cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2586
Views
0
Helpful
1
Replies

VPN ASA to CISCO IOS Using Loopback IF

Hi

im trying to create a VPN between a Cisco ASA5510 and an ASR1002 when my Loopback interface is The Source IP .

( i understan d i cannot VPN ASA to CISCO IOS SVTI ... )

so if anyone could help me here it would be Legendary   -

crypto keyring KEYS-WC-TEST

  local-address 1.1.1.54

  pre-shared-key address 2.2.2.54 key test123

crypto isakmp policy 10

encr aes

authentication pre-share

group 2

crypto isakmp profile ISAKMP-WC-TEST

   keyring KEYS-WC-TEST

   match identity address 2.2.2.54 255.255.255.255

   local-address 1.1.1.54

virtual-template 1

crypto ipsec transform-set TRANS_SET-WC-TEST esp-aes esp-sha-hmac

mode tunnel

crypto ipsec profile VPN_S2S-WC-TEST

set transform-set TRANS_SET-WC-TEST

set pfs group2

set isakmp-profile ISAKMP-WC-TEST

interface Virtual-Template1 type tunnel

ip unnumbered Loopback777

tunnel mode ipsec ipv4

tunnel protection ipsec profile VPN_S2S-WC-TEST

crypto dynamic-map dynmap 10

set transform-set TRANS_SET-WC-TEST

set isakmp-profile ISAKMP-WC-TEST

reverse-route

match address IPSEC-WC-TEST-ACL

!

crypto map TEST-MAP local-address Loopback777

crypto map TEST-MAP 10 ipsec-isakmp dynamic dynmap

interface Loopback777

description ### TEST IPSEC ###

ip address 1.1.1.54 255.255.255.255

crypto map TEST-MAP

ip access-list extended IPSEC-WC-TEST-ACL

permit ip host 10.43.8.122 host 10.53.9.12

permit ip host 10.53.9.12 host 10.43.8.122

EC-ASR-01#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

1.1.1.54    2.2.2.54    QM_IDLE          37195 ACTIVE

This is the OUtput from debug crypto isakmp and debug crypto ipsec err

*Mar 24 01:28:45.190 EST: ISAKMP (37214): received packet from 2.2.2.54 dport 500 sport 500 Global (R) QM_IDLE   

*Mar 24 01:28:45.190 EST: ISAKMP:(37214): phase 2 packet is a duplicate of a previous packet.

*Mar 24 01:28:45.190 EST: ISAKMP:(37214): retransmitting due to retransmit phase 2

*Mar 24 01:28:45.190 EST: ISAKMP:(37214): ignoring retransmission,because phase2 node marked dead -263527270

*Mar 24 01:28:48.117 EST: ISAKMP:(37212):purging SA., sa=4079E61C, delme=4079E61C

*Mar 24 01:28:53.190 EST: ISAKMP (37214): received packet from 2.2.2.54 dport 500 sport 500 Global (R) QM_IDLE   

*Mar 24 01:28:53.190 EST: ISAKMP: set new node -866013715 to QM_IDLE   

*Mar 24 01:28:53.191 EST: ISAKMP:(37214): processing HASH payload. message ID = 3428953581

*Mar 24 01:28:53.191 EST: ISAKMP:(37214): processing DELETE payload. message ID = 3428953581

*Mar 24 01:28:53.191 EST: ISAKMP:(37214):peer does not do paranoid keepalives.

*Mar 24 01:28:53.191 EST: ISAKMP:(37214):deleting node -866013715 error FALSE reason "Informational (in) state 1"

*Mar 24 01:28:53.192 EST: ISAKMP (37214): received packet from 2.2.2.54 dport 500 sport 500 Global (R) QM_IDLE   

*Mar 24 01:28:53.192 EST: ISAKMP: set new node 218841786 to QM_IDLE   

*Mar 24 01:28:53.193 EST: ISAKMP:(37214): processing HASH payload. message ID = 218841786

*Mar 24 01:28:53.193 EST: ISAKMP:(37214): processing DELETE payload. message ID = 218841786

*Mar 24 01:28:53.193 EST: ISAKMP:(37214):peer does not do paranoid keepalives.

