08-07-2012 04:35 AM
I have 2 x ASA 5505's.
I would like one to sit at my office behind an ADSL router with a static IP address, and be configured as a Server.
I would like the other to connect to an ADSL router with a dynamic IP address, and be configured as a Client.
This must be a plug & play setup, so that when the 5505 client is plugged into ANY broadband router, it automatically creates a VPN tunnel to the 5505 server.
The 5505's are to do NOTHING ELSE BUT CREATE AND PROVIDE A VPN LINK AUTOMATICALLY.
In case it's relevant... the purpose of this link will be to stream video data back to my office from remote locations.
We have "played" around with the ASDM, EasyVPN and wizards and still cannot get this to work!
If someone could provide us a step-by-step (idiot) guide we would be very grateful.
Please don't provide links to the official Cisco guides - we've tried these and we're obviously too stupid to understand them! : )
CLI instructions would be ideal.
Many thanks.
Matt
08-07-2012 06:05 AM
Pls share your existing config on both ends to see where it's failing.
Can you please advise which phase it's failing at? Phase 1 or phase 2?
Pls share the output of the following after attempting to pass traffic from client to server:
show cry isa sa
show cry ipsec sa
08-07-2012 07:13 AM
Hello Jennifer,
Thank you for your assistance.
From the ASDM "Easy VPN Connection Status" the VPN Client Detail shows:
"LOCAL CONFIGURATION
vpnclient server 213.120.114.230
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup key password *****
vpnclient username tsu password *****
vpnclient enable
MISCELLANEOUS INFORMATION
- Key exchange is based on Pre-Shared Key
- Connection attempt will be automatically initiated
STORED POLICY
Secure Unit Authentication Enabled : Policy not stored
Split Tunnel Networks : None
Backup Servers : None
RELATED CONFIGURATION
global (outside) 1 interface
nat (inside) 0 access-list _vpnc_nwp_acl
nat (inside) 1 0.0.0.0 0.0.0.0
access-list _vpnc_nwp_acl extended permit ip any any
access-list _vpnc_acl extended permit ip host 192.168.2.23 host 213.120.114.230
aaa authentication match _vpnc_nwp_acl inside _vpnc_nwp_server
aaa authentication match _vpnc_nwp_acl _internal_loopback _vpnc_nwp_server
crypto ipsec transform-set _vpnc_tset_1 esp-aes-256 esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_2 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_3 esp-aes-192 esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_4 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_5 esp-aes esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_6 esp-aes esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_7 esp-3des esp-sha-hmac
crypto ipsec transform-set _vpnc_tset_8 esp-3des esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_9 esp-des esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_10 esp-null esp-md5-hmac
crypto ipsec transform-set _vpnc_tset_11 esp-null esp-sha-hmac
crypto map _vpnc_cm 10 match address _vpnc_acl
crypto map _vpnc_cm 10 set peer 213.120.114.230
crypto map _vpnc_cm 10 set transform-set _vpnc_tset_1 _vpnc_tset_2 _vpnc_tset_3 _vpnc_tset_4 _vpnc_tset_5 _vpnc_tset_6 _vpnc_tset_7 _vpnc_tset_8 _vpnc_tset_9 _vpnc_tset_10 _vpnc_tset_11
crypto map _vpnc_cm 10 set security-association lifetime seconds 2147483647
crypto map _vpnc_cm 10 set security-association lifetime kilobytes 2147483647
crypto map _vpnc_cm 10 set phase1-mode aggressive
crypto map _vpnc_cm interface outside
crypto isakmp enable outside
crypto isakmp policy 65001
authentication xauth-pre-share
encryption aes-256
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65002
authentication xauth-pre-share
encryption aes-256
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65003
authentication xauth-pre-share
encryption aes-192
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65004
authentication xauth-pre-share
encryption aes-192
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65005
authentication xauth-pre-share
encryption aes
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65006
authentication xauth-pre-share
encryption aes
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65007
authentication xauth-pre-share
encryption 3des
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65008
authentication xauth-pre-share
encryption 3des
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65009
authentication xauth-pre-share
encryption des
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65010
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65011
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65012
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65013
authentication pre-share
encryption aes-192
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65014
authentication pre-share
encryption aes
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65015
authentication pre-share
encryption aes
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65016
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 2147483647
crypto isakmp policy 65017
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 2147483647
crypto isakmp policy 65018
authentication pre-share
encryption des
hash md5
group 2
lifetime 2147483647
tunnel-group 213.120.114.230 type ipsec-ra
tunnel-group 213.120.114.230 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 90 retry 5"
"Error: Tunnel is currently being negotiated. Please wait and try again."
Also, we have an amber VPN LED on the Client ASA, but no VPN LED on the Server ASA.
Matt
08-07-2012 08:48 AM
Pls share the full config from both ASA (show run).