IPSEC SPOOF Detected

Jun 25th, 2010

Hi,


I have a central location (Location-2) which connects to two site-to-site VPN locations (Location-1 & Location-3). Traffic flows between Location-2 and Location-1 and also between Location-2 and Location-3. Now, the requirement is to establish traffic from Location-1 to Location-3 without establishing a site-to-site VPN between Location-1 and Location-3.


The scenario is like this:


Location 1 <------------->   Location 2 <------------>   Location 3


192.168.205.0/24           10.192.153.0/24            10.0.57.0/27


VPN Exists between:


Location 1 & Location 2

Location 2 & Location 3


Now, I want to reach from 192.168.205.17 (Location 1 Server) to 10.0.57.10 (Location 3 Server).


I have added the subnets into the existing tunnels.


Location 1 (Protected networks): --- Source  192.168.205.0/24

                                                   Destination 10.192.153.0/24 & 10.0.57.0/27


Location 2 (Protected network in the tunnel created to Location1 ) --- Source 10.192.153.0/24 & 10.0.57.0/27

                                                                                                    Destination 192.168.205.0/24

Location 2 (Protected network in the tunnel created to Location 2) ---- Source 10.192.153.0/24 & 192.168.205.0/24

                                                                                                    Destination 10.0.57.0/27


Location 3 (Protected Network) --- Source 10.0.57.0/27

                                                  Destination 10.192.153.0/24 & 192.168.205.0/24


Location 1 & Location 2 have ASA 5520s. Location 3 is the customer's site and I am not aware of the device.


In order to permit the traffic within the intra area, this command is given on the Location 2 ASA box:

"same-security-traffic permit intra-interface"


Still I am not able to reach Location 3 from Location 1.


When I do a packet trace at Location 2 on the Internet interface (where the VPN is terminated), with

source 192.168.205.17

destination 10.0.57.10, protocol IP,


then I am seeing the message "IPSEC SPOOF Detected" and the packet is getting dropped.


Any help on how to resolve this issue?

Jennifer Halim (Cisco Employee) Sat, 06/26/2010 - 01:29

When you are trying to access LAN 1 - 192.168.205.0/24 from LAN 3 - 10.0.57.0/27, can you please share the output of the following from both Location 1 and Location 2:

show crypto isa sa

show crypto ipsec sa


If you don't mind sharing configuration from both Location 1 and 2, that would help.


You might also want to check NAT on Location 2, and make sure that there is no NAT statement on the outside interface.


So far, your description of how it is being configured seems correct.

DCOPS IBS Sun, 06/27/2010 - 21:25

Hi,


When I am trying to access LAN 3 (10.0.57.10) from LAN 1 (192.168.205.17), the output of the commands

1) sh crypto isakmp sa

2) sh crypto ipsec sa

at Location 1 and Location 2 is as follows:


Location 1:-


sh crypto isakmp sa


    IKE Peer: 216.25.240.70
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE


sh crypto ipsec sa


interface: INTERNET
  
    Crypto map tag: INTERNET_map, seq num: 5, local addr: 202.177.46.1

      access-list INTERNET_5_cryptomap permit ip Iloyal_Network1 255.255.255.0 EXT_Ashburn 255.255.254.0
      local ident (addr/mask/prot/port): (Iloyal_Network1/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (EXT_Ashburn/255.255.254.0/0/0)
      current_peer: 216.25.240.70

      #pkts encaps: 5441572, #pkts encrypt: 5441572, #pkts digest: 5441572
      #pkts decaps: 5496981, #pkts decrypt: 5496981, #pkts verify: 5496981
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5441572, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 202.177.46.1, remote crypto endpt.: 216.25.240.70

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 90295500

    inbound esp sas:
      spi: 0x6E08190B (1846024459)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
         sa timing: remaining key lifetime (kB/sec): (3907513/25525)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x90295500 (2418627840)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
         sa timing: remaining key lifetime (kB/sec): (3910585/25525)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: INTERNET_map, seq num: 5, local addr: 202.177.46.1

      access-list INTERNET_5_cryptomap permit ip Iloyal_Network2 255.255.255.0 EXT_Ashburn 255.255.254.0
      local ident (addr/mask/prot/port): (Iloyal_Network2/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (EXT_Ashburn/255.255.254.0/0/0)
      current_peer: 216.25.240.70

      #pkts encaps: 246587, #pkts encrypt: 246587, #pkts digest: 246587
      #pkts decaps: 446676, #pkts decrypt: 446676, #pkts verify: 446676
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 246587, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 202.177.46.1, remote crypto endpt.: 216.25.240.70

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: D3B7A2B0

    inbound esp sas:
      spi: 0x71231FDE (1898127326)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
         sa timing: remaining key lifetime (kB/sec): (3295810/19472)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFDF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xD3B7A2B0 (3552027312)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
         sa timing: remaining key lifetime (kB/sec): (3904920/19472)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: INTERNET_map, seq num: 5, local addr: 202.177.46.1

      access-list INTERNET_5_cryptomap permit ip host INT_TC_22_172 EXT_Ashburn 255.255.254.0
      local ident (addr/mask/prot/port): (INT_TC_22_172/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (EXT_Ashburn/255.255.254.0/0/0)
      current_peer: 216.25.240.70

      #pkts encaps: 193, #pkts encrypt: 193, #pkts digest: 193
      #pkts decaps: 152, #pkts decrypt: 152, #pkts verify: 152
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 193, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 202.177.46.1, remote crypto endpt.: 216.25.240.70

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 3EC4F7F6

    inbound esp sas:
      spi: 0x6B0260F3 (1795318003)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
         sa timing: remaining key lifetime (kB/sec): (3914983/28721)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x3EC4F7F6 (1053095926)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
         sa timing: remaining key lifetime (kB/sec): (3914985/28721)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: INTERNET_map, seq num: 5, local addr: 202.177.46.1

      access-list INTERNET_5_cryptomap permit ip INT_aiRES_73_NETWORK 255.255.255.0 EXT_Ashburn 255.255.254.0
      local ident (addr/mask/prot/port): (INT_aiRES_73_NETWORK/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (EXT_Ashburn/255.255.254.0/0/0)
      current_peer: 216.25.240.70

      #pkts encaps: 1249568, #pkts encrypt: 1249568, #pkts digest: 1249568
      #pkts decaps: 933172, #pkts decrypt: 933172, #pkts verify: 933172
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1249568, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 202.177.46.1, remote crypto endpt.: 216.25.240.70

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: B638265E

    inbound esp sas:
      spi: 0x582E3E42 (1479425602)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
         sa timing: remaining key lifetime (kB/sec): (3914761/25527)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xB638265E (3057133150)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
         sa timing: remaining key lifetime (kB/sec): (3914797/25527)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: INTERNET_map, seq num: 5, local addr: 202.177.46.1

      access-list INTERNET_5_cryptomap permit ip INT_DC_NETWORK 255.255.255.0 Neovera_Belle-Air_LAN 255.255.255.224
      local ident (addr/mask/prot/port): (INT_DC_NETWORK/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (Neovera_Belle-Air_LAN/255.255.255.224/0/0)
      current_peer: 216.25.240.70

      #pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 17, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 202.177.46.1, remote crypto endpt.: 216.25.240.70

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 9BBD37E3

    inbound esp sas:
      spi: 0x7713C5FB (1997784571)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28451)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x9BBD37E3 (2612869091)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
         sa timing: remaining key lifetime (kB/sec): (3914999/28451)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: INTERNET_map, seq num: 5, local addr: 202.177.46.1

      access-list INTERNET_5_cryptomap permit ip INT_DC_NETWORK 255.255.255.0 EXT_Ashburn 255.255.254.0
      local ident (addr/mask/prot/port): (INT_DC_NETWORK/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (EXT_Ashburn/255.255.254.0/0/0)
      current_peer: 216.25.240.70

      #pkts encaps: 16077242, #pkts encrypt: 16077242, #pkts digest: 16077242
      #pkts decaps: 17194362, #pkts decrypt: 17194362, #pkts verify: 17194362
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 16077242, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 202.177.46.1, remote crypto endpt.: 216.25.240.70

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 1B4A82F2

    inbound esp sas:
      spi: 0x2E71B949 (779204937)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
         sa timing: remaining key lifetime (kB/sec): (3888412/25525)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x1B4A82F2 (457868018)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
         sa timing: remaining key lifetime (kB/sec): (3905478/25525)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: INTERNET_map, seq num: 5, local addr: 202.177.46.1

      access-list INTERNET_5_cryptomap permit ip IBS_TVM_AOS_Network 255.255.255.0 EXT_Ashburn 255.255.254.0
      local ident (addr/mask/prot/port): (IBS_TVM_AOS_Network/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (EXT_Ashburn/255.255.254.0/0/0)
      current_peer: 216.25.240.70

      #pkts encaps: 1416371, #pkts encrypt: 1416371, #pkts digest: 1416371
      #pkts decaps: 1609581, #pkts decrypt: 1609581, #pkts verify: 1609581
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1416371, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 202.177.46.1, remote crypto endpt.: 216.25.240.70

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 4C533C9E

    inbound esp sas:
      spi: 0x22666D60 (577138016)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
         sa timing: remaining key lifetime (kB/sec): (3912838/23680)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x4C533C9E (1280523422)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2244608, crypto-map: INTERNET_map
         sa timing: remaining key lifetime (kB/sec): (3914653/23680)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


Location 2:-


sh crypto isakmp sa


To location 1


1   IKE Peer: 202.177.46.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

To Location 3


2  IKE Peer: 208.77.255.101
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE


sh crypto ipsec sa


interface: Internet_Twix
    Crypto map tag: Internet_Twix_map, seq num: 5, local addr: 216.25.240.70

      access-list Internet_Twix_5_cryptomap permit ip DC_TRVM_NETWORK 255.255.255.0 10.0.57.0 255.255.255.224
      local ident (addr/mask/prot/port): (DC_TRVM_NETWORK/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.57.0/255.255.255.224/0/0)
      current_peer: 208.77.255.101

      #pkts encaps: 46, #pkts encrypt: 46, #pkts digest: 46
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 46, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 216.25.240.70, remote crypto endpt.: 208.77.255.101

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 288A2AD3

    inbound esp sas:
      spi: 0x9EEBA5FD (2666243581)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 74915840, crypto-map: Internet_Twix_map
         sa timing: remaining key lifetime (kB/sec): (4374000/27380)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001
    outbound esp sas:
      spi: 0x288A2AD3 (680143571)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 74915840, crypto-map: Internet_Twix_map
         sa timing: remaining key lifetime (kB/sec): (4373997/27380)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001



    Crypto map tag: Internet_Twix_map, seq num: 1, local addr: 216.25.240.70

      access-list Internet_Twix_1_cryptomap permit ip 10.0.57.0 255.255.255.224 DC_TRVM_NETWORK 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.57.0/255.255.255.224/0/0)
      remote ident (addr/mask/prot/port): (DC_TRVM_NETWORK/255.255.255.0/0/0)
      current_peer: 202.177.46.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 47, #pkts decrypt: 47, #pkts verify: 47
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 216.25.240.70, remote crypto endpt.: 202.177.46.1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 7713C5FB

    inbound esp sas:
      spi: 0x9BBD37E3 (2612869091)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
         sa timing: remaining key lifetime (kB/sec): (4373997/27375)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x0000FFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x7713C5FB (1997784571)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
         sa timing: remaining key lifetime (kB/sec): (4374000/27375)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

    Crypto map tag: Internet_Twix_map, seq num: 1, local addr: 216.25.240.70

      access-list Internet_Twix_1_cryptomap permit ip 10.192.154.0 255.255.254.0 aiRES_TRVM 255.255.255.0
      local ident (addr/mask/prot/port): (10.192.154.0/255.255.254.0/0/0)
      remote ident (addr/mask/prot/port): (aiRES_TRVM/255.255.255.0/0/0)
      current_peer: 202.177.46.1

      #pkts encaps: 938545, #pkts encrypt: 938545, #pkts digest: 938545
      #pkts decaps: 1249490, #pkts decrypt: 1249490, #pkts verify: 1249490
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 938545, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 216.25.240.70, remote crypto endpt.: 202.177.46.1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 582E3E42

    inbound esp sas:
      spi: 0xB638265E (3057133150)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
         sa timing: remaining key lifetime (kB/sec): (4373735/24451)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x582E3E42 (1479425602)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
         sa timing: remaining key lifetime (kB/sec): (4373689/24451)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

    Crypto map tag: Internet_Twix_map, seq num: 1, local addr: 216.25.240.70

      access-list Internet_Twix_1_cryptomap permit ip 10.192.154.0 255.255.254.0 iLoyal_network 255.255.255.0
      local ident (addr/mask/prot/port): (10.192.154.0/255.255.254.0/0/0)
      remote ident (addr/mask/prot/port): (iLoyal_network/255.255.255.0/0/0)
      current_peer: 202.177.46.1

      #pkts encaps: 5524091, #pkts encrypt: 5524091, #pkts digest: 5524091
      #pkts decaps: 5448662, #pkts decrypt: 5448662, #pkts verify: 5448662
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5524091, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 216.25.240.70, remote crypto endpt.: 202.177.46.1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 6E08190B

    inbound esp sas:
      spi: 0x90295500 (2418627840)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
         sa timing: remaining key lifetime (kB/sec): (4368056/24449)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x6E08190B (1846024459)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
         sa timing: remaining key lifetime (kB/sec): (4362669/24449)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

    Crypto map tag: Internet_Twix_map, seq num: 1, local addr: 216.25.240.70

      access-list Internet_Twix_1_cryptomap permit ip 10.192.154.0 255.255.254.0 DC_TRVM_NETWORK 255.255.255.0
      local ident (addr/mask/prot/port): (10.192.154.0/255.255.254.0/0/0)
      remote ident (addr/mask/prot/port): (DC_TRVM_NETWORK/255.255.255.0/0/0)
      current_peer: 202.177.46.1

      #pkts encaps: 17275512, #pkts encrypt: 17275512, #pkts digest: 17275512
      #pkts decaps: 16109043, #pkts decrypt: 16109043, #pkts verify: 16109043
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 17275512, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 216.25.240.70, remote crypto endpt.: 202.177.46.1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 2E71B949

    inbound esp sas:
      spi: 0x1B4A82F2 (457868018)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
         sa timing: remaining key lifetime (kB/sec): (4361292/24449)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x2E71B949 (779204937)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
         sa timing: remaining key lifetime (kB/sec): (4338271/24449)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

    Crypto map tag: Internet_Twix_map, seq num: 1, local addr: 216.25.240.70

      access-list Internet_Twix_1_cryptomap permit ip 10.192.154.0 255.255.254.0 Tnc_Cok 255.255.255.0
      local ident (addr/mask/prot/port): (10.192.154.0/255.255.254.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.22.172/255.255.255.255/0/0)
      current_peer: 202.177.46.1

      #pkts encaps: 194, #pkts encrypt: 194, #pkts digest: 194
      #pkts decaps: 255, #pkts decrypt: 255, #pkts verify: 255
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 194, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 216.25.240.70, remote crypto endpt.: 202.177.46.1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 6B0260F3

    inbound esp sas:
      spi: 0x3EC4F7F6 (1053095926)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
         sa timing: remaining key lifetime (kB/sec): (4373980/27645)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x6B0260F3 (1795318003)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
         sa timing: remaining key lifetime (kB/sec): (4373979/27645)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

    Crypto map tag: Internet_Twix_map, seq num: 1, local addr: 216.25.240.70

      access-list Internet_Twix_1_cryptomap permit ip 10.192.154.0 255.255.254.0 IBS_TVM_AOS_Network 255.255.255.0
      local ident (addr/mask/prot/port): (10.192.154.0/255.255.254.0/0/0)
      remote ident (addr/mask/prot/port): (IBS_TVM_AOS_Network/255.255.255.0/0/0)
      current_peer: 202.177.46.1

      #pkts encaps: 1635974, #pkts encrypt: 1635974, #pkts digest: 1635974
      #pkts decaps: 1432941, #pkts decrypt: 1432941, #pkts verify: 1432941
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1635974, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 216.25.240.70, remote crypto endpt.: 202.177.46.1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 22666D60

    inbound esp sas:
      spi: 0x4C533C9E (1280523422)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
         sa timing: remaining key lifetime (kB/sec): (4372312/22604)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x22666D60 (577138016)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 57442304, crypto-map: Internet_Twix_map
         sa timing: remaining key lifetime (kB/sec): (4367986/22604)
         IV size: 8 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001


I have also enabled NAT exemption on the outside interface at Location 2. Still I am getting the IPSEC Spoof detected error at Location 2.


The configuration is a little difficult for me to post at the moment. If these outputs help you to give a correct solution, it will be great.

Jennifer Halim (Cisco Employee) Mon, 06/28/2010 - 03:39

Based on the output attached, here is what happens:

1) Traffic is getting encrypted on Loc 1 from Loc 1 towards Loc 2 from 192.168.205.0/24 towards 10.0.57.0/27

2) Traffic is then getting decrypted on Loc 2 from Loc 1 towards Loc 2 from 192.168.205.0/24 towards 10.0.57.0/27

3) Traffic is then getting re-encrypted on Loc 2 towards Loc 3 from 192.168.205.0/24 towards 10.0.57.0/27


In summary, traffic from Loc 1 towards Loc 3 travels as far as the Loc 3 ASA, based on the output provided.


As you haven't included the output from Loc 3, I would assume that you would see decrypted traffic showing some numbers while encrypted traffic between 10.0.57.0/27 and 192.168.205.0/24 subnets will be showing 0.


If that is the case, there could be a number of issues:

1) Please check if NAT exemption has been configured correctly.

2) Please check if there is any ACL that might be blocking the access

3) Please check if the 10.0.57.0/27 subnet is directly connected to the firewall; if not, please check routing (please make sure that 10.0.57.0/27 knows how to route to the 192.168.205.0/24 subnet, i.e. via the ASA).

4) Lastly, if you test with ping, please also make sure that the host 10.0.57.10 doesn't have a personal firewall that might be blocking ping from a different subnet, and that you have "inspect icmp" enabled on the ASA.


Hope that helps.

DCOPS IBS Tue, 06/29/2010 - 23:52

Hi Halijenn,


Finally I got this working.

There was some ACL at Location 3 which was blocking the request. That's why I was getting SYN Timeout in the firewall log.


Now, I am able to reach Location 3 from Location 1.


Thanks for your help and suggestions.


But it has nothing to do with the IPSEC Spoof detection at Location 2 using the packet trace.

I am still getting the same error.

It may be due to the 192.168.205.17 packet as source on the firewall at Location 2. This may be due to a non-IPsec packet entering the IPsec tunnel.

StanDamen Wed, 06/30/2010 - 06:06

Hi!


IPSEC spoof detected means that you are trying to send unencrypted packets over an encrypted line.


The most logical explanation for this would be that the Location 2 VPN server does not re-encrypt the packets after receiving them from Location 1.

Are you sure the included subnets in the tunnels are accurate and that the correct routes are applied?


Stan
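As an added example that is not part of this thread, the Python below models the hub-and-spoke policy the question describes: it checks that each hop's crypto ACL covers the spoke-to-spoke flow in both directions, that the hub permits intra-interface traffic, and it reproduces the condition behind the packet-tracer result, where a cleartext packet injected on the outside interface with a source that belongs to a tunnel's protected network is rejected as an IPsec spoof. The addresses are the thread's; `Tunnel`, `Device` and the function names are this example's own, and the model deliberately ignores NAT and routing.

```python
# Added example (not from the thread): a small model of the hub-and-spoke IPsec
# policy described above. It checks whether a spoke-to-spoke flow is covered by
# every crypto ACL on the path and shows what the hub's IPsec spoof check rejects.
# NAT exemption, routing and interface ACLs are out of scope for this model.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Tunnel:
    """One crypto-map entry: the protected networks on each side of an L2L tunnel."""
    name: str
    local_nets: List[str]   # networks behind this device (crypto ACL source)
    remote_nets: List[str]  # networks behind the peer (crypto ACL destination)


@dataclass
class Device:
    name: str
    tunnels: List[Tunnel]
    intra_interface: bool = False  # 'same-security-traffic permit intra-interface'


def _covers(nets: List[str], ip: str) -> bool:
    return any(ip_address(ip) in ip_network(n) for n in nets)


def outbound_tunnel(dev: Device, src: str, dst: str) -> Optional[Tunnel]:
    """Tunnel whose crypto ACL (local -> remote) matches a packet the device would encrypt."""
    for t in dev.tunnels:
        if _covers(t.local_nets, src) and _covers(t.remote_nets, dst):
            return t
    return None


def inbound_tunnel(dev: Device, src: str, dst: str) -> Optional[Tunnel]:
    """Tunnel whose crypto ACL, read in reverse (remote -> local), matches a packet
    the device expects to receive encrypted from its peer."""
    for t in dev.tunnels:
        if _covers(t.remote_nets, src) and _covers(t.local_nets, dst):
            return t
    return None


def is_ipsec_spoof(dev: Device, src: str, dst: str) -> bool:
    """A cleartext packet on the outside interface whose addresses match a tunnel's
    inbound policy should only ever arrive through that tunnel, so the ASA drops it
    as 'IPSEC Spoof detected'. packet-tracer injected on the outside interface with a
    spoke address as source builds exactly this kind of packet."""
    return inbound_tunnel(dev, src, dst) is not None


def trace_spoke_to_spoke(spoke_a: Device, hub: Device, spoke_b: Device,
                         src: str, dst: str) -> List[str]:
    """Return the problems that would stop src (behind spoke_a) from reaching dst
    (behind spoke_b) via the hub; an empty list means every hop's policy agrees."""
    problems = []
    if outbound_tunnel(spoke_a, src, dst) is None:
        problems.append(f"{spoke_a.name}: crypto ACL does not cover {src} -> {dst}")
    if inbound_tunnel(hub, src, dst) is None:
        problems.append(f"{hub.name}: tunnel to {spoke_a.name} has no mirror entry for {src} -> {dst}")
    if not hub.intra_interface:
        problems.append(f"{hub.name}: hairpin on one interface needs "
                        "'same-security-traffic permit intra-interface'")
    if outbound_tunnel(hub, src, dst) is None:
        problems.append(f"{hub.name}: no tunnel re-encrypts {src} -> {dst} towards {spoke_b.name}")
    if inbound_tunnel(spoke_b, src, dst) is None:
        problems.append(f"{spoke_b.name}: crypto ACL does not accept {src} -> {dst}")
    return problems


# Topology from the thread: Location 1 and 3 are spokes, Location 2 is the hub.
LOC1 = Device("Location 1", [Tunnel("loc1->loc2", ["192.168.205.0/24"],
                                    ["10.192.153.0/24", "10.0.57.0/27"])])
LOC2 = Device("Location 2", [
    Tunnel("loc2->loc1", ["10.192.153.0/24", "10.0.57.0/27"], ["192.168.205.0/24"]),
    Tunnel("loc2->loc3", ["10.192.153.0/24", "192.168.205.0/24"], ["10.0.57.0/27"]),
], intra_interface=True)
LOC3 = Device("Location 3", [Tunnel("loc3->loc2", ["10.0.57.0/27"],
                                    ["10.192.153.0/24", "192.168.205.0/24"])])


def thread_case() -> dict:
    """Evaluate the flow from the question in both directions, plus the
    packet-tracer test the poster ran on the hub's outside interface."""
    return {
        "forward": trace_spoke_to_spoke(LOC1, LOC2, LOC3, "192.168.205.17", "10.0.57.10"),
        "return": trace_spoke_to_spoke(LOC3, LOC2, LOC1, "10.0.57.10", "192.168.205.17"),
        "packet_tracer_on_outside": is_ipsec_spoof(LOC2, "192.168.205.17", "10.0.57.10"),
    }
```

With the thread's subnets both directions come back clean and the packet-tracer case is flagged as a spoof, which is consistent with the policy being correct and the drop being an artifact of injecting a cleartext packet on the outside interface.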
