Both phase 1 and 2. /Jimmy

2010/8/17 Yogesh Gawankar <[email protected]>

> Cool so it will actually bring up phase 1 and phase 2 or just phase 1?
>
> When I said it won't work I meant I doubt any traffic would actually flow :)
>
> Thanks and regards
>
> Yogesh Gawankar
>
> --- On *Tue, 8/17/10, Jimmy Larsson <[email protected]>* wrote:
>
> From: Jimmy Larsson <[email protected]>
> Subject: Re: [OSL | CCIE_Security] Packet tracer
> To: "Farzad A. Cheema" <[email protected]>
> Cc: "Yogesh Gawankar" <[email protected]>, "OSL Security" <[email protected]>
> Date: Tuesday, August 17, 2010, 4:23 AM
>
> Now I have verified, and it is actually true what I heard. If you have a
> VPN-tunnel configured and that is not up (no sa:s built) and you use the
> packet-tracer to emulate a packet thru that tunnel, the ASA actually builds
> the tunnel.
>
> It never sends the packet of course. After bringing the ipsec sa up it is
> still "#pkts encaps: 0".
>
> Sorry guys, but you were wrong. ;)
>
> /Jimmy
>
> 2010/8/16 Farzad A. Cheema <[email protected]>
>
> I have tried it too but never got accurate results. It gives me the same output
> for literally anything.
>
> To bring the tunnel up, you can generate the interesting traffic by pinging
> from a host inside your ASA.
>
> Cheers,
> Farzad
>
> On 16 August 2010 14:02, Yogesh Gawankar <[email protected]> wrote:
>
> No it won't work.
>
> Thanks and regards
>
> Yogesh Gawankar
>
> --- On *Mon, 8/16/10, Jimmy Larsson <[email protected]>* wrote:
>
> From: Jimmy Larsson <[email protected]>
> Subject: [OSL | CCIE_Security] Packet tracer
> To: "OSL Security" <[email protected]>
> Date: Monday, August 16, 2010, 10:53 PM
>
> Hi guys
>
> I heard someone mentioning that the packet-tracer in ASA initiates the
> VPN-tunnel (SA:s) if that is needed for the tested packet-flow. I have no
> resources to test that here and now, can someone confirm?
>
> So if I have a L2L-tunnel configured but SA:s are down, if I do
> packet-trace with a local source ip and a remote destination ip that matches
> the crypto acl, it will actually bring the tunnel up?
>
> /Jimmy
>
> --
> -------
> Jimmy Larsson
> Ryavagen 173
> s-26030 Vallakra
> Sweden
> http://blogg.kvistofta.nu
> -------
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> --
> Regards,
> Farzad A. Cheema
> --------------------------------

--
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------
