2 IPSEC sessions for 1 Tunnel

marshall.blanco
Level 1

3002-->5520.

Under system status of the 3002. I have:

IKE | public ip of 5520 | etc....

IPSEC | public ip of 5520 | 3DES | HMAC/SHA-1| 0 | 0 | 0 | 0

IPSEC | 0.0.0.0/0.0.0.0 | etc....

Why do I have an IPsec tunnel with a remote address for the public interface of my ASA? I don't have any split tunneling configured either.

7 Replies

Richard Burts
Hall of Fame

Marshall

Perhaps there is something that I am not understanding correctly. I thought that you were indicating that the 3002 has a VPN connection to the ASA (when you say 3002-->5520)

So why are you surprised that the 3002 has an IKE (ISAKMP) SA and an IPsec SA to the ASA?

If I have failed to understand some aspect of the question then please clarify.

HTH

Rick


Correct. The 3002 hardware client connects to an ASA 5520. Once the tunnel is established, I see 1 IKE session and 2 IPsec sessions.

For a regular VPN user, I have 1 IKE and 1 IPsec session...

Looks like you have multiple security associations defined for the tunnel.

How do i define what SA's go with each tunnel? Is this done through the ASA or the hardware client?

In the ASA, each SA would be a separate entry in the crypto match access list. The example below would be 2 SAs.

access-list outside_cryptomap_1 extended permit ....

access-list outside_cryptomap_1 extended permit ....

crypto map outside_map 1 match address outside_cryptomap_1

Attached is what is currently configured as far as access-list outside_cryptomaps and crypto maps.

The subnet in question would be the 10.0.29.0 subnet? I just noticed there were 2 entries for that subnet as well.

Would that be the reason why?

If there are no corresponding lines like these...

crypto map outside_map x match address Outside_cryptomap_2

or

crypto map outside_map x match address Outside_cryptomap_3

...then these lines are doing nothing at all.
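The two points made in the replies above (each permit entry in a crypto map's match access-list is a separate IPsec SA, and an access-list that no crypto map entry references does nothing) can be checked mechanically against a saved ASA configuration. The script below is an added example, not code from the thread or from Cisco: it parses a constructed sample config (the ACL names echo the ones in the thread, the addresses and peer are made up), counts the permit ACEs behind every `match address`, flags duplicate ACEs for review (the thread asks whether the duplicate 10.0.29.0 entry matters but does not settle it, so the script only reports them), and lists crypto map ACLs with no `match address` referencing them.

```python
import re
from collections import defaultdict

# Constructed sample ASA configuration for this example (not the poster's real config).
# The duplicated 10.0.29.0 ACE and the two unreferenced ACLs mirror the situation
# described in the thread; the subnets and peer address are placeholders.
SAMPLE_CONFIG = """\
access-list outside_cryptomap_1 extended permit ip 10.0.29.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.0.29.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip 10.0.30.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_1 extended deny ip any any
access-list Outside_cryptomap_2 extended permit ip 10.0.40.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list Outside_cryptomap_3 extended permit ip 10.0.41.0 255.255.255.0 192.168.60.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
"""

# One ACE per "access-list <name> extended permit|deny <rest>" line.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(.*)$")
# A crypto map entry binding a sequence number to its match access-list.
MAP_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)$")


def parse_config(text):
    """Return (acls, maps): ACL name -> list of ACEs, and (map, seq) -> ACL name."""
    acls = defaultdict(list)
    maps = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, action, rest = m.groups()
            acls[name].append(f"{action} {rest}")
            continue
        m = MAP_RE.match(line)
        if m:
            map_name, seq, acl = m.groups()
            maps[(map_name, int(seq))] = acl
    return dict(acls), maps


def sa_count_per_entry(acls, maps):
    """Permit ACEs per crypto map entry: each one is negotiated as its own IPsec SA.
    Deny ACEs only exclude traffic from the tunnel and create no SA."""
    return {
        key: sum(1 for ace in acls.get(acl, []) if ace.startswith("permit "))
        for key, acl in maps.items()
    }


def duplicate_aces(acls):
    """ACEs that appear more than once in the same ACL, reported for manual review."""
    dups = {}
    for name, aces in acls.items():
        seen, repeated = set(), []
        for ace in aces:
            if ace in seen and ace not in repeated:
                repeated.append(ace)
            seen.add(ace)
        if repeated:
            dups[name] = repeated
    return dups


def unreferenced_acls(acls, maps, marker="cryptomap"):
    """ACLs named like crypto ACLs that no 'match address' line references.
    The name marker is an assumption based on the naming used in the thread."""
    referenced = set(maps.values())
    return sorted(n for n in acls if marker in n.lower() and n not in referenced)


def report(text):
    acls, maps = parse_config(text)
    lines = []
    for (map_name, seq), acl in sorted(maps.items()):
        n = sa_count_per_entry(acls, maps)[(map_name, seq)]
        lines.append(f"{map_name} {seq}: match {acl} -> {n} permit ACE(s) = {n} IPsec SA(s)")
    for acl, aces in duplicate_aces(acls).items():
        for ace in aces:
            lines.append(f"DUPLICATE in {acl}: {ace}")
    for acl in unreferenced_acls(acls, maps):
        lines.append(f"UNREFERENCED: {acl} is not used by any crypto map entry")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

Feed it the output of `show running-config` saved to a file instead of `SAMPLE_CONFIG` to audit a real box; the ACE count per entry is what to compare against `show crypto ipsec sa` on the ASA, and any `UNREFERENCED` line is a candidate for cleanup.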
