sh crypto isakmp sa on VPN ASA
I am studying about VPN nowadays.
sh crypto isakmp sa

   Active SA: 8
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 8

1   IKE Peer: 198.x
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 197.x
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
3   IKE Peer: 163.x
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
4   IKE Peer: 51.x
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
5   IKE Peer: 71.x
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
6   IKE Peer: 207.x
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
7   IKE Peer: 71.x
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
8   IKE Peer: 68.x
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
Need to understand what these 8 peers mean here. Does this mean that it has IPsec tunnels to 8 of these devices?
To my understanding this is exactly what it means. That there are 8 VPN connections to your ASA.
This output is the state of the Phase 1. There will only be one ISAKMP SA per VPN connection while there can be multiple IPsec SAs per VPN connection.
The above information tells us the IP address from which the user is connecting and also tells us that the ASA has been the responder to this connection. In other words the other end of the VPN has opened/formed/initiated the connection. It also shows that Aggressive Mode is used (AM) which probably means that each of the above connections are VPN Client connections rather than L2L VPN connections.
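As an added illustration of how the answer above reads this output (example code written for this thread, not the poster's or Cisco's), the parser below takes text in the ASA "show crypto isakmp sa" layout, treats each entry as one Phase 1 SA, and classifies entries by mode (AM_* vs MM_* state) and role, while checking that the header counts agree with the entries listed. The sample output and peer addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in the ASA "show crypto isakmp sa" layout (not the poster's output).
SAMPLE = """\
   Active SA: 3
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 4

1   IKE Peer: 198.51.100.7
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 203.0.113.9
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
3   IKE Peer: 203.0.113.9
    Type    : L2L             Role    : initiator
    Rekey   : yes             State   : MM_ACTIVE
4   IKE Peer: 192.0.2.44
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
"""
HEADER_RE = re.compile(r"^\s*(Active SA|Rekey SA|Total IKE SA):\s*(\d+)", re.M)
PEER_RE = re.compile(
    r"^\s*\d+\s+IKE Peer:\s*(\S+)\s*\n"
    r"\s*Type\s*:\s*(\S+)\s+Role\s*:\s*(\S+)\s*\n"
    r"\s*Rekey\s*:\s*(\S+)\s+State\s*:\s*(\S+)", re.M)

def parse_isakmp_sa(text):
    """Return (header counts, list of per-SA dicts); a peer mid-rekey shows twice."""
    counts = {k: int(v) for k, v in HEADER_RE.findall(text)}
    peers = [dict(peer=p, type=t, role=r, rekey=(k == "yes"), state=s)
             for p, t, r, k, s in PEER_RE.findall(text)]
    return counts, peers

def summarize(text):
    """AM_* = aggressive mode (typically remote-access clients), MM_* = main mode
    (typically L2L); 'role' tells which side initiated the Phase 1 exchange."""
    counts, peers = parse_isakmp_sa(text)
    active = [p for p in peers if not p["rekey"]]
    modes = Counter("aggressive" if p["state"].startswith("AM_") else "main"
                    for p in active)
    roles = Counter(p["role"] for p in active)
    # Sanity check: header counters should agree with the entries actually listed.
    consistent = (len(peers) == counts.get("Total IKE SA")
                  and len(active) == counts.get("Active SA"))
    return {"distinct_peers": len({p["peer"] for p in peers}),
            "active": len(active), "modes": dict(modes), "roles": dict(roles),
            "consistent": consistent}
```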
There are different commands to get more information about the connections.
You could for example use
Find the one there that refers to the Remote Access Clients. It might refer to Remote Access directly or mention IKEv1 RA as the next options (not in that exact format though). It depends on the ASA software version.
The following command would give you a summary of which type of connections there are on the ASA
Have a try with the other commands in the way I showed above. I mean inserting the question mark “?” after the “show vpn-sessiondb” command so you can see the options.
With regards to the IP address, the IP address is the public IP address from which the connection was formed. Most of the time this is naturally a NAT IP address at the remote end where the user is connecting from. For example if a VPN user was connecting from his/her home this public IP address would be his/her Internet router/modem's public IP address.
If you had a L2L VPN connection then this public IP address seen would be that of the remote VPN device. This naturally can also be a NAT IP address if the VPN device is behind a NAT device and not directly connected to the Internet.
The Phase 1 is always formed/negotiated. When it's negotiated the VPN peers will use this Phase 1 connection to negotiate the Phase 2 securely and determine what traffic needs to be protected by the VPN.
The above is naturally a very simple explanation of the VPN. There is probably a lot more information if you are using some material to study the VPN.
The beginning of the output would seem to indicate that this device has only been used for Client VPN. At least from the time when it was last booted as we can only see the IPsec Remote Access Cumulative Counter increased.
The same section shows that currently Active sessions are all IPsec Remote Access connections.
With regards to the end of the output I am not 100% sure.
It would seem to me that one of the VPN Clients connected is using UDP as it's behind a NAT device (IPsecOverNatT) and the rest of the 7 VPN Clients are using TCP to connect.
Would probably have to see some “show run crypto” and “show run group-policy” configurations on the device to confirm.
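To make the reasoning in the answer above checkable, here is an added example (written for this thread, not the poster's or Cisco's code) that parses text in the ASA "show vpn-sessiondb summary" layout, reports whether any session type other than IPsec Remote Access has been used since boot, and breaks the active tunnels down by encapsulation. The excerpt is constructed; the IKE-vs-IPsec count comparison is a heuristic, because one IKE SA can carry several IPsec SAs.

```python
import re

# Constructed "show vpn-sessiondb summary" excerpt in the ASA layout (not the poster's output).
SAMPLE = """\
Sessions:
                           Active : Cumulative : Peak Concurrent : Inactive
  IPsec LAN-to-LAN       :      0 :          0 :               0
  IPsec Remote Access    :      8 :       3850 :              30
  Totals                 :      8 :       3850

Tunnels:
                           Active : Cumulative : Peak Concurrent
  IKE                    :      8 :       3850 :              30
  IPsec                  :      0 :          4 :               1
  IPsecOverNatT          :      1 :        606 :               7
  IPsecOverTCP           :      7 :       3240 :              24
  Totals                 :     16 :       7700
"""
# A counter row: indented name, then at least the "Active : Cumulative" columns.
ROW_RE = re.compile(r"^\s+(\S[^:]*?)\s*:\s*(\d+)\s*:\s*(\d+)")

def parse_sessiondb(text):
    """Map section name -> {row name: (active, cumulative)}."""
    sections, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip().rstrip(":")
            sections[current] = {}
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return sections

def analyze(text):
    """Has anything but IPsec Remote Access been used since boot, and how are
    the active tunnels carried (plain ESP, NAT-T over UDP, or over TCP)?"""
    s = parse_sessiondb(text)
    sess, tun = s["Sessions"], s["Tunnels"]
    other_used = [n for n, (_, cum) in sess.items()
                  if n not in ("IPsec Remote Access", "Totals") and cum > 0]
    transports = {"plain": tun["IPsec"][0], "udp_nat_t": tun["IPsecOverNatT"][0],
                  "tcp": tun["IPsecOverTCP"][0]}
    # Heuristic: equality holds for single-tunnel clients, not for every deployment.
    return {"ra_only_since_boot": not other_used,
            "active_ra": sess["IPsec Remote Access"][0],
            "transports": transports,
            "ike_matches_ipsec": tun["IKE"][0] == sum(transports.values())}
```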
This command enables the use of TCP for the VPN Client connections. The previous 7 VPN Client connections are connecting with TCP.
crypto isakmp ipsec-over-tcp port 10000
It defines the TCP port to be TCP/10000 though I imagine it could be something else too. This is the default value. I would imagine that your VPN Client users would also have configuration under their VPN Client profile configurations (the one they use to connect to this device) that selects them to use TCP. Normally the default setting on a newly created profile is to my knowledge UDP.
You also seem to have these settings for UDP
To be honest, I have not touched this setting before so I am not sure what the purpose here is. To my understanding the VPN Client and ASA don't need any nondefault configurations to enable the connection to use UDP. Maybe this sets the values regarding the UDP port to nondefault values. I can't really say unless I tested this at some point.
So want to confirm that all these 8 connections are Remote Access VPN connections where clients are connecting to the
Also the IP addresses displayed are of the Client PCs, right?
Do the Remote Access VPNs usually stay in Phase 1 only?
I ran the command
Sessions:
                           Active : Cumulative : Peak Concurrent : Inactive
  SSL VPN                :      0 :          0 :               0
    Clientless only      :      0 :          0 :               0
    With client          :      0 :          0 :               0 :        0
  Email Proxy            :      0 :          0 :               0
  IPsec LAN-to-LAN       :      0 :          0 :               0
  IPsec Remote Access    :      8 :       3850 :              30
  VPN Load Balancing     :      0 :          0 :               0
  Totals                 :      8 :       3850

License Information:
  IPsec    :    750    Configured :    750    Active :      8    Load :   1%
  SSL VPN  :      2    Configured :      2    Active :      0    Load :   0%
                           Active : Cumulative : Peak Concurrent
  IPsec                  :      8 :       4797 :              30
  SSL VPN                :      0 :          0 :               0
    AnyConnect Mobile    :      0 :          0 :               0
    Linksys Phone        :      0 :          0 :               0
  Totals                 :      8 :       4797

Tunnels:
                           Active : Cumulative : Peak Concurrent
  IKE                    :      8 :       3850 :              30
  IPsec                  :      0 :          4 :               1
  IPsecOverNatT          :      1 :        606 :               7
  IPsecOverTCP           :      7 :       3240 :              24
  Totals                 :     16 :       7700

Active NAC Sessions:
  No NAC sessions to display

Active VLAN Mapping Sessions:
  No VLAN Mapping sessions to display
Under Tunnels it shows IKE 8 and IPsecOverNatT 1 and IPsecOverTCP 7.
Does this also refer to Remote Access VPN connections coming from user PCs?
Are all of the above 3 terms currently referring to Remote Access VPN?
sh run crypto
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set strong esp-aes esp-sha-hmac
crypto ipsec transform-set strongest esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set strongest strong
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000

sh run group-policy
group-policy XGroupPolicy internal
group-policy XGroupPolicy attributes
 wins-server none
 dns-server value 192.168.50.1
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth enable
 group-lock none
 pfs disable
 ipsec-udp enable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value corp.com
 split-dns none
 intercept-dhcp disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 15
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 msie-proxy pac-url none
 vlan none
 nac-settings none
 address-pools value PoolCorp
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  homepage none
  svc dtls enable
  svc mtu 1406
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client 30
  svc dpd-interval gateway 30
  svc compression deflate
  svc modules value vpngina
  svc profiles none
  svc ask none default webvpn
  customization value DfltCustomization
group-policy DfltGrpPolicy attributes
 wins-server value 192.168.50.1
 dns-server value 192.168.50.1
 vpn-tunnel-protocol IPSec svc
 ipsec-udp enable
 default-domain value corp.com
 user-authentication-idle-timeout 15
 address-pools value PoolDefault
group-policy YGroupPolicy internal
group-policy YGroupPolicy attributes
 wins-server value 192.168.50.1
 dns-server value 192.168.50.1
 dhcp-network-scope none
 vpn-tunnel-protocol IPSec
 default-domain value corp.com
 address-pools value PoolDefault
Thanks for helping me out.