525)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: INTERNET_map, seq num: 5, local addr: 202.177.46.1
access-list INTERNET_5_cryptomap permit ip IBS_TVM_AOS_Network 255.255.255.0 EXT_Ashburn 255.255.254.0
local ident (addr/mask/prot/port): (IBS_TVM_AOS_Network/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (EXT_Ashburn/255.255.254.0/0/0)
current_peer: 216.25.240.70
#pkts encaps: 1416371, #pkts encrypt: 1416371, #pkts digest: 1416371
#pkts decaps: 1609581, #pkts decrypt: 1609581, #pkts verify: 1609581
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1416371, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 202.177.46.1, remote crypto endpt.: 216.25.240.70
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 4C533C9E
inbound esp sas:
spi: 0x22666D60 (577138016)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
sa timing: remaining key lifetime (kB/sec): (3912838/23680)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x4C533C9E (1280523422)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
sa timing: remaining key lifetime (kB/sec): (3914653/23680)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Location 2:-
sh crypto isakmp sa
To location 1
1 IKE Peer: 202.177.46.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
To Location 3
2 IKE Peer: 208.77.255.101
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
sh crypto ipsec sa
interface: Internet_Twix
Crypto map tag: Internet_Twix_map, seq num: 5, local addr: 216.25.240.70
access-list Internet_Twix_5_cryptomap permit ip DC_TRVM_NETWORK 255.255.255.0 10.0.57.0 255.255.255.224
local ident (addr/mask/prot/port): (DC_TRVM_NETWORK/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.57.0/255.255.255.224/0/0)
current_peer: 208.77.255.101
#pkts encaps: 46, #pkts encrypt: 46, #pkts digest: 46
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 46, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 216.25.240.70, remote crypto endpt.: 208.77.255.101
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 288A2AD3
inbound esp sas:
spi: 0x9EEBA5FD (2666243581)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 74915840, crypto-map: Internet_Twix_map
sa timing: remaining key lifetime (kB/sec): (4374000/27380)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x288A2AD3 (680143571)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 74915840, crypto-map: Internet_Twix_map
sa timing: remaining key lifetime (kB/sec): (4373997/27380)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: Internet_Twix_map, seq num: 1, local addr: 216.25.240.70
access-list Internet_Twix_1_cryptomap permit ip 10.0.57.0 255.255.255.224 DC_TRVM_NETWORK 255.255.255.0
local ident (addr/mask/prot/port): (10.0.57.0/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (DC_TRVM_NETWORK/255.255.255.0/0/0)
current_peer: 202.177.46.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 47, #pkts decrypt: 47, #pkts verify: 47
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 216.25.240.70, remote crypto endpt.: 202.177.46.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 7713C5FB
inbound esp sas:
spi: 0x9BBD37E3 (2612869091)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
sa timing: remaining key lifetime (kB/sec): (4373997/27375)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x0000FFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x7713C5FB (1997784571)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
sa timing: remaining key lifetime (kB/sec): (4374000/27375)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: Internet_Twix_map, seq num: 1, local addr: 216.25.240.70
access-list Internet_Twix_1_cryptomap permit ip 10.192.154.0 255.255.254.0 aiRES_TRVM 255.255.255.0
local ident (addr/mask/prot/port): (10.192.154.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (aiRES_TRVM/255.255.255.0/0/0)
current_peer: 202.177.46.1
#pkts encaps: 938545, #pkts encrypt: 938545, #pkts digest: 938545
#pkts decaps: 1249490, #pkts decrypt: 1249490, #pkts verify: 1249490
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 938545, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 216.25.240.70, remote crypto endpt.: 202.177.46.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 582E3E42
inbound esp sas:
spi: 0xB638265E (3057133150)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
sa timing: remaining key lifetime (kB/sec): (4373735/24451)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x582E3E42 (1479425602)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
sa timing: remaining key lifetime (kB/sec): (4373689/24451)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: Internet_Twix_map, seq num: 1, local addr: 216.25.240.70
access-list Internet_Twix_1_cryptomap permit ip 10.192.154.0 255.255.254.0 iLoyal_network 255.255.255.0
local ident (addr/mask/prot/port): (10.192.154.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (iLoyal_network/255.255.255.0/0/0)
current_peer: 202.177.46.1
#pkts encaps: 5524091, #pkts encrypt: 5524091, #pkts digest: 5524091
#pkts decaps: 5448662, #pkts decrypt: 5448662, #pkts verify: 5448662
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5524091, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 216.25.240.70, remote crypto endpt.: 202.177.46.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 6E08190B
inbound esp sas:
spi: 0x90295500 (2418627840)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
sa timing: remaining key lifetime (kB/sec): (4368056/24449)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x6E08190B (1846024459)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
sa timing: remaining key lifetime (kB/sec): (4362669/24449)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: Internet_Twix_map, seq num: 1, local addr: 216.25.240.70
access-list Internet_Twix_1_cryptomap permit ip 10.192.154.0 255.255.254.0 DC_TRVM_NETWORK 255.255.255.0
local ident (addr/mask/prot/port): (10.192.154.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (DC_TRVM_NETWORK/255.255.255.0/0/0)
current_peer: 202.177.46.1
#pkts encaps: 17275512, #pkts encrypt: 17275512, #pkts digest: 17275512
#pkts decaps: 16109043, #pkts decrypt: 16109043, #pkts verify: 16109043
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 17275512, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 216.25.240.70, remote crypto endpt.: 202.177.46.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 2E71B949
inbound esp sas:
spi: 0x1B4A82F2 (457868018)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
sa timing: remaining key lifetime (kB/sec): (4361292/24449)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x2E71B949 (779204937)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
sa timing: remaining key lifetime (kB/sec): (4338271/24449)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: Internet_Twix_map, seq num: 1, local addr: 216.25.240.70
access-list Internet_Twix_1_cryptomap permit ip 10.192.154.0 255.255.254.0 Tnc_Cok 255.255.255.0
local ident (addr/mask/prot/port): (10.192.154.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (192.168.22.172/255.255.255.255/0/0)
current_peer: 202.177.46.1
#pkts encaps: 194, #pkts encrypt: 194, #pkts digest: 194
#pkts decaps: 255, #pkts decrypt: 255, #pkts verify: 255
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 194, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 216.25.240.70, remote crypto endpt.: 202.177.46.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 6B0260F3
inbound esp sas:
spi: 0x3EC4F7F6 (1053095926)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
sa timing: remaining key lifetime (kB/sec): (4373980/27645)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x6B0260F3 (1795318003)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
sa timing: remaining key lifetime (kB/sec): (4373979/27645)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: Internet_Twix_map, seq num: 1, local addr: 216.25.240.70
access-list Internet_Twix_1_cryptomap permit ip 10.192.154.0 255.255.254.0 IBS_TVM_AOS_Network 255.255.255.0
local ident (addr/mask/prot/port): (10.192.154.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (IBS_TVM_AOS_Network/255.255.255.0/0/0)
current_peer: 202.177.46.1
#pkts encaps: 1635974, #pkts encrypt: 1635974, #pkts digest: 1635974
#pkts decaps: 1432941, #pkts decrypt: 1432941, #pkts verify: 1432941
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1635974, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 216.25.240.70, remote crypto endpt.: 202.177.46.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 22666D60
inbound esp sas:
spi: 0x4C533C9E (1280523422)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
sa timing: remaining key lifetime (kB/sec): (4372312/22604)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x22666D60 (577138016)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
sa timing: remaining key lifetime (kB/sec): (4367986/22604)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
I have also enabled NAT exemption on the outside interface at Location 2. Still I am getting the IPSEC Spoof detected error at Location 2.
The configuration is a little difficult for me to post at the moment. If these outputs help you to give a correct solution, it would be great.
06-28-2010 03:39 AM
Based on the output attached, here is what happens:
1) Traffic is getting encrypted on Loc 1 from Loc 1 towards Loc 2 from 192.168.205.0/24 towards 10.0.57.0/27
2) Traffic is then getting decrypted on Loc 2 from Loc 1 towards Loc 2 from 192.168.205.0/24 towards 10.0.57.0/27
3) Traffic is then getting re-encrypted on Loc 2 towards Loc 3 from 192.168.205.0/24 towards 10.0.57.0/27
In summary, traffic from Loc 1 towards Loc 3 travels as far as the Loc 3 ASA based on the output provided.
As you haven't included the output from Loc 3, I would assume that you would see decrypted traffic showing some numbers while encrypted traffic between 10.0.57.0/27 and 192.168.205.0/24 subnets will be showing 0.
If that is the case, there could be a number of issues:
1) Please check if NAT exemption has been configured correctly.
2) Please check if there is any ACL that might be blocking the access
3) Please check if the 10.0.57.0/27 subnet is directly connected to the firewall; if not, please check routing (please make sure that 10.0.57.0/27 knows how to route to the 192.168.205.0/24 subnet, i.e. via the ASA).
4) Lastly, if you test with ping, please also make sure that the host 10.0.57.10 doesn't have a personal firewall that might be blocking ping from a different subnet, and that you have "inspect icmp" enabled on the ASA.
Hope that helps.
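The reasoning in the reply above (follow the encaps/decaps counters hop by hop until an SA shows traffic in only one direction) can be automated. The following is an added example, my own code rather than anything from the thread or from Cisco: it parses `show crypto ipsec sa` output, collects the counters per SA, and flags one-way SAs. The sample text is three SA stanzas copied from the Location 2 output posted above, trimmed to the lines the parser needs.

```python
"""Parse 'show crypto ipsec sa' output and flag SAs that carry traffic in one
direction only, which is how the reply above locates where a spoke-to-spoke
flow stops.  Added example; the sample is trimmed from the thread's output."""
import re
from dataclasses import dataclass

# Lines of interest in ASA 'show crypto ipsec sa' output.
IDENT_RE = re.compile(r"^\s*(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PEER_RE = re.compile(r"^\s*current_peer: (\S+)")
ENCAPS_RE = re.compile(r"^\s*#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"^\s*#pkts decaps: (\d+)")


@dataclass
class SaCounters:
    local: str    # local ident, "network/mask" (object names appear as written)
    remote: str   # remote ident, "network/mask"
    peer: str     # IKE peer address
    encaps: int   # packets encrypted and sent to the peer
    decaps: int   # packets received from the peer and decrypted

    def one_way(self):
        """True when exactly one of the two counters is zero."""
        return (self.encaps == 0) != (self.decaps == 0)


def parse_ipsec_sa(text):
    """Walk the output line by line; an SA record is complete once its
    '#pkts decaps' line has been seen after ident, peer and encaps lines."""
    sas, cur = [], {}
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
            continue
        m = PEER_RE.match(line)
        if m:
            cur["peer"] = m.group(1)
            continue
        m = ENCAPS_RE.match(line)
        if m:
            cur["encaps"] = int(m.group(1))
            continue
        m = DECAPS_RE.match(line)
        if m and all(k in cur for k in ("local", "remote", "peer", "encaps")):
            sas.append(SaCounters(cur["local"], cur["remote"], cur["peer"],
                                  cur["encaps"], int(m.group(1))))
            cur = {}
    return sas


def one_way_sas(sas):
    return [sa for sa in sas if sa.one_way()]


def describe(sa):
    """One-line verdict per SA in the spirit of the reply above."""
    path = f"{sa.local} -> {sa.remote} via {sa.peer}"
    if sa.encaps and not sa.decaps:
        return f"{path}: {sa.encaps} sent, nothing returned (check the far side)"
    if sa.decaps and not sa.encaps:
        return f"{path}: {sa.decaps} received, nothing sent back (check the local side)"
    return f"{path}: two-way ({sa.encaps} sent / {sa.decaps} received)"


# Constructed sample: three stanzas trimmed from the Location 2 output above.
SAMPLE = """\
Crypto map tag: Internet_Twix_map, seq num: 5, local addr: 216.25.240.70
local ident (addr/mask/prot/port): (DC_TRVM_NETWORK/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.57.0/255.255.255.224/0/0)
current_peer: 208.77.255.101
#pkts encaps: 46, #pkts encrypt: 46, #pkts digest: 46
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Crypto map tag: Internet_Twix_map, seq num: 1, local addr: 216.25.240.70
local ident (addr/mask/prot/port): (10.0.57.0/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (DC_TRVM_NETWORK/255.255.255.0/0/0)
current_peer: 202.177.46.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 47, #pkts decrypt: 47, #pkts verify: 47
Crypto map tag: Internet_Twix_map, seq num: 1, local addr: 216.25.240.70
local ident (addr/mask/prot/port): (10.192.154.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (DC_TRVM_NETWORK/255.255.255.0/0/0)
current_peer: 202.177.46.1
#pkts encaps: 17275512, #pkts encrypt: 17275512, #pkts digest: 17275512
#pkts decaps: 16109043, #pkts decrypt: 16109043, #pkts verify: 16109043
"""

if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE):
        print(describe(sa))
```

On the sample, the SA toward 208.77.255.101 is sent-only and the SA from 202.177.46.1 for the same pair is received-only, which together say the hub is decrypting and re-encrypting but nothing comes back from Location 3, exactly the conclusion drawn above.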
06-29-2010 11:52 PM
Hi Halijenn,
Finally I got this working.
There was some ACL at Location 3 which was blocking the request. That's why I was getting SYN Timeout in the firewall log.
Now, I am able to reach from Location 1 to Location 3.
Thanks for your help and suggestions.
But it has nothing to do with the IPSEC Spoof detection at Location 2 using the packet trace.
I am still getting the same error.
It may be due to the 192.168.205.17 packet as source on the firewall at Location 2. This may be due to a non-IPsec packet entering the IPsec tunnel.
06-30-2010 06:06 AM
Hi!
IPSEC spoof detected means that you are trying to send unencrypted packets over an encrypted line.
The most logical explanation for this would be that the Location 2 VPN server does not re-encrypt the packets after receiving them from Location 1.
Are you sure the subnets included in the tunnels are accurate and that the correct routes are applied?
Stan
12-05-2023 03:07 AM - edited 12-05-2023 03:07 AM
Add the keyword decrypted at the end of the packet-tracer command if you are trying to simulate traffic from a remote VPN site to the local site.
It should solve the packet-tracer IPSEC spoof issue.