Help with VPN site-to-site under other VPN

Hello Guys,

I need help with this scenario.

Branch --> HQ --> Site Remote, where:

Branch: Internal = 192.168.50.0/24

HQ: Internal = 192.168.40.0/24

Site Remote = 10.175.26.0/24

Branch + HQ = Both ASA with ESP-3DES-MD5. (Here, we are using the real LAN IP range for the encryption domain.)

HQ + Site Remote = My side ASA with ESP-AES-256-SHA. (Here, to reach the Site Remote 10.175.26.0/24 we NAT our LAN IP range to 172.18.0.10, so the encryption domain is 172.18.0.10 --> 10.175.26.0/24.)

Now, we need Branch to reach the Remote Site through the VPNs from Branch to HQ and from HQ to the Remote Site.

My actions:

Branch Firewall:

 - In the VPN Site to Site configuration I added 10.175.26.0/24 to the Remote Network for the tunnel between Branch and HQ.

 - I added the EXEMPT for 10.175.26.0/24 on the inside.

HQ Firewall:

 - In the VPN Site to Site configuration I added 10.175.26.0/24 to the Remote Network for the tunnel between Branch and HQ.

 - I created a Dynamic Policy on the outside from source = Branch IP range to = Site Remote IP range, translated to 172.18.0.10.

I already have this working for another Site Remote, but that other one has the IPsec proposal ESP-3DES-MD5 (the same as Branch). I do not know if that is the problem, but I tried to use both proposals together, 3DES-MD5 and AES-256-SHA.

Firewall rules are ok too.

Where is the mistake in that configuration?

Thanks,

Diego

Accepted Solution

Beginner

good

put solved in this post

9 Replies
Beginner

hi

post your config

Hello,

Follow attached!

The network that I need to reach from Branch is "name 10.175.26.0 REDE_Client"

The Tunnel group of the Client is 200.200.200.200

The NAT IP from my network to reach client is 172.19.0.5

Beginner

hi seg

I looked very quickly at the HQ config

and I saw that your peer (vpn_client) doesn't match any crypto map,

and this doesn't allow phase 2.

I have not seen anything else.
Double-check the config on both sides first.

 

My bad. I forgot to change it. The crypto map is number 4

Beginner

diego, your config is wrong also in the branch config.

you have only a tunnel group with IP 177.7.7.7 but the crypto map is blind to 177.135.122.70 FWL_Matriz.

 

In the HQ log I can see it...

3  May 13 2014  17:23:08  713061  Group = 189.7.7.7, IP = 189..7.7.7, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.90.0/255.255.255.0/0/0 local proxy 10.175.26.23/255.255.255.255/0/0 on interface outside
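As an added example (not the poster's configuration and not Cisco code), the following Python models the two phase-2 checks this thread turns on: whether Branch's proposal for the Remote Site network matches an entry on HQ's crypto map for the Branch peer (the kind of mismatch behind the 713061 log above), and whether HQ's policy NAT to 172.18.0.10 makes the hairpinned traffic fit the HQ to Remote Site encryption domain. The addressing is the question's; the peer addresses are placeholders, and treating a proposal that lies inside a crypto ACE as a match is a modelling assumption rather than a statement of exact ASA behaviour.

```python
"""Model of the two phase-2 checks HQ's ASA performs for hairpinned
Branch -> HQ -> Remote Site traffic. Constructed example, not the poster's config."""
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Tuple

# Addressing taken from the question. 172.18.0.10 is the address HQ presents
# to the Remote Site, so it is the local side of that encryption domain.
BRANCH_LAN = ip_network("192.168.50.0/24")
HQ_LAN = ip_network("192.168.40.0/24")
REMOTE_LAN = ip_network("10.175.26.0/24")
HQ_NAT_IP = ip_network("172.18.0.10/32")

# Placeholder peer addresses (the thread's real peers are not reproduced here).
PEER_BRANCH = "198.51.100.1"
PEER_REMOTE = "203.0.113.1"

# Crypto map entry: sequence number -> (set peer, crypto ACL as (local, remote) pairs)
CryptoMap = Dict[int, Tuple[str, List[Tuple[IPv4Network, IPv4Network]]]]


def find_crypto_map_entry(cmap: CryptoMap, peer: str,
                          local_proxy: IPv4Network,
                          remote_proxy: IPv4Network) -> Optional[int]:
    """Return the sequence number whose peer matches and whose crypto ACL covers
    the proposed proxy IDs, or None. Modelling assumption: a proposal that lies
    inside an ACE counts as a match; a peer with no entry at all is 'blind'."""
    for seq, (entry_peer, aces) in sorted(cmap.items()):
        if entry_peer != peer:
            continue
        for local, remote in aces:
            if local_proxy.subnet_of(local) and remote_proxy.subnet_of(remote):
                return seq
    return None


def hq_policy_nat(src: IPv4Network, dst: IPv4Network) -> IPv4Network:
    """HQ's dynamic policy NAT on the outside interface: any source bound for the
    Remote Site leaves as 172.18.0.10, so it fits the HQ <-> Remote Site domain."""
    return HQ_NAT_IP if dst.subnet_of(REMOTE_LAN) else src


def syslog_713061(peer: str, local_proxy: IPv4Network,
                  remote_proxy: IPv4Network) -> str:
    """Render the rejection in the shape the HQ log in this thread shows it."""
    def proxy(n: IPv4Network) -> str:
        return f"{n.network_address}/{n.netmask}/0/0"
    return (f"%ASA-3-713061: Group = {peer}, IP = {peer}, Rejecting IPSec tunnel: "
            f"no matching crypto map entry for remote proxy {proxy(remote_proxy)} "
            f"local proxy {proxy(local_proxy)} on interface outside")


def trace_branch_to_remote(cmap: CryptoMap) -> Dict[str, Optional[int]]:
    """Walk both legs of a Branch -> Remote Site packet through HQ's crypto map."""
    # Leg 1: Branch negotiates 192.168.50.0/24 <-> 10.175.26.0/24 on the Branch-HQ
    # tunnel. Seen from HQ the local proxy is the Remote Site LAN and the remote
    # proxy is the Branch LAN, so HQ's ACL for the Branch peer must list that pair.
    leg1 = find_crypto_map_entry(cmap, PEER_BRANCH, REMOTE_LAN, BRANCH_LAN)
    # Leg 2: HQ hairpins the decrypted packet back out the outside interface.
    # Policy NAT rewrites the Branch source to 172.18.0.10 first, and that
    # translated address is what must fit the HQ-Remote Site crypto ACL.
    translated = hq_policy_nat(BRANCH_LAN, REMOTE_LAN)
    leg2 = find_crypto_map_entry(cmap, PEER_REMOTE, translated, REMOTE_LAN)
    return {"branch_to_hq": leg1, "hq_to_remote": leg2}


# Before: the Branch-HQ crypto ACL only carries the HQ LAN, so Branch's proposal
# for the Remote Site network finds no entry (the situation behind a 713061 log).
HQ_MAP_BEFORE: CryptoMap = {
    1: (PEER_BRANCH, [(HQ_LAN, BRANCH_LAN)]),
    4: (PEER_REMOTE, [(HQ_NAT_IP, REMOTE_LAN)]),
}

# After: the Remote Site network is added to the Branch-HQ tunnel's encryption
# domain; the HQ-Remote Site entry is unchanged because NAT already fits it.
HQ_MAP_AFTER: CryptoMap = {
    1: (PEER_BRANCH, [(HQ_LAN, BRANCH_LAN), (REMOTE_LAN, BRANCH_LAN)]),
    4: (PEER_REMOTE, [(HQ_NAT_IP, REMOTE_LAN)]),
}

if __name__ == "__main__":
    for name, cmap in (("before", HQ_MAP_BEFORE), ("after", HQ_MAP_AFTER)):
        print(name, trace_branch_to_remote(cmap))
    # The log line HQ would produce for the failing leg of the "before" map.
    print(syslog_713061(PEER_BRANCH, REMOTE_LAN, BRANCH_LAN))
    # Without the policy NAT the untranslated Branch range would not fit the
    # HQ-Remote Site entry at all (returns None).
    print(find_crypto_map_entry(HQ_MAP_AFTER, PEER_REMOTE, BRANCH_LAN, REMOTE_LAN))
```

Run it once with each map: the "before" map fails on the Branch leg and the "after" map passes both, which is the difference between adding 10.175.26.0/24 to the Branch-HQ tunnel on both ends and leaving it off one of them. The last check is why the policy NAT is needed at all: the Remote Site only knows 172.18.0.10, so any hairpinned source has to leave HQ under that address.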
Beginner

What do you want me to say? You have posted a different conf than your debug.

yeah, probably because I changed it before sending...

well... I recreated the tunnels and now it is working fine....

I think when we changed the outside IP and recreated the tunnels, maybe some dirt was left in the config... so I removed everything and created it again..

 

thanks!!!
