L2L issue, the tunnel does not getting up from one direction

kflampouras
Level 1

Hello,

We have configured an L2L VPN between an ASA and an 1841 router. We are facing this issue.

The tunnel never comes up from the 1841 side. When we generate traffic from the ASA side the tunnel comes up and we can see decrypted and encrypted packets.

Router 1841 config:

! IKEv1 phase 1 policy (3DES / MD5 / PSK / DH group 2, matching the ASA side)
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
! pre-shared key for the ASA peer
crypto isakmp key * address 213.249.XX.XX
!
! IPsec phase 2 proposal
crypto ipsec transform-set XXXXX esp-3des esp-md5-hmac
!
! crypto map entry for the ASA; ACL 111 defines the interesting traffic
crypto map EKO_BG 100 ipsec-isakmp
 set peer 213.249.x.x
 set security-association lifetime seconds 28800
 set transform-set XXXXX
 set pfs group2
 match address 111
!
! outside (WAN) subinterface: NAT outside and the crypto map are applied here
interface FastEthernet0/0.2
 encapsulation dot1Q 3338
 ip address 212.200.30.130 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 crypto map XXXXX
!
! PAT of the inside networks to the public /29, plus one-to-one statics
ip nat pool nat_pool 93.87.XX.XX 93.87.XX.XX prefix-length 29
ip nat inside source list 101 pool nat_pool overload
ip nat inside source static 10.70.2.10 93.87.18.161
ip nat inside source static 10.70.25.10 93.87.18.162
ip nat inside source static 10.70.36.5 93.87.18.163
ip nat inside source static 10.70.39.10 93.87.18.164
ip nat inside source static 10.70.5.10 93.87.18.165
!
! ACL 101 selects traffic for PAT (deny = exempt from NAT)
access-list 101 deny   ip 10.70.200.0 0.0.0.255 any
access-list 101 permit ip 10.70.0.0 0.0.255.255 any
! ACL 111 selects traffic for the tunnel (crypto ACL)
access-list 111 permit ip 10.70.200.0 0.0.0.255 172.40.10.100 0.0.0.3

ASA config:

! NAT exemption (no-NAT) ACL for the tunnel traffic
access-list inside_nat0_outbound extended permit ip 172.40.10.100 255.255.255.252 10.70.200.0 255.255.255.0
! crypto ACL for crypto map entry 320 (the 1841 peer)
access-list outside_cryptomap_320 remark xxxxxxx
access-list outside_cryptomap_320 extended permit ip 172.40.10.100 255.255.255.252 10.70.200.0 255.255.255.0
! policy NAT for host 10.8.x.x towards the remote 10.70.200.0/24 LAN
access-list inside_pnat_outbound_V5 extended permit ip host 10.8.x.x 10.70.200.0 255.255.255.0
pager lines 24
nat (inside) 9 access-list inside_pnat_outbound_V5
!
! IPsec phase 2 proposal, matching the router's transform set
crypto ipsec transform-set xxxxx esp-3des esp-md5-hmac
! crypto map entry 150 (another peer; the ACL name is not shown in the post)
crypto map mymap 150 match address
crypto map mymap 150 set pfs
crypto map mymap 150 set peer XXXXXX
crypto map mymap 150 set transform-set XXX
crypto map mymap 150 set security-association lifetime seconds 28800
crypto map mymap 150 set security-association lifetime kilobytes 10000
! crypto map entry 320: the 1841
crypto map mymap 320 match address outside_cryptomap_320
crypto map mymap 320 set pfs
crypto map mymap 320 set peer XXXXX
crypto map mymap 320 set transform-set XXXXX
crypto map mymap 320 set security-association lifetime seconds 28800
crypto map mymap 320 set security-association lifetime kilobytes 4608000
crypto map mymap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map mymap interface outside
!
! IKEv1 phase 1 policy, matching the router's isakmp policy 100
isakmp policy 150 authentication pre-share
isakmp policy 150 encryption 3des
isakmp policy 150 hash md5
isakmp policy 150 group 2
!
! L2L tunnel group keyed on the router's outside address
tunnel-group 212.200.x.x type ipsec-l2l
tunnel-group 212.200.x.x ipsec-attributes
 pre-shared-key *

Please advise.

Thank you.

4 Replies

mudjain
Level 1

Please enable the following while initiating the tunnel from either side:

from the router:

debug crypto isakmp

debug crypto ipsec

from the ASA:

debug crypto isakmp 127

debug crypto ipsec sa 127

After every attempt please collect show crypto isakmp sa and show crypto ipsec sa from either side.

Ashley Sahonta
Level 1

Have you set up your no-NAT rule on your router correctly? You would need:

deny ip 10.70.200.0 0.0.0.255 172.40.10.100 0.0.0.3
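The reason the no-NAT entry matters, as an added example that is not code from the thread: on IOS, a packet going inside to outside is translated by `ip nat inside source list ...` before the crypto map on the egress interface evaluates its `match address` ACL, so crypto ACL 111 is matched against the translated (PAT) source and never fires unless the LAN-to-remote traffic is exempted first. The script below models that order of operations together with top-down, first-match ACL evaluation, using the networks posted in the thread. The "no exemption" NAT ACL, the hosts and the PAT address are constructed for the demonstration (the posted ACL 101 already carries a broader `deny ip 10.70.200.0 0.0.0.255 any` entry, so this models the general rule rather than the poster's exact before-state); the ASA side's equivalent exemption is the inside_nat0_outbound ACL already shown above.

```python
"""Added example, not code from the thread: models why the NAT-exemption entry
that Ashley's reply adds to ACL 101 has to come before the PAT permit.

Two documented IOS behaviours are modelled:
  * for an inside->outside packet, `ip nat inside source list ...` translation
    runs before the crypto map on the egress interface evaluates its
    `match address` ACL, so the crypto ACL sees the translated source address;
  * an ACL is evaluated top-down, first match wins, implicit deny at the end.
Networks are the ones posted in the thread; the hosts, the PAT address and the
"no exemption" NAT ACL are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "<address> <wildcard>" or "any"
    dst: str     # "<address> <wildcard>" or "any"


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard-mask match: a 1 bit in the wildcard is a don't-care bit."""
    if spec == "any":
        return True
    base, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (b & ~w)


def acl_action(acl: List[Ace], src: str, dst: str) -> str:
    """Top-down, first match wins; no match means the implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action
    return "deny"


# Crypto ACL 111 exactly as posted for the router side of the tunnel.
ACL_111 = [Ace("permit", "10.70.200.0 0.0.0.255", "172.40.10.100 0.0.0.3")]

# Building blocks for the NAT ACL referenced by
# `ip nat inside source list 101 pool nat_pool overload`.
EXEMPT = Ace("deny", "10.70.200.0 0.0.0.255", "172.40.10.100 0.0.0.3")  # Ashley's line
PAT_ALL = Ace("permit", "10.70.0.0 0.0.255.255", "any")                   # posted permit

NAT_ACL_NO_EXEMPTION = [PAT_ALL]           # constructed: nothing exempted
NAT_ACL_EXEMPT_LAST = [PAT_ALL, EXEMPT]    # exemption placed after the permit
NAT_ACL_EXEMPT_FIRST = [EXEMPT, PAT_ALL]   # exemption placed first (correct)

PAT_ADDRESS = "93.87.18.166"  # constructed: an address inside the posted /29 pool


def inside_to_outside(nat_acl: List[Ace], src: str, dst: str) -> Dict[str, object]:
    """The two steps that matter here, in IOS order: NAT first, then crypto."""
    translated = src
    if acl_action(nat_acl, src, dst) == "permit":
        translated = PAT_ADDRESS          # overload PAT rewrites the source
    encrypted = acl_action(ACL_111, translated, dst) == "permit"
    return {"src_seen_by_crypto": translated, "encrypted": encrypted}


def compare_nat_acls(src: str = "10.70.200.10", dst: str = "172.40.10.101") -> Dict[str, bool]:
    """Whether a LAN->remote packet is sent through the tunnel under each NAT ACL."""
    return {
        "no_exemption": inside_to_outside(NAT_ACL_NO_EXEMPTION, src, dst)["encrypted"],
        "exempt_last": inside_to_outside(NAT_ACL_EXEMPT_LAST, src, dst)["encrypted"],
        "exempt_first": inside_to_outside(NAT_ACL_EXEMPT_FIRST, src, dst)["encrypted"],
    }


if __name__ == "__main__":
    for name, ok in compare_nat_acls().items():
        state = "encrypted" if ok else "PAT applied, crypto ACL 111 not matched"
        print(f"{name:13s}: {state}")
    # Internet-bound traffic from the same host must still be PATed:
    print(inside_to_outside(NAT_ACL_EXEMPT_FIRST, "10.70.200.10", "198.51.100.1"))
```

Only the "exempt_first" ordering lets the LAN host reach 172.40.10.100/30 untranslated, which is what allows ACL 111 to match and the router to initiate IKE; the same host's Internet-bound traffic is still PATed because the exemption entry only covers the remote /30.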

kflampouras
Level 1

Hello Ashley,

Thank you for this info. Now from the router side the tunnel comes up and I can see packets, but although the tunnel is up it cannot telnet to our server (172.40.10.100) on a specific port.

From the ASA side we can ping the router side and telnet.

Any ideas?

Thank you all for your answers!