01-10-2012 07:01 AM - edited 02-21-2020 05:48 PM
Cisco ASA 5510 Static DHCP (Hub) - Cisco ASA 5505 WAN DHCP (spoke)
L2L Tunnel is up but passing no traffic
sh cryp ipsec sa (Hub)
peer address: 187.xxx.xxx.xxx
Crypto map tag: Outside_dyn_map, seq num: 40, local addr: 38.xxx.xxx.xxx
access-list outside_cryptomap_65535.40 extended permit ip 192.168.80.0 255.255.255.0 192.168.37.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.80.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
current_peer: 187.xxx.xxx.xxx
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 38.xxx.xxx.xxx/4500, remote crypto endpt.: 187.xxx.xxx.xxx/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 67210F88
current inbound spi : 75428968
inbound esp sas:
spi: 0x75428968 (1967294824)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 8605696, crypto-map: Outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (4373998/26389)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00FFFFFF
outbound esp sas:
spi: 0x67210F88 (1730219912)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 8605696, crypto-map: Outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (4374000/26389)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: Outside_dyn_map, seq num: 40, local addr: 38.xxx.xxx.xxx
access-list outside_cryptomap_65535.40 extended permit ip 192.168.90.0 255.255.255.0 192.168.37.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.90.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.37.0/255.255.255.0/0/0)
current_peer: 187.xxx.xxx.xxx
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 38.xxx.xxx.xxx/4500, remote crypto endpt.: 187.xxx.xxx.xxx/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: E58F341D
current inbound spi : 38748ED6
inbound esp sas:
spi: 0x38748ED6 (947162838)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 8605696, crypto-map: Outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (4373999/27967)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000003F
outbound esp sas:
spi: 0xE58F341D (3851367453)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 8605696, crypto-map: Outside_dyn_map
sa timing: remaining key lifetime (kB/sec): (4374000/27967)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
sh crypto ipsec sa (Spoke)
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 10.10.10.2
access-list outside_cryptomap_1 extended permit ip 192.168.37.0 255.255.255.0 192.168.80.0 255.255.255.0
local ident (addr/mask/prot/port): (SpokeSubnet1/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (HubSubnet1/255.255.255.0/0/0)
current_peer: 38.xxx.xxx.xxx
#pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 23, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.10.10.2/4500, remote crypto endpt.: 38.xxx.xxx.xxx/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 75428968
current inbound spi : 67210F88
inbound esp sas:
spi: 0x67210F88 (1730219912)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 5005312, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/25751)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x75428968 (1967294824)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 5005312, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914998/25751)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 1, local addr: 10.10.10.2
access-list outside_cryptomap_1 extended permit ip 192.168.37.0 255.255.255.0 192.168.90.0 255.255.255.0
local ident (addr/mask/prot/port): (SpokeSubnet1/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (HubSubnet4/255.255.255.0/0/0)
current_peer: 38.xxx.xxx.xxx
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.10.10.2/4500, remote crypto endpt.: 38.xxx.xxx.xxx/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 38748ED6
current inbound spi : E58F341D
inbound esp sas:
spi: 0xE58F341D (3851367453)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 5005312, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/27330)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x38748ED6 (947162838)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 5005312, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914999/27330)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto Dyn Map (Hub)
crypto dynamic-map Outside_dyn_map 40 match address outside_cryptomap_65535.40
crypto dynamic-map Outside_dyn_map 40 set pfs group1
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-DES-SHA
crypto dynamic-map Outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 40 set reverse-route
Crypto Map (Spoke)
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 38.109.190.210
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
Ping from Spoke to machine behind Hub
ping inside 192.168.80.240
Message from Hub logs
713042 IKE Initiator unable to find policy: Intf outside, Src: 192.168.80.240, Dst: 192.168.37.1
Ping from Hub to spoke's inside interface
ping inside 192.168.37.1
Message from Hub logs
713041 IP = 213.xxx.xxx.xxx, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 213.xxx.xxx.xxx local Proxy Address 192.168.80.0, remote Proxy Address 192.168.37.0, Crypto map (Outside_map)
01-10-2012 07:04 AM
This is a little more information:
The last message on the ping from the Hub to the spoke is attempting to use an Outside address of another spoke (213.xxx.xxx.xxx). The tunnel is up but there are misconfigurations in my maps and ACLs. Any help is greatly appreciated.
Thank you!
01-10-2012 11:56 AM
I fixed it myself by removing all entries of the 192.168.37.0/32 in other ACLs.
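Added example, not part of the thread or the poster's configuration. The hub's 713041 message shows it selecting a crypto map entry bound to another spoke's peer for the 192.168.80.0 -> 192.168.37.0 pair, while the dynamic-map SA shows decaps but zero encaps: a static entry evaluated before the dynamic map covered the same proxy identities, which is what the poster's fix (removing the overlapping ACL entries) addresses. The script below parses a constructed ASA config excerpt (peer addresses are documentation ranges, the ACL and map names mirror the thread) and reports every later crypto-map entry whose proxy identity an earlier entry already covers, expanding the `ipsec-isakmp dynamic` reference into the dynamic map's own entries.

```python
"""Report crypto-ACL proxy identities that an earlier ASA crypto-map entry shadows.

Added example, not from the thread. HUB_CONFIG is constructed: a static entry
(seq 10, another spoke's peer) whose ACL covers the same 192.168.80.0/24 ->
192.168.37.0/24 pair as the dynamic-map entry the DHCP-addressed spoke lands on.
"""
import ipaddress
import re

HUB_CONFIG = """
access-list outside_cryptomap_10 extended permit ip 192.168.80.0 255.255.255.0 192.168.37.0 255.255.255.0
access-list outside_cryptomap_20 extended permit ip 192.168.80.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_65535.40 extended permit ip 192.168.80.0 255.255.255.0 192.168.37.0 255.255.255.0
access-list outside_cryptomap_65535.40 extended permit ip 192.168.90.0 255.255.255.0 192.168.37.0 255.255.255.0
crypto dynamic-map Outside_dyn_map 40 match address outside_cryptomap_65535.40
crypto map Outside_map 10 match address outside_cryptomap_10
crypto map Outside_map 10 set peer 203.0.113.5
crypto map Outside_map 20 match address outside_cryptomap_20
crypto map Outside_map 20 set peer 198.51.100.7
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface outside
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")


def _take_net(tokens):
    """Consume one ASA address spec (any | host A | A MASK) from the front of tokens."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acls(config):
    """Map ACL name -> list of (src_net, dst_net) proxy identities from permit-ip lines."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        src, rest = _take_net(m.group(2).split())
        dst, _ = _take_net(rest)
        acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def parse_crypto_map_order(config):
    """Return crypto-map entries in ASA evaluation order (ascending sequence number),
    with an 'ipsec-isakmp dynamic' reference expanded into the dynamic map's entries."""
    entries, dyn, peers = [], {}, {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "crypto":
            continue
        if t[1] == "dynamic-map" and t[4:6] == ["match", "address"]:
            dyn.setdefault(t[2], []).append((int(t[3]), t[6]))
        elif t[1] == "map" and t[4:6] == ["match", "address"]:
            entries.append({"map": t[2], "seq": int(t[3]), "acl": t[6], "dynamic": None})
        elif t[1] == "map" and t[4:6] == ["set", "peer"]:
            peers[(t[2], int(t[3]))] = t[6]
        elif t[1] == "map" and t[4:6] == ["ipsec-isakmp", "dynamic"]:
            entries.append({"map": t[2], "seq": int(t[3]), "acl": None, "dynamic": t[6]})
    ordered = []
    for e in sorted(entries, key=lambda e: e["seq"]):
        if e["dynamic"] is None:
            e["peer"] = peers.get((e["map"], e["seq"]))
            ordered.append(e)
        else:
            for dseq, acl in sorted(dyn.get(e["dynamic"], [])):
                ordered.append({"map": e["dynamic"], "seq": dseq, "acl": acl,
                                "dynamic": e["dynamic"], "peer": None})
    return ordered


def find_shadowed(config):
    """List each proxy identity of a later entry that an earlier entry already covers.
    Hub-initiated traffic for that identity is sent to the earlier entry's peer (the
    713041 symptom), while the spoke's inbound SAs still land on the later entry."""
    acls = parse_crypto_acls(config)
    order = parse_crypto_map_order(config)
    findings = []
    for i, later in enumerate(order):
        for src, dst in acls.get(later["acl"], []):
            for earlier in order[:i]:
                for esrc, edst in acls.get(earlier["acl"], []):
                    if src.overlaps(esrc) and dst.overlaps(edst):
                        findings.append({"shadowed": f'{later["map"]} {later["seq"]}',
                                         "by": f'{earlier["map"]} {earlier["seq"]}',
                                         "peer": earlier["peer"],
                                         "src": str(src), "dst": str(dst)})
    return findings


if __name__ == "__main__":
    for f in find_shadowed(HUB_CONFIG):
        print(f"{f['shadowed']} shadowed by {f['by']} (peer {f['peer']}) for {f['src']} -> {f['dst']}")
```

Run against a real `show running-config` the same way; a clean result for the dynamic-map ACL means no static entry will steal hub-initiated traffic from a dynamic peer. The script only looks at proxy-identity overlap; the SA output in the thread also shows `esp-des` with PFS group 1, which is a separate weakness (56-bit DES and 768-bit DH) that an ordering fix does nothing about.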