Help with VPN site-to-site under other VPN

Hello Guys,

I need help with this scenario.

Branch --> HQ --> Site Remote, where:

Branch: Internal = 192.168.50.0/24

HQ: Internal = 192.168.40.0/24

Site Remote = 10.175.26.0/24

Branch + HQ = Both ASA with ESP-3DES-MD5. (Here, we are using the real LAN IP range for the encryption domain.)

HQ + Site Remote = My side ASA with ESP-AES-256-SHA. (Here, to reach the Site Remote 10.175.26.0/24 we NAT our LAN IP range to 172.18.0.10, so the encryption domain is 172.18.0.10 --> 10.175.26.0/24.)

Now, we need the Branch to reach the Remote Site through the VPNs: Branch to HQ and HQ to Remote Site.

My actions:

Branch Firewall:

 - In the VPN Site to Site configuration I added 10.175.26.0/24 to the Remote Network of the tunnel between Branch and HQ.

 - I added the EXEMPT for 10.175.26.0/24 on the inside.

HQ Firewall:

 - In the VPN Site to Site configuration I added 10.175.26.0/24 to the Remote Network of the tunnel between Branch and HQ.

 - I created a Dynamic Policy on the outside from source = Branch IP range to destination = Site Remote IP range, translated to 172.18.0.10.

I already have it working for another Site Remote, but that one has the IPsec proposal ESP-3DES-MD5 (the same as Branch). I do not know if that is the problem, but I tried using both proposals together, 3DES-MD5 and AES-256-SHA.

Firewall rules are OK too.

Where is the mistake in that configuration?

Thanks,

Diego

1 Accepted Solution (marziano77):

good

put solved in this post

9 Replies

marziano77 (Level 1)

Hi,

post your config.

Hello,

Please find it attached!

The network that I need to reach from Branch is "name 10.175.26.0 REDE_Client"

The Tunnel group of the Client is 200.200.200.200.

The NAT IP from my network to reach the client is 172.19.0.5.

Hi seg,

I looked very quickly at the HQ config and I saw that your peer (vpn_client) doesn't match any crypto map, and this doesn't allow phase 2.

I have not seen anything else; double-check the config on both sides first.

My bad. I forgot to change it. The crypto map is number 4.

Diego, your config is wrong also in the Branch config.

You have only a tunnel group with IP 177.7.7.7, but the crypto map is bound to 177.135.122.70 FWL_Matriz.

 

In the HQ log I can see it...

Severity 3 | May 13 2014 17:23:08 | 713061 | Group = 189.7.7.7, IP = 189..7.7.7, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.90.0/255.255.255.0/0/0 local proxy 10.175.26.23/255.255.255.255/0/0 on interface outside
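The log line above is the ASA message 713061, which says the peer proposed a proxy-identity pair (remote 192.168.90.0/24, local host 10.175.26.23/32) that no entry of the crypto-map ACL on the outside interface matches. The following is an added example, not code from the thread or from Cisco: it parses that message, compares the proposed pair with a constructed crypto ACL, and separately walks one Branch-to-Site-Remote packet through the HQ hop the original post configures (Branch tunnel ACL, then policy NAT to 172.18.0.10, then the Site Remote tunnel ACL). The networks are the ones stated in the thread; the ACL tables, the NAT rule, the packet addresses and the strict mirror-match rule are assumptions of this script, not a description of ASA internals.

```python
"""Added example, not code from the thread: model the checks behind the
HQ log's 'no matching crypto map entry' rejection and the hub hop that the
original post configures (Branch tunnel -> policy NAT -> Site Remote tunnel).
Networks are the ones stated in the thread; ACL tables, NAT rule and packet
addresses are constructed for illustration."""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


def net(text: str) -> IPv4Net:
    """Accept CIDR or the dotted-mask form the ASA uses in its logs."""
    return ipaddress.ip_network(text, strict=False)


class CryptoAce(NamedTuple):
    """One permit line of a crypto-map ACL, from this ASA's point of view."""
    local: IPv4Net   # source side of the ACE (networks behind this ASA)
    remote: IPv4Net  # destination side (networks behind the peer)


class PolicyNat(NamedTuple):
    """Hosts in 'real' talking to 'dest' are seen by the peer as 'mapped'."""
    real: IPv4Net
    dest: IPv4Net
    mapped: ipaddress.IPv4Address


# Proxy IDs in the 713061 message are written as addr/mask/protocol/port.
_RE_713061 = re.compile(
    r"no matching crypto map entry for remote proxy "
    r"(?P<ra>[\d.]+)/(?P<rm>[\d.]+)/\d+/\d+ local proxy "
    r"(?P<la>[\d.]+)/(?P<lm>[\d.]+)/\d+/\d+ on interface (?P<iface>\S+)")


def parse_713061(line: str) -> Optional[Tuple[IPv4Net, IPv4Net, str]]:
    """Return (remote_proxy, local_proxy, interface), or None for other messages."""
    m = _RE_713061.search(line)
    if m is None:
        return None
    return net(f"{m['ra']}/{m['rm']}"), net(f"{m['la']}/{m['lm']}"), m["iface"]


def diagnose(line: str, acl: List[CryptoAce]) -> str:
    """Compare the peer's proposed proxy pair with this ASA's crypto ACL.
    This script demands an exact mirror entry (an assumption, kept strict on
    purpose); an entry that merely covers the proposal is reported separately
    so the admin can see which side is narrower."""
    parsed = parse_713061(line)
    if parsed is None:
        return "not a 713061 message"
    remote, local, iface = parsed
    for ace in acl:
        if ace.local == local and ace.remote == remote:
            return f"exact ACE present on {iface}: {ace.local} -> {ace.remote}"
    covering = [a for a in acl if local.subnet_of(a.local) and remote.subnet_of(a.remote)]
    if covering:
        a = covering[0]
        return (f"no exact ACE for {local} -> {remote} on {iface}; {a.local} -> {a.remote} "
                f"covers it, so the peer proposes a narrower identity; mirror the ACLs")
    return f"no ACE covers {local} -> {remote} on {iface}; add mirrored entries on both peers"


def hq_transit_check(src: str, dst: str, branch_acl: List[CryptoAce],
                     nat: PolicyNat, site_acl: List[CryptoAce]) -> List[str]:
    """Walk one Branch -> Site Remote packet through HQ and list the gaps found."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    gaps = []
    # 1. Inbound over the Branch tunnel: HQ's ACE must carry dst as local, src as remote.
    if not any(d in a.local and s in a.remote for a in branch_acl):
        gaps.append(f"Branch tunnel ACL on HQ lacks local {dst} remote {src}")
    # 2. Policy NAT toward the remote site (the 172.18.0.10 translation in the post).
    if s in nat.real and d in nat.dest:
        s = nat.mapped
    else:
        gaps.append(f"no NAT rule translates {src} toward {dst}")
    # 3. Outbound over the Site Remote tunnel: translated source must be the ACE's local side.
    if not any(s in a.local and d in a.remote for a in site_acl):
        gaps.append(f"Site Remote tunnel ACL on HQ lacks local {s} remote {dst}")
    return gaps


# Constructed HQ tables built from the networks in the thread.
HQ_BRANCH_ACL = [CryptoAce(net("192.168.40.0/24"), net("192.168.50.0/24")),
                 CryptoAce(net("10.175.26.0/24"), net("192.168.50.0/24"))]  # entry the post adds
HQ_SITE_ACL = [CryptoAce(net("172.18.0.10/32"), net("10.175.26.0/24"))]
HQ_NAT = PolicyNat(net("192.168.50.0/24"), net("10.175.26.0/24"),
                   ipaddress.ip_address("172.18.0.10"))

# Copy of the rejection line from the thread (constructed sample input).
LOG_LINE = ("Group = 189.7.7.7, IP = 189.7.7.7, Rejecting IPSec tunnel: no matching crypto map "
            "entry for remote proxy 192.168.90.0/255.255.255.0/0/0 local proxy "
            "10.175.26.23/255.255.255.255/0/0 on interface outside")

if __name__ == "__main__":
    print(diagnose(LOG_LINE, HQ_BRANCH_ACL))
    print(hq_transit_check("192.168.50.10", "10.175.26.23", HQ_BRANCH_ACL, HQ_NAT, HQ_SITE_ACL))
    print(hq_transit_check("192.168.50.10", "10.175.26.23", HQ_BRANCH_ACL[:1], HQ_NAT, HQ_SITE_ACL))
```

Run against the thread's line, `diagnose` reports that nothing in the constructed HQ ACL covers 10.175.26.23/32 -> 192.168.90.0/24, which is the same conclusion the ASA logged; feeding it an ACL whose entry covers the pair only as a /24 makes the host-versus-network mismatch visible instead. The transit check shows why the post's HQ steps (the added 10.175.26.0/24 entry on the Branch tunnel and the policy NAT to 172.18.0.10) are both needed: drop the added ACE and the first hop fails, drop the NAT and the Site Remote tunnel's ACE no longer matches the untranslated source.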

What do you want me to say? You have posted a different conf than your debug.

Yeah, probably because I changed it before sending...

Well... I recreated the tunnels and now it is working fine....

I think when we changed the outside IP and recreated the tunnels, maybe some dirt was kept in the config... so I removed everything and created it again..

 

thanks!!!
