cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2043
Views
0
Helpful
17
Replies

ASA5505 VPN IPSEC Config Issue

I am trying to connect my onsite ASA to a remote ASA and without success. I have done the before to another 3rd Party and it works.

Does anybody see anything wrong with the configuration that was sent to me to input into my ASA other than what I XXX out.

 

crypto isakmp policy 132
   auth pre-share
   enc aes-256
   hash sha
   group 2
   lifetime 28800


access-list ACL-USIDBReplication permit ip 192.168.100.32 255.255.255.255 172.27.123.20 255.255.255.255

crypto ipsec transform-set USITransform esp-aes-256 esp-sha-hmac

crypto map Outside_map 10 match address ACL-USIDBReplication
crypto map Outside_map 10 set peer 54.XXX.XXX.XXX
crypto map Outside_map 10 set pfs
crypto map Outside_map 10 set transform-set USITransform
crypto map Outside_map 10 set security-association lifetime seconds 28800
crypto map Outside_map 10 set security-association lifetime kilobytes 4608000


tunnel-group 54.XXX.XXX.XXX type ipsec-l2l
tunnel-group 54.XXX.XXX.XXX ipsec-attrib
    pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

17 Replies 17

Richard Burts
Hall of Fame
Hall of Fame

What you have posted seems fairly reasonable. You do not show enabling isakmp on the interface or assigning the crypto map to an interface, you do not show exempting the VPN traffic from encryption, are these things in your configuration? are you really going through VPN for a single host address to a single host address?

 

If none of that indicates a problem then I would suggest starting with debug for isakmp. Is the negotiation starting? Does the negotiation encounter a problem? Is the isakmp security association negotiated?

 

HTH

 

Rick

HTH

Rick

That is the config that was sent to me. I do have another VPN connection from the same ASA that is working correctly. I did see it finish Phase 1, one time.

Yes, we are do a VPN from a single IP to IP for database replication.

I am getting this in my log.

4|Aug 29 2014|10:33:44|713903|||||Group = 54.213.xxx.xxx, IP = 54.213.xxx.xxx, Error: Unable to remove PeerTblEntry
3|Aug 29 2014|10:33:44|713902|||||Group = 54.213.xxx.xxx, IP = 54.213.xxx.xxx, Removing peer from peer table failed, no match!
6|Aug 29 2014|10:33:28|713905|||||Group = 54.213.xxx.xxx, IP = 54.213.xxx.xxx, P1 Retransmit msg dispatched to MM FSM
5|Aug 29 2014|10:33:28|713201|||||Group = 54.213.xxx.xxx, IP = 54.213.xxx.xxx, Duplicate Phase 1 packet detected.  Retransmitting last packet.
6|Aug 29 2014|10:33:18|713172|||||Group = 54.213.xxx.xxx, IP = 54.213.xxx.xxx, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end   IS   behind a NAT device


4|Aug 29 2014|10:33:18|713903|||||IP =54.213.xxx.xxx, Header invalid, missing SA payload! (next payload = 4)
5|Aug 29 2014|10:33:18|713041|||||IP = 54.213.54.244, IKE Initiator: New Phase 1, Intf inside, IKE Peer 54.213.54.244  local Proxy Address 192.168.100.32, remote Proxy Address 172.27.123.20,  Crypto map (Outside_map)

 

Thanks for the additional information. It does address most of the questions that I asked. And since we seem to be having an issue with ISAKMP negotiation it does not yet matter whether the NAT exemption is in place.

 

I am puzzled about this message

5|Aug 29 2014|10:33:18|713041|||||IP = 54.213.54.244, IKE Initiator: New Phase 1, Intf inside,

and most especially why it mentions Intf inside. Can you provide any clarification about that?

 

HTH

 

Rick

HTH

Rick

Here is my run config. I think I have everything for the new connection highlighted.

