Rockyy
Beginner

IPSec site-to-site VPN

Hi,

I'm trying to connect two sites using an IPSec site-to-site VPN tunnel. Below is my configuration for both sites.

 

ASA-01

show running-config crypto 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-aes esp-sha-hmac 
crypto ipsec security-association pmtu-aging infinite
crypto map UK_VPN_MAP 1 match address UK-L2L-VPN
crypto map UK_VPN_MAP 1 set pfs 
crypto map UK_VPN_MAP 1 set peer 1.1.1.1 
crypto map UK_VPN_MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
crypto map UK_VPN_MAP 1 match address UK-L2L-VPN
crypto map UK_VPN_MAP 1 set pfs 
crypto map UK_VPN_MAP 1 set peer 1.1.1.1 
crypto map UK_VPN_MAP interface outside
object-group network IPSEC-L2L-LAN
 network-object 172.16.10.0 255.255.255.0
object-group network IPSEC-L2L-REMOTE
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.100.0 255.255.255.0
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static ANYCONNECT-LOCAL ANYCONNECT-LOCAL destination static ANYCONNECT-REMOTE ANYCONNECT-REMOTE
nat (inside,outside) source static IPSEC-L2L-LAN IPSEC-L2L-LAN destination static IPSEC-L2L-REMOTE IPSEC-L2L-REMOTE

access-list UK-L2L-VPN line 1 extended permit ip 172.16.10.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=0) 0xce8839d5
access-list UK-L2L-VPN line 2 extended permit icmp 172.16.10.0 255.255.255.0 192.168.10.0 255.255.255.0 (hitcnt=0) 0x44eb4dd0

Site B

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map US_VPN_MAP 1 match address UK-L2L-VPN
crypto map US_VPN_MAP 1 set pfs
crypto map US_VPN_MAP 1 set peer 2.2.2.1
crypto map US_VPN_MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 2.2.2.1 type ipsec-l2l
tunnel-group 2.2.2.1 ipsec-attributes
 ikev1 pre-shared-key *****
crypto map US_VPN_MAP 1 match address UK-L2L-VPN
crypto map US_VPN_MAP 1 set pfs
crypto map US_VPN_MAP 1 set peer 2.2.2.1
crypto map US_VPN_MAP interface outside
object-group network IPSEC-L2L-LAN
 network-object 192.168.10.0 255.255.255.0
object-group network IPSEC-L2L-REMOTE
 network-object 172.16.10.0 255.255.255.0
 network-object 172.16.1.0 255.255.255.0

nat (inside,outside) source dynamic any interface
nat (inside,outside) source static IPSEC-L2L-LAN IPSEC-L2L-LAN destination static IPSEC-L2L-REMOTE IPSEC-L2L-REMOTE

access-list UK-L2L-VPN line 1 extended permit ip 192.168.10.0 255.255.255.0 172.16.10.0 255.255.255.0 (hitcnt=0) 0x1d73c29a
access-list UK-L2L-VPN line 2 extended permit icmp 192.168.10.0 255.255.255.0 172.16.10.0 255.255.255.0 (hitcnt=0) 0x83d4a79d

I don't know what I'm missing or why I'm not able to connect the tunnel.

 

show crypto ipsec sa peer 1.1.1.1

There are no ipsec sas

 

show crypto ikev1 sa

There are no IKEv1 SAs

Global IKEv1 Statistics
 Active Tunnels: 0
 Previous Tunnels: 0
 In Octets: 0
 In Packets: 0
 In Drop Packets: 0
 In Notifys: 0
 In P2 Exchanges: 0
 In P2 Exchange Invalids: 0
 In P2 Exchange Rejects: 0
 In P2 Sa Delete Requests: 0
 Out Octets: 0
 Out Packets: 0
 Out Drop Packets: 0
 Out Notifys: 0
 Out P2 Exchanges: 0
 Out P2 Exchange Invalids: 0
 Out P2 Exchange Rejects: 0
 Out P2 Sa Delete Requests: 0
 Initiator Tunnels: 0
 Initiator Fails: 0
 Responder Fails: 0
 System Capacity Fails: 0
 Auth Fails: 0

 

Encryption-DES : Enabled perpetual

Encryption-3DES-AES : Enabled perpetual

 

Please advise!
15 Replies
Flavio Miranda
Advisor

Can the firewall with IP address 1.1.1.1 ping the firewall with IP 2.2.2.1?

Also, make sure to ping from one subnet to the other. The VPN tunnel is only established when there is traffic initiated from the networks.

(Accepted solution)

Yes, both sites are pingable, but when I try to ping the remote LAN network it is not pingable and the traffic is not being initiated.

I'm not quite sure but does it have anything to do with the routes?

Hi

When you initiate the ping to the remote LAN, do you see the tunnel coming up?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

(Accepted solution)

No, it doesn't come up

Your 2nd line in your crypto ACL is useless, as you already allowed ip on the first line for the same subnets.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

On both ASAs, delete the following NAT:
nat (inside,outside) source dynamic any interface

And replace it with:
nat (inside,outside) after-auto source dynamic any interface

On all other NAT statements, add the keywords no-proxy-arp and route-lookup at the end.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

(Accepted solution)

OK, I will, but what is the difference? The above two commands look the same to me. And what about no-proxy-arp and route-lookup?

Hi

The after-auto means that it will be the last NAT done, based on the ASA NAT order, if I explain it simply.

No-proxy-arp: disables proxy ARP on the mapped IP for incoming packets.
Route-lookup: determines the egress interface based on a route lookup instead of taking the interface specified in the NAT statement.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
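The NAT ordering behind that advice, as an added example that is not part of the thread and not Cisco's code: a small Python model of the ASA's three NAT sections with first-match semantics, run against ASA-01's rules as posted and as corrected. The hosts 172.16.10.5, 192.168.10.5 and 203.0.113.10 are constructed; 2.2.2.1 is taken from the thread as ASA-01's outside address, and the model is a simplification (it ignores port translation and interface direction).

```python
import ipaddress

# Constructed, simplified model of ASA manual NAT selection (not Cisco code):
# section 1 = manual NAT in configured order, section 2 = object NAT (none in
# this thread), section 3 = manual NAT entered with 'after-auto'. First match wins.

def net(cidr):
    return ipaddress.ip_network(cidr)

LOCAL = [net("172.16.10.0/24")]                             # IPSEC-L2L-LAN on ASA-01
REMOTE = [net("192.168.10.0/24"), net("192.168.100.0/24")]  # IPSEC-L2L-REMOTE on ASA-01
ANY = [net("0.0.0.0/0")]
OUTSIDE_IP = ipaddress.ip_address("2.2.2.1")                # ASA-01 outside address (Site B's peer)

def identity(src, _outside):
    return src            # static identity NAT: real address == mapped address

def pat_to_interface(_src, outside):
    return outside        # 'source dynamic any interface': PAT behind the outside IP

def rule(section, src_nets, dst_nets, action):
    return {"section": section, "src": src_nets, "dst": dst_nets, "action": action}

def translate(rules, src, dst):
    """Return the mapped source address chosen by the first matching NAT rule."""
    # sorted() is stable, so rules keep their configuration order within a section
    for r in sorted(rules, key=lambda x: x["section"]):
        if any(src in n for n in r["src"]) and any(dst in n for n in r["dst"]):
            return r["action"](src, OUTSIDE_IP)
    return src

def matches_crypto_acl(src, dst):
    # access-list UK-L2L-VPN line 1: permit ip 172.16.10.0/24 192.168.10.0/24 (post-NAT addresses)
    return src in net("172.16.10.0/24") and dst in net("192.168.10.0/24")

# As posted: 'dynamic any' was configured first, so it sits ahead of the identity NAT in section 1
ORIGINAL = [rule(1, ANY, ANY, pat_to_interface), rule(1, LOCAL, REMOTE, identity)]
# As advised: 'after-auto' moves the dynamic rule to section 3, behind the identity NAT
FIXED = [rule(3, ANY, ANY, pat_to_interface), rule(1, LOCAL, REMOTE, identity)]

def vpn_check(rules, src="172.16.10.5", dst="192.168.10.5"):
    """(does the mapped packet still match the crypto ACL?, mapped source) for a constructed LAN-to-LAN flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mapped = translate(rules, s, d)
    return matches_crypto_acl(mapped, d), str(mapped)

def internet_check(rules, src="172.16.10.5", dst="203.0.113.10"):
    """Mapped source for ordinary Internet-bound traffic; PAT must still apply in both layouts."""
    return str(translate(rules, ipaddress.ip_address(src), ipaddress.ip_address(dst)))
```

With the rules as posted, the LAN-to-LAN packet is PAT'd to 2.2.2.1 before the crypto map is consulted, so it never matches the crypto ACL and no tunnel is triggered; with after-auto the identity NAT wins and the real addresses reach the crypto ACL.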

nat (inside,outside) source static IPSEC-L2L-LAN IPSEC-L2L-LAN destination static IPSEC-L2L-REMOTE IPSEC-L2L-REMOTE no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface

I just added these lines but unfortunately it's still the same.

UK-ASA-01(config)# packet-tracer input inside icmp 192.168.100.253 0 255 172.1$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) after-auto source dynamic any interface
Additional Information:
Forward Flow based lookup yields rule:
in id=0xae458b68, priority=6, domain=nat, deny=false
hits=4811, user_data=0xae498160, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad3546b0, priority=0, domain=nat-per-session, deny=true
hits=152131, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xadabe930, priority=0, domain=inspect-ip-options, deny=true
hits=167728, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (nat-xlate-failed) NAT failed

Finally the tunnel came up online, thanks a lot guys for your help.

Now how can I make sure the tunnel is up and working perfectly?

What is this info below?

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 2.2.2.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

And what are these debug messages?

Sep 02 09:25:03 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
Sep 02 09:25:11 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, QM FSM error (P2 struct &0xad35a0a8, mess id 0x6d3f0112)!
Sep 02 09:25:11 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
Sep 02 09:25:19 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, QM FSM error (P2 struct &0xad35a0a8, mess id 0x6d3f0112)!
Sep 02 09:25:19 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
Sep 02 09:25:27 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, QM FSM error (P2 struct &0xad35a0a8, mess id 0x6d3f0112)!
Sep 02 09:25:27 [IKEv1]Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from correlator table failed, no match!