IPsec VPN site-to-site between ASA and Cisco Router problem. Please help

tranminhc
Level 1

Hi community,

I am stuck in a site-to-site VPN configuration between an ASA (OS 9.1) and a Cisco IOS router (IOS 15.2-4.M4).

Attached are the ASA and router configurations. I also include the router debug output.

It seems that the two sides have an ISAKMP configuration mismatch, but I already disabled the keepalive settings. I also disabled the PFS setting on both sides. But it doesn't work. I have no idea about this trouble.

Please help me. Any help is appreciated.

Thanks


Accepted Solution

I didn't look any further, but this can be a reason:

crypto map mymap 1 ipsec-isakmp dynamic dyn1

The dynamic CM always has to be the last sequence in a crypto map:

no crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap 65000 ipsec-isakmp dynamic dyn1

Try this first, then we can look further.


Hi Iwen,

The site-to-site VPN works now. But my remote access VPN is down. I cannot reconnect to the site behind the ASA device.

Please advise me.

Hi Iwen,

Last time, when I did "no crypto dynamic", some commands related to the dynamic VPN disappeared as well. I had to reconfigure them, and now both VPNs are working. Thanks for your support.

One more question please: the site behind the router can ping/telnet to the site behind the ASA, but the site behind the ASA cannot connect to the site behind the router. What can cause this problem?

Please advise.

Some more potential problems:

1) This NAT line should always be the last:

nat (inside,outside) source dynamic Allow_Go_Internet interface

Change it to:

no nat (inside,outside) source dynamic Allow_Go_Internet interface
nat (inside,outside) after-auto source dynamic Allow_Go_Internet interface

NAT mistakes can cause communication problems in VPNs.

2) Your VPN crypto is from the last century. 3DES/MD5/DH2 are legacy algorithms that shouldn't be used any more if not needed for some reason. And DES/RC4 is broken and should be removed completely.

Hi Iwen,

Thanks for your help. Everything works now.

Below is the final configuration for the encryption and authentication methods for the remote access VPN and the site-to-site VPN:

!

crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

!

crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800

!

In policy 1 for the remote access VPN, if I change the group to 5, the VPN will fail, and the log output shows "Miss-match in SA proposal: received 2 but configured 5". I wonder whether the Cisco VPN Client supports Diffie-Hellman group 5?

Thanks

The more secure IKE policy should have the higher priority, which is the smaller number. So I would configure it the following way (policy 30 only if really needed):

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800

crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

crypto ikev1 policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200

The Cisco VPN Client is EOL and not supported any longer. And yes, by default DH group 2 is used. But that can be configured by a parameter in the PCF-file.

There are two (three) better options:

  1. Best option with very little needed configuration:
    Move to AnyConnect with TLS. AnyConnect is the actual Cisco client that is also supported with Windows 8.x. The legacy IPsec client isn't.
  2. Best option with a little stronger crypto but more configuration:
    Move to AnyConnect with IPsec/IKEv2. 
  3. Move to a third-party client like shrew.net. I haven't used that client for a couple of years, but it's quite flexible and also has a config option for a better DH group.

For options 1) and 2) an extra license is needed, but that's not very expensive.
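The three ordering mistakes raised in this thread (a dynamic crypto map entry that is not the last sequence, a manual dynamic NAT/PAT rule that is not placed `after-auto` behind the VPN's static rule, and a weaker IKEv1 policy holding a higher priority than a stronger one) can be caught before pushing a config. The following Python lint is an added example, not code from the thread or from Cisco; the ASA fragment is constructed to reproduce the mistakes, and the encryption ranking and the policy defaults (3DES, group 2) are assumptions made for the check.

```python
import re
from collections import defaultdict

# Constructed ASA fragment (not from the thread's attachments) reproducing its three mistakes.
SAMPLE_CONFIG = """\
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap 10 match address outside_cryptomap
nat (inside,outside) source dynamic Allow_Go_Internet interface
nat (inside,outside) source static LAN LAN destination static REMOTE REMOTE
crypto ikev1 policy 1
 encryption aes
 group 2
crypto ikev1 policy 5
 encryption aes-256
 group 5
"""

MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (ipsec-isakmp dynamic|match|set)")
NAT_RE = re.compile(r"^nat \(\S+,\S+\) (after-auto )?source (dynamic|static) ")
POLICY_RE = re.compile(r"^crypto ikev1 policy (\d+)")
ENC_RANK = {"des": 0, "3des": 1, "aes": 2, "aes-192": 3, "aes-256": 4}  # assumed ranking

def lint_config(text):
    """Return findings for the three ordering mistakes discussed in the thread."""
    findings, maps, policies, cur = [], defaultdict(dict), {}, None
    pat_seen = False  # manual dynamic PAT without 'after-auto' seen above a later rule
    for line in text.splitlines():
        if m := MAP_RE.match(line):
            name, seq = m.group(1), int(m.group(2))
            maps[name][seq] = maps[name].get(seq, False) or m.group(3).endswith("dynamic")
        elif m := NAT_RE.match(line):
            if m.group(2) == "dynamic" and not m.group(1):
                pat_seen = True
            elif m.group(2) == "static" and pat_seen:
                findings.append("manual dynamic NAT to interface precedes a static VPN NAT rule; move it with 'after-auto'")
                pat_seen = False  # report once
        elif m := POLICY_RE.match(line):
            cur = int(m.group(1))
            policies[cur] = {"encryption": "3des", "group": "2"}  # assumed ASA defaults
        elif cur is not None and (m := re.match(r"^ (encryption|group) (\S+)", line)):
            policies[cur][m.group(1)] = m.group(2)
    for name, entries in maps.items():
        for seq, is_dyn in entries.items():
            if is_dyn and seq != max(entries):  # dynamic entry must carry the highest sequence
                findings.append(f"crypto map {name}: dynamic entry seq {seq} is not the last sequence")
    ranked = sorted(policies.items())  # lower policy number = higher priority
    for (p1, a), (p2, b) in zip(ranked, ranked[1:]):
        if (ENC_RANK[a["encryption"]], int(a["group"])) < (ENC_RANK[b["encryption"]], int(b["group"])):
            findings.append(f"ikev1 policy {p1} is weaker than policy {p2} but has higher priority")
    return findings
```

Running `lint_config(SAMPLE_CONFIG)` reports all three problems; after applying the fixes given in this thread (sequence 65000 for the dynamic entry, `after-auto` on the PAT rule, the stronger policy at the lower number) it returns an empty list.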