*Mar 24 01:28:53.193 EST: ISAKMP:(37214):deleting SA reason "No reason" state (R) QM_IDLE       (peer 2.2.2.54)

*Mar 24 01:28:53.193 EST: ISAKMP:(37214):deleting node 218841786 error FALSE reason "Informational (in) state 1"

*Mar 24 01:28:53.193 EST: ISAKMP: set new node 789219990 to QM_IDLE   

*Mar 24 01:28:53.193 EST: ISAKMP:(37214): sending packet to 2.2.2.54 my_port 500 peer_port 500 (R) QM_IDLE   

*Mar 24 01:28:53.194 EST: ISAKMP:(37214):Sending an IKE IPv4 Packet.

*Mar 24 01:28:53.194 EST: ISAKMP:(37214):purging node 789219990

*Mar 24 01:28:53.194 EST: ISAKMP:(37214):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL

*Mar 24 01:28:53.194 EST: ISAKMP:(37214):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Mar 24 01:28:53.194 EST: ISAKMP:(37214):deleting SA reason "No reason" state (R) QM_IDLE       (peer 2.2.2.54)

*Mar 24 01:28:53.194 EST: ISAKMP: Unlocking peer struct 0x44493EC0 for isadb_mark_sa_deleted(), count 0

*Mar 24 01:28:53.194 EST: ISAKMP: Deleting peer node by peer_reap for 2.2.2.54: 44493EC0

*Mar 24 01:28:53.194 EST: ISAKMP:(37214):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 24 01:28:53.194 EST: ISAKMP:(37214):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Mar 24 01:28:53.842 EST: ISAKMP:(0):: peer matches *none* of the profiles

*Mar 24 01:28:53.929 EST: ISAKMP (0): received packet from 2.2.2.54 dport 500 sport 500 Global (N) NEW SA

*Mar 24 01:28:53.929 EST: ISAKMP: Created a peer struct for 2.2.2.54, peer port 500

*Mar 24 01:28:53.929 EST: ISAKMP: New peer created peer = 0x44493EC0 peer_handle = 0x8000635F

*Mar 24 01:28:53.929 EST: ISAKMP: Locking peer struct 0x44493EC0, refcount 1 for crypto_isakmp_process_block

*Mar 24 01:28:53.929 EST: ISAKMP: local port 500, remote port 500

*Mar 24 01:28:53.929 EST: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 48A95210

*Mar 24 01:28:53.930 EST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 24 01:28:53.930 EST: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Mar 24 01:28:53.930 EST: ISAKMP:(0): processing SA payload. message ID = 0

*Mar 24 01:28:53.930 EST: ISAKMP:(0): processing vendor id payload

*Mar 24 01:28:53.930 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Mar 24 01:28:53.930 EST: ISAKMP:(0): vendor ID is NAT-T v2

*Mar 24 01:28:53.930 EST: ISAKMP:(0): processing vendor id payload

*Mar 24 01:28:53.930 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

*Mar 24 01:28:53.930 EST: ISAKMP:(0): vendor ID is NAT-T v3

*Mar 24 01:28:53.930 EST: ISAKMP:(0): processing vendor id payload

*Mar 24 01:28:53.930 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Mar 24 01:28:53.930 EST: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Mar 24 01:28:53.930 EST: ISAKMP:(0): processing vendor id payload

*Mar 24 01:28:53.930 EST: ISAKMP:(0): processing IKE frag vendor id payload

*Mar 24 01:28:53.930 EST: ISAKMP:(0):Support for IKE Fragmentation not enabled

*Mar 24 01:28:53.930 EST: ISAKMP:(0):found peer pre-shared key matching 2.2.2.54

*Mar 24 01:28:53.930 EST: ISAKMP:(0): local preshared key found

*Mar 24 01:28:53.930 EST: ISAKMP : Scanning profiles for xauth ... ISAKMP-COMPANY ISAKMP-AMAZON-85c829ec-1 ISAKMP-AMAZON-d0d332b9-1 ISAKMP-WC-TEST

*Mar 24 01:28:53.931 EST: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

*Mar 24 01:28:53.931 EST: ISAKMP:      default group 2

*Mar 24 01:28:53.931 EST: ISAKMP:      encryption AES-CBC

*Mar 24 01:28:53.931 EST: ISAKMP:      keylength of 128

*Mar 24 01:28:53.931 EST: ISAKMP:      hash SHA

*Mar 24 01:28:53.931 EST: ISAKMP:      auth pre-share

*Mar 24 01:28:53.931 EST: ISAKMP:      life type in seconds

*Mar 24 01:28:53.931 EST: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

*Mar 24 01:28:53.931 EST: ISAKMP:(0):atts are acceptable. Next payload is 3

*Mar 24 01:28:53.931 EST: ISAKMP:(0):Acceptable atts:actual life: 0

*Mar 24 01:28:53.931 EST: ISAKMP:(0):Acceptable atts:life: 0

*Mar 24 01:28:53.931 EST: ISAKMP:(0):Fill atts in sa vpi_length:4

*Mar 24 01:28:53.931 EST: ISAKMP:(0):Fill atts in sa life_in_seconds:86400

*Mar 24 01:28:53.931 EST: ISAKMP:(0):Returning Actual lifetime: 86400

*Mar 24 01:28:53.931 EST: ISAKMP:(0)::Started lifetime timer: 86400.

*Mar 24 01:28:53.931 EST: ISAKMP:(0): processing vendor id payload

*Mar 24 01:28:53.931 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Mar 24 01:28:53.931 EST: ISAKMP:(0): vendor ID is NAT-T v2

*Mar 24 01:28:53.931 EST: ISAKMP:(0): processing vendor id payload

*Mar 24 01:28:53.931 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

*Mar 24 01:28:53.931 EST: ISAKMP:(0): vendor ID is NAT-T v3

*Mar 24 01:28:53.931 EST: ISAKMP:(0): processing vendor id payload

*Mar 24 01:28:53.932 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

*Mar 24 01:28:53.932 EST: ISAKMP (0): vendor ID is NAT-T RFC 3947

*Mar 24 01:28:53.932 EST: ISAKMP:(0): processing vendor id payload

*Mar 24 01:28:53.932 EST: ISAKMP:(0): processing IKE frag vendor id payload

*Mar 24 01:28:53.932 EST: ISAKMP:(0):Support for IKE Fragmentation not enabled

*Mar 24 01:28:53.932 EST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 24 01:28:53.932 EST: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Mar 24 01:28:53.932 EST: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID

*Mar 24 01:28:53.932 EST: ISAKMP:(0): sending packet to 2.2.2.54 my_port 500 peer_port 500 (R) MM_SA_SETUP

*Mar 24 01:28:53.932 EST: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar 24 01:28:53.933 EST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 24 01:28:53.933 EST: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Mar 24 01:28:54.006 EST: ISAKMP (0): received packet from 2.2.2.54 dport 500 sport 500 Global (R) MM_SA_SETUP

*Mar 24 01:28:54.007 EST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 24 01:28:54.007 EST: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

*Mar 24 01:28:54.007 EST: ISAKMP:(0): processing KE payload. message ID = 0

*Mar 24 01:28:54.010 EST: ISAKMP:(0): processing NONCE payload. message ID = 0

*Mar 24 01:28:54.010 EST: ISAKMP:(0):found peer pre-shared key matching 2.2.2.54

*Mar 24 01:28:54.010 EST: ISAKMP:(37215): processing vendor id payload

*Mar 24 01:28:54.010 EST: ISAKMP:(37215): vendor ID is Unity

*Mar 24 01:28:54.011 EST: ISAKMP:(37215): processing vendor id payload

*Mar 24 01:28:54.011 EST: ISAKMP:(37215): vendor ID seems Unity/DPD but major 56 mismatch

*Mar 24 01:28:54.011 EST: ISAKMP:(37215): vendor ID is XAUTH

*Mar 24 01:28:54.011 EST: ISAKMP:(37215): processing vendor id payload

*Mar 24 01:28:54.011 EST: ISAKMP:(37215): speaking to another IOS box!

