IPSEC VPN CONF

UniWAQ, Level 1

Hi Team, 

I am trying to configure IPsec L2L between 2 ASAs. Their configuration is mentioned below, but I am facing a problem. Can anyone guide me?

Firewall logs and configuration are mentioned below:

%ASA-5-752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = VPNMAP. Map Sequence Number = 111.
%ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
%ASA-5-713041: IP = 192.168.0.11, IKE Initiator: New Phase 1, Intf Inside, IKE Peer 192.168.0.11 local Proxy Address 192.168.102.0, remote Proxy Address 192.168.101.0, Crypto map (VPNMAP)
%ASA-7-715046: IP = 192.168.0.11, constructing ISAKMP SA payload
%ASA-7-715046: IP = 192.168.0.11, constructing NAT-Traversal VID ver 02 payload
%ASA-7-715046: IP = 192.168.0.11, constructing NAT-Traversal VID ver 03 payload
%ASA-7-715046: IP = 192.168.0.11, constructing NAT-Traversal VID ver RFC payload
%ASA-7-715046: IP = 192.168.0.11, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713236: IP = 192.168.0.11, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
%ASA-7-609001: Built local-host identity:192.168.0.12
%ASA-7-609001: Built local-host Outside:192.168.0.11
%ASA-6-302015: Built outbound UDP connection 672 for Outside:192.168.0.11/500 (192.168.0.11/500) to identity:192.168.0.12/500 (192.168.0.12/500)(any)
%ASA-7-713906: IKE Receiver: Packet received on 192.168.0.12:500 from 192.168.0.11:500
%ASA-7-713236: IP = 192.168.0.11, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
%ASA-7-715047: IP = 192.168.0.11, processing SA payload
%ASA-7-713906: IP = 192.168.0.11, Oakley proposal is acceptable
%ASA-7-715047: IP = 192.168.0.11, processing VID payload
%ASA-7-715049: IP = 192.168.0.11, Received NAT-Traversal RFC VID
%ASA-7-715047: IP = 192.168.0.11, processing VID payload
%ASA-7-715049: IP = 192.168.0.11, Received Fragmentation VID
%ASA-7-715064: IP = 192.168.0.11, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
%ASA-7-715046: IP = 192.168.0.11, constructing ke payload
%ASA-7-715046: IP = 192.168.0.11, constructing nonce payload
%ASA-7-715046: IP = 192.168.0.11, constructing Cisco Unity VID payload
%ASA-7-715046: IP = 192.168.0.11, constructing xauth V6 VID payload
%ASA-7-715048: IP = 192.168.0.11, Send IOS VID
%ASA-7-715038: IP = 192.168.0.11, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%ASA-7-715046: IP = 192.168.0.11, constructing VID payload
%ASA-7-715048: IP = 192.168.0.11, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-715046: IP = 192.168.0.11, constructing NAT-Discovery payload
%ASA-7-713906: IP = 192.168.0.11, computing NAT Discovery hash
%ASA-7-715046: IP = 192.168.0.11, constructing NAT-Discovery payload
%ASA-7-713906: IP = 192.168.0.11, computing NAT Discovery hash
%ASA-7-713236: IP = 192.168.0.11, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
%ASA-7-609001: Built local-host Inside:192.168.102.6
%ASA-7-609001: Built local-host Outside:192.168.101.6
%ASA-7-609002: Teardown local-host Inside:192.168.102.6 duration 0:00:00
%ASA-7-609002: Teardown local-host Outside:192.168.101.6 duration 0:00:00
%ASA-7-752008: Duplicate entry already in Tunnel Manager
%ASA-7-713236: IP = 192.168.0.11, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
%ASA-7-713906: IKE Receiver: Packet received on 192.168.0.12:500 from 192.168.0.11:500
%ASA-7-713236: IP = 192.168.0.11, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 192.168.0.11, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 192.168.0.11, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 192.168.0.11, Information Exchange processing failed
%ASA-7-609001: Built local-host Inside:192.168.102.6
%ASA-7-609001: Built local-host Outside:192.168.101.6
%ASA-7-609002: Teardown local-host Inside:192.168.102.6 duration 0:00:00
%ASA-7-609002: Teardown local-host Outside:192.168.101.6 duration 0:00:00
%ASA-7-752008: Duplicate entry already in Tunnel Manager
%ASA-7-609001: Built local-host Inside:192.168.102.6
%ASA-7-609001: Built local-host Outside:192.168.101.6
%ASA-7-609002: Teardown local-host Inside:192.168.102.6 duration 0:00:00
%ASA-7-609002: Teardown local-host Outside:192.168.101.6 duration 0:00:00
%ASA-7-752008: Duplicate entry already in Tunnel Manager
%ASA-7-713236: IP = 192.168.0.11, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 304
%ASA-7-713906: IKE Receiver: Packet received on 192.168.0.12:500 from 192.168.0.11:500
%ASA-7-713236: IP = 192.168.0.11, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-7-713236: IP = 192.168.0.11, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%ASA-5-713904: IP = 192.168.0.11, Received an un-encrypted INVALID_COOKIE notify message, dropping
%ASA-4-713903: IP = 192.168.0.11, Information Exchange processing failed


ASA A


interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 192.168.0.12 255.255.255.0
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 192.168.102.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif Management
security-level 100
ip address 172.16.0.92 255.255.255.0
!

dns domain-lookup Management
dns server-group DefaultDNS
name-server 172.16.0.3
name-server 172.16.0.253


access-list 100 extended permit ip 192.168.102.0 255.255.255.0 192.168.101.0 255.255.255.0 log
access-list Outside_access_in extended permit ip any any
pager lines 23
logging enable
logging buffer-size 52428800
logging console debugging
logging monitor debugging
logging asdm debugging
mtu Outside 1500

access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 192.168.0.11 1

http 172.16.0.0 255.255.255.0 Management
no snmp-server location
no snmp-server contact
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set VPNT esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map VPNMAP 111 match address 100
crypto map VPNMAP 111 set pfs
crypto map VPNMAP 111 set peer 192.168.0.11
crypto map VPNMAP 111 set ikev1 transform-set VPNT
crypto map VPNMAP interface Outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure

crypto isakmp identity hostname
crypto ikev1 enable Outside
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 300
telnet timeout 5
ssh stricthostkeycheck
ssh 172.16.0.0 255.255.255.0 Management
ssh timeout 50
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Inside
dhcp-client client-id interface Management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
dynamic-access-policy-record DfltAccessPolicy
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
tunnel-group TGROUP type ipsec-l2l
tunnel-group TGROUP ipsec-attributes
ikev1 pre-shared-key *****
!

--------------------------------------------------------------------------------------------------------

ASA B 
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 192.168.0.11 255.255.255.0
!
interface GigabitEthernet0/1
nameif Inside
security-level 100
ip address 192.168.101.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif Managment
security-level 100
ip address 172.16.0.91 255.255.255.0
!

ftp mode passive
dns domain-lookup Managment
dns server-group DefaultDNS
name-server 172.16.0.3
access-list 100 extended permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0 log
access-list Outside_access_in extended permit ip any any
pager lines 23
logging enable
logging console debugging
logging monitor debugging
logging asdm debugging
mtu Outside 1500
mtu Inside 1500
mtu Managment 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 192.168.0.12 1

user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http server idle-timeout 50
http 172.16.0.0 255.255.0.0 Managment
no snmp-server location
no snmp-server contact
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set VPNT esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map VPNMAP 111 match address 100
crypto map VPNMAP 111 set pfs
crypto map VPNMAP 111 set peer 192.168.0.12
crypto map VPNMAP 111 set ikev1 transform-set VPNT
crypto map VPNMAP interface Outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy

crypto isakmp identity hostname
crypto ikev1 enable Outside
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 300
telnet timeout 5
ssh stricthostkeycheck
ssh 172.16.0.0 255.255.255.0 Managment
ssh timeout 50
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access Inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
dynamic-access-policy-record DfltAccessPolicy
username admin password eY/fQXw7Ure8Qrz7 encrypted
tunnel-group TGROUP type ipsec-l2l
tunnel-group TGROUP ipsec-attributes
ikev1 pre-shared-key *****
!

1 Reply

JP Miranda Z, Cisco Employee

Hi uniquewaheed,

If you are going to use the hostname as the crypto isakmp identity and also use a name on the tunnel-group, you need to make sure aggressive mode is enabled:

crypto map VPNMAP 111 set ikev1 phase1-mode aggressive

Now, aggressive mode is not recommended, so I would recommend you change the crypto isakmp identity to auto and configure the tunnel group with the peer IP instead of the name:

ASA A

tunnel-group 192.168.0.11 type ipsec-l2l
tunnel-group 192.168.0.11 ipsec-attributes
ikev1 pre-shared-key *****

ASA B 

tunnel-group 192.168.0.12 type ipsec-l2l
tunnel-group 192.168.0.12 ipsec-attributes
ikev1 pre-shared-key *****

Hope this info helps!!

Rate if it helps you!!

-JP-
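The rule in the reply above, as an added example that is not part of the thread: a small Python checker that reads an ASA IKEv1 L2L configuration and flags a hostname identity or a tunnel-group whose name is not the peer IP while main mode is in use. The config fragments are constructed here, modelled on the ASA A configuration in the question, not copied from it.

```python
import re

# Constructed fragment modelled on the ASA A config in the question (not the full config).
ASA_A_BROKEN = """\
crypto map VPNMAP 111 set peer 192.168.0.11
crypto isakmp identity hostname
tunnel-group TGROUP type ipsec-l2l
tunnel-group TGROUP ipsec-attributes
 ikev1 pre-shared-key *****
"""

# Constructed fragment after applying the reply's recommendation.
ASA_A_FIXED = """\
crypto map VPNMAP 111 set peer 192.168.0.11
crypto isakmp identity auto
tunnel-group 192.168.0.11 type ipsec-l2l
tunnel-group 192.168.0.11 ipsec-attributes
 ikev1 pre-shared-key *****
"""


def check_ikev1_l2l(config: str) -> list[str]:
    """Return a list of findings (empty when the IKEv1 L2L setup is consistent).

    In IKEv1 main mode the responder must select the pre-shared key by the
    initiator's IP address, because the ID payload arrives encrypted with keys
    derived from that PSK. The ASA therefore needs a tunnel-group named after
    the peer IP unless aggressive mode (which sends the ID in the clear) is set.
    """
    peers = re.findall(r"^crypto map \S+ \d+ set peer (\S+)", config, re.M)
    match = re.search(r"^crypto isakmp identity (\S+)", config, re.M)
    identity = match.group(1) if match else "auto"   # ASA default is auto
    aggressive = bool(re.search(r"set ikev1 phase1-mode aggressive", config))
    l2l_groups = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", config, re.M))

    findings = []
    if identity == "hostname" and not aggressive:
        findings.append("isakmp identity hostname with main mode: set 'crypto isakmp identity auto'")
    for peer in peers:
        if peer not in l2l_groups and not aggressive:
            findings.append(f"no tunnel-group named {peer}: main mode PSK lookup for this peer fails")
    if aggressive:
        findings.append("aggressive mode enabled: not recommended, use main mode with IP-named tunnel-groups")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", ASA_A_BROKEN), ("fixed", ASA_A_FIXED)):
        print(name, check_ikev1_l2l(cfg) or ["OK"])
```

Run the same function over ASA B's configuration with its peer 192.168.0.12 to confirm both sides agree.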