topic Re: IPSEC VPN With DYNAMIC IP ADDRESS in Network Security

IPSEC VPN With DYNAMIC IP ADDRESS

wasiimcisco — Mon, 11 Mar 2019 16:35:31 GMT

i have ASA 8.0 with static ip address and remote site has a ADSL ROuter with dynamic IP address.

I am not able to make the Site to site vpn connection. I have tried dynamic map and standard site to site vpn

connection but nothing is working for me.

Please help me out. I am tottally stuck.I have attached the router and firewall configuration and below error I am getting.

Nov 3 18:08:34.606: IPSEC(key_engine): request timer fired: count = 1,

(identity) local= 83.110.195.120, remote= x.x.x.x,

local_proxy= 172.17.245.210/255.255.255.255/0/0 (type=1),

remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4)

Nov 3 18:08:34.606: IPSEC(sa_request): ,

(key eng. msg.) OUTBOUND local= 83.110.195.120, remote= x.x.x.x,

local_proxy= 172.17.245.210/255.255.255.255/0/0 (type=1),

remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),

protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),

lifedur= 3600s and 4608000kb,

spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

RISTAR-JXB#

Nov 3 18:08:34.810: IPSEC(key_engine): got a queue event with 1 KMI message(s)

If I give 0.0.0.0 in tunnel group configuraion it gave me following error.

ENOCDC-FW03(config)# tunnel-group 0.0.0.0 type ipsec-l2l

WARNING: L2L tunnel-groups that have names which are not an IP

address may only be used if the tunnel authentication

method is Digitial Certificates and/or The peer is

configured to use Aggressive Mode

I have change the rotuer configuration to aggressive mode but still no luck

Re: IPSEC VPN With DYNAMIC IP ADDRESS

acomiskey — Tue, 03 Nov 2009 21:43:08 GMT

You want to use the DefaultL2LGroup for your tunnel group name, not 0.0.0.0.

Re: IPSEC VPN With DYNAMIC IP ADDRESS

wasiimcisco — Wed, 04 Nov 2009 15:39:42 GMT

Yes Right and i even tried this but still not working. I am getting following errors on router.

my head office firewall has mulitple site to site VPP connection and remote access vpn and it is working fine but only this VPN connection is giving me problem. I have tried all.

Re: IPSEC VPN With DYNAMIC IP ADDRESS

wasiimcisco — Thu, 05 Nov 2009 08:29:57 GMT

Can anybody help me out.

Re: IPSEC VPN With DYNAMIC IP ADDRESS

acomiskey — Thu, 05 Nov 2009 13:56:23 GMT

First off, your crypto acl's should be mirrors of each other. This is how they are now...

Router

access-list 115 permit ip host 172.17.245.210 192.168.0.0 0.0.255.255

ASA

access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 172.17.245.0 255.255.255.0

This is what they should be...

Router

access-list 115 permit ip host 172.17.245.0 0.0.0.255 192.168.0.0 0.0.255.255

ASA

access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 172.17.245.0 255.255.255.0

Re: IPSEC VPN With DYNAMIC IP ADDRESS

wasiimcisco — Thu, 05 Nov 2009 15:08:03 GMT

On ASA firewall I am making dynamic map. like

Dynamic IPsec Between a Statically addressed PIX and a Dynamically addressed IOS Router with NAT Configuration Example

In dynanic map I dont have any option to recall the interesting traffic.

Re: IPSEC VPN With DYNAMIC IP ADDRESS

acomiskey — Thu, 05 Nov 2009 15:12:01 GMT

Sure you do, it's right here...

crypto dynamic-map TRJXB_MAP 151 match address TRJXB

Re: IPSEC VPN With DYNAMIC IP ADDRESS

wasiimcisco — Thu, 05 Nov 2009 15:53:25 GMT

I have configured this

crypto dynamic-map TRI_MAP 17 match address TRJXB

access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 17.1.1.0 255.255.255.0

access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 6.1.1.0 255.255.255.0

access-list TRJXB extended permit ip 16.1.1.0 255.255.255.0 6.1.1.0 255.255.255.0

access-list TRJXB extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0

access-list TRJXB extended permit ip 16.1.1.0 255.255.255.0 172.17.245.0 255.255.255.0

access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 172.17.245.0 255.255.255.0

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 6.1.1.1

access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 6.1.1.1

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.7

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.150

access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.150

access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.7

but still not working.

Re: IPSEC VPN With DYNAMIC IP ADDRESS

acomiskey — Thu, 05 Nov 2009 16:05:56 GMT

Those aren't exact mirrors of eachother and the crypto acl on your router isn't acl-nonat, it's acl 115.

Re: IPSEC VPN With DYNAMIC IP ADDRESS

acomiskey — Thu, 05 Nov 2009 16:14:07 GMT

Can you get the log from the ASA?

Re: IPSEC VPN With DYNAMIC IP ADDRESS

wasiimcisco — Thu, 05 Nov 2009 16:26:29 GMT

Please find attached. I am really thankful for your support and time that you are giving me to solving this issue.

Re: IPSEC VPN With DYNAMIC IP ADDRESS

acomiskey — Thu, 05 Nov 2009 16:40:05 GMT

Try this on the ASA.

crypto dynamic-map TRJXB-MAP 151 set pfs

Re: IPSEC VPN With DYNAMIC IP ADDRESS

wasiimcisco — Thu, 05 Nov 2009 21:49:31 GMT

Tried but still not working. Even reconfigure the complete router. This time configure with the Aggressive mode on the router.

Re: IPSEC VPN With DYNAMIC IP ADDRESS

wasiimcisco — Thu, 05 Nov 2009 22:13:39 GMT

See the fresh log after reconfiguration of Router as aggressive mode and ASA with PFS.