10-26-2010 09:32 AM
I am trying to create a site-to-site VPN between a Cisco ASA 5510 and Linux Openswan. After completing the configuration on both sides, the VPN tunnel came up but nothing is passing through the tunnel.
I am using software version 8.0(4) on my ASA firewall, so has anyone faced a problem like that?
Appreciate your support.
10-26-2010 02:13 PM
After you bring up the tunnel, can you initiate any traffic and then capture the following from the ASA:
show cry ipsec sa
show cry isa sa
I am not familiar with Openswan, but I can check on the ASA to see if anything is wrong.
10-28-2010 03:33 AM
The following is the output for the commands:
Crypto map tag: Internet_map, seq num: 6, local addr: 196.x.x.x
access-list internet_cryptomap_2 permit ip host 192.168.169.105 host 192.168.128.4
local ident (addr/mask/prot/port): (192.168.169.105/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.128.4/255.255.255.255/0/0)
current_peer: 163.x.x.x
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 196.x.x.x, remote crypto endpt.: 163.x.x.x
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 9325FE1C
inbound esp sas:
spi: 0x6C6FA0B3 (1819254963)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: Internet_map
sa timing: remaining key lifetime (sec): 27722
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x9325FE1C (2468740636)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: Internet_map
sa timing: remaining key lifetime (sec): 27720
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA# show cry isa sa
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 163.x.x.x
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
ASA# sh vpn-sessiondb l2l
Session Type: LAN-to-LAN
Connection : 163.x.x.x
Index : 1 IP Addr : 192.168.128.4
Protocol : IKE IPsec
Encryption : 3DES Hashing : SHA1
Bytes Tx : 4000 Bytes Rx : 0
Login Time : 01:29:05 UTC Thu Oct 28 2010
Duration : 0h:07m:58s
10-28-2010 07:55 AM
From the output, the tunnel came up fine, but you can see that the "decrypt" count is "0", which means the Linux side did not send the packet through the tunnel. You need to check your Linux box settings for the following:
1. If the Linux box will do NAT, make sure VPN traffic from 192.168.128.4 to 192.168.169.105 will NOT be NATed.
2. Make sure you have the route set up correctly.
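As an added illustration of the diagnosis in this reply (not code from the thread or from Cisco), here is a small Python parser that reads the counter lines of `show crypto ipsec sa` and classifies the SA by traffic direction; the sample output is constructed from the counters pasted above, and the masked peer addresses are kept as the thread shows them.

```python
import re
from typing import Dict

# Constructed sample: the relevant lines of the ASA "show crypto ipsec sa" output pasted in the thread.
SAMPLE_SA_OUTPUT = """\
Crypto map tag: Internet_map, seq num: 6, local addr: 196.x.x.x
local ident (addr/mask/prot/port): (192.168.169.105/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.128.4/255.255.255.255/0/0)
current_peer: 163.x.x.x
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors): (\d+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/")


def parse_sa(text: str) -> Dict[str, object]:
    """Pull the per-direction packet counters and the proxy identities out of one SA block."""
    sa: Dict[str, object] = {name.replace(" ", "_"): int(val) for name, val in COUNTER_RE.findall(text)}
    for side, addr in IDENT_RE.findall(text):
        sa[f"{side}_ident"] = addr
    return sa


def diagnose(sa: Dict[str, object]) -> str:
    """Classify the SA by comparing what the ASA encapsulated with what it decapsulated."""
    encaps = int(sa.get("pkts_encaps", 0))
    decaps = int(sa.get("pkts_decaps", 0))
    if int(sa.get("send_errors", 0)) or int(sa.get("recv_errors", 0)):
        return "errors"  # send/recv errors: inspect the SA itself before looking at routing
    if encaps and not decaps:
        # The ASA encrypts towards the peer but nothing comes back: the remote side is not
        # putting packets into the tunnel (its NAT rewrites them or its route bypasses the tunnel).
        return "remote-not-sending"
    if decaps and not encaps:
        return "local-not-sending"  # mirror case: check the crypto ACL / NAT exemption on the ASA
    if not encaps and not decaps:
        return "idle"
    return "bidirectional"
```

Run `diagnose(parse_sa(SAMPLE_SA_OUTPUT))` on the thread's counters and it returns "remote-not-sending", which is exactly the conclusion drawn above.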
10-29-2010 09:44 AM
Thanks a lot for your support, but I was asking: if the NAT and route are correct at the Linux firewall and I still can't make any traffic pass through the tunnel, could one of the following bugs have caused that problem (CSCtd36473, CSCtb53186)?
My current ASA software is Version 8.0(4).
10-29-2010 09:51 AM
Both bugs are related to outbound VPN traffic. But in your case, we saw the "decrypt" count was "0", which means the ASA did not receive any packet from Linux in the VPN tunnel.
10-29-2010 10:26 AM
Thanks again.