04-29-2013 03:31 AM
Hi All,
I've configured an S2S VPN and created the ACL for the "interesting traffic".
So, on my VPN router, do I need another access list - or if I try to reach the "interesting" subnets is the Crypto ACL automatically called/used? I've done all the crypto stuff but am unsure as to what is required ACL-wise, on top of my "interesting" ACL.
If I do a trace to one of my "interesting" subnets, it looks to be going through my default gateway, instead of trying to use the PEER address.
Am I missing something?
Thanks
05-01-2013 12:43 AM
Ok, when running debugs now I am getting the following. When I ping or trace to a host on the remote site, the debug output (or part of it) is below. What does this indicate? I've removed the IPs.
Thanks
*May 1 07:54:56.856: ISAKMP (0:4012): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH
*May 1 07:54:56.856: ISAKMP:(4012): processing ID payload. message ID = 0
*May 1 07:54:56.860: ISAKMP (0:4012): ID payload
next-payload : 8
type : 1
address : x.x.x.x
protocol : 17
port : 500
length : 12
*May 1 07:54:56.860: ISAKMP:(0):: peer matches *none* of the profiles
*May 1 07:54:56.860: ISAKMP:(4012): processing HASH payload. message ID = 0
*May 1 07:54:56.860: ISAKMP:received payload type 17
*May 1 07:54:56.860: ISAKMP:(4012): processing vendor id payload
*May 1 07:54:56.860: ISAKMP:(4012): vendor ID is DPD
*May 1 07:54:56.860: ISAKMP:(4012):SA authentication status:
authenticated
*May 1 07:54:56.860: ISAKMP:(4012):SA has been authenticated with x.x.x.x
*May 1 07:54:56.860: ISAKMP: Trying to insert a peer y.y.y.y/x.x.x.x/500/, and inserted successfully 469153FC.
*May 1 07:54:56.860: ISAKMP:(4012):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 1 07:54:56.860: ISAKMP:(4012):Old State = IKE_I_MM5 New State = IKE_I_MM6
*May 1 07:54:56.860: ISAKMP (0:4012): received packet from x.x.x.x dport 500 sport 500 Global (I) MM_KEY_EXCH
*May 1 07:54:56.860: ISAKMP: set new node 1409855149 to QM_IDLE
*May 1 07:54:56.864: ISAKMP:(4012): processing HASH payload. message ID = 1409855149
*May 1 07:54:56.864: ISAKMP:(4012): processing NOTIFY RESPONDER_LIFETIME protocol 1
spi 0, message ID = 1409855149, sa = 47997E20
*May 1 07:54:56.864: ISAKMP:(4012):SA authentication status:
authenticated
*May 1 07:54:56.864: ISAKMP:(4012): processing responder lifetime
*May 1 07:54:56.864: ISAKMP:(4012): start processing isakmp responder lifetime
*May 1 07:54:56.864: ISAKMP:(4012): restart ike sa timer to 3600 secs
*May 1 07:54:56.864: ISAKMP:(4012):deleting node 1409855149 error FALSE reason "Informational (in) state 1"
*May 1 07:54:56.864: ISAKMP:(4012):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 1 07:54:56.864: ISAKMP:(4012):Old State = IKE_I_MM6 New State = IKE_I_MM6
*May 1 07:54:56.864: ISAKMP:(4012):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 1 07:54:56.864: ISAKMP:(4012):Old State = IKE_I_MM6 New State = IKE_I_MM6
*May 1 07:54:56.868: ISAKMP:(4012):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 1 07:54:56.868: ISAKMP:(4012):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*May 1 07:54:56.868: ISAKMP:(4012):beginning Quick Mode exchange, M-ID of -415089130
*May 1 07:54:56.868: ISAKMP:(4012):QM Initiator gets spi
*May 1 07:54:56.872: ISAKMP:(4012): sending packet to x.x.x.x my_port 500 peer_port 500 (I) QM_IDLE
*May 1 07:54:56.872: ISAKMP:(4012):Node -415089130, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 1 07:54:56.872: ISAKMP:(4012):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*May 1 07:54:56.872: ISAKMP:(4012):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 1 07:54:56.872: ISAKMP:(4012):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*May 1 07:54:56.908: ISAKMP (0:4012): received packet from x.x.x.x dport 500 sport 500 Global (I) QM_IDLE
*May 1 07:54:56.908: ISAKMP: set new node 575568488 to QM_IDLE
*May 1 07:54:56.912: ISAKMP:(4012): processing HASH payload. message ID = 575568488
*May 1 07:54:56.912: ISAKMP:(4012): processing NOTIFY INVALID_ID_INFO protocol 1
spi 0, message ID = 575568488, sa = 47997E20
*May 1 07:54:56.912: ISAKMP:(4012):peer does not do paranoid keepalives.
*May 1 07:54:56.912: ISAKMP:(4012):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer x.x.x.x)
*May 1 07:54:56.912: ISAKMP:(4012):deleting node 575568488 error FALSE reason "Informational (in) state 1"
*May 1 07:54:56.912: ISAKMP:(4012):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 1 07:54:56.912: ISAKMP:(4012):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*May 1 07:54:56.912: ISAKMP (0:4012): received packet from x.x.x.x dport 500 sport 500 Global (I) QM_IDLE
*May 1 07:54:56.916: ISAKMP: set new node -1143564129 to QM_IDLE
*May 1 07:54:56.916: ISAKMP:(4012): sending packet to x.x.x.x my_port 500 peer_port 500 (I) QM_IDLE
*May 1 07:54:56.920: ISAKMP:(4012):purging node -1143564129
*May 1 07:54:56.920: ISAKMP:(4012):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*May 1 07:54:56.920: ISAKMP:(4012):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*May 1 07:54:56.920: ISAKMP:(4012):deleting SA reason "No reason" state (I) QM_IDLE (peer x.x.x.x)
*May 1 07:54:56.920: ISAKMP:(0):Can't decrement IKE Call Admission Control stat outgoing_active since it's already 0.
*May 1 07:54:56.920: ISAKMP: Unlocking peer struct 0x469153FC for isadb_mark_sa_deleted(), count 0
*May 1 07:54:56.920: ISAKMP: Deleting peer node by peer_reap for x.x.x.x: 469153FC
*May 1 07:54:56.920: ISAKMP:(4012):deleting node -415089130 error FALSE reason "IKE deleted"
*May 1 07:54:56.920: ISAKMP:(4012):deleting node 1409855149 error FALSE reason "IKE deleted"
*May 1 07:54:56.920: ISAKMP:(4012):deleting node 575568488 error FALSE reason "IKE deleted"
*May 1 07:54:56.924: ISAKMP:(4012):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 1 07:54:56.924: ISAKMP:(4012):Old State = IKE_DEST_SA New State = IKE_DEST_SA
05-01-2013 01:04 AM
Also, looking at my access-list - it shows 108 matches after pinging tests. I get no reply though. Does this suggest the return path is no good on the remote end?
Extended IP access list VPN-INTERESTING-TRAFFIC
10 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255 (108 matches)
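An added example, not posted by anyone in this thread, that triages an IOS IKEv1 debug capture like the one above and checks the ACL from this post. It treats RESPONDER_LIFETIME as a benign notify and INVALID_ID_INFO after a completed phase 1 as the peer rejecting the proposed proxy identities, i.e. the crypto ACL on one side not mirroring the other; the sample debug text is a constructed subset of the lines quoted earlier in the thread.

```python
import re

# Constructed sample, abbreviated from the debug output quoted in the thread above.
SAMPLE_DEBUG = """\
*May 1 07:54:56.860: ISAKMP:(4012):SA has been authenticated with x.x.x.x
*May 1 07:54:56.864: ISAKMP:(4012): processing NOTIFY RESPONDER_LIFETIME protocol 1
*May 1 07:54:56.868: ISAKMP:(4012):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*May 1 07:54:56.868: ISAKMP:(4012):beginning Quick Mode exchange, M-ID of -415089130
*May 1 07:54:56.912: ISAKMP:(4012): processing NOTIFY INVALID_ID_INFO protocol 1
*May 1 07:54:56.912: ISAKMP:(4012):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer x.x.x.x)
"""

STATE_RE = re.compile(r"New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\w+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')
# Informational notifies that are housekeeping, not errors.
BENIGN_NOTIFIES = {"RESPONDER_LIFETIME"}


def triage_isakmp(debug_text):
    """Summarise an IKEv1 debug: did phase 1 complete, did quick mode start,
    and which non-benign notify (if any) tore the SA down."""
    r = {"phase1_complete": False, "quick_mode_started": False,
         "fatal_notifies": [], "sa_deleted_reason": None}
    for line in debug_text.splitlines():
        if (m := STATE_RE.search(line)) and m.group(1) == "IKE_P1_COMPLETE":
            r["phase1_complete"] = True
        if "beginning Quick Mode exchange" in line:
            r["quick_mode_started"] = True
        if (m := NOTIFY_RE.search(line)) and m.group(1) not in BENIGN_NOTIFIES:
            r["fatal_notifies"].append(m.group(1))
        if (m := DELETE_RE.search(line)) and r["sa_deleted_reason"] is None:
            r["sa_deleted_reason"] = m.group(1)
    if not r["phase1_complete"]:
        r["diagnosis"] = "phase1_failed"        # look at peer address, PSK, ISAKMP policy
    elif "INVALID_ID_INFO" in r["fatal_notifies"]:
        # Phase 1 is fine; the peer rejected the proxy IDs, so compare crypto ACLs.
        r["diagnosis"] = "proxy_id_mismatch"
    else:
        r["diagnosis"] = "ok" if not r["fatal_notifies"] else "other_fatal_notify"
    return r


def mirror_ace(ace):
    """Return the entry the remote crypto ACL must contain for this local
    'permit ip' ACE to be accepted: source and destination swapped."""
    m = re.fullmatch(r"\s*(?:\d+\s+)?permit ip (\S+ \S+) (\S+ \S+)"
                     r"(?:\s*\(\d+ matches\))?\s*", ace)
    if not m:
        raise ValueError("unsupported ACE: " + ace)
    return "permit ip %s %s" % (m.group(2), m.group(1))
```

Feed `triage_isakmp` the full `debug crypto isakmp` output and `mirror_ace` each line of the local crypto ACL, then check that the remote side holds exactly those mirrored entries.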
05-01-2013 01:37 AM
Now working OK... It was an ACL on the remote side.
Thanks for help all!
05-01-2013 02:00 AM
Great to hear that you managed to make it work!! Don't forget to mark this post as answered so that other people know that it has been solved.