femi.agboade
Beginner

Site to Site VPN between ASA and IOS Router Errors

Hello,

I'm having some errors with setting up a site to site VPN between my ASA 5510 and a client's 3845 Router. I keep getting the behaviour such that the phase 1 of the VPN session stays established for about 32 seconds, disconnects and automatically reconnects again and this just goes on and on forever, without the Phase 2 ever really getting initiated. I have attached a screenshot of the errors that come up on the ASA's ASDM syslog interface and below is a snippet of the config I have applied on the ASA and the parameters provided by the service provider.

ASA Config

object network PROD_CONN-nat
host 172.19.205.31
object network UAT_CONN_35180
host 172.30.50.2
object network UAT_CONN_35160
host 172.30.50.2
object network OPRS_Live
host 7.7.7.7
object network OPRS_Test
host 8.8.8.10
object network UAT_CONN-nat
host 172.30.5.2
object network UAT_CONN_host
host 172.30.50.2

object-group network From_OPRS
network-object object OPRS_Live
network-object object OPRS_Test
object-group network To_OPRS
network-object object PROD_CONN-nat
network-object object UAT_CONN-nat
object-group protocol IP_TCP_PROTOCOLS
protocol-object ip
protocol-object tcp

access-list OPRS extended permit ip object UAT_CONN_host object OPRS_Test


arp timeout 14400
no arp permit-nonconnected
nat (UAT_CONN,Outside) source static UAT_CONN_host UAT_CONN_host destination static OPRS_Test OPRS_Test no-proxy-arp route-lookup
nat (UAT_CONN,Outside) source static UAT_CONN-nat UAT_CONN-nat destination static OPRS_Test OPRS_Test no-proxy-arp route-lookup
nat (PROD_CONN,Outside) source static PROD_CONN-nat PROD_CONN-nat destination static OPRS_Live OPRS_Live no-proxy-arp route-lookup
!

object network PROD_CONN-nat
nat (PROD_CONN,Outside) static 5.5.5.3
object network UAT_CONN_35180
nat (UAT_CONN,Outside) static 5.5.5.6 service tcp 35180 35180
object network UAT_CONN_35160
nat (UAT_CONN,Outside) static 5.5.5.6 service tcp 35160 35160
object network UAT_CONN-nat
nat (UAT_CONN,Outside) static 5.5.5.6

access-group Outside_access_in in interface Outside

route Outside 0.0.0.0 0.0.0.0 5.5.5.1 1


dynamic-access-policy-record DfltAccessPolicy

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256_OPRS
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Outside_map 1 match address OPRS
crypto map Outside_map 1 set pfs group5
crypto map Outside_map 1 set peer 8.8.8.25
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map Outside_map 1 set security-association lifetime seconds 1800
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 1800
crypto ikev2 policy 2
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 1880
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable Outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400


group-policy DfltGrpPolicy attributes
vpn-idle-timeout none

group-policy OPRS_GroupPolicy1 internal
group-policy OPRS_GroupPolicy1 attributes
vpn-filter value OPRS
vpn-tunnel-protocol ikev1

tunnel-group 8.8.8.25 type ipsec-l2l
tunnel-group 8.8.8.25 general-attributes
default-group-policy OPRS_GroupPolicy1
tunnel-group 8.8.8.25 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect ctiqbe
inspect http
inspect icmp
inspect icmp error
inspect mgcp
inspect snmp
class class-default
set connection decrement-ttl
!
service-policy global_policy global

Config Parameters

IKE Parameters

IKE Encryption (DES, 3DES, AES): AES 256
Authentication Method (MD5, SHA): SHA
Diffie-Hellman Group (1,2,5): 5
Security Association Lifetime (sec): 28800
Pre-Shared Secret (16 character/Cap Sensitive): **********

IPSEC Parameters

IPSEC Encryption (DES, 3DES, AES): AES 256
Authentication Method (MD5, SHA): SHA
Diffie-Hellman Group (1,2): 2
Security Association Lifetime (Sec): 1800
Perfect Forward Secrecy (Yes, No): Yes
PFS Diffie-Hellman Group (1,2,5): 5

I would be grateful for any assistance to help solve this riddle, I've been on it for the last 24 hours and it's driving me crazy.

Regards,

Femi

Richard Burts
Hall of Fame Guru

Femi

Probably the most significant line in the output that you shared is the one that says no proposal chosen. So there seems to be a mismatch between your config and the config of the peer for phase 2 negotiation. We see in your config that you are specifying that it should process traffic between 172.30.50.2 and 8.8.8.10. There is not anything in what you posted that verifies what addresses they have configured on their side. So the first thing that I would check would be that they are configuring the same addresses as you are. Also their information shows a lifetime of 1800 and I do not see anything in your config with 1800 as lifetime.

HTH

Rick


Hello Richard,

Thank you for your reply.

I will request from the service provider to see their side of the config on Monday and share same here as they aren't available over the weekend.

