Site to site VPN and routing + sa

haraldsulmanis
Level 1

I have a scenario:

Site 1 - dynamic ip ... with subnet 10.0.1.0/24

Site 2 - static ip ... with subnet 10.0.2.0/24

1.  ping from any site 1 host to site 2 fails

2.  ping from site 2 to site 1 -- ok

3. ping from site 1 to site 2 now works.

As I understand, this is something to do with SA and dynamic crypto map.

When I first try to connect from site1 to site2, they are not created.

At connection time there is SA with external ip on both sides (host,host):

access-list OO_temp_vpnmap100 extended permit ip host xx.xx.xx.xx host xxx.xxx.xx.xx

created.

Is it possible to create SA on site1 request (get access to site2 without initial connection from site1)?

If it is possible, which configuration settings affect that?

3 Replies

Jennifer Halim
Cisco Employee

I think you have it the other way round. The site with the dynamic IP is the one that can initiate the VPN connection because the site with static IP won't be able to initiate the VPN connection to the dynamic site since it has a dynamic IP.

So if site 1 has dynamic IP, and site 2 has static IP, then it would work as follows:

1.  ping from any site 2 host to site 1 fails

2.  ping from site 1 to site 2 -- ok

3. ping from site 2 to site 1 now works.

That is the behaviour because the site with static IP won't be able to establish VPN to the dynamic IP site since the IP is "dynamic".

So, even though I have:

crypto map rackmap 200 set connection-type originate-only

and the connection is always dialed to the static site, and

ciscoasa# show crypto isakmp sa
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 89.234.17.146
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

is ok, and:

ciscoasa# show crypto ipsec sa
interface: outside
    Crypto map tag: rackmap, seq num: 200, local addr: 86.xxx.xxx.xx

      access-list OO_temp_rackmap200 extended permit ip host 86.xxx.xxx.xx host 89.xxx.xx.xxx
      local ident (addr/mask/prot/port): (86.xxx.xxx.xx/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (89.xxx.xx.xxx/255.255.255.255/0/0)
      current_peer: 89.xxx.xx.xxx

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 86.xxx.xxx.xx/0, remote crypto endpt.: 89.xxx.xx.xxx/0
      path mtu 1492, ipsec overhead 74, media mtu 1500
      current outbound spi: D07BB026
      current inbound spi : 0B0EBA29

    inbound esp sas:
      spi: 0x0B0EBA29 (185514537)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1425408, crypto-map: rackmap
         sa timing: remaining key lifetime (kB/sec): (3915000/28710)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000000 0x00000000 0x00000001
    outbound esp sas:
      spi: 0xD07BB026 (3497766950)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1425408, crypto-map: rackmap
         sa timing: remaining key lifetime (kB/sec): (3915000/28710)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000000 0x00000000 0x00000001

is established as well ... anyway, I'll not be able to make the first connection from the static site's protected network to the dynamic site's networks?

Correct, you won't be able to make the first connection from the static to the dynamic site, purely because the peer is dynamic: it won't know what IP address to reach the dynamic peer at, and you have configured "originate-only" on the dynamic end, so it can only originate, not answer.
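A practical check to go with the thread above. The "show crypto ipsec sa" output the poster pasted has local/remote identities of one host each (the two peer addresses, matching the auto-generated OO_temp access-list), and zero encaps/decaps, so that IPsec SA carries peer-to-peer traffic only; a LAN-to-LAN packet between 10.0.1.0/24 and 10.0.2.0/24 would need an SA whose selectors cover those subnets. The script below is an added example (not code from the thread or from Cisco) that parses that output, extracts each SA's proxy identities and packet counters, and flags SAs whose selectors are the peer endpoints, do not cover the expected subnets, or have carried no traffic. The sample output is constructed after the thread's, with the masked peer addresses replaced by documentation-range placeholders (192.0.2.10 and 198.51.100.20) and a second, healthy SA added for contrast.

```python
import re
from ipaddress import ip_network

# Constructed sample modelled on the thread's "show crypto ipsec sa" output.
# 192.0.2.10 / 198.51.100.20 are placeholder peer addresses, not real ones.
SAMPLE = """\
interface: outside
    Crypto map tag: rackmap, seq num: 200, local addr: 192.0.2.10

      access-list OO_temp_rackmap200 extended permit ip host 192.0.2.10 host 198.51.100.20
      local ident (addr/mask/prot/port): (192.0.2.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (198.51.100.20/255.255.255.255/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    Crypto map tag: rackmap, seq num: 200, local addr: 192.0.2.10

      access-list vpn_acl extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
      #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
"""

IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/(\d+)/(\d+)\)"
)
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
PEER_RE = re.compile(r"current_peer: (\S+)")
LOCAL_ADDR_RE = re.compile(r"local addr: (\S+)")


def parse_ipsec_sa(text):
    """Split the output at each 'Crypto map tag:' and pull out one record per SA."""
    entries = []
    for chunk in re.split(r"(?m)^\s*Crypto map tag:", text)[1:]:
        entry = {"encaps": 0, "decaps": 0, "peer": None, "local_addr": None}
        for side, addr, mask, _proto, _port in IDENT_RE.findall(chunk):
            # Proxy identities are printed as addr/netmask; ipaddress accepts that form.
            entry[side] = ip_network(f"{addr}/{mask}", strict=False)
        for name, count in PKTS_RE.findall(chunk):
            entry[name] = int(count)
        m = PEER_RE.search(chunk)
        entry["peer"] = m.group(1) if m else None
        m = LOCAL_ADDR_RE.search(chunk)
        entry["local_addr"] = m.group(1) if m else None
        entries.append(entry)
    return entries


def check_sa(entry, local_net, remote_net):
    """Return a list of findings for one SA measured against the subnets it should protect."""
    findings = []
    if (
        entry["local_addr"]
        and entry["peer"]
        and entry["local"] == ip_network(entry["local_addr"])
        and entry["remote"] == ip_network(entry["peer"])
    ):
        findings.append(
            f"selectors are the two peer addresses ({entry['local_addr']} <-> {entry['peer']}); "
            "this SA carries peer-to-peer traffic, not LAN-to-LAN"
        )
    if not (entry["local"].subnet_of(local_net) and entry["remote"].subnet_of(remote_net)):
        findings.append(f"selectors do not cover {local_net} -> {remote_net}")
    if entry["encaps"] == 0 and entry["decaps"] == 0:
        findings.append("no traffic has used this SA (encaps/decaps both 0)")
    return findings


def report(text, local_net, remote_net):
    """Return (local selector, remote selector, findings) for every SA in the output."""
    local_net, remote_net = ip_network(local_net), ip_network(remote_net)
    return [
        (str(e["local"]), str(e["remote"]), check_sa(e, local_net, remote_net))
        for e in parse_ipsec_sa(text)
    ]


if __name__ == "__main__":
    # Expected protected networks from the thread: site 1 = 10.0.1.0/24, site 2 = 10.0.2.0/24.
    for local, remote, findings in report(SAMPLE, "10.0.1.0/24", "10.0.2.0/24"):
        status = "OK" if not findings else "; ".join(findings)
        print(f"{local} -> {remote}: {status}")
```

Run against real output, the first SA in the sample is reported as peer-to-peer with no traffic, while the second (whose selectors are the two LAN subnets and whose counters are non-zero) passes; that second shape is what a working LAN-to-LAN SA between the two sites in the thread should look like.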
