06-23-2013 02:12 AM - edited 03-11-2019 07:01 PM
Dear All,
I am trying to establish an IPsec tunnel between two ASAs, but it is not working; the first phase (ISAKMP) itself is not coming up. I have checked all the documentation and everything, but I am still not able to solve the issue.
Below are the configurations of ASA-1 and ASA-2.
ASA-1:
ASA-1# show runn
: Saved
:
ASA Version 8.0(2)
!
hostname ASA-1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 212.93.199.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list LAN_Traffic extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO_NAT
nat (inside) 1 192.168.1.0 255.255.255.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map L2L 10 match address LAN_Traffic
crypto map L2L 10 set peer 209.165.200.1
crypto map L2L 10 set transform-set TS
crypto map L2L interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map ICMP-CLASS
match default-inspection-traffic
!
!
policy-map ICMP-POLICY
class ICMP-CLASS
inspect icmp
!
service-policy ICMP-POLICY global
tunnel-group 209.165.200.1 type ipsec-l2l
tunnel-group 209.165.200.1 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
ASA-1#
---------------------------------------------------------------------------------------
ASA-2:
ASA-2# show runn
: Saved
:
ASA Version 8.0(2)
!
hostname ASA-2
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/1
nameif outside
security-level 0
ip address 209.165.200.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list LAN_Traffic extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO_NAT
nat (inside) 1 192.168.2.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 209.165.200.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set L2Lesp-aes-256 esp-3des esp-sha-hmac
crypto ipsec transform-set L2L esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map L2L 10 match address LAN_Traffic
crypto map L2L 10 set peer 212.93.199.1
crypto map L2L 10 set transform-set TS
crypto map L2L interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map ICMP-CLASS
match default-inspection-traffic
!
!
policy-map ICMP-POLICY
class ICMP-CLASS
inspect icmp
!
service-policy ICMP-POLICY global
tunnel-group 212.93.199.1 type ipsec-l2l
tunnel-group 212.93.199.1 ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
---------------------------------------------------------------------------------------
The log messages I am receiving are:
ASA-1# Nov 30 02:26:13 [IKEv1]: IP = 209.165.200.1, Removing peer from peer table failed, no match!
Nov 30 02:26:13 [IKEv1]: IP = 209.165.200.1, Error: Unable to remove PeerTblEntry
Nov 30 02:26:15 [IKEv1]: IP = 209.165.200.1, Removing peer from peer table failed, no match!
Nov 30 02:26:15 [IKEv1]: IP = 209.165.200.1, Error: Unable to remove PeerTblEntry
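Added example, not part of the original post or of any Cisco tooling: a small Python checker that reads the tunnel-relevant lines of both configurations above and reports what a second pair of eyes looks for before reaching for `debug crypto isakmp`: whether each side's crypto map peer is an address of the other box, whether the two boxes share an ISAKMP policy (authentication, encryption, hash and DH group; lifetime is left out because the peers settle on the lower value) and a transform set, whether an ipsec-l2l tunnel-group exists for the peer, whether the box has a connected subnet or static route covering the peer address (ASA-1 as posted has no route statement at all), and which configured algorithms (DES/3DES, MD5, DH groups 1 and 2) are weak by today's standards. The constructed inputs `L2L_TEMPLATE`, `ASA1_CONFIG` and `ASA2_CONFIG`, the function names and the wording of the findings are mine; the parser only understands the handful of ASA 8.x commands shown.

```python
import ipaddress

WEAK_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_ESP = {"esp-null", "esp-des", "esp-3des", "esp-md5-hmac"}
ISAKMP_ATTRS = ("authentication", "encryption", "hash", "group")

# Constructed input: the tunnel-relevant lines of the two posted configs. The
# sides differ only in addresses and in that ASA-1 as posted has no route.
L2L_TEMPLATE = """\
hostname {host}
interface Ethernet0/1
 ip address {local} 255.255.255.0
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map L2L 10 set peer {peer}
crypto map L2L 10 set transform-set TS
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 1
tunnel-group {peer} type ipsec-l2l
"""
ASA1_CONFIG = L2L_TEMPLATE.format(host="ASA-1", local="212.93.199.1", peer="209.165.200.1")
ASA2_CONFIG = (L2L_TEMPLATE.format(host="ASA-2", local="209.165.200.1", peer="212.93.199.1")
               + "route outside 0.0.0.0 0.0.0.0 209.165.200.2 1\n")

def _network(ip, dotted_mask):  # ipaddress accepts ASA-style "addr/dotted-mask"
    return ipaddress.ip_network(f"{ip}/{dotted_mask}", strict=False)

def parse_asa(text):
    """Pull the tunnel-relevant pieces out of an ASA `show run`."""
    cfg = {"hostname": "?", "addresses": set(), "routes": [], "isakmp": {},
           "transform_sets": {}, "crypto_maps": {}, "tunnel_groups": set()}
    policy = None  # the `crypto isakmp policy` whose sub-commands follow
    for t in filter(None, (line.split() for line in text.splitlines())):
        if t[0] == "hostname":
            cfg["hostname"] = t[1]
        elif t[:2] == ["ip", "address"]:  # interface sub-command
            cfg["addresses"].add(t[2])
            cfg["routes"].append(_network(t[2], t[3]))  # connected subnet
        elif t[0] == "route":  # route IFNAME NET MASK GATEWAY [metric]
            cfg["routes"].append(_network(t[2], t[3]))
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            policy = cfg["isakmp"].setdefault(int(t[3]), {})
        elif policy is not None and t[0] in ISAKMP_ATTRS:
            policy[t[0]] = t[1]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"][t[3]] = frozenset(t[4:])
        elif t[:2] == ["crypto", "map"] and t[3].isdigit():  # crypto map NAME SEQ ...
            entry = cfg["crypto_maps"].setdefault((t[2], int(t[3])), {})
            if t[4:6] == ["set", "peer"]:
                entry["peer"] = t[6]
            elif t[4:6] == ["set", "transform-set"]:
                entry["transform_sets"] = t[6:]
        elif t[0] == "tunnel-group" and t[2:3] == ["type"]:
            cfg["tunnel_groups"].add(t[1])
    return cfg

def has_route_to(cfg, dst):
    """True if dst is on a connected subnet or covered by a static route."""
    return any(ipaddress.ip_address(dst) in net for net in cfg["routes"])

def audit(cfg):
    """Per-box findings: weak phase-1/phase-2 algorithms, unreachable peer."""
    host, out = cfg["hostname"], []
    for seq, pol in sorted(cfg["isakmp"].items()):
        for attr, bad in WEAK_IKE.items():
            if pol.get(attr) in bad:
                out.append(f"{host}: isakmp policy {seq} {attr} {pol[attr]} is weak")
    for (name, seq), e in sorted(cfg["crypto_maps"].items()):
        for ts in e.get("transform_sets", []):  # only sets the map really uses
            weak = sorted(WEAK_ESP & cfg["transform_sets"].get(ts, frozenset()))
            if weak:
                out.append(f"{host}: crypto map {name} {seq} set {ts} uses {' '.join(weak)}")
        peer = e.get("peer")
        if peer and not has_route_to(cfg, peer):
            out.append(f"{host}: crypto map {name} {seq} peer {peer} has no route")
        if peer and peer not in cfg["tunnel_groups"]:
            out.append(f"{host}: no ipsec-l2l tunnel-group for peer {peer}")
    return out

def compare(a, b):
    """Pair findings: mutual peering, plus an ISAKMP policy and a transform set in common."""
    out = []
    for src, dst in ((a, b), (b, a)):
        peers = {e["peer"] for e in src["crypto_maps"].values() if "peer" in e}
        if not peers & dst["addresses"]:
            out.append(f"{src['hostname']} does not peer with any {dst['hostname']} address")
    p1 = [{tuple(p.get(k) for k in ISAKMP_ATTRS) for p in c["isakmp"].values()} for c in (a, b)]
    p2 = [{c["transform_sets"][ts] for e in c["crypto_maps"].values()
           for ts in e.get("transform_sets", []) if ts in c["transform_sets"]} for c in (a, b)]
    if not p1[0] & p1[1]:
        out.append(f"no ISAKMP policy common to {a['hostname']} and {b['hostname']}")
    if not p2[0] & p2[1]:
        out.append(f"no transform set common to {a['hostname']} and {b['hostname']}")
    return out

if __name__ == "__main__":
    asa1, asa2 = parse_asa(ASA1_CONFIG), parse_asa(ASA2_CONFIG)
    print(*audit(asa1), *audit(asa2), *compare(asa1, asa2), sep="\n")
```

Run as a script it prints three findings for ASA-1 (DH group 1, the 3DES/MD5 transform set the crypto map actually uses, and no route covering 209.165.200.1) and two for ASA-2, while compare() returns nothing because the two sides' peer addresses, ISAKMP policy and transform set do match each other. Changing `hash sha` to `hash md5` on one side, or the transform set to `esp-sha-hmac` on one side, makes compare() report the phase-1 or phase-2 mismatch instead; the unused L2L transform set on both boxes is deliberately ignored, since only sets referenced by the crypto map are negotiated.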
06-23-2013 06:58 AM
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml
The above page explains the configuration of IPsec ASA-to-ASA very well; I got my issue resolved.