Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

manual key IPSec

When I create a manual crypto map, the crypto map automatically provide anti-replay service. In cisco documents, anti-replay is not provided for manual IPSec SA. How to disable anti-replay service.

Crypto Map "manualmap" 10 ipsec-manual

Peer = 150.50.3.2

Extended IP access list 103

access-list 103 permit ip 150.50.3.0 0.0.0.255 150.50.3.0 0.0.0.255

Current peer: 150.50.3.2

Transform sets={ myset, }

Inbound esp spi: 1024,

cipher key: 1234123412341234,

auth_key: 56785678567856785678567856785678,

Inbound ah spi: 1024,

key: 1111111111111111111111111111111111111111,

Outbound esp spi: 2048

cipher key: 5678567856785678,

auth key: 12341234123412341234123412341234,

Outbound ah spi: 1024,

key: 2222222222222222222222222222222222222222,

Interfaces using crypto map manualmap:

Serial0/0

inbound esp sas:

spi: 0x400(1024)

transform: esp-des esp-md5-hmac ,

in use settings ={Tunnel, }

slot: 0, conn id: 2003, flow_id: 11, crypto map: manualmap

no sa timing

IV size: 8 bytes

replay detection support: Y

  • Other Security Subjects
1 REPLY
Silver

Re: manual key IPSec

The anti-replay service is not available for manually established SA's (that is true for the PIX atleast). The fact that the service is enabled despite that, possibly indicates IOS corruption. I feel that reloading the OS might work. But for that I really don't see another way out since there seems to be no provision for disabling the anti-replay service.

195
Views
0
Helpful
1
Replies