show crypto commands

Steven Williams
Level 4

I have configured, well, I attempted to configure, my side of the tunnel for a site-to-site VPN. The other side is waiting on configuration. Someone else is doing the other side, but is there a way I can see if my side is even trying to connect?

show crypto isakmp sa shows nothing...

5 Replies

Jouni Forss
VIP Alumni

Hi,

If you are generating constant traffic that is supposed to match the L2L VPN configurations, then the command you mention should show some output.

If you are not seeing anything, I would imagine that you might either be missing some essential configuration related to the VPN connection, or there might be some NAT/ACL related configuration that is stopping the connection attempt before it reaches the VPN Phase, or changing the packet (NAT) so that it doesn't match the VPN configurations.

I usually tend to use the "packet-tracer" command to test if the traffic matches the VPN configurations, and naturally also because the "packet-tracer" command actually initiates the VPN negotiation without having to use any internal host for that purpose.

In a normal working L2L VPN setup, your first "packet-tracer" test would end up with the VPN Phase DROP, and entering the command a second time would result in an ALLOW.

Naturally, if there is no VPN Phase in the output then the packet doesn't match any VPN configuration on the device. If the "packet-tracer" keeps resulting in VPN Phase DROP, it means that the VPN negotiations simply don't complete.

On the newer software levels you are also able to use TCP ping, for example, to generate traffic to the actual L2L VPN connection. The command format for that would be

ping tcp source

- Jouni

Packet-tracer is where I get a bit confused...

What should the interface be? I assume outside?

Also, do I select the public IP of the other end of the tunnel as the destination, or a private IP I am trying to hit?

Hi,

Basically the "packet-tracer" in this case should use the information corresponding to a LAN host trying to access the remote network behind the L2L VPN.

Therefore the "input" interface would be the interface behind which the host on your LAN is. The destination IP address would be a host on the remote LAN.

If your LAN interface was called "inside", the LAN host was 10.10.10.10, and the remote site host was 192.168.10.10 and was a web server, then you could enter the following

packet-tracer input inside tcp 10.10.10.10 12345 192.168.10.10 80

- Jouni
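The two replies above give a rule for reading packet-tracer output (no VPN Phase: the flow never matched the crypto map ACL; VPN Phase DROP: matched, but the negotiation has not completed; VPN Phase ALLOW on the second run: tunnel up). As an added example, not code from the thread, the script below applies that rule to pasted packet-tracer output. The phase type names ("VPN", "NAT", "ACCESS-LIST") follow packet-tracer output as I know it, and every sample output in the block is constructed for the example rather than captured from a real ASA.

```python
"""Classify ASA packet-tracer output for an L2L VPN test flow.

Added example for this thread, not code from the original posts. Encodes the
reading given above: no VPN phase -> flow never matched the crypto map ACL;
VPN phase with Result: DROP -> matched, but IKE/IPsec negotiation is not done;
VPN phase with Result: ALLOW -> tunnel is up; a DROP in an earlier phase (NAT,
ACCESS-LIST, ...) is reported as that phase. Phase type names follow
packet-tracer output as I know it; all sample outputs below are constructed.
"""
from __future__ import annotations
import re
from typing import Optional


def _field(block: str, name: str) -> str:
    """Value of a 'Name: value' line inside one phase block ('' if absent/empty)."""
    m = re.search(rf"(?m)^{name}:[ \t]*(.*)$", block)
    return m.group(1).strip() if m else ""


def parse_phases(text: str) -> list[dict]:
    """Split packet-tracer output into its numbered phases."""
    phases = []
    for block in re.split(r"(?m)^Phase:[ \t]*", text)[1:]:
        phases.append({"num": int(block.split("\n", 1)[0].strip()),
                       "type": _field(block, "Type"),
                       "subtype": _field(block, "Subtype"),
                       "result": _field(block, "Result")})
    return phases


def diagnose(text: str) -> tuple[str, Optional[str]]:
    """Return (verdict, type of the dropping phase or None).

    verdict: 'dropped-before-vpn' | 'no-vpn-phase' | 'vpn-drop' | 'vpn-allow'
    """
    phases = parse_phases(text)
    dropped = next((p for p in phases if p["result"].upper() == "DROP"), None)
    if dropped and dropped["type"].upper() != "VPN":
        return "dropped-before-vpn", dropped["type"]      # fix NAT/ACL first
    if not any(p["type"].upper() == "VPN" for p in phases):
        return "no-vpn-phase", None                       # crypto ACL not matched
    if dropped:
        return "vpn-drop", "VPN"                          # negotiation not complete
    return "vpn-allow", None                              # tunnel is up


# Constructed sample: first run of
#   packet-tracer input inside tcp 10.10.10.10 12345 192.168.10.10 80
# against a tunnel that is not up yet.
FIRST_RUN = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_in in interface inside

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static MY-LAN MY-LAN destination static HIS-LAN HIS-LAN

Phase: 4
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
"""

# Constructed: second run, after the negotiation triggered by the first completed.
SECOND_RUN = FIRST_RUN.replace("Result: DROP", "Result: ALLOW").replace("Action: drop", "Action: allow")
# Constructed: the flow never reaches the VPN phase because NAT drops it.
NAT_DROP = FIRST_RUN.split("Phase: 4")[0].replace("Subtype:\nResult: ALLOW", "Subtype:\nResult: DROP") + "Result:\nAction: drop\n"
# Constructed: every phase ALLOW but no VPN phase; the packet would leave in the clear.
NO_MATCH = FIRST_RUN.split("Phase: 4")[0] + "Result:\nAction: allow\n"

if __name__ == "__main__":
    for label, out in (("first run", FIRST_RUN), ("second run", SECOND_RUN),
                       ("nat drop", NAT_DROP), ("no match", NO_MATCH)):
        print(f"{label:11s} -> {diagnose(out)}")
```

Paste the real output into `diagnose()` in place of the constructed strings; a "dropped-before-vpn" verdict naming NAT is the case Jouni describes where NAT rewrites the packet before it can match the crypto ACL.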

Not having much luck here. Packet trace stops at "VPN lookup".

this is the config template I used:

crypto ikev1 enable outside

crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400

tunnel-group 5.6.7.8 type ipsec-l2l
tunnel-group 5.6.7.8 ipsec-attributes
 ikev1 pre-shared-key cisco123

access-list VPN permit ip 10.0.X.0 255.255.255.0 10.0.Y.0 255.255.255.0

crypto ipsec ikev1 transform-set MYTSET esp-des esp-md5-hmac

crypto map CMAP_OUTSIDE 10 ipsec-isakmp
crypto map CMAP_OUTSIDE 10 set ikev1 transform-set MYTSET
crypto map CMAP_OUTSIDE 10 match address VPN
crypto map CMAP_OUTSIDE 10 set peer 5.6.7.8
crypto map CMAP_OUTSIDE interface outside

object network MY-LAN
 subnet 10.0.X.0 255.255.255.0
object network HIS-LAN
 subnet 10.0.Y.0 255.255.255.0
nat (inside,outside) source static MY-LAN MY-LAN destination static HIS-LAN HIS-LAN

I did notice that the command "crypto map CMAP_OUTSIDE 10 ipsec-isakmp" does not work on its own; it requires the word dynamic...

Hi,

You won't need the line with "ipsec-isakmp" with this L2L VPN configuration. It's related to the VPN Client configurations, which are dynamic VPN connections, while L2L VPNs use static crypto map configurations.

Have you used the above parameters for the L2L VPN connection? Are you really sure these are the correct parameters? You are using DES, which should not be used.

From my perspective it would be easier to see your current configurations and the L2L VPN parameters that were given to you for building this L2L VPN connection. I could then go through the configurations to determine what might be causing the problem on your side (if anything).

I seem to have forgotten to ask you to take the output of

show crypto ikev1 sa

on your ASA while you are frequently issuing the "packet-tracer" matching the L2L VPN configurations.

If the "packet-tracer" matches the VPN by hitting the VPN Phase (whether it's PERMIT/DROP), that tells us that your configurations leading to the VPN negotiation seem to be fine.

But I highly doubt that DES/MD5 would be used for any new connection. 3DES/MD5 would be more likely. The negotiation might stop because of mismatched Phase 1 parameters/policies on the VPN gateways. Is the above IKEv1 policy the only policy on your device?

- Jouni
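The reply above lists the things to verify in the posted template before blaming the peer: the static crypto map entry is complete and bound to an interface with ikev1 enabled, the tunnel-group for the peer carries a pre-shared key, the stray "ipsec-isakmp" line (dynamic-map syntax) is gone, and Phase 1/Phase 2 do not use DES/MD5/group 1. As an added example, not code from the thread or from Cisco, the script below parses an ASA config in the shape posted and reports those findings. The sample config is constructed from the thread's template with 10.0.1.0/10.0.2.0 in place of the X/Y placeholders (object/nat lines omitted, since the linter does not read them); the "hardened" variant's AES-256/SHA/group 14 values are assumptions for the example, and the weak-algorithm lists are this example's own policy.

```python
"""Lint an ASA IKEv1 static crypto map (L2L) configuration.

Added example for this thread, not code from the original posts. The weak-
algorithm sets below are this example's own choice (DES, MD5, DH group 1).
"""
from __future__ import annotations
import re

WEAK_P1 = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1"}}
WEAK_P2 = {"des", "md5"}  # tokens of esp-des / esp-md5-hmac


def parse(config: str) -> dict:
    """Pull the crypto-relevant objects out of a flat ASA config text."""
    st = {"ikev1": set(), "policies": {}, "tgroups": {}, "acls": set(),
          "tsets": {}, "maps": {}, "bound": {}}
    ctx = None  # current sub-mode: ("policy", seq) or ("tg", peer)
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"crypto ikev1 enable (\S+)$", line):
            st["ikev1"].add(m[1]); ctx = None
        elif m := re.match(r"crypto ikev1 policy (\d+)$", line):
            ctx = ("policy", m[1]); st["policies"][m[1]] = {}
        elif m := re.match(r"tunnel-group (\S+) type (\S+)$", line):
            st["tgroups"].setdefault(m[1], {})["type"] = m[2]; ctx = None
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            ctx = ("tg", m[1]); st["tgroups"].setdefault(m[1], {})
        elif m := re.match(r"access-list (\S+) ", line):
            st["acls"].add(m[1]); ctx = None
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)$", line):
            st["tsets"][m[1]] = m[2].split(); ctx = None
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            st["bound"][m[1]] = m[2]; ctx = None
        elif m := re.match(r"crypto map (\S+) (\d+) (.+)$", line):
            e, w = st["maps"].setdefault((m[1], m[2]), {}), m[3].split()
            if w[:2] == ["set", "peer"]: e["peer"] = w[2]
            elif w[:2] == ["match", "address"]: e["acl"] = w[2]
            elif w[:3] == ["set", "ikev1", "transform-set"]: e["tset"] = w[3]
            elif w[0] == "ipsec-isakmp": e["ipsec-isakmp"] = w
            ctx = None
        elif ctx and ctx[0] == "policy":
            k, _, v = line.partition(" "); st["policies"][ctx[1]][k] = v
        elif ctx and ctx[0] == "tg" and line.startswith("ikev1 pre-shared-key "):
            st["tgroups"][ctx[1]]["psk"] = line.split(maxsplit=2)[2]
        else:
            ctx = None  # object/subnet/nat lines are not inspected here
    return st


def lint(config: str) -> list[str]:
    """Return findings; an empty list means the checks pass."""
    st, out = parse(config), []
    for (name, seq), e in sorted(st["maps"].items()):
        tag = f"crypto map {name} {seq}"
        if "ipsec-isakmp" in e and "dynamic" not in e["ipsec-isakmp"]:
            out.append(f"{tag}: 'ipsec-isakmp' is dynamic-map syntax; remove it from a static L2L entry")
        out += [f"{tag}: missing '{cmd}'" for key, cmd in (("peer", "set peer"),
                ("acl", "match address"), ("tset", "set ikev1 transform-set")) if key not in e]
        if "acl" in e and e["acl"] not in st["acls"]:
            out.append(f"{tag}: ACL {e['acl']} is not defined")
        if "tset" in e and e["tset"] not in st["tsets"]:
            out.append(f"{tag}: transform-set {e['tset']} is not defined")
        elif "tset" in e:
            weak = [t for t in st["tsets"][e["tset"]] if WEAK_P2 & set(t.split("-"))]
            if weak:
                out.append(f"transform-set {e['tset']}: weak {' '.join(weak)}")
        if name not in st["bound"]:
            out.append(f"{tag}: map {name} is not applied to an interface")
        elif st["bound"][name] not in st["ikev1"]:
            out.append(f"{tag}: ikev1 is not enabled on {st['bound'][name]}")
        tg = st["tgroups"].get(e.get("peer"))
        if "peer" in e and tg is None:
            out.append(f"{tag}: no tunnel-group for peer {e['peer']}")
        elif tg is not None:
            if tg.get("type") != "ipsec-l2l":
                out.append(f"tunnel-group {e['peer']}: type is not ipsec-l2l")
            if "psk" not in tg:
                out.append(f"tunnel-group {e['peer']}: no ikev1 pre-shared-key")
    out += [f"ikev1 policy {seq}: weak {k} '{p[k]}'" for seq, p in st["policies"].items()
            for k, bad in WEAK_P1.items() if p.get(k) in bad]
    return out


# Constructed: the thread's template with 10.0.1.0/10.0.2.0 for the X/Y
# placeholders (object/nat lines omitted; the linter does not read them).
POSTED = """
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
tunnel-group 5.6.7.8 type ipsec-l2l
tunnel-group 5.6.7.8 ipsec-attributes
 ikev1 pre-shared-key cisco123
access-list VPN permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
crypto ipsec ikev1 transform-set MYTSET esp-des esp-md5-hmac
crypto map CMAP_OUTSIDE 10 ipsec-isakmp
crypto map CMAP_OUTSIDE 10 set ikev1 transform-set MYTSET
crypto map CMAP_OUTSIDE 10 match address VPN
crypto map CMAP_OUTSIDE 10 set peer 5.6.7.8
crypto map CMAP_OUTSIDE interface outside
"""
# Constructed: same entry without the stray line and with AES-256/SHA/group 14
# (assumed values; the real ones must match whatever the peer side configures).
HARDENED = (POSTED.replace("crypto map CMAP_OUTSIDE 10 ipsec-isakmp\n", "")
            .replace(" encryption des", " encryption aes-256")
            .replace(" hash md5", " hash sha").replace(" group 1\n", " group 14\n")
            .replace("esp-des esp-md5-hmac", "esp-aes-256 esp-sha-hmac"))

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("hardened", HARDENED)):
        findings = lint(cfg) or ["ok"]
        print(label, *findings, sep="\n  ")
```

Run it over `show running-config` output saved to a file; it only answers the local-side questions (is the map complete, bound, and free of weak algorithms). Whether Phase 1 actually completes still depends on the peer proposing the same policy, which is the mismatch Jouni points at.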