03-23-2013 02:51 AM
dear all,
I am trying to establish a site-to-site IPsec VPN with an ASA on one end with a static IP and an IOS router at the other end with a dynamic IP. I am trying to initiate the tunnel from the router side, and when I debug the ASA it is going to the default tunnel-group DefaultRAGroup and it says DefaultRAGroup doesn't have a trustpoint defined.
I tried creating the tunnel-group name with the OU name of the certificate on the router and issued tunnel-group-map enable ou on the ASA side. I also tried to create a certificate map with matching subject-name attributes like OU, CN and C, but still no luck.
I am posting the config on both ends; please help.
ASA
------------------------------------
access-list vpn extended permit ip host 1.1.1.1 host 5.5.5.5
crypto ipsec transform-set vpn-set esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map vpn-map 10 match address vpn
crypto dynamic-map vpn-map 10 set pfs
crypto dynamic-map vpn-map 10 set transform-set vpn-set
crypto dynamic-map vpn-map 10 set security-association lifetime seconds 28800
crypto dynamic-map vpn-map 10 set security-association lifetime kilobytes 4608000
crypto map vpn-map1 10 ipsec-isakmp dynamic vpn-map
crypto map vpn-map1 interface outside
crypto ca trustpoint router_ca
enrollment url http://10.1.101.1:80
fqdn asa1.micronicstraining.com
subject-name CN=ASA1
serial-number
crl configure
crypto ca certificate map 1
subject-name attr cn eq r5
subject-name attr c eq us
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group IT type ipsec-l2l
tunnel-group IT ipsec-attributes
peer-id-validate nocheck
trust-point router_ca
tunnel-group-map enable rules
tunnel-group-map 1 IT
ROUTER
------------------------------------------------
certificate info
R5#sh crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 20
Certificate Usage: General Purpose
Issuer:
cn=ios_ca_r1
Subject:
Name: R5.micronicstraining.com
hostname=R5.micronicstraining.com
cn=R5 C\=US OU\=IT
Validity Date:
start date: 03:24:33 UTC Mar 1 2002
end date: 02:55:29 UTC Feb 28 2005
Associated Trustpoints: router_ca
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=ios_ca_r1
Subject:
cn=ios_ca_r1
Validity Date:
start date: 02:55:30 UTC Mar 1 2002
end date: 02:55:30 UTC Feb 28 2005
Associated Trustpoints: router_ca
RUN CONFIG
crypto pki trustpoint router_ca
enrollment url http://10.1.101.1:80
usage ike
fqdn R5.micronicstraining.com
subject-name CN=R5 C=US OU=IT
revocation-check none
crypto isakmp policy 10
encr 3des
hash md5
group 2
crypto ipsec transform-set tset esp-3des esp-md5-hmac
!
crypto map vpn-map 10 ipsec-isakmp
set peer 192.168.1.10
set transform-set tset
set pfs group2
match address 126
access-list 126 permit ip host 5.5.5.5 host 1.1.1.1
Please help to identify the problem.
Thanks
Manek
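As an added illustration (not part of this thread or anyone's reply), the Python check below parses a certificate subject the way it is printed in the router's `show crypto ca certificates` output and evaluates ASA certificate-map rules of the form `subject-name attr <attr> eq <value>` against it. It assumes RFC 4514 DN syntax (comma-separated RDNs, backslash escapes the next character) and a case-insensitive comparison; both are assumptions of this script, not something the thread states.

```python
# Added example, not from the original post: evaluate ASA certificate-map
# "subject-name attr X eq Y" rules against a subject DN as a defender would
# when checking why a tunnel-group-map never matches.

def parse_dn(dn: str) -> dict:
    """Split an RFC 4514-style DN into {attr: value} (attrs lower-cased).
    A backslash escapes the following character, so 'cn=R5 C\\=US OU\\=IT'
    yields a single CN value and no separate C or OU attribute."""
    attrs, key, buf, i = {}, None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped char: literal
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == "=" and key is None:           # first '=' ends the attr name
            key = "".join(buf).strip().lower()
            buf = []
        elif ch == "," and key is not None:     # RDN separator
            attrs[key] = "".join(buf).strip()
            key, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if key is not None:
        attrs[key] = "".join(buf).strip()
    return attrs

def missing_attrs(rules, dn: str) -> list:
    """Rule attributes that do not exist at all in the subject."""
    subject = parse_dn(dn)
    return [attr for attr, _ in rules if attr.lower() not in subject]

def rule_matches(rules, dn: str) -> bool:
    """True only if every (attr, value) rule equals the subject's attribute
    (case-insensitive here; an assumption of this script)."""
    subject = parse_dn(dn)
    return all(subject.get(a.lower(), "").lower() == v.lower() for a, v in rules)

# Constructed from the thread: the ASA's map rules and the router's subject
# exactly as the "show crypto ca certificates" output prints it.
ASA_MAP_RULES = [("cn", "r5"), ("c", "us")]
ROUTER_SUBJECT = "cn=R5 C\\=US OU\\=IT"
CORRECT_SUBJECT = "cn=R5,c=US,ou=IT"   # constructed comma-separated DN

if __name__ == "__main__":
    for subj in (ROUTER_SUBJECT, CORRECT_SUBJECT):
        print(subj, "->", parse_dn(subj), "match:",
              rule_matches(ASA_MAP_RULES, subj), "missing:",
              missing_attrs(ASA_MAP_RULES, subj))
```

Running it shows that the printed router subject parses to one CN attribute, so a map rule on `c` has nothing to compare against.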
03-23-2013 03:43 AM
Your tunnel group on an ASA should probably be of type remote-access (not ipsec-l2l) in your case. I think that's why your tunnel-group never matches.
03-23-2013 03:48 AM
Thanks Andrew for the reply.
Since the remote router is on a dynamic IP, I should use an RA tunnel-group on the ASA??
Let me check this out and I will update you....
Thanks
Manek
03-23-2013 03:54 AM
You know, now I'm not sure of that)). According to this document, the type should be l2l:
So it's probably something else.
03-23-2013 04:11 AM
Hi Andrew,
I tried configuring a new ipsec-ra kind of tunnel-group and mentioned the trust point in the ipsec-attributes, but still the remote router, when initiating the connection, is taking DefaultRAGroup.
What are we missing here from the above config?
Please help.
Thanks
Manek
03-23-2013 04:47 AM
Could you present the whole debug crypto isakmp/ipsec output?
03-23-2013 05:20 AM
I am getting only this, nothing else.
ASA1(config)# debug crypto Mar 01 04:23:36 [IKEv1]: Connection failed with peer
'10.1.105.5', no trust-point defined for tunnel-group 'DefaultRAGroup'
Mar 01 04:23:36 [IKEv1]: Group = DefaultRAGroup, IP = 10.1.105.5, Removing peer
from peer table failed, no match!
Mar 01 04:23:36 [IKEv1]: Group = DefaultRAGroup, IP = 10.1.105.5, Error: Unable
to remove PeerTblEntry
I don't know why I am getting a full debug and the above are logging messages.
03-23-2013 08:54 PM
Hi guys,
On the ASA it has to be a L2L tunnel, that's a fact.
On the other hand, please provide the following logs from the ASA:
1- debug crypto isakmp 190
2- debug crypto ipsec 190
3- debug crypto ca 255
HTH.
Portu.