Easy VPN: something simple missing?

manuscript1
Level 1

Hi

I am having fun connecting an Easy VPN client (on an ASA 5505) to a core ASA back at HQ. The debug shows that the crypto map is failing. IKEv1/PSK completes OK. On my core ASA at HQ I have a dynamic crypto map as follows:

crypto dynamic-map Outside_dyn_map 101 match address Outside_cryptomap_65535.101_1
crypto dynamic-map Outside_dyn_map 101 set ikev1 transform-set ESP-AES-256-SHA

access-list Outside_cryptomap_65535.101_1 extended permit ip any4 object NET-10.184.0.0

The remote Easy VPN setup seems to have only generic access lists and nothing crypto-specific, so I am unsure what to change and what it is using for its crypto map to match the HQ crypto map. There are no specific crypto commands. (As an aside, this remote device works to another ASA with any/any in the crypto dynamic map, but I cannot use any/any on my new ASA as it seems to stop other elements from working.)

The config on the remote that I think is relevant is:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

access-group inside_access_in in interface inside
access-group outside_access_in in interface outside

access-list inside_access_in extended permit ip any any
access-list outside_access_in extended deny ip any any log

vpnclient server  HQFW
vpnclient mode network-extension-mode
vpnclient vpngroup Pleasework  password *****
vpnclient username Pleasework password *****
vpnclient management tunnel 10.0.0.0 255.0.0.0
vpnclient enable

name 2x.x.x.x  HQFW

dynamic-access-policy-record DfltAccessPolicy

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

Any thoughts ?

Thank you community !

9 Replies

Rahul Govindan
VIP Alumni

Do you have debugs from when the failure happens? Try attaching the output of the following debugs from the ASAs:

debug cry isakmp 127

debug cry ipsec 127

Also, you really don't need a crypto ACL on the dynamic map on the server. The concept of the dynamic map is that you accept proxies from the remote side. Try doing the test after removing the crypto ACL from the dynamic map.

The remote ASA will propose the LAN network as the source proxy for the tunnel. You can restrict what destination traffic gets encrypted over the tunnel by using split-tunneling on the Tunnel-Group (Server ASA).

Hi

I will have debugs later on as I can't get to the kit right now. The debug did, however, show a crypto map mismatch on the encryption domains, I believe. I will update when I have more detail.

regards

As an aside, when I had any/any on the dynamic map it all worked (however, all other traffic through the ASA took a swan dive). Rahul, I am not sure what you mean by "removing the crypto ACL".

Config on the ASA VPN server is:

crypto dynamic-map Outside_dyn_map 101 match address Outside_cryptomap_65535.101_1
crypto dynamic-map Outside_dyn_map 101 set ikev1 transform-set ESP-AES-256-SHA

access-list Outside_cryptomap_65535.101_1 extended permit ip any4 object NET-10.184.0.0

(Changing this to any any killed my ASA.)

Sorry should have been clearer :) I meant removing the line "crypto dynamic-map Outside_dyn_map 101 match address Outside_cryptomap_65535.101_1". You really don't need this as the remote ASA should propose the proxies. The server ASA would accept any proxies that the remote ASA requests.

Also, you have "vpnclient management tunnel 10.0.0.0 255.0.0.0", which will create an additional set of proxies from the public ip address of the remote ASA, which may be why you are seeing proxy mismatch on your server ASA.
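To make the two suggestions above concrete, here is an added example (not taken from the thread or from either poster's running config) showing both sides: the HQ server with the `match address` line removed from the dynamic map and the destination restriction moved to split tunnelling on the group policy, and the 5505 hardware client with the management tunnel removed so it proposes only its LAN as the proxy. The transform-set name, dynamic-map name and sequence, group name `Pleasework` and the `vpnclient` lines are taken from the thread; `Outside_map`, `SPLIT_TUNNEL`, `Pleasework_GP`, the IKEv1 policy values, and the /16 mask on 10.184.0.0 are assumptions.

```cisco
! ===== HQ ASA (Easy VPN server) =====
! Before (as posted in the thread): the dynamic map carried a crypto ACL.
! A dynamic map is meant to accept whatever proxy IDs the hardware client
! proposes, so an ACL here is what produces the proxy mismatch when the
! remote's LAN does not fit it.
!   crypto dynamic-map Outside_dyn_map 101 match address Outside_cryptomap_65535.101_1
no crypto dynamic-map Outside_dyn_map 101 match address Outside_cryptomap_65535.101_1

! Keep the transform-set and bind the dynamic map as the last entry of the
! static crypto map on the outside interface (map name assumed).
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map Outside_dyn_map 101 set ikev1 transform-set ESP-AES-256-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface outside
crypto ikev1 enable outside

! IKEv1 phase 1 policy (values assumed; the thread only says IKEv1/PSK completes).
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! Restrict what the remote tunnels with split tunnelling instead of a crypto ACL.
! Only HQ's 10.184.0.0/16 is sent over the tunnel (mask assumed; the thread
! shows object NET-10.184.0.0). Everything else stays local at the branch.
access-list SPLIT_TUNNEL standard permit 10.184.0.0 255.255.0.0

group-policy Pleasework_GP internal
group-policy Pleasework_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 ! allow the hardware client to connect in network-extension mode
 nem enable

! Xauth user matching 'vpnclient username' on the 5505 (local AAA assumed).
username Pleasework password *****

tunnel-group Pleasework type remote-access
tunnel-group Pleasework general-attributes
 default-group-policy Pleasework_GP
tunnel-group Pleasework ipsec-attributes
 ! must equal the 'vpnclient vpngroup ... password' on the 5505
 ikev1 pre-shared-key *****

! ===== Branch ASA 5505 (Easy VPN hardware client) =====
! The management tunnel adds a second proxy pair sourced from the 5505's
! public address; drop it unless you really manage the 5505 over the tunnel.
no vpnclient management tunnel 10.0.0.0 255.0.0.0
vpnclient server HQFW
vpnclient mode network-extension-mode
vpnclient vpngroup Pleasework password *****
vpnclient username Pleasework password *****
vpnclient enable

! Verify on HQ once the client connects: the local/remote identities of the
! SA should be the branch LAN and 10.184.0.0/16, with no second SA from the
! 5505's public IP.
show crypto ipsec sa peer <branch public IP>
show vpn-sessiondb detail ra-ikev1-ipsec
```

The order matters on the HQ side: remove the `match address` line first, then re-apply the crypto map to the interface, since an edited dynamic map does not take effect for existing SAs until they are cleared (`clear crypto ipsec sa peer <branch public IP>`).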

I agree with Rahul. Remove the crypto ACL from the dynamic crypto map.

Also, it would be good to see the full (sanitized) VPN configuration on the EZVPN server, as it would make troubleshooting much easier.

--

Please remember to select a correct answer and rate helpful posts


Gents

I removed all config and started again. I now have a tunnel up on IKEv1, so all great. Thanks all for the help.

No idea why the other was not working, I'm afraid, but I suspect there is no relationship.

Just out of curiosity, was this set up in a virtual lab?

--

Please remember to select a correct answer and rate helpful posts


Hi Marius

No, this was a real scenario. I think the problem was that I was using ASDM and creating elements on their own (i.e. a crypto map independent of the VPN config). I stripped all the related config and started again, this time using just the IKEv1 element of the VPN GUI in ASDM. I used to be a command line kid, as this is always sold, but have got lazy in my old age :)

It looks like you are missing the vpnclient server command. The following link is a pretty good example of setting this up between two ASAs.

http://www.pearsonitcertification.com/articles/article.aspx?p=2140098&seqNum=2

--

Please remember to select a correct answer and rate helpful posts
