l2l dynomap to a kentrox with dynamic IP

lawrence.brown (Level 1)

I had an existing network where a Kentrox device was establishing an IPsec VPN to a PIX 501. The Kentrox was on a dynamic public IP; the 501 has a static public IP.

The PIX 501 was set up as below. We have since switched out the 501 for an ASA 5505. I used the 501 config on the 5505, which seemed to take OK; however, the VPN will not come up. The 5505 interprets the isakmp key line a bit differently than I would expect: it turns it into a DefaultRAGroup. All I have to do is create a tunnel group using the public IP of the Kentrox instead of using the DefaultRAGroup and it works fine. When I create the tunnel group using the IP, I specify the type as l2l. I would just leave it like this, except the Kentrox is on a dynamic public IP, meaning it will break within a few days.

Below are the 501 and 5505 configs. The Kentrox is geographically out of reach, we have no one technically capable near it, and we don't have the password for it. All I have is a 501 config that I know works. I know this is rather limited :(

The configs have the VPN-specific output; if anyone wants more, please let me know.

thank you

Lawrence

501:

access-list outside_cryptomap_dyn_10 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_10 permit ip 172.20.11.0 255.255.255.0 192.168.1.0 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map interface inside
!
isakmp enable outside
isakmp key * address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

5505:

access-list outside_cryptomap_dyn_10 extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_10 extended permit ip 172.20.11.0 255.255.255.0 192.168.1.0 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
!
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group 76.88.224.96 type ipsec-l2l
tunnel-group 76.88.224.96 ipsec-attributes
 pre-shared-key *
!

7 Replies

I have seen this config and it does not work for me.

The Kentrox end is not set up, so far as I can tell, to do route injection.

When I do debug cry isa 255 and debug cry ips 255 I get the below error over and over:

IKE Recv RAW packet dump
ff 54 ad 66 d8 0f 22 b4 11 a1 1d 6b 83 61 4b e9 | .T.f.."....k.aK.
08 10 20 01 d6 e2 fb 4e 00 00 00 9c bd f9 e6 c3 | .. ....N........
da cc e7 a5 97 11 9d bd a9 a4 ee 4b e4 eb 47 47 | ...........K..GG
db 5d e2 e1 4a b6 ae b3 a0 bb 5a 21 08 24 a4 13 | .]..J.....Z!.$..
61 fe bd d5 d6 c9 09 f5 48 53 99 f9 d6 a2 09 39 | a.......HS.....9
a5 40 37 af a2 70 eb d8 7d cd dc 52 65 67 4b 15 | .@7..p..}..RegK.
ec 7b c7 ec 13 e5 ba d1 4e 08 67 1a c7 24 75 82 | .{......N.g..$u.
b6 e9 9e 40 d6 27 33 b7 02 78 da 32 76 79 6c 8d | ...@.'3..x.2vyl.
19 d4 39 ed fa 81 03 33 f8 5c 1c bd 86 3a 05 f0 | ..9....3.\...:..
4f 66 26 3c 14 cb 1f a4 35 a6 7d c6 | Of&<....5.}.
RECV PACKET from 76.88.224.96
ISAKMP Header
  Initiator COOKIE: ff 54 ad 66 d8 0f 22 b4
  Responder COOKIE: 11 a1 1d 6b 83 61 4b e9
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Quick Mode
  Flags: (Encryption)
  MessageID: D6E2FB4E
  Length: 156
Oct 20 17:19:21 [IKEv1]: IP = 76.88.224.96, Received encrypted packet with no matching SA, dropping
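Added example, not part of the thread: a small Python decoder for the fixed 28-byte ISAKMP header, run over the 156 raw bytes printed in the debug output above (the hex columns are copied from the post; the ASCII column is dropped). Field positions and the name tables come from RFC 2408 section 3.1; the `classify()` function and its verdict strings are labels of my own, added to show why the ASA logs "Received encrypted packet with no matching SA" for this packet: the cookie pair is the key under which the responder looks up the Phase 1 ISAKMP SA, and an encrypted Quick Mode message cannot be decrypted without it.

```python
"""Decode the ISAKMP header of the IKEv1 packet from the debug dump above."""
import struct

# Hex columns of the "IKE Recv RAW packet dump" in the post (156 bytes).
RAW_DUMP = """
ff 54 ad 66 d8 0f 22 b4 11 a1 1d 6b 83 61 4b e9
08 10 20 01 d6 e2 fb 4e 00 00 00 9c bd f9 e6 c3
da cc e7 a5 97 11 9d bd a9 a4 ee 4b e4 eb 47 47
db 5d e2 e1 4a b6 ae b3 a0 bb 5a 21 08 24 a4 13
61 fe bd d5 d6 c9 09 f5 48 53 99 f9 d6 a2 09 39
a5 40 37 af a2 70 eb d8 7d cd dc 52 65 67 4b 15
ec 7b c7 ec 13 e5 ba d1 4e 08 67 1a c7 24 75 82
b6 e9 9e 40 d6 27 33 b7 02 78 da 32 76 79 6c 8d
19 d4 39 ed fa 81 03 33 f8 5c 1c bd 86 3a 05 f0
4f 66 26 3c 14 cb 1f a4 35 a6 7d c6
"""

# RFC 2408 section 3.1: payload types, exchange types and flag bits.
NEXT_PAYLOAD = {0: "NONE", 1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID",
                6: "CERT", 7: "CR", 8: "Hash", 9: "SIG", 10: "Nonce",
                11: "Notification", 12: "Delete", 13: "Vendor ID"}
EXCHANGE_TYPE = {0: "NONE", 1: "Base", 2: "Identity Protection (Main Mode)",
                 3: "Authentication Only", 4: "Aggressive", 5: "Informational",
                 32: "Quick Mode"}
FLAGS = ((0x01, "Encryption"), (0x02, "Commit"), (0x04, "Authentication Only"))
ISAKMP_HDR_LEN = 28


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn the space/newline separated hex columns of a debug dump into bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_isakmp_header(pkt: bytes) -> dict:
    """Parse the fixed ISAKMP header; raise on a truncated packet."""
    if len(pkt) < ISAKMP_HDR_LEN:
        raise ValueError(f"need {ISAKMP_HDR_LEN} header bytes, got {len(pkt)}")
    icookie, rcookie, np, ver, xchg, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", pkt[:ISAKMP_HDR_LEN])
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "next_payload": NEXT_PAYLOAD.get(np, f"unknown({np})"),
        "version": f"{ver >> 4}.{ver & 0x0F}",
        "exchange_type": EXCHANGE_TYPE.get(xchg, f"unknown({xchg})"),
        "flags": [name for bit, name in FLAGS if flags & bit],
        "message_id": f"{msgid:08X}",
        "length": length,
        # The length field must equal the bytes actually received.
        "length_ok": length == len(pkt),
    }


def classify(hdr: dict) -> str:
    """Say what the responder needs in order to process this header (my own labels)."""
    if "Encryption" not in hdr["flags"]:
        return "cleartext"
    if hdr["responder_cookie"] == "00" * 8:
        # An encrypted packet before the responder ever assigned a cookie is malformed.
        return "encrypted-but-no-responder-cookie"
    if hdr["exchange_type"] == "Quick Mode":
        # A Phase 2 message is encrypted under the Phase 1 ISAKMP SA identified by
        # the cookie pair. A responder that holds no SA for that pair (for instance
        # after a reboot or after the box that negotiated it was replaced) cannot
        # decrypt it and can only drop it as "no matching SA".
        return "encrypted-quick-mode-needs-phase1-sa"
    return "encrypted-other"


if __name__ == "__main__":
    hdr = parse_isakmp_header(hexdump_to_bytes(RAW_DUMP))
    for key, value in hdr.items():
        print(f"{key:>17}: {value}")
    print(f"{'verdict':>17}: {classify(hdr)}")
```

Running it reproduces the ASA's own decode line for line (cookies, Next Payload Hash, Quick Mode, Encryption flag, MessageID D6E2FB4E, Length 156) and returns the Quick Mode verdict. The practical reading is that the remote end is already in Phase 2 while the ASA has no Phase 1 SA for that cookie pair, so the two sides disagree about SA state; the debug worth looking for next is whether a Main Mode (exchange type 2) or Aggressive Mode (4) exchange from 76.88.224.96 ever reaches the ASA and which tunnel-group it matches.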

Firstly - the route injection should be handled by the PIX, not the Kentrox, as the PIX does not know what IP address the Kentrox will establish a VPN from.

Secondly, the above is a packet not belonging to an SA - I suggest you double-check all your configs.

HTH>

My comment was not that the Kentrox should inject routes, but that I do not know if it supports them or is configured for them. As you can see from the old configuration, it was not doing RRI previously; I do not see a reason to do so now. I'm not trying to configure anything new and wonderful, I just need the ASA to do the same thing the PIX was doing.

After some Googling it appears RRI is Cisco proprietary (someone please slap me if I'm wrong). I checked documentation for the Kentrox device on the other end (Q2300) and it does not seem to support RRI so far as I can tell.

You are missing the point - the remote end with no static IP address cannot reverse inject routes.

It HAS to be done at the PIX with the static IP address, as the PIX does NOT know when a VPN connection will come in or what the remote IP subnet will be.

If that is correct, how was it working with the old PIX? The old PIX was not doing RRI?

The old PIX was using an ACL, like any other L2L, to determine what network was on the other side. Why do I need to add RRI to the ASA when it was not being used in the PIX?

Actually it kinda was:

isakmp key * address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode

Allows ANY remote client to create an IPsec VPN to the PIX.

access-list outside_cryptomap_dyn_10 permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_10 permit ip 172.20.11.0 255.255.255.0 192.168.1.0 255.255.255.0

You had already defined the remote LAN IP subnets you expected to create a VPN from.

If you had a third site, say 192.168.254.0/24, and it tried to connect... without actually being in the crypto map, it would FAIL.

Show me where in the below config example a crypto ACL is defined and bound to a crypto map. You will not find it, because the remote end will advertise the remote LAN, and the ASA will accept it and create dynamic crypto ACLs and RRI.

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

READ - READ - READ

HTH>
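Added example, not from the thread or from Cisco: the static side written the way the original post's PIX config expresses it, next to the ASA form that keeps a wildcard-address peer as a LAN-to-LAN peer. On the PIX 6.x line, `no-xauth no-config-mode` is what marks the 0.0.0.0 peer as L2L rather than a remote-access client; on the ASA the built-in DefaultL2LGroup plays that role, since an IPsec peer identified by an IP address that matches no named tunnel-group is matched against DefaultL2LGroup. The ACL, crypto map and transform set are the ones from the post's 5505 config; `PLACEHOLDER-KEY` stands in for the key the page masks as `*`, and 3DES/MD5 are kept only because that is what the remote Kentrox is known to negotiate.

```text
! PIX 6.x line from the original post, for reference:
!   isakmp key * address 0.0.0.0 netmask 0.0.0.0 no-xauth no-config-mode
!
! ASA equivalent (8.x syntax, as in the 5505 config in the post).
! The dynamic crypto map and its ACL are unchanged; only the place where the
! pre-shared key lives differs: DefaultL2LGroup instead of DefaultRAGroup.
access-list outside_cryptomap_dyn_10 extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_dyn_10 extended permit ip 172.20.11.0 255.255.255.0 192.168.1.0 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
!
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
!
! Key for any L2L peer that arrives from an address with no named tunnel-group.
! PLACEHOLDER-KEY is an assumption standing in for the masked key in the post.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key PLACEHOLDER-KEY
!
! Checks once the Kentrox connects:
!   show crypto isakmp sa           - Phase 1 state for 76.88.224.96 (MM_ACTIVE when up)
!   show vpn-sessiondb detail l2l   - the session and the tunnel-group it was matched to
```

The caveat a reviewer would raise: with a wildcard-address group, the only things authenticating the peer are the pre-shared key and the crypto ACL, exactly as with the PIX wildcard `isakmp key` line the last reply points out. Keep the key long and random, and keep the ACL as specific as the post's (two /24s to one /24) rather than widening it, since any host that learns the key can otherwise bring up a tunnel for whatever networks the ACL permits.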