cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
805
Views
5
Helpful
6
Replies
Beginner

IPsec VPN site-to-site between ASA and Cisco Router problem. Please help

Hi community,

 

I get stuck in site-to-site VPN configuration between ASA (OS 9.1) and Cisco IOS Router (IOS 15.2-4.M4)

Attachment is ASA and Router configuration. I also include the debug router output.

 

It seemed that the two sides have configuration isakmp missmatch, but I already disabled keepalives settings. I also disable PFS setting on both sides. But it doesn't work. I have no idea about this trouble.

Please help me. Any helps be appreciated.

Thanks

 

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Mentor

I didn't look any further,

I didn't look any further, but this can be a reason:

crypto map mymap 1 ipsec-isakmp dynamic dyn1

The dynamic CM always has to be the last sequence in a crypto map:

no crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap 65000 ipsec-isakmp dynamic dyn1

Try this first, then we can look further.

6 REPLIES 6
VIP Mentor

I didn't look any further,

I didn't look any further, but this can be a reason:

crypto map mymap 1 ipsec-isakmp dynamic dyn1

The dynamic CM always has to be the last sequence in a crypto map:

no crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap 65000 ipsec-isakmp dynamic dyn1

Try this first, then we can look further.

Beginner

Hi Iwen,The site-2-site VPN

Hi Iwen,

The site-2-site VPN works now. But my remote access vpn is down. I cannot reconnect to the site behind ASA device.

Please advices me.

Beginner

Hi Iwen,Last time I did "no

Hi Iwen,

Last time I did "no crypto dynamic" some command related to dynamic vpn disappear also. I have to reconfig them, and now two vpns are working. Thanks for your support.

One more question please: The site behind router can ping/telnet to site behind ASA, but the site behind ASA cannot connect to site behind router. What can cause this problem?

Please advice.

VIP Mentor

Some more potential problems:

Some more potential problems:

1) This NAT-line should always be the last:

nat (inside,outside) source dynamic Allow_Go_Internet interface

Change it to:

no nat (inside,outside) source dynamic Allow_Go_Internet interface
nat (inside,outside) after-auto source dynamic Allow_Go_Internet interface

NAT-mistakes can cause communitation problems in VPN.

2) Your VPN-crypto is from the last century. 3DES/MD5/DH2 are legacy algorithms that shouldn't be used any more if not needed for some reason. And DES/RC4 is broken and should be removed completely.

 

Beginner

Hi Iwen,Thanks for your help.

Hi Iwen,

Thanks for your help. I did all work now.

Below is the final configuration for encryption and authentication method for remote access VPN and Site-2-site VPN

!

crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

!

crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800

!

In the policy 1 for remote access VPN, if I change the group to 5, the VPN will fail, and log out put show that "Miss-match in SA proposal: received 2 but configured 5". I wonder whether Cisco VPN client support diffie hellman 5?

Thanks

Highlighted
VIP Mentor

The more secure ike policy

The more secure ike policy should have the higher priority which is a smaller number. So I would configure there the following way (policy 30 only if really needed):

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800

crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

crypto ikev1 policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200

The Cisco VPN Client is EOL and not supported any longer. And yes, by default DH group 2 is used. But that can be configured by a parameter in the PCF-file.

There are two (three) better options:

  1. Best option with very little needed configuration:
    Move to AnyConnect with TLS. AnyConnect is the actual Cisco client that is also supported with Windows 8.x. The legacy IPsec client isn't.
  2. Best option with a little stronger crypto but more configuration:
    Move to AnyConnect with IPsec/IKEv2. 
  3. Move to a third-party client like shrew.net. I didn't use that client since a couple of years any more, but it's quite flexible and also has a config for a better DH-group.

For option 1) and 2) there is an extra license needed, but thats not very expensive.