Hi all,
I'm hoping someone can help.
I'm trying to restrict my ASA from answering handshake requests from any IP address apart from the specified remote peer - I only have one VPN between the HO and DC. So far I have removed the crypto map WATCH 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP which I beleived would have responded to any VPN request. I've also disabled the SSL VPN for good measure.
I have certificates installed as I orginally tried to get rsa-sig working which was unsuccessful - if you have a Watchguard on the other end don't try this!.
The output from ike-scan which is running from a different address than the peer:
ubee@ubuntu:~$ sudo ike-scan -v -M --trans=5,2,1,5 --id=test
*.*.*.* --showbackoff
[sudo] password for ubee:
WARNING: Specifying an identification payload with --id or -n does not have
any effect unless you also specify aggressive mode with --aggressive
or -A
DEBUG: pkt len=84 bytes, bandwidth=56000 bps, int=16000 us Starting ike-scan 1.9 with 1 hosts
*.*.*.* Main Mode Handshake returned
HDR=(CKY-R=17fa18bf79c4afa5)
SA=(Enc=3DES Hash=SHA1 Group=5:modp1536 Auth=PSK LifeType=Seconds
LifeDuration=28800)
VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
IKE Backoff Patterns:
IP Address No. Recv time Delta Time
*.*.*.* 1 1310135704.612627 0.000000
*.*.*.* 2 1310135712.610471 7.997844
*.*.*.* 3 1310135720.615189 8.004718
*.*.*.* 4 1310135728.618697 8.003508
*.*.*.* Implementation guess: Cisco VPN Concentrator
Ending ike-scan 1.9: 1 hosts scanned in 84.077 seconds (0.01 hosts/sec). 1 returned handshake; 0 returned notify ubee@ubuntu:~$
ASA debugs showing ike-scan request above:
6|Jul 08 2011|09:08:30|302016|89.243.83.209|54971| *.*.*.* |500|Teardown UDP connection 9928544 for outside:89.243.83.209/54971 to identity: *.*.*.* /500 duration 0:02:24 bytes 500
6|Jul 08 2011|09:06:06|302015|89.243.83.209|54971| *.*.*.* |500|Built inbound UDP connection 9928544 for outside:89.243.83.209/54971 (89.243.83.209/54971) to identity: *.*.*.* /500 ( *.*.*.* /500)
Thanks in advance.
Damo.
