Query regarding phase 1 and 2

prashantrecon
Level 1

Query regarding VPN tunnel on router

Say on site A the ISAKMP policies are as below:

crypto isakmp policy 10
 authentication pre-share
 group 2
 encryption 3des
 hash sha
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 group 2
 encryption aes
 hash md5
 lifetime 86400

From site A I have created a site-to-site VPN with site B with policy 10.

From site A I have created a site-to-site VPN with site C with policy 20.

But when I checked on the site C router there was no policy matching 20. But there was a policy matching 10.

Is it that site C has used policy 10 and brought phase 1 up? If so, how can I check that it has used policy 10?

Let's say site A has used a 10.x.x.x LAN IP for the interesting traffic in the VPN and has NATted it to 202.x.x.x:

ip nat inside source static 10.x.x.x 202.x.x.x

ip access-list extended test
 permit ip host 10.x.x.x 172.x.x.x

172.x.x.x is the far-end LAN IP.

Here I have used the 10.x.x.x range in the interesting traffic and it is NATted to 202.x.x.x.

If I have told the far end that my interesting traffic is 10.x.x.x, will there be any data transfer with site B, since I have NATted with 202.x.x.x and have given 10.x.x.x as the interesting traffic to the far end?

Or do I need to share the public IP as the interesting traffic?

2 Replies

Jouni Forss
VIP Alumni

Hi,

I'm not sure if you can see the Phase 1 parameters that were used. Though you can see the Phase 1 parameters used if you debug ISAKMP while the VPN connection is forming.

To my understanding the number after isakmp policy is the order/sequence number in which the device tries to negotiate the parameters with the remote device to find the matching settings. As I said before, using debug while the connection is forming is a good way to check what is happening regarding the Phase 1 policy being chosen.

Regarding the interesting traffic, I think you need to use the public network range in the VPN configurations (202.x.x.x). The encryption domain access-lists have to be mirror images of each other.
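As an added example (not from the thread or from Cisco), a small Python model of the two points above: how a responder picks a matching isakmp policy from the initiator's proposals, and why a crypto ACL written for the pre-NAT 10.x.x.x address never matches traffic that has already been translated to 202.x.x.x. The policies are the ones from the question; the concrete addresses (10.1.1.1, 202.1.1.1, 172.16.1.1) and the function names are constructed stand-ins.

```python
"""Added example (not part of the original thread) modelling two points
from the question and the reply above:
1. IKEv1 Phase 1: the responder walks its own isakmp policies in
   priority order (lowest number first) and takes the first one whose
   encryption, hash, authentication and DH group match any proposal the
   initiator sent, with the initiator's lifetime <= its own.
2. Crypto ACL and NAT: on the router, inside-to-outside static NAT is
   applied before the crypto map is checked, so an ACL that permits the
   pre-NAT 10.x source never matches and the traffic leaves in clear.
Addresses are constructed stand-ins for the thread's redacted x.x.x ones."""
from ipaddress import ip_address, ip_network

# Constructed policies copied from the question; keys are priority numbers.
SITE_A = {10: ("3des", "sha", "pre-share", 2, 86400),
          20: ("aes", "md5", "pre-share", 2, 86400)}
SITE_C = {10: ("3des", "sha", "pre-share", 2, 86400)}  # nothing matching 20


def select_phase1_policy(responder, initiator):
    """Return (priority, policy) the responder accepts, or None on failure."""
    for prio in sorted(responder):  # lowest priority number is tried first
        enc, hsh, auth, grp, lifetime = responder[prio]
        for prop in initiator.values():
            if prop[:4] == (enc, hsh, auth, grp) and prop[4] <= lifetime:
                return prio, responder[prio]
    return None


def acl_matches(acl, src, dst):
    """acl is a list of (src_prefix, dst_prefix) 'permit ip' entries."""
    return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
               for s, d in acl)


def egress(src, dst, nat_table, crypto_acl):
    """Inside-to-outside path: translate first, then evaluate the crypto ACL."""
    translated = nat_table.get(src, src)  # ip nat inside source static
    return "encrypted" if acl_matches(crypto_acl, translated, dst) else "cleartext"


NAT = {"10.1.1.1": "202.1.1.1"}  # ip nat inside source static 10.1.1.1 202.1.1.1
WRONG_ACL = [("10.1.1.1/32", "172.16.1.1/32")]   # as written in the question
RIGHT_ACL = [("202.1.1.1/32", "172.16.1.1/32")]  # post-NAT source, per the reply

if __name__ == "__main__":
    print(select_phase1_policy(SITE_C, SITE_A))  # (10, ('3des', 'sha', 'pre-share', 2, 86400))
    print(egress("10.1.1.1", "172.16.1.1", NAT, WRONG_ACL))  # cleartext
    print(egress("10.1.1.1", "172.16.1.1", NAT, RIGHT_ACL))  # encrypted
```

Running it shows site C accepting priority 10 even though site A intended 20, and the question's ACL sending the NATted traffic in cleartext until the 202.x.x.x address is used.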

Hi Jouni Forss,

I have found one way, without debugging, to find the phase 1 and phase 2 policy negotiated by the peers, i.e. via ASDM.

In ASDM version 6.4:

Click the Monitoring tab, select VPN, and in the filter select IPsec site-to-site.

You will find the peer IP. Right-click the peer IP and click Details; you will find the phase 1 policy and phase 2 policy negotiated.
