Site to Site VPN ASA5505 and Cisco 3825

smohur123 · ‎02-28-2010

Hi

After configuration of site to site vpn for ip 212.94.157.121(cisco 3825) to 121.243.184.199(ASA 5505), the VPN is not coming up.

I've attached both configurations. Please help.

Thanks

Shameem

Herbert Baerten · ‎03-01-2010

Hi Shameem,

I see the ASA is configured to do PFS (group 2, if no group is specified), but the router is not.

Try this:

crypto map SDM_CMAP_1 1 ipsec-isakmp
set pfs group2

If that doesn't help, enable these debugs:

on the router:

debug crypto isakmp

debug crypto ipsec

on the ASA:

debug crypto isakmp 10

debug crypto ipsec 10

Enable them all at the same time, and try to bring up the tunnel.

Get the debug output, as well as:

show crypto isakmp sa

show crypto ipsec sa peer n.n.n.n (ip address of the other side)

BTW - you are aware of the limited security DES encryption offers? Why not use 3DES or AES (both peers seem to support it) ?

hth

Herbert

smohur123 · ‎03-01-2010

Hi

It's still not working. How to bring up the tunnel.

Below are the results.

From ASA:

SYCO-ciscoasa# sh crypto isakmp sa

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 41.212.209.215

Type : user Role : responder

Rekey : no State : AM_ACTIVE

SYCO-ciscoasa# sh crypto ipsec sa peer 212.94.157.121

There are no ipsec sas for peer 212.94.157.121

From Cisco 3825:

MAR#debug crypto isakmp

Crypto ISAKMP debugging is on

MAR#debug crypto ipsec

Crypto IPSEC debugging is on

MAR#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

IPv6 Crypto ISAKMP SA

MAR#sh crypto ipsec sa peer 121.243.184.199

interface: GigabitEthernet0/0

Crypto map tag: SDM_CMAP_1, local addr 212.94.157.121

protected vrf: (none)

local ident (addr/mask/prot/port): (172.28.53.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (172.28.0.0/255.255.0.0/0/0)

current_peer 121.243.184.199 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 212.94.157.121, remote crypto endpt.: 121.243.184.199

path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0

current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

MAR#

Herbert Baerten · ‎03-01-2010

Well, the tunnel should come up automatically as soon as there is traffic that matches the crypto access-list (this is usually referred to as "interesting traffic"). So for example try a ping from one network to the other.

If that does not cause the tunnel to come up, please provide the debug output from both sides.

smohur123 · ‎03-01-2010

Hi

I've done logging ip address of kiwi syslog server. I've done logging trap debugging. Still cannot get debug output.

contech-nelsong · ‎03-01-2010

your local and remote encryption domains overlap, that's probably causing your problem.

local ident (addr/mask/prot/port): (172.28.53.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (172.28.0.0/255.255.0.0/0/0)

nat one side to prevent the overlap

smohur123 · ‎03-02-2010

Hi

I've changed the access-list as follows and got the following results for isakmp and ipsec sa:

I've attached the debug info for the 3825

access-list 101 remark SDM_ACL Category=4

access-list 101 remark IPSec Rule

access-list 101 permit ip 172.28.53.0 0.0.0.127 172.28.45.0 0.0.0.127

access-list 130 deny ip 172.28.53.0 0.0.0.127 172.28.45.0 0.0.0.127

access-list 130 permit ip 172.28.53.0 0.0.0.127 any

MAR#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

121.243.184.199 212.94.157.121 MM_NO_STATE 4012 0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

MAR#sh crypto ipsec sa

interface: GigabitEthernet0/0

Crypto map tag: SDM_CMAP_1, local addr 212.94.157.121

protected vrf: (none)

local ident (addr/mask/prot/port): (172.28.53.0/255.255.255.128/0/0)

remote ident (addr/mask/prot/port): (172.28.45.0/255.255.255.128/0/0)

current_peer 121.243.184.199 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 50, #recv errors 0

local crypto endpt.: 212.94.157.121, remote crypto endpt.: 121.243.184.199

path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0

current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

MAR#

nomair_83 · ‎03-02-2010

try removing pfs on both devices and configure same crypto isakmp policy for both.

2nd, remove ipsec over udp commands.(if this is the same vpn group which is not working)

then try..

smohur123 · ‎03-03-2010

Hi

Thanks, it's working now. Below is the results of isakmp and ipsec sa. But I don't get replies from ping and cannot ssh.

