
L2L tunnel and show connection address

mahesh18
Level 6

 

Hi Everyone,

ASA 5505 has L2L tunnel to 5520.

Tunnel is up and running.

5505# sh crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.31.2.30
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs

 

sh crypto ipsec sa
interface: Visitor_Edge
    Crypto map tag: D_Traffic_Crypto, seq num: 1, local addr: 10.31.2.20

 

When I do sh conn address 10.31.2.20 all
5 in use, 9316 most used
ESP Visitor 10.31.2.30 NP Identity Ifc  10.31.2.20, idle 0:00:00, bytes 9912, flags------------1
UDP Visitor  10.31.2.30:500 NP Identity Ifc  10.31.2.20:500, idle 0:00:09, bytes 3365216, flags -------------2
ESP Visitor 10.31.2.30 NP Identity Ifc  10.31.2.20, idle 0:00:00, bytes 3816, flags-------------3

I need to understand what connections 1 and 3 are used for, and why they have no port info.

Connection 2 is the tunnel connection using port 500, but connections 1 and 3 have no port numbers. Why?

Regards

 

Mahesh

4 Replies

David_Che
Level 1

Connections 1 and 3 represent outgoing and incoming ESP traffic, which sits directly on the IP header, so there is no port info.

Connection 2 represents the IKE messages, which are exchanged on UDP port 500.

 

Hi David,

 

Can you please explain to me in more detail what you mean by "Connections 1 and 3 represent outgoing and incoming ESP traffic, which sits directly on the IP header, so there is no port info"?

Is this tunnel traffic that is used to keep the tunnel up between the 2 ASAs?

Regards

Mahesh

Hi David,

 

The main job of ESP is to provide the privacy we seek for IP datagrams by encrypting them. An encryption algorithm combines the data in the datagram with a key to transform it into an encrypted form. ESP also supports its own authentication scheme, like that used in AH, or can be used in conjunction with AH.

Encapsulating Security Payload Fields

ESP has several fields, but packages its fields in a very different way. Instead of having just a header, it divides its fields into three components:

  • ESP Header: This contains two fields, the SPI and Sequence Number, and comes before the encrypted data. Its placement depends on whether ESP is used in transport mode or tunnel mode, as explained in the topic on IPSec modes.
  • ESP Trailer: This section is placed after the encrypted data. It contains padding that is used to align the encrypted data, through a Padding and a Pad Length field. Interestingly, it also contains the Next Header field for ESP.
  • ESP Authentication Data: This field contains an Integrity Check Value (ICV), computed in a manner similar to how the AH protocol works, for when ESP's optional authentication feature is used.

Regarding your question, the ESP protocol is there to keep the data confidential; to keep the tunnel up, you can use the ISAKMP keepalives within the tunnel-group configuration.

If you have another question please let us know!

Please don't forget to rate and mark as correct the helpful post!

Regards,

David Castro
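As an added illustration of both of David's answers above (this is not code from the thread, from Cisco or from the ASA): a Python sketch that builds one IKE packet and the two ESP packets of such a tunnel between the thread's two addresses, then derives from each the only connection key a stateful firewall can form from the headers it can see. The SPIs, ISAKMP cookies and ciphertext bytes are made up, and the helper names are this example's own.

```python
"""Why 'show conn' lists IKE with ports but ESP without: build one IKE/UDP packet
and two ESP packets between the thread's two peers, then extract the key a
connection table can actually use for each."""
import socket
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50   # ESP is its own IP protocol; there is no transport header under it
IKE_PORT = 500     # IKE (ISAKMP) rides on UDP/500 (UDP/4500 only when NAT-T is in use)


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left as 0; we only parse, never send)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def udp_header(sport, dport, payload_len):
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)


def isakmp_header(init_cookie, resp_cookie):
    """28-byte ISAKMP header: cookies, next payload, version 1.0, exchange type 2
    (identity protection = IKEv1 main mode), flags, message ID, length."""
    return struct.pack("!8s8sBBBBII", init_cookie, resp_cookie, 1, 0x10, 2, 0, 0, 28)


def esp_packet(src, dst, spi, seq, ciphertext):
    """IP + ESP. Only SPI and sequence number are in the clear; the ESP trailer
    (padding, pad length, next header) and the ICV that David lists sit inside or
    after the ciphertext, so nothing beyond the 8-byte header is parsed here."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


# Constructed sample traffic using the addresses from the thread; SPIs, cookies
# and the ciphertext bytes are made up for this example.
ASA_5505, ASA_5520 = "10.31.2.20", "10.31.2.30"
_ike_payload = isakmp_header(b"\x11" * 8, b"\x22" * 8)
IKE_PACKET = (ipv4_header(ASA_5505, ASA_5520, IPPROTO_UDP, 8 + len(_ike_payload))
              + udp_header(IKE_PORT, IKE_PORT, len(_ike_payload)) + _ike_payload)
ESP_OUT = esp_packet(ASA_5505, ASA_5520, 0x1234ABCD, 1, b"\xAA" * 32)  # our outbound SA
ESP_IN = esp_packet(ASA_5520, ASA_5505, 0x7F00BEEF, 1, b"\xBB" * 32)   # peer's outbound SA


def parse_conn(packet):
    """Return the lookup key a stateful firewall can build from the visible headers.
    UDP yields a 5-tuple; ESP yields the addresses plus SPI and has no ports at all."""
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (fields[0] & 0x0F) * 4
    proto, src, dst = fields[6], socket.inet_ntoa(fields[8]), socket.inet_ntoa(fields[9])
    l4 = packet[ihl:]
    if proto == IPPROTO_UDP:
        sport, dport, _, _ = struct.unpack("!HHHH", l4[:8])
        return {"proto": "UDP", "src": src, "sport": sport, "dst": dst, "dport": dport}
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", l4[:8])
        return {"proto": "ESP", "src": src, "dst": dst, "spi": spi, "seq": seq}
    return {"proto": proto, "src": src, "dst": dst}


def conn_line(key):
    """Render one entry the way 'show conn' does: ip:port for UDP, bare ip for ESP."""
    if key["proto"] == "UDP":
        return f"UDP {key['src']}:{key['sport']} -> {key['dst']}:{key['dport']}"
    if key["proto"] == "ESP":
        return f"ESP {key['src']} -> {key['dst']}  spi 0x{key['spi']:08x} seq {key['seq']}"
    return f"{key['proto']} {key['src']} -> {key['dst']}"


def conn_table(packets):
    return [conn_line(parse_conn(p)) for p in packets]


if __name__ == "__main__":
    for line in conn_table([ESP_OUT, IKE_PACKET, ESP_IN]):
        print(line)
```

The two ESP entries are simply the two one-way SAs of the tunnel, each with its own SPI, which is why the ASA shows one ESP line per direction; a byte count that keeps rising on one of them while the other stays flat is usually the first visible sign of a one-way tunnel. The ISAKMP keepalive David mentions is configured under tunnel-group <peer> ipsec-attributes with isakmp keepalive threshold <seconds> retry <seconds>; the DPD probes it sends are IKE informational messages, so they travel in connection 2 (UDP/500), not in the ESP entries.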

 

Many thanks David for explaining so well.

Regards

Mahesh