smohur123
Beginner

Site to Site VPN ASA5505 and Cisco 3825

Hi

After configuration of site to site vpn for ip 212.94.157.121(cisco 3825) to 121.243.184.199(ASA 5505), the VPN is not coming up.

I've attached both configurations. Please help.

Thanks

Shameem

Herbert Baerten
Cisco Employee

Hi Shameem,

I see the ASA is configured to do PFS (group 2, if no group is specified), but the router is not.

Try this:

crypto map SDM_CMAP_1 1 ipsec-isakmp
  set pfs group2

If that doesn't help, enable these debugs:

on the router:

debug crypto isakmp
debug crypto ipsec

on the ASA:

debug crypto isakmp 10
debug crypto ipsec 10

Enable them all at the same time, and try to bring up the tunnel.

Get the debug output, as well as:

show crypto isakmp sa
show crypto ipsec sa peer n.n.n.n (ip address of the other side)

BTW - you are aware of the limited security DES encryption offers? Why not use 3DES or AES (both peers seem to support it) ?

hth

Herbert

Hi

It's still not working. How do I bring up the tunnel?

Below are the results.

From ASA:

SYCO-ciscoasa# sh crypto isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 41.212.209.215
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

SYCO-ciscoasa# sh crypto ipsec sa peer 212.94.157.121
There are no ipsec sas for peer 212.94.157.121

From Cisco 3825:

MAR#debug crypto isakmp
Crypto ISAKMP debugging is on
MAR#debug crypto ipsec
Crypto IPSEC debugging is on
MAR#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status

IPv6 Crypto ISAKMP SA

MAR#sh crypto ipsec sa peer 121.243.184.199
interface: GigabitEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr 212.94.157.121

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.28.53.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.28.0.0/255.255.0.0/0/0)
   current_peer 121.243.184.199  port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 212.94.157.121, remote crypto endpt.: 121.243.184.199
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
MAR#

Well, the tunnel should come up automatically as soon as there is traffic that matches the crypto access-list (this is usually referred to as "interesting traffic"). So for example try a ping from one network to the other.

If that does not cause the tunnel to come up, please provide the debug output from both sides.

Hi

I've done logging ip address of kiwi syslog server. I've done logging trap debugging. Still cannot get debug output.

Your local and remote encryption domains overlap, that's probably causing your problem.

local  ident (addr/mask/prot/port): (172.28.53.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.28.0.0/255.255.0.0/0/0)

NAT one side to prevent the overlap.

Hi

I've changed the access-list as follows and got the following results for isakmp and ipsec sa:

I've attached the debug info for the 3825

access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.28.53.0 0.0.0.127 172.28.45.0 0.0.0.127
access-list 130 deny   ip 172.28.53.0 0.0.0.127 172.28.45.0 0.0.0.127
access-list 130 permit ip 172.28.53.0 0.0.0.127 any

MAR#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
121.243.184.199   212.94.157.121  MM_NO_STATE       4012    0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

MAR#sh crypto ipsec sa
interface: GigabitEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr 212.94.157.121

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.28.53.0/255.255.255.128/0/0)
   remote ident (addr/mask/prot/port): (172.28.45.0/255.255.255.128/0/0)
   current_peer 121.243.184.199  port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 50, #recv errors 0

     local crypto endpt.: 212.94.157.121, remote crypto endpt.: 121.243.184.199
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
MAR#

Try removing PFS on both devices and configure the same crypto isakmp policy for both.

Second, remove the IPsec over UDP commands (if this is the same VPN group which is not working).

Then try.

Hi

Thanks, it's working now. Below are the results of isakmp and ipsec sa. But I don't get replies from ping and cannot ssh.

MAR#sh crypto ipsec sa
interface: GigabitEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr 212.94.157.121

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.28.53.0/255.255.255.128/0/0)
   remote ident (addr/mask/prot/port): (172.28.45.0/255.255.255.128/0/0)
   current_peer 121.243.184.199 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 56, #recv errors 0

     local crypto endpt.: 212.94.157.121, remote crypto endpt.: 121.243.184.199
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x9690D5D7(2526074327)

     inbound esp sas:
      spi: 0xCDD5D3C1(3453342657)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: AIM-VPN/SSL-3:3, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4526118/3518)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x9690D5D7(2526074327)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: AIM-VPN/SSL-3:4, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4526116/3503)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
MAR#

SYCO-ciscoasa# sh isakmp sa
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1   IKE Peer: 212.94.157.121
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 41.212.209.143
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

SYCO-ciscoasa# sh ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 3, local addr: 121.243.184.199

      access-list outside_3_cryptomap permit ip 172.28.45.0 255.255.255.128 172.28.53.0 255.255.255.128
      local ident (addr/mask/prot/port): (172.28.45.0/255.255.255.128/0/0)
      remote ident (addr/mask/prot/port): (172.28.53.0/255.255.255.128/0/0)
      current_peer: 212.94.157.121

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 121.243.184.199, remote crypto endpt.: 212.94.157.121
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: CDD5D3C1

    inbound esp sas:
      spi: 0x9690D5D7 (2526074327)
         transform: esp-des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 528384, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4274999/2922)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xCDD5D3C1 (3453342657)
         transform: esp-des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 528384, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4275000/2922)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: outside_dyn_map, seq num: 10, local addr: 121.243.184.199

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.28.45.75/255.255.255.255/0/0)
      current_peer: 41.212.209.143, username: SYCOtelecom
      dynamic allocated peer ip: 172.28.45.75

      #pkts encaps: 152, #pkts encrypt: 152, #pkts digest: 152
      #pkts decaps: 451, #pkts decrypt: 451, #pkts verify: 451
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 164, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 121.243.184.199/4500, remote crypto endpt.: 41.212.209.143/2823
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 15649486

    inbound esp sas:
      spi: 0x65B06151 (1706058065)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 532480, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 287810
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x15649486 (358913158)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 532480, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 287808
         IV size: 8 bytes
         replay detection support: Y

SYCO-ciscoasa# ping 172.28.53.87
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.28.53.87, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
SYCO-ciscoasa#

That's almost certainly failing now because of the overlap in networks.

Once the 172.28.53.0/25 network traffic hits the 172.28.0.0/16 network it won't have a return path, simply because the router thinks that network is directly connected.

You have to NAT the source before it hits the 172.28.0.0/16 network.

I'm not sure how you do that in IOS, but I'm confident that it'll be possible.

Note that once you've done NAT on the source your encryption domain will no longer be valid, so you'll have to rewrite that part too.

Hi

Now that I've changed the network of the 3825 to 171.28.53.0 instead of 172.28.53.0, the VPN is not coming up. Attached are my new configs.

Hi

I think that the ASA is allowing only 172.28.0.0/16 networks to go inside, because when trying to configure another L2L I'm having the same problem.

Please help
