Oct 31, 2016

Which VPN tunnel matches my traffic?

When managing a VPN concentrator with thousands of active tunnels, we may run into overlapping crypto map entries. This is not easy to spot, and we may spend a lot of time before figuring out that a different tunnel is carrying our traffic.

Here are the steps that I would use to check which tunnel matches my packets.


First we need the packet-tracer output for the interesting traffic. The relevant part is the VPN encrypt phase, which shows the user_data of the rule that matched:

asa# packet-tracer input inside tcp 172.16.0.10 1234 10.10.10.1 22 detailed
...
Phase: 5
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7c185588, priority=70, domain=encrypt, deny=false
        hits=419, user_data=0x15cdf364, cs_id=0x7b8a56b8, reverse, flags=0x0, protocol=0
        src ip/id=172.16.0.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=10.10.10.1, mask=255.255.255.255, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside
...


Then we look up that user_data value in the VPN context table (written in upper case, as the table prints it):

asa# show asp table vpn-context detail | b 0x15CDF364
...
VPN CTX  = 0x15CDF364

Peer IP  = 10.10.10.1
Pointer  = 0x7C227268
State    = UP
Flags    = ENCR+ESP
SA       = 0x0DDBD491
SPI      = 0x0D388804
Group    = 1
Pkts     = 391120
Bad Pkts = 0
Bad SPI  = 0
Spoof    = 0
Bad Crypto = 0
Rekey Pkt  = 9
Rekey Call = 9
VPN Filter =
...


Now that we have the SPI, it is easy to find the SA, and with it the crypto map entry and peer, of the tunnel that actually matches our traffic:

asa# show ipsec sa spi 0D388804
spi: 0x0D388804
    Crypto map tag: CMAP, seq num: 10, local addr: 192.0.2.1

      access-list VPN-test extended permit ip 172.16.0.0 255.255.255.0 host 10.10.10.1
      local ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
      current_peer: 192.0.2.129


      #pkts encaps: 391190, #pkts encrypt: 391190, #pkts digest: 391190
      #pkts decaps: 469550, #pkts decrypt: 469550, #pkts verify: 469550
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 391190, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.0.2.1/0, remote crypto endpt.: 192.0.2.129/0
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 0D388804
      current inbound spi : E21245D7

    inbound esp sas:
      spi: 0xE21245D7 (3792848343)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 246751233, crypto-map: CMAP
         sa timing: remaining key lifetime (kB/sec): (4373071/26078)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFF7F
    outbound esp sas:
      spi: 0x0D388804 (221808644)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 246751233, crypto-map: CMAP
         sa timing: remaining key lifetime (kB/sec): (4373649/26078)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


If this peer is not the intended one, the crypto ACLs need to be adjusted so that the traffic matches the correct crypto map entry.
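The three lookups above chain together mechanically (user_data from packet-tracer, the VPN context that owns it, the SPI, and finally the SA with its crypto map and peer), so they are easy to script when the same check has to be repeated across many tunnels. The following is an added example, not part of the original post: it parses constructed copies of the three outputs shown above (plus a second, decoy VPN context to show that the right block is selected) and reports whether the SA that will carry the traffic terminates on the expected peer. The function and variable names are this example's own, and the sample outputs are abridged.

```python
import re

# Constructed sample outputs, abridged from the three commands in the post.
PACKET_TRACER_OUT = """\
Phase: 5
Type: VPN
Subtype: encrypt
Result: ALLOW
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7c185588, priority=70, domain=encrypt, deny=false
        hits=419, user_data=0x15cdf364, cs_id=0x7b8a56b8, reverse, flags=0x0, protocol=0
        src ip/id=172.16.0.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=10.10.10.1, mask=255.255.255.255, port=0, tag=0, dscp=0x0
"""

# Two contexts: a constructed decoy first, then the one from the post.
VPN_CONTEXT_OUT = """\
VPN CTX  = 0x0AAA0001
Peer IP  = 10.20.30.1
State    = UP
SPI      = 0x0A0B0C0D

VPN CTX  = 0x15CDF364
Peer IP  = 10.10.10.1
Pointer  = 0x7C227268
State    = UP
Flags    = ENCR+ESP
SA       = 0x0DDBD491
SPI      = 0x0D388804
Pkts     = 391120
"""

IPSEC_SA_OUT = """\
spi: 0x0D388804
    Crypto map tag: CMAP, seq num: 10, local addr: 192.0.2.1

      access-list VPN-test extended permit ip 172.16.0.0 255.255.255.0 host 10.10.10.1
      local ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.1/255.255.255.255/0/0)
      current_peer: 192.0.2.129
"""


def encrypt_user_data(pt_out):
    """user_data of the domain=encrypt rule, normalised to upper-case hex, or None."""
    m = re.search(r"domain=encrypt.*?user_data=0x([0-9a-fA-F]+)", pt_out, re.S)
    return "0x" + m.group(1).upper() if m else None


def vpn_context(ctx_out, ctx_id):
    """Parse 'show asp table vpn-context detail' into blocks; return the one for ctx_id."""
    for block in re.split(r"(?=^VPN CTX\s*=)", ctx_out, flags=re.M):
        fields = {}
        for line in block.splitlines():
            if "=" in line:
                key, _, value = line.partition("=")
                fields[key.strip()] = value.strip()
        if fields.get("VPN CTX", "").upper() == ctx_id.upper():
            return fields
    return None


def show_sa_command(spi):
    """The ASA command for this SPI; the CLI takes the value without the 0x prefix."""
    return "show ipsec sa spi " + spi[2:].upper()


def ipsec_sa_summary(sa_out):
    """Crypto map tag, sequence number, crypto ACL and peer from 'show ipsec sa spi'."""
    def grab(pattern):
        m = re.search(pattern, sa_out, re.M)
        return m.group(1) if m else None
    return {"crypto_map": grab(r"Crypto map tag: (\S+),"), "seq": grab(r"seq num: (\d+)"),
            "acl": grab(r"^\s*access-list (\S+) "), "peer": grab(r"current_peer: (\S+)")}


def trace_tunnel(pt_out, ctx_out, sa_out):
    """Chain the lookups: user_data -> VPN context -> SPI -> SA. Returns a dict."""
    user_data = encrypt_user_data(pt_out)
    if user_data is None:
        return {"error": "no VPN encrypt phase: traffic is not being encrypted"}
    ctx = vpn_context(ctx_out, user_data)
    if ctx is None:
        return {"error": f"VPN context {user_data} not found in table"}
    spi = ctx["SPI"]
    head = re.search(r"^spi: 0x([0-9A-Fa-f]+)", sa_out, re.M)
    if not head or int(head.group(1), 16) != int(spi, 16):
        return {"error": f"SA output does not belong to SPI {spi}"}
    result = {"user_data": user_data, "vpn_ctx_peer": ctx.get("Peer IP"), "spi": spi}
    result.update(ipsec_sa_summary(sa_out))
    return result


def tunnel_is_expected(result, expected_peer):
    """True when the SA that carries the traffic terminates on the intended peer."""
    return result.get("peer") == expected_peer


if __name__ == "__main__":
    found = trace_tunnel(PACKET_TRACER_OUT, VPN_CONTEXT_OUT, IPSEC_SA_OUT)
    print(found)
    print("expected peer:", tunnel_is_expected(found, "192.0.2.129"))
```

On a live box the three strings would come from the CLI (or an SSH library) rather than being embedded; the parsing and the final peer comparison stay the same. Note that the packet-tracer prints user_data in lower case while the context table prints it in upper case, which is why the lookup normalises case before comparing.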
