08-05-2011 10:34 AM
Hello Everyone,
A few days ago we configured a VPN between a router and an ASA, where the ASA is the server and the router is the remote client, which gets its public address via DHCP.
On the remote client I have two subnets (192.168.6.0/24 and 192.168.8.0/24).
I can ping the subnet 192.168.6.0, but I can't ping the other one (192.168.8.0).
Here is the config on router:
crypto ipsec client ezvpn M-I
connect auto
group VPN key 12345
mode network-extension
peer x.x.x.x (for security reasons we don't include the public address)
username router password cisco123
xauth userid mode local
interface FastEthernet0/0
description $ETH-WAN$
ip address dhcp client-id FastEthernet0/0
ip nat outside
crypto ipsec client ezvpn M-I
interface Vlan100
description Vlan de Datos
ip address 192.168.6.1 255.255.255.0
ip nat inside
ip virtual-reassembly
crypto ipsec client ezvpn M-I inside
interface Vlan400
description Vlan de Voz
ip address 192.168.8.1 255.255.255.0
ip virtual-reassembly
crypto ipsec client ezvpn M-I inside
h323-gateway voip interface
h323-gateway voip bind srcaddr 192.168.8.1
ip nat inside source list NAT interface FastEthernet0/0 overload
ip access-list extended NAT
remark ***NAT***
deny ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.6.0 0.0.0.255 192.168.3.0 0.0.0.255
deny ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
deny ip 192.168.8.0 0.0.0.255 192.168.3.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 any
permit ip 192.168.8.0 0.0.0.255 any
===================================================================================================
And this is the config on asa:
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp identity address
crypto isakmp enable outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYN-MAP 1 set transform-set ESP-3DES-SHA
crypto map conexion-vpn 50 ipsec-isakmp dynamic DYN-MAP
crypto map conexion-vpn interface outside
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list VPN extended permit ip 192.168.3.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list VPN extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list VPN extended permit ip 192.168.3.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list inside_nat0_outbound remark NAT0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.8.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.8.0 255.255.255.0
group-policy VPN internal
group-policy VPN attributes
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN
nem enable
username router password cisco123
username router attributes
vpn-group-policy VPN
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
default-group-policy VPN
tunnel-group VPN ipsec-attributes
pre-shared-key 12345
Any idea???
KC
08-05-2011 01:31 PM
Katherine,
When configuring EzVPN the split-tunneling ACLs must be standard ACLs, not extended.
Change your ACLs to standard and give it a try; they should look something like this:
access-list VPN standard permit 192.168.1.0 255.255.255.0
access-list VPN standard permit 192.168.3.0 255.255.255.0
If it still doesn't work, please paste the output of show crypto ipsec sa from the router and the ASA.
Thanks.
Raga
08-05-2011 01:52 PM
Thanks Raga,
I did that test and it still doesn't work.
Here is the output of show crypto ipsec sa on the ASA:
ASAMPC# sh crypto ipsec sa
interface: outside
Crypto map tag: DYN-MAP, seq num: 1, local addr: x.x.x.x
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
current_peer: 200.8.3.24, username: router
dynamic allocated peer ip: 0.0.0.0
#pkts encaps: 54884, #pkts encrypt: 54890, #pkts digest: 54890
#pkts decaps: 60752, #pkts decrypt: 60752, #pkts verify: 60752
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 54884, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 6, #pre-frag failures: 0, #fragments created: 12
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 18
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: 200.8.3.24
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 7703D824
inbound esp sas:
spi: 0x4011C84D (1074907213)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 36864, crypto-map: DYN-MAP
sa timing: remaining key lifetime (sec): 1820
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x7703D824 (1996740644)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 36864, crypto-map: DYN-MAP
sa timing: remaining key lifetime (sec): 1818
IV size: 8 bytes
replay detection support: Y
===================================================================================
Router:
Router#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: FastEthernet0/0-head-0, local addr 200.8.3.24
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 66897, #pkts encrypt: 66897, #pkts digest: 66897
#pkts decaps: 54801, #pkts decrypt: 54801, #pkts verify: 54801
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 2
local crypto endpt.: 200.8.3.24, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x4011C84D(1074907213)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x7703D824(1996740644)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: FastEthernet0/0-head-0
sa timing: remaining key lifetime (k/sec): (4468076/1606)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4011C84D(1074907213)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: FastEthernet0/0-head-0
sa timing: remaining key lifetime (k/sec): (4467114/1606)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 200.8.3.24, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.6.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 200.8.3.24, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 200.8.3.24, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
==================================================================================
Also, checking the logs I found the following:
Router
Aug 5 12:22:37.227: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=router Group=VPN Client_public_addr=200.8.3.24 Server_public_addr=x.x.x.x NEM_Remote_Subnets=192.168.6.0/255.255.255.0 192.168.8.0/255.255.255.0
Aug 5 13:54:20.463: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
connection id=1, sequence number=7173
===================================================================================
Thks,
KC
08-05-2011 02:13 PM
Hm, the config looks good; however, you are not getting an SA created for the second subnet. What happens if you remove the "crypto ipsec client ezvpn M-I inside" from VLAN 100 and rebuild the tunnel? Perhaps in NEM you can only have one subnet behind the client side.
08-09-2011 10:39 AM
Thanks Luis for your answer!! If we can't use NEM, what VPN implementation can we use?
Regards,
08-09-2011 10:48 AM
Katherine, if you need to tunnel more than one subnet you can try a dynamic-to-static tunnel.
I looked for a config example, router to ASA, dynamic to static, but there isn't one. So take the ASA (static) part from here:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml
BTW, you don't need the "tunnel-group unity" config they mention; that is for VPN software clients. What you need is the DefaultL2LGroup config and then the rest of the VPN config, such as crypto maps and policies.
Then configure your dynamic router as described in this document:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093f86.shtml
That should do it.
Have fun.
08-09-2011 10:54 AM
Another thing.
When you try to do:
tunnel-group DefaultL2LGroup general-attributes
authentication-server-group none
the authentication-server-group none command might not be available; instead you have to use this one:
isakmp ikev1-user-authentication none
That depends on the ASA version you are running.
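The dynamic-to-static LAN-to-LAN alternative Luis describes, written out as an added example for both sides (this is editor-supplied configuration, not a post from the thread and not taken from the linked Cisco documents). It assumes the map and ACL names L2L-MAP and VPN-TRAFFIC, the placeholder x.x.x.x for the ASA's static address, and pre-8.3 ASA NAT syntax, since the thread's inside_nat0_outbound ACL follows that convention. It deliberately keeps the thread's 3des/sha/group 2 parameters and the pre-shared key 12345 so it lines up with the configs above; in a real deployment replace them with AES, SHA-2, DH group 14 or higher and a long random key. Because the router's address is dynamic, only the router can initiate the tunnel; the ASA has no fixed peer to dial.

```cisco
! ===== Router (dynamic public address; static peer is the ASA) =====
! Remove the EzVPN client first, otherwise both features compete for the WAN interface.
interface FastEthernet0/0
 no crypto ipsec client ezvpn M-I
interface Vlan100
 no crypto ipsec client ezvpn M-I inside
interface Vlan400
 no crypto ipsec client ezvpn M-I inside
!
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
! Key is bound to the ASA's static address (x.x.x.x is a placeholder, as in the thread).
crypto isakmp key 12345 address x.x.x.x
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Both LAN subnets are listed explicitly, which is what NEM was not giving us.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.6.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.8.0 0.0.0.255 192.168.3.0 0.0.0.255
!
crypto map L2L-MAP 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-3DES-SHA
 match address VPN-TRAFFIC
!
interface FastEthernet0/0
 crypto map L2L-MAP
!
! The existing NAT ACL already has deny lines for 192.168.6.0 and 192.168.8.0
! toward 192.168.1.0 and 192.168.3.0, so tunnel traffic is not translated; keep them.

! ===== ASA (static side; accepts any peer address via the dynamic map) =====
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYN-MAP 1 set transform-set ESP-3DES-SHA
crypto map conexion-vpn 50 ipsec-isakmp dynamic DYN-MAP
crypto map conexion-vpn interface outside
!
! Unknown L2L peers fall into DefaultL2LGroup; no "tunnel-group unity" needed here.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key 12345
!
! NAT exemption reuses the ACL already in the thread (pre-8.3 syntax, assumed).
nat (inside) 0 access-list inside_nat0_outbound
```

After the router brings the tunnel up, show crypto ipsec sa on the router should list four proxy identities (each local subnet paired with each remote subnet) and each should show a non-zero outbound SPI once traffic matching it has been sent, unlike the 192.168.8.0 entries above, which never got an SA under NEM.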
08-10-2011 09:29 AM
Thanks Luis!!!
Today I will work in that!!!