02-28-2010 11:32 PM
Hi
After configuring a site-to-site VPN between 212.94.157.121 (Cisco 3825) and 121.243.184.199 (ASA 5505), the VPN is not coming up.
I've attached both configurations. Please help.
Thanks
Shameem
03-01-2010 01:07 AM
Hi Shameem,
I see the ASA is configured to do PFS (group 2, if no group is specified), but the router is not.
Try this:
crypto map SDM_CMAP_1 1 ipsec-isakmp
set pfs group2
If that doesn't help, enable these debugs:
on the router:
debug crypto isakmp
debug crypto ipsec
on the ASA:
debug crypto isakmp 10
debug crypto ipsec 10
Enable them all at the same time, and try to bring up the tunnel.
Get the debug output, as well as:
show crypto isakmp sa
show crypto ipsec sa peer n.n.n.n (ip address of the other side)
BTW - are you aware of the limited security DES encryption offers? Why not use 3DES or AES (both peers seem to support it)?
hth
Herbert
03-01-2010 03:39 AM
Hi
It's still not working. How do I bring up the tunnel?
Below are the results.
From ASA:
SYCO-ciscoasa# sh crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 41.212.209.215
Type : user Role : responder
Rekey : no State : AM_ACTIVE
SYCO-ciscoasa# sh crypto ipsec sa peer 212.94.157.121
There are no ipsec sas for peer 212.94.157.121
From Cisco 3825:
MAR#debug crypto isakmp
Crypto ISAKMP debugging is on
MAR#debug crypto ipsec
Crypto IPSEC debugging is on
MAR#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
MAR#sh crypto ipsec sa peer 121.243.184.199
interface: GigabitEthernet0/0
Crypto map tag: SDM_CMAP_1, local addr 212.94.157.121
protected vrf: (none)
local ident (addr/mask/prot/port): (172.28.53.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.28.0.0/255.255.0.0/0/0)
current_peer 121.243.184.199 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 212.94.157.121, remote crypto endpt.: 121.243.184.199
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
MAR#
03-01-2010 03:48 AM
Well, the tunnel should come up automatically as soon as there is traffic that matches the crypto access-list (this is usually referred to as "interesting traffic"). So for example try a ping from one network to the other.
If that does not cause the tunnel to come up, please provide the debug output from both sides.
03-01-2010 06:16 AM
Hi
I've configured logging to the IP address of a Kiwi syslog server and set logging trap debugging. I still cannot get debug output.
03-01-2010 11:18 AM
Your local and remote encryption domains overlap; that's probably causing your problem.
local ident (addr/mask/prot/port): (172.28.53.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.28.0.0/255.255.0.0/0/0)
NAT one side to prevent the overlap.
03-02-2010 09:38 AM
Hi
I've changed the access-list as follows and got the following results for isakmp and ipsec sa:
I've attached the debug info for the 3825
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.28.53.0 0.0.0.127 172.28.45.0 0.0.0.127
access-list 130 deny ip 172.28.53.0 0.0.0.127 172.28.45.0 0.0.0.127
access-list 130 permit ip 172.28.53.0 0.0.0.127 any
MAR#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
121.243.184.199 212.94.157.121 MM_NO_STATE 4012 0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
MAR#sh crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: SDM_CMAP_1, local addr 212.94.157.121
protected vrf: (none)
local ident (addr/mask/prot/port): (172.28.53.0/255.255.255.128/0/0)
remote ident (addr/mask/prot/port): (172.28.45.0/255.255.255.128/0/0)
current_peer 121.243.184.199 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 50, #recv errors 0
local crypto endpt.: 212.94.157.121, remote crypto endpt.: 121.243.184.199
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
MAR#
03-02-2010 12:29 PM
Try removing PFS on both devices and configure the same crypto isakmp policy on both.
Second, remove the IPsec-over-UDP commands (if this is the same VPN group that is not working).
Then try again.
03-03-2010 12:39 AM
Hi
Thanks, it's working now. Below is the results of isakmp and ipsec sa. But I don't get replies from ping and cannot ssh.
MAR#sh crypto ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: SDM_CMAP_1, local addr 212.94.157.121
protected vrf: (none)
local ident (addr/mask/prot/port): (172.28.53.0/255.255.255.128/0/0)
remote ident (addr/mask/prot/port): (172.28.45.0/255.255.255.128/0/0)
current_peer 121.243.184.199 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 56, #recv errors 0
local crypto endpt.: 212.94.157.121, remote crypto endpt.: 121.243.184.199
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x9690D5D7(2526074327)
inbound esp sas:
spi: 0xCDD5D3C1(3453342657)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: AIM-VPN/SSL-3:3, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4526118/3518)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x9690D5D7(2526074327)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: AIM-VPN/SSL-3:4, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4526116/3503)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
MAR#
SYCO-ciscoasa# sh isakmp sa
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 212.94.157.121
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
2 IKE Peer: 41.212.209.143
Type : user Role : responder
Rekey : no State : AM_ACTIVE
SYCO-ciscoasa# sh ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 3, local addr: 121.243.184.199
access-list outside_3_cryptomap permit ip 172.28.45.0 255.255.255.128 172.28.53.0 255.255.255.128
local ident (addr/mask/prot/port): (172.28.45.0/255.255.255.128/0/0)
remote ident (addr/mask/prot/port): (172.28.53.0/255.255.255.128/0/0)
current_peer: 212.94.157.121
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 121.243.184.199, remote crypto endpt.: 212.94.157.121
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: CDD5D3C1
inbound esp sas:
spi: 0x9690D5D7 (2526074327)
transform: esp-des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 528384, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4274999/2922)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xCDD5D3C1 (3453342657)
transform: esp-des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 528384, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4275000/2922)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: outside_dyn_map, seq num: 10, local addr: 121.243.184.199
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.28.45.75/255.255.255.255/0/0)
current_peer: 41.212.209.143, username: SYCOtelecom
dynamic allocated peer ip: 172.28.45.75
#pkts encaps: 152, #pkts encrypt: 152, #pkts digest: 152
#pkts decaps: 451, #pkts decrypt: 451, #pkts verify: 451
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 164, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 121.243.184.199/4500, remote crypto endpt.: 41.212.209.143/2823
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 15649486
inbound esp sas:
spi: 0x65B06151 (1706058065)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 532480, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 287810
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x15649486 (358913158)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 532480, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 287808
IV size: 8 bytes
replay detection support: Y
SYCO-ciscoasa# ping 172.28.53.87
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.28.53.87, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
SYCO-ciscoasa#
03-03-2010 05:39 AM
That's almost certainly failing now because of the overlap in networks.
Once the 172.28.53.0/25 network traffic hits the 172.28.0.0/16 network it won't have a return path, simply because the router thinks that network is directly connected.
You have to NAT the source before it hits the 172.28.0.0/16 network.
I'm not sure how you do that in IOS, but I'm confident that it'll be possible.
Note that once you've done NAT on the source your encryption domain will no longer be valid, so you'll have to rewrite that part too.
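The two diagnoses in this thread (the overlapping encryption domains flagged in the 03-01-2010 11:18 AM reply and explained again above, plus the DES warning in the first reply) are the kind of thing worth checking mechanically before opening debugs. The following Python is an added example, not code from the thread or from Cisco: it parses the "local ident" / "remote ident" and "transform" lines from each peer's `show crypto ipsec sa` output, flags a local/remote overlap on either side, flags weak transforms, and confirms the two peers' proxy identities are mirror images of each other. The sample outputs are constructed to resemble the ones pasted in the thread (before and after the ACL change), and the "after" sample assumes AES, which the thread never actually switched to; the list of weak transforms is this example's own choice.

```python
"""Sanity checks on IPsec proxy identities taken from 'show crypto ipsec sa'."""
import ipaddress
import re

# Constructed samples modelled on the thread's output (not copied verbatim).
# Before the ACL change: router protects 172.28.53.0/24 -> 172.28.0.0/16,
# the ASA the mirror image, both still using DES.
ROUTER_BEFORE = """\
   local  ident (addr/mask/prot/port): (172.28.53.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.28.0.0/255.255.0.0/0/0)
   current_peer 121.243.184.199 port 500
     transform: esp-des esp-sha-hmac ,
"""
ASA_BEFORE = """\
      local ident (addr/mask/prot/port): (172.28.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.28.53.0/255.255.255.0/0/0)
      current_peer: 212.94.157.121
        transform: esp-des esp-sha-hmac none
"""
# After the change: two disjoint /25s, and (hypothetically) AES on both sides.
ROUTER_AFTER = """\
   local  ident (addr/mask/prot/port): (172.28.53.0/255.255.255.128/0/0)
   remote ident (addr/mask/prot/port): (172.28.45.0/255.255.255.128/0/0)
     transform: esp-aes esp-sha-hmac ,
"""
ASA_AFTER = """\
      local ident (addr/mask/prot/port): (172.28.45.0/255.255.255.128/0/0)
      remote ident (addr/mask/prot/port): (172.28.53.0/255.255.255.128/0/0)
        transform: esp-aes esp-sha-hmac none
"""

IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)"
)
TRANSFORM_RE = re.compile(r"transform:\s+([^,\n]+)")

# Assumption of this example: what we treat as too weak for a site-to-site tunnel.
WEAK_TRANSFORMS = {"esp-des", "esp-null", "esp-md5-hmac"}


def parse_sa(text):
    """Return {'local': network, 'remote': network, 'transforms': set} from SA output."""
    sa = {"local": None, "remote": None, "transforms": set()}
    for side, addr, mask in IDENT_RE.findall(text):
        # strict=False tolerates host bits; the dotted mask is accepted directly.
        sa[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    for line in TRANSFORM_RE.findall(text):
        sa["transforms"].update(t for t in line.split() if t != "none")
    return sa


def check_peers(router, asa):
    """Return a list of human-readable findings; empty list means nothing to report."""
    findings = []
    for name, sa in (("router", router), ("asa", asa)):
        if sa["local"] is None or sa["remote"] is None:
            findings.append(f"{name}: could not parse both proxy identities")
            continue
        # An overlap means return traffic is treated as directly connected
        # on the far side and never re-enters the tunnel: NAT one side.
        if sa["local"].overlaps(sa["remote"]):
            findings.append(
                f"{name}: local {sa['local']} overlaps remote {sa['remote']}; "
                "NAT one side before it enters the tunnel"
            )
        for t in sorted(sa["transforms"] & WEAK_TRANSFORMS):
            findings.append(f"{name}: weak transform {t}; use esp-3des or esp-aes")
    # Phase 2 only negotiates if each side's local is the other side's remote.
    if router["local"] != asa["remote"] or router["remote"] != asa["local"]:
        findings.append(
            "mismatch: proxy identities are not mirror images "
            f"(router {router['local']}->{router['remote']}, "
            f"asa {asa['local']}->{asa['remote']})"
        )
    return findings


def report(router_text, asa_text):
    """Convenience wrapper: parse both outputs and return the findings."""
    return check_peers(parse_sa(router_text), parse_sa(asa_text))


if __name__ == "__main__":
    for label, r, a in (("before", ROUTER_BEFORE, ASA_BEFORE),
                        ("after", ROUTER_AFTER, ASA_AFTER)):
        print(f"--- {label} ---")
        for f in report(r, a) or ["no findings"]:
            print(f)
```

Run against the "before" pair it reports the overlap and DES on both sides; against the "after" pair it is silent. Feeding it one side's old output and the other side's new output produces the mirror-image mismatch, which is the same condition that leaves Phase 1 up (MM_ACTIVE) with no IPsec SAs.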
03-04-2010 10:45 PM
03-05-2010 04:32 AM
Hi
I think the ASA is allowing only 172.28.0.0/16 networks to go inside, because when trying to configure another L2L I'm having the same problem.
Please help