11-02-2009 11:55 AM - edited 02-21-2020 03:46 AM
Hello, hopefully someone can help me out with this. I'm CCNA level, but not very familiar with Site-to-Site VPN setup. I have an ASA5510 for a remote site and am trying to connect to a 5520 at the main site. I am not seeing the tunnel come up at all. Here is the main site config that is relevant to VPN:
interface GigabitEthernet0/0
 description Trusted Internal Interface
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address x.x.x.x 255.255.0.0
interface GigabitEthernet0/3.10
 description Time Warner External Interface
 vlan 10
 nameif TimeWarner
 security-level 0
 ip address y.y.y.y 255.255.255.248
access-list MATCH extended permit ip x.x.x.x 255.255.0.0 [remote network] 255.255.255.252
nat (inside) 0 access-list MATCH
service resetoutside
crypto ipsec transform-set asa2transform esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map IPSECMAP 100 match address MATCH
crypto map IPSECMAP 100 set peer [remote outside interface]
crypto map IPSECMAP 100 set transform-set asa2transform
crypto map IPSECMAP interface TimeWarner
crypto isakmp identity address
crypto isakmp enable TimeWarner
crypto isakmp policy 100
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
tunnel-group [tunnel name] type ipsec-l2l
tunnel-group [tunnel name] ipsec-attributes
 pre-shared-key *
no tunnel-group-map enable ou
I have a few outside connections running into a switch and a trunk running into the ASA. I also have interface tracking for interface failover and the unit is a part of an active/standby cluster.
The config on the 5510 is the same except for the peer being the outside interface of the 5520 and the access-list being reversed.
Any help for a VPN newb would be much appreciated.
11-02-2009 12:55 PM
One thing that is not mandatory, but suggested is to use a different ACL for NAT 0 and IPSec. Here's an excellent troubleshooting doc on VPNs.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
Hope it helps you out.
11-02-2009 08:20 PM
Please post the output of the following:
debug crypto isakmp 127
debug crypto ipsec 127
debug crypto engine
Regards
Farrukh
11-03-2009 08:28 AM
11-03-2009 08:30 AM
Forgot to say thank you for the troubleshooting link. I did go through those steps and some points were very helpful in adding to my understanding of the VPN tunnel process. Unfortunately after going through the steps I am still having issues.
11-03-2009 10:55 AM
Although the debugs are not so clear, it seems you either have a pre-shared key mismatch or a phase 2 parameter mismatch (transform-set, SA timer or crypto ACL).
I would do the following:
> Enter the pre-shared key again, making sure there are no ' ' spaces at the end (although this is highly unlikely with the ASA tunnel-group syntax)
> Remove the security association timers, setting them to their defaults (please remove from both sides)
> Re-Check the crypto ACL again, especially the subnet mask, they should be exact mirrors of each other
> Try using another phase 2 transform set (perhaps SHA+3des)
Please clear the existing sessions if any from both sides before trying again. Also if possible, please post the output of both sides.
Regards
Farrukh
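The two posts above boil down to the same checklist: the crypto ACLs must be exact mirrors (masks included), the phase 2 transform-set and SA lifetimes must agree, at least one ISAKMP policy must match on both sides, and each side's peer must be the other side's outside address. As an added example, not code from this thread or from Cisco, here is a small Python checker that parses those parameters out of two ASA config snippets and reports every mismatch. All addresses and the two sample configs are constructed; the "bad" remote config deliberately reverses the ACL with the wrong mask, the kind of error the checklist warns about.

```python
"""Compare the L2L VPN parameters of two ASA configs (added example, constructed data)."""
import re

# Constructed sample configs: 10.1.0.0/16 at the main site, 192.168.100.0/30 at the remote.
MAIN_OUTSIDE, REMOTE_OUTSIDE = "203.0.113.10", "198.51.100.20"
MAIN_CFG = """
access-list MATCH extended permit ip 10.1.0.0 255.255.0.0 192.168.100.0 255.255.255.252
crypto ipsec transform-set asa2transform esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map IPSECMAP 100 match address MATCH
crypto map IPSECMAP 100 set peer 198.51.100.20
crypto map IPSECMAP 100 set transform-set asa2transform
crypto isakmp policy 100
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
"""
# Remote side: ACL reversed, but with a /24 mask instead of the /30 the main site uses.
REMOTE_CFG_BAD = MAIN_CFG.replace(
    "10.1.0.0 255.255.0.0 192.168.100.0 255.255.255.252",
    "192.168.100.0 255.255.255.0 10.1.0.0 255.255.0.0",
).replace("set peer 198.51.100.20", "set peer 203.0.113.10")
# Same config with the mask corrected: an exact mirror of the main site's ACL.
REMOTE_CFG_GOOD = REMOTE_CFG_BAD.replace("192.168.100.0 255.255.255.0", "192.168.100.0 255.255.255.252")


def parse_side(cfg):
    """Pull out the phase 1 / phase 2 values that must agree across the two peers."""
    side = {"acl": [], "transforms": {}, "sa_seconds": None, "sa_kbytes": None,
            "isakmp": {}, "peer": None, "map_acl": None, "map_transform": None}
    policy = None  # ISAKMP policy whose attribute lines we are currently reading
    for raw in cfg.splitlines():
        line = raw.strip()  # forum posts usually lose the indentation, so ignore it
        if m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            side["acl"].append((m[1], (m[2], m[3]), (m[4], m[5])))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            side["transforms"][m[1]] = frozenset(m[2].split())
        elif m := re.match(r"crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)$", line):
            side["sa_seconds" if m[1] == "seconds" else "sa_kbytes"] = int(m[2])
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)$", line):
            side["map_acl"] = m[1]
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)$", line):
            side["peer"] = m[1]
        elif m := re.match(r"crypto map \S+ \d+ set transform-set (\S+)$", line):
            side["map_transform"] = m[1]
        elif m := re.match(r"crypto isakmp policy (\d+)$", line):
            policy = m[1]
            side["isakmp"][policy] = {}
        elif policy and (m := re.match(r"(authentication|encryption|hash|group|lifetime) (\S+)$", line)):
            side["isakmp"][policy][m[1]] = m[2]
    return side


def compare_sides(local, remote, local_outside, remote_outside):
    """Return a list of mismatch descriptions; an empty list means the sides agree."""
    issues = []
    # Crypto ACLs: remote's (src, dst) must equal local's (dst, src), masks and all.
    l_acl = {(s, d) for n, s, d in local["acl"] if n == local["map_acl"]}
    r_acl = {(d, s) for n, s, d in remote["acl"] if n == remote["map_acl"]}
    if l_acl != r_acl:
        issues.append(f"crypto ACL not mirrored: {sorted(l_acl)} vs flipped remote {sorted(r_acl)}")
    # Phase 2 transform-set and SA lifetimes (the checklist says: identical or both at defaults).
    if local["transforms"].get(local["map_transform"]) != remote["transforms"].get(remote["map_transform"]):
        issues.append("transform-set algorithms differ")
    for key in ("sa_seconds", "sa_kbytes"):
        if local[key] != remote[key]:
            issues.append(f"{key} differs: {local[key]} vs {remote[key]}")
    # Phase 1: some policy pair must agree on auth/encryption/hash/group (lifetime is negotiated).
    strip = lambda p: {k: v for k, v in p.items() if k != "lifetime"}
    if not any(strip(lp) == strip(rp) for lp in local["isakmp"].values() for rp in remote["isakmp"].values()):
        issues.append("no ISAKMP policy matches on authentication/encryption/hash/group")
    if local["peer"] != remote_outside:
        issues.append(f"local peer {local['peer']} is not the remote outside address {remote_outside}")
    if remote["peer"] != local_outside:
        issues.append(f"remote peer {remote['peer']} is not the local outside address {local_outside}")
    return issues


if __name__ == "__main__":
    for label, remote_cfg in (("bad", REMOTE_CFG_BAD), ("good", REMOTE_CFG_GOOD)):
        found = compare_sides(parse_side(MAIN_CFG), parse_side(remote_cfg), MAIN_OUTSIDE, REMOTE_OUTSIDE)
        print(label, found or "no mismatches")
```

The checker only reads what can be read from a sanitized post; it cannot see the pre-shared key, so a key mismatch still has to be ruled out by re-entering the key on both units as suggested above.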