10-11-2013 01:35 PM
Hello,
I have an ASA5505 which currently connects to a remote office for both VoIP and data. I have added a 2nd site-to-site VPN tunnel to a vendor. It is this 2nd VPN tunnel that I am having issues with. It appears that Phase 1 negotiates fine. However, I'm not a VPN expert! So any help would be greatly appreciated. I've attached the running_config on my box, the debug info (ipsec & isakmp), and the vendor information that they provided me today. They are using an ASA5510.
My existing VPN tunnel (which is working) is labeled "outside_1_cryptomap". It has the following as interesting traffic:
192.168.1.0/24 -> 192.168.3.0/24
192.168.2.0/24 -> 192.168.3.0/24
10.1.1.0/24 -> 192.168.3.0/24
10.1.2.0/24 -> 192.168.3.0/24
10.1.10.0/24 -> 192.168.3.0/24
10.2.10.0/24 -> 192.168.3.0/24
The new VPN tunnel (not working) is labeled "eInfomatics_1_cryptomap". It has the following as interesting traffic:
192.168.1.25/32 -> 10.10.10.83/32
192.168.1.25/32 -> 10.10.10.47/32
192.168.1.26/32 -> 10.10.10.83/32
192.168.1.26/32 -> 10.10.10.47/32
Here is the other VPN info (copy & pasted from the config)
access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.26 host 10.10.10.83
access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.25 host 10.10.10.83
access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.25 host 10.10.10.47
access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.26 host 10.10.10.47
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 24.180.14.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address eInfomatics_1_cryptomap
crypto map outside_map 2 set peer 66.193.183.170
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 24.180.14.50 type ipsec-l2l
tunnel-group 24.180.14.50 ipsec-attributes
 pre-shared-key *****
tunnel-group 66.193.183.170 type ipsec-l2l
tunnel-group 66.193.183.170 ipsec-attributes
 pre-shared-key *****
Thank you in advance
-Matt
10-11-2013 01:40 PM
Hi,
The vendor has set a Phase 2 parameter PFS Group 2 (Perfect Forward Secrecy) while you don't have it.
So you could probably try adding the following
crypto map outside_map 2 set pfs group2
I think it will simply enter it as
crypto map outside_map 2 set pfs
Since the "group2" is the default setting
- Jouni
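The mismatch Jouni points out is the kind of thing that is easy to miss when comparing a vendor's parameter sheet against a running-config by eye, especially since the ASA stores "set pfs group2" in its short form "set pfs". The following is an added example (not from the thread or from Cisco) that parses the Phase 2 lines of an ASA config and reports which parameters differ from what the peer requires. The config text is built from the lines quoted in the question; the vendor's requirement beyond PFS group 2 is an assumption, and the 28800-second fallback is the ASA default for the IPsec SA lifetime.

```python
import re

# Constructed sample: the crypto-map lines from the thread's running-config,
# before the fix. "outside_map 2" is the tunnel to the vendor.
CONFIG_BEFORE = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 24.180.14.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address eInfomatics_1_cryptomap
crypto map outside_map 2 set peer 66.193.183.170
crypto map outside_map 2 set transform-set ESP-3DES-SHA
"""

# After entering "set pfs group2" the ASA stores the line in its short form,
# because group2 is the default (as the answer in the thread notes).
CONFIG_AFTER = CONFIG_BEFORE + "crypto map outside_map 2 set pfs\n"

# Constructed: what the peer's configuration sheet requires for Phase 2.
# Only the PFS requirement is stated in the thread; the other values are
# assumed to match the ESP-3DES-SHA transform set already in use.
VENDOR_PHASE2 = {
    "encryption": "esp-3des",
    "integrity": "esp-sha-hmac",
    "pfs": "group2",
    "lifetime_seconds": 28800,
}

TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
LIFETIME_RE = re.compile(r"^crypto ipsec security-association lifetime seconds (\d+)$")
CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set \S+)(?: (.+))?$")


def parse_asa_config(text):
    """Parse the IPsec-relevant lines of an ASA running-config.

    Returns (transform_sets, sa_lifetime_seconds, crypto_maps), where
    crypto_maps is keyed by (map name, sequence number).
    """
    transform_sets = {}
    sa_lifetime = 28800  # ASA default when no global "lifetime seconds" line is present
    crypto_maps = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = TRANSFORM_RE.match(line)
        if m:
            # Assumes the ESP cipher is listed before the ESP integrity
            # transform, as in the thread's "esp-3des esp-sha-hmac".
            transforms = m.group(2).split()
            integrity = transforms[1] if len(transforms) > 1 else "none"
            transform_sets[m.group(1)] = (transforms[0], integrity)
            continue
        m = LIFETIME_RE.match(line)
        if m:
            sa_lifetime = int(m.group(1))
            continue
        m = CRYPTO_MAP_RE.match(line)
        if m:
            entry = crypto_maps.setdefault((m.group(1), int(m.group(2))), {})
            key = m.group(3).split()[-1]  # "address", "peer", "pfs", "transform-set", ...
            value = m.group(4)
            if key == "pfs" and value is None:
                value = "group2"          # bare "set pfs" means the default group2
            entry[key] = value
    return transform_sets, sa_lifetime, crypto_maps


def effective_phase2(parsed, map_name, seq):
    """The Phase 2 proposal this crypto-map entry will actually offer."""
    transform_sets, sa_lifetime, crypto_maps = parsed
    entry = crypto_maps[(map_name, seq)]
    encryption, integrity = transform_sets[entry["transform-set"]]
    return {
        "encryption": encryption,
        "integrity": integrity,
        "pfs": entry.get("pfs", "none"),  # no "set pfs" line means PFS is off
        "lifetime_seconds": sa_lifetime,
    }


def phase2_mismatches(local, required):
    """Parameters where the local proposal differs from the peer's requirement."""
    return {k: (local.get(k), v) for k, v in required.items() if local.get(k) != v}


def check_tunnel(config_text, map_name, seq, required):
    """Parse the config and compare one crypto-map entry against the peer's sheet."""
    parsed = parse_asa_config(config_text)
    return phase2_mismatches(effective_phase2(parsed, map_name, seq), required)


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        result = check_tunnel(cfg, "outside_map", 2, VENDOR_PHASE2)
        print(label, result or "no Phase 2 mismatches")
```

Run against the "before" config it reports `{'pfs': ('none', 'group2')}`, which is exactly the gap Jouni identified; with the "set pfs" line added it reports nothing. The same comparison works for entry 1 against the remote office's parameters if that sheet is filled in.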
10-11-2013 02:08 PM
Jouni-
Thanks! That seems to have done the trick! SAs are up in isakmp and ipsec and hits are showing up on the ACL! Thanks again for your quick and accurate reply!
10-11-2013 02:23 PM
Hi,
Great to hear it's working
- Jouni