cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4615
Views
0
Helpful
3
Replies

Site to site vpn Cisco asa 8.4(2) gns3

Capricorn
Level 1
Level 1

Hi!

I am configuring site to site vpn on gns3. I have check all the things and everything looks similar from both ends but i can see not a single converstion between them in terms of anything. Not even debug is showing any thing . Need some help.

Thanks

ASA- LEFTy

--------

ASA Version 8.4(2)

!

hostname LEFTY

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0

nameif inside

security-level 100

ip address 10.1.1.1 255.255.255.0

!

interface GigabitEthernet1

nameif outside

security-level 0

ip address 192.168.1.1 255.255.255.0

!

interface GigabitEthernet2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet5

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

object network NETWORK_OBJ_10.1.1.0_24

subnet 10.1.1.0 255.255.255.0

object network NETWORK_OBJ_10.2.2.0_24

subnet 10.2.2.0 255.255.255.0

access-list outside_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645-206.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static NETWORK_OBJ_10.1.1.0_24 NETWORK_OBJ_10.1.1.0_24 destination static NETWORK_OBJ_10.2.2.0_24 NETWORK_OBJ_10.2.2.0_24 no-proxy-arp route-lookup

route outside 10.2.2.0 255.255.255.0 192.168.1.2 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 10.1.1.2 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

no sysopt connection permit-vpn

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 192.168.1.2

crypto map outside_map 1 set ikev1 transform-set ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal DES

crypto map outside_map interface outside

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy GroupPolicy_192.168.1.2 internal

group-policy GroupPolicy_192.168.1.2 attributes

vpn-tunnel-protocol ikev1 ikev2

username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15

tunnel-group 192.168.1.2 type ipsec-l2l

tunnel-group 192.168.1.2 general-attributes

default-group-policy GroupPolicy_192.168.1.2

tunnel-group 192.168.1.2 ipsec-attributes

ikev1 pre-shared-key *****

peer-id-validate nocheck

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

!

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

crashinfo save disable

Cryptochecksum:9a61152dafa61967fc70a4aab7d03b36

: end

--------

ASA Righty

ASA Version 8.4(2)

!

hostname Righty

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet1

nameif inside

security-level 100

ip address 10.2.2.1 255.255.255.0

!

interface GigabitEthernet2

nameif outside

security-level 0

ip address 192.168.1.2 255.255.255.0

!

interface GigabitEthernet3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet5

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

object network NETWORK_OBJ_10.1.1.0_24

subnet 10.1.1.0 255.255.255.0

object network NETWORK_OBJ_10.2.2.0_24

subnet 10.2.2.0 255.255.255.0

access-list outside_cryptomap extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list inside_access_in extended permit ip any any inactive

access-list outside_access_in extended permit icmp any any inactive

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645-206.bin

no asdm history enable

arp timeout 14400

nat (inside,outside) source static NETWORK_OBJ_10.2.2.0_24 NETWORK_OBJ_10.2.2.0_24 destination static NETWORK_OBJ_10.1.1.0_24 NETWORK_OBJ_10.1.1.0_24 no-proxy-arp route-lookup

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 10.1.1.0 255.255.255.0 192.168.1.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 10.2.2.2 255.255.255.255 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

no sysopt connection permit-vpn

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 192.168.1.1

crypto map outside_map 1 set ikev1 transform-set ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set ikev2 ipsec-proposal DES

crypto map outside_map interface outside

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy GroupPolicy_192.168.1.1 internal

group-policy GroupPolicy_192.168.1.1 attributes

vpn-tunnel-protocol ikev1 ikev2

username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15

tunnel-group 192.168.1.1 type ipsec-l2l

tunnel-group 192.168.1.1 general-attributes

default-group-policy GroupPolicy_192.168.1.1

tunnel-group 192.168.1.1 ipsec-attributes

ikev1 pre-shared-key sungard

ikev2 remote-authentication pre-shared-key sungard

ikev2 local-authentication pre-shared-key sungard

!

!

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

crashinfo save disable

Cryptochecksum:ba0e59146949c57e75290514f6dd57d7

: end

3 Replies 3

Julio Carvajal
VIP Alumni
VIP Alumni

Hello,

Please do a capture on both outside interfaces and check if they are receiving packets on port 500 ( UDP).

Packets could be not even reaching the other end-point.

Regards,

Julio

CSC is a free support community, take your time to rate all the engineer's answers.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Nothing is coming up.

LEFTY# show isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs

Nothing in debug as well..

It looks like the devices are not  negotiation.

Sajid,

I know this is not current but I noticed in a side by side configuration comparison, that your local and remote authentications are not the same, one is encrypted and the other is not.  If that is the actual case that would be the reason the tunnel is not transmitting information. Tunnel configs must be exact copies on both ends except, of course, peer addresses.

Mike

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: