Forum Discussion
F5 TMOS 11.3 L2L vpn cisco ASA 8.4
Hello Vitaliy, thanks for your feedback. I changed the traffic selector on the F5 and Phase 2 is alive (instead of on the ASA). So IPsec is OK, but I didn't see any traffic through the tunnel. My next problem. Normally
See output from the Cisco
FW sh crypto ipsec sa detail
interface: outside
Crypto map tag: outside_map, seq num: 20, local addr: 2.2.2.2
access-list vpn-test extended permit ip host 10.10.10.10 172.16.1.0 255.255.255.0
local ident (addr/mask/prot/port): (10.10.10.10 /255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0.0/0/0)
current_peer: 4.4.4.4
pkts encaps: 0, pkts encrypt: 0, pkts digest: 0
pkts decaps: 0, pkts decrypt: 0, pkts verify: 0
pkts compressed: 0, pkts decompressed: 0
pkts not compressed: 0, pkts comp failed: 0, pkts decomp failed: 0
post-frag successes: 0, post-frag failures: 0, fragments created: 0
PMTUs sent: 0, PMTUs rcvd: 0, decapsulated frgs needing reassembly: 0
pkts no sa (send): 0, pkts invalid sa (rcv): 0
pkts encaps failed (send): 0, pkts decaps failed (rcv): 0
pkts invalid prot (rcv): 0, pkts verify failed: 0
pkts invalid identity (rcv): 0, pkts invalid len (rcv): 0
pkts invalid pad (rcv): 0, pkts invalid ip version (rcv): 0,
pkts replay rollover (send): 0, pkts replay rollover (rcv): 0
pkts replay failed (rcv): 0
pkts min mtu frag failed (send): 0, pkts bad frag offset (rcv): 0
pkts internal err (send): 0, pkts internal err (rcv): 0
local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 4.4.4.4/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: FEA1D5ED
current inbound spi : 3D1BA8CC
inbound esp sas:
spi: 0x3D1BA8CC (1025222860)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 3203072, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/28141)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xFEA1D5ED (4272018925)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 3203072, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/28141)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
FW