07-28-2010 06:32 AM - edited 02-21-2020 04:45 PM
Hi, I have a problem with an IPsec tunnel on an ASA.
Phase I is OK
but phase II is weird
let's say local ip is 200.4.250.10
local host 192.168.0.1/32
remote net 172.20.0.0/16
peer ip is 100.30.20.10
-----the output of show crypto ipsec sa gives:
local ident (addr/mask/prot/port): (200.4.250.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (100.30.20.10/255.255.255.255/0/0)
current_peer: 100.30.20.10
I think the local ident & remote ident are wrong; I should get
local ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.20.0.0/255.255.0.0/0/0)
current_peer: 100.30.20.10
--when I execute
debug crypto ipsec 7
IPSEC: No user rule added. No intersection between source source networks (192.168.0.1/255.255.255.255) and (100.30.20.10/255.255.255.255).
IPSEC: No user rule added. No intersection between source source networks (192.168.0.1/255.255.255.255) and (100.30.20.10/255.255.255.255).
Any ideas??
Thanks
07-28-2010 06:46 AM
I think your config is incorrect - post your ASA's config for review, remove any sensitive information.
07-28-2010 06:48 AM
Just make sure that there is a nat exemption between ur vpn networks, routes for remote networks pointing to vpn gateway and no vpn filter configured in the group-policy. It would help if u had a gist of ur crypto config posted. And wat is the device on the other end?
07-28-2010 07:40 AM
Hi all
OK
outside ip is 200.4.250.10
local host ip is 192.168.10.1/32
local host ip, after nat becomes 192.168.0.1/32
peer ip is 100.30.20.10
remote net 172.20.0.0/16
the IP of the local host is 192.168.10.1 and it is NATed to 192.168.0.1/32 if the traffic goes to 172.20.0.0
This is part of the configuration:
access-list outside_cryptomap_3 extended permit ip host 192.168.0.1 172.20.0.0 255.255.0.0
crypto isakmp policy 2
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 2 match address outside_cryptomap_3
crypto map outside_map 2 set connection-type originate-only
crypto map outside_map 2 set peer 100.30.20.10
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 set nat-t-disable
crypto map outside_map interface outside
group-policy VPN_2 internal
group-policy VPN_2 attributes
vpn-filter none
vpn-tunnel-protocol IPSec svc
tunnel-group 100.30.20.10 type ipsec-l2l
tunnel-group 100.30.20.10 general-attributes
default-group-policy VPN_2
tunnel-group 100.30.20.10 ipsec-attributes
pre-shared-key ""
isakmp keepalive disable
Thanks in advance
07-28-2010 08:04 AM
So the phase 2 comes up but u not able to pass traffic?
Can u do a packet tracer between the relevant hosts and post the outputs?
07-28-2010 08:35 AM
Hi
tracer does not give usable information as the packets are not routed via the VPN
Thanks
07-28-2010 08:10 AM
provide the "no-nat" config i.e "nat inside 0"
Why is this end set to originate only?
07-29-2010 02:59 AM
there is another problem
the output of show crypto ipsec sa gives:
access-list OO_temp_outside_map2 permit ip host 200.4.250.10 host 100.30.20.10
local ident (addr/mask/prot/port): (200.4.250.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (100.30.20.10/255.255.255.255/0/0)
current_peer: 100.30.20.10
"OO_temp_outside_map2" is not the ACL I put in the crypto map; my line states:
crypto map outside_map 2 match address outside_cryptomap_3
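The two symptoms in this thread (the ASA's "No intersection between source networks" debug message, and an SA whose local/remote idents and temporary OO_temp_ ACL describe the peer addresses rather than the hosts in outside_cryptomap_3) can both be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses the posted ACL, the "show crypto ipsec sa" ident lines and the crypto map fragment, repeats the overlap test the ASA performs between the crypto ACL and the negotiated proxy identities, and flags transform-sets the crypto map references but the fragment never defines. The sample strings are constructed from the values shown in the posts; the check on transform-sets only says what the posted excerpt lacks, since the poster said it is part of the configuration.

```python
import ipaddress
import re

# Constructed samples, shaped after the lines quoted in the thread.
CRYPTO_ACL = """
access-list outside_cryptomap_3 extended permit ip host 192.168.0.1 172.20.0.0 255.255.0.0
"""

IPSEC_SA_OUTPUT = """
access-list OO_temp_outside_map2 permit ip host 200.4.250.10 host 100.30.20.10
local ident (addr/mask/prot/port): (200.4.250.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): 100.30.20.10/255.255.255.255/0/0)
current_peer: 100.30.20.10
"""

CONFIG_FRAGMENT = """
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 2 match address outside_cryptomap_3
crypto map outside_map 2 set peer 100.30.20.10
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
"""


def _net(tokens):
    """Convert ACL address tokens ('host A', 'any', or 'A MASK') to a network; return it and tokens used."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), 2
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), 2


def parse_acl(text):
    """Parse 'access-list NAME [extended] permit ip SRC DST' lines into {name: [(src, dst), ...]}."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        name, rest = t[1], t[2:]
        if rest[0] == "extended":
            rest = rest[1:]
        if rest[:2] != ["permit", "ip"]:
            continue  # only plain 'permit ip' entries define proxy identities here
        rest = rest[2:]
        src, used = _net(rest)
        dst, _ = _net(rest[used:])
        acls.setdefault(name, []).append((src, dst))
    return acls


# Tolerates the missing '(' seen in the quoted output.
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(?([\d.]+)/([\d.]+)/")


def parse_idents(text):
    """Extract the negotiated local/remote proxy identities from 'show crypto ipsec sa' output."""
    return {m.group(1): ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            for m in IDENT_RE.finditer(text)}


def ident_mismatches(acl_entries, idents):
    """ACL entries whose source or destination does not overlap the negotiated identities.
    This is the same overlap test behind the ASA's 'No intersection between source networks'
    debug line; an empty result means the SA protects the traffic the crypto ACL describes."""
    return [(src, dst) for src, dst in acl_entries
            if not src.overlaps(idents["local"]) or not dst.overlaps(idents["remote"])]


def undefined_transform_sets(config):
    """Transform-set names a crypto map references that the given fragment never defines."""
    defined, referenced = set(), set()
    for line in config.strip().splitlines():
        t = line.split()
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            defined.add(t[3])
        elif t[:2] == ["crypto", "map"] and "transform-set" in t:
            referenced.update(t[t.index("transform-set") + 1:])
    return sorted(referenced - defined)


if __name__ == "__main__":
    idents = parse_idents(IPSEC_SA_OUTPUT)
    configured = parse_acl(CRYPTO_ACL)["outside_cryptomap_3"]
    temporary = parse_acl(IPSEC_SA_OUTPUT)["OO_temp_outside_map2"]
    print("negotiated idents:", idents)
    print("configured ACL entries not covered by the SA:", ident_mismatches(configured, idents))
    print("OO_temp ACL entries not covered by the SA:", ident_mismatches(temporary, idents))
    print("transform-sets referenced but not defined in fragment:", undefined_transform_sets(CONFIG_FRAGMENT))
```

Run against the constructed samples, the configured entry (192.168.0.1/32 to 172.20.0.0/16) is reported as not covered, the temporary OO_temp_ entry is fully covered (it was generated from the peer addresses), and ESP-AES-128-SHA is reported as referenced but not defined in the fragment. The same functions can be fed the idents the poster expected (192.168.0.1/32 and 172.20.0.0/16), in which case the configured ACL produces no mismatch.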
07-29-2010 04:28 AM
try removing the set connection originate-only in the crypto map and re-initiate the tunnel.
07-29-2010 06:08 AM
Thanks, but
If I use bidirectional the tunnel stops
how do I re-initiate the tunnel?
Thanks again
07-29-2010 06:44 AM
clear crypto isakmp sa
and clear crypto ipsec sa peer
07-29-2010 03:03 AM
Again - provide the "no-nat" config i.e "nat inside 0"