S2S vpn between cisco ASAs static to dynamic

Abdel Amyay
Level 1

I am trying to establish a S2S VPN between two sites. One site has a static public IP and the other has a static private IP with a router in the middle doing NAT (I have no control over that router, which is placed after the ASA at the remote site).

I had this working before in a test lab, but now I am having issues getting it to work in a live environment. I have verified that the passphrase is the same and the policies do match. When I do show isakmp sa on the remote site I get (state Am_wait_MSG2), and on the main site it says there are no ISAKMP SAs. I can see traffic hitting the outside port of the firewall coming from the public IP of the gateway. I even allowed UDP 500 on the outside interface, but I am still having issues.

Just to add that there is a router gateway somewhere on the way to the main site doing NAT.

Can someone please assist with this issue.

Thanks

Below are the configs (public IPs have been edited).

*****MainSite with static IP 1.1.1.1

names
name 10.81.0.0 Mainsite
name 10.21.0.0 Remotesite
!
interface Ethernet0
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
interface Ethernet1
nameif inside
security-level 100
ip address 10.81.8.1 255.255.252.0

access-list inside_access_in extended permit ip MainSite 255.255.0.0 Remotesite 255.255.224.0
access-list inside_nat0_outbound extended permit ip MainSite 255.255.0.0 Remotesite 255.255.224.0
access-list outside_cryptomap_65535.1 extended permit ip MainSite 255.255.0.0 Remotesite 255.255.224.0

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.81.8.0 255.255.252.0

access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1

dynamic-access-policy-record DfltAccessPolicy

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 1 match address outside_cryptomap_65535.1
crypto dynamic-map outside_dyn_map 1 set pfs
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30

******************

Remotesite with private IP 192.168.0.2 on the satellite link and a gateway doing NAT with a public IP of 2.2.2.2 (not sure if that public IP is static either)

name 10.21.0.0 Remotesite
name 10.81.0.0 Mainsite
!
interface Ethernet0/0
description Inside Network
nameif inside
security-level 100
ip address 10.21.10.1 255.255.224.0
!
interface Ethernet0/2
description Satellite link
nameif satellite
security-level 0
ip address 192.168.0.2 255.255.255.0
!
interface Ethernet0/3
nameif outside
security-level 0
ip address 3.3.3.3.3 255.255.255.240

access-list inside_access_in extended permit ip 10.21.0.0 255.255.224.0 Mainsite 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.21.0.0 255.255.224.0 Mainsite 255.255.0.0
access-list satellite_1_cryptomap extended permit ip 10.21.0.0 255.255.224.0 Mainsite 255.255.0.0
route satellite Mainsite 255.255.0.0 192.168.0.1 1
route satellite 1.1.1.1 255.255.255.255 192.168.0.1 1

dynamic-access-policy-record DfltAccessPolicy

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto map satellite_map 1 match address satellite_1_cryptomap
crypto map satellite_map 1 set pfs
crypto map satellite_map 1 set connection-type originate-only
crypto map satellite_map 1 set peer 1.1.1.1
crypto map satellite_map 1 set transform-set ESP-AES-128-SHA
crypto map satellite_map 1 set phase1-mode aggressive
crypto map satellite_map interface satellite
crypto isakmp enable satellite

crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *****

group 2
lifetime 86400

tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *

9 Replies

Jennifer Halim
Cisco Employee

If you are seeing Am_wait_MSG2 on the VPN initiating end, and nothing on the other VPN peer end, that means the traffic is most probably being dropped on its way to the other end. That is why it's not working.

So the initiating end has sent out MSG1 and is waiting for MSG2 from the VPN peer, hence the status of Am_wait_MSG2. As you said, you see nothing on the remote VPN peer end, which means the MSG1 being sent out by the initiating end does not reach the remote VPN end.

I would check the router, or get in touch with someone who manages the router, to see if UDP/500 and UDP/4500 are being blocked.

Jennifer, thanks for your response.

I do see traffic with the public IP address of the gateway reaching the outside interface of the remote site. However, I don't see any response to those requests. Below are the two log messages I get on the ASA at the main site:

713903 Group = DefaultRAGroup, IP = 2.2.2.2, Error: Unable to remove PeerTblEntry
713902 Group = DefaultRAGroup, IP = 2.2.2.2, Removing peer from peer table failed, no match!

Do you have a pre-shared key configured on the main site? I don't see that in your posted config.

Can you please run the following debugs:

debug cry isa
debug cry ipsec

Jennifer,

When running the two debug commands on the Mainsite ASA, I get the same syslog messages as above (713903 and 713902).

Thanks

Can you please remove the following line:

crypto map satellite_map 1 set phase1-mode aggressive

Jennifer,

I have removed that statement and changed it to main mode and still have the same issue. I believe the ISP is doing two NATs on the way. How does the double NATting affect the S2S VPN?

Double NATting is OK as long as they are allowing UDP/500 and ESP traffic through. Are they doing NAT or PAT?

Yes. They are using PAT.

In that case, you would need to enable NAT-T on the ASA: crypto isakmp nat-traversal 31

Also, make sure that the ISP opens UDP/500 and UDP/4500.
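As an added illustration of the two points made in this thread (Am_wait_MSG2 meaning the initiator's first ISAKMP message went out unanswered, and PAT requiring NAT-T because raw ESP has no ports to translate), here is a small Python classifier for IKE/IPsec datagrams. It is not from this thread or from Cisco; the sample IKE header and the packet tuples are constructed for the example.

```python
"""Classify IKE/IPsec datagrams and show which of them a PAT gateway can carry."""
import struct

IKE_PORT, NATT_PORT = 500, 4500
UDP_PROTO, ESP_PROTO = 17, 50
# IKEv1 exchange types (ISAKMP header byte 18); the ASA's "Am_*" states belong to type 4.
EXCHANGE_TYPES = {2: "main-mode", 4: "aggressive-mode", 5: "informational", 32: "quick-mode"}


def parse_ikev1_header(data):
    """Decode the 28-byte ISAKMP header; an all-zero responder SPI marks the initiator's MSG1."""
    if len(data) < 28:
        return None
    _i_spi, r_spi, _next, version, exch, _flags, _msg_id, length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    return {"exchange": EXCHANGE_TYPES.get(exch, "unknown(%d)" % exch),
            "major_version": version >> 4,
            "first_message": r_spi == b"\x00" * 8,
            "length": length}


def classify(proto, dport, payload):
    """Map one datagram (IP protocol, UDP dst port, payload) to its IPsec traffic class."""
    if proto == ESP_PROTO:
        return "esp"                 # raw ESP, IP protocol 50: no ports at all
    if proto != UDP_PROTO:
        return "other"
    if dport == IKE_PORT:
        return "ike"                 # ISAKMP on UDP/500
    if dport == NATT_PORT:
        if payload == b"\xff":
            return "natt-keepalive"  # one-byte keepalive that keeps the PAT mapping open
        if payload[:4] == b"\x00\x00\x00\x00":
            return "ike-natt"        # four-byte non-ESP marker, then an ISAKMP header
        return "udp-esp"             # ESP encapsulated in UDP/4500 (RFC 3948)
    return "other"


def survives_pat(kind):
    """PAT rewrites UDP ports; raw ESP carries none, so only UDP-borne classes can be translated."""
    return kind in {"ike", "ike-natt", "udp-esp", "natt-keepalive"}


def dropped_by_pat(packets):
    """Return the traffic classes in a (proto, dport, payload) list that PAT cannot forward."""
    return sorted({classify(*p) for p in packets if not survives_pat(classify(*p))})


# Constructed sample: an aggressive-mode MSG1 (responder SPI all zeros), not a real capture.
SAMPLE_MSG1 = (b"\x11" * 8 + b"\x00" * 8 + bytes([1, 0x10, 4, 0])
               + struct.pack("!II", 0, 28))
```

Feeding the classifier a capture taken on the responder's outside interface shows at a glance whether UDP/500 arrived at all and whether the data path is raw ESP (lost behind PAT) or UDP/4500 (what nat-traversal switches the ASA to).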