ASA 5505 to 5510 Site-to-Site VPN IPSec doesn't work

I am trying to build a Site-to-Site VPN over IPSec between an ASA5505 and an ASA5510.

But it doesn't want to work. Here are the configs of the ASA5505 and ASA5510:

ASA5505:

: Saved

: Written by enable_15 at 20:02:51.175 UTC Wed Apr 7 2010

!

ASA Version 7.2(2)

!

hostname asa5505

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 192.168.178.254 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list Inside_ICMP extended permit icmp any any echo-reply

access-list Inside_ICMP extended permit icmp any any source-quench

access-list Inside_ICMP extended permit icmp any any unreachable

access-list Inside_ICMP extended permit icmp any any time-exceeded

access-list outside_cryptomap_10 remark ACL to encrypt traffic from Muenchen to Frankfurt

access-list outside_cryptomap_10 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

access-list inside_nat_outbound remark Ausnahme Policy IPSec Encryption

access-list inside_nat_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-522.bin

no asdm history enable

arp timeout 14400

nat (inside) 0 access-list inside_nat_outbound

static (inside,outside) interface 192.168.1.254 netmask 255.255.255.255

access-group Inside_ICMP in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.178.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set FRA-AES256SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 10 match address outside_cryptomap_10

crypto map outside_map 10 set peer 192.168.178.230

crypto map outside_map 10 set transform-set FRA-AES256SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group 192.168.178.230 type ipsec-l2l

tunnel-group 192.168.178.230 ipsec-attributes

pre-shared-key Cisco1234

telnet timeout 5

ssh timeout 5

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:469da4f90cebc4e460849caade472273

: end

ASA5510:

: Saved

: Written by enable_15 at 15:26:19.983 UTC Sun Sep 30 2012

!

ASA Version 7.2(3)

!

hostname asa5510

enable password 8Ry2YjIyt7RRXU24 encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 192.168.178.230 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.10.1 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

passwd 2KFQnbNIdI.2KYOU encrypted

ftp mode passive

access-list Inside_ICMP extended permit icmp any any echo-reply

access-list Inside_ICMP extended permit icmp any any source-quench

access-list Inside_ICMP extended permit icmp any any unreachable

access-list Inside_ICMP extended permit icmp any any time-exceeded

access-list outside_cryptomap_10 remark ACL to encrypt traffic from Frankfurt to Muenchen

access-list outside_cryptomap_10 extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list inside_nat_outbound remark Ausnahme Policy IPSec Encryption

access-list inside_nat_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0

pager lines 24

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside) 0 access-list inside_nat_outbound

static (inside,outside) interface 192.168.10.50 netmask 255.255.255.255

access-group Inside_ICMP in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.178.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set MUC-AES256SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 10 match address outside_cryptomap_10

crypto map outside_map 10 set peer 192.168.178.254

crypto map outside_map 10 set transform-set MUC-AES256SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn username blub password blub store-local

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

tunnel-group 192.168.178.254 type ipsec-l2l

tunnel-group 192.168.178.254 ipsec-attributes

pre-shared-key Cisco1234

prompt hostname context

Cryptochecksum:0b1021940edf26ed0e32a84b18a4a888

: end

I hope that somebody can tell me what I am doing wrong.
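Before going through the replies it helps to check mechanically that the two configs agree on everything IKE and IPsec negotiate. This is an added example, not code from the thread: a small Python checker over the negotiation-relevant lines of the two posted configs (the ASA5510 sample is derived from the ASA5505 one, since the posted configs differ only in ACL direction, transform-set name and peer address). It reports whether the crypto ACLs mirror each other, the transform sets match, at least one ISAKMP policy is common, and each crypto map peer is the other side's outside address.

```python
# Constructed sample: the negotiation-relevant lines of the ASA5505 config posted above.
ASA5505 = """\
access-list outside_cryptomap_10 extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set FRA-AES256SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 192.168.178.230
crypto map outside_map 10 set transform-set FRA-AES256SHA
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
"""
# The posted ASA5510 config differs only in ACL direction, set name and peer, so derive it.
ASA5510 = (ASA5505.replace("192.168.1.0 255.255.255.0 192.168.10.0", "192.168.10.0 255.255.255.0 192.168.1.0")
           .replace("FRA-", "MUC-").replace("peer 192.168.178.230", "peer 192.168.178.254"))
def parse_crypto(cfg):
    """Extract crypto ACL entries, transform sets, crypto-map settings and ISAKMP policies."""
    p, cur = {"acl": set(), "ts": {}, "map": {}, "policies": []}, None
    for line in cfg.splitlines():
        t = line.split()
        if not t: continue
        if line[0] == " ":                       # sub-command of the current isakmp policy
            if cur is not None: cur[t[0]] = t[1]
            continue
        cur = None
        if t[:3] == ["crypto", "isakmp", "policy"]:
            p["policies"].append(cur := {})
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            p["ts"][t[3]] = tuple(sorted(t[4:]))
        elif t[:2] == ["crypto", "map"] and t[4] == "set":
            p["map"][t[5]] = t[6]                # "peer" and "transform-set"
        elif t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            p["acl"].add(tuple(t[-4:]))          # (src, src-mask, dst, dst-mask)
    return p

def check_pair(cfg_a, outside_a, cfg_b, outside_b):
    """Return the mismatches that would keep IKE phase 1 or phase 2 from completing."""
    a, b, problems = parse_crypto(cfg_a), parse_crypto(cfg_b), []
    if a["map"].get("peer") != outside_b or b["map"].get("peer") != outside_a:
        problems.append("crypto map peer is not the other side's outside address")
    if a["acl"] != {(d, dm, s, sm) for s, sm, d, dm in b["acl"]}:
        problems.append("crypto ACLs are not mirror images")
    if a["ts"].get(a["map"].get("transform-set")) != b["ts"].get(b["map"].get("transform-set")):
        problems.append("transform sets referenced by the crypto maps differ")
    if not any(all(x.get(k) == y.get(k) for k in ("authentication", "encryption", "hash", "group"))
               for x in a["policies"] for y in b["policies"]):
        problems.append("no ISAKMP policy is common to both peers")
    return problems
print(check_pair(ASA5505, "192.168.178.254", ASA5510, "192.168.178.230") or "crypto parameters match")
```

On the posted configs the checker finds nothing wrong, which is consistent with the first reply ("looks good to me"); the pre-shared keys and tunnel-groups are not compared here because they are hidden from the config output on some versions.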


Hello Hans

It looks good to me, except the default routes. Can you change them as follows and try to initiate traffic from an inside PC to the other end's LAN?

ASA5505

-------------

route outside 0.0.0.0 0.0.0.0 192.168.178.230

ASA5510

-----------

route outside 0.0.0.0 0.0.0.0 192.168.178.254

let me know the result

Harish.

I changed the route but I cannot ping from one PC to another PC over the VPN tunnel.

I just ran debug crypto isakmp 127 and get the following:

at the ASA5510:

CryptoSep 30 18:11:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Sep 30 18:11:53 [IKEv1]: There is no valid IKE proposal available, check IPSec SA configuration!

Sep 30 18:11:53 [IKEv1]: Removing peer from peer table failed, no match!

Sep 30 18:11:53 [IKEv1]: Error: Unable to remove PeerTblEntry

at the ASA5505:

12Apr 07 22:45:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 07 22:45:31 [IKEv1]: IP = 192.168.178.230, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

7

Could it be the time difference that prevents the VPN tunnel from coming up?

Hello ,

What's the output of 'show crypto isakmp sa' when you initiate the traffic?

Harish.

Sent from Cisco Technical Support iPhone App

asa5505# show crypto isakmp sa

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 192.168.178.230

    Type    : user            Role    : initiator

    Rekey   : no              State   : MM_WAIT_MSG2

asa5505#

asa5510# show cry

asa5510# show crypto is

asa5510# show crypto isakmp sa

There are no isakmp sas

asa5510#

It seems that the ASA5510 has the problem.
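The two outputs above (initiator stuck in MM_WAIT_MSG2, responder with no SA at all) can be read mechanically. This is an added example, not from the thread: a Python helper that parses 'show crypto isakmp sa' from both ends and names the main-mode message that never arrived. The handling of the other MM_WAIT_MSGn states generalises from the IKEv1 main-mode message order (odd messages from the initiator, even from the responder) and is an assumption of this example.

```python
import re

# Constructed sample: the two "show crypto isakmp sa" outputs posted above.
ASA5505_OUT = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 192.168.178.230
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""
ASA5510_OUT = "There are no isakmp sas\n"

SA_ENTRY = re.compile(r"IKE Peer: (\S+).*?Role\s*:\s*(\w+).*?State\s*:\s*(\w+)", re.S)

def parse_isakmp_sa(text):
    """Return [(peer, role, state), ...] for each SA listed in show crypto isakmp sa."""
    return SA_ENTRY.findall(text)

def diagnose(local_out, peer_out):
    """Say where IKEv1 main mode stalled, using the SA table from both ends of the tunnel."""
    local, remote = parse_isakmp_sa(local_out), parse_isakmp_sa(peer_out)
    if not local:
        return "no IKE SA here: nothing matched the crypto ACL, or this side never received MM1"
    peer, role, state = local[0]
    if state == "MM_ACTIVE":
        return "phase 1 is complete; check phase 2 with show crypto ipsec sa"
    m = re.fullmatch(r"MM_WAIT_MSG(\d)", state)
    if not m:
        return f"state {state} is not a main-mode wait state handled here"
    n = int(m.group(1))
    # Odd main-mode messages come from the initiator, even ones from the responder;
    # a side stuck in MM_WAIT_MSGn has sent MM(n-1) and got no MMn back.
    msg = f"{role} sent MM{n - 1} to {peer} and is waiting for MM{n}"
    if n == 2 and not remote:
        msg += ("; the peer lists no SA at all, so MM1 never reached its ISAKMP process: "
                "check reachability on UDP/500, that isakmp is enabled on the peer's "
                "outside interface, and that the peer has an ISAKMP policy it can accept")
    elif n == 6:
        msg += "; MM5 was not answered, which is typically a pre-shared key mismatch"
    elif n in (3, 5):
        msg += f"; the initiator did not continue after receiving MM{n - 1}"
    return msg

print(diagnose(ASA5505_OUT, ASA5510_OUT))
```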

Hi,

Just for testing purposes, can you remove the static (inside,outside) ... line from both ends and try to initiate traffic.

Harish

Sent from Cisco Technical Support iPhone App

After removing the static (inside,outside) ... I can't ping the Internet or the router for the Internet.

Hello Hans,

You can put that back in.

I just tried to test your config in my lab and it is working perfectly without any issues! Can you run the following command and see whether 'sysopt connection permit-vpn' is present:

show running-config all sysopt

regards

Harish.

Hi Harish,

if I run the command, I get the following:

on the ASA5505:

asa5505# sh running-config all sysopt

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

sysopt connection permit-vpn

asa5505#

on the ASA5510:

asa5510# sh running-config all sysopt

no sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

sysopt connection permit-ipsec

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

no sysopt uauth allow-http-cache

no sysopt noproxyarp outside

no sysopt noproxyarp inside

asa5510#

I am now trying to clear the config on both ASAs and then re-enter all commands to get a clean config on both ASAs. Could it maybe be a fault that I use a switch between the two ASAs to simulate the Internet?

regards

Hans-Juergen Guenter

Hello Hans,

Can you enter the 'sysopt connection permit-vpn' global configuration command on the 5510 and try again?

Regarding your switch in between to simulate the Internet, there is no fault in doing that except the static route.

What you can do in that case is create the routes as follows:

route outside 0.0.0.0 0.0.0.0 192.168.178.1

route outside 255.255.255.0 192.168.178.

regards

Harish.

Hi Harrish,

I tried to enter "sysopt connection permit-vpn" but there is only permit-ipsec.

So I think I can't set up a Site-to-Site VPN because the ASA5510 needs another IOS, or I need another licence, so that I get the right commands to make a VPN between the ASA5505 and the ASA5510.

regards

Hans-Juergen Guenter

Hi,

I just ran debug crypto isakmp 127 and get the following:

at the ASA5510:

CryptoSep 30 18:11:53 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Sep 30 18:11:53 [IKEv1]: There is no valid IKE proposal available, check IPSec SA configuration!

Sep 30 18:11:53 [IKEv1]: Removing peer from peer table failed, no match!

Sep 30 18:11:53 [IKEv1]: Error: Unable to remove PeerTblEntry

at the ASA5505:

12Apr 07 22:45:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Apr 07 22:45:31 [IKEv1]: IP = 192.168.178.230, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

7

Can you provide the output on both ASAs of sh run crypto isakmp?

Regards.

Alain

Don't forget to rate helpful posts.


Hi Alain, here is the output of sh run crypto isakmp:

ASA5510:

asa5510# sh run crypto isakmp

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

isakmp policy 65535 authentication pre-share

isakmp policy 65535 encryption 3des

isakmp policy 65535 hash sha

isakmp policy 65535 group 2

isakmp policy 65535 lifetime 86400

asa5510#

ASA5505

asa5505# sh run crypto isakmp

crypto isakmp enable outside

crypto isakmp policy 2

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

asa5505#

Regards,

Hans-Juergen Guenter

Hi,

Post sh run crypto ipsec.

Regards.

Alain

Don't forget to rate helpful posts.


ASA5505:

asa5505# sh run crypto ipsec

crypto ipsec transform-set FRA-3DESSHA esp-3des esp-sha-hmac

asa5505#

ASA5510:

asa5510# sh run crypto ipsec

crypto ipsec transform-set MUC-3DESSHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

asa5510#