I have an ASA 5506-X on which I have configured 3 different VPN tunnels to distinct peers (also 5506-X or similar). All tunnels are coming up alright, configurations are fine.
I'm trying to replace my ASA with a RV160 and configure the same VPN tunnels (I eventually want to put that RV160 in a different location, so I first want to ensure the configuration is OK and tunnels are coming up OK).
Configurations cannot be simply copied: the ASA has CLI / IOS, the RV does not, so I've had to navigate the RV's web interface and try to identify as much as possible the correct way to configure it.
Problem: tunnels not coming up.
The RV is quite frustrating, as it's hard to get any kind of meaningful log, so I can hardly learn what is going on. The IPsec profile part seems to be OK (pretty straightforward to configure), so I'm rather thinking the issue is with the topology & the corresponding routing & NAT-ing.
The RV is behind a router (router1), itself connected to a modem, so NAT-T is necessary (and configured as such on the ASA). The other end is NOT behind a router.
I've properly configured port forwarding on router1 for UDP ports 500 and 4500 (pointing to the RV, not the ASA, during the test setup).
Here are the interesting parts of the ASA config. I would appreciate it if anyone could have a look at the config and point me in the right direction so I can try things out. Happy to experiment. I'll focus on just one tunnel.
The main questions would be:
- is it necessary to configure the ACL on the RV? The rule on the RV at this moment seems to be allow any.
- where and how to properly configure the 2 lines related to NAT?
- how to test / log / debug the VPN connection from the RV?
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.168.68.100 255.255.255.0
interface BVI1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
object network siteA_NW
 subnet 10.10.10.0 255.255.255.0
object network siteB_NW
 subnet 192.168.10.0 255.255.255.0
access-list cryptomap_1 extended permit ip object siteA_NW object siteB_NW
nat (inside_1,outside) source static any any destination static siteB_NW siteB_NW no-proxy-arp route-lookup
nat (inside_1,outside) source dynamic any interface
route outside 0.0.0.0 0.0.0.0 192.168.68.1 1
crypto map outside_map 2 match address cryptomap_1
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer xxx.xxx.xxx.xxx
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA AES128-SHA AES192-SHA AES256-SHA
crypto map outside_map interface outside
group-policy GroupPolicy_1 internal
group-policy GroupPolicy_1 attributes
 vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx general-attributes
 default-group-policy GroupPolicy_1
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 ikev1 pre-shared-key *****
xxx.xxx.xxx.xxx is my VPN peer - it's pingable by both the ASA (obviously) and the RV too.
10.10.10.0/24 is my local network
192.168.68.0/24 is the network between the ASA/RV and router1
192.168.10.0/24 is the remote network
Thanks for any kind of input.
There is not a whole lot of documentation out there with regard to setting this up; you might want to have a look at the link below...
Hey, thanks for the link, although it's not too helpful, it just describes the usual steps to setting up a site-to-site VPN. I've done all this already, but it's not working.
Again, the topology described is not exactly what I'm dealing with, and, as explained, I think this is why there's an issue (NAT-T, routing, etc)
The NAT statement on the ASA does not look right. Where is the interface named 'inside_1'? I only see 'inside'.
Either way, change the NAT statement to:
nat (inside,outside) source static siteA_NW siteA_NW destination static siteB_NW siteB_NW
inside_1 corresponds to port 1 only; I removed those parts of the config because they're not relevant to this specific issue.
Again, the ASA configuration is OK; my issue is not with the ASA, but with the RV.
I'd like to get the RV to behave like the ASA - at least to bring the tunnels up like the ASA does.
There must be a mismatch in one of the parameters exchanged between the ASA and the RV160. Try something like the below on the ASA and match that on the RV160:
crypto isakmp policy 1
crypto ipsec transform-set TS esp-aes esp-sha-hmac
Also, on the ASA, what is the output of:
show crypto isakmp sa
--> inside_1 corresponds to port 1 only, I removed those parts of the config because it's not relevant to this specific issue.
Not really sure what you mean by that: do you have a NAT statement for the inside interface and the two objects?
I've tried all possible parameters, including the one suggested, to no avail.
I have a "good" config (one that works) on the remote 5506X, with 3DES / MD5, group 2, no pfs.
I applied exactly the same config on the "new" remote RV160, but no success.
I have access to the logs on the initiator (5506X) and the RV:
The 5506X stops at MM_WAIT_MSG6, so at least it shows both boxes are talking to each other, and that message could indicate a PSK mismatch. I checked, and changed the PSK several times, no success.
The RV160 logs tell me "found 1 matching config but none allows pre-shared key authentication using main mode".
This is driving me crazy. Any idea?
RV160 is supposed to be able to connect to a 5506X, right ?
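The two symptoms in the last post (MM_WAIT_MSG6 on the initiating ASA and the "none allows pre-shared key authentication using main mode" message on the RV160) can be correlated mechanically. The following is an added example, not code from the thread or from Cisco; it assumes the ASA output has the usual `show crypto isakmp sa` layout and that the RV160's IPsec log lines follow strongSwan's charon wording, as the quoted message suggests. The sample input is constructed.

```python
import re

# Meaning of the IKEv1 main-mode wait states an initiating ASA reports:
# MM_WAIT_MSGn = it has sent message n-1 and is waiting for message n.
MM_STATES = {
    "MM_WAIT_MSG2": "sent MM1 (proposals), no reply: peer unreachable, UDP/500 "
                    "not forwarded, or no ISAKMP policy matched on the peer",
    "MM_WAIT_MSG4": "sent MM3 (DH public value/nonce), peer dropped the exchange",
    "MM_WAIT_MSG6": "sent MM5 (identity + PSK-based hash), peer rejected it: "
                    "PSK mismatch, ID mismatch, or peer not configured for "
                    "PSK with main mode",
    "MM_ACTIVE": "phase 1 up; if traffic fails, check phase 2 (transform set, "
                 "crypto ACL, NAT exemption)",
}

# Responder-side (strongSwan/charon) messages worth correlating, by substring.
CHARON_HINTS = {
    "none allows pre-shared key authentication using main mode":
        "a connection matched the peer, but none allows IKEv1 main mode with "
        "PSK: check IKE version, authentication method and aggressive-mode setting",
}

SA_RE = re.compile(r"IKE Peer:\s*(\S+).*?Role\s*:\s*(\w+).*?State\s*:\s*(\S+)", re.S)

def parse_asa_isakmp_sa(text):
    """Return [(peer, role, state)] tuples from 'show crypto isakmp sa' output."""
    return SA_RE.findall(text)

def diagnose(asa_output, responder_log):
    """Correlate the initiator's IKE state with the responder's log; return findings."""
    findings = []
    for peer, role, state in parse_asa_isakmp_sa(asa_output):
        findings.append(f"{peer} ({role}) {state}: {MM_STATES.get(state, 'unknown state')}")
    low = responder_log.lower()
    findings += [hint for needle, hint in CHARON_HINTS.items() if needle in low]
    return findings

# Constructed sample input in the shape of the thread's two data sources.
ASA_SAMPLE = """\
1   IKE Peer: 203.0.113.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG6
"""
RV_SAMPLE = ("charon: 09[IKE] found 1 matching config, but none allows "
             "pre-shared key authentication using Main Mode")

if __name__ == "__main__":
    for finding in diagnose(ASA_SAMPLE, RV_SAMPLE):
        print(finding)
```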