cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1008
Views
0
Helpful
7
Replies

asa static ip to ios dynamic ip with pki

manekdamu
Beginner
Beginner

dear all,

i am trying to establish a site to site ipsec vpn with asa on one end with a static ip and and ios router at the other end with a dynamic ip. iam trying to initiate the tunnel from the router side and when i debug the asa the its gng to default tunnel-group DEfaultRagroup and it sayd defaultragroup doesnt have a trustpoint defined.

i tried creating the tunnel name with the OU name of the certificate on the router and issued tunnel-group-map enable ou on the asa side. also tried to create certificate map with matching subject-name attributes like OU and CN and C but still no luck.

iam posting the config on both the ends please help.

ASA

------------------------------------

access-list vpn extended permit ip host 1.1.1.1 host 5.5.5.5

crypto ipsec transform-set vpn-set esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map vpn-map 10 match address vpn

crypto dynamic-map vpn-map 10 set pfs

crypto dynamic-map vpn-map 10 set transform-set vpn-set

crypto dynamic-map vpn-map 10 set security-association lifetime seconds 28800

crypto dynamic-map vpn-map 10 set security-association lifetime kilobytes 4608000

crypto map vpn-map1 10 ipsec-isakmp dynamic vpn-map

crypto map vpn-map1 interface outside

crypto ca trustpoint router_ca

enrollment url http://10.1.101.1:80

fqdn asa1.micronicstraining.com

subject-name CN=ASA1

serial-number

crl configure

crypto ca certificate map 1

subject-name attr cn eq r5

subject-name attr c eq us

isakmp enable outside

isakmp policy 10 authentication rsa-sig

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group IT type ipsec-l2l

tunnel-group IT ipsec-attributes

peer-id-validate nocheck

trust-point router_ca

tunnel-group-map enable rules

tunnel-group-map 1 IT

ROUTER

------------------------------------------------

certificate info

R5#sh crypto ca certificates

Certificate

  Status: Available

  Certificate Serial Number: 20

  Certificate Usage: General Purpose

  Issuer:

    cn=ios_ca_r1

  Subject:

    Name: R5.micronicstraining.com

    hostname=R5.micronicstraining.com

    cn=R5 C\=US OU\=IT

  Validity Date:

    start date: 03:24:33 UTC Mar 1 2002

    end   date: 02:55:29 UTC Feb 28 2005

  Associated Trustpoints: router_ca

CA Certificate

  Status: Available

  Certificate Serial Number: 01

  Certificate Usage: Signature

  Issuer:

    cn=ios_ca_r1

  Subject:

    cn=ios_ca_r1

  Validity Date:

    start date: 02:55:30 UTC Mar 1 2002

    end   date: 02:55:30 UTC Feb 28 2005

  Associated Trustpoints: router_ca

RUN CONFIG

rypto pki trustpoint router_ca

enrollment url http://10.1.101.1:80

usage ike

fqdn R5.micronicstraining.com

subject-name CN=R5 C=US OU=IT

revocation-check none

crypto isakmp policy 10

encr 3des

hash md5

group 2

crypto ipsec transform-set tset esp-3des esp-md5-hmac

!

crypto map vpn-map 10 ipsec-isakmp

set peer 192.168.1.10

set transform-set tset

set pfs group2

match address 126

access-list 126 permit ip host 5.5.5.5 host 1.1.1.1

please help to identify the problem.

THanks

Manek

7 Replies 7

Andrew Phirsov
Rising star
Rising star

Your tunnel group on an ASA should probably be the type of remote-access, (not ipsec-l2l) in your case. I think that's why your tunnel-group never matches.

Thanks Andrew for the reply.

since the remote router is on a dynamic ip i should use ra tunnel-group on the asa ??

let me check this out and i vl update you ....

thanks

manek

You, know, now i'm not sure of that)). According to this document, the type should be l2l:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

So it's probably smth else.

HI andew,

i tried configuring a new ipsec-ra kind of tunnel-group and mentioned the trust point in the ipsec-attributes but still the remote router when initiating the connectin is raking defaultra group.

what are we missing here from above config.

please help

THanks

manek

Could you present the whole debug crypto isakmp/ipsec ouptut?

iam getting only this nothing else.

ASA1(config)# debug crypto Mar 01 04:23:36 [IKEv1]: Connection failed with peer

'10.1.105.5', no trust-point defined for tunnel-group 'DefaultRAGroup'

Mar 01 04:23:36 [IKEv1]: Group = DefaultRAGroup, IP = 10.1.105.5, Removing peer

from peer table failed, no match!

Mar 01 04:23:36 [IKEv1]: Group = DefaultRAGroup, IP = 10.1.105.5, Error: Unable

to remove PeerTblEntry

i dont know why am i getting a full debug and above are logging mesgs.

Hi guys,

On the ASA it has to be a L2L tunnel, that's a fact.

On the other hand, please provide the following logs from the ASA:

1- debug crypto isakmp 190

2- debug crypto ipsec 190

3- debug crypto ca 255

HTH.

Portu.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: