asa static ip to ios dynamic ip with pki

manekdamu
Beginner

Dear all,

I am trying to establish a site-to-site IPsec VPN with an ASA on one end with a static IP and an IOS router at the other end with a dynamic IP. I am trying to initiate the tunnel from the router side, and when I debug the ASA it is going to the default tunnel-group DefaultRAGroup and it says DefaultRAGroup doesn't have a trustpoint defined.

I tried creating the tunnel group with the OU name of the certificate on the router and issued tunnel-group-map enable ou on the ASA side. I also tried to create a certificate map with matching subject-name attributes like OU, CN and C, but still no luck.

I am posting the config on both ends; please help.

ASA

------------------------------------

access-list vpn extended permit ip host 1.1.1.1 host 5.5.5.5
crypto ipsec transform-set vpn-set esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map vpn-map 10 match address vpn
crypto dynamic-map vpn-map 10 set pfs
crypto dynamic-map vpn-map 10 set transform-set vpn-set
crypto dynamic-map vpn-map 10 set security-association lifetime seconds 28800
crypto dynamic-map vpn-map 10 set security-association lifetime kilobytes 4608000
crypto map vpn-map1 10 ipsec-isakmp dynamic vpn-map
crypto map vpn-map1 interface outside
crypto ca trustpoint router_ca
 enrollment url http://10.1.101.1:80
 fqdn asa1.micronicstraining.com
 subject-name CN=ASA1
 serial-number
 crl configure
crypto ca certificate map 1
 subject-name attr cn eq r5
 subject-name attr c eq us
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group IT type ipsec-l2l
tunnel-group IT ipsec-attributes
 peer-id-validate nocheck
 trust-point router_ca
tunnel-group-map enable rules
tunnel-group-map 1 IT

ROUTER

------------------------------------------------

certificate info

R5#sh crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 20
  Certificate Usage: General Purpose
  Issuer:
    cn=ios_ca_r1
  Subject:
    Name: R5.micronicstraining.com
    hostname=R5.micronicstraining.com
    cn=R5 C\=US OU\=IT
  Validity Date:
    start date: 03:24:33 UTC Mar 1 2002
    end   date: 02:55:29 UTC Feb 28 2005
  Associated Trustpoints: router_ca

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=ios_ca_r1
  Subject:
    cn=ios_ca_r1
  Validity Date:
    start date: 02:55:30 UTC Mar 1 2002
    end   date: 02:55:30 UTC Feb 28 2005
  Associated Trustpoints: router_ca

RUN CONFIG

crypto pki trustpoint router_ca
 enrollment url http://10.1.101.1:80
 usage ike
 fqdn R5.micronicstraining.com
 subject-name CN=R5 C=US OU=IT
 revocation-check none
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set tset esp-3des esp-md5-hmac
!
crypto map vpn-map 10 ipsec-isakmp
 set peer 192.168.1.10
 set transform-set tset
 set pfs group2
 match address 126
access-list 126 permit ip host 5.5.5.5 host 1.1.1.1

Please help me identify the problem.

Thanks

Manek
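As an added diagnostic, not code from the thread: the router's certificate output above prints its subject as a single cn value containing escaped '=' characters. This script parses DN strings in that escaped form and in comma-separated form and evaluates the ASA certificate-map rules from the post against each; it assumes the ASA's attr/eq comparison is a case-insensitive match on the whole attribute value, and COMMA_SEPARATED_SUBJECT is a constructed comparison value.

```python
# Added example, not from the thread. Assumes the ASA's
# 'subject-name attr X eq V' rule compares the whole attribute value
# case-insensitively and that all rules in a map entry must match.

def parse_dn(dn):
    """Split a DN into [(attr, value), ...]. Unescaped ',' ends an RDN,
    unescaped '=' ends the attribute name, and a backslash makes the next
    character literal, as in the IOS form 'cn=R5 C\\=US OU\\=IT'."""
    rdns, attr, value, in_value, i = [], "", "", False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped: literal, not a delimiter
            i += 1
            if in_value:
                value += dn[i]
            else:
                attr += dn[i]
        elif ch == "=" and not in_value:    # attribute/value boundary
            in_value = True
        elif ch == "," and in_value:        # end of this RDN
            rdns.append((attr.strip().lower(), value.strip()))
            attr, value, in_value = "", "", False
        elif in_value:
            value += ch
        else:
            attr += ch
        i += 1
    if attr or value:
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns

def cert_map_matches(rules, subject_dn):
    """True only if every (attr, wanted) rule matches an RDN of the subject."""
    rdns = parse_dn(subject_dn)
    return all(any(a == attr.lower() and v.lower() == wanted.lower()
                   for a, v in rdns) for attr, wanted in rules)

def ou_values(subject_dn):
    """OU values available to 'tunnel-group-map enable ou'."""
    return [v for a, v in parse_dn(subject_dn) if a == "ou"]

ASA_MAP_RULES = [("cn", "r5"), ("c", "us")]        # from the ASA config above
ROUTER_SUBJECT_AS_SHOWN = r"cn=R5 C\=US OU\=IT"    # as printed by the router
COMMA_SEPARATED_SUBJECT = "CN=R5,C=US,OU=IT"       # constructed comparison

if __name__ == "__main__":
    for dn in (ROUTER_SUBJECT_AS_SHOWN, COMMA_SEPARATED_SUBJECT):
        print(dn, "->", parse_dn(dn), "| map 1 matches:",
              cert_map_matches(ASA_MAP_RULES, dn), "| OU:", ou_values(dn))
```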

7 Replies

Andrew Phirsov
Rising star

Your tunnel group on an ASA should probably be of type remote-access (not ipsec-l2l) in your case. I think that's why your tunnel-group never matches.