Easy VPN issues - IPsec

SOL10

Hi guys

I've recently set up an Easy VPN on a Cisco 3G router with an ASA5520. The tunnel comes up OK and the remote users can browse the net.

The problem is accessing the LAN behind the ASA. When you do a show cry ipsec sa on the ASA you get the following (I've replaced IPs with the names of the LAN/IP):

Crypto map tag: DYN_MAP, seq num: 100, local addr: ASA IP ADD

      local ident (addr/mask/prot/port): (LAN BEHIND ASA/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (LAN BEHIND 3G router/255.255.255.0/0/0)
      current_peer: 3G Router IP, username: xxxxxx
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 249, #pkts decrypt: 249, #pkts verify: 249
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: ASA IP ADD/4500, remote crypto endpt.: 3G Router IP/40592
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 79BBD3C3

    inbound esp sas:
      spi: 0x483ABBD4 (1211808724)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 13179, crypto-map: DYN_MAP
         sa timing: remaining key lifetime (sec): 27555
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x79BBD3C3 (2042352579)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 13179, crypto-map: DYN_MAP
         sa timing: remaining key lifetime (sec): 27555
         IV size: 16 bytes
         replay detection support: Y

As you can see, the packets are not encapsulating for some reason. On the 3G router it's the opposite: the packets aren't decapsulating. On a site-to-site VPN this is normally when the interesting-traffic ACL is incorrect, but I'm baffled by this on an Easy VPN setup.

I have allowed the no-NAT statements on the router and the ASA.

any pointers?

Thanks
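As an added example (not from the original post or from Cisco): a small Python parser that pulls the traffic selectors and packet counters out of "show crypto ipsec sa" output like the one above and flags the one-way pattern the post describes (decaps climbing, encaps stuck at zero). The sample output is constructed to mirror the post, with placeholder addresses.

```python
import re

# Constructed sample modelled on the post's "show crypto ipsec sa" output.
# Addresses are documentation placeholders, not from any real device.
SAMPLE_SA_OUTPUT = """\
Crypto map tag: DYN_MAP, seq num: 100, local addr: 192.0.2.1

      local ident (addr/mask/prot/port): (10.100.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.3.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.7, username: xxxxxx
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 249, #pkts decrypt: 249, #pkts verify: 249
      #send errors: 0, #recv errors: 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")
IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")

def parse_sa(text):
    """Return selectors and packet counters of one IPsec SA entry."""
    sa = {"counters": {}, "ident": {}}
    m = re.search(r"Crypto map tag: (\S+), seq num: (\d+)", text)
    if m:
        sa["map"], sa["seq"] = m.group(1), int(m.group(2))
    for side, addr, mask in IDENT_RE.findall(text):
        sa["ident"][side] = (addr, mask)      # e.g. ("10.3.0.0", "255.255.255.0")
    for name, value in COUNTER_RE.findall(text):
        sa["counters"][name] = int(value)
    return sa

def diagnose(sa):
    """Classify the SA by traffic direction; returns (status, explanation)."""
    enc = sa["counters"].get("encaps", 0)
    dec = sa["counters"].get("decaps", 0)
    if enc == 0 and dec > 0:
        # Peer traffic arrives and decrypts, but nothing from the local side
        # is ever selected into the SA: check routing, NAT exemption and the
        # local ident for the return path.
        return ("inbound-only", "decrypting peer traffic, never encrypting replies")
    if enc > 0 and dec == 0:
        return ("outbound-only", "encrypting local traffic, peer never answers")
    if enc == 0 and dec == 0:
        return ("idle", "SA up but no interesting traffic seen either way")
    return ("bidirectional", "traffic flows both ways")

if __name__ == "__main__":
    print(diagnose(parse_sa(SAMPLE_SA_OUTPUT)))
```

Run it against a live "show crypto ipsec sa" capture from each end; an inbound-only result on one side paired with outbound-only on the other is exactly the asymmetry described in the post.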

5 Replies

Hi,

Please post the diagram and configurations on both routers.

Toshi

Attached are the diagram and the client-side config:

crypto ipsec transform-set ezvpn-profile-0 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ezvpn-profile-1 esp-aes 256 esp-sha-hmac

username ciscotest password ciscotest

crypto ipsec profile EZVPN
set transform-set ezvpn-profile-0
crypto ipsec client ezvpn ASA
connect auto
group 3GRAGroup key 3gvpn
mode network-extension
ipsec-profile EZVPN
nat acl 102
username ciscotest password ciscotest
xauth userid mode local
interface Cellular 0
no ip address
no shut
ip nat outside
encapsulation ppp
dialer in-band
dialer pool-member 2
dialer-group 2
async mode interactive

interface Vlan1
ip address 10.3.0.1 255.255.255.0
ip access-group 100 out
ip nat inside
crypto ipsec client ezvpn ASA inside

interface Dialer 1
ip address negotiated
ip nat outside
dialer pool 2
dialer string 3g
dialer persistent
dialer-group 2
!output omitted----
crypto ipsec client ezvpn ASA outside

ip nat inside source route-map EzVPN interface Dialer1 overload

ip route 0.0.0.0 0.0.0.0 Dialer1

access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 102 deny ip 10.3.0.0 0.0.0.255 10.100.1.0 0.0.0.255
access-list 102 permit ip any any
route-map EzVPN permit 1
match address 102

Hi,

Your configuration looks good to me. Please post the configuration of the other side.

Toshi

Hi,

Here is the config from the ASA:

access-list 3GSplitTunnel extended permit ip 10.100.1.0 255.255.255.0 any
access-list 3Gtraffic extended permit ip 10.100.1.0 255.255.255.0 10.3.0.0 255.255.255.0

crypto ipsec transform-set TUNN_ESP_AES_SHA esp-aes-256 esp-sha-hmac

crypto dynamic-map DYN_MAP 100 set transform-set TUNN_ESP_AES_SHA
crypto dynamic-map DYN_MAP 100 set reverse-route

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 2147483

crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000

group-policy 3GPolicy internal
group-policy 3GPolicy attributes
vpn-tunnel-protocol IPSec
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 3GSplitTunnel
default-domain value xxx.com
nem enable

username ciscotest password ciscotest

tunnel-group Sol3GRAGroup type ipsec-ra
tunnel-group Sol3GRAGroup general-attributes
authorization-server-group LOCAL
default-group-policy 3GPolicy
tunnel-group Sol3GRAGroup ipsec-attributes
pre-shared-key *

Hi,

Sorry for my late reply. Are you going to do site-to-site VPN? As far as I can see, the ASA is configured for remote-access VPN.

Toshi
