Crypto Map - Address Matching question

crazyhorse29
Level 1

Hi, I have three policies (see below) which make up a crypto map policy on a security device.

How does policy 10 match traffic if there is no "match address" statement? This is the peer I wish to edit, but I don't know how it is matching. Is there a default addressing match assumed?

!
crypto map MYCRYPTO_MAP 10 set peer 100.200.300.1
crypto map MYCRYPTO_MAP 10 set transform-set MY_TS_SET
!
crypto map MYCRYPTO_MAP 20 match address POLICY_ACL1
crypto map MYCRYPTO_MAP 20 set peer 100.200.300.50
crypto map MYCRYPTO_MAP 20 set transform-set MY_TS_SET
!
crypto map MYCRYPTO_MAP 30 match address POLICY_ACL2
crypto map MYCRYPTO_MAP 30 set peer 100.200.300.100
crypto map MYCRYPTO_MAP 30 set transform-set MY_TS_SET2
!

Many thanks,

Gerry


srikantganesh
Level 1

A match address will be needed to specify interesting traffic.

Check if the VPN is even up.

Show crypto isakmp sa

Is it possible to test the VPN if it is not up?
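As an added defender-side check (not code from the thread or from Cisco), the following Python audit parses crypto map entries of the form posted above and flags any sequence number that lacks one of the three statements a static entry needs; run on the poster's three entries it reports sequence 10 for its missing match address.

```python
import re
from collections import defaultdict

# The three crypto map entries posted in the question, embedded as sample input.
SAMPLE_CONFIG = """\
crypto map MYCRYPTO_MAP 10 set peer 100.200.300.1
crypto map MYCRYPTO_MAP 10 set transform-set MY_TS_SET
crypto map MYCRYPTO_MAP 20 match address POLICY_ACL1
crypto map MYCRYPTO_MAP 20 set peer 100.200.300.50
crypto map MYCRYPTO_MAP 20 set transform-set MY_TS_SET
crypto map MYCRYPTO_MAP 30 match address POLICY_ACL2
crypto map MYCRYPTO_MAP 30 set peer 100.200.300.100
crypto map MYCRYPTO_MAP 30 set transform-set MY_TS_SET2
"""

# Matches "crypto map <name> <seq> <keyword> <value>" for the keywords we audit.
ENTRY_RE = re.compile(
    r"^crypto map (?P<name>\S+) (?P<seq>\d+) "
    r"(?P<key>match address|set peer|set transform-set) (?P<value>.+)$"
)
# A static (non-dynamic) entry needs all three to define a usable tunnel.
REQUIRED = ("match address", "set peer", "set transform-set")

def parse_crypto_maps(config_text):
    """Group statements by (map name, seq) -> {keyword: value}; other lines ignored."""
    entries = defaultdict(dict)
    for line in config_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[(m["name"], int(m["seq"]))][m["key"]] = m["value"].strip()
    return dict(entries)

def audit_crypto_maps(config_text):
    """Return [(name, seq, [missing keywords])] for entries lacking a required statement.

    An entry without 'match address' has no ACL defining its interesting traffic,
    which is the gap the poster noticed in sequence 10.
    """
    findings = []
    for (name, seq), stmts in sorted(parse_crypto_maps(config_text).items()):
        missing = [k for k in REQUIRED if k not in stmts]
        if missing:
            findings.append((name, seq, missing))
    return findings

if __name__ == "__main__":
    for name, seq, missing in audit_crypto_maps(SAMPLE_CONFIG):
        print(f"{name} seq {seq}: missing {', '.join(missing)}")
```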

Thanks Srikant,

The VPN is definitely up.

Best Regards,

Gerard

Under the tunnel group for this VPN or the group policy, are there any specific ACL settings?

Can you post the tunnel group, group policy and crypto config for this vpn?

Hi Srikant,

No ACL settings... that is why I was wondering how the traffic is being matched. Is there a default setting?

Tunnel config below.

tunnel-group 100.200.300.1 type ipsec-l2l
tunnel-group 100.200.300.1 general-attributes
no accounting-server-group
default-group-policy DfltGrpPolicy
tunnel-group 100.200.300.1 ipsec-attributes
pre-shared-key *
peer-id-validate req
no chain
no trust-point
isakmp keepalive threshold 10 retry 2

Thanks

Gerard

Can you also post the output for these commands?

show crypto isakmp sa
show crypto ipsec sa

show crypto isakmp sa
4 IKE Peer: 100.200.300.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
-----------
FW# show vpn-sessiondb detail l2l filter ipaddress 100.200.300.1
Session Type: LAN-to-LAN Detailed
Connection : 100.200.300.1
Index : 1 IP Addr : 100.200.300.1
Protocol : IPSecLAN2LAN Encryption : 3DES
Hashing : SHA1
Bytes Tx : 996874716 Bytes Rx : 622313494
Login Time : 10:40:07 UTC Thu Jun 11 2009
Duration : 4h:33m:13s
Filter Name :
IKE Sessions: 1
IPSec Sessions: 2
IKE:
Session ID : 1
UDP Src Port : 500 UDP Dst Port : 500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 70008 Seconds
D/H Group : 2

Try show ipsec sa peer 100.200.300.1

This should include the traffic it is encrypting/decrypting for this VPN.

Thanks Srikant,

There appears to be a local and remote subnet listed for source and destination, but I cannot find where this is defined.

This is the point of my posting as I cannot locate where it is reading this information.

Kind Regards,

Gerard

srue
Level 7

How is the other side configured? As a dynamic map?

Thanks Steven,

The other end is a Check Point firewall with both subnets A<-->B allowed in both directions to form the tunnel.

Best Regards,

Gerry
