09-18-2012 08:32 PM
I am trying to establish a S2S VPN between two sites. One site has a static public IP and the other has a static private IP with a router in the middle doing NATting (I have no control over that router, which is placed after the ASA at the remote site).
I had this working before in a test lab, but now I am having issues getting it to work in a live environment. I have verified that the passphrase is the same and the policies do match. When I do show isakmp sa on the remote I get (state AM_WAIT_MSG2) and on the main site it says there are no ISAKMP SAs. I can see traffic hitting the outside port of the firewall coming from the public IP of the gateway. I even allowed UDP 500 on the outside interface, but am still having issues.
Just to add that there is a router gateway somewhere on the way to the main site doing NATting.
Can someone please assist with this issue?
Thanks
Below are the configs (public IPs have been edited).
*****MainSite with static IP 1.1.1.1
names
name 10.81.0.0 Mainsite
name 10.21.0.0 Remotesite
!
interface Ethernet0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
interface Ethernet1
nameif inside
security-level 100
ip address 10.81.8.1 255.255.252.0
access-list inside_access_in extended permit ip MainSite 255.255.0.0 Remotesite 255.255.224.0
access-list inside_nat0_outbound extended permit ip MainSite 255.255.0.0 Remotesite 255.255.224.0
access-list outside_cryptomap_65535.1 extended permit ip MainSite 255.255.0.0 Remotesite 255.255.224.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.81.8.0 255.255.252.0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_65535.1
crypto dynamic-map outside_dyn_map 1 set pfs
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
******************
Remote site with private IP 192.168.0.2 on the satellite link and a gateway doing NAT with a public IP of 2.2.2.2 (not sure if that public IP is static either)
name 10.21.0.0 Remotesite
name 10.81.0.0 Mainsite
!
interface Ethernet0/0
description Inside Network
nameif inside
security-level 100
ip address 10.21.10.1 255.255.224.0
!
interface Ethernet0/2
description Satellite link
nameif satellite
security-level 0
ip address 192.168.0.2 255.255.255.0
!
interface Ethernet0/3
nameif outside
security-level 0
ip address 3.3.3.3 255.255.255.240
access-list inside_access_in extended permit ip 10.21.0.0 255.255.224.0 Mainsite 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.21.0.0 255.255.224.0 Mainsite 255.255.0.0
access-list satellite_1_cryptomap extended permit ip 10.21.0.0 255.255.224.0 Mainsite 255.255.0.0
route satellite Mainsite 255.255.0.0 192.168.0.1 1
route satellite 1.1.1.1 255.255.255.255 192.168.0.1 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map satellite_map 1 match address satellite_1_cryptomap
crypto map satellite_map 1 set pfs
crypto map satellite_map 1 set connection-type originate-only
crypto map satellite_map 1 set peer 1.1.1.1
crypto map satellite_map 1 set transform-set ESP-AES-128-SHA
crypto map satellite_map 1 set phase1-mode aggressive
crypto map satellite_map interface satellite
crypto isakmp enable satellite
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *****
group 2
lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
09-18-2012 09:36 PM
If you are seeing AM_WAIT_MSG2 on the VPN initiating end, and nothing on the other VPN peer end, that means the traffic is most probably being dropped on its way to the other end. That is why it's not working.
So the initiating end has sent out MSG1 and is waiting for MSG2 from the VPN peer, hence the status of AM_WAIT_MSG2. And as you said, you see nothing on the remote VPN peer end, which means the MSG1 being sent out by the initiating end does not reach the remote VPN end.
I would check the router, or get in touch with someone who manages the router, to see if UDP/500 and UDP/4500 are being blocked.
09-18-2012 10:09 PM
Jennifer, thanks for your response.
I do see traffic with the public IP address of the gateway reaching the outside interface of the remote site. However, I don't see any response to those requests. Below are the two log messages I get on the ASA at the main site:
713903 Group = DefaultRAGroup, IP = 2.2.2.2, Error: Unable to remove PeerTblEntry
713902 Group = DefaultRAGroup, IP = 2.2.2.2, Removing peer from peer table failed, no match!
09-18-2012 10:15 PM
Do you have a preshared key configured on the main site? I don't see that in your posted config.
Can you pls run the following debugs:
debug cry isa
debug cry ipsec
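The question above, whether the main site carries a pre-shared key for the peer, is one of several things that can be checked mechanically when two ends of a site-to-site tunnel are compared. What follows is an added example, not code from the thread or from Cisco: a minimal consistency checker for the two posted ASA configs. It parses only the line types that appear in the thread (name, access-list, transform-set, crypto map / dynamic-map, isakmp policy, tunnel-group) and reports crypto ACLs that are not mirrored by the peer, the absence of a common transform set or ISAKMP policy, and a missing pre-shared key. The embedded inputs are excerpts of the posted configs; the case-insensitive lookup of symbolic names (so that MainSite and Mainsite resolve alike) is an assumption of this checker, not a statement about ASA behaviour.

```python
from dataclasses import dataclass, field

# Excerpts of the two configs posted in the thread (public IPs were already redacted there).
MAIN_SITE = """
name 10.81.0.0 Mainsite
name 10.21.0.0 Remotesite
access-list outside_cryptomap_65535.1 extended permit ip MainSite 255.255.0.0 Remotesite 255.255.224.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_65535.1
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-AES-128-SHA
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
"""
REMOTE_SITE = """
name 10.81.0.0 Mainsite
access-list satellite_1_cryptomap extended permit ip 10.21.0.0 255.255.224.0 Mainsite 255.255.0.0
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map satellite_map 1 match address satellite_1_cryptomap
crypto map satellite_map 1 set peer 1.1.1.1
crypto map satellite_map 1 set transform-set ESP-AES-128-SHA
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *****
"""
TOP_LEVEL = ("access-list", "crypto", "interface", "nat", "route", "name", "global", "access-group", "tunnel-group", "!")
# lifetime is deliberately absent: peers negotiate it down, it does not have to match
ATTRS = ("authentication", "encryption", "hash", "group")

@dataclass
class AsaConfig:
    names: dict = field(default_factory=dict)            # 'name' lines: symbol -> IP
    acls: dict = field(default_factory=dict)             # acl -> [(src, smask, dst, dmask)]
    transform_sets: dict = field(default_factory=dict)   # set name -> (esp-enc, esp-auth)
    crypto_acls: set = field(default_factory=set)        # ACLs referenced by crypto maps
    crypto_transforms: set = field(default_factory=set)  # transform sets referenced by crypto maps
    peers: set = field(default_factory=set)              # static 'set peer' addresses
    isakmp_policies: dict = field(default_factory=dict)  # priority -> {attribute: value}
    psk_groups: set = field(default_factory=set)         # tunnel-groups carrying a pre-shared-key

def parse_asa(text: str) -> AsaConfig:
    cfg, ctx = AsaConfig(), None  # ctx: the isakmp policy or tunnel-group whose sub-lines follow
    for t in filter(None, map(str.split, text.splitlines())):  # tokenised, blank lines skipped
        if t[:3] == ["crypto", "isakmp", "policy"] and len(t) == 4:
            ctx = ("policy", t[3])
            cfg.isakmp_policies[t[3]] = {}
        elif t[0] == "tunnel-group" and t[2:] == ["ipsec-attributes"]:
            ctx = ("tg", t[1])
        elif t[0] in TOP_LEVEL:
            ctx = None  # any other top-level command ends the sub-mode
        if t[0] == "name" and len(t) == 3:
            cfg.names[t[2].lower()] = t[1]
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"] and len(t) >= 9:
            cfg.acls.setdefault(t[1], []).append(tuple(t[5:9]))
        elif t[:3] == ["crypto", "ipsec", "transform-set"] and len(t) >= 6:
            cfg.transform_sets[t[3]] = (t[4], t[5])
        elif t[0] == "crypto" and len(t) > 6 and t[1] in ("map", "dynamic-map"):
            if t[4:6] == ["match", "address"]:
                cfg.crypto_acls.add(t[6])
            elif t[4:6] == ["set", "transform-set"]:
                cfg.crypto_transforms.update(t[6:])
            elif t[4:6] == ["set", "peer"]:
                cfg.peers.update(t[6:])
        elif ctx and ctx[0] == "policy" and t[0] in ATTRS and len(t) == 2:
            cfg.isakmp_policies[ctx[1]][t[0]] = t[1]
        elif ctx and ctx[0] == "tg" and t[0] == "pre-shared-key":
            cfg.psk_groups.add(ctx[1])
    return cfg

def crypto_entries(cfg: AsaConfig) -> set:
    """Crypto ACL entries with 'name' symbols resolved (case-insensitive: an assumption here)."""
    res = lambda tok: cfg.names.get(tok.lower(), tok)
    return {(res(s), sm, res(d), dm)
            for acl in cfg.crypto_acls for s, sm, d, dm in cfg.acls.get(acl, [])}

def check_pair(local: AsaConfig, remote: AsaConfig) -> list:
    """Mismatches between the two ends of an L2L tunnel, as human-readable strings."""
    findings = []
    l_ent, r_ent = crypto_entries(local), crypto_entries(remote)
    for side, mine, theirs in (("local", l_ent, r_ent), ("remote", r_ent, l_ent)):
        for s, sm, d, dm in mine:
            if (d, dm, s, sm) not in theirs:  # the peer's crypto ACL must be the mirror image
                findings.append(f"{side}: crypto ACL {s}/{sm} -> {d}/{dm} is not mirrored by the peer")
    offered = lambda c: {c.transform_sets[n] for n in c.crypto_transforms if n in c.transform_sets}
    if not offered(local) & offered(remote):
        findings.append("no IPsec transform set in common")
    policy = lambda c: {tuple(p.get(a) for a in ATTRS) for p in c.isakmp_policies.values()}
    if not policy(local) & policy(remote):
        findings.append("no ISAKMP policy in common (authentication/encryption/hash/group)")
    for side, c in (("local", local), ("remote", remote)):
        # a static peer needs tunnel-group <peer> or DefaultL2LGroup; a dynamic-map responder needs at least one
        if not c.psk_groups or (any(p not in c.psk_groups for p in c.peers) and "DefaultL2LGroup" not in c.psk_groups):
            findings.append(f"{side}: no tunnel-group carries a pre-shared-key for the peer")
    return findings

if __name__ == "__main__":
    print(*check_pair(parse_asa(MAIN_SITE), parse_asa(REMOTE_SITE)), sep="\n")
```

Run against the two excerpts, the only finding is the one raised in the thread: the main-site side has no tunnel-group with a pre-shared key. Changing a mask on one side makes the mirror check fire for both directions, which is the usual cause of a Phase 2 proxy-identity mismatch once Phase 1 is fixed.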
09-19-2012 10:56 AM
Jennifer,
When running the two debug commands on the Mainsite ASA, I get the same syslog messages as above (713903 and 713902).
Thanks
09-20-2012 06:44 AM
Can you pls remove the following line:
crypto map satellite_map 1 set phase1-mode aggressive
09-24-2012 05:43 PM
Jennifer,
I have removed that statement and changed it to main mode and still have the same issue. I believe the ISP is doing two NATs on the way. How does the double NATting affect the S2S VPN?
09-25-2012 12:56 AM
Double NATting is OK as long as they are allowing UDP/500 and ESP traffic through. Are they doing NAT or PAT?
09-25-2012 06:21 AM
Yes. They are using PAT.
09-25-2012 06:23 AM
In that case, you would need to enable NAT-T on the ASA: crypto isakmp nat-traversal 31
Also, make sure that the ISP opens UDP/500 and UDP/4500.
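The "NAT or PAT?" question and the NAT-T answer above turn on one detail: a PAT device needs a transport-layer port to multiplex its single public address, and bare ESP (IP protocol 50) has none, whereas NAT Traversal (RFC 3947/3948) detects the translator during IKE Phase 1 and then carries both IKE and ESP inside UDP/4500, which PAT can map like any other UDP flow. The following is an added example, not code from the thread or from Cisco, that models that mechanism in Python: the NAT-D hash each side computes, a toy PAT gateway, the UDP/4500 framing with the Non-ESP marker, and a simulation of the thread's topology with NAT-T off and on. The addresses are the redacted ones from the posted configs; the ISAKMP cookies, SPI and payload are constructed; and the PAT model assumes no vendor "IPsec passthrough" for ESP, which is flagged in the code.

```python
import hashlib
import socket
import struct
from dataclasses import dataclass, field

# Addresses from the thread's redacted configs; cookies, SPI and payload below are constructed.
REMOTE_PRIVATE_IP, PAT_PUBLIC_IP, MAIN_SITE_IP = "192.168.0.2", "2.2.2.2", "1.1.1.1"
UDP_PROTO, ESP_PROTO = 17, 50
IKE_PORT, NAT_T_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port) with the negotiated hash,
    SHA-1 here because both ASAs in the thread configure 'hash sha'."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def build_nat_d(cky_i, cky_r, own_ip, own_port, peer_ip, peer_port) -> list:
    """A sender lists the hash of the peer's address first, then of its own (RFC 3947 s3.2)."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port), nat_d_hash(cky_i, cky_r, own_ip, own_port)]


def detect_nat(cky_i, cky_r, nat_d, seen_src_ip, seen_src_port, own_ip, own_port) -> tuple:
    """The receiver recomputes both hashes from the outer IP/UDP header it actually saw.
    Returns (sender_behind_nat, receiver_behind_nat)."""
    sender_nat = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port) not in nat_d[1:]
    receiver_nat = nat_d[0] != nat_d_hash(cky_i, cky_r, own_ip, own_port)
    return sender_nat, receiver_nat


@dataclass
class PatGateway:
    """Port address translation: one public IP shared by many inside hosts, each mapping
    keyed on a transport port.  Bare ESP has no port, so this plain PAT drops it
    (assumption: no vendor 'IPsec passthrough' that tracks ESP by SPI)."""
    public_ip: str
    mappings: dict = field(default_factory=dict)
    next_port: int = 40000

    def translate(self, proto: int, src_ip: str, src_port):
        if proto != UDP_PROTO:
            return None                      # nothing to key a mapping on
        key = (proto, src_ip, src_port)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        return self.public_ip, self.mappings[key]


def udp_encap_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """RFC 3948 s2.1: ESP follows the UDP/4500 header directly; SPI 0 is reserved."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved so ESP can be told apart from IKE on UDP/4500")
    return struct.pack("!II", spi, seq) + ciphertext


def udp_encap_ike(ike_message: bytes) -> bytes:
    """RFC 3948 s2.2: IKE on UDP/4500 is prefixed with a 4-byte zero Non-ESP marker."""
    return NON_ESP_MARKER + ike_message


def demux_udp4500(datagram: bytes) -> str:
    """Receiver side of the marker: a zero SPI field means IKE, anything else is ESP."""
    return "ike" if datagram[:4] == NON_ESP_MARKER else "esp"


def simulate(nat_traversal_enabled: bool) -> dict:
    """The remote ASA (initiator, behind the PAT gateway) negotiates with the main site and
    then sends one protected packet; returns what the main-site ASA ends up seeing."""
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8  # constructed ISAKMP cookies
    pat = PatGateway(PAT_PUBLIC_IP)
    result = {}
    # Phase 1 starts on UDP/500, which PAT translates without trouble.
    src_ip, src_port = pat.translate(UDP_PROTO, REMOTE_PRIVATE_IP, IKE_PORT)
    result["ike_src_seen_by_main"] = (src_ip, src_port)
    if nat_traversal_enabled:
        nat_d = build_nat_d(cky_i, cky_r, REMOTE_PRIVATE_IP, IKE_PORT, MAIN_SITE_IP, IKE_PORT)
        sender_nat, receiver_nat = detect_nat(cky_i, cky_r, nat_d, src_ip, src_port, MAIN_SITE_IP, IKE_PORT)
        result["nat_detected"] = {"initiator_behind_nat": sender_nat, "responder_behind_nat": receiver_nat}
        # NAT detected: data traffic becomes ESP inside UDP/4500, which PAT can also translate.
        datagram = udp_encap_esp(spi=0x1000, seq=1, ciphertext=b"\xaa" * 16)
        result["data_delivered"] = pat.translate(UDP_PROTO, REMOTE_PRIVATE_IP, NAT_T_PORT) is not None
        result["data_kind"] = demux_udp4500(datagram)
    else:
        # Without NAT-T the data traffic is bare ESP, which the PAT gateway cannot map.
        result["nat_detected"] = None
        result["data_delivered"] = pat.translate(ESP_PROTO, REMOTE_PRIVATE_IP, None) is not None
        result["data_kind"] = "esp"
    return result


if __name__ == "__main__":
    for flag in (False, True):
        print(f"nat-traversal {'on' if flag else 'off'}: {simulate(flag)}")
```

The simulation shows the two halves of the advice in the thread: IKE on UDP/500 crosses the PAT in both cases, so a responder can log a peer at the translator's public address, but the protected traffic only gets through once NAT-T has moved it into UDP/4500, and that in turn only works if the translator lets UDP/500 and UDP/4500 pass.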