cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4946
Views
9
Helpful
5
Replies

VPN between ASA not working

Alvaro Rugama
Level 1
Level 1

Hi everyone

hope you can help us with an issue.

We're trying to create a site to site vpn tunnel between various office in different countries. We need to create 4 vpn tunnel, 3 of them are working right now, however there is one ASA that is not allowing us to stablish the connection.

On our side we have a ASA 5516 running firmware version 9.5(1) that has this configuration:

access-list ti_jamaica extended permit ip any object host_10.10.10.252

nat (inside,outside) 1 source dynamic any host_10.111.0.10 destination static host 10.10.10.252 host_10.10.10.252

crypto ipsec ikev1 transform-set ts_jamaica esp-aes-256 esp-md5-hmac

crypto map vpnpbs 1 match address ti_jamaica
crypto map vpnpbs 1 set peer XXX.XXX.XXX.XXX
crypto map vpnpbs 1 set ikev1 transform-set ts_jamaica

tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
ikev1 pre-shared-key vpn1234

group-policy GroupPolicy_xxx internal
group-policy GroupPolicy_xxx attributes
vpn-tunnel-protocol ikev1

crypto ikev1 enable outside
crypto ikev1 policy 11
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400

On the other side our office has a ASA (do not know the model) running firmware verion 8.2 with this configuration

access-list Outside_21_cryptomap extended permit ip host 10.10.10.252 host 10.111.0.10

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto map Outside_map 21 match address Outside_21_cryptomap
crypto map Outside_map 21 set pfs
crypto map Outside_map 21 set peer XXX.XXX.XXX.XXX
crypto map Outside_map 21 set transform-set ESP-AES-256-MD5

tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key vpn1234

crypto isakmp policy 170
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400

but I'm receiving this error on "show debug ikev1"

Feb 11 15:32:06 [IKEv1]Group = XXX.XXX.XXX.XXX IP = XXX.XXX.XXX.XXX, Session is being torn down. Reason: User Requested

Feb 11 15:32:11 [IKEv1]Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, Removing peer from correlator table failed, no match!

I already check this error message, it states that there is a misconfiguration between both sides of the VPN, according to the manual, there the encryption and hash does not match on them, but we believe that we have the right configuration.

I appreciate any help or guidance from you.

Best regards

1 Accepted Solution

Accepted Solutions

Philip D'Ath
VIP Alumni
VIP Alumni

First your crypto domains do not match, so correct that first.  Make them the same on both sides.

This is what one says.

access-list ti_jamaica extended permit ip any object host_10.10.10.252

And the other.

access-list Outside_21_cryptomap extended permit ip host 10.10.10.252 host 10.111.0.10

View solution in original post

5 Replies 5

Philip D'Ath
VIP Alumni
VIP Alumni

First your crypto domains do not match, so correct that first.  Make them the same on both sides.

This is what one says.

access-list ti_jamaica extended permit ip any object host_10.10.10.252

And the other.

access-list Outside_21_cryptomap extended permit ip host 10.10.10.252 host 10.111.0.10

Thank you for your reply Philip

I forget to mention that on my inside network I have a totally different subnet.

What we are doing is translating our inside network into 10.111.0.10, that is why we have 

access-list ti_jamaica extended permit ip any object host_10.10.10.252

great observation about the md5 hash, will see if we can move to sha1 at least.

Even if you are translating, the encryption domains on both sides should match.

Thank you again for the information.

One issue was this, the other, it seems that the other side was not using the right hash and encryption too.

Regards

Philip D'Ath
VIP Alumni
VIP Alumni

This has nothing to do with your problem.  It makes me cringe when I see people still using MD5.  If you care even slightly about security please at least move to SHA1.

Better still get everything onto 9.x mode and move to SHA256 or better.  Even SHA1 is not good anymore.  But MD5 is really really not good.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: