Help with VPN site-to-site under other VPN

Hello Guys,

I need help with this scenario.

Branch --> HQ --> Site Remote, where:

Branch: Internal = 192.168.50.0/24

HQ: Internal = 192.168.40.0/24

Site Remote = 10.175.26.0/24

Branch + HQ = Both ASA with ESP-3DES-MD5. (Here, we are using the real LAN IP range for the encryption domain.)

HQ + Site Remote = My side ASA with ESP-AES-256-SHA. (Here, to reach the Site Remote 10.175.26.0/24 we NAT our LAN IP range to 172.18.0.10, so the encryption domain is 172.18.0.10 --> 10.175.26.0/24.)

Now, we need the Branch to reach the Remote Site, over the VPN from Branch to HQ and from HQ to Remote Site.

My actions:

Branch Firewall:

 - In the VPN Site to Site configuration I added 10.175.26.0/24 to the Remote Network of the tunnel between Branch and HQ.

 - I added the EXEMPT for 10.175.26.0/24 on the inside.

HQ Firewall:

 - In the VPN Site to Site configuration I added 10.175.26.0/24 to the Remote Network of the tunnel between Branch and HQ.

 - I created a Dynamic Policy on the outside from source = Branch IP range to destination = Site Remote IP range, translated to 172.18.0.10.

I already have it working for another Site Remote, but that other one has the IPsec proposal ESP-3DES-MD5 (the same as the Branch). I do not know if that is the problem, but I tried using both proposals together, 3DES-MD5 and AES-256-SHA.

Firewall rules are OK too.

Where is the mistake in that configuration?

Thanks,

Diego

9 Replies

marziano77 (Level 1)

Hi,

post your config.

Hello,

See attached!

The network that I need to reach from Branch is "name 10.175.26.0 REDE_Client".

The Tunnel group of the Client is 200.200.200.200.

The NAT IP from my network to reach the client is 172.19.0.5.

Hi seg,

I looked very quickly at the HQ config and I saw that your peer (vpn_client) doesn't match any crypto map, and this doesn't allow phase 2.

I have not seen anything else; double-check the config on both sides first.

My bad. I forgot to change it. The crypto map is number 4.

Diego, your config is also wrong in the branch config.

You have only a tunnel group with IP 177.7.7.7, but the crypto map is blind to 177.135.122.70 FWL_Matriz.

 

In the HQ log I can see it...

3 | May 13 2014 | 17:23:08 | 713061 | Group = 189.7.7.7, IP = 189..7.7.7, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.90.0/255.255.255.0/0/0 local proxy 10.175.26.23/255.255.255.255/0/0 on interface outside
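The 713061 message above is the ASA telling you exactly which proxy IDs the peer proposed and that no crypto map entry for that peer has an ACL line covering them. As an added example (not from this thread or from Cisco), here is a small Python checker that parses such a log line and compares the proxies against the crypto map you believe is on the box. The crypto map contents, the peer addresses and the syslog line are constructed from the values quoted in the thread (branch LAN 192.168.90.0/24 as in the log, HQ LAN 192.168.40.0/24, NAT address 172.18.0.10, remote-site peer 200.200.200.200); the "before" map reproduces the situation the log describes, where the branch tunnel's ACL never mentions the remote-site network.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

# ASA syslog 713061, constructed from the thread's message (IP typed cleanly).
SAMPLE_LOG = (
    "%ASA-3-713061: Group = 189.7.7.7, IP = 189.7.7.7, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 192.168.90.0/255.255.255.0/0/0 "
    "local proxy 10.175.26.23/255.255.255.255/0/0 on interface outside"
)

LOG_RE = re.compile(
    r"Group = (?P<group>\S+), IP = (?P<ip>\S+), "
    r"Rejecting IPSec tunnel: no matching crypto map entry for "
    r"remote proxy (?P<remote>\S+) local proxy (?P<local>\S+) "
    r"on interface (?P<intf>\S+)"
)


def parse_proxy(proxy: str) -> IPv4Network:
    """Turn an ASA proxy id 'addr/mask/protocol/port' into a network.
    Protocol and port are 0/0 (any) in the thread's log and are ignored here."""
    addr, mask, _proto, _port = proxy.split("/")
    return ip_network(f"{addr}/{mask}", strict=False)


@dataclass(frozen=True)
class CryptoMapEntry:
    """One 'crypto map <name> <seq>' entry: its 'set peer' address and the
    (local, remote) pairs of its 'match address' ACL ('permit ip LOCAL REMOTE')."""
    seq: int
    peer: str
    acl: tuple[tuple[IPv4Network, IPv4Network], ...]


def parse_rejection(line: str) -> dict | None:
    """Extract peer, interface and both proxies from a 713061 line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"group": m["group"], "peer": m["ip"], "interface": m["intf"],
            "remote": parse_proxy(m["remote"]), "local": parse_proxy(m["local"])}


def diagnose(line: str, crypto_map: list[CryptoMapEntry]) -> tuple[str, str]:
    """Return (status, explanation); status is NOT_713061, NO_PEER,
    NO_PROXY_MATCH or MATCH."""
    rej = parse_rejection(line)
    if rej is None:
        return "NOT_713061", "line is not a 713061 crypto map rejection"
    for_peer = [e for e in crypto_map if e.peer == rej["peer"]]
    if not for_peer:
        return "NO_PEER", (f"no crypto map entry has 'set peer {rej['peer']}'; "
                           "check the peer address and the tunnel-group name")
    for e in for_peer:
        for local, remote in e.acl:
            # Proposed proxies must fall inside one ACL line (equality counts).
            if rej["local"].subnet_of(local) and rej["remote"].subnet_of(remote):
                return "MATCH", (f"seq {e.seq} covers local {rej['local']} -> remote "
                                 f"{rej['remote']}; the running config must differ "
                                 "from the one you are looking at")
    seqs = ", ".join(str(e.seq) for e in for_peer)
    wanted = (f"permit ip {rej['local'].with_netmask.replace('/', ' ')} "
              f"{rej['remote'].with_netmask.replace('/', ' ')}")
    return "NO_PROXY_MATCH", (f"seq {seqs} set peer {rej['peer']} but no ACL line "
                              f"covers local {rej['local']} -> remote {rej['remote']}; "
                              f"add '{wanted}' (or a wider line) to that crypto ACL")


# Constructed HQ crypto map before the fix: seq 1 is the branch tunnel carrying
# only HQ LAN <-> branch LAN, seq 4 is the tunnel to the remote site behind NAT.
HQ_CRYPTO_MAP = [
    CryptoMapEntry(seq=1, peer="189.7.7.7",
                   acl=((ip_network("192.168.40.0/24"), ip_network("192.168.90.0/24")),)),
    CryptoMapEntry(seq=4, peer="200.200.200.200",
                   acl=((ip_network("172.18.0.10/32"), ip_network("10.175.26.0/24")),)),
]

# Same map once the remote-site network is also "local" on the branch tunnel.
HQ_CRYPTO_MAP_FIXED = [
    CryptoMapEntry(seq=1, peer="189.7.7.7",
                   acl=((ip_network("192.168.40.0/24"), ip_network("192.168.90.0/24")),
                        (ip_network("10.175.26.0/24"), ip_network("192.168.90.0/24")))),
    HQ_CRYPTO_MAP[1],
]

if __name__ == "__main__":
    for label, cmap in (("before", HQ_CRYPTO_MAP), ("after", HQ_CRYPTO_MAP_FIXED)):
        status, why = diagnose(SAMPLE_LOG, cmap)
        print(f"{label}: {status}: {why}")
```

Feed it the crypto map as actually shown by the running config rather than the one you remember editing: when the checker reports MATCH for a line the ASA rejected, the config on the box is not the config you are reading, which is what the next reply in this thread points out.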

What do you want me to say? You have posted a different conf than your debug.

Yeah, probably because I changed it before sending...

Well... I recreated the tunnels and now it is working fine...

I think when we changed the outside IP and recreated the tunnels, maybe some dirt was left in the config... so I removed everything and created it again.

Thanks!!!

Good.

Put solved on this post.
