ASA5505 with 2 VPN tunnels failing to bring up 2nd tunnel

Hello,

I have an ASA5505 which currently connects to a remote office for both VoIP and data. I have added a 2nd site-to-site VPN tunnel to a vendor. It is this 2nd VPN tunnel that I am having issues with. It appears that PHASE 1 negotiates fine. However, I'm not a VPN expert! So any help would be greatly appreciated. I've attached the running_config on my box, the debug info (ipsec & isakmp), and the vendor information that they provided me today. They are using an ASA5510.

My existing VPN tunnel (which is working) is labeled "outside_1_cryptomap". It has the following as interesting traffic:

192.168.1.0/24 -> 192.168.3.0/24
192.168.2.0/24 -> 192.168.3.0/24
10.1.1.0/24 -> 192.168.3.0/24
10.1.2.0/24 -> 192.168.3.0/24
10.1.10.0/24 -> 192.168.3.0/24
10.2.10.0/24 -> 192.168.3.0/24

The new VPN tunnel (not working) is labeled "eInfomatics_1_cryptomap". It has the following as interesting traffic:

192.168.1.25/32 -> 10.10.10.83/32
192.168.1.25/32 -> 10.10.10.47/32
192.168.1.26/32 -> 10.10.10.83/32
192.168.1.26/32 -> 10.10.10.47/32

Here is the other VPN info (copied and pasted from the config):

access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.26 host 10.10.10.83
access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.25 host 10.10.10.83
access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.25 host 10.10.10.47
access-list eInfomatics_1_cryptomap extended permit ip host 192.168.1.26 host 10.10.10.47
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 24.180.14.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address eInfomatics_1_cryptomap
crypto map outside_map 2 set peer 66.193.183.170
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 24.180.14.50 type ipsec-l2l
tunnel-group 24.180.14.50 ipsec-attributes
 pre-shared-key *****
tunnel-group 66.193.183.170 type ipsec-l2l
tunnel-group 66.193.183.170 ipsec-attributes
 pre-shared-key *****

Thank you in advance

-Matt

Accepted Solution

Jouni Forss (VIP Alumni)

Hi,

The vendor has set a Phase 2 parameter PFS Group 2 (Perfect Forward Secrecy) while you don't have it.

So you could probably try adding the following:

crypto map outside_map 2 set pfs group2

I think it will simply enter it as

crypto map outside_map 2 set pfs

since "group2" is the default setting.

- Jouni
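As an added example that is not part of the original thread, the check below parses the crypto map lines quoted in the question and compares each entry's Phase 2 parameters against what the peer is known to propose, so a missing `set pfs` on entry 2 shows up before reading debugs. The vendor-side transform algorithms in VENDOR_PROPOSAL are an assumption (mirroring ESP-3DES-SHA); only the PFS group 2 requirement comes from the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the Phase 2 lines quoted in the post, before the fix.
ASA_CONFIG = """
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 24.180.14.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address eInfomatics_1_cryptomap
crypto map outside_map 2 set peer 66.193.183.170
crypto map outside_map 2 set transform-set ESP-3DES-SHA
"""

# Constructed peer proposal: PFS group 2 per the accepted answer; the
# transform algorithms are assumed to match our ESP-3DES-SHA set.
VENDOR_PROPOSAL = {"transforms": {"esp-3des", "esp-sha-hmac"}, "pfs": "group2"}

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set \S+)\s*(.*)$")

def parse_phase2(config):
    """Return {(map, seq): {...}} with 'peer', 'transforms', 'pfs', 'acl'.
    'pfs' is None when no 'set pfs' line exists (PFS off on the ASA);
    a bare 'set pfs' means the ASA default, group2."""
    transform_sets, entries = {}, defaultdict(lambda: {"pfs": None})
    for raw in config.splitlines():
        line = raw.strip()
        if (m := TS_RE.match(line)):
            transform_sets[m.group(1)] = set(m.group(2).split())
        elif (m := MAP_RE.match(line)):
            name, seq, keyword, value = m.groups()
            entry = entries[(name, int(seq))]
            if keyword == "match address":
                entry["acl"] = value
            elif keyword == "set pfs":
                entry["pfs"] = value or "group2"
            elif keyword == "set transform-set":
                # An entry may list several sets; keep the union of algorithms.
                entry["transforms"] = set().union(
                    *(transform_sets.get(n, set()) for n in value.split()))
            elif keyword == "set peer":
                entry["peer"] = value
    return dict(entries)

def phase2_mismatches(entry, proposal):
    """Names of Phase 2 parameters where our entry disagrees with the peer."""
    return sorted(k for k, v in proposal.items() if entry.get(k) != v)

if __name__ == "__main__":
    for key, entry in parse_phase2(ASA_CONFIG).items():
        print(key, entry["peer"], phase2_mismatches(entry, VENDOR_PROPOSAL) or "ok")
```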


Jouni,

Thanks! That seems to have done the trick! SAs are up in isakmp and ipsec and hits are showing up on the ACL! Thanks again for your quick and accurate reply!

Hi,

Great to hear it's working.

- Jouni
