05-12-2014 06:56 AM
Hello Guys,
I need help with this scenario.
Branch --> HQ --> Site Remote, where:
Branch: Internal = 192.168.50.0/24
HQ: Internal = 192.168.40.0/24
Site Remote = 10.175.26.0/24
Branch + HQ = Both ASA with ESP-3DES-MD5. (Here, we are using the real LAN IP range for encryption domain)
HQ + Site Remote = My side ASA with ESP-AES-256-SHA. (Here, to reach the Site Remote 10.175.26.0/24 we NAT our LAN IP range to 172.18.0.10, so the encryption domain is 172.18.0.10 --> 10.175.26.0/24)
Now, we need Branch to reach the Remote Site through the VPN from Branch to HQ and from HQ to the Remote Site.
My actions:
Branch Firewall:
- In the VPN Site to Site configuration I added the 10.175.26.0/24 for Tunnel between Branch and HQ in the Remote Network.
- I added the EXEMPT for 10.175.26.0/24 in the inside.
HQ Firewall:
- In the VPN Site to Site configuration I added the 10.175.26.0/24 for Tunnel between Branch and HQ in the Remote Network.
- I created a Dynamic Policy in the outside from source = Branch IP range to = Site Remote IP range translated to 172.18.0.10.
I already have it working for another Remote Site, but that one has IPsec proposal ESP-3DES-MD5 (the same as Branch). I do not know if that is the problem, but I tried to use both proposals together, 3DES-MD5 and AES-256-SHA.
Firewall rules are ok too.
Where is the mistake in that configuration?
Thanks,
Diego
05-12-2014 12:11 PM
hi
post your config
05-13-2014 09:35 AM
05-13-2014 10:33 AM
hi seg
I looked very quick HQ config
and I saw that your peer (vpn_client) doesn't match any crypto map,
and this doesn't allow phase 2.
I have not seen anything else
Double-check the config on both sides first.
05-13-2014 11:30 AM
My bad. I forgot to change it. The crypto map is number 4
05-13-2014 12:35 PM
Diego, your config is wrong in the branch config as well.
You have only a tunnel group with IP 177.7.7.7, but the crypto map is bound to 177.135.122.70 FWL_Matriz.
05-13-2014 01:24 PM
In the HQ log I can see it...
3 | May 13 2014 | 17:23:08 | 713061 | Group = 189.7.7.7, IP = 189..7.7.7, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.90.0/255.255.255.0/0/0 local proxy 10.175.26.23/255.255.255.255/0/0 on interface outside |
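The 713061 message above names the proxy pair the peer proposed and that the responding ASA could not match. As an added example, not from the thread or from Cisco, here is a small checker that parses such a line and tests the proposed pair against a hypothetical hub crypto ACL built from the subnets named in the thread; it uses a containment check, so a peer proposal narrower than the local entry counts as covered.

```python
import ipaddress
import re

# Constructed sample line, modelled on the ASA 713061 message quoted above (not a real capture).
SAMPLE_LOG = (
    "3 | May 13 2014 | 17:23:08 | 713061 | Group = 189.7.7.7, IP = 189.7.7.7, "
    "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
    "192.168.90.0/255.255.255.0/0/0 local proxy 10.175.26.23/255.255.255.255/0/0 "
    "on interface outside |"
)

# ASA writes proxy identities as address/netmask/protocol/port.
PROXY_RE = re.compile(
    r"remote proxy (?P<rip>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+ "
    r"local proxy (?P<lip>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+"
)

def parse_713061(line):
    """Return the (local, remote) proxy pair from a 713061 line in CIDR form, or None."""
    if "713061" not in line:
        return None
    m = PROXY_RE.search(line)
    if not m:
        return None
    local = ipaddress.ip_network(f"{m['lip']}/{m['lmask']}", strict=False)
    remote = ipaddress.ip_network(f"{m['rip']}/{m['rmask']}", strict=False)
    return str(local), str(remote)

# Hypothetical HQ crypto ACL for the Branch peer as (local, remote) pairs: HQ <-> Branch
# plus the spoke-to-spoke Site Remote <-> Branch entry the original post describes adding.
HQ_CRYPTO_ACL = [
    ("192.168.40.0/24", "192.168.50.0/24"),
    ("10.175.26.0/24", "192.168.50.0/24"),
]

def find_covering_entry(acl, local, remote):
    """Return the first ACL pair containing the proposed pair, or None (phase 2 would be rejected)."""
    loc, rem = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    for acl_local, acl_remote in acl:
        if loc.subnet_of(ipaddress.ip_network(acl_local)) and \
                rem.subnet_of(ipaddress.ip_network(acl_remote)):
            return acl_local, acl_remote
    return None

def diagnose(line, acl):
    """Explain a 713061 rejection: what the peer proposed and whether any local entry covers it."""
    pair = parse_713061(line)
    if pair is None:
        return None
    entry = find_covering_entry(acl, *pair)
    fix = None if entry else f"add mirror entry local {pair[0]} remote {pair[1]}, or fix the peer's ACL"
    return {"proposed": pair, "covered_by": entry, "fix": fix}
```

Run against the sample line it reports no covering entry, because the peer proposed 192.168.90.0/24 while the hub only knows 192.168.50.0/24 for that tunnel; the same mismatch is what the next reply points out when it says the posted config and the debug disagree.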
05-14-2014 01:28 AM
What do you want me to say
you have posted a different conf than your debug
05-14-2014 07:50 AM
yeah, probably because I changed it before sending...
well... I recreated the tunnels and now it is working fine....
I think when we changed the outside IP and recreated the tunnels, maybe some dirt was kept in the config... so I removed it all and created it again..
thanks!!!
05-14-2014 08:31 AM
good
put solved in this post