06-11-2009 06:42 AM - edited 03-11-2019 08:42 AM
Hi, I have three policies (see below) which make up a crypto map policy on a security device.
How does policy 10 match traffic if there is no "match address" statement? This is the peer I wish to edit, but I don't know how it is matching. Is there a default addressing match assumed?
!
crypto map MYCRYPTO_MAP 10 set peer 100.200.300.1
crypto map MYCRYPTO_MAP 10 set transform-set MY_TS_SET
!
crypto map MYCRYPTO_MAP 20 match address POLICY_ACL1
crypto map MYCRYPTO_MAP 20 set peer 100.200.300.50
crypto map MYCRYPTO_MAP 20 set transform-set MY_TS_SET
!
crypto map MYCRYPTO_MAP 30 match address POLICY_ACL2
crypto map MYCRYPTO_MAP 30 set peer 100.200.300.100
crypto map MYCRYPTO_MAP 30 set transform-set MY_TS_SET2
!
Many thanks,
Gerry
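An added configuration audit (not from the original post and not a Cisco tool) that parses crypto map lines like the ones posted above, groups them per map entry, and reports entries that lack a match address, set peer or set transform-set statement. The sample configuration is the one from the post, embedded here as constructed input.

```python
"""Audit Cisco ASA/IOS 'crypto map' entries for missing statements.

Each entry is identified by (map name, sequence number). A static entry
needs 'match address <ACL>' to define interesting traffic, plus a peer and
a transform-set; anything else ('!' separators, unrelated lines) is skipped.
"""
import re
from collections import defaultdict

# Matches e.g. "crypto map MYCRYPTO_MAP 10 set peer 100.200.300.1"
CRYPTO_MAP_RE = re.compile(r"^\s*crypto map (?P<name>\S+) (?P<seq>\d+) (?P<rest>.+?)\s*$")

# Statements every static crypto map entry is expected to carry.
REQUIRED = ("match address", "set peer", "set transform-set")


def parse_crypto_maps(config: str) -> dict:
    """Return {(name, seq): {statement: value}} for all crypto map lines."""
    entries = defaultdict(dict)
    for line in config.splitlines():
        m = CRYPTO_MAP_RE.match(line)
        if not m:
            continue  # '!' separators, blank lines, unrelated config
        rest = m.group("rest")
        for kind in REQUIRED:
            if rest.startswith(kind + " "):
                key = (m.group("name"), int(m.group("seq")))
                entries[key][kind] = rest[len(kind) + 1:]
                break  # other 'set ...' statements are ignored on purpose
    return dict(entries)


def find_incomplete(config: str) -> dict:
    """Return {(name, seq): [missing statements]} for entries lacking required lines."""
    incomplete = {}
    for key, stmts in sorted(parse_crypto_maps(config).items()):
        missing = [k for k in REQUIRED if k not in stmts]
        if missing:
            incomplete[key] = missing
    return incomplete


# Constructed sample: the three entries quoted in the post above.
SAMPLE_CONFIG = """!
crypto map MYCRYPTO_MAP 10 set peer 100.200.300.1
crypto map MYCRYPTO_MAP 10 set transform-set MY_TS_SET
!
crypto map MYCRYPTO_MAP 20 match address POLICY_ACL1
crypto map MYCRYPTO_MAP 20 set peer 100.200.300.50
crypto map MYCRYPTO_MAP 20 set transform-set MY_TS_SET
!
crypto map MYCRYPTO_MAP 30 match address POLICY_ACL2
crypto map MYCRYPTO_MAP 30 set peer 100.200.300.100
crypto map MYCRYPTO_MAP 30 set transform-set MY_TS_SET2
!"""

if __name__ == "__main__":
    for (name, seq), missing in find_incomplete(SAMPLE_CONFIG).items():
        print(f"crypto map {name} {seq}: missing {', '.join(missing)}")
```

Run against the posted configuration it reports only entry 10, which has a peer and transform-set but no match address.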
06-11-2009 06:53 AM
A match address will be needed to specify interesting traffic.
Check if the VPN is even up.
Show crypto isakmp sa
Is it possible to test the VPN if it is not up?
06-11-2009 07:11 AM
Thanks Srikant,
The VPN is definitely up.
Best Regards,
Gerard
06-11-2009 07:14 AM
Under the tunnel group for this VPN or the group policy, are there any specific ACL settings?
Can you post the tunnel group, group policy and crypto config for this vpn?
06-11-2009 07:23 AM
Hi Srikant,
No ACL settings... that is why I was wondering how the traffic is being matched. Is there a default setting?
Tunnel config below.
tunnel-group 100.200.300.1 type ipsec-l2l
tunnel-group 100.200.300.1 general-attributes
no accounting-server-group
default-group-policy DfltGrpPolicy
tunnel-group 100.200.300.1 ipsec-attributes
pre-shared-key *
peer-id-validate req
no chain
no trust-point
isakmp keepalive threshold 10 retry 2
Thanks
Gerard
06-11-2009 07:24 AM
Can you also post the output for these commands:
show crypto isakmp sa
show crypto ipsec sa
06-11-2009 07:29 AM
show crypto isakmp sa
4 IKE Peer: 100.200.300.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
-----------
FW# show vpn-sessiondb detail l2l filter ipaddress 100.200.300.1
Session Type: LAN-to-LAN Detailed
Connection : 100.200.300.1
Index : 1 IP Addr : 100.200.300.1
Protocol : IPSecLAN2LAN Encryption : 3DES
Hashing : SHA1
Bytes Tx : 996874716 Bytes Rx : 622313494
Login Time : 10:40:07 UTC Thu Jun 11 2009
Duration : 4h:33m:13s
Filter Name :
IKE Sessions: 1
IPSec Sessions: 2
IKE:
Session ID : 1
UDP Src Port : 500 UDP Dst Port : 500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 70008 Seconds
D/H Group : 2
06-11-2009 07:33 AM
Try show ipsec sa peer 100.200.300.1
This should include the traffic it is encrypting/decrypting for this VPN.
06-11-2009 07:37 AM
Thanks Srikant,
There appears to be a local and remote subnet listed for source and destination, but I cannot find where this is defined.
This is the point of my posting as I cannot locate where it is reading this information.
Kind Regards,
Gerard
06-11-2009 06:54 AM
How is the other side configured? As a dynamic map?
06-11-2009 07:15 AM
Thanks Steven,
The other end is a Checkpoint firewall with both subnets A<-->B allowed in both directions to form the tunnel.
Best Regards,
Gerry