As regards the interesting traffic to process, let me explain a little further. On my side, I have a local host IP as 172.30.50.2 and the remote host IP is 8.8.8.10. However, the remote side will only allow me to communicate with the remote server via a public IP, in this case 5.5.5.6, hence the reason I have the following commands for the static IP mapping:

object network OPRS_Test
host 8.8.8.10
!
object network UAT_CONN-nat
host 172.30.5.2
!
object network UAT_CONN-nat
nat (UAT_CONN,Outside) static 5.5.5.6
!
nat (UAT_CONN,Outside) source static UAT_CONN-nat UAT_CONN-nat destination static OPRS_Test OPRS_Test no-proxy-arp route-lookup

I believe this is correct right?

As for the phase 2 lifetime of 1800 secs, it is included in the config, please see below:

crypto map Outside_map 1 set security-association lifetime seconds 1800

That is where it ought to be specified, isn't it?

Again, thanks for taking a look at my post, would appreciate any additional feedback on my comments above.

Regards,

Femi

Hi Richard,

So I made some changes to my config and I can now successfully establish a VPN tunnel. However, I am unable to pass traffic but will take that up with the remote end admin tomorrow. Below are the changes I made:

Added:

object network UAT_CONN_NAT-host
 host 5.5.5.6
object network PROD_CONN-host
 host 172.19.205.31
object network PROD_CONN_NAT-host
 host 5.5.5.3
!
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256_OPRS (don't think it affects the config in any way as ikev2 is not used)
crypto map Outside_map 1 set security-association lifetime kilobytes 4608000
!
crypto ikev2 enable Outside (just to enable ikev2 on the interface though its not used)
!

Removed

tunnel-group 8.8.8.25 general-attributes
 default-group-policy OPRS_GroupPolicy1

Replaced
object-group network To_OPRS
 network-object object PROD_CONN-nat
 network-object object UAT_CONN-nat
With
object-group network To_OPRS
 network-object object PROD_CONN_NAT-host
 network-object object UAT_CONN_NAT-host

Replaced
access-list OPRS extended permit ip object UAT_CONN-host object OPRS_Test
With
access-list OPRS extended permit object-group IP_TCP_PROTOCOLS object-group To_OPRS object-group From_OPRS

Replaced
nat (UAT_CONN,Outside) source static UAT_CONN-host UAT_CONN-host destination static OPRS_Test OPRS_Test no-proxy-arp route-lookup
nat (UAT_CONN,Outside) source static UAT_CONN-nat UAT_CONN-nat destination static OPRS_Test OPRS_Test no-proxy-arp route-lookup
nat (PROD_CONN,Outside) source static PROD_CONN-nat PROD_CONN-nat destination static OPRS_Live OPRS_Live no-proxy-arp route-lookup
With
nat (UAT_CONN,Outside) source static UAT_CONN-host UAT_CONN_NAT-host destination static OPRS_Test OPRS_Test
nat (PROD_CONN,Outside) source static PROD_CONN-host PROD_CONN_NAT-host destination static OPRS_Live OPRS_Live

Replaced
crypto ikev2 policy 1
 lifetime seconds 1800
With
crypto ikev2 policy 1
 lifetime seconds 28800

Regards,

Femi

Femi

Thanks for posting back to the forum to let us know of the changes that you made and that with these changes you are able to bring up the VPN. This way where you specify the real address and the mapped address in the NAT (UAT_CONN-host UAT_CONN_NAT-host) is the way that I have configured it for site to site VPN and it works.

If you are not using IKEv2 then it makes little difference to add some ikev2 parameters. It certainly does no harm but little good to have them in the config if they are not used.

If you are able to bring up the VPN but not to pass traffic it may indicate that one side or the other does not have a correct route for the traffic going through VPN. Or it might indicate that address translation is not working quite as expected. When the VPN is up and you do show crypto ipsec sa do you see in this VPN any packets encapsulated or any packets decapsulated? That would help clarify whether you are sending anything or receiving anything.

HTH

Rick 


Hello Richard,

Thanks for the feedback. All seems to be working just fine now. The routing issues were config related from the remote side.

I however do have another issue. As you may have noticed with the following commands, I access some web services on the 172.30.50.2 server:

object network UAT_CONN_35180
host 172.30.50.2
object network UAT_CONN_35160
host 172.30.50.2

object network UAT_CONN_35180
nat (UAT_CONN,Outside) static 5.5.5.6 service tcp 35180 35180 
object network UAT_CONN_35160
nat (UAT_CONN,Outside) static 5.5.5.6 service tcp 35160 35160 

But I can no longer access these services when I browse to the 5.5.5.6 IP. I have changed the public facing IP 5.5.5.6 to another and I am then able to access these services.

I need to be able to access these services on this 5.5.5.6 IP, so would appreciate if you can guide on what I may have done wrong with my config that has caused this issue.

Regards,

Femi
