01-07-2015 11:58 PM - edited 02-21-2020 08:00 PM
Hi community,
I am stuck on a site-to-site VPN configuration between an ASA (OS 9.1) and a Cisco IOS router (IOS 15.2-4.M4).
Attached are the ASA and router configurations. I also include the router debug output.
It seemed that the two sides have an ISAKMP configuration mismatch, but I already disabled the keepalive settings. I also disabled the PFS setting on both sides. But it doesn't work. I have no idea about this trouble.
Please help me. Any help is appreciated.
Thanks
01-08-2015 12:38 AM
I didn't look any further, but this can be a reason:
crypto map mymap 1 ipsec-isakmp dynamic dyn1
The dynamic CM always has to be the last sequence in a crypto map:
no crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap 65000 ipsec-isakmp dynamic dyn1
Try this first, then we can look further.
01-08-2015 01:30 AM
Hi Iwen,
The site-to-site VPN works now. But my remote access VPN is down. I cannot reconnect to the site behind the ASA device.
Please advise me.
01-08-2015 02:07 AM
Hi Iwen,
Last time I did "no crypto dynamic", some commands related to the dynamic VPN disappeared as well. I had to reconfigure them, and now both VPNs are working. Thanks for your support.
One more question please: The site behind the router can ping/telnet to the site behind the ASA, but the site behind the ASA cannot connect to the site behind the router. What can cause this problem?
Please advise.
01-08-2015 05:30 AM
Some more potential problems:
1) This NAT-line should always be the last:
nat (inside,outside) source dynamic Allow_Go_Internet interface
Change it to:
no nat (inside,outside) source dynamic Allow_Go_Internet interface
nat (inside,outside) after-auto source dynamic Allow_Go_Internet interface
NAT mistakes can cause communication problems in VPN.
2) Your VPN crypto is from the last century. 3DES/MD5/DH2 are legacy algorithms that shouldn't be used any more unless needed for some reason. And DES/RC4 is broken and should be removed completely.
01-08-2015 08:09 PM
Hi Iwen,
Thanks for your help. I have done all the work now.
Below is the final configuration for the encryption and authentication methods for the remote access VPN and the site-to-site VPN:
!
crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 43200
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
!
In policy 1 for the remote access VPN, if I change the group to 5, the VPN fails, and the log output shows "Miss-match in SA proposal: received 2 but configured 5". I wonder whether the Cisco VPN Client supports Diffie-Hellman group 5?
Thanks
01-09-2015 02:20 AM
The more secure IKE policy should have the higher priority, which is the smaller number. So I would configure it the following way (policy 30 only if really needed):
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ikev1 policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 43200
The Cisco VPN Client is EOL and no longer supported. And yes, by default DH group 2 is used, but that can be configured by a parameter in the PCF file.
There are two (three) better options:
For options 1) and 2) an extra license is needed, but that's not very expensive.
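The pitfalls raised across this thread (a dynamic crypto map entry that is not the last sequence, a catch-all dynamic NAT rule that is not after-auto and shadows the VPN NAT rules, a stronger IKEv1 policy sitting behind a weaker one with a smaller number, and legacy DES/3DES/MD5/DH2 settings) can all be caught by reading the running-config before it is pushed. The following linter is an added example written for this page, not code from the thread or from Cisco. It parses a constructed ASA config excerpt (the object names, ACL name and the 203.0.113.2 peer address are made up), and the ENC_RANK/HASH_RANK tables used to rank policy strength are the author's assumption, not an ASA ordering rule.

```python
import re
from collections import defaultdict

# Constructed sample ASA config (not the poster's attachment); it deliberately
# reproduces each pitfall raised in the thread. Object names and the
# 203.0.113.2 peer address are made up.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set oldset esp-3des esp-md5-hmac
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap 10 match address vpn-acl
crypto map mymap 10 set peer 203.0.113.2
nat (inside,outside) source dynamic Allow_Go_Internet interface
nat (inside,outside) source static LAN LAN destination static REMOTE REMOTE
crypto ikev1 policy 1
 encryption aes
 hash sha
 group 2
crypto ikev1 policy 5
 encryption aes-256
 hash sha
 group 5
"""

# Assumed strength ranking used only to compare policies with each other.
ENC_RANK = {"des": 0, "3des": 1, "aes": 2, "aes-192": 3, "aes-256": 4}
HASH_RANK = {"md5": 0, "sha": 1}
LEGACY_TOKENS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}

def check_dynamic_crypto_map(lines):
    """The dynamic entry must hold the highest sequence number of its crypto map,
    otherwise it is matched before the static L2L peers that follow it."""
    seqs = defaultdict(dict)  # map name -> {sequence number: is_dynamic}
    for line in lines:
        m = re.match(r"crypto map (\S+) (\d+) (.*)", line)
        if m:
            name, seq = m.group(1), int(m.group(2))
            dyn = m.group(3).startswith("ipsec-isakmp dynamic")
            seqs[name][seq] = seqs[name].get(seq, False) or dyn
    return [f"crypto map {name}: dynamic entry seq {seq} must be the last "
            f"sequence (highest is {max(entries)})"
            for name, entries in seqs.items()
            for seq, dyn in entries.items() if dyn and seq < max(entries)]

def check_nat_order(lines):
    """A catch-all dynamic manual NAT placed above other manual rules shadows
    them (VPN identity/exemption NAT included); it belongs in after-auto."""
    manual = [l for l in lines if re.match(r"nat \(\S+\) (after-auto )?source ", l)]
    return [f"NAT rule shadows {len(manual) - i - 1} later manual rule(s); "
            f"make it after-auto: {rule.strip()}"
            for i, rule in enumerate(manual[:-1])
            if " source dynamic " in rule and "after-auto" not in rule]

def parse_ikev1_policies(lines):
    """Return {priority: {keyword: value}} for every 'crypto ikev1 policy' block."""
    policies, current = {}, None
    for line in lines:
        m = re.match(r"crypto ikev1 policy (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
        elif current is not None and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            policies[current][key] = val
        else:
            current = None  # any other top-level line ends the block
    return policies

def strength(policy):
    """Comparable strength vector: (encryption rank, DH group, hash rank)."""
    return (ENC_RANK.get(policy.get("encryption"), -1),
            int(policy.get("group", 0)),
            HASH_RANK.get(policy.get("hash"), -1))

def check_ikev1_policy_order(policies):
    """The lower number wins, so flag a policy that is at least as strong in every
    component (and stronger in one) as a policy with a smaller number."""
    prio = sorted(policies)
    return [f"ikev1 policy {b} is stronger than policy {a} but has lower "
            f"priority; swap their numbers"
            for i, a in enumerate(prio) for b in prio[i + 1:]
            if strength(policies[a]) != strength(policies[b])
            and all(y >= x for x, y in zip(strength(policies[a]), strength(policies[b])))]

def check_legacy_algorithms(lines, policies):
    """Flag DES/3DES/MD5 on any line and DH group 1 or 2 in IKEv1 policies."""
    hits = [f"legacy algorithm {sorted(set(l.split()) & LEGACY_TOKENS)} in: {l.strip()}"
            for l in lines if set(l.split()) & LEGACY_TOKENS]
    return hits + [f"ikev1 policy {n}: DH group {p['group']} is legacy; prefer group 5 or higher"
                   for n, p in policies.items() if int(p.get("group", "99")) <= 2]

def lint(config_text):
    """Run every check over one ASA running-config and return all findings."""
    lines = config_text.splitlines()
    policies = parse_ikev1_policies(lines)
    return (check_dynamic_crypto_map(lines) + check_nat_order(lines)
            + check_ikev1_policy_order(policies)
            + check_legacy_algorithms(lines, policies))
```

Calling `lint(SAMPLE_CONFIG)` on the constructed excerpt returns five findings: the dynamic crypto map at sequence 1, the dynamic NAT rule shadowing the static VPN rule, policy 5 outranked by the weaker policy 1, the 3DES/MD5 transform set, and DH group 2 in policy 1. Applying the fixes from the thread (sequence 65000 for the dynamic entry, after-auto for the PAT rule, the stronger policy at the smaller number) clears the ordering findings.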