03-23-2013 02:51 AM
Dear all,
I am trying to establish a site-to-site IPsec VPN with an ASA on one end with a static IP and an IOS router at the other end with a dynamic IP. I am trying to initiate the tunnel from the router side, and when I debug the ASA it is going to the default tunnel-group DefaultRAGroup and it says DefaultRAGroup doesn't have a trustpoint defined.
I tried creating the tunnel name with the OU name of the certificate on the router and issued tunnel-group-map enable ou on the ASA side. I also tried to create a certificate map with matching subject-name attributes like OU, CN and C, but still no luck.
I am posting the config on both ends; please help.
ASA
------------------------------------
access-list vpn extended permit ip host 1.1.1.1 host 5.5.5.5
crypto ipsec transform-set vpn-set esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map vpn-map 10 match address vpn
crypto dynamic-map vpn-map 10 set pfs
crypto dynamic-map vpn-map 10 set transform-set vpn-set
crypto dynamic-map vpn-map 10 set security-association lifetime seconds 28800
crypto dynamic-map vpn-map 10 set security-association lifetime kilobytes 4608000
crypto map vpn-map1 10 ipsec-isakmp dynamic vpn-map
crypto map vpn-map1 interface outside
crypto ca trustpoint router_ca
enrollment url http://10.1.101.1:80
fqdn asa1.micronicstraining.com
subject-name CN=ASA1
serial-number
crl configure
crypto ca certificate map 1
subject-name attr cn eq r5
subject-name attr c eq us
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group IT type ipsec-l2l
tunnel-group IT ipsec-attributes
peer-id-validate nocheck
trust-point router_ca
tunnel-group-map enable rules
tunnel-group-map 1 IT
ROUTER
------------------------------------------------
certificate info
R5#sh crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 20
Certificate Usage: General Purpose
Issuer:
cn=ios_ca_r1
Subject:
Name: R5.micronicstraining.com
hostname=R5.micronicstraining.com
cn=R5 C\=US OU\=IT
Validity Date:
start date: 03:24:33 UTC Mar 1 2002
end date: 02:55:29 UTC Feb 28 2005
Associated Trustpoints: router_ca
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=ios_ca_r1
Subject:
cn=ios_ca_r1
Validity Date:
start date: 02:55:30 UTC Mar 1 2002
end date: 02:55:30 UTC Feb 28 2005
Associated Trustpoints: router_ca
RUN CONFIG
crypto pki trustpoint router_ca
enrollment url http://10.1.101.1:80
usage ike
fqdn R5.micronicstraining.com
subject-name CN=R5 C=US OU=IT
revocation-check none
crypto isakmp policy 10
encr 3des
hash md5
group 2
crypto ipsec transform-set tset esp-3des esp-md5-hmac
!
crypto map vpn-map 10 ipsec-isakmp
set peer 192.168.1.10
set transform-set tset
set pfs group2
match address 126
access-list 126 permit ip host 5.5.5.5 host 1.1.1.1
Please help to identify the problem.
Thanks
Manek
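As an added example (not from the thread or from Cisco), the following Python parses the subject exactly as the router's "show crypto ca certificates" output prints it and evaluates the ASA certificate-map rules from the config above against it; the comma-separated subject it also tests is an assumption about the form in which cn, c and ou would be separate attributes.

```python
# Added example (not from the thread): parse a subject DN as the router prints
# it and evaluate the ASA "crypto ca certificate map 1" rules (attr cn eq r5,
# attr c eq us) against it. Assumes ASA compares case-insensitively, all rules ANDed.

def parse_dn(dn):
    """Split a DN into (attr, value) pairs. ',' separates RDNs; a backslash
    escapes the next char (IOS prints '\\=' for an '=' inside a value)."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def cert_map_failures(dn, rules):
    """Return the rules ('attr op value') that fail for dn; empty means match."""
    subject = dict(parse_dn(dn))
    failures = []
    for attr, op, want in rules:
        have = subject.get(attr.lower())
        have_l, want_l = (have or "").lower(), want.lower()
        ok = {"eq": have is not None and have_l == want_l,
              "ne": have is None or have_l != want_l,
              "co": have is not None and want_l in have_l,
              "nc": have is None or want_l not in have_l}[op]
        if not ok:
            failures.append(f"{attr} {op} {want}")
    return failures

# ASA map rules; the subject exactly as "show crypto ca certificates" prints it;
# and (assumed) the comma-separated form where cn, c and ou are separate attrs.
ASA_RULES = [("cn", "eq", "r5"), ("c", "eq", "us")]
SUBJECT_AS_ISSUED = "cn=R5 C\\=US OU\\=IT"
SUBJECT_COMMA_SEPARATED = "cn=R5,c=US,ou=IT"

if __name__ == "__main__":
    for dn in (SUBJECT_AS_ISSUED, SUBJECT_COMMA_SEPARATED):
        print(parse_dn(dn), "->", cert_map_failures(dn, ASA_RULES) or "match")
```

Run as-is, it shows that the subject as issued parses as a single cn value containing "C=US OU=IT", so both map rules fail, while the comma-separated form satisfies them.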
03-23-2013 03:43 AM
Your tunnel group on an ASA should probably be of type remote-access (not ipsec-l2l) in your case. I think that's why your tunnel-group never matches.
03-23-2013 03:48 AM
Thanks Andrew for the reply.
Since the remote router is on a dynamic IP, should I use an RA tunnel-group on the ASA?
Let me check this out and I will update you.
Thanks
Manek
03-23-2013 03:54 AM
You know, now I'm not sure of that. According to this document, the type should be l2l:
So it's probably something else.
03-23-2013 04:11 AM
Hi Andrew,
I tried configuring a new ipsec-ra kind of tunnel-group and mentioned the trustpoint in the ipsec-attributes, but still the remote router, when initiating the connection, is taking DefaultRAGroup.
What are we missing here from the above config?
Please help.
Thanks
Manek
03-23-2013 04:47 AM
Could you present the whole debug crypto isakmp/ipsec output?
03-23-2013 05:20 AM
I am getting only this, nothing else.
ASA1(config)# debug crypto
Mar 01 04:23:36 [IKEv1]: Connection failed with peer '10.1.105.5', no trust-point defined for tunnel-group 'DefaultRAGroup'
Mar 01 04:23:36 [IKEv1]: Group = DefaultRAGroup, IP = 10.1.105.5, Removing peer from peer table failed, no match!
Mar 01 04:23:36 [IKEv1]: Group = DefaultRAGroup, IP = 10.1.105.5, Error: Unable to remove PeerTblEntry
I don't know why I am getting a full debug, and the above are logging messages.
03-23-2013 08:54 PM
Hi guys,
On the ASA it has to be a L2L tunnel, that's a fact.
On the other hand, please provide the following logs from the ASA:
1- debug crypto isakmp 190
2- debug crypto ipsec 190
3- debug crypto ca 255
HTH.
Portu.