Route based vpns and traffic selectors

Chewbakka1
Level 1

Hi,

When configuring route-based VPNs on the ASA, what determines the remote traffic selector in the IKEv2 child SAs?

Is it the routes configured locally on the firewall, or is this somehow determined by the remote end?

 

The reason for asking is that I recently replaced the 10.0.0.0/8 route with more specific /24 routes, but for some reason I am still seeing the following under the IKEv2 details, even after clearing the IPsec SAs:

 

Child sa: local selector 192.168.11.0/0 - 192.168.11.255/65535
remote selector 10.0.0.0/0 - 10.255.255.255/65535

2 Replies

Hi,
It's the routing (static/dynamic) which determines which traffic should be sent over a route based VPN.

The local and remote selectors should be 0.0.0.0/0.0.0.0. Can you provide the output of "show crypto ipsec sa detail"?

peer address: <Snip>
    Crypto map tag: __vti-crypto-map-13-0-3, seq num: 65280, local addr: <Snip>

      local ident (addr/mask/prot/port): (192.168.14.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      current_peer: <Snip>
      #pkts encaps: 304835, #pkts encrypt: 304835, #pkts digest: 304835
      #pkts decaps: 315844, #pkts decrypt: 315844, #pkts verify: 315844
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 304835, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (rcv): 0,
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: <Snip>/500, remote crypto endpt.: <Snip>/500
      path mtu 1500, ipsec overhead 78(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 00E86439
      current inbound spi : 47CF0BA2

    inbound esp sas:
      spi: 0x47CF0BA2 (1204751266)
         SA State: active
         transform: esp-aes-256 esp-sha-256-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, VTI, }
         slot: 0, conn_id: 218312704, crypto-map: __vti-crypto-map-13-0-3
         sa timing: remaining key lifetime (kB/sec): (4233967/28092)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x00E86439 (15230009)
         SA State: active
         transform: esp-aes-256 esp-sha-256-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, VTI, }
         slot: 0, conn_id: 218312704, crypto-map: __vti-crypto-map-13-0-3
         sa timing: remaining key lifetime (kB/sec): (4001222/28091)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: __vti-crypto-map-13-0-3, seq num: 65280, local addr: <Snip>

      local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      current_peer: <Snip>


      #pkts encaps: 47791, #pkts encrypt: 47792, #pkts digest: 47792
      #pkts decaps: 48258, #pkts decrypt: 48259, #pkts verify: 48259
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 48096, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (rcv): 0,
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: <Snip>/500, remote crypto endpt.: <Snip>/500
      path mtu 1500, ipsec overhead 78(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: A61C9466
      current inbound spi : EFAE9C99

So for some reason I'm not seeing the more specific routes appear in the "remote ident", just the supernet, which I have no route for anymore.
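As an added example (not part of the thread and not Cisco's code), the following Python script does the comparison the two posts above are circling: it parses the "local ident" / "remote ident" lines in the format of the "show crypto ipsec sa detail" output posted above, flags child SAs whose selectors are not the 0.0.0.0/0 any/any pair the first reply expects on a VTI, and compares the negotiated remote selector with the routes that actually point into the tunnel interface. The sample output and routing table are constructed: the snipped peer and local addresses are replaced with documentation-range placeholders, and the tunnel interface name Tunnel1 and the two /24 routes are assumed stand-ins for the poster's "more specific /24 routes".

```python
"""Audit the traffic selectors of IKEv2 child SAs on a route-based (VTI) tunnel.

Parses the 'local ident' / 'remote ident' lines of ASA 'show crypto ipsec sa detail'
output, flags child SAs that are not the any/any (0.0.0.0/0) selectors a VTI is
expected to negotiate, and compares the negotiated remote selector with the
routes that point into the tunnel interface. Added example, not Cisco code.
"""
import ipaddress
import re

# Constructed sample in the format posted in the thread; the snipped peer and
# local addresses are replaced with documentation-range placeholders.
SAMPLE_SHOW_OUTPUT = """\
peer address: 203.0.113.10
    Crypto map tag: __vti-crypto-map-13-0-3, seq num: 65280, local addr: 198.51.100.1

      local ident (addr/mask/prot/port): (192.168.14.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      current_peer: 203.0.113.10

    Crypto map tag: __vti-crypto-map-13-0-3, seq num: 65280, local addr: 198.51.100.1

      local ident (addr/mask/prot/port):(192.168.11.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      current_peer:203.0.113.10
"""

# Constructed routing table: the 10.0.0.0/8 route has been replaced by /24s
# pointing at the (assumed) tunnel interface name Tunnel1.
SAMPLE_ROUTES = [
    ("10.1.10.0/24", "Tunnel1"),
    ("10.1.20.0/24", "Tunnel1"),
    ("0.0.0.0/0", "outside"),
]

ANY = ipaddress.ip_network("0.0.0.0/0")

# Matches both "...port): (a/m/p/p)" and the space-less "...port):(a/m/p/p)" variant.
IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\):\s*"
    r"\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/(\d+)/(\d+)\)"
)


def parse_child_sas(text):
    """Return one dict per child SA: crypto map tag plus local/remote selector networks."""
    sas, current = [], None
    for line in text.splitlines():
        if "Crypto map tag:" in line:
            tag = line.split("Crypto map tag:", 1)[1].split(",", 1)[0].strip()
            current = {"map": tag}
            sas.append(current)
            continue
        m = IDENT_RE.search(line)
        if m and current is not None:
            side, addr, mask, proto, port = m.groups()
            # ipaddress accepts a dotted netmask; strict=False tolerates host bits.
            current[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            current[f"{side}_proto"] = int(proto)
            current[f"{side}_port"] = int(port)
    return [sa for sa in sas if "local" in sa and "remote" in sa]


def audit_selectors(sas, routes, tunnel_iface):
    """Return (sa_index, code, message) findings.

    NOT_ANY:                selectors are narrower than 0.0.0.0/0 <-> 0.0.0.0/0.
    NO_MATCHING_ROUTE:      no route via the tunnel equals the remote selector, so the
                            selector was not derived from the local routing table.
    ROUTE_OUTSIDE_SELECTOR: a route points into the tunnel but lies outside the
                            negotiated remote selector, so that traffic has no SA.
    """
    tunnel_nets = [ipaddress.ip_network(p) for p, iface in routes if iface == tunnel_iface]
    findings = []
    for i, sa in enumerate(sas):
        local, remote = sa["local"], sa["remote"]
        if local != ANY or remote != ANY:
            findings.append((i, "NOT_ANY",
                             f"{sa['map']}: {local} <-> {remote}, expected any/any on a VTI"))
        if remote != ANY and remote not in tunnel_nets:
            inside = [str(n) for n in tunnel_nets if n.subnet_of(remote)]
            findings.append((i, "NO_MATCHING_ROUTE",
                             f"remote selector {remote} is not a route via {tunnel_iface}; "
                             f"routes that fall inside it: {inside}"))
        for n in tunnel_nets:
            if not n.subnet_of(remote):
                findings.append((i, "ROUTE_OUTSIDE_SELECTOR",
                                 f"route {n} via {tunnel_iface} is not covered by remote selector {remote}"))
    return findings


if __name__ == "__main__":
    for idx, code, msg in audit_selectors(parse_child_sas(SAMPLE_SHOW_OUTPUT), SAMPLE_ROUTES, "Tunnel1"):
        print(f"SA {idx} {code}: {msg}")
```

Run against the constructed sample, both child SAs produce NOT_ANY (the selectors are a /24 and a /8 rather than any/any) and NO_MATCHING_ROUTE (10.0.0.0/8 equals none of the routes via Tunnel1, although both /24s fall inside it), which is the situation described in the last post: the routes decide what is sent into the tunnel, as the first reply says, but a negotiated selector that no longer matches any local route is worth checking against the peer's configuration rather than the local routing table.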