cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1607
Views
0
Helpful
10
Replies

2811:connecting two ASA5505 l2l VPN's

Hello,

We have an HQ site with a 2811 (w/ADVSECURITYK9-M) acting as the firewall. We currently have 1 ASA5505 that has an established ipsec l2l VPN.

I'm trying to connect a 2nd ASA, but I've noticed I can only add 1 cryptomap to the outside interface.

A show ver shows 1 Virtual Private Network Module... Surely that doesn't mean only 1 VPN?

Do I use one crypto map, and add a second 'set peer' & 'match address' inside the crypto map itself?

Thanks,

Jason

4 Accepted Solutions

Accepted Solutions

Tarik Admani
VIP Alumni
VIP Alumni

Yes you add another poicy to your crypto configuration.

Thanks

Tarik Admani
*Please rate helpful posts*

View solution in original post

No you would add this:

crypto map SDM_CMAP_1 2 ipsec-isakmp

  set peer 108.x.x.x

     Need to add transform set

  match address 105

Tarik Admani
*Please rate helpful posts*

View solution in original post

That is correct your end config should look like this:

crypto map SDM_CMAP_1 1 ipsec-isakmp

..

..

..

crypto map SDM_CMAP_1 2 ipsec-isakmp

..

..

..

Hope that helps!

Tarik Admani
*Please rate helpful posts*

View solution in original post

10 Replies 10

Tarik Admani
VIP Alumni
VIP Alumni

Yes you add another poicy to your crypto configuration.

Thanks

Tarik Admani
*Please rate helpful posts*

Just to make sure... I would just add the bolded lines below to the current crypto map? (ip's have been censored)

crypto map SDM_CMAP_1 1 ipsec-isakmp

  set peer 99.x.x.x

  set transform-set ESP-AES-128-SHA

  match address 103

  set peer 108.x.x.x

  match address 105

Thanks,

Jason

No you would add this:

crypto map SDM_CMAP_1 2 ipsec-isakmp

  set peer 108.x.x.x

     Need to add transform set

  match address 105

Tarik Admani
*Please rate helpful posts*

Here is a guide for reference:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009463b.shtml

Thanks,

Tarik Admani
*Please rate helpful posts*

WOW YOU ARE FAST!!!

I think I see now... and it looks like I was close.

From trying to configure earlier, I currently have

crypto map SDM_CMAP_1 1 ipsec-isakmp

... and

crypto map SDM_CMAP_2 2 ipsec-isakmp

I so need to change (add/remove) the 2nd crypmap to

crypto map SDM_CMAP_1 2 ipsec-isakmp

That is correct your end config should look like this:

crypto map SDM_CMAP_1 1 ipsec-isakmp

..

..

..

crypto map SDM_CMAP_1 2 ipsec-isakmp

..

..

..

Hope that helps!

Tarik Admani
*Please rate helpful posts*

Ok, I'm getting closer, but still failing. I was close enough that a VOIP phone registered with the phone system at some point, but not sure why it wont stay connected.

The original, VPN1 is still connected though.

I've varified the preshared keys on both ends match.

Here's an error from the debug of the second ASA, VPN2

Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, QM FSM error (P2 struct &0x42436b0, mess id 0x374e49ed)!

Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, Removing peer from correlator table failed, no match!

Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, QM FSM error (P2 struct &0x42436b0, mess id 0x374e49ed)!

Aug 24 10:49:45 [IKEv1]: Group = 64.X.X.X, IP = 64.X.X.X, Removing peer from correlator table failed, no match!

As far as the ASA configs, everything is the exactly the same, except;


NEW ASA VPN2 -both asa have object groups 1&2, containing other ip's of the HQ site. these ip's listed here are of VPN1's local lan.

I imagine I will need to add VPN2's local ip to VPN1's config for objectgroup 1&2, but I don't think that is the reason this wont connect to HQ

object-group network DM_INLINE_NETWORK_1
network-object 192.168.26.0 255.255.255.0

object-group network DM_INLINE_NETWORK_2
network-object 192.168.26.0 255.255.255.0

object-group network DM_INLINE_NETWORK_3
network-object 192.168.27.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0

Working ASA VPN1  - not sure exactly how the bolded line works

no crypto isakmp nat-traversal

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn

HQ 2811 -----------------------------------------------------------------------

Hope I included enough of the router config. Again, VPN1 is working.

crypto isakmp key VPN1PW address 99.x.x.x
crypto isakmp key VPN2PW address 108.x.x.x
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 99.x.x.x VPN1
set peer 99.x.x.x
set transform-set ESP-AES-128-SHA
match address 103
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to 108.x.x.x VPN2

set peer 108.x.x.x
set transform-set ESP-AES-128-SHA
match address 105
!

****** This next section I dont recall typing in, but it refers to access group 105, but 105 was newly created for the new VPN2.  I didn't not find a corresponding command for access-group 103, which 105 is a copy of 103, except each one includes the others local lan too.

class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 105
match protocol user-protocol--2

interface FastEthernet0/1
description T1 to  Internet$FW_OUTSIDE$
ip address 64.x.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1

Here is some reference material to your errors:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution18

Thanks,

Tarik Admani
*Please rate helpful posts*

I've tried going through that troubleshooting doc, but I still can't figure this out.

When turning on debug for the 2811, I'm not seeing any thing.

RT#show debug

Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto ISAKMP Error debugging is on
  Crypto IPSEC debugging is on
  Crypto IPSEC Error debugging is on

show crypto session
Crypto session current status

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 108.x.x.x port 500
  IKE SA: local 64.x.x.x/500 remote 108.x.x.x/500 Active
  IPSEC FLOW: permit ip 192.168.26.0/255.255.255.0 192.168.27.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.130.15.0/255.255.255.0 192.168.27.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.131.16.0/255.255.255.0 192.168.27.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 172.20.15.0/255.255.255.0 192.168.27.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 172.21.16.0/255.255.255.0 192.168.27.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.21.0.0/255.255.255.0 192.168.27.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 10.30.18.0/255.255.255.0 192.168.27.0/255.255.255.0
        Active SAs: 2, origin: crypto map

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 99.x.x.x port 500
  IKE SA: local 64.x.x.x/500 remote 99.x.x.x/500 Active
  IPSEC FLOW: permit ip 192.168.27.0/255.255.255.0 192.168.26.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.130.15.0/255.255.255.0 192.168.26.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.131.16.0/255.255.255.0 192.168.26.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 172.20.15.0/255.255.255.0 192.168.26.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 172.21.16.0/255.255.255.0 192.168.26.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.21.0.0/255.255.255.0 192.168.26.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 10.30.18.0/255.255.255.0 192.168.26.0/255.255.255.0
        Active SAs: 2, origin: crypto map

From the show crypto, to me, it looks like it's working, but 192.168.27.x isn't accessible..

Jason,

These ASAs arent behind the same firewall are they?

thanks,

Tarik Admani
*Please rate helpful posts*

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: