05-26-2011 08:53 AM
Hi guys
I've recently set up an Easy VPN on a Cisco 3G router with an ASA5520. The tunnel comes up OK and the remote users can browse the net.
The problem is accessing the LAN behind the ASA. When you do a show cry ipsec sa on the ASA you get the following (I've replaced IPs with the names of the LAN/IP):
Crypto map tag: DYN_MAP, seq num: 100, local addr: ASA IP ADD
local ident (addr/mask/prot/port): (LAN BEHIND ASA/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (LAN BEHIND 3G router/255.255.255.0/0/0)
current_peer: 3G Router IP, username: xxxxxx
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 249, #pkts decrypt: 249, #pkts verify: 249
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: ASA IP ADD/4500, remote crypto endpt.: 3G Router IP/40592
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 79BBD3C3
inbound esp sas:
spi: 0x483ABBD4 (1211808724)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 13179, crypto-map: DYN_MAP
sa timing: remaining key lifetime (sec): 27555
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x79BBD3C3 (2042352579)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 13179, crypto-map: DYN_MAP
sa timing: remaining key lifetime (sec): 27555
IV size: 16 bytes
replay detection support: Y
As you can see, the packets are not encapsulating for some reason. On the 3G router it's the opposite, where the packets aren't decapsulating. On a site-to-site VPN this is normally when the interesting-traffic ACL is incorrect, but I'm baffled by this on an Easy VPN setup.
I have allowed the no-NAT statements on the router and the ASA.
Any pointers?
Thanks
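As an added illustration (not part of the original post), this small script parses the counters from a show crypto ipsec sa block like the one above and flags the one-way pattern the poster describes (decaps climbing while encaps stays at 0), which usually points at NAT exemption or routing on the side that is not sending. The sample output is constructed with placeholder addresses.

```python
"""Spot one-way traffic on an IPsec SA from 'show crypto ipsec sa' output."""
import re

# Constructed sample, modelled on the output in the post (placeholder addresses).
SAMPLE_OUTPUT = """\
Crypto map tag: DYN_MAP, seq num: 100, local addr: 203.0.113.1
local ident (addr/mask/prot/port): (10.100.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.3.0.0/255.255.255.0/0/0)
current_peer: 198.51.100.7, username: xxxxxx
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 249, #pkts decrypt: 249, #pkts verify: 249
#send errors: 0, #recv errors: 0
"""


def parse_sa(text):
    """Return the proxy identities and packet counters of one SA as a dict."""
    fields = {}
    m = re.search(r"local ident .*?: \(([\d.]+)/([\d.]+)/", text)
    fields["local_net"] = f"{m.group(1)}/{m.group(2)}" if m else None
    m = re.search(r"remote ident .*?: \(([\d.]+)/([\d.]+)/", text)
    fields["remote_net"] = f"{m.group(1)}/{m.group(2)}" if m else None
    for name in ("encaps", "decaps", "send errors", "recv errors"):
        m = re.search(rf"#(?:pkts )?{name}: (\d+)", text)
        fields[name] = int(m.group(1)) if m else 0
    return fields


def diagnose(fields):
    """Classify the SA's traffic pattern and return a short verdict string."""
    enc, dec = fields["encaps"], fields["decaps"]
    if enc == 0 and dec > 0:
        # Peer's traffic arrives and decrypts, but nothing is sent back:
        # the return path is not being steered into the tunnel (NAT
        # exemption or a route for the remote net on this side).
        return "one-way: receiving but not sending"
    if dec == 0 and enc > 0:
        return "one-way: sending but not receiving"
    if enc == 0 and dec == 0:
        return "idle: no traffic matched this SA"
    return "bidirectional"


if __name__ == "__main__":
    sa = parse_sa(SAMPLE_OUTPUT)
    print(sa["local_net"], "<->", sa["remote_net"], ":", diagnose(sa))
```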
05-26-2011 11:06 AM
Hi,
Please post the diagram and configurations on both routers.
Toshi
05-27-2011 09:04 AM
Attached is the diagram and the client-side config.
crypto ipsec transform-set ezvpn-profile-0 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ezvpn-profile-1 esp-aes 256 esp-sha-hmac
username ciscotest password ciscotest
crypto ipsec profile EZVPN
set transform-set ezvpn-profile-0
crypto ipsec client ezvpn ASA
connect auto
group 3GRAGroup key 3gvpn
mode network-extension
ipsec-profile EZVPN
nat acl 102
username cisco test password ciscotest
xauth userid mode local
interface Cellular 0
no ip address
no shut
ip nat outside
encapsulation ppp
dialer in-band
dialer pool-member 2
dialer-group 2
async mode interactive
interface Vlan1
ip address 10.3.0.1 255.255.255.0
ip access-group 100 out
ip nat inside
crypto ipsec client ezvpn ASA inside
interface Dialer 1
ip address negotiated
ip nat outside
dialer pool 2
dialer string 3g
dialer persistent
dialer-group 2
!output omitted----
crypto ipsec client ezvpn ASA outside
ip nat inside source route-map EzVPN interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 102 deny ip 10.3.0.0 0.0.0.255 10.100.1.0 0.0.0.255
access-list 102 permit ip any any
route-map EzVPN permit 1
match address 102
05-27-2011 10:00 PM
Hi,
Your configuration looks good to me. Please post the configuration of the other side.
Toshi
05-31-2011 02:10 AM
Hi
Here is the config from the ASA:
access-list 3GSplitTunnel extended permit ip 10.100.1.0 255.255.255.0 any
access-list 3Gtraffic extended permit ip 10.100.1.0 255.255.255.0 10.3.0.0 255.255.255.0
crypto ipsec transform-set TUNN_ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN_MAP 100 set transform-set TUNN_ESP_AES_SHA
crypto dynamic-map DYN_MAP 100 set reverse-route
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 2147483
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
group-policy 3GPolicy internal
group-policy 3GPolicy attributes
vpn-tunnel-protocol IPSec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 3GSplitTunnel
default-domain value xxx.com
nem enable
username cisco test password ciscotest
tunnel-group Sol3GRAGroup type ipsec-ra
tunnel-group Sol3GRAGroup general-attributes
authorization-server-group LOCAL
default-group-policy 3GPolicy
tunnel-group Sol3GRAGroup ipsec-attributes
pre-shared-key *
06-02-2011 10:58 AM
Hi,
Sorry for my late reply. Are you going to do site-to-site VPN? As far as I can see, the ASA is configured for remote access VPN.
Toshi