
New Member

VPN tunnel troubleshooting questions

If I have an L2L VPN tunnel configured and it is not coming up:

What is the sequence of the tunnel coming up?

For example, at what point should I see the access-lists for interesting traffic getting hits in the process?

If the tunnel does not successfully come up, should I expect to see no hits on the access-list even though the routing is OK?

My understanding is that the interesting traffic access-lists are part of phase 2, but it seems that these access-lists would have to be the first thing in the process to initiate phase 1.

Doesn't there have to be traffic destined for the remote tunnel LAN in order for phase 1 to start?

Also, I have seen several posts indicating to check the SA lifetimes on both ends; my understanding is that these do not have to match, and that the end with the shortest time will cause a rekey.

Is that not correct?

3 REPLIES
Hall of Fame Super Blue

Re: VPN tunnel troubleshooting questions

Richard

You are correct in what you say. The crypto access-list defines the interesting traffic, so as soon as the VPN device sees traffic that matches its access-list it initiates phase 1, which is all about setting up a secure channel between the 2 devices. Note this is a secure channel for further communication - it is not a secure channel to transfer the actual data.

The crypto access-list is also used in phase 2, where the local & remote networks are compared, i.e. VPN device 1 checks that VPN device 2 agrees on what the local and remote networks are.

So yes the crypto map access-list is used in both phases.

As for SAs, one of the pains with IPsec is that although it is a standard, different vendors sometimes seem to do different things. Yes, they should not have to match, at least on phase 2, but I have set up L2L VPNs between Cisco and other vendors where the only way to get the tunnel up was by matching them.

If you are trying to set up an L2L tunnel it is always best to make sure both ends agree on everything.

Jon
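As an added illustration of "make sure both ends agree on everything" (this is example configuration written for this thread, not posted by Jon or anyone else here), below is a minimal IOS IKEv1 site-to-site skeleton for both peers. All addresses, names and the pre-shared key are constructed placeholders; the point is that the ISAKMP policy, transform set and lifetimes are identical on both sides, and the crypto ACL on Site B is the exact mirror of Site A's, because that same ACL both triggers phase 1 and supplies the local/remote networks compared in phase 2.

```text
! Added example (not from any poster): IOS IKEv1 L2L skeleton for two peers.
! All addresses, names and the pre-shared key are constructed placeholders.
!
! ===== Site A (outside 203.0.113.1, LAN 192.168.1.0/24) =====
! Phase 1 (ISAKMP) policy and phase 1 SA lifetime, identical on both peers
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.2
!
! Phase 2 (IPsec) proposal and phase 2 SA lifetime, identical on both peers
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
!
! Crypto ACL = interesting traffic. Packets matching it trigger phase 1, and the
! same local/remote pair is what this side offers as its phase 2 identities.
ip access-list extended VPN-A-TO-B
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map CM-OUTSIDE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 match address VPN-A-TO-B
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CM-OUTSIDE
!
! ===== Site B (outside 203.0.113.2, LAN 192.168.2.0/24) =====
! Same policy, transform set and lifetimes. Only the peer address, key address
! and crypto ACL differ, and the ACL is the mirror image of Site A's.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
!
ip access-list extended VPN-B-TO-A
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto map CM-OUTSIDE 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES
 match address VPN-B-TO-A
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 crypto map CM-OUTSIDE
!
! ===== Checking each stage (run on Site A after sending LAN-to-LAN traffic) =====
! Phase 1: a peer entry in state QM_IDLE means the ISAKMP SA is established.
show crypto isakmp sa
! Phase 2: "local ident"/"remote ident" show the networks each side agreed on,
! and #pkts encaps/decaps increasing shows data is actually being protected.
show crypto ipsec sa
! Summary of both phases per peer.
show crypto session
```

If phase 1 comes up but phase 2 does not, the first thing to compare is the two crypto ACLs line by line: a local/remote pair on one side that is not mirrored on the other is exactly the proxy identity mismatch Jon describes, and it will fail even when the policies and transform sets match.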

New Member

Re: VPN tunnel troubleshooting questions

Thanks Jon.

So,

Phase 1 sets up a secure channel to the peer and the negotiation of phase 2 is encrypted in the phase 1 tunnel?

As far as the access-list goes, if I have traffic that matches the list and initiates phase 1, but phase 2 is not successful, would I expect to see hits on the access-list?

Or are the packets just dropped if phase 2 never comes up?

Re: VPN tunnel troubleshooting questions

Richard:

Perhaps you could refrain from posting the same question in multiple forums.

I responded to this same question in VPN | Security.

If I had seen that your question was adequately answered here by another respondent, I would have refrained from wasting my time.
