problem w IPsec L2L phase 2 (dynamic crypto map)

cashqoo
Level 1

I am setting up an IPsec L2L VPN between 2 sites over the internet.

Problem: VPN phase 2 seems to have failed, but I do not know where.

Local site: Cisco ASA v7, static public IP address

Remote site: Fortigate, dynamic public IP address (I do not have access to this box)

<asa configuration>

access-list 102 extended permit ip 172.16.10.0 255.255.255.0 192.168.0.0 255.255.255.0

crypto ipsec transform-set mytrans esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynvpn 100 match address 102
crypto dynamic-map dynvpn 100 set pfs
crypto dynamic-map dynvpn 100 set transform-set mytrans
crypto dynamic-map dynvpn 100 set security-association lifetime seconds 28800
crypto dynamic-map dynvpn 100 set security-association lifetime kilobytes 4608000


crypto map mymap 40 ipsec-isakmp dynamic dynvpn
crypto map mymap interface outside
isakmp identity auto
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
isakmp ipsec-over-tcp port 10000
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *

I have noticed that phase 1 is completed.

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: <remote site ip address, a.b.c.d>
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

However, phase 2 failed. I have tried disabling and re-enabling isakmp to capture the debugging logs:

debug crypto isakmp 255

debug crypto ipsec 255

no isakmp enable outside

clear crypto isakmp sa

isakmp enable outside

I found debugging logs on the phase 1 negotiations (packets received and sent), but not phase 2. Not sure why there is no phase 2.

I have tested by configuring the peer IP address using a static map, and it works (ping to the remote end was replied to, and verified using "show crypto ipsec sa").

crypto map mymap 20 match address 102
crypto map mymap 20 set peer <remote site ip address, a.b.c.d>
crypto map mymap 20 set transform-set mytrans
crypto map mymap 20 set security-association lifetime seconds 28800
crypto map mymap 20 set security-association lifetime kilobytes 4608000

There were no changes to the remote VPN device during the troubleshooting.

The remote end VPN device seems to be correctly configured, since I am able to use a static map to bring up the tunnel.

I would appreciate it if anyone can shed some light on this.

Thanks

5 Replies

Jennifer Halim
Cisco Employee

Please remove the following line as you don't have that in your static crypto map:

crypto dynamic-map dynvpn 100 set pfs

Let us know how it goes.

It is still not working after removing the pfs statement on the dynamic map. Same results.

I did the same steps: disable isakmp and the crypto map on the "outside" interface, enable debug for both isakmp and ipsec at level 255, then enable isakmp and the crypto map on the "outside" interface.

Dec 30 19:53:13 [IKEv1]: Group = DefaultL2LGroup, IP = , PHASE 1 COMPLETED
Dec 30 19:53:13 [IKEv1]: IP = , Keep-alive type for this connection: DPD
Dec 30 19:53:13 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = , Starting phase 1 rekey timer: 64800000 (ms)

fw(config)# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer:
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
fw(config)# show crypto ipsec sa

There are no ipsec sas
fw(config)#

Can you also try to remove the match address:

crypto dynamic-map dynvpn 100 match address 102

Can you please share the whole crypto map configuration?

site z is another site using static map, having no problems.

access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 192.168.133.0 255.255.255.0
access-list no-nat extended permit ip 172.16.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 extended permit ip 172.16.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 101 extended permit ip 172.16.10.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto ipsec transform-set mytrans esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynvpn 100 set transform-set mytrans
crypto dynamic-map dynvpn 100 set security-association lifetime seconds 28800
crypto dynamic-map dynvpn 100 set security-association lifetime kilobytes 4608000
crypto map mymap 10 match address 101
crypto map mymap 10 set peer
crypto map mymap 10 set transform-set mytrans
crypto map mymap 10 set security-association lifetime seconds 28800
crypto map mymap 10 set security-association lifetime kilobytes 4608000
crypto map mymap 40 ipsec-isakmp dynamic dynvpn
crypto map mymap interface outside
isakmp identity auto
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
isakmp ipsec-over-tcp port 10000
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key *

The configuration looks absolutely fine on the ASA end. Can you please check if the subnets have been correctly configured on the Fortigate end?

Normally with dynamic L2L, it probably does not define the actual subnet to be encrypted. Just need to make sure that the local subnet for the Fortigate is 192.168.0.0/24 and the remote subnet is 172.16.10.0/24.

We would need the debug output to further investigate what the problem is, as the configuration seems to be fine on the ASA. Also, when it's not working, please share the output of "show cry isa sa" and "show cry ipsec sa".
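As an added example (not code from the thread or from Cisco), a small Python check of the point raised in the last two replies: when the ASA responds with a dynamic crypto map that carries a "match address" ACL, the phase-2 selectors the peer proposes must be the mirror image of that ACL, or no IPsec SA is built even though phase 1 is MM_ACTIVE. The check parses the access-list line from the original post; the peer proposals and the verdict strings are constructed for illustration.

```python
from ipaddress import ip_network

# Constructed sample: the crypto ACL line exactly as posted in the thread.
ASA_CONFIG = [
    "access-list 102 extended permit ip 172.16.10.0 255.255.255.0 192.168.0.0 255.255.255.0",
    "crypto dynamic-map dynvpn 100 match address 102",
]

ANY = ip_network("0.0.0.0/0")


def parse_crypto_acl(config_lines, acl_name):
    """Return (source, destination) networks from 'access-list NAME extended permit ip S M D M'."""
    entries = []
    for line in config_lines:
        p = line.split()
        if len(p) >= 9 and p[:2] == ["access-list", acl_name] and p[3:5] == ["permit", "ip"]:
            # ipaddress accepts dotted netmasks, so "172.16.10.0/255.255.255.0" parses directly.
            entries.append((ip_network(f"{p[5]}/{p[6]}"), ip_network(f"{p[7]}/{p[8]}")))
    return entries


def mirror_matches(acl, peer_local, peer_remote):
    """True if the peer's (local, remote) pair is the exact mirror of some ACL entry."""
    pl, pr = ip_network(peer_local), ip_network(peer_remote)
    return any(src == pr and dst == pl for src, dst in acl)


def diagnose(acl, peer_local, peer_remote):
    """Classify the responder-side selector comparison (verdict wording is hypothetical)."""
    pl, pr = ip_network(peer_local), ip_network(peer_remote)
    if mirror_matches(acl, peer_local, peer_remote):
        return "ok: peer selectors mirror the ASA crypto ACL"
    if pl == ANY or pr == ANY:
        # A peer proposing 0.0.0.0/0 on either side can never mirror a specific-subnet ACL.
        return "any: peer proposes 0.0.0.0/0; a specific-subnet ACL cannot match it"
    if any(src == pl and dst == pr for src, dst in acl):
        return "reversed: peer local/remote are swapped relative to the ACL mirror"
    return f"mismatch: no ACL entry mirrors {pl} <-> {pr}"


if __name__ == "__main__":
    acl = parse_crypto_acl(ASA_CONFIG, "102")
    # Fortigate local 192.168.0.0/24, remote 172.16.10.0/24 is what the reply asks to confirm.
    print(diagnose(acl, "192.168.0.0/24", "172.16.10.0/24"))
    print(diagnose(acl, "0.0.0.0/0", "0.0.0.0/0"))
    print(diagnose(acl, "192.168.1.0/24", "172.16.10.0/24"))
```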