Cisco Support Community
IPSEC L2L between Fortigate 4.0 and ASA 5540 8.2

I've recently started peering with a remote office that is running a Fortigate 100A (4.0 code) to my ASA 5540 running 8.2 code. The tunnel between us is set up as an ipsec-l2l with PSK. The ASA config looks something like this:

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *****

crypto map remote-vpn 120 match address remote_office_2
crypto map remote-vpn 120 set peer 2.2.2.2
crypto map remote-vpn 120 set transform-set ESP-3DES-SHA
crypto map remote-vpn 120 set reverse-route

access-list remote_office_2 extended permit ip 10.0.0.0 255.255.255.0 172.16.1.0 255.255.255.0

So as you can see, this is pretty much a basic IPSEC L2L.

Now for the issue/strangeness that I am seeing. I have seen a few cases where, on the Fortigate side, if I add a new Phase 2 in the configuration, for say 172.16.2.0/24 to 10.0.0.0/24, the ASA would actually go out and build the Phase 2 SA on its side without the configuration ever being added. One would think that the ASA would reject the Phase 2 because it's not defined in the remote_office_2 access-list, but it doesn't. I confirmed that the Phase 2 on the ASA is built by using the "show vpn-sessiondb detail l2l filter name 2.2.2.2" command. I would see something like:

IPsec:
  Tunnel ID    : 1332.2
  Local Addr   : 10.0.0.0/255.255.255.0/0/0
  Remote Addr  : 172.16.1.0/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28788 Seconds
  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes
  Bytes Tx     : 26885                  Bytes Rx     : 24246
  Pkts Tx      : 114                    Pkts Rx      : 110

IPsec:
  Tunnel ID    : 1332.3
  Local Addr   : 10.0.0.0/255.255.255.0/0/0
  Remote Addr  : 172.16.2.0/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28794 Seconds
  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes
  Bytes Tx     : 64609                  Bytes Rx     : 53554
  Pkts Tx      : 102                    Pkts Rx      : 102

Is this normal behavior for the ASA, to create these undefined Phase 2 SAs? Is there a way to prevent this from happening? I'm just trying to avoid any issues where an incorrect SA is built and could cause an outage.

Thanks!

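Whatever the ASA's reason for accepting the extra Phase 2, the check a practitioner wants is a way to spot IPsec SAs whose traffic selectors are not covered by the crypto-map ACL. The script below is an added example, written for this page and not part of the original post or of any Cisco tooling. It parses a constructed copy of the crypto-map and access-list lines and of the `show vpn-sessiondb detail l2l` output modelled on the post, and lists every IPsec SA whose Local/Remote selectors fall outside the referenced crypto ACL, which for the sample input is the 172.16.2.0/24 SA the poster describes. Assumptions: ACL entries are `permit ip <net> <mask> <net> <mask>` lines (host/any/object forms are not parsed) and the SA selector lines keep the `addr/mask/proto/port` layout shown above; the function names are the example's own.

```python
import ipaddress
import re

# Constructed sample config, modelled on the crypto map and ACL in the post above.
ASA_CONFIG = """\
crypto map remote-vpn 120 match address remote_office_2
crypto map remote-vpn 120 set peer 2.2.2.2
crypto map remote-vpn 120 set transform-set ESP-3DES-SHA
crypto map remote-vpn 120 set reverse-route
access-list remote_office_2 extended permit ip 10.0.0.0 255.255.255.0 172.16.1.0 255.255.255.0
"""

# Constructed sample output, modelled on the 'show vpn-sessiondb detail l2l' text in the post.
SESSION_OUTPUT = """\
IPsec:
  Tunnel ID    : 1332.2
  Local Addr   : 10.0.0.0/255.255.255.0/0/0
  Remote Addr  : 172.16.1.0/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
IPsec:
  Tunnel ID    : 1332.3
  Local Addr   : 10.0.0.0/255.255.255.0/0/0
  Remote Addr  : 172.16.2.0/255.255.255.0/0/0
  Encryption   : 3DES                   Hashing      : SHA1
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# Only the network/netmask 'permit ip' form is handled (assumption stated in the lead-in).
ACL_RE = re.compile(rf"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+{IPV4}\s+{IPV4}\s+{IPV4}\s+{IPV4}\s*$")
MATCH_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)\s*$")
TUNNEL_RE = re.compile(r"^\s*Tunnel ID\s*:\s*(\S+)")
ADDR_RE = re.compile(rf"^\s*(Local|Remote) Addr\s*:\s*{IPV4}/{IPV4}/\d+/\d+")


def crypto_acl_entries(config):
    """Return {acl_name: [(local_net, remote_net), ...]} for ACLs a crypto map entry references."""
    referenced, entries = set(), {}
    for line in config.splitlines():
        line = line.strip()
        m = MATCH_RE.match(line)
        if m:
            referenced.add(m.group(1))
            continue
        m = ACL_RE.match(line)
        if m:
            name, lip, lmask, rip, rmask = m.groups()
            entries.setdefault(name, []).append(
                (ipaddress.ip_network(f"{lip}/{lmask}"), ipaddress.ip_network(f"{rip}/{rmask}"))
            )
    # ACLs that exist but are not bound to a crypto map entry do not define any tunnel.
    return {name: nets for name, nets in entries.items() if name in referenced}


def ipsec_sas(output):
    """Return [(tunnel_id, local_net, remote_net)] for every IPsec block with both selectors."""
    sas, current = [], None
    for line in output.splitlines():
        m = TUNNEL_RE.match(line)
        if m:
            # A new Tunnel ID starts a new block; IKE blocks have no Addr lines and are skipped.
            current = {"id": m.group(1)}
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            if "local" in current and "remote" in current:
                sas.append((current["id"], current["local"], current["remote"]))
                current = None
    return sas


def unexpected_sas(config, output):
    """Flag IPsec SAs whose selectors are not inside any referenced crypto ACL entry.

    Returns [(tunnel_id, local_cidr, remote_cidr)] for each SA that no ACL line covers.
    """
    allowed = [pair for nets in crypto_acl_entries(config).values() for pair in nets]
    flagged = []
    for tid, local, remote in ipsec_sas(output):
        covered = any(local.subnet_of(l) and remote.subnet_of(r) for l, r in allowed)
        if not covered:
            flagged.append((tid, str(local), str(remote)))
    return flagged


if __name__ == "__main__":
    for tid, local, remote in unexpected_sas(ASA_CONFIG, SESSION_OUTPUT):
        print(f"SA {tid}: {local} <-> {remote} is not covered by any crypto-map ACL entry")
```

Run it against the real `show running-config` and `show vpn-sessiondb detail l2l` text saved to files (swap the two constants for the file contents) after any change on the peer side; an SA appearing in the flagged list is one the local crypto ACL never asked for, which is exactly the case worth investigating before it carries production traffic.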