 

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.220 255.255.255.0
!
interface Vlan11
 nameif DMZ
 security-level 10
 ip address 172.16.0.1 255.255.255.240
!
interface Vlan21
 nameif Outside
 security-level 0
 ip address 10.255.255.2 255.255.255.0
!
interface Ethernet0/0
 shutdown
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 21
!
interface Ethernet0/7
 switchport access vlan 11
!
dns server-group DefaultDNS
 domain-name ASA
object-group service RDP tcp
 port-object eq 1433
object-group service SQLClient tcp
 port-object eq 1433
object-group service DM_INLINE_SERVICE_1
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
 service-object esp
object-group service DM_INLINE_SERVICE_2
 service-object icmp
 service-object tcp eq www
 service-object tcp eq https
 service-object esp
object-group service VPNPorts udp
 port-object eq 4500
 port-object eq isakmp
access-list DMZ_access_in extended permit object-group DM_INLINE_SERVICE_1 any any
access-list DMZ_access_in extended permit tcp any 192.168.100.0 255.255.255.0 object-group SQLClient
access-list DMZ_access_in extended permit udp any any object-group VPNPorts
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any object-group SQLClient
access-list Outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any 172.16.0.0 255.255.255.240
access-list Outside_access_in extended permit udp any any object-group VPNPorts
access-list Outside_access_in extended permit ip host 216.XXX.XXX.72 any
access-list Outside_access_in extended permit ip host 54.XXX.XX.244 any
access-list Outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.192.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 any
access-list ACL-USIDBReplication extended permit ip host 192.168.100.32 host 172.27.123.20
ip verify reverse-path interface inside
ip verify reverse-path interface Outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 10.255.255.1 1
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set USITransform esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000

crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer 216.XXX.XXX.72
crypto map Outside_map 1 set transform-set ESP-AES128-SHA
crypto map Outside_map 10 match address ACL-USIDBReplication
crypto map Outside_map 10 set pfs
crypto map Outside_map 10 set peer 54.XXX.XX.244
crypto map Outside_map 10 set transform-set USITransform

crypto map Outside_map interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 132
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 100
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 216.XXX.XX.72 type ipsec-l2l
tunnel-group 216.XXX.XX.72 ipsec-attributes
 pre-shared-key *
tunnel-group 54.XXX.XX.244 type ipsec-l2l
tunnel-group 54.XXX.XX.244 ipsec-attributes
 pre-shared-key *

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global

 

I think that you can execute the following command :

no crypto isakmp policy 132
crypto isakmp 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
 

Unfortunately I cannot change the isakmp 10, it is being used by a separate VPN connection to a different 3rd Party.

In your configuration there is

crypto map Outside_map 10 match address ACL-USIDBReplication
crypto map Outside_map 10 set pfs
crypto map Outside_map 10 set peer 54.XXX.XX.244
crypto map Outside_map 10 set transform-set USITransform

Why can't you use crypto isakmp policy 10 ?

Policy 10 is set at a different encryption level than Policy 132

You must set the IKE phase 2 with this command :

 

crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

Would that break the VPN connection policy 10 that uses aes-128 currently?

If you write IKE phase 1 as :

crypto map Outside_map 10 match address ACL-USIDBReplication
crypto map Outside_map 10 set pfs
crypto map Outside_map 10 set peer 54.XXX.XX.244
crypto map Outside_map 10 set transform-set USITransform

then you must write IKE Phase 2 as :

crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

What is your configuration about IKE Phase 2 crypto isakmp policy 10 ?

What is your configuration about IKE Phase 1 crypto map Outside_map 10 ?

What is your configuration about IKE Phase 1 crypto map Outside_map 132?

Would something like this work.

 

crypto map Outside_map 132 match address ACL-USIDBReplication
crypto map Outside_map 132 set pfs
crypto map Outside_map 132 set peer 54.XXX.XX.244
crypto map Outside_map 132 set transform-set USITransform

crypto isakmp policy 132
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

 

Sorry guys, this is fairly new to me. Kind of got thrown in my lap.

I am not sure why Walter is so hung up on isakmp policy 10 other than to assume that he believes that there is a relationship between the crypto map number and the isakmp policy number. But that is not the case. As the VPN peers negotiate they compare their configured policies until they find a policy that is configured on both peers.

 

You could re-write the crypto map and make your new entry Outside_map 132 but I would be absolutely amazed if that made any difference.

 

I have looked through the config that you posted and do not see obvious issues. So my advice is to run debug crypto isakmp, let the tunnel attempt to initiate (may require being sure that the host in your network attempts to communicate with the host in the remote network), let it run a bit and then post the output.

 

HTH

 

Rick

HTH

Rick