
More than one site to site IP Sec Tunnel ASA 8.4

JDMJeffy84
Level 1

Hi Guys,

Need some expert assistance and help!

I currently have a Cisco ASA running 8.4 configured for an IPsec tunnel to a 3rd party, and it is working with no problem. However, I want to add another IPsec tunnel to a different vendor. Last time I tried this it took down the working one. I wonder if someone can advise on the following config snippet?

***Working****
crypto map OutsideMap 1 match address VPNtoNet
crypto map OutsideMap 1 set peer 1.1.1.1
crypto map OutsideMap 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map OutsideMap interface outside
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key blahblah

!
access-list in_outside extended permit ip host 1.1.1.1 any
access-list VPNtoNet extended permit ip object-group SVRS host 1.1.1.1
!
object-group network SVRS
 network-object host 192.168.22.22
!
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 30
!
***END****

***Adding new IPSec Tunnel****
// I think that to create multiple IPsec tunnels I increment the number for OutsideMap, since OutsideMap has already been applied to the outside interface?

- Configure crypto map and attach to interface
crypto map OutsideMap 2 match address VPNtoNet2
crypto map OutsideMap 2 set peer 1.2.3.4

- Configure transform-set
crypto map OutsideMap 2 set ikev1 transform-set ESP-AES-256-SHA
crypto map OutsideMap interface outside

- Configure tunnel group
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
ikev1 pre-shared-key TESTTEST

- Configure ACLs
object network Int_SVRs
subnet 192.168.1.0 255.255.255.0
description VLAN to be IPSec tunnel to 3rd Party
access-list in_outside extended permit ip host 1.2.3.4 any
access-list VPNtoNet2 extended permit ip object Int_SVRs host 1.2.3.4

Thanks in advance!

3 Replies

Jouni Forss
VIP Alumni

Hi,

Yes, you enter the new L2L VPN connection's parameters with the new number. However, you don't need to issue the "crypto map interface outside" command again, since the crypto map is already attached there.

Especially since this connection is configured with a higher number than the original L2L VPN configuration, it shouldn't affect it.

I would imagine that the more likely reason adding a new connection caused problems for the existing one is some misconfigured NAT, perhaps?

I find it strange, though, that on both of your L2L VPN configurations you have the encryption domain ACL configured so that the remote VPN gateway peer IP address is the only network/host on the remote end. Unless the IP addresses you changed for the post are following the correct logic.

It would probably be easier to troubleshoot if we could see the configuration in its form when you had problems with the existing L2L VPN.

- Jouni
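As an added illustration (not part of the thread and not Cisco's code), here is a small Python checker that parses an ASA 8.4-style config and verifies the cross-references a crypto map entry depends on: the match ACL exists and its `object` / `object-group` references are defined with the matching keyword, the transform set exists, and each peer has an `ipsec-l2l` tunnel-group with an IKEv1 pre-shared key. It also reports the next free sequence number, because re-issuing `crypto map OutsideMap 1 ...` edits entry 1 in place instead of adding a second tunnel. The embedded config is constructed from the snippets in this thread; the `crypto ipsec ikev1 transform-set` line is an assumption (the thread only references ESP-AES-256-SHA by name), and the second ACL deliberately names an object-group that is never defined so the checker has something to report.

```python
import re
from collections import defaultdict

# Constructed sample config (not from a live device), assembled from the thread's
# snippets. The transform-set definition is an assumption. The second ACL refers to
# an object-group that is never defined, which is the kind of mistake the checker finds.
SAMPLE_CONFIG = """\
object-group network SVRS
 network-object host 192.168.22.22
object network Int_SVRs
 subnet 192.168.1.0 255.255.255.0
access-list VPNtoNet extended permit ip object-group SVRS host 1.1.1.1
access-list VPNtoNet2 extended permit ip object-group IntCloud_SVRs host 1.2.3.4
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map OutsideMap 1 match address VPNtoNet
crypto map OutsideMap 1 set peer 1.1.1.1
crypto map OutsideMap 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map OutsideMap 2 match address VPNtoNet2
crypto map OutsideMap 2 set peer 1.2.3.4
crypto map OutsideMap 2 set ikev1 transform-set ESP-AES-256-SHA
crypto map OutsideMap interface outside
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key blahblah
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
 ikev1 pre-shared-key TESTTEST
"""

CRYPTO_MAP_ATTRS = {
    "acl": r"crypto map (\S+) (\d+) match address (\S+)",
    "peer": r"crypto map (\S+) (\d+) set peer (\S+)",
    "tset": r"crypto map (\S+) (\d+) set ikev1 transform-set (\S+)",
}


def parse_asa(config):
    """Collect the pieces of the config that an L2L crypto map entry cross-references."""
    p = {"objects": set(), "groups": set(), "tsets": set(),
         "acls": defaultdict(list),                       # ACL name -> list of ACEs
         "maps": defaultdict(lambda: defaultdict(dict)),  # map name -> seq -> attrs
         "tgs": defaultdict(dict)}                        # peer -> {type, psk}
    current_tg = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):   # an unindented line leaves the ipsec-attributes sub-mode
            current_tg = None
        if m := re.match(r"object network (\S+)", line):
            p["objects"].add(m[1])
        elif m := re.match(r"object-group network (\S+)", line):
            p["groups"].add(m[1])
        elif m := re.match(r"access-list (\S+) extended (.+)", line):
            p["acls"][m[1]].append(m[2])
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+)", line):
            p["tsets"].add(m[1])
        elif m := re.match(r"tunnel-group (\S+) type (\S+)", line):
            p["tgs"][m[1]]["type"] = m[2]
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes", line):
            current_tg = m[1]
        elif (m := re.match(r"ikev1 pre-shared-key (\S+)", line)) and current_tg:
            p["tgs"][current_tg]["psk"] = m[1]
        else:
            for key, pattern in CRYPTO_MAP_ATTRS.items():
                if m := re.match(pattern, line):
                    p["maps"][m[1]][int(m[2])][key] = m[3]
    return p


def check_l2l(p, map_name):
    """Return a list of findings for every entry of the map; empty means all references resolve."""
    findings = []
    for seq, attrs in sorted(p["maps"][map_name].items()):
        tag = f"{map_name} {seq}"
        for key in CRYPTO_MAP_ATTRS:
            if key not in attrs:
                findings.append(f"{tag}: no {key} configured")
        acl = attrs.get("acl")
        if acl and acl not in p["acls"]:
            findings.append(f"{tag}: ACL {acl} is not defined")
        for ace in p["acls"].get(acl, []):
            # 'object X' must name an 'object network'; 'object-group X' an 'object-group network'
            for name in re.findall(r"\bobject (\S+)", ace):
                if name not in p["objects"]:
                    findings.append(f"{tag}: ACL {acl} references undefined object {name}")
            for name in re.findall(r"\bobject-group (\S+)", ace):
                if name not in p["groups"]:
                    findings.append(f"{tag}: ACL {acl} references undefined object-group {name}")
        if (tset := attrs.get("tset")) and tset not in p["tsets"]:
            findings.append(f"{tag}: transform-set {tset} is not defined")
        if peer := attrs.get("peer"):
            tg = p["tgs"].get(peer, {})
            if tg.get("type") != "ipsec-l2l":
                findings.append(f"{tag}: no 'tunnel-group {peer} type ipsec-l2l'")
            elif "psk" not in tg:
                findings.append(f"{tag}: tunnel-group {peer} has no ikev1 pre-shared-key")
    return findings


def next_free_seq(p, map_name):
    """Sequence number for a new entry; reusing an existing number re-points that entry."""
    used = p["maps"][map_name]
    return max(used) + 1 if used else 1


if __name__ == "__main__":
    parsed = parse_asa(SAMPLE_CONFIG)
    print("\n".join(check_l2l(parsed, "OutsideMap") or ["no findings"]))
    print("next free entry:", next_free_seq(parsed, "OutsideMap"))
```

Run against the embedded config, the only finding is the undefined `IntCloud_SVRs` on entry 2, and the next free entry is 3. Changing that ACE to `object Int_SVRs` (the network object that is actually defined, referenced with `object` rather than `object-group`) clears the findings. A real `show running-config` contains much more than these patterns, but the parser ignores what it does not recognise, so it can be pointed at a saved config file as-is.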

Hi Jouni,

Thanks for the info. I will try the configuration out this weekend and let you know the outcome.

I looked through the configuration for the ASA and I can't find any NAT for this L2L VPN...

Yeah I took out some config, but what I'm trying to achieve is:

Site1 LAN: 192.168.1.0/24

to be able to communicate to:

Site 2 LAN: 172.16.1.0/24

So my ACL will be:

object network Int_SVRs
subnet 192.168.1.0 255.255.255.0
description VLAN to be IPSec tunnel to 3rd Party
!
object network Remote_SVRs
subnet 172.16.1.0 255.255.255.0
description VLAN to be IPSec tunnel to 3rd Party
!
access-list in_outside extended permit ip host 1.2.3.4 any
access-list VPNtoNet2 extended permit ip object Int_SVRs object Remote_SVRs
!
// This defines the interesting traffic to be tunneled to the other side

Rest of the VPN config:

- Configure crypto map and attach to interface
crypto map OutsideMap 2 match address VPNtoNet2
crypto map OutsideMap 2 set peer 1.2.3.4

- Configure transform-set
crypto map OutsideMap 2 set ikev1 transform-set ESP-AES-256-SHA

- Configure tunnel group
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
ikev1 pre-shared-key TESTTEST

Sorry, I'm not a pro on VPNs/security yet.

Thanks

Hi Jouni,

I ran the commands and used ICMP to bring up the tunnel, but it failed =(

sh crypto isakmp sa

2   IKE Peer: 1.2.3.4    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

debug crypto isakmp 3

VPN02# Sep 22 00:28:57 [IKEv1]IP = 1.2.3.4, IKE Initiator: New Phase 1, Intf inside, IKE Peer 1.2.3.4  local Proxy Address 192.168.1.0, remote Proxy Address 172.16.0.0,  Crypto map (OutsideMap)
Sep 22 00:28:57 [IKEv1]IP = 1.2.3.4, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Sep 22 00:28:57 [IKEv1]IP = 1.2.3.4, Information Exchange processing failed
Sep 22 00:29:05 [IKEv1]IP = 1.2.3.4, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Sep 22 00:29:05 [IKEv1]IP = 1.2.3.4, Information Exchange processing failed
Sep 22 00:29:13 [IKEv1]IP = 1.2.3.4, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Sep 22 00:29:13 [IKEv1]IP = 1.2.3.4, Information Exchange processing failed
Sep 22 00:29:21 [IKEv1]IP = 1.2.3.4, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Sep 22 00:29:21 [IKEv1]IP = 1.2.3.4, Information Exchange processing failed
Sep 22 00:29:47 [IKEv1]IKE Receiver ikev2 disabled on
Sep 22 00:29:48 [IKEv1]IKE Receiver ikev2 disabled on

Any suggestions? Could it be the peer is configured incorrectly?

Thanks
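An added example, not part of the thread, to show what the debug output above is saying. A NO_PROPOSAL_CHOSEN notify received while the initiator is still in MM_WAIT_MSG2 means the responder rejected the ISAKMP SA proposal carried in main mode message 1: none of its `crypto ikev1 policy` entries matched the encryption, hash, DH group and authentication method this ASA offered. The notify does not say which attribute was wrong, so the practical check is to line the two policy sets up side by side, which is what this Python script simulates. The local policy is the thread's `crypto ikev1 policy 10`; both remote policy sets are constructed assumptions standing in for the vendor's gateway, whose configuration the thread does not show.

```python
# IKEv1 main mode, message 1: the initiator offers every 'crypto ikev1 policy' it has.
# The responder walks its own policies, lowest number (highest priority) first, and
# accepts the first one whose encryption, hash, DH group and authentication all match
# an offered transform. If nothing matches it answers NO_PROPOSAL_CHOSEN and the
# initiator never leaves MM_WAIT_MSG2. Lifetime is not a match criterion on the ASA:
# when the two sides differ, the shorter lifetime is used.

MATCH_ATTRS = ("encryption", "hash", "group", "authentication")

# Local side: the policy from the thread's config (crypto ikev1 policy 10).
LOCAL_POLICIES = [
    {"priority": 10, "encryption": "aes-256", "hash": "sha", "group": 2,
     "authentication": "pre-share", "lifetime": 86400},
]

# Remote side: constructed assumptions, not the vendor's real configuration.
REMOTE_NO_MATCH = [   # same cipher and hash, but DH group 5 instead of 2
    {"priority": 10, "encryption": "aes-256", "hash": "sha", "group": 5,
     "authentication": "pre-share", "lifetime": 28800},
]
REMOTE_MATCH = [      # a non-matching higher-priority policy followed by a matching one
    {"priority": 5, "encryption": "3des", "hash": "md5", "group": 2,
     "authentication": "pre-share", "lifetime": 86400},
    {"priority": 10, "encryption": "aes-256", "hash": "sha", "group": 2,
     "authentication": "pre-share", "lifetime": 28800},
]


def negotiate_phase1(initiator, responder):
    """Simulate the responder's Phase 1 policy selection.

    Returns (remote_policy, local_policy, lifetime, mismatches). On failure the first
    three are None and 'mismatches' records, for every pair compared, exactly which
    attributes differed: the detail that the NO_PROPOSAL_CHOSEN notify leaves out.
    """
    mismatches = []
    for theirs in sorted(responder, key=lambda pol: pol["priority"]):
        for ours in sorted(initiator, key=lambda pol: pol["priority"]):
            diffs = [a for a in MATCH_ATTRS if theirs[a] != ours[a]]
            if not diffs:
                return theirs, ours, min(theirs["lifetime"], ours["lifetime"]), mismatches
            mismatches.append(
                f"remote policy {theirs['priority']} vs local policy {ours['priority']}: "
                + ", ".join(f"{a} {theirs[a]} != {ours[a]}" for a in diffs))
    return None, None, None, mismatches


def describe(initiator, responder):
    """One-line summary of the outcome."""
    theirs, ours, lifetime, mismatches = negotiate_phase1(initiator, responder)
    if theirs is None:
        return "NO_PROPOSAL_CHOSEN: " + "; ".join(mismatches)
    return (f"Phase 1 agreed on local policy {ours['priority']} / remote policy "
            f"{theirs['priority']}, lifetime {lifetime}s")


if __name__ == "__main__":
    print(describe(LOCAL_POLICIES, REMOTE_NO_MATCH))
    print(describe(LOCAL_POLICIES, REMOTE_MATCH))
```

With the first remote set the only difference is the DH group, which is enough for the responder to reject the proposal; with the second set the responder's policy 5 is skipped and policy 10 is chosen, with the shorter 28800-second lifetime. In practice the quickest fix is to ask the vendor for their Phase 1 parameters and either adjust policy 10 or add a second `crypto ikev1 policy` with a different number, so the existing tunnel's policy is left untouched.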