07-03-2012 11:38 AM
I have a scenario:
Site 1 - dynamic ip ... with subnet 10.0.1.0/24
Site 2 - static ip ... with subnet 10.0.2.0/24
1. ping from any site 1 host to site 2 fails
2. ping from site 2 to site 1 -- ok
3. ping from site 1 to site 2 now works.
As I understand, this has something to do with the SA and the dynamic crypto map.
When I first try to connect from site 1 to site 2, they are not created.
At connection time there is an SA with the external IP on both sides (host, host):
access-list OO_temp_vpnmap100 extended permit ip host xx.xx.xx.xx host xxx.xxx.xx.xx
is created.
Is it possible to create the SA on a site 1 request (get access to site 2 without an initial connection from site 1)?
If it is possible, which configuration settings affect that?
07-03-2012 07:45 PM
I think you have it the other way round. The site with the dynamic IP is the one that can initiate the VPN connection because the site with static IP won't be able to initiate the VPN connection to the dynamic site since it has a dynamic IP.
So if site 1 has dynamic IP, and site 2 has static IP, then it would work as follows:
1. ping from any site 2 host to site 1 fails
2. ping from site 1 to site 2 -- ok
3. ping from site 2 to site 1 now works.
That is the behaviour because the site with the static IP won't be able to establish the VPN to the dynamic IP site, since the IP is "dynamic".
07-04-2012 01:06 AM
So, even though I have:
crypto map rackmap 200 set connection-type originate-only
and the connection is always dialed to the static site, and
ciscoasa# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 89.234.17.146
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
is ok, and:
ciscoasa# show crypto ipsec sa
interface: outside
Crypto map tag: rackmap, seq num: 200, local addr: 86.xxx.xxx.xx
access-list OO_temp_rackmap200 extended permit ip host 86.xxx.xxx.xx host 89.xxx.xx.xxx
local ident (addr/mask/prot/port): (86.xxx.xxx.xx/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (89.xxx.xx.xxx/255.255.255.255/0/0)
current_peer: 89.xxx.xx.xxx
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 86.xxx.xxx.xx/0, remote crypto endpt.: 89.xxx.xx.xxx/0
path mtu 1492, ipsec overhead 74, media mtu 1500
current outbound spi: D07BB026
current inbound spi : 0B0EBA29
inbound esp sas:
spi: 0x0B0EBA29 (185514537)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1425408, crypto-map: rackmap
sa timing: remaining key lifetime (kB/sec): (3915000/28710)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001
outbound esp sas:
spi: 0xD07BB026 (3497766950)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1425408, crypto-map: rackmap
sa timing: remaining key lifetime (kB/sec): (3915000/28710)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000000 0x00000000 0x00000001
is established as well... anyway, I'll not be able to make the first connection from the static site's protected network to the dynamic site's networks?
07-04-2012 01:27 AM
Correct, you won't be able to make the first connection from the static to the dynamic site, purely because the peer is dynamic: it won't know what IP address to use to reach the dynamic peer, and you have configured "originate-only" on the dynamic end, so it can only originate, not answer.
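Added example (not from any of the posts above, and not the poster's actual configuration): the two-sided ASA layout the answers describe, with the static site accepting through a dynamic crypto map and the dynamic site using the originate-only entry from the thread. It assumes ASA 8.4+ IKEv1 syntax, the 10.0.1.0/24 and 10.0.2.0/24 subnets from the question, and placeholder names (TS-AES-SHA, L2L-DYN, OUTSIDE-MAP, SITE1-TRAFFIC, SITE2-TRAFFIC) and placeholder values in angle brackets.

```cisco
! ---- Site 2 (static public IP): can only ANSWER, never initiate ----
! Hypothetical names; the real peer IP and PSK are placeholders.
access-list SITE1-TRAFFIC extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
crypto ipsec ikev1 transform-set TS-AES-SHA esp-aes esp-sha-hmac
! A dynamic crypto map has no "set peer", so any source address may start IKE.
! "match address" restricts which proxy IDs it will agree to, which is the
! control you want when the initiator's address cannot be pinned down.
crypto dynamic-map L2L-DYN 10 match address SITE1-TRAFFIC
crypto dynamic-map L2L-DYN 10 set ikev1 transform-set TS-AES-SHA
! Dynamic entries get the highest sequence number so static entries are tried first.
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic L2L-DYN
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
! With no peer address to name a tunnel-group after, dynamic L2L peers
! land in DefaultL2LGroup; its PSK is what authenticates them.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>

! ---- Site 1 (dynamic public IP): the only side that can bring the tunnel up ----
access-list SITE2-TRAFFIC extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
crypto ipsec ikev1 transform-set TS-AES-SHA esp-aes esp-sha-hmac
crypto map rackmap 200 match address SITE2-TRAFFIC
crypto map rackmap 200 set peer <STATIC-PEER-IP>
crypto map rackmap 200 set ikev1 transform-set TS-AES-SHA
! originate-only: this box initiates and never answers. That costs nothing
! here, because the static side has no address to reach it at anyway.
crypto map rackmap 200 set connection-type originate-only
crypto map rackmap interface outside
crypto ikev1 enable outside
! Matching IKEv1 policy (same as on site 2) is required here as well.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group <STATIC-PEER-IP> type ipsec-l2l
tunnel-group <STATIC-PEER-IP> ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
```

Until site 1 sends interesting traffic and brings the tunnel up, site 2 has no SA for 10.0.1.0/24 and its hosts' pings fall through to the default route; once the SA exists, traffic in both directions matches it, which is the sequence the question observed.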