10-17-2008 12:37 PM - edited 03-09-2019 09:41 PM
I had an existing network where a Kentrox device was establishing an IPsec VPN to a PIX 501. The Kentrox was on a dynamic public IP; the 501 has a static public IP.
The PIX 501 was set up as below. We have since switched out the 501 for an ASA 5505. I used the 501 config on the 5505, which seemed to take OK; however, the VPN will not come up. The 5505 interprets the isakmp key line a bit differently than I would expect: it turns it into a DefaultRAGroup. All I have to do is create a tunnel group using the public IP of the Kentrox instead of using the DefaultRAGroup and it works fine. When I create the tunnel group using the IP, I specify the type as l2l. I would just leave it like this except the Kentrox is on a dynamic public IP, meaning it will break within a few days.
Below are the 501 and 5505 configs. The Kentrox is geographically out of reach, we have no one technically capable near it, and we don't have the password for it. All I have is a 501 config that I know works. I know this is rather limited :(
The configs have the VPN-specific output; if anyone wants more, please let me know.
thank you
Lawrence
501:
access-list outside_cryptomap_dyn_10 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_10 permit ip 172.20.11.0 255.255.255.0 192.168.1.0 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map interface inside
!
isakmp enable outside
isakmp key * address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
5505:
access-list outside_cryptomap_dyn_10 extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_10 extended permit ip 172.20.11.0 255.255.255.0 192.168.1.0 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
!
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group 76.88.224.96 type ipsec-l2l
tunnel-group 76.88.224.96 ipsec-attributes
pre-shared-key *
!
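An added example, not taken from the original post or from Cisco documentation: the 5505 side of the configuration above, with the wildcard pre-shared key placed in DefaultL2LGroup rather than DefaultRAGroup. On the ASA, an IKEv1 main-mode peer that authenticates by pre-shared key and whose address matches no named tunnel-group is handled by DefaultL2LGroup; DefaultRAGroup is the remote-access fallback. The static crypto ACL and transform set are the ones already on the 5505; the key value is a placeholder, and the reverse-route line is an optional addition assumed here, not something the posted PIX config had. As with the PIX wildcard key, anyone holding the key can bring the tunnel up from any address.

```cisco
! Added example (not from the original post): ASA 5505 for a site-to-site
! peer on a dynamic public IP, authenticated with a wildcard pre-shared key.
!
! Crypto ACL and transform set as already present on the 5505.
access-list outside_cryptomap_dyn_10 extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_10 extended permit ip 172.20.11.0 255.255.255.0 192.168.1.0 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
! Optional (assumed, not in the original): install a route to 192.168.1.0/24
! toward whatever address the peer connects from, once the SA is up.
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
!
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
! The key belongs here. DefaultRAGroup (where the converted config put it)
! is only consulted for remote-access clients, so a main-mode L2L peer on an
! unknown address never finds a key there and phase 1 fails.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key PLACEHOLDER-REPLACE-ME
!
! No "tunnel-group <peer-ip> type ipsec-l2l" is configured: a named group
! keyed on the peer address would stop matching as soon as that address changed.
```

To check, bring traffic up from either side and confirm with `show crypto isakmp sa` (the peer should reach MM_ACTIVE) and `show crypto ipsec sa` (a pair of SAs for each of the two crypto ACL lines that carried traffic). If `debug crypto isakmp` shows the peer sending an aggressive-mode exchange with a hostname identity instead of main mode with its address, the fallback to DefaultL2LGroup does not apply and a named tunnel-group for that identity is needed.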
10-18-2008 01:14 AM
Follow the config example below:-
HTH>
10-20-2008 04:24 PM
I have seen this config and it does not work for me.
The Kentrox end is not set up, so far as I can tell, to do route injection.
When I do debug cry isa 255 and debug cry ips 255 I get the below error over and over:
IKE Recv RAW packet dump
ff 54 ad 66 d8 0f 22 b4 11 a1 1d 6b 83 61 4b e9 | .T.f.."....k.aK.
08 10 20 01 d6 e2 fb 4e 00 00 00 9c bd f9 e6 c3 | .. ....N........
da cc e7 a5 97 11 9d bd a9 a4 ee 4b e4 eb 47 47 | ...........K..GG
db 5d e2 e1 4a b6 ae b3 a0 bb 5a 21 08 24 a4 13 | .]..J.....Z!.$..
61 fe bd d5 d6 c9 09 f5 48 53 99 f9 d6 a2 09 39 | a.......HS.....9
a5 40 37 af a2 70 eb d8 7d cd dc 52 65 67 4b 15 | .@7..p..}..RegK.
ec 7b c7 ec 13 e5 ba d1 4e 08 67 1a c7 24 75 82 | .{......N.g..$u.
b6 e9 9e 40 d6 27 33 b7 02 78 da 32 76 79 6c 8d | ...@.'3..x.2vyl.
19 d4 39 ed fa 81 03 33 f8 5c 1c bd 86 3a 05 f0 | ..9....3.\...:..
4f 66 26 3c 14 cb 1f a4 35 a6 7d c6 | Of&<....5.}.
RECV PACKET from 76.88.224.96
ISAKMP Header
Initiator COOKIE: ff 54 ad 66 d8 0f 22 b4
Responder COOKIE: 11 a1 1d 6b 83 61 4b e9
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: D6E2FB4E
Length: 156
Oct 20 17:19:21 [IKEv1]: IP = 76.88.224.96, Received encrypted packet with no matching SA, dropping
10-21-2008 12:36 AM
Firstly - the route injection should be handled by the PIX, not the Kentrox, as the PIX does not know what IP address the Kentrox will establish a VPN from.
Secondly, the above is a packet not belonging to an SA. I suggest you double-check all your configs.
HTH>
10-21-2008 12:46 PM
My comment was not that the Kentrox should inject routes but that I do not know if it supports them or is configured for them. As you can see from the old configuration it was not doing RRI previously, and I do not see a reason to do so now. I'm not trying to configure anything new and wonderful; I just need the ASA to do the same thing the PIX was doing.
After some Googling it appears RRI is Cisco proprietary (someone please slap me if I'm wrong). I checked documentation for the Kentrox device on the other end (Q2300) and it does not seem to support RRI so far as I can tell.
10-22-2008 12:37 AM
You are missing the point - the remote end with no static IP address cannot reverse inject routes.
It HAS to be done at the PIX with the static IP address. As the pix does NOT know when a VPN connection will come in and what the remote IP subnet will be.
10-22-2008 10:13 AM
If that is correct, how was it working with the old PIX? The old PIX was not doing RRI?
The old PIX was using an ACL, like any other L2L, to determine what network was on the other side. Why do I need to add RRI to the ASA when it was not being used on the PIX?
10-22-2008 11:00 AM
Actually it kinda was:-
isakmp key * address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
Allows ANY remote client to create an IPsec VPN to the PIX.
access-list outside_cryptomap_dyn_10 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_10 permit ip 172.20.11.0 255.255.255.0 192.168.1.0 255.255.255.0
You had already defined the remote LAN IP subnets you expected to create a VPN from.
If you had a third site, say 192.168.254.0/24, and it tried to connect... without actually being in the crypto map, it would FAIL.
Show me where in the below config example a crypto ACL is defined and bound to a crypto map. You will not find it, because the remote end will advertise the remote LAN, and the ASA will accept it and create dynamic crypto ACLs and RRI.
READ - READ - READ
HTH>