08-13-2020 01:26 PM
Hi,
When configuring route-based VPNs on the ASA, what determines the remote traffic selector in the IKEv2 child SAs?
Is it the routes configured locally on the firewall, or is this somehow determined by the remote end?
The reason for asking is that I recently replaced the 10.0.0.0/8 route with more specific /24 routes,
but for some reason I am still seeing the following under IKEv2 details, even after clearing the IPsec SAs:
Child sa: local selector 192.168.11.0/0 - 192.168.11.255/65535
          remote selector 10.0.0.0/0 - 10.255.255.255/65535
08-13-2020 01:33 PM
08-13-2020 02:51 PM - edited 08-13-2020 02:54 PM
peer address: <Snip>
Crypto map tag: __vti-crypto-map-13-0-3, seq num: 65280, local addr: <Snip>
  local ident (addr/mask/prot/port): (192.168.14.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
  current_peer: <Snip>
  #pkts encaps: 304835, #pkts encrypt: 304835, #pkts digest: 304835
  #pkts decaps: 315844, #pkts decrypt: 315844, #pkts verify: 315844
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 304835, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #TFC rcvd: 0, #TFC sent: 0
  #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
  #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
  #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
  #pkts invalid prot (rcv): 0, #pkts verify failed: 0
  #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
  #pkts invalid pad (rcv): 0, #pkts invalid ip version (rcv): 0,
  #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
  #pkts replay failed (rcv): 0
  #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
  #pkts internal err (send): 0, #pkts internal err (rcv): 0
  local crypto endpt.: <Snip>/500, remote crypto endpt.: <Snip>/500
  path mtu 1500, ipsec overhead 78(44), media mtu 1500
  PMTU time remaining (sec): 0, DF policy: copy-df
  ICMP error validation: disabled, TFC packets: disabled
  current outbound spi: 00E86439
  current inbound spi : 47CF0BA2
  inbound esp sas:
    spi: 0x47CF0BA2 (1204751266)
      SA State: active
      transform: esp-aes-256 esp-sha-256-hmac no compression
      in use settings ={L2L, Tunnel, IKEv2, VTI, }
      slot: 0, conn_id: 218312704, crypto-map: __vti-crypto-map-13-0-3
      sa timing: remaining key lifetime (kB/sec): (4233967/28092)
      IV size: 16 bytes
      replay detection support: Y
      Anti replay bitmap:
       0xFFFFFFFF 0xFFFFFFFF
  outbound esp sas:
    spi: 0x00E86439 (15230009)
      SA State: active
      transform: esp-aes-256 esp-sha-256-hmac no compression
      in use settings ={L2L, Tunnel, IKEv2, VTI, }
      slot: 0, conn_id: 218312704, crypto-map: __vti-crypto-map-13-0-3
      sa timing: remaining key lifetime (kB/sec): (4001222/28091)
      IV size: 16 bytes
      replay detection support: Y
      Anti replay bitmap:
       0x00000000 0x00000001

Crypto map tag: __vti-crypto-map-13-0-3, seq num: 65280, local addr: <Snip>
  local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
  current_peer: <Snip>
  #pkts encaps: 47791, #pkts encrypt: 47792, #pkts digest: 47792
  #pkts decaps: 48258, #pkts decrypt: 48259, #pkts verify: 48259
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 48096, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #TFC rcvd: 0, #TFC sent: 0
  #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
  #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
  #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
  #pkts invalid prot (rcv): 0, #pkts verify failed: 0
  #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
  #pkts invalid pad (rcv): 0, #pkts invalid ip version (rcv): 0,
  #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
  #pkts replay failed (rcv): 0
  #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
  #pkts internal err (send): 0, #pkts internal err (rcv): 0
  local crypto endpt.: <Snip>/500, remote crypto endpt.: <Snip>/500
  path mtu 1500, ipsec overhead 78(44), media mtu 1500
  PMTU time remaining (sec): 0, DF policy: copy-df
  ICMP error validation: disabled, TFC packets: disabled
  current outbound spi: A61C9466
  current inbound spi : EFAE9C99
So for some reason I'm not seeing the more specific routes appear in the "remote ident", just the supernet, which I have no route for anymore.
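The comparison the poster is making by eye (remote ident in the SA versus the routes that are supposed to point into the tunnel) can be scripted. The following is an added example written for this thread; it is not code from the post, from Cisco, or from any ASA tooling. It parses the `local ident` / `remote ident` lines out of `show crypto ipsec sa` text and classifies each remote selector as an exact match for a configured route, wider than the routes it covers (the situation described above), or stale (covering no route at all). The SA text is a constructed sample built from the fields quoted above with placeholder peer addresses, and the two /24 routes are hypothetical since the post does not list them.

```python
import ipaddress
import re

# Constructed sample modelled on the `show crypto ipsec sa` output quoted in the
# post above; only the fields this check reads are kept, and the <Snip>'d
# addresses are replaced with documentation-range placeholders.
SAMPLE_SA_OUTPUT = """\
Crypto map tag: __vti-crypto-map-13-0-3, seq num: 65280, local addr: 203.0.113.1
  local ident (addr/mask/prot/port): (192.168.14.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
  current_peer: 198.51.100.1
Crypto map tag: __vti-crypto-map-13-0-3, seq num: 65280, local addr: 203.0.113.1
  local ident (addr/mask/prot/port):(192.168.11.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
  current_peer:198.51.100.1
"""

# Hypothetical: the more specific /24 routes that replaced 10.0.0.0/8 on the
# firewall. The post does not name them, so these are placeholders.
TUNNEL_ROUTES = ["10.1.1.0/24", "10.1.2.0/24"]

# One regex for both ident lines; `\s*` tolerates the missing space after the
# colon that appears in the second block of the quoted output.
IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\):\s*"
    r"\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/(\d+)/(\d+)\)"
)


def parse_idents(sa_text):
    """Return [(local_net, remote_net), ...], one pair per SA block.

    ASA prints the ident as address/dotted-mask; ipaddress accepts that form
    directly, so no manual mask-to-prefix conversion is needed.
    """
    pairs = []
    local = None
    for m in IDENT_RE.finditer(sa_text):
        side, addr, mask, _proto, _port = m.groups()
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if side == "local":
            local = net
        else:
            pairs.append((local, net))
            local = None
    return pairs


def audit_remote_selectors(sa_text, route_prefixes):
    """Classify each remote selector against the routes that feed the tunnel.

    exact  - the selector is one of the configured routes
    wider  - the selector covers configured routes but is broader than any of
             them (traffic for prefixes you no longer route is still accepted)
    stale  - the selector covers none of the configured routes
    """
    routes = [ipaddress.ip_network(r) for r in route_prefixes]
    findings = []
    for local, remote in parse_idents(sa_text):
        covered = [str(r) for r in routes if r.subnet_of(remote)]
        if any(r == remote for r in routes):
            status = "exact"
        elif covered:
            status = "wider"
        else:
            status = "stale"
        findings.append({
            "local": str(local),
            "remote": str(remote),
            "routes_covered": covered,
            "status": status,
        })
    return findings


if __name__ == "__main__":
    for f in audit_remote_selectors(SAMPLE_SA_OUTPUT, TUNNEL_ROUTES):
        print(f"{f['local']} -> {f['remote']}: {f['status']} "
              f"(covers {', '.join(f['routes_covered']) or 'no configured route'})")
```

Run against the constructed sample, both SA blocks come back as `wider`: the 10.0.0.0/8 selector still covers the new /24s, so traffic flows, but the SA is negotiated for a prefix the firewall no longer has a route for. Pasting real `show crypto ipsec sa` output into `SAMPLE_SA_OUTPUT` and the current tunnel routes into `TUNNEL_ROUTES` gives the same comparison for a live box.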