Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
543
Views
0
Helpful
2
Replies

Only one sides of IPSec tunnel encrypting packets

techsupport
Level 1
Level 1

‎06-24-2009 07:26 AM - edited ‎03-11-2019 08:47 AM

Any ideas as to how onside of the tunnel is not encrypting traffic thanks

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 26731, #pkts decrypt: 26731,

show crypto isakmp sa

18 IKE Peer: Vendor

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

show crypto ipsec sa

Crypto map tag: vpn_map, seq num: 4, local addr: 198.X.227.X

access-list VPN_TO_Vendor permit ip host 10.20.12.127 host 192.168.13.3

local ident (addr/mask/prot/port): (10.20.12.127/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (192.168.13.3/255.255.255.255/0/0)

current_peer: Vendor

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 26731, #pkts decrypt: 26731, #pkts verify: 26731

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 198.X.227.X, remote crypto endpt.: Vendor

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: 1205B666

inbound esp sas:

spi: 0x0B404729 (188761897)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 119238656, crypto-map: vpn_map

sa timing: remaining key lifetime (kB/sec): (4274991/27948)

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0x1205B666 (302364262)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 119238656, crypto-map: vpn_map

sa timing: remaining key lifetime (kB/sec): (4275000/27948)

IV size: 8 bytes

replay detection support: Y

Labels:
0 Helpful
2 Replies 2

John Blakley
VIP Alumni
VIP Alumni

‎06-24-2009 08:04 AM

Can you post your crypto map config and acl's on the ASA? What are you connecting to on the other end, and can you post those configs as well?

Also, looking at this map, you're encrypting traffic from one host. This has to match on your "vendors" end the opposite direction.

Your side:

access-list VPN_TO_Vendor permit ip host 10.20.12.127 host 192.168.13.3

Vendors side:

access-list VPN_TO_Vendor permit ip host 192.168.13.3 host 10.20.12.127

And you also need to make sure that you're not natting that connection with an acl:

access-list NONAT permit ip host 10.20.12.127 host 192.168.13.3

nat (inside) 0 access-list NONAT

HTH,

John

HTH, John *** Please rate all useful posts ***
0 Helpful

francisco_1
Level 7
Level 7
In response to John Blakley

‎06-24-2009 08:34 AM

looks like your tunnel is up but you are only receiving traffic only one direction so the device above is receiving trafic and decrypting it but nothing behind this device is sending traffic out so there is nothing to encrypt on the tunnel. Best to have a PC at both end and test sending ICMP data across the tunnel and look at the stats again.

Francisco

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card