L2L VPN Hub and Spoke using ASA 5510

john.dejesus
Level 1

Hi,

I'm setting up a L2L VPN Hub and Spoke. I have 3 sites (1 HUB and 2 SPOKES).

HUB-----------SPOKE1
   |
   |
   |
SPOKE 2

HUB and SPOKE 1 are okay. My problem is the communication between HUB and SPOKE 2. PING failed in both directions. BTW, I am simulating this only in GNS3. :-) The configuration for HUB and SPOKE 1 is the same as for HUB and SPOKE 2. I'm kinda lost here. Can someone shed some light on this? Thank you in advance.

Here are my show isakmp sa and show ipsec sa outputs on HUB:

ciscoasa# sh isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 210.24.x.x
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

ciscoasa# sh ipsec sa
interface: outside
    Crypto map tag: VPN-MAP, seq num: 20, local addr: 58.145.x.x

      access-list 30 permit ip 10.21.99.0 255.255.255.0 10.21.0.0 255.255.255.0 log
      local ident (addr/mask/prot/port): (10.21.99.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.21.0.0/255.255.255.0/0/0)
      current_peer: 210.24.x.x

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

show isakmp sa and show ipsec sa on SPOKE2:

ciscoasa# show isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 58.145.x.x
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

ciscoasa# show ipsec sa
interface: outside
    Crypto map tag: VPN-MAP, seq num: 10, local addr: 210.24.x.x

      access-list 20 permit ip 10.21.0.0 255.255.255.0 10.21.99.0 255.255.255.0 log
      local ident (addr/mask/prot/port): (10.21.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.21.99.0/255.255.255.0/0/0)
      current_peer: 58.145.x.x

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

4 Replies

Matt Lang
Level 1

From the output you provided, SPOKE2 is decrypting traffic received from the hub, but traffic going back to the hub doesn't appear to be getting encrypted and sent back across the tunnel.  There are two reasons this could happen.  The first reason is maybe a missing route, but since this is a spoke, I am guessing that there is a default route on the ASA pointing toward the ISP.

The second reason is that you haven't applied any NAT bypass rules for this specific traffic.  Can you verify you have something such as the following:

--------------------------------------------------
access-list nonat permit ip 10.21.0.0 255.255.255.0 10.21.99.0 255.255.255.0
nat (inside) 0 access-list nonat
--------------------------------------------------

Matt
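The two checks Matt describes (encaps/decaps asymmetry on the spoke, and a NAT exemption that actually covers the crypto ACL's subnets) can be scripted against the show output. This is an added example, not code from the thread or from Cisco; the show output and the nat 0 config it parses are constructed samples using RFC 5737 public addresses, and the nonat ACL is deliberately written for the wrong hub subnet so the check has something to report.

```python
import re

# Constructed "show ipsec sa" excerpt from a spoke ASA showing the one-way counters
# (decaps > 0, encaps == 0) discussed in the thread; public IPs are RFC 5737 ranges.
SPOKE_SHOW_IPSEC_SA = """\
interface: outside
    Crypto map tag: VPN-MAP, seq num: 10, local addr: 203.0.113.2
      access-list 20 permit ip 10.21.0.0 255.255.255.0 10.21.99.0 255.255.255.0 log
      local ident (addr/mask/prot/port): (10.21.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.21.99.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
"""
# Constructed NAT exemption from the same spoke; it deliberately names the wrong hub
# subnet (10.21.50.0) so the check below has something to report.
SPOKE_NAT_CONFIG = """\
access-list nonat permit ip 10.21.0.0 255.255.255.0 10.21.50.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

def parse_ipsec_sa(text: str) -> list[dict]:
    """One dict per crypto map entry: local/remote (net, mask) and encaps/decaps counts."""
    sas, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Crypto map tag:"):
            cur = {"encaps": 0, "decaps": 0}
            sas.append(cur)
        elif cur and (m := re.match(r"(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/", line)):
            cur[m.group(1)] = (m.group(2), m.group(3))
        elif cur and (m := re.match(r"#pkts (encaps|decaps): (\d+)", line)):
            cur[m.group(1)] = int(m.group(2))
    return sas

def diagnose(sa: dict, nat_config: str) -> list[str]:
    """Flag a one-way SA and verify a 'nat (...) 0' ACL exempts this SA's subnets."""
    findings = []
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        findings.append("one-way: decrypting peer traffic but never encrypting a reply")
    elif sa["encaps"] > 0 and sa["decaps"] == 0:
        findings.append("one-way: encrypting to peer but nothing is decrypted from it")
    m = re.search(r"^nat \(\S+\) 0 access-list (\S+)", nat_config, re.M)
    if not m:
        return findings + ["no 'nat (interface) 0 access-list' exemption configured"]
    acl, (lnet, lmask), (rnet, rmask) = m.group(1), sa["local"], sa["remote"]
    want = f"access-list {acl} permit ip {lnet} {lmask} {rnet} {rmask}"
    if not any(l.strip().startswith(want) for l in nat_config.splitlines()):
        findings.append(f"{acl} lacks '{want}': replies are translated before the "
                        "crypto ACL is evaluated, so they never enter the tunnel")
    return findings
```

Run `diagnose(sa, config)` for each entry returned by `parse_ipsec_sa`; an empty list means the counters move both ways and the exemption line for that SA's subnets is present.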

Please copy your config on the forum.

Yes, those lines are in my configuration. I think this is a bug in GNS3. It's working now (on a real ASA though).
