manual key IPSec

tuvanh
Level 1

When I create a manual crypto map, the crypto map automatically provides the anti-replay service. In Cisco documents, anti-replay is not provided for manual IPSec SAs. How do I disable the anti-replay service?

Crypto Map "manualmap" 10 ipsec-manual
Peer = 150.50.3.2
Extended IP access list 103
access-list 103 permit ip 150.50.3.0 0.0.0.255 150.50.3.0 0.0.0.255
Current peer: 150.50.3.2
Transform sets={ myset, }
Inbound esp spi: 1024,
cipher key: 1234123412341234,
auth_key: 56785678567856785678567856785678,
Inbound ah spi: 1024,
key: 1111111111111111111111111111111111111111,
Outbound esp spi: 2048
cipher key: 5678567856785678,
auth key: 12341234123412341234123412341234,
Outbound ah spi: 1024,
key: 2222222222222222222222222222222222222222,
Interfaces using crypto map manualmap:
Serial0/0

inbound esp sas:
spi: 0x400(1024)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2003, flow_id: 11, crypto map: manualmap
no sa timing
IV size: 8 bytes
replay detection support: Y


drolemc
Level 6

The anti-replay service is not available for manually established SAs (that is true for the PIX at least). The fact that the service is enabled despite that possibly indicates IOS corruption. I feel that reloading the OS might work. But apart from that I really don't see another way out, since there seems to be no provision for disabling the anti-replay service.
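The "replay detection support: Y" line in the output above, and the reply's point that anti-replay is tied to automated keying, both refer to the receive-side sequence-number window ESP uses. The following is an added example, not code from the thread or from Cisco IOS: it implements that window in Python, and a constructed SenderCounter shows why the service depends on re-keying, since a 32-bit sequence number that is exhausted can only be reset by establishing a new SA, which a manually keyed tunnel has no IKE to do.

```python
"""Receive-side ESP anti-replay window in the style of RFC 4303 (added example).

Constructed for illustration; the window size of 64 is an assumption that
matches the common default, not a value taken from the thread.
"""

WINDOW = 64            # assumed bitmap width in packets
SEQ_MAX = 0xFFFFFFFF   # 32-bit ESP sequence number (no extended sequence numbers)


class ReplayWindow:
    """Tracks which of the most recent WINDOW sequence numbers were accepted."""

    def __init__(self, window: int = WINDOW) -> None:
        self.window = window
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => packet with seq (highest - i) was seen

    def check(self, seq: int) -> str:
        """Classify an incoming sequence number and update state on accept."""
        if seq == 0 or seq > SEQ_MAX:
            return "invalid"           # seq 0 is never sent on a fresh SA
        if seq > self.highest:
            shift = seq - self.highest
            # slide the window forward; bits older than the window fall off
            mask = (1 << self.window) - 1
            self.bitmap = (self.bitmap << shift) & mask if shift < self.window else 0
            self.bitmap |= 1           # bit 0 now represents the new highest
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.window:
            return "stale"             # older than the window: dropped
        if self.bitmap & (1 << offset):
            return "replay"            # already seen inside the window: dropped
        self.bitmap |= 1 << offset     # late but new: accept and record
        return "accept"


class SenderCounter:
    """Transmit-side counter; when it is exhausted the SA needs new keys."""

    def __init__(self) -> None:
        self.seq = 0

    def exhausted(self) -> bool:
        return self.seq >= SEQ_MAX

    def next_seq(self) -> int:
        if self.exhausted():
            raise RuntimeError("sequence number exhausted: a new SA is required")
        self.seq += 1
        return self.seq


def classify(seqs, window: int = WINDOW) -> list:
    """Run a constructed sequence of arrivals through one window."""
    w = ReplayWindow(window)
    return [w.check(s) for s in seqs]
```

Feeding the constructed arrival order 1, 1, 3, 2, 2, 100, 36, 37 to classify() yields accept, replay, accept, accept, replay, accept, stale, accept: the duplicate 1 and 2 are dropped as replays, 36 falls outside the 64-packet window behind 100, and 37 is the oldest sequence number still accepted.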