MAR#sh crypto ipsec sa

interface: GigabitEthernet0/0

Crypto map tag: SDM_CMAP_1, local addr 212.94.157.121

protected vrf: (none)

local ident (addr/mask/prot/port): (172.28.53.0/255.255.255.128/0/0)

remote ident (addr/mask/prot/port): (172.28.45.0/255.255.255.128/0/0)

current_peer 121.243.184.199 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 56, #recv errors 0

local crypto endpt.: 212.94.157.121, remote crypto endpt.: 121.243.184.199

path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0

current outbound spi: 0x9690D5D7(2526074327)

inbound esp sas:

spi: 0xCDD5D3C1(3453342657)

transform: esp-des esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 3, flow_id: AIM-VPN/SSL-3:3, crypto map: SDM_CMAP_1

sa timing: remaining key lifetime (k/sec): (4526118/3518)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x9690D5D7(2526074327)

transform: esp-des esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 4, flow_id: AIM-VPN/SSL-3:4, crypto map: SDM_CMAP_1

sa timing: remaining key lifetime (k/sec): (4526116/3503)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

MAR#

SYCO-ciscoasa# sh isakmp sa

Active SA: 2

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 2

1 IKE Peer: 212.94.157.121

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

2 IKE Peer: 41.212.209.143

Type : user Role : responder

Rekey : no State : AM_ACTIVE

SYCO-ciscoasa# sh ipsec sa

interface: outside

Crypto map tag: outside_map, seq num: 3, local addr: 121.243.184.199

access-list outside_3_cryptomap permit ip 172.28.45.0 255.255.255.128 172. 28.53.0 255.255.255.128

local ident (addr/mask/prot/port): (172.28.45.0/255.255.255.128/0/0)

remote ident (addr/mask/prot/port): (172.28.53.0/255.255.255.128/0/0)

current_peer: 212.94.157.121

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 121.243.184.199, remote crypto endpt.: 212.94.157.121

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: CDD5D3C1

inbound esp sas:

spi: 0x9690D5D7 (2526074327)

transform: esp-des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 528384, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (4274999/2922)

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0xCDD5D3C1 (3453342657)

transform: esp-des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 528384, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (4275000/2922)

IV size: 8 bytes

replay detection support: Y

Crypto map tag: outside_dyn_map, seq num: 10, local addr: 121.243.184.199

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (172.28.45.75/255.255.255.255/0/0)

current_peer: 41.212.209.143, username: SYCOtelecom

dynamic allocated peer ip: 172.28.45.75

#pkts encaps: 152, #pkts encrypt: 152, #pkts digest: 152

#pkts decaps: 451, #pkts decrypt: 451, #pkts verify: 451

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 164, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 121.243.184.199/4500, remote crypto endpt.: 41.212.209.143/2823

path mtu 1500, ipsec overhead 66, media mtu 1500

current outbound spi: 15649486

inbound esp sas:

spi: 0x65B06151 (1706058065)

transform: esp-3des esp-sha-hmac none

in use settings ={RA, Tunnel, NAT-T-Encaps, }

slot: 0, conn_id: 532480, crypto-map: outside_dyn_map

sa timing: remaining key lifetime (sec): 287810

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0x15649486 (358913158)

transform: esp-3des esp-sha-hmac none

in use settings ={RA, Tunnel, NAT-T-Encaps, }

slot: 0, conn_id: 532480, crypto-map: outside_dyn_map

sa timing: remaining key lifetime (sec): 287808

IV size: 8 bytes

replay detection support: Y

SYCO-ciscoasa# ping 172.28.53.87

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.28.53.87, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

SYCO-ciscoasa#

contech-nelsong · ‎03-03-2010

That's almost cetainly failing now because of the overlap in networks.

once the 172.28.53.0/25 network traffic hits the 172.28.0.0/16 network it wont have a return path simply because the router thinks that network is directly connected.

You have to NAT the source before it hits the 172.28.0.0/16 network.

I'm not sure how you do that in IOS, but I'm confident that it'll be possible.

Note that once you've done NAT on the source your encryption domain will no longer be valid, so you'll have to rewrite that part too.

smohur123 · ‎03-04-2010

Hi

Now that I've changed the network of the 3825 to 171.28.53.0 instead of 17228.53.0, the VPN is not coming up. Attached are my new configs.

smohur123 · ‎03-05-2010

Hi

I think that the ASA is allowing only 172.28.0.0/16 networks to go inside. Because when trying to configure other L2L also I'm are having the same problem.

Please help