IPsec VPN site-to-site between ASA and Cisco Router problem. Please help

tranminhc
Level 1

Hi community,


I am stuck on a site-to-site VPN configuration between an ASA (OS 9.1) and a Cisco IOS router (IOS 15.2-4.M4).

Attached are the ASA and router configurations. I also included the router debug output.

It seems that the two sides have an ISAKMP configuration mismatch, but I already disabled the keepalive settings. I also disabled the PFS setting on both sides. But it doesn't work. I have no idea about this trouble.

Please help me. Any help is appreciated.

Thanks


Accepted Solution

I didn't look any further, but this can be a reason:

crypto map mymap 1 ipsec-isakmp dynamic dyn1

The dynamic CM always has to be the last sequence in a crypto map:

no crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap 65000 ipsec-isakmp dynamic dyn1

Try this first, then we can look further.


6 Replies

Hi Iwen,

The site-to-site VPN works now. But my remote access VPN is down. I cannot reconnect to the site behind the ASA device.

Please advise me.

Hi Iwen,

Last time, when I did "no crypto dynamic", some commands related to the dynamic VPN disappeared as well. I had to reconfigure them, and now both VPNs are working. Thanks for your support.

One more question please: the site behind the router can ping/telnet to the site behind the ASA, but the site behind the ASA cannot connect to the site behind the router. What can cause this problem?

Please advise.

Some more potential problems:

1) This NAT-line should always be the last:

nat (inside,outside) source dynamic Allow_Go_Internet interface

Change it to:

no nat (inside,outside) source dynamic Allow_Go_Internet interface
nat (inside,outside) after-auto source dynamic Allow_Go_Internet interface

NAT mistakes can cause communication problems in VPN.

2) Your VPN-crypto is from the last century. 3DES/MD5/DH2 are legacy algorithms that shouldn't be used any more if not needed for some reason. And DES/RC4 is broken and should be removed completely.


Hi Iwen,

Thanks for your help. I have done all the work now.

Below is the final configuration for the encryption and authentication methods for the remote access VPN and the site-to-site VPN:

!

crypto ipsec ikev1 transform-set myset esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

!

crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800

!

In policy 1 for the remote access VPN, if I change the group to 5, the VPN fails, and the log output shows "Miss-match in SA proposal: received 2 but configured 5". I wonder whether the Cisco VPN Client supports Diffie-Hellman group 5?

Thanks

The more secure IKE policy should have the higher priority, which is a smaller number. So I would configure it the following way (policy 30 only if really needed):

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800

crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

crypto ikev1 policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200

The Cisco VPN Client is EOL and not supported any longer. And yes, by default DH group 2 is used. But that can be configured by a parameter in the PCF-file.

There are two (three) better options:

  1. Best option with very little needed configuration:
    Move to AnyConnect with TLS. AnyConnect is the actual Cisco client that is also supported with Windows 8.x. The legacy IPsec client isn't.
  2. Best option with a little stronger crypto but more configuration:
    Move to AnyConnect with IPsec/IKEv2.
  3. Move to a third-party client like shrew.net. I haven't used that client for a couple of years now, but it's quite flexible and also has a config for a better DH group.

For options 1) and 2) an extra license is needed, but that's not very expensive.
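As an added example (not from this thread, and not Cisco's own tooling), a small Python lint that checks an ASA configuration for the three ordering problems raised above: a dynamic crypto map entry that is not the last sequence, a manual dynamic PAT rule without after-auto, and a stronger IKEv1 policy numbered after a weaker one. The sample configuration, the ENC_RANK ordering and the function names are constructed for the example.

```python
import re
# Constructed sample ASA config (not from the thread's attachments) with the three pitfalls.
SAMPLE_CONFIG = """\
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap 10 match address VPN_TO_ROUTER
nat (inside,outside) source dynamic Allow_Go_Internet interface
crypto ikev1 policy 1
 encryption aes
 group 2
crypto ikev1 policy 5
 encryption aes-256
 group 5
"""
# Rough ranking of the encryption keyword (assumed for this example); unknown or missing ranks lowest.
ENC_RANK = {"des": 0, "3des": 1, "aes": 2, "aes-192": 3, "aes-256": 4}

def policy_strength(policy):
    # (encryption rank, DH group): a larger tuple means a stronger policy.
    return (ENC_RANK.get(policy.get("encryption"), -1), int(policy.get("group", 0)))

def lint_asa_vpn_config(text):
    findings, maps, policies, cur = [], {}, {}, None
    for line in text.splitlines():
        if line.startswith("crypto ikev1 policy "):
            cur = int(line.split()[3])
            policies[cur] = {}
        elif line.startswith(" ") and cur is not None:
            key, _, val = line.strip().partition(" ")
            policies[cur][key] = val
        else:
            cur = None
            m = re.match(r"crypto map (\S+) (\d+) ", line)
            if m:
                seqs = maps.setdefault(m.group(1), {})
                seqs[int(m.group(2))] = seqs.get(int(m.group(2))) or " dynamic " in line
            elif line.startswith("nat ") and " source dynamic " in line and "after-auto" not in line:
                # 2) Manual (section 1) PAT is evaluated before the VPN's static/identity NAT rules.
                findings.append("nat: use 'after-auto' for " + line.strip())
    # 1) The dynamic crypto map entry must carry the highest sequence number in its map.
    for name, seqs in maps.items():
        for seq, dynamic in seqs.items():
            if dynamic and seq < max(seqs):
                findings.append(f"crypto map {name} {seq}: dynamic entry must be last (after {max(seqs)})")
    # 3) A stronger policy numbered after a weaker one is only offered as a fallback.
    nums = sorted(policies)
    for i, a in enumerate(nums):
        for b in nums[i + 1:]:
            if policy_strength(policies[b]) > policy_strength(policies[a]):
                findings.append(f"ikev1 policy {b} is stronger than policy {a} but has lower priority")
    return findings
```

Running lint_asa_vpn_config(SAMPLE_CONFIG) reports all three problems; the corrected entries from this thread (dynamic map at 65000, after-auto PAT, strongest policy first) produce no findings.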