L2L VPN with ASA 8.4(2) not working

jbaraona
Level 1

I have configured L2L VPNs a thousand times, but can't get them to work with version 8.4.

It seems like the NAT Statements don't work.

show isakmp sa result is ok "State   : MM_ACTIVE" but traffic doesn't go over the tunnel.

Again bad software from Cisco, full of bugs.....  will have to downgrade to a stable version.

I'll post the config, maybe I'm doing something wrong...

ASA5505

===================================================================================================
!
interface Vlan40
 description DMZ INTERFACE
 nameif DMZ
 security-level 25
 ip address 192.168.1.254 255.255.255.0
!
access-list INTERESTING_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.235.0 255.255.255.0
!
object-group network LOCAL_NETWORK
 network-object 192.168.1.0 255.255.255.0
!
object-group network REMOTE_NETWORK
 network-object 192.168.235.0 255.255.255.0
!
nat (DMZ,outside) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK
!
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map OUTSIDE_MAP 10 match address INTERESTING_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 10.10.10.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-3DES-MD5
crypto map OUTSIDE_MAP 10 set reverse-route
!
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
 ikev1 pre-shared-key *****
!

ROUTER

===================================================================================================
!
crypto isakmp policy 70
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key ******** address 10.10.10.2 no-xauth
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map GigabitEthernet0_0_map client authentication list userauthen
crypto map GigabitEthernet0_0_map isakmp authorization list groupauthor
crypto map GigabitEthernet0_0_map client configuration address respond
crypto map GigabitEthernet0_0_map 10 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set ESP-3DES-MD5
 match address VPN_acl
 reverse-route static
!
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.252
 crypto map GigabitEthernet0_0_map
!
ip access-list extended VPN_acl
 permit ip 192.168.235.0 0.0.0.255 192.168.1.0 0.0.0.255
!

The VPN is UP but won't pass traffic.

thanks a lot.

Jose

3 Replies

Jennifer Halim
Cisco Employee

Please kindly post the output of "show cry ipsec sa" from both the ASA and the router.

Also, how have you tested the VPN connectivity? What source and destination IP addresses are you trying to bring the tunnel up with?

Lastly, assuming that there is no NAT configuration on the router. Thanks.

Hi Jennifer, thanks for your help.

Here's the result of the show crypto ipsec sa:

This is after pinging from host 192.168.1.18 to host 192.168.235.9

==========

HQ-ASA04# sh crypto ipsec sa
interface: outside
    Crypto map tag: OUTSIDE_MAP, seq num: 10, local addr: 10.10.10.2

      access-list L2L_CR_INTERESTING_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 host 1.1.1.1
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
      current_peer: 10.10.10.1

      #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.10.10.2/0, remote crypto endpt.: 10.10.10.1/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 9286DBF9
      current inbound spi : 315BF1D3

    inbound esp sas:
      spi: 0x315BF1D3 (828109267)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 139264, crypto-map: OUTSIDE_MAP
         sa timing: remaining key lifetime (kB/sec): (4374000/3584)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x9286DBF9 (2458311673)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 139264, crypto-map: OUTSIDE_MAP
         sa timing: remaining key lifetime (kB/sec): (4373999/3584)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

===========================

ROUTER

local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.10.10.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 7, #recv errors 0

     local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.10.10.2
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x315BF1D3(828109267)

     inbound esp sas:
      spi: 0x9286DBF9(2458311673)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3079, flow_id: NETGX:79, crypto map: GigabitEthernet0_0_map
        sa timing: remaining key lifetime (k/sec): (4574303/3105)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x315BF1D3(828109267)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3029, flow_id: NETGX:29, crypto map: GigabitEthernet0_0_map
        sa timing: remaining key lifetime (k/sec): (4574303/3105)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)

Doesn't look right to me.

The ASA crypto ACL is between 192.168.1.0/24 to 192.168.235.0/24

and the router crypto ACL is between 192.168.235.0/24 to 192.168.1.0/24

However from the above "sh cry ipsec sa" output, the SA is built between 192.168.1.0/24 and 1.1.1.1.

Where does 1.1.1.1 come from?

Is there any NATing done on the router? Can you please share the complete router config?
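The comparison Jennifer makes above (negotiated proxy identities versus the configured crypto ACL, plus encaps counters climbing while decaps stay at zero on both peers) can be automated. The script below is an added example and is not part of the thread or of any Cisco tool: it parses constructed, abridged copies of the two "show crypto ipsec sa" outputs posted above, pulls out the local/remote identities and packet counters, and reports the mismatches. The expected networks 192.168.1.0/24 and 192.168.235.0/24 are taken from the posted ASA crypto ACL; the function names are this example's own.

```python
import ipaddress
import re

# Constructed, abridged excerpts of the two "show crypto ipsec sa" outputs posted above.
ASA_OUTPUT = """\
interface: outside
    Crypto map tag: OUTSIDE_MAP, seq num: 10, local addr: 10.10.10.2
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
      current_peer: 10.10.10.1
      #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IOS_OUTPUT = """\
local  ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 10.10.10.2 port 500
    #pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# ASA and IOS print the identities and counters with the same field names, so one
# pair of patterns covers both layouts shown in the thread.
IDENT_RE = re.compile(
    r"\b(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)"
)
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per SA: local/remote proxy networks and encaps/decaps counters."""
    sas = []
    current = None
    for line in text.splitlines():
        ident = IDENT_RE.search(line)
        if ident:
            side, addr, mask = ident.groups()
            if side == "local":  # each SA block begins with its local ident
                current = {"local": None, "remote": None, "encaps": 0, "decaps": 0}
                sas.append(current)
            if current is not None:
                current[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            continue
        counter = COUNTER_RE.search(line)
        if counter and current is not None:
            current[counter.group(1)] = int(counter.group(2))
    return sas


def diagnose(local_sa, remote_sa, expected_local, expected_remote):
    """Compare one SA from each peer with the networks the crypto ACL was written for.

    expected_local/expected_remote are seen from the local (ASA) side. Returns a list of
    findings; an empty list means the SA matches the ACL and traffic flows both ways."""
    findings = []
    exp_local = ipaddress.ip_network(expected_local)
    exp_remote = ipaddress.ip_network(expected_remote)

    # 1. The negotiated proxy identity must match the configured crypto ACL.
    if (local_sa["local"], local_sa["remote"]) != (exp_local, exp_remote):
        findings.append(
            f"proxy identity mismatch: negotiated {local_sa['local']} -> {local_sa['remote']}, "
            f"configured {exp_local} -> {exp_remote}"
        )
    # 2. The remote peer must hold the mirror image of the same identity.
    if (remote_sa["local"], remote_sa["remote"]) != (local_sa["remote"], local_sa["local"]):
        findings.append("peers disagree on the proxy identities (SAs are not mirror images)")
    # 3. encaps > 0 with decaps == 0 means that peer sends but never receives.
    for name, sa in (("local", local_sa), ("remote", remote_sa)):
        if sa["encaps"] > 0 and sa["decaps"] == 0:
            findings.append(
                f"{name} peer encrypted {sa['encaps']} packets but decrypted none: one-way traffic"
            )
    return findings


def run_example():
    """Diagnose the posted outputs against the ACL networks from the ASA config above."""
    asa_sa = parse_ipsec_sa(ASA_OUTPUT)[0]
    ios_sa = parse_ipsec_sa(IOS_OUTPUT)[0]
    return diagnose(asa_sa, ios_sa, "192.168.1.0/24", "192.168.235.0/24")


if __name__ == "__main__":
    for finding in run_example():
        print("-", finding)
```

Run against the posted outputs it reports three findings: the ASA negotiated 192.168.1.0/24 to 1.1.1.1/32 instead of the configured 192.168.235.0/24, and both peers encrypt without ever decrypting. The mirror-image check passes here because the router shows the same (wrong) identity reversed, which is why the next step in the thread is to look at the router's full configuration for where 1.1.1.1 is introduced.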