IPSec between ASA and 2900 Not working but tunnel is up and Active

Jesutofunmi O
Level 1

Hello All,

So I just concluded the configuration of an IPSec VPN between two sites. When I do the "show crypto ipsec sa" command (plus other commands) I see that the tunnel is up, but for some reason I am unable to send traffic through the tunnel; I can't ping or do anything. I have adjusted the ACL a few times, but all to no avail. The VPN is between a Cisco ASA 5515x and a Cisco 2900. Please see the config below and assist.

I tried to reduce the configuration so that it can be easily read. However, attached is the full configuration on both routers.

Thank you.

ASA 5515

interface GigabitEthernet0/0
description ###Internet Link###
nameif outside
security-level 0
ip address XX.XX.XX.XX 255.255.255.248
!
interface GigabitEthernet0/1
description ###Internal MEMBER-1 Link###
nameif INSIDE
security-level 100
ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet0/2
description ###Internal MEMBER-2 Link###
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
no ip address
!
boot system disk0:/asa922-4-smp-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group defaultDNS
name-server XX.XX.XX.XX
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network LWB-VI3
subnet 172.16.120.0 255.255.248.0
object network KANO
subnet 172.16.128.0 255.255.255.0
object network VI-FOR-KANO1
subnet 172.16.120.0 255.255.254.0
object network VI-FOR-KANO2
subnet 192.168.0.0 255.255.255.0
object-group network LWB-ILUPEJU
network-object object LWB-ILUPEJU1
network-object object LWB-ILUPEJU2
object-group network LWB-VI
network-object object LWB-VI2
network-object object LWB-VI3
object-group network LWB-VI-FOR-KANO
network-object object VI-FOR-KANO1
network-object object VI-FOR-KANO2
access-list VI-Kano extended permit ip 192.168.0.0 255.255.255.0 172.16.128.0 255.255.255.0
access-list VI-Kano extended permit ip 172.16.120.0 255.255.248.0 172.16.128.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu INSIDE 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-7221.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (INSIDE,outside) source static VI-FOR-KANO2 VI-FOR-KANO2 destination static KANO KANO
nat (INSIDE,outside) source static LWB-VI3 LWB-VI3 destination static KANO KANO
!
object network LWB-VI2
nat (INSIDE,outside) dynamic interface
object network LWB-VI1
nat (INSIDE,outside) static interface
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
route INSIDE 10.10.1.0 255.255.255.0 192.168.10.1 1
route INSIDE 172.16.120.0 255.255.248.0 192.168.10.1 1
route INSIDE 192.168.0.0 255.255.255.0 192.168.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 172.16.120.0 255.255.248.0 INSIDE
http 0.0.0.0 0.0.0.0 INSIDE
http 192.168.0.0 255.255.255.0 INSIDE
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set KANOSET esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside-map 4 match address VI-Kano
crypto map outside-map 4 set pfs group5
crypto map outside-map 4 set peer XX.XX.XX.XX
crypto map outside-map 4 set ikev1 transform-set KANOSET
crypto map outside-map interface outside
crypto ca trustpool policy
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 am-disable
crypto ikev1 policy 12
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.10.0 255.255.255.0 INSIDE
ssh 172.16.0.0 255.255.0.0 INSIDE
ssh 192.168.0.0 255.255.255.0 INSIDE
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
username admin password gWe.oMSKmeGtelxS encrypted privilege 15
tunnel-group XX.XX.XX.XX type ipsec-l2l
tunnel-group XX.XX.XX.XX ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:aa767b4b4b46e6b76441cdbb15314275
: end

CISCO 2900 ROUTER

BWL_KANO#show run
Building configuration...

boot-start-marker
warm-reboot
boot-end-marker
!
!
!
ip dhcp excluded-address 172.16.128.1 172.16.128.10
!
ip dhcp pool bwl-kano
network 172.16.128.0 255.255.255.0
default-router 172.16.128.1
dns-server XX.XX.XX.XX
lease 2
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
crypto isakmp key ******** address 172.16.33.225
crypto isakmp key ******** address XX.XX.XX.XX
crypto isakmp keepalive 12
!
!
crypto ipsec transform-set BWLKANO esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set LAGOSSET esp-aes esp-sha-hmac
!
crypto map BWVPN 30 ipsec-isakmp
set peer XX.XX.XX.XX
set transform-set LAGOSSET
set pfs group5
match address Kano-VI
!
!
!
!
!
interface Tunnel0
description CONNECTION TO MARINA_KANO
ip address 172.16.33.230 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 0224055500031D745B4F1B1C0D18075E09
ip ospf 1 area 10
tunnel source XX.XX.XX.XX
tunnel destination XX.XX.XX.XX
!
interface Tunnel1
description CONNECTION TO ILUPEJU_KANO
ip address 172.16.33.226 255.255.255.252
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 002612080F5E195318205E4B0116104217
ip ospf mtu-ignore
ip ospf 1 area 10
tunnel source XX.XX.XX.XX
tunnel destination XX.XX.XX.XX
!
interface Tunnel2
description CONNECTION TO KANO_ABUJA
ip address 172.16.33.234 255.255.255.252
tunnel source XX.XX.XX.XX
tunnel destination XX.XX.XX.XX
!
interface GigabitEthernet0/0
description CONNECTION TO LAN
ip address 172.16.128.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 7 03265A050D0A331959080B001F1D1E5901
ip ospf 1 area 10
duplex auto
speed auto
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 172.16.127.1 255.255.255.0
!
interface GigabitEthernet0/1
description CONNECTION TO IPNX
no ip address
ip virtual-reassembly in
duplex full
speed 100
!
interface GigabitEthernet0/1.120
description INTERNET
encapsulation dot1Q 120
ip address XX.XX.XX.XX 255.255.255.252
ip nat outside
ip virtual-reassembly in
crypto map BWVPN
!
interface GigabitEthernet0/1.121
description VPN to LAGOS
encapsulation dot1Q 121
ip address 10.160.1.2 255.255.255.252
!
interface GigabitEthernet0/2
ip address 172.16.129.1 255.255.255.0
duplex auto
speed auto
!
router ospf 1
router-id 172.16.33.226
area 10 nssa
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map nonat interface GigabitEthernet0/1.120 overload
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.XX
ip route 172.16.130.0 255.255.254.0 Tunnel2
!
ip access-list extended Kano-VI
permit ip 172.16.128.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 172.16.128.0 0.0.0.255 172.16.120.0 0.0.7.255
!
access-list 100 deny ip 172.16.128.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 deny ip 172.16.128.0 0.0.0.255 172.16.120.0 0.0.7.255
access-list 100 permit ip 172.16.128.0 0.0.15.255 any
access-list 111 permit ip host 172.16.129.254 host 172.16.15.49
!
!
!
!
route-map nonat permit 10
match ip address 100
!
!
!
control-plane
!
!
!
line con 0
password 7 06240E2F474B1B4C1216000E040B3F7E21
login
line aux 0
password 7 06240E2F474B1B4C1216000E040B3F7E21
login
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 1327161C0009167F3C253A363D2D065213
login
transport input all
!
scheduler allocate 20000 1000
end
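Because the post says the crypto ACL was adjusted several times without effect, the first thing worth checking mechanically is that the two crypto ACLs are exact mirror images: the ASA entries use subnet masks while the IOS entries use wildcard (inverse) masks, so a one-bit slip on either side is easy to miss by eye and produces exactly the "SA up, no traffic" symptom. The Python script below is an added example, not code from the thread or from Cisco. It takes the two ACLs exactly as posted (copied inline as constructed input), normalises both to CIDR, and reports every (source, destination) pair that has no mirror on the other side. The parser only understands plain `permit ip A MASK B MASK`, `host` and `any` entries; `object` and `object-group` references are not resolved, which is an assumption made to keep the example short.

```python
import ipaddress

# Constructed input: the two crypto ACLs exactly as they appear in the post.
# The ASA side uses subnet masks; the IOS side uses wildcard (inverse) masks.
ASA_ACL = """
access-list VI-Kano extended permit ip 192.168.0.0 255.255.255.0 172.16.128.0 255.255.255.0
access-list VI-Kano extended permit ip 172.16.120.0 255.255.248.0 172.16.128.0 255.255.255.0
"""

IOS_ACL = """
ip access-list extended Kano-VI
 permit ip 172.16.128.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 172.16.128.0 0.0.0.255 172.16.120.0 0.0.7.255
"""


def _parse_spec(tokens, idx, wildcard):
    """Consume one address spec (any | host A | A MASK) starting at tokens[idx].
    Returns (IPv4Network, index of the next unread token)."""
    tok = tokens[idx]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), idx + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[idx + 1]}/32"), idx + 2
    if tok in ("object", "object-group"):
        # Assumption for this example: named objects are not resolved.
        raise ValueError(f"object references are not resolved: {' '.join(tokens)}")
    addr, mask = tok, tokens[idx + 1]
    if wildcard:
        # An IOS wildcard mask is the bitwise inverse of the subnet mask.
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), idx + 2


def parse_crypto_acl(text, wildcard):
    """Return the (src, dst) networks of every 'permit ip' entry in an ACL.
    Deny entries and other protocols are skipped; only 'permit ip' defines the proxy IDs here."""
    pairs = []
    for line in text.splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue
        i = tokens.index("permit")
        if tokens[i + 1] != "ip":
            continue
        src, j = _parse_spec(tokens, i + 2, wildcard)
        dst, _ = _parse_spec(tokens, j, wildcard)
        pairs.append((src, dst))
    return pairs


def _pair_key(pair):
    return (str(pair[0]), str(pair[1]))


def mirror_mismatches(local, remote):
    """Each local (src, dst) must appear on the remote side as (dst, src).
    Returns (local pairs with no mirror on remote, remote pairs with no mirror locally),
    both expressed from the local side's point of view."""
    local_set = set(local)
    mirrored_remote = {(dst, src) for src, dst in remote}
    return (sorted(local_set - mirrored_remote, key=_pair_key),
            sorted(mirrored_remote - local_set, key=_pair_key))


def check_crypto_acls(asa_text, ios_text):
    """Compare an ASA crypto ACL (subnet masks) with an IOS crypto ACL (wildcard masks)."""
    asa = parse_crypto_acl(asa_text, wildcard=False)
    ios = parse_crypto_acl(ios_text, wildcard=True)
    missing_on_ios, extra_on_ios = mirror_mismatches(asa, ios)
    return {
        "asa_entries": len(asa),
        "ios_entries": len(ios),
        "missing_on_ios": missing_on_ios,   # ASA pairs the IOS side does not mirror
        "extra_on_ios": extra_on_ios,       # IOS pairs the ASA side does not mirror
    }


if __name__ == "__main__":
    result = check_crypto_acls(ASA_ACL, IOS_ACL)
    for key, value in result.items():
        print(f"{key}: {value}")
    # A deliberately broken copy (0.0.3.255 instead of 0.0.7.255) shows what a slip looks like.
    broken = check_crypto_acls(ASA_ACL, IOS_ACL.replace("0.0.7.255", "0.0.3.255"))
    print("with a wildcard typo:", broken["missing_on_ios"], broken["extra_on_ios"])
```

For the ACLs in the post the script reports no mismatches, which agrees with how the thread ended: the proxy identities were fine and the fault was in phase 1, not in the ACLs. The same mirroring requirement applies to the ASA's `nat ... source static ... destination static` exemption rules, which have to cover the same subnet pairs so that the traffic is not translated before it is matched against the crypto ACL.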

 

 

Accepted Solution

RJI,

Thanks for your response. The solution was quite simpler than I thought.

From the phase 1 configuration at both ends, I changed the lifetime from 3600 to 7200 and voila, the link was up!

Many thanks for your assistance.


2 Replies

Hi,
Can you provide the debug information please? Ideally from both ends, please upload in separate text files.
When you run a ping what IP address are you sourcing this from? Do you see any pkts enc'ed on the output router/asa when you run the ping?
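RJI's question about encrypted packet counters is the standard way to localise a "tunnel up, no traffic" fault: the `#pkts encaps` and `#pkts decaps` counters in `show crypto ipsec sa` tell you whether the ping ever entered the tunnel and whether anything came back. The Python script below is an added example, not part of the reply or of any Cisco tool. It reads those two counters from the command's text, sums them over all SAs, and reduces them to a verdict about which side of the path to examine next; because the counters are cumulative it also compares two snapshots taken before and after the ping. The sample text is constructed to match the shape of the counter lines, not output captured from the devices in this thread.

```python
import re

# Constructed sample in the shape of the counter lines that "show crypto ipsec sa"
# prints on IOS and ASA; NOT output captured from the devices in the thread.
SAMPLE_SA_OUTPUT = """
   local  ident (addr/mask/prot/port): (172.16.128.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
    #pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")

# Verdict codes and what each one points at along the path.
HINTS = {
    "none": "nothing entered the tunnel: the ping is not matching the crypto ACL "
            "(check the source address used, the route to the peer and the NAT exemption on this side)",
    "encaps-only": "packets leave encrypted but none return: check the remote peer's crypto ACL, "
                   "NAT exemption and its route back to this subnet",
    "decaps-only": "packets arrive and decrypt but none are sent: check this side's return route and ACL",
    "both": "the SA carries traffic both ways: look beyond the VPN devices (host firewalls, interface ACLs)",
}


def count_packets(sa_text):
    """Sum the encaps and decaps counters over every SA present in the text."""
    encaps = sum(int(n) for n in ENCAPS_RE.findall(sa_text))
    decaps = sum(int(n) for n in DECAPS_RE.findall(sa_text))
    return encaps, decaps


def classify(encaps, decaps):
    """Map a pair of counts to a verdict code plus a hint about where to look next."""
    if encaps == 0 and decaps == 0:
        code = "none"
    elif decaps == 0:
        code = "encaps-only"
    elif encaps == 0:
        code = "decaps-only"
    else:
        code = "both"
    return {"encaps": encaps, "decaps": decaps, "verdict": code, "hint": HINTS[code]}


def triage(sa_text):
    """Classify a single snapshot of 'show crypto ipsec sa' output."""
    encaps, decaps = count_packets(sa_text)
    return classify(encaps, decaps)


def triage_delta(before_text, after_text):
    """Counters are cumulative, so classify only what changed between two snapshots
    taken immediately before and after the test ping."""
    b_enc, b_dec = count_packets(before_text)
    a_enc, a_dec = count_packets(after_text)
    return classify(a_enc - b_enc, a_dec - b_dec)


if __name__ == "__main__":
    r = triage(SAMPLE_SA_OUTPUT)
    print(f"encaps={r['encaps']} decaps={r['decaps']} -> {r['verdict']}: {r['hint']}")
    # Second constructed snapshot: five more packets were encapsulated, still none decapsulated.
    after = SAMPLE_SA_OUTPUT.replace("encaps: 25", "encaps: 30")
    d = triage_delta(SAMPLE_SA_OUTPUT, after)
    print(f"delta encaps={d['encaps']} decaps={d['decaps']} -> {d['verdict']}")
```

The constructed sample encodes the most common pattern behind RJI's question: encaps rising while decaps stays at zero means the local side is doing its job and the remote peer (its crypto ACL, NAT exemption or return route) is where to look next. Sourcing the ping from an address outside the crypto ACL, as RJI's first question hints, shows up as the "none" verdict, since such packets never match the crypto map at all.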
