09-09-2009 07:28 AM - edited 03-11-2019 09:13 AM
Hello,
I have a VPN that will connect using one of 3 public IP addresses; is it possible to set up a VPN like this? Normally I set up VPNs with a peer having a single static IP, not a pool of IPs.
Thanks
09-11-2009 08:00 AM
:) - no such thing as a silly question, when you don't know something; just pulling your leg.
OK - well that is a start, get studying!!
If you have any more questions, post them or drop me an email.
09-12-2009 02:36 AM
Hi Andrew,
I have added what you suggested. Now I need to connect a remote VPN to my ASA.
I am going through the ASDM IPsec VPN wizard, but it asks me to put in an IP address of the remote peer, which I don't have. Do I have to use the CLI only for this? If I use 0.0.0.0 it says not supported.
My remote network has the 64 character pre-shared key I create and is pointing to my ASA's outside IP.
IKE Encryption - AES
IKE Authentication - SHA 256
IKE DH - Group5
IKE Lifetime - 86400
IPsec Encryption - AES
IPsec Authentication - SHA 256
IPsec DH - Group5
SA life time - 86400
09-12-2009 02:51 AM
Read the previous posts - as they already cover the required information for remote VPN peers with unknown IP addresses.
Again, the URL for reference: the end with the static IP should look the same as "Lion" and the remote should look the same as "Tiger".
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml
Ignore the VPN client config.
09-12-2009 02:58 AM
So the END I guess would be my ASA as it has a static, and the "tiger" would be this remote VPN, which is a non-Cisco device - horrid GUI.
This is what I originally tried to add:
I believe I will need to remove "crypto map dyn-map interface outside" as I already have an outside crypto map as mentioned before. Does it look ok?
! transform set: esp-aes is the 128-bit AES keyword on the ASA
crypto ipsec transform-set dynset1 esp-aes esp-sha-hmac
! dynamic map entry for peers with unknown addresses; transform set and PFS live here
crypto dynamic-map aw-dyn-map 1 set transform-set dynset1
crypto dynamic-map aw-dyn-map 1 set pfs group5
! static crypto map entry that references the dynamic map
crypto map dyn-map 1 ipsec-isakmp dynamic aw-dyn-map
crypto map dyn-map interface outside
! default L2L tunnel group used for peers whose IP is not known in advance
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key <64 char key here>
09-12-2009 03:30 AM
Yes.
Just add the dynamic tunnel group and test/debug - from the last review of your config this is all you need.
09-12-2009 03:46 AM
OK, so I don't need the crypto map part?
My earlier config contains:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
For debug I will use "debug crypto isakmp 254".
09-12-2009 04:02 AM
Ah, the debug is now showing something at last:
Sep 12 12:57:56 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, IKE MM Responder FSM error history (struct &0xd0c4bf70)
Sep 12 12:57:56 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, IKE SA MM:53bb3ccd terminating: flags 0x01000002, refcnt 0, tuncnt 0
Sep 12 12:57:56 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, sending delete/delete with reason message
Sep 12 12:57:56 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, constructing blank hash payload
Sep 12 12:57:56 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, constructing IKE delete payload
Sep 12 12:57:56 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, constructing qm hash payload
Sep 12 12:57:56 [IKEv1]: IP = 214.*.*.67, IKE_DECODE SENDING Message (msgid=73ff5505) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Sep 12 12:57:56 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, Removing peer from peer table failed, no match!
Sep 12 12:57:56 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, Error: Unable to remove PeerTblEntry
This remote site is on 172.181.11.0/24 and needs to get to my subnet behind the ASA on 192.168.91.0/24.
09-12-2009 04:54 AM
Hmm phase 1 is complete now, this is my output:
Sep 12 13:29:15 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
Sep 12 13:29:15 [IKEv1]: IP = 214.*.*.67, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 72
Sep 12 13:29:15 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
Sep 12 13:29:15 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, Duplicate Phase 1 packet detected. Retransmitting last packet.
Sep 12 13:29:15 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, P1 Retransmit msg dispatched to MM FSM
Sep 12 13:29:16 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, Duplicate Phase 1 packet detected. Retransmitting last packet.
Sep 12 13:29:16 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, P1 Retransmit msg dispatched to MM FSM
Sep 12 13:29:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, IKE MM Responder FSM error history (struct &0xd0c4bf70)
Sep 12 13:29:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, IKE SA MM:d0eb2626 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Sep 12 13:29:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, sending delete/delete with reason message
Sep 12 13:29:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, constructing blank hash payload
Sep 12 13:29:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, constructing IKE delete payload
Sep 12 13:29:16 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, constructing qm hash payload
Sep 12 13:29:16 [IKEv1]: IP = 214.*.*.67, IKE_DECODE SENDING Message (msgid=b5bcb867) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Sep 12 13:29:16 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, Removing peer from peer table failed, no match!
Sep 12 13:29:16 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, Error: Unable to remove PeerTblEntry
Sep 12 13:29:16 [IKEv1]: IP = 214.*.*.67, Received encrypted packet with no matching SA, dropping
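As an added example (not part of this thread, and not Cisco's own tooling), the script below parses "debug crypto isakmp" lines of the shape posted above and gives a per-peer headline diagnosis, so a responder-side failure can be read at a glance instead of line by line. The line format and the symptom strings are taken from the two debug excerpts in this thread; the sample input is copied from those excerpts, and the verdict texts are my own wording.

```python
import re
from collections import Counter, defaultdict

# Line shape assumed from the debug output posted in this thread (debug crypto isakmp):
#   Sep 12 13:29:15 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, <message>
# Some IKE_DECODE lines carry no "Group = ..." field, so that field is optional.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<src>IKEv1(?: DEBUG)?)\]: "
    r"(?:Group = (?P<group>[^,]+), )?"
    r"IP = (?P<ip>[^,]+), "
    r"(?P<msg>.*)$"
)

# Symptom substrings in priority order. The first one present in a peer's
# messages becomes that peer's headline verdict; every match is also counted.
DIAGNOSES = [
    ("mismatched pre-shared key",
     "PSK mismatch: the peer's key differs from the DefaultL2LGroup pre-shared-key"),
    ("invalid payloads",
     "Decrypt failure in main mode: pre-shared key or IKE proposal mismatch"),
    ("IKE MM Responder FSM error",
     "Main-mode FSM error: phase 1 never completed for this peer"),
    ("Duplicate Phase 1 packet",
     "Peer keeps retransmitting: it did not accept the last reply"),
]


def parse_line(line):
    """Return the fields of one debug line as a dict, or None if it is not an IKEv1 line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines):
    """Group IKEv1 debug lines by remote peer IP and return a per-peer report."""
    peers = defaultdict(lambda: {"group": None, "lines": 0, "symptoms": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        peer = peers[rec["ip"]]
        peer["lines"] += 1
        if rec["group"]:
            peer["group"] = rec["group"]
        for needle, _ in DIAGNOSES:
            if needle in rec["msg"]:
                peer["symptoms"][needle] += 1

    report = {}
    for ip, peer in peers.items():
        verdict = "No known symptom matched; read the full debug for this peer"
        for needle, text in DIAGNOSES:
            if peer["symptoms"][needle]:
                verdict = text
                break
        report[ip] = {
            "group": peer["group"],
            "lines": peer["lines"],
            "symptoms": dict(peer["symptoms"]),
            "verdict": verdict,
        }
    return report


# Sample input: lines copied from the two debug excerpts posted in this thread.
FIRST_ATTEMPT = """\
Sep 12 12:57:56 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, IKE MM Responder FSM error history (struct &0xd0c4bf70)
Sep 12 12:57:56 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 214.*.*.67, IKE SA MM:53bb3ccd terminating: flags 0x01000002, refcnt 0, tuncnt 0
Sep 12 12:57:56 [IKEv1]: IP = 214.*.*.67, IKE_DECODE SENDING Message (msgid=73ff5505) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Sep 12 12:57:56 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, Error: Unable to remove PeerTblEntry
""".splitlines()

SECOND_ATTEMPT = """\
Sep 12 13:29:15 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
Sep 12 13:29:15 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
Sep 12 13:29:15 [IKEv1]: Group = DefaultL2LGroup, IP = 214.*.*.67, Duplicate Phase 1 packet detected. Retransmitting last packet.
Sep 12 13:29:16 [IKEv1]: IP = 214.*.*.67, Received encrypted packet with no matching SA, dropping
""".splitlines()

if __name__ == "__main__":
    for label, sample in (("first attempt", FIRST_ATTEMPT), ("second attempt", SECOND_ATTEMPT)):
        for ip, info in analyze(sample).items():
            print(f"{label}: {ip} (group {info['group']}): {info['verdict']}")
```

Run against the second excerpt the verdict is "PSK mismatch". That is consistent with what the debug shows: in IKEv1 main mode the first four messages negotiate the policy and exchange Diffie-Hellman values in the clear, and only messages 5 and 6 are encrypted with keys derived from the pre-shared key, so a wrong key on either side surfaces exactly as "Received encrypted Oakley Main Mode packet with invalid payloads" followed by the ASA tearing the SA down, rather than as an early proposal rejection.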
09-14-2009 02:11 AM
Hi Andrew,
It seemed whatever I added stopped VPN client users from accessing our network; could the changes I added have affected them in any way?
I've set the config back to Thursday's now and all can connect.
09-14-2009 04:47 AM
It could have affected them, if you change your config for dynamic connections, other than the default l2l config.
I again suggest that you read the URL and compare the diffs between your current config and the suggested config; then integrate.
09-14-2009 05:54 AM
Am I right in saying Cisco VPN client users are also dynamic connections?
Think I will need to read that link again as you suggested.
I simply added:
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key <64 char key here>
This is the config for users on the ASA which seemed to stop users logging on; they would get the logon screen on the VPN client and it would then try to authenticate the user and fail:
tunnel-group DefaultL2LGroup general-attributes
default-group-policy AW-L2L
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key <64 char key>
tunnel-group DefaultRAGroup ipsec-attributes
isakmp ikev1-user-authentication (outside) none
tunnel-group corp_users type remote-access
tunnel-group corp_users general-attributes
address-pool CLIENT_VPN_POOL
authentication-server-group RADIUS
default-group-policy corp_users
tunnel-group corp_users ipsec-attributes
pre-shared-key
tunnel-group corp_users ppp-attributes
no authentication chap
no authentication ms-chap-v1
tunnel-group corp_admins type remote-access
tunnel-group corp_admins general-attributes
address-pool ADMIN_VPN_POOL
authentication-server-group RADIUS
default-group-policy corp_admins
tunnel-group corp_admins ipsec-attributes
pre-shared-key
Maybe adding those settings changed the config for the remote users.
09-14-2009 02:58 AM
Hi,
Whiteford, can you tell me what encryption you would use for dynamic VPN in phase 1/2, so that I can build the configuration for you?
Cheers
AP
09-14-2009 05:28 AM
Hi,
Well I normally use AES/SHA 256.
Networks:
Remote: 172.18.1.0/24
Local:192.168.90.0/24
Thanks
09-14-2009 03:05 AM
Hi Whiteford,
Could you tell me what encryption you would use for Phase 1/2 Dynamic VPN, so that I can build the configuration for you?
Cheers
AP
09-10-2009 02:09 AM
I can understand that - but to put some minds to rest.....even if the phase 1/2 encryption key was captured in a man-in-the-middle attack, the hacker would need to decrypt it and use it.....in the time frame it takes for the session to establish - as anti-replay is a major factor in IPsec.
So this means the hacker needs to break a 128-bit AES encrypted key; the last time I checked, no computer exists on planet Earth that can compute or even brute force it in under 50 million years.
If you use PFS as I suggested, this means the encryption key is re-negotiated anyway, so the same encryption keys are never used for more than the specific time period.