32624 Views, 0 Helpful, 11 Replies

Problem with site to site VPN

holloway5
Level 1

Hi,

I've got a 2801 router at site 1 and a new ASA 5505 at site 2. Been trying to get a site-to-site VPN up for days now and have hit a complete brick wall. Any help would be amazing! We just need both to be chatting to each other! For the ASA I've tried both ASDM and the CLI, both nothing. Nothing showing up in logs either..... arrrrrrrgh!

Site 1 .. local lan 192.168.24.0/24

Site 2 .. local lan 192.168.101.0/24

SITE 1 config :


!
version 12.4
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname 2801-SITE1
!
boot-start-marker
boot-end-marker
!
logging userinfo
logging buffered 32000 informational
logging console informational
enable secret 5 $1$.umn$stT1KHfQrIV3vsNd.Zw150
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone PST -8
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
network-clock-participate wic 0
network-clock-participate wic 1
dot11 syslog
no ip source-route
ip cef
!
!

!
no ip bootp server
ip domain name mydomain
ip inspect name INSPECTALL tcp router-traffic
ip inspect name INSPECTALL udp router-traffic
ip inspect name INSPECTALL icmp
!
multilink bundle-name authenticated
!


!
crypto pki trustpoint TP-self-signed-3868968814
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3868968814
revocation-check none
rsakeypair TP-self-signed-3868968814
!
!
crypto pki certificate chain TP-self-signed-3868968814
certificate self-signed 01
  30820256 308201BF A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33383638 39363838 3134301E 170D3038 30333235 31313131
  31305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38363839
  36383831 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100F4E3 47E19891 40355900 23D15076 49D4AD23 EE190307 EC60DF11 565DF929
  558F6F00 97596B2A 053AF798 289906C8 679EFCC1 690F7655 DB6E8E67 71F12A4F
  9F19CDFB 75C6F2F7 70E32FF7 7C152BA2 4A23CF69 F18C88B4 E5BF02A4 8DB5060D
  829AA554 F48F9F09 2758B16E 1E13E9AE 51414758 74650A60 FED61AE7 E3042E1C
  FF810203 010001A3 7E307C30 0F060355 1D130101 FF040530 030101FF 30290603
  551D1104 22302082 1E323830 312D494D 432D4C4F 4E444F4E 2E696D65 64696163
  6173742E 6E657430 1F060355 1D230418 30168014 9EC8DC28 3E15DD1B 33FD4F41
  46878CD3 40FF9A02 301D0603 551D0E04 1604149E C8DC283E 15DD1B33 FD4F4146
  878CD340 FF9A0230 0D06092A 864886F7 0D010104 05000381 8100D49E 6A3E63D1
  0CCED197 D0DCCED3 FE3FC5EA 8A53E585 A7D47579 590C00B5 1183DD54 D461F07C
  B21746EF 1463A562 881D7B98 7692F81C B2054469 48192171 6F0E554E CD5D7CDE
  ECB0407A 85F4BCF3 69413F30 452F4A19 1D7CFD3E 21087D55 EE1C5DE7 01BD60FC
  66401266 AA21224F AA762F2F 899BC155 FE5B513B 688E135C 90D6
   quit
!
!

username SITE1.admin privilege 15 password 7 XXXXXX
archive
log config
  logging enable
  logging size 500
  hidekeys
!
crypto logging session
!
crypto isakmp policy 9
hash md5
authentication pre-share
group 2
crypto isakmp key qwerty12345! address SITE2_GW_IP
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set tset esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map cmap 10 ipsec-isakmp
set peer SITE2_GW_IP
set transform-set tset
match address 111
!
!
!
interface FastEthernet0/0
description *** SITE1 LAN ***$ETH-LAN$
ip address 192.168.24.1 255.255.255.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
load-interval 60
duplex auto
speed auto
no cdp log mismatch duplex
!
interface FastEthernet0/1
description *** WAN ***
ip address %%.%%%.40.66 255.255.255.240
ip access-group PROTECT in
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
ip route-cache flow
load-interval 60
duplex auto
speed auto
no cdp enable
crypto map cmap
!

!
ip local pool POOL_VPN 192.168.24.144 192.168.24.150
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 %%%.%%.40.65

!
ip flow-top-talkers
top 20
sort-by bytes
match protocol udp
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list 150 interface FastEthernet0/1 overload
ip nat inside source static 192.168.24.6 %%%.%%.40.67
ip nat inside source static tcp 192.168.24.8 443 %%%.%%.40.68 443 extendable
ip nat inside source static tcp 192.168.24.8 8000 %%%.%%.40.68 8000 extendable
ip nat inside source static tcp 192.168.24.8 8001 %%%.%%.40.68 8001 extendable
ip nat inside source static tcp 192.168.24.8 8002 %%%.%%.40.68 8002 extendable
ip nat inside source static 192.168.24.14 %%%.%%.40.69
ip nat inside source static tcp 192.168.24.20 8980 %%%.%%.40.70 8980 extendable
ip nat inside source static 192.168.24.96 %%%.%%.40.71 extendable
ip nat inside source static tcp 192.168.24.25 80 %%%.%%.40.72 80 extendable
ip nat inside source static tcp 192.168.24.26 80 %%%.%%.40.73 80 extendable
ip nat inside source static tcp 192.168.24.26 443 %%%.%%.40.73 443 extendable
ip nat inside source static tcp 192.168.24.225 80 %%%.%%.40.74 80 extendable
ip nat inside source static 192.168.24.92 %%%.%%.40.77
ip nat inside source static tcp 192.168.24.3 80 %%%.%%.40.78 80 extendable
ip nat inside source static tcp 192.168.24.3 443 %%%.%%.40.78 443 extendable
ip nat outside source static tcp 192.168.24.26 80 %%%.%%.40.73 80 extendable
ip nat outside source static tcp 192.168.24.26 443 %%%.%%.40.73 443 extendable
!
ip access-list extended PROTECT

permit icmp any any
permit udp any eq domain any
permit tcp any any established
permit tcp any eq ftp-data any syn
permit udp any host %%%.%%.40.66 range 1024 65535
permit tcp host %%%.%%.40.66 host %%%.%%.40.66 eq 1720
permit tcp any host %%%.%%.40.67 eq 443
permit tcp any host %%%.%%.40.67 eq 143
permit tcp any host %%%.%%.40.67 eq 220
permit tcp any host %%%.%%.40.67 eq 585
permit tcp any host %%%.%%.40.67 eq 993
permit tcp any host %%%.%%.40.67 eq smtp
permit tcp any host %%%.%%.40.67 eq www
permit tcp any host %%%.%%.40.67 eq pop3
permit tcp any host %%%.%%.40.67 eq 995
permit tcp any host %%%.%%.40.68 eq 443
permit tcp any host %%%.%%.40.69 eq ftp
permit udp any host %%%.%%.40.69 eq isakmp
permit tcp any host %%%.%%.40.69 eq 443
permit tcp any host %%%.%%.40.69 eq 1723
permit tcp any host %%%.%%.40.69 eq 22
permit tcp any host %%%.%%.40.69 eq www
permit udp any host %%%.%%.40.69 eq non500-isakmp
permit udp any host %%%.%%.40.69 eq 1701
permit tcp any host %%%.%%.40.70 eq 8980
permit tcp any host %%%.%%.40.78 eq 443
permit tcp any host %%%.%%.40.78 eq www
permit tcp any host %%%.%%.40.68 eq 8000
permit tcp any host %%%.%%.40.68 eq 8001
permit tcp any host %%%.%%.40.68 eq 8002
permit gre any host %%%.%%.40.69
permit tcp any host %%%.%%.40.71 eq 22
permit tcp any host %%%.%%.40.71 eq ftp
permit tcp any host %%%.%%.40.71 eq ftp-data
permit tcp any host %%%.%%.40.71 range 1024 65535
permit tcp any host %%%.%%.40.72 eq 22
permit tcp any host %%%.%%.40.72 eq www
permit tcp any host %%%.%%.40.73 eq www
permit tcp any host %%%.%%.40.73 eq 443
permit tcp any host %%%.%%.40.74 eq www
permit tcp any host %%%.%%.40.77 eq ftp
permit tcp any host %%%.%%.40.77 eq ftp-data
permit tcp any host %%%.%%.40.77 range 1024 65535
deny   ip any any
ip access-list extended PRTECT
!
access-list 111 permit ip 192.168.24.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 150 permit ip 192.168.24.0 0.0.0.255 any
snmp-server community public RO 23
!
!
!
route-map STATIC permit 10
match ip address 110 150
!
!
alias exec session sh ip inspect session | i
alias exec traffic sh ip nbar protocol-discovery stats  bit-rate top-n 15
alias exec srb show running-config | begin
alias exec sri show running-config | include
alias exec sre show running-config | exclude
alias exec srs show running-config | section
alias exec ssla sh ip sla statistics | include Index|operation
alias exec shisa show crypto isakmp sa
alias exec ships show crypto ipsec sa | include ident|peer|#
alias exec top show ip nbar protocol-discovery stats byte-rate  top-n 20
alias exec whodid show archive log config all
privilege exec level 10 show startup-config
privilege exec level 10 show running-config
privilege exec level 10 show
!
line con 0
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 0 0
transport input telnet ssh
line vty 5 15
access-class 23 in
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp clock-period 17177773
ntp peer 69.143.208.242
ntp peer 138.96.64.10
ntp server 192.168.24.6
!
webvpn install svc flash:/webvpn/svc.pkg
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
!
webvpn context vpnssl
ssl authenticate verify all
!
no inservice
!
end

Site 2:

: Saved
: Written by enable_15 at 05:18:23.838 UTC Wed Sep 7 2011
!
ASA Version 8.4(2)
!
hostname SITE2-fw01
enable password *** encrypted
passwd *** encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.101.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address %%%.%%%.124.39 255.255.255.0
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0

object network SITE1_OfficeINT
subnet 192.168.24.0 255.255.255.0

object network SITE2-pc01
host 192.168.101.20

object network EXT_43
host %%%.%%%.124.43


access-list outside_cryptomap extended permit ip 192.168.101.0 255.255.255.0 object SITE1_OfficeINT
access-list inside_access_in extended permit gre any any
access-list inside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network obj_any
nat (inside,outside) dynamic interface
object network SITE2-pc01
nat (inside,outside) static EXT_43

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 %%%.%%%.124.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.101.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer SITE1_FW_IP
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto isakmp identity address
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime none
crypto ikev1 policy 2
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.101.0 255.255.255.0 inside
ssh timeout 60
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GroupPolicy_%%%.%%%.40.66 internal
group-policy GroupPolicy_%%%.%%%.40.66 attributes
vpn-tunnel-protocol ikev1 ikev2
username xxx password xxx encrypted
tunnel-group %%%.%%%.40.66 type ipsec-l2l
tunnel-group %%%.%%%.40.66 general-attributes
default-group-policy GroupPolicy_%%%.%%%.40.66
tunnel-group %%%.%%%.40.66 ipsec-attributes
ikev1 pre-shared-key qwerty12345!
ikev2 remote-authentication pre-shared-key qwerty12345!
ikev2 local-authentication pre-shared-key qwerty12345!
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:58ce0263a86930a5ccbc3e17b0b8eebf
: end


11 Replies

Collin Clark
VIP Alumni

Here are a couple of good links to help you out-

http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b4ae61.shtml

Search CCO for Document ID: 112153 (I can't paste the link in the windows for some reason.)

I did follow those earlier but still no luck! Ended up wiping the changes and trying again.

What is it saying in your logs? Can you tell where it is failing?

It's not saying anything. I've turned on all crypto debugging, but nothing is happening!

Hi,

On the ASA remove this:

crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

Also this:

ikev2 remote-authentication pre-shared-key qwerty12345!

ikev2 local-authentication pre-shared-key qwerty12345!

To remove that you need to get into the ipsec attributes config mode for that tunnel group:

tunnel-group %%%.%%%.40.66 ipsec-attributes

And add this:

crypto ikev1 policy 3

authentication pre-share

encryption des

hash md5

group 2

object network LOCAL_LAN

subnet 192.168.101.0 255.255.255.0

nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SITE1_OfficeINT SITE1_OfficeINT

On the router use the following command to add a line before the existing line on your NAT ACL:

ip access-list ext 150

1 deny ip 192.168.24.0 0.0.0.255 192.168.101.0 0.0.0.255

exit

Then try to start the tunnel again by pinging from one LAN to the other one.

See if you get anything on the logs.

HTH

Raga
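The reply above works because the router's `crypto isakmp policy 9` has no `encryption` line, so IOS falls back to its default of 56-bit DES, and neither of the ASA's posted IKEv1 policies (both 3DES) can match it until a DES/MD5/group 2 policy is added. The following is an added example, not code from the thread or from Cisco: it parses both sides' phase-1 policies, fills in the platform defaults, reports the first matching pair, and flags the weak settings that pair relies on. The IOS defaults (encryption des, hash sha, authentication rsa-sig, group 1) and the ASA 8.4 defaults (encryption 3des, hash sha, authentication pre-share, group 2) are assumptions from the respective CLI guides; verify them on a live box with `show crypto isakmp policy` (IOS) and `show run all crypto ikev1` (ASA). Lifetime is not compared because IKE negotiates it (the shorter value wins) rather than requiring equality.

```python
"""
Added example (not from the thread): simulate IKEv1 phase-1 policy matching
between an IOS router and an ASA. Assumed platform defaults below; verify with
'show crypto isakmp policy' (IOS) / 'show run all crypto ikev1' (ASA).
"""

IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
ASA_DEFAULTS = {"encryption": "3des", "hash": "sha", "authentication": "pre-share", "group": "2"}
KEYS = ("encryption", "hash", "authentication", "group")
# Settings a practitioner would flag today: DES/3DES, MD5 and small DH groups.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

# Router phase-1 policy as posted: no 'encryption' line, so IOS uses DES.
ROUTER_CFG = """
crypto isakmp policy 9
 hash md5
 authentication pre-share
 group 2
"""

# ASA phase-1 policies as originally posted: neither offers DES.
ASA_CFG_ORIGINAL = """
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime none
crypto ikev1 policy 2
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

# The extra policy the reply above adds.
ASA_CFG_FIXED = ASA_CFG_ORIGINAL + """
crypto ikev1 policy 3
 authentication pre-share
 encryption des
 hash md5
 group 2
"""


def _normalize(key, value):
    """Make IOS 'aes 256' and ASA 'aes-256' compare equal; bare 'aes' is AES-128 on both."""
    v = value.replace(" ", "-")
    return "aes-128" if key == "encryption" and v == "aes" else v


def parse_policies(config, defaults):
    """Return {priority: {encryption, hash, authentication, group}} with defaults filled in.
    'lifetime' is skipped on purpose: IKE negotiates it instead of matching on it."""
    policies, current = {}, None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "crypto" and "policy" in parts:
            current = int(parts[-1])
            policies[current] = dict(defaults)
        elif current is not None and parts[0] in KEYS:
            policies[current][parts[0]] = _normalize(parts[0], " ".join(parts[1:]))
    return policies


def find_match(initiator, responder):
    """First (initiator priority, responder priority) pair whose four attributes agree, else None."""
    for ip in sorted(initiator):
        for rp in sorted(responder):
            if all(initiator[ip][k] == responder[rp][k] for k in KEYS):
                return ip, rp
    return None


def weak_settings(policy):
    """Attributes of a policy that fall in the WEAK table, e.g. ['encryption=des', 'hash=md5']."""
    return sorted(f"{k}={policy[k]}" for k in KEYS if policy[k] in WEAK.get(k, ()))


def check(router_cfg, asa_cfg):
    """Match router policies against ASA policies and flag what the winning pair relies on."""
    router = parse_policies(router_cfg, IOS_DEFAULTS)
    asa = parse_policies(asa_cfg, ASA_DEFAULTS)
    match = find_match(router, asa)
    weak = weak_settings(router[match[0]]) if match else []
    return {"match": match, "weak": weak}


if __name__ == "__main__":
    print("original ASA config:", check(ROUTER_CFG, ASA_CFG_ORIGINAL))
    print("with policy 3 added :", check(ROUTER_CFG, ASA_CFG_FIXED))
```

Running it shows no match against the posted ASA policies and a match of router policy 9 with ASA policy 3 once that is added, with `encryption=des`, `hash=md5` and `group=2` flagged. The same matcher tells you what to change on both sides to get a non-weak pair (an explicit `encryption` line on the router and a corresponding ASA policy) rather than lowering the ASA to DES.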

thanks for taking the time to help me...

So after I modified the 150 ACL, the console on the 2801 started up and is now trying to connect ..

Sep  7 17:26:01: ISAKMP:(0): beginning Main Mode exchange

*Sep  7 17:26:01: ISAKMP:(0): sending packet to %%%.%%%.124.39 my_port 500 peer_port 500 (I) MM_NO_STATE

*Sep  7 17:26:01: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Sep  7 17:26:11: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Sep  7 17:26:11: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Sep  7 17:26:11: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Sep  7 17:26:11: ISAKMP:(0): sending packet to %%%.%%%.124.39 my_port 500 peer_port 500 (I) MM_NO_STATE

*Sep  7 17:26:11: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Sep  7 17:26:21: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Sep  7 17:26:21: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

*Sep  7 17:26:21: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Sep  7 17:26:21: ISAKMP:(0): sending packet to %%%.%%%.124.39 my_port 500 peer_port 500 (I) MM_NO_STATE

*Sep  7 17:26:21: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Sep  7 17:26:31: IPSEC(key_engine): request timer fired: count = 2,

  (identity) local= %%%.%%%.40.66, remote= %%%.%%%.124.39,

    local_proxy= 192.168.24.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 192.168.101.0/255.255.255.0/0/0 (type=4)

*Sep  7 17:26:31: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

*Sep  7 17:26:31: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

*Sep  7 17:26:31: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE

*Sep  7 17:26:31: ISAKMP:(0): sending packet to %%%.%%%.124.39 my_port 500 peer_port 500 (I) MM_NO_STATE

*Sep  7 17:26:31: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Sep  7 17:26:31: IPSEC(sa_request): ,

  (key eng. msg.) OUTBOUND local= %%%.%%%.40.66, remote= %%%.%%%.124.39,

    local_proxy= 192.168.24.0/255.255.255.0/0/0 (type=4),

    remote_proxy= 192.168.101.0/255.255.255.0/0/0 (type=4),

    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),

    lifedur= 3600s and 4608000kb,

    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

*Sep  7 17:26:31: ISAKMP: set new node 0 to QM_IDLE

*Sep  7 17:26:31: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local %%%.%%%.40.66, remote %%%.%%%.124.39)

*Sep  7 17:26:31: ISAKMP: Error while processing SA request: Failed to initialize SA

*Sep  7 17:26:31: ISAKMP: Error while processing KMI message 0, error 2.

The asa 5505 says :

Severity 4 | Sep 07 2011 17:29:40 | 752012 | IKEv1 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 1.

Severity 3 | Sep 07 2011 17:29:40 | 752015 | Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag = outside_map. Map Sequence Number = 1.

Any help would be really great!

That's good at least you are now seeing debugs.

I would advise you to clean up your config on the ASA before trying to move on. I know you attempted this several times through ASDM and that generated a lot of stuff you don't need.

So why dont you remove everything that has to do with the tunnel and start from scratch.

You can use the following three commands and they should take care of pretty much everything (regarding the VPN)

  clear conf crypto

  clear conf tunnel-group

  clear conf group-policy

Check the config and see if anything was missed. Then start over with the following config:

crypto ikev1 enable outside

crypto ikev1 policy 3

authentication pre-share

encryption des

hash md5

group 2

object network LOCAL_LAN

subnet 192.168.101.0 255.255.255.0

nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static SITE1_OfficeINT SITE1_OfficeINT

access-list outside_cryptomap extended permit ip object LOCAL_LAN object SITE1_OfficeINT

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer %.%.40.66

crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA

crypto map outside_map interface outside

tunnel-group %%%.%%%.40.66 type ipsec-l2l

tunnel-group %%%.%%%.40.66 general-attributes

tunnel-group %%%.%%%.40.66 ipsec-attributes

ikev1 pre-shared-key qwerty12345!

Then try to start the tunnel again. If you are still having problems, gather some fresh debugs from both sides and upload them.

Have a good one.

cleaned everything up and sadly still the same. Seems the 2801 in site 1 is trying hard, but the asa in site 2 doesn't do very much.

*Sep  8 00:09:24: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Sep  8 00:09:34: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...

The 2801 is still sending a packet out and not getting a response.

I don't have to open port 500 up or anything like that do I??!

Also, do I need to put in a deny acl on the asa like I had to for the 2801?

Ok, you dont need to open any ports on the ASA, the crypto ikev1 enable outside, should do it and the nat (inside,outside) that I suggested has the same effect as the deny on the Router's NAT ACL.

Now, I see that you have an ACL on the Router's outside interface. You might need to add the following lines to it:

permit udp any x.x.40.66 eq 500

permit udp any x.x.40.66 eq 4500

permit esp any x.x.40.66

After opening those ports try again.

If that still fails check what happens if you try to start the tunnel from the ASA Side. Do you get any debugs on the ASA?

Also, please attach (you can add them as attachments using the advanced editor, btw) the latest configs and any relevant debugs if you still can't get the tunnel up.

Thx.
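The accepted answer above, together with the earlier change to NAT ACL 150, fixes two separate things on the 2801: the inbound `PROTECT` ACL on the WAN interface only opened ISAKMP and NAT-T towards the .69 static NAT address, never to the router's own .66, so the ASA's IKE packets (and ESP) were dropped before the crypto engine ever saw them; and the NAT ACL permitted the LAN-to-LAN traffic, so IOS translated it to the WAN address before consulting the crypto map and it no longer matched crypto ACL 111. The following is an added example, not code from the thread or from Cisco: a small evaluator for IOS extended ACLs that reproduces both failures and both fixes. The addresses 198.51.100.66 (router WAN) and 203.0.113.39 (ASA outside) are constructed stand-ins for the masked ones on the page, and the ACLs are trimmed copies of the posted ones. Note that on the posted ACL the existing `range 1024 65535` line already happened to cover UDP 4500, so only UDP 500 and ESP were actually blocked.

```python
"""
Added example (not from the thread): evaluator for IOS extended ACLs, used to
check (1) that the inbound WAN ACL permits IKE, NAT-T and ESP to the router's
own address and (2) that the NAT ACL exempts LAN-to-LAN traffic. IOS applies
inside->outside NAT before the crypto map, so a translated packet no longer
matches crypto ACL 111 and leaves unencrypted. Addresses 198.51.100.66 and
203.0.113.39 are constructed stand-ins for the masked router/ASA addresses.
"""
import ipaddress
from dataclasses import dataclass

PORTS = {"domain": 53, "isakmp": 500, "non500-isakmp": 4500, "www": 80,
         "ftp": 21, "ftp-data": 20, "smtp": 25, "pop3": 110}
ROUTER_WAN, ASA_OUTSIDE = "198.51.100.66", "203.0.113.39"

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # e.g. {"established"} on a TCP reply

def _addr(tok, i):
    """'any' | 'host X' | 'X wildcard' at tok[i]; returns (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tok[i + 1])))
    return ipaddress.ip_network((tok[i], str(netmask)), strict=False), i + 2

def _ports(tok, i):
    """Optional 'eq P' or 'range A B'; returns (set of ports or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return {PORTS[p] if p in PORTS else int(p)}, i + 2
    if i < len(tok) and tok[i] == "range":
        return set(range(int(tok[i + 1]), int(tok[i + 2]) + 1)), i + 3
    return None, i

def parse_ace(line):
    """One ACE: action proto src [ports] dst [ports] [established|syn|log]."""
    tok = line.split()
    src, i = _addr(tok, 2)
    sports, i = _ports(tok, i)
    dst, i = _addr(tok, i)
    dports, i = _ports(tok, i)
    return {"action": tok[0], "proto": tok[1], "src": src, "sports": sports,
            "dst": dst, "dports": dports, "flags": frozenset(tok[i:]) - {"log"}}

def evaluate(acl_text, pkt):
    """Top-down, first match wins, implicit deny at the end; returns (action, matching line)."""
    for line in filter(None, map(str.strip, acl_text.splitlines())):
        ace = parse_ace(line)
        if (ace["proto"] in ("ip", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ace["src"]
                and ipaddress.ip_address(pkt.dst) in ace["dst"]
                and (ace["sports"] is None or pkt.sport in ace["sports"])
                and (ace["dports"] is None or pkt.dport in ace["dports"])
                and ace["flags"] <= pkt.flags):
            return ace["action"], line
    return "deny", None

# Trimmed copy of the posted PROTECT ACL: IKE is only opened towards .69, never to the router (.66).
PROTECT_ORIGINAL = """
permit icmp any any
permit tcp any any established
permit udp any host 198.51.100.66 range 1024 65535
permit udp any host 198.51.100.69 eq isakmp
permit udp any host 198.51.100.69 eq non500-isakmp
deny ip any any
"""
# The three lines from the accepted answer, placed ahead of the final deny.
PROTECT_FIXED = PROTECT_ORIGINAL.replace("deny ip any any", """permit udp any host 198.51.100.66 eq 500
permit udp any host 198.51.100.66 eq 4500
permit esp any host 198.51.100.66
deny ip any any""")
NAT_ACL_ORIGINAL = "permit ip 192.168.24.0 0.0.0.255 any"
NAT_ACL_FIXED = "deny ip 192.168.24.0 0.0.0.255 192.168.101.0 0.0.0.255\n" + NAT_ACL_ORIGINAL
CRYPTO_ACL_111 = "permit ip 192.168.24.0 0.0.0.255 192.168.101.0 0.0.0.255"

def ike_reachability(protect_acl):
    """Can the ASA's IKE, NAT-T and ESP packets reach the router's own WAN address?"""
    probes = {"udp/500": Packet("udp", ASA_OUTSIDE, ROUTER_WAN, 500, 500),
              "udp/4500": Packet("udp", ASA_OUTSIDE, ROUTER_WAN, 4500, 4500),
              "esp": Packet("esp", ASA_OUTSIDE, ROUTER_WAN)}
    return {name: evaluate(protect_acl, p)[0] for name, p in probes.items()}

def lan_to_lan(nat_acl):
    """Inside->outside on IOS: NAT first, then the crypto map; a translated source no longer matches ACL 111."""
    pkt = Packet("icmp", "192.168.24.10", "192.168.101.20")
    natted = evaluate(nat_acl, pkt)[0] == "permit"
    after_nat = Packet(pkt.proto, ROUTER_WAN if natted else pkt.src, pkt.dst)
    return {"natted": natted, "encrypted": evaluate(CRYPTO_ACL_111, after_nat)[0] == "permit"}

if __name__ == "__main__":
    print("PROTECT as posted:", ike_reachability(PROTECT_ORIGINAL), " fixed:", ike_reachability(PROTECT_FIXED))
    print("NAT ACL as posted:", lan_to_lan(NAT_ACL_ORIGINAL), " fixed:", lan_to_lan(NAT_ACL_FIXED))
```

The evaluator only models what the thread needs (any/host/wildcard addresses, `eq`/`range` ports, `established`/`syn` keywords, implicit deny), but that is enough to answer the question the debugs could not: an initiator retransmitting `MM_NO_STATE` with nothing logged on the responder is exactly what an inbound ACL drop of UDP 500 looks like. A tighter fix than `permit udp any ...` is to restrict the three new lines to the peer's address (`permit udp host <peer> host <wan> eq 500`), which the same function will confirm still works.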

As soon as I read your post I knew it would be that.... amazing how you forget these things when you've been staring at it for long enough!!!

Thanks so much for your help, I can finally sleep !!!!

haha .. yeah it happens, you keep thinking VPN VPN VPN .. and forget the basics .. such as ACLs .. I don't mean to blame you .. I've just been there many, many times.

Have a good one!