VPN ASA to CISCO IOS Using Loopback IF

Hi

I'm trying to create a VPN between a Cisco ASA 5510 and an ASR1002 where my Loopback interface is the source IP.

(I understand I cannot VPN ASA to Cisco IOS SVTI...)

So if anyone could help me here it would be legendary.

crypto keyring KEYS-WC-TEST
  local-address 1.1.1.54
  pre-shared-key address 2.2.2.54 key test123
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp profile ISAKMP-WC-TEST
   keyring KEYS-WC-TEST
   match identity address 2.2.2.54 255.255.255.255
   local-address 1.1.1.54
   virtual-template 1
crypto ipsec transform-set TRANS_SET-WC-TEST esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile VPN_S2S-WC-TEST
 set transform-set TRANS_SET-WC-TEST
 set pfs group2
 set isakmp-profile ISAKMP-WC-TEST
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback777
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_S2S-WC-TEST
crypto dynamic-map dynmap 10
 set transform-set TRANS_SET-WC-TEST
 set isakmp-profile ISAKMP-WC-TEST
 reverse-route
 match address IPSEC-WC-TEST-ACL
!
crypto map TEST-MAP local-address Loopback777
crypto map TEST-MAP 10 ipsec-isakmp dynamic dynmap
interface Loopback777
 description ### TEST IPSEC ###
 ip address 1.1.1.54 255.255.255.255
 crypto map TEST-MAP
ip access-list extended IPSEC-WC-TEST-ACL
 permit ip host 10.43.8.122 host 10.53.9.12
 permit ip host 10.53.9.12 host 10.43.8.122

EC-ASR-01#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.1.1.54        2.2.2.54        QM_IDLE          37195 ACTIVE

This is the output from debug crypto isakmp and debug crypto ipsec error:

*Mar 24 01:28:45.190 EST: ISAKMP (37214): received packet from 2.2.2.54 dport 500 sport 500 Global (R) QM_IDLE
*Mar 24 01:28:45.190 EST: ISAKMP:(37214): phase 2 packet is a duplicate of a previous packet.
*Mar 24 01:28:45.190 EST: ISAKMP:(37214): retransmitting due to retransmit phase 2
*Mar 24 01:28:45.190 EST: ISAKMP:(37214): ignoring retransmission,because phase2 node marked dead -263527270
*Mar 24 01:28:48.117 EST: ISAKMP:(37212):purging SA., sa=4079E61C, delme=4079E61C
*Mar 24 01:28:53.190 EST: ISAKMP (37214): received packet from 2.2.2.54 dport 500 sport 500 Global (R) QM_IDLE
*Mar 24 01:28:53.190 EST: ISAKMP: set new node -866013715 to QM_IDLE
*Mar 24 01:28:53.191 EST: ISAKMP:(37214): processing HASH payload. message ID = 3428953581
*Mar 24 01:28:53.191 EST: ISAKMP:(37214): processing DELETE payload. message ID = 3428953581
*Mar 24 01:28:53.191 EST: ISAKMP:(37214):peer does not do paranoid keepalives.
*Mar 24 01:28:53.191 EST: ISAKMP:(37214):deleting node -866013715 error FALSE reason "Informational (in) state 1"
*Mar 24 01:28:53.192 EST: ISAKMP (37214): received packet from 2.2.2.54 dport 500 sport 500 Global (R) QM_IDLE
*Mar 24 01:28:53.192 EST: ISAKMP: set new node 218841786 to QM_IDLE
*Mar 24 01:28:53.193 EST: ISAKMP:(37214): processing HASH payload. message ID = 218841786
*Mar 24 01:28:53.193 EST: ISAKMP:(37214): processing DELETE payload. message ID = 218841786
*Mar 24 01:28:53.193 EST: ISAKMP:(37214):peer does not do paranoid keepalives.
*Mar 24 01:28:53.193 EST: ISAKMP:(37214):deleting SA reason "No reason" state (R) QM_IDLE       (peer 2.2.2.54)
*Mar 24 01:28:53.193 EST: ISAKMP:(37214):deleting node 218841786 error FALSE reason "Informational (in) state 1"
*Mar 24 01:28:53.193 EST: ISAKMP: set new node 789219990 to QM_IDLE
*Mar 24 01:28:53.193 EST: ISAKMP:(37214): sending packet to 2.2.2.54 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 24 01:28:53.194 EST: ISAKMP:(37214):Sending an IKE IPv4 Packet.
*Mar 24 01:28:53.194 EST: ISAKMP:(37214):purging node 789219990
*Mar 24 01:28:53.194 EST: ISAKMP:(37214):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 24 01:28:53.194 EST: ISAKMP:(37214):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
*Mar 24 01:28:53.194 EST: ISAKMP:(37214):deleting SA reason "No reason" state (R) QM_IDLE       (peer 2.2.2.54)
*Mar 24 01:28:53.194 EST: ISAKMP: Unlocking peer struct 0x44493EC0 for isadb_mark_sa_deleted(), count 0
*Mar 24 01:28:53.194 EST: ISAKMP: Deleting peer node by peer_reap for 2.2.2.54: 44493EC0
*Mar 24 01:28:53.194 EST: ISAKMP:(37214):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 24 01:28:53.194 EST: ISAKMP:(37214):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
*Mar 24 01:28:53.842 EST: ISAKMP:(0):: peer matches *none* of the profiles
*Mar 24 01:28:53.929 EST: ISAKMP (0): received packet from 2.2.2.54 dport 500 sport 500 Global (N) NEW SA
*Mar 24 01:28:53.929 EST: ISAKMP: Created a peer struct for 2.2.2.54, peer port 500
*Mar 24 01:28:53.929 EST: ISAKMP: New peer created peer = 0x44493EC0 peer_handle = 0x8000635F
*Mar 24 01:28:53.929 EST: ISAKMP: Locking peer struct 0x44493EC0, refcount 1 for crypto_isakmp_process_block
*Mar 24 01:28:53.929 EST: ISAKMP: local port 500, remote port 500
*Mar 24 01:28:53.929 EST: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 48A95210
*Mar 24 01:28:53.930 EST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 24 01:28:53.930 EST: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Mar 24 01:28:53.930 EST: ISAKMP:(0): processing SA payload. message ID = 0
*Mar 24 01:28:53.930 EST: ISAKMP:(0): processing vendor id payload
*Mar 24 01:28:53.930 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 24 01:28:53.930 EST: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 24 01:28:53.930 EST: ISAKMP:(0): processing vendor id payload
*Mar 24 01:28:53.930 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar 24 01:28:53.930 EST: ISAKMP:(0): vendor ID is NAT-T v3
*Mar 24 01:28:53.930 EST: ISAKMP:(0): processing vendor id payload
*Mar 24 01:28:53.930 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar 24 01:28:53.930 EST: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Mar 24 01:28:53.930 EST: ISAKMP:(0): processing vendor id payload
*Mar 24 01:28:53.930 EST: ISAKMP:(0): processing IKE frag vendor id payload
*Mar 24 01:28:53.930 EST: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar 24 01:28:53.930 EST: ISAKMP:(0):found peer pre-shared key matching 2.2.2.54
*Mar 24 01:28:53.930 EST: ISAKMP:(0): local preshared key found
*Mar 24 01:28:53.930 EST: ISAKMP : Scanning profiles for xauth ... ISAKMP-COMPANY ISAKMP-AMAZON-85c829ec-1 ISAKMP-AMAZON-d0d332b9-1 ISAKMP-WC-TEST
*Mar 24 01:28:53.931 EST: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 24 01:28:53.931 EST: ISAKMP:      default group 2
*Mar 24 01:28:53.931 EST: ISAKMP:      encryption AES-CBC
*Mar 24 01:28:53.931 EST: ISAKMP:      keylength of 128
*Mar 24 01:28:53.931 EST: ISAKMP:      hash SHA
*Mar 24 01:28:53.931 EST: ISAKMP:      auth pre-share
*Mar 24 01:28:53.931 EST: ISAKMP:      life type in seconds
*Mar 24 01:28:53.931 EST: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar 24 01:28:53.931 EST: ISAKMP:(0):atts are acceptable. Next payload is 3
*Mar 24 01:28:53.931 EST: ISAKMP:(0):Acceptable atts:actual life: 0
*Mar 24 01:28:53.931 EST: ISAKMP:(0):Acceptable atts:life: 0
*Mar 24 01:28:53.931 EST: ISAKMP:(0):Fill atts in sa vpi_length:4
*Mar 24 01:28:53.931 EST: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Mar 24 01:28:53.931 EST: ISAKMP:(0):Returning Actual lifetime: 86400
*Mar 24 01:28:53.931 EST: ISAKMP:(0)::Started lifetime timer: 86400.
*Mar 24 01:28:53.931 EST: ISAKMP:(0): processing vendor id payload
*Mar 24 01:28:53.931 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 24 01:28:53.931 EST: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 24 01:28:53.931 EST: ISAKMP:(0): processing vendor id payload
*Mar 24 01:28:53.931 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar 24 01:28:53.931 EST: ISAKMP:(0): vendor ID is NAT-T v3
*Mar 24 01:28:53.931 EST: ISAKMP:(0): processing vendor id payload
*Mar 24 01:28:53.932 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar 24 01:28:53.932 EST: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Mar 24 01:28:53.932 EST: ISAKMP:(0): processing vendor id payload
*Mar 24 01:28:53.932 EST: ISAKMP:(0): processing IKE frag vendor id payload
*Mar 24 01:28:53.932 EST: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar 24 01:28:53.932 EST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 24 01:28:53.932 EST: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
*Mar 24 01:28:53.932 EST: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar 24 01:28:53.932 EST: ISAKMP:(0): sending packet to 2.2.2.54 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar 24 01:28:53.932 EST: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 24 01:28:53.933 EST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 24 01:28:53.933 EST: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
*Mar 24 01:28:54.006 EST: ISAKMP (0): received packet from 2.2.2.54 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar 24 01:28:54.007 EST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 24 01:28:54.007 EST: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3
*Mar 24 01:28:54.007 EST: ISAKMP:(0): processing KE payload. message ID = 0
*Mar 24 01:28:54.010 EST: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar 24 01:28:54.010 EST: ISAKMP:(0):found peer pre-shared key matching 2.2.2.54
*Mar 24 01:28:54.010 EST: ISAKMP:(37215): processing vendor id payload
*Mar 24 01:28:54.010 EST: ISAKMP:(37215): vendor ID is Unity
*Mar 24 01:28:54.011 EST: ISAKMP:(37215): processing vendor id payload
*Mar 24 01:28:54.011 EST: ISAKMP:(37215): vendor ID seems Unity/DPD but major 56 mismatch
*Mar 24 01:28:54.011 EST: ISAKMP:(37215): vendor ID is XAUTH
*Mar 24 01:28:54.011 EST: ISAKMP:(37215): processing vendor id payload
*Mar 24 01:28:54.011 EST: ISAKMP:(37215): speaking to another IOS box!
*Mar 24 01:28:54.011 EST: ISAKMP:(37215): processing vendor id payload
*Mar 24 01:28:54.011 EST: ISAKMP:(37215):vendor ID seems Unity/DPD but hash mismatch
*Mar 24 01:28:54.011 EST: ISAKMP:received payload type 20
*Mar 24 01:28:54.011 EST: ISAKMP (37215): His hash no match - this node outside NAT
*Mar 24 01:28:54.011 EST: ISAKMP:received payload type 20
*Mar 24 01:28:54.011 EST: ISAKMP (37215): No NAT Found for self or peer
*Mar 24 01:28:54.011 EST: ISAKMP:(37215):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 24 01:28:54.011 EST: ISAKMP:(37215):Old State = IKE_R_MM3  New State = IKE_R_MM3
*Mar 24 01:28:54.011 EST: ISAKMP:(37215): sending packet to 2.2.2.54 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar 24 01:28:54.011 EST: ISAKMP:(37215):Sending an IKE IPv4 Packet.
*Mar 24 01:28:54.012 EST: ISAKMP:(37215):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 24 01:28:54.012 EST: ISAKMP:(37215):Old State = IKE_R_MM3  New State = IKE_R_MM4
*Mar 24 01:28:54.086 EST: ISAKMP (37215): received packet from 2.2.2.54 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Mar 24 01:28:54.087 EST: ISAKMP:(37215):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 24 01:28:54.087 EST: ISAKMP:(37215):Old State = IKE_R_MM4  New State = IKE_R_MM5
*Mar 24 01:28:54.087 EST: ISAKMP:(37215): processing ID payload. message ID = 0
*Mar 24 01:28:54.087 EST: ISAKMP (37215): ID payload
        next-payload : 8
        type         : 1
        address      : 2.2.2.54
        protocol     : 17
        port         : 0
        length       : 12
*Mar 24 01:28:54.087 EST: ISAKMP:(0):: peer matches ISAKMP-WC-TEST profile
*Mar 24 01:28:54.087 EST: ISAKMP:(37215):Found ADDRESS key in keyring KEYS-WC-TEST
*Mar 24 01:28:54.087 EST: ISAKMP:(37215): processing HASH payload. message ID = 0
*Mar 24 01:28:54.088 EST: ISAKMP:received payload type 17
*Mar 24 01:28:54.088 EST: ISAKMP:(37215): processing keep alive: proposal=32767/32767 sec., actual=10/10 sec.
*Mar 24 01:28:54.088 EST: ISAKMP:(37215): processing vendor id payload
*Mar 24 01:28:54.088 EST: ISAKMP:(37215): vendor ID is DPD
*Mar 24 01:28:54.088 EST: ISAKMP:(37215):SA authentication status:
        authenticated
*Mar 24 01:28:54.088 EST: ISAKMP:(37215):SA has been authenticated with 2.2.2.54
*Mar 24 01:28:54.088 EST: ISAKMP: Trying to insert a peer 1.1.1.54/2.2.2.54/500/,  and inserted successfully 44493EC0.
*Mar 24 01:28:54.088 EST: ISAKMP:(37215):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 24 01:28:54.088 EST: ISAKMP:(37215):Old State = IKE_R_MM5  New State = IKE_R_MM5
*Mar 24 01:28:54.088 EST: ISAKMP:(37215):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 24 01:28:54.088 EST: ISAKMP (37215): ID payload
        next-payload : 8
        type         : 1
        address      : 1.1.1.54
        protocol     : 17
        port         : 500
        length       : 12
*Mar 24 01:28:54.088 EST: ISAKMP:(37215):Total payload length: 12
*Mar 24 01:28:54.089 EST: ISAKMP:(37215): sending packet to 2.2.2.54 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar 24 01:28:54.089 EST: ISAKMP:(37215):Sending an IKE IPv4 Packet.
*Mar 24 01:28:54.089 EST: ISAKMP:(37215):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 24 01:28:54.089 EST: ISAKMP:(37215):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
*Mar 24 01:28:54.090 EST: ISAKMP:(37215):IKE_DPD is enabled, initializing timers
*Mar 24 01:28:54.090 EST: ISAKMP:(37215):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 24 01:28:54.090 EST: ISAKMP:(37215):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Mar 24 01:28:54.094 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
*Mar 24 01:28:54.130 EST: ISAKMP:(37215):IKE_DPD is enabled, initializing timers
*Mar 24 01:28:54.130 EST: ISAKMP:(37215):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 24 01:28:54.130 EST: ISAKMP:(37215):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
*Mar 24 01:28:54.165 EST: ISAKMP (37215): received packet from 2.2.2.54 dport 500 sport 500 Global (R) QM_IDLE
*Mar 24 01:28:54.165 EST: ISAKMP: set new node -1638274170 to QM_IDLE
*Mar 24 01:28:54.166 EST: ISAKMP:(37215): processing HASH payload. message ID = 2656693126
*Mar 24 01:28:54.166 EST: ISAKMP:(37215): processing SA payload. message ID = 2656693126
*Mar 24 01:28:54.166 EST: ISAKMP:(37215):Checking IPSec proposal 1
*Mar 24 01:28:54.166 EST: ISAKMP: transform 1, ESP_AES
*Mar 24 01:28:54.166 EST: ISAKMP:   attributes in transform:
*Mar 24 01:28:54.166 EST: ISAKMP:      SA life type in seconds
*Mar 24 01:28:54.166 EST: ISAKMP:      SA life duration (basic) of 28800
*Mar 24 01:28:54.166 EST: ISAKMP:      SA life type in kilobytes
*Mar 24 01:28:54.166 EST: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Mar 24 01:28:54.166 EST: ISAKMP:      encaps is 1 (Tunnel)
*Mar 24 01:28:54.166 EST: ISAKMP:      authenticator is HMAC-SHA
*Mar 24 01:28:54.166 EST: ISAKMP:      key length is 128
*Mar 24 01:28:54.166 EST: ISAKMP:(37215):atts are acceptable.
*Mar 24 01:28:54.166 EST: map_db_find_best did not find matching map
*Mar 24 01:28:54.166 EST: IPSEC(ipsec_process_proposal): proxy identities not supported
*Mar 24 01:28:54.166 EST: ISAKMP:(37215): IPSec policy invalidated proposal with error 32
*Mar 24 01:28:54.166 EST: ISAKMP:(37215): phase 2 SA policy not acceptable! (local 1.1.1.54 remote 2.2.2.54)
*Mar 24 01:28:54.166 EST: ISAKMP: set new node -148278355 to QM_IDLE
*Mar 24 01:28:54.167 EST: ISAKMP:(37215):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 1017571376, message ID = 4146688941
*Mar 24 01:28:54.167 EST: ISAKMP:(37215): sending packet to 2.2.2.54 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 24 01:28:54.167 EST: ISAKMP:(37215):Sending an IKE IPv4 Packet.
*Mar 24 01:28:54.167 EST: ISAKMP:(37215):purging node -148278355
*Mar 24 01:28:54.167 EST: ISAKMP:(37215):deleting node -1638274170 error TRUE reason "QM rejected"
*Mar 24 01:28:54.167 EST: ISAKMP:(37215):Node 2656693126, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 24 01:28:54.167 EST: ISAKMP:(37215):Old State = IKE_QM_READY  New State = IKE_QM_READY
*Mar 24 01:29:02.160 EST: ISAKMP (37215): received packet from 2.2.2.54 dport 500 sport 500 Global (R) QM_IDLE
*Mar 24 01:29:02.161 EST: ISAKMP:(37215): phase 2 packet is a duplicate of a previous packet.
*Mar 24 01:29:02.161 EST: ISAKMP:(37215): retransmitting due to retransmit phase 2
*Mar 24 01:29:02.161 EST: ISAKMP:(37215): ignoring retransmission,because phase2 node marked dead -1638274170
*Mar 24 01:29:10.160 EST: ISAKMP (37215): received packet from 2.2.2.54 dport 500 sport 500 Global (R) QM_IDLE
*Mar 24 01:29:10.160 EST: ISAKMP:(37215): phase 2 packet is a duplicate of a previous packet.
*Mar 24 01:29:10.160 EST: ISAKMP:(37215): retransmitting due to retransmit phase 2
*Mar 24 01:29:10.160 EST: ISAKMP:(37215): ignoring retransmission,because phase2 node marked dead -1638274170
*Mar 24 01:29:10.591 EST: ISAKMP:(37213):purging node 667120255
*Mar 24 01:29:10.591 EST: ISAKMP:(37213):purging node 1131880735
*Mar 24 01:29:11.199 EST: ISAKMP:(37214):purging node -263527270
*Mar 24 01:29:18.160 EST: ISAKMP (37215): received packet from 2.2.2.54 dport 500 sport 500 Global (R) QM_IDLE
*Mar 24 01:29:18.160 EST: ISAKMP:(37215): phase 2 packet is a duplicate of a previous packet.
*Mar 24 01:29:18.160 EST: ISAKMP:(37215): retransmitting due to retransmit phase 2
*Mar 24 01:29:18.160 EST: ISAKMP:(37215): ignoring retransmission,because phase2 node marked dead -1638274170
*Mar 24 01:29:20.592 EST: ISAKMP:(37213):purging SA., sa=4550D2C8, delme=4550D2C8
*Mar 24 01:29:26.771 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down

And here is the ASA side:

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto map IPSEC_map 1 match address IPSEC_cryptomap
crypto map IPSEC_map 1 set peer 2.2.2.54
crypto map IPSEC_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map IPSEC_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map IPSEC_map 1 set reverse-route
crypto map IPSEC_map interface IPSEC
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable IPSEC
crypto ikev1 enable IPSEC
crypto ikev1 policy 9
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
tunnel-group 2.2.2.54 type ipsec-l2l
tunnel-group 2.2.2.54 general-attributes
 default-group-policy GroupPolicy_2.2.2.54
tunnel-group 2.2.2.54 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
group-policy GroupPolicy_2.2.2.54 internal
group-policy GroupPolicy_2.2.2.54 attributes
 vpn-tunnel-protocol ikev1 ikev2
route IPSEC 2.2.2.54 255.255.255.255 1.1.1.254 1
access-list IPSEC_cryptomap extended permit ip object MONITOR-WC object MONITOR-EC
nat (VMs,IPSEC) source static MONITOR-WC MONITOR-WC destination static MONITOR-EC MONITOR-EC
object network MONITOR-WC
 host 10.43.8.122
object network MONITOR-EC
 host 10.53.9.12

Thanks!!!


VPN ASA to CISCO IOS Using Loopback IF

Hi Hummus,

For this to work you do not need to apply the crypto map to the loopback; it is not supported anyway.

So at this point you set up a pretty common L2L tunnel (of course not using VTI, since the ASA will not accept the SA) and use the loopback as the local-address for the crypto map.

Check this out:

crypto map local-address

HTH.

Portu.
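As an added worked example of what the reply suggests (this is editor-supplied configuration, not Portu's or the original poster's), here is the IOS side of the post rewritten as a plain crypto-map L2L tunnel: Loopback777 stays the IKE and ESP source via `crypto map ... local-address`, but the map itself is bound to the physical egress interface. The interface name GigabitEthernet0/0/0 is an assumption; the peer, loopback, keyring, transform-set and ACL names are the ones from the post. The ISAKMP profile loses its `virtual-template 1` binding and the Virtual-Template1 / ipsec-profile stanzas are dropped: an IOS VTI only accepts any/any proxy identities, whereas the ASA proposes the host-to-host identities from its IPSEC_cryptomap ACL, which is what the `proxy identities not supported` line in the posted debug reports. The ACL is reduced to the single mirror of the ASA's entry (local host first, remote host second).

```cisco
! Added example, not the poster's or Portu's configuration.
! Assumption: GigabitEthernet0/0/0 is the ASR's Internet-facing interface.
crypto keyring KEYS-WC-TEST
  local-address 1.1.1.54
  pre-shared-key address 2.2.2.54 key test123
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp profile ISAKMP-WC-TEST
   keyring KEYS-WC-TEST
   match identity address 2.2.2.54 255.255.255.255
   local-address 1.1.1.54
   ! no "virtual-template 1": the ASA is a crypto-map peer, not a VTI peer
!
crypto ipsec transform-set TRANS_SET-WC-TEST esp-aes esp-sha-hmac
 mode tunnel
!
! Mirror of the ASA's IPSEC_cryptomap ACL (MONITOR-WC -> MONITOR-EC):
! local host first, remote host second.
ip access-list extended IPSEC-WC-TEST-ACL
 permit ip host 10.53.9.12 host 10.43.8.122
!
! Static map entry for the known ASA peer; IKE and ESP are sourced from
! Loopback777, so the ASA must peer with 1.1.1.54.
crypto map TEST-MAP local-address Loopback777
crypto map TEST-MAP 10 ipsec-isakmp
 set peer 2.2.2.54
 set transform-set TRANS_SET-WC-TEST
 set isakmp-profile ISAKMP-WC-TEST
 match address IPSEC-WC-TEST-ACL
 reverse-route
!
interface Loopback777
 description ### TEST IPSEC ###
 ip address 1.1.1.54 255.255.255.255
 ! no crypto map on the loopback
!
interface GigabitEthernet0/0/0
 crypto map TEST-MAP
```

On the ASA, the crypto map peer, the tunnel-group name and the static route all need to point at 1.1.1.54, the address the ASR puts in its ID payload in the debug above, and the ASA must have a route back to that /32 over the interface the crypto map is on. After `clear crypto isakmp` and `clear crypto sa` on the ASR, `show crypto ipsec sa peer 2.2.2.54` should list local ident 10.53.9.12/255.255.255.255 and remote ident 10.43.8.122/255.255.255.255, the same proxy IDs the ASA proposes; if the debug still shows `proxy identities not supported`, a virtual-template is still attached to the matched ISAKMP profile.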