01-16-2014 09:13 AM
I have configured, well, I attempted to configure, my side of the tunnel for a site-to-site VPN. The other side is waiting on configuration. Someone else is doing the other side, but is there a way I can see if my side is even trying to connect?
show crypto isakmp sa shows nothing...
01-16-2014 09:39 AM
Hi,
If you are generating constant traffic that is supposed to match the L2L VPN configurations, then the output of the command you mention should show something.
If you are not seeing anything, I would imagine that you might either be missing some essential configuration related to the VPN connection, or there might be some NAT/ACL related configuration that is stopping the connection attempt before it reaches the VPN phase, or changing the packet (NAT) so that it doesn't match the VPN configurations.
I usually tend to use the "packet-tracer" command to test if the traffic matches the VPN configurations, and naturally also because the use of the "packet-tracer" command actually initiates the VPN negotiation without having to use any internal host for that purpose.
In a normal working L2L VPN setup your first "packet-tracer" test would end up with the VPN phase DROP, and entering the command a second time would result in an ALLOW.
Naturally, if there is no VPN phase in the output, then the packet wouldn't match any VPN configuration on the device. If the "packet-tracer" keeps resulting in VPN phase DROP, it means that the VPN negotiations simply don't complete.
On the newer software levels you are also able to use TCP Ping, for example, to generate traffic to the actual L2L VPN connection. The command format for that would be
ping tcp
- Jouni
01-16-2014 09:43 AM
Packet-tracer is where I get a bit confused...
What should the interface be? I assume outside?
Also, do I select the public IP of the other end of the tunnel as the destination, or a private IP I am trying to hit?
01-16-2014 11:15 AM
Hi,
Basically, the "packet-tracer" in this case should use the information corresponding to a LAN host trying to access the remote network behind the L2L VPN.
Therefore the "input" interface would be the interface behind which the host on your LAN is. The destination IP address would be a host on the remote LAN.
If your LAN interface was called "inside", the LAN host was 10.10.10.10, and the remote site host was 192.168.10.10 and a Web server, then you could enter the following:
packet-tracer input inside tcp 10.10.10.10 12345 192.168.10.10 80
- Jouni
01-17-2014 11:43 AM
Not having much luck here. Packet-tracer stops at "VPN lookup".
This is the config template I used:
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
tunnel-group 5.6.7.8 type ipsec-l2l
tunnel-group 5.6.7.8 ipsec-attributes
 ikev1 pre-shared-key cisco123
access-list VPN permit ip 10.0.X.0 255.255.255.0 10.0.Y.0 255.255.255.0
crypto ipsec ikev1 transform-set MYTSET esp-des esp-md5-hmac
crypto map CMAP_OUTSIDE 10 ipsec-isakmp
crypto map CMAP_OUTSIDE 10 set ikev1 transform-set MYTSET
crypto map CMAP_OUTSIDE 10 match address VPN
crypto map CMAP_OUTSIDE 10 set peer 5.6.7.8
crypto map CMAP_OUTSIDE interface outside
object network MY-LAN
 subnet 10.0.X.0 255.255.255.0
object network HIS-LAN
 subnet 10.0.Y.0 255.255.255.0
nat (inside,outside) source static MY-LAN MY-LAN destination static HIS-LAN HIS-LAN
I did notice that the command "crypto map CMAP_OUTSIDE 10 ipsec-isakmp" does not work on its own; it requires the word dynamic...
01-20-2014 12:25 AM
Hi,
You won't need the line with "ipsec-isakmp" with this L2L VPN configuration. It's related to the VPN Client configurations, which are dynamic VPN connections, while L2L VPNs use static crypto map configurations.
Have you used the above parameters for the L2L VPN connection? Are you really sure these are the correct parameters? You are using DES, which should not be used.
From my perspective it would be easier to see your current configurations and the L2L VPN parameters that were given to you for building this L2L VPN connection. I could then go through the configurations to determine what might be causing the problem on your side (if anything).
I seem to have forgotten to ask you to take the output of
show crypto ikev1 sa
on your ASA while you are frequently issuing the "packet-tracer" matching the L2L VPN configurations.
If the "packet-tracer" matches the VPN by hitting the VPN phase (whether it's PERMIT/DROP), that tells us that your configurations leading to the VPN negotiation seem to be fine.
But I highly doubt that DES/MD5 would be used for any new connection. 3DES/MD5 would be more likely. The negotiation might stop because of mismatched Phase 1 parameters/policies on the VPN gateways. Is the above IKEv1 policy the only policy on your device?
- Jouni
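As an added example (not part of the thread), the checks the replies above walk through, applied to a constructed copy of the posted template: does every crypto map entry point at an ACL, transform-set, tunnel-group and IKEv1-enabled interface that actually exist, is any entry a dynamic (remote-access style) one, and does Phase 1 or Phase 2 use DES/MD5. The peer 5.6.7.8 is the thread's placeholder and 10.0.1.0/10.0.2.0 stand in for the 10.0.X.0/10.0.Y.0 subnets; the rest is a hypothetical helper, not an ASA or Cisco tool.

```python
import re

# Constructed config modelled on the thread's template (5.6.7.8 = placeholder peer; 10.0.1.0/10.0.2.0 stand in for X/Y).
ASA_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
tunnel-group 5.6.7.8 type ipsec-l2l
access-list VPN permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
crypto ipsec ikev1 transform-set MYTSET esp-des esp-md5-hmac
crypto map CMAP_OUTSIDE 10 set ikev1 transform-set MYTSET
crypto map CMAP_OUTSIDE 10 match address VPN
crypto map CMAP_OUTSIDE 10 set peer 5.6.7.8
crypto map CMAP_OUTSIDE interface outside
"""
# DES and MD5 as called out in the thread, plus DH group 1, which is in the same strength class.
WEAK = {"des", "md5", "1", "esp-des", "esp-md5-hmac"}

def lint_l2l(config):
    """Return findings: dangling crypto map references, dynamic entries, weak algorithms."""
    out = []
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    tsets = set(re.findall(r"^crypto ipsec ikev1 transform-set (\S+)", config, re.M))
    peers = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", config, re.M))
    ike_on = set(re.findall(r"^crypto ikev1 enable (\S+)", config, re.M))
    applied = dict(re.findall(r"^crypto map (\S+) interface (\S+)", config, re.M))
    entries = re.findall(r"^crypto map (\S+) (\d+) (match address|set peer|"
                         r"set ikev1 transform-set|ipsec-isakmp dynamic) ?(.*)$", config, re.M)
    for cmap in {e[0] for e in entries}:
        if cmap not in applied:
            out.append(f"crypto map {cmap} is not applied to any interface")
        elif applied[cmap] not in ike_on:
            out.append(f"IKEv1 is not enabled on {applied[cmap]}, no negotiation can start")
    for cmap, seq, verb, args in entries:
        if verb == "match address" and args not in acls:
            out.append(f"{cmap} {seq}: ACL {args} does not exist, traffic can never match the VPN")
        elif verb == "set peer" and args not in peers:
            out.append(f"{cmap} {seq}: no ipsec-l2l tunnel-group for peer {args}")
        elif verb == "set ikev1 transform-set":
            out += [f"{cmap} {seq}: transform-set {t} is undefined" for t in args.split() if t not in tsets]
        elif verb == "ipsec-isakmp dynamic":
            out.append(f"{cmap} {seq}: dynamic entry (remote-access style), not a static L2L entry")
    p1 = re.findall(r"^[ \t]*(encryption|hash|group) (\S+)$", config, re.M)  # Phase 1 policy lines
    out += [f"weak IKEv1 policy setting: {k} {v}" for k, v in p1 if v in WEAK]
    for ts, algs in re.findall(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$", config, re.M):
        out += [f"weak transform in {ts}: {a}" for a in algs.split() if a in WEAK]
    return out
```

On the template as posted the references all resolve, so the only findings are the five weak-algorithm ones; a misspelt ACL name, a dynamic entry or IKEv1 enabled on the wrong interface each produce a finding of their own.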