
vpn tunnels

oddyager

Diamond Member
I enabled ezvpn on both local and remote sites and if I do a show crypto session detail, I see 2 connections, one of which is suspicious...

Router#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Serial1/0
Session status: UP-ACTIVE
Peer: 10.10.1.3 port 500 fvrf: (none) ivrf: (none)
Phase1_id: NSSOLVPN
Desc: (none)
IKE SA: local 10.10.2.1/500 remote 10.10.1.3/500 Active
Capabilities:CDX connid:505 lifetime:13:24:54
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 192.168.1.0/255.255.255.0
Active SAs: 2, origin: dynamic crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4420431/680
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4420431/680
IPSEC FLOW: permit ip 65.189.69.56/255.255.255.248 host 10.10.1.3
Active SAs: 2, origin: dynamic crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4579180/599
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4579180/599

Where 10.10.1.3 is the outside i/f of the remote router, and 10.10.2.1 is the local i/f.

The first IPSEC FLOW line is fine I believe. What I'm curious about is the second IPSEC FLOW line which is permitting 65.189.69.56 (when I did a DNS lookup it points to someplace in Texas) that seems to be connecting to the remote site. The remote router isn't being used for internet surfing or any other purpose other than to be an endpoint of the VPN. Is this something I have to deny (access list?) on the remote router?
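Added example (not from the post): a small parser for the `show crypto session detail` output quoted above that pulls out each IPSEC FLOW with its packet counters and flags any endpoint that is neither "any" nor inside a prefix you consider yours. The trusted prefixes are an assumption: 192.168.1.0/24 comes from the post, 10.10.0.0/16 is a guess that covers both router interfaces mentioned.

```python
import ipaddress
import re

# Copied from the "show crypto session detail" output in the post above.
SAMPLE = """\
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 192.168.1.0/255.255.255.0
Active SAs: 2, origin: dynamic crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4420431/680
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4420431/680
IPSEC FLOW: permit ip 65.189.69.56/255.255.255.248 host 10.10.1.3
Active SAs: 2, origin: dynamic crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4579180/599
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4579180/599
"""

# Endpoints are either "host a.b.c.d" or "a.b.c.d/dotted.mask".
FLOW_RE = re.compile(r"IPSEC FLOW: permit ip (host \S+|\S+/\S+) (host \S+|\S+/\S+)")
PKTS_RE = re.compile(r"(Inbound|Outbound): #pkts (?:dec|enc)'ed (\d+)")


def to_network(token):
    """'host 10.10.1.3' -> 10.10.1.3/32; ipaddress accepts dotted masks directly."""
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    return ipaddress.ip_network(token, strict=False)


def parse_flows(text):
    """Return one dict per IPSEC FLOW: src, dst and inbound/outbound packet counts."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            flows.append({"src": to_network(m.group(1)),
                          "dst": to_network(m.group(2)), "pkts": {}})
            continue
        m = PKTS_RE.search(line)
        if m and flows:  # counters belong to the most recent flow
            flows[-1]["pkts"][m.group(1).lower()] = int(m.group(2))
    return flows


def unexpected_endpoints(flows, trusted):
    """Endpoints that are neither 'any' (0.0.0.0/0) nor inside a trusted prefix."""
    trusted = [ipaddress.ip_network(p) for p in trusted]
    bad = []
    for f in flows:
        for net in (f["src"], f["dst"]):
            if net.prefixlen == 0:  # 'any' is the normal EzVPN split-tunnel source
                continue
            if not any(net.subnet_of(t) for t in trusted):
                bad.append(str(net))
    return bad


if __name__ == "__main__":
    # Assumed trusted prefixes: 192.168.1.0/24 from the post, 10.10.0.0/16 assumed.
    print(unexpected_endpoints(parse_flows(SAMPLE), ["192.168.1.0/24", "10.10.0.0/16"]))
```

Running it on the pasted output reports only 65.189.69.56/29, the endpoint the post asks about; the zero packet counters on that flow are also available in the parsed result for anyone comparing against later snapshots.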