cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1468
Views
0
Helpful
5
Replies

Router (static IP) to ASA (PPPoE) VPN - is it possible?

Drake22x
Level 1
Level 1

Hi everybody,

I am having troubles configuring a VPN between statically assigned router (ASR 1001) and an ASA 5505 which has a PPPoE acquired IP.

I have used the configuration below, but not even phase 1 would establish, nothing is happening. Is such configuration possible? Thank you

ASA (dynamic IP):

interface Ethernet0/1
description ** outside **
switchport access vlan 1000

interface Vlan1000
nameif outside
security-level 0
pppoe client vpdn group SITE1
ip address pppoe setroute

access-list SITE1_ACL extended permit ip object LOCAL_NET object-group REMOTE_NET

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto map OUTSIDE_MAP 1 match address SITE1_ACL
crypto map OUTSIDE_MAP 1 set pfs
crypto map OUTSIDE_MAP 1 set peer 85.x.x.x
crypto map OUTSIDE_MAP 1 set ikev1 transform-set ESP-AES-256-SHA-TRANS
crypto map OUTSIDE_MAP interface outside

crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

tunnel-group 85.x.x.x type ipsec-l2l
tunnel-group 85.x.x.x ipsec-attributes
ikev1 pre-shared-key *****

Router (Static):

crypto keyring SITE1_KEY vrf INTERNET
pre-shared-key address 0.0.0.0 0.0.0.0 key 6 *****

crypto isakmp profile SITE1_PROFILE
vrf SERVERS
keyring SITE1_KEY
match identity address 0.0.0.0 INTERNET

crypto ipsec transform-set SITE1_TS esp-aes 256 esp-sha-hmac
mode tunnel


crypto dynamic-map DYN_MAP 60000
set isakmp profile SITE1_PROFILE
set transform-set SITE1_TS
match address SRV_TO_SITE1

crypto map CM 60000 ipsec-isakmp dynamic DYN_MAP

interface GigabitEthernet0/0/0.423
description *** INTERNET ***
encapsulation dot1Q 423
ip vrf forwarding INTERNET
ip address 85.x.x.x 255.255.255.x
crypto map CM

5 Replies 5

Richard Burts
Hall of Fame
Hall of Fame

It should be possible to have a site to site VPN between the ASA and the router where the ASA uses PPPoE and the router has a static IP. The important aspect of making that work is that the device with the static IP needs to use a dynamic crypto map and accept incoming connections from any remote address, and you have that in the partial config that you posted.

It seems pretty obvious, but I will ask anyway, can you verify that both devices have access to Internet (appropriate routing, access lists, etc) and have connectivity to each other?

You might try running debug for ISAKMP and see if they recognize the incoming request and attempt any negotiation.

HTH

Rick

HTH

Rick

Thanks Richard, both devices have Internet access, and while I can ping the public IP of the static router from the dynamic firewall, I cannot vice versa.

I get nothing from the debugs.

If there is no output from the debug then it suggests that the request for negotiation is not getting through. It might be related to the fact that the static router is not able to ping the dynamic firewall. Can you check the policies on the firewall and verify that it is allowing the traffic from the static router?

HTH

Rick

HTH

Rick

Hey Rick,

Thank you, I have made progression, but I am currently stuck at Phase 2 with the following error:

Jul 18 15:29:51 [IKEv1]Group = 85.x.x.x, IP = 85.x.x.x, Removing peer from correlator table failed, no match!
Jul 18 15:29:51 [IKEv1]Group = 85.x.x.x, IP = 85.x.x.x, Session is being torn down. Reason: Lost Service
Jul 18 15:30:26 [IKEv1]Group = 85.x.x.x, IP = 85.x.x.x, QM FSM error (P2 struct &0xcc02fda8, mess id 0xf3401719)!

The other side is like this:

Jul 18 15:52:28.678: ISAKMP:(51073):SA has been authenticated with 5.x.x.xx8
Jul 18 15:52:28.678: ISAKMP: Trying to insert a peer 85.x.x.x/5.x.x.xx8/500/INTERNET, and inserted successfully 7F8EA578B4A0.
Jul 18 15:52:28.678: ISAKMP:(51073): sending packet to 5.x.x.xx8 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Jul 18 15:52:28.689: ISAKMP (51073): received packet from 5.x.x.xx8 dport 500 sport 500 INTERNET (R) QM_IDLE
(key eng. msg.) INBOUND local= 85.x.x.x:0, remote= 5.x.x.xx8:0,
Jul 18 15:52:28.690: ISAKMP:(51073): phase 2 SA policy not acceptable! (local 85.x.x.x remote 5.x.x.xx8)
Jul 18 15:52:28.690: ISAKMP:(51073): sending packet to 5.x.x.xx8 my_port 500 peer_port 500 (R) QM_IDLE
Jul 18 15:52:36.686: ISAKMP (51073): received packet from 5.x.x.xx8 dport 500 sport 500 INTERNET (R) QM_IDLE
Jul 18 15:52:44.689: ISAKMP (51073): received packet from 5.x.x.xx8 dport 500 sport 500 INTERNET (R) QM_IDLE
Jul 18 15:52:52.693: ISAKMP (51073): received packet from 5.x.x.xx8 dport 500 sport 500 INTERNET (R) QM_IDLE
Jul 18 15:53:00.697: ISAKMP (51073): received packet from 5.x.x.xx8 dport 500 sport 500 INTERNET (R) QM_IDLE
Jul 18 15:53:00.699: ISAKMP (51073): received packet from 5.x.x.xx8 dport 500 sport 500 INTERNET (R) QM_IDLE
Jul 18 15:53:00.699: ISAKMP:(51073):deleting SA reason "No reason" state (R) QM_IDLE (peer 5.x.x.xx8)
Jul 18 15:53:00.699: ISAKMP:(51073): sending packet to 5.x.x.xx8 my_port 500 peer_port 500 (R) QM_IDLE
Jul 18 15:53:00.699: ISAKMP:(51073):deleting SA reason "No reason" state (R) QM_IDLE (peer 5.x.x.xx8)

Crypto session shows as UP-IDLE, but sees the wrong profile for some reason.

This looks to be the issue as the profile it picks up is associated with a different vrf, and is also a dynamic crypto map entry.

Can you only have one dynamic map per interface?

Taking the easy one first: when you deal with a crypto map in IOS there can be a single crypto map per interface. The dynamic map is linked to the crypto map which is assigned to the interface. I have not tried two dynamic map instances within a crypto map and do not know if that would work.

In looking at your output this is the line that stands out

Jul 18 15:52:28.690: ISAKMP:(51073): phase 2 SA policy not acceptable! (local 85.x.x.x remote 5.x.x.xx8)

HTH

Rick

HTH

Rick