*Mar 24 01:28:54.011 EST: ISAKMP:(37215): processing vendor id payload

*Mar 24 01:28:54.011 EST: ISAKMP:(37215):vendor ID seems Unity/DPD but hash mismatch

*Mar 24 01:28:54.011 EST: ISAKMP:received payload type 20

*Mar 24 01:28:54.011 EST: ISAKMP (37215): His hash no match - this node outside NAT

*Mar 24 01:28:54.011 EST: ISAKMP:received payload type 20

*Mar 24 01:28:54.011 EST: ISAKMP (37215): No NAT Found for self or peer

*Mar 24 01:28:54.011 EST: ISAKMP:(37215):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 24 01:28:54.011 EST: ISAKMP:(37215):Old State = IKE_R_MM3  New State = IKE_R_MM3

*Mar 24 01:28:54.011 EST: ISAKMP:(37215): sending packet to 2.2.2.54 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Mar 24 01:28:54.011 EST: ISAKMP:(37215):Sending an IKE IPv4 Packet.

*Mar 24 01:28:54.012 EST: ISAKMP:(37215):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 24 01:28:54.012 EST: ISAKMP:(37215):Old State = IKE_R_MM3  New State = IKE_R_MM4

*Mar 24 01:28:54.086 EST: ISAKMP (37215): received packet from 2.2.2.54 dport 500 sport 500 Global (R) MM_KEY_EXCH

*Mar 24 01:28:54.087 EST: ISAKMP:(37215):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar 24 01:28:54.087 EST: ISAKMP:(37215):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Mar 24 01:28:54.087 EST: ISAKMP:(37215): processing ID payload. message ID = 0

*Mar 24 01:28:54.087 EST: ISAKMP (37215): ID payload

        next-payload : 8

        type         : 1

        address      : 2.2.2.54

        protocol     : 17

        port         : 0

        length       : 12

*Mar 24 01:28:54.087 EST: ISAKMP:(0):: peer matches ISAKMP-WC-TEST profile

*Mar 24 01:28:54.087 EST: ISAKMP:(37215):Found ADDRESS key in keyring KEYS-WC-TEST

*Mar 24 01:28:54.087 EST: ISAKMP:(37215): processing HASH payload. message ID = 0

*Mar 24 01:28:54.088 EST: ISAKMP:received payload type 17

*Mar 24 01:28:54.088 EST: ISAKMP:(37215): processing keep alive: proposal=32767/32767 sec., actual=10/10 sec.

*Mar 24 01:28:54.088 EST: ISAKMP:(37215): processing vendor id payload

*Mar 24 01:28:54.088 EST: ISAKMP:(37215): vendor ID is DPD

*Mar 24 01:28:54.088 EST: ISAKMP:(37215):SA authentication status:

        authenticated

*Mar 24 01:28:54.088 EST: ISAKMP:(37215):SA has been authenticated with 2.2.2.54

*Mar 24 01:28:54.088 EST: ISAKMP: Trying to insert a peer 1.1.1.54/2.2.2.54/500/,  and inserted successfully 44493EC0.

*Mar 24 01:28:54.088 EST: ISAKMP:(37215):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar 24 01:28:54.088 EST: ISAKMP:(37215):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Mar 24 01:28:54.088 EST: ISAKMP:(37215):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

*Mar 24 01:28:54.088 EST: ISAKMP (37215): ID payload

        next-payload : 8

        type         : 1

        address      : 1.1.1.54

        protocol     : 17

        port         : 500

        length       : 12

*Mar 24 01:28:54.088 EST: ISAKMP:(37215):Total payload length: 12

*Mar 24 01:28:54.089 EST: ISAKMP:(37215): sending packet to 2.2.2.54 my_port 500 peer_port 500 (R) MM_KEY_EXCH

*Mar 24 01:28:54.089 EST: ISAKMP:(37215):Sending an IKE IPv4 Packet.

*Mar 24 01:28:54.089 EST: ISAKMP:(37215):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar 24 01:28:54.089 EST: ISAKMP:(37215):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Mar 24 01:28:54.090 EST: ISAKMP:(37215):IKE_DPD is enabled, initializing timers

*Mar 24 01:28:54.090 EST: ISAKMP:(37215):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Mar 24 01:28:54.090 EST: ISAKMP:(37215):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar 24 01:28:54.094 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down

*Mar 24 01:28:54.130 EST: ISAKMP:(37215):IKE_DPD is enabled, initializing timers

*Mar 24 01:28:54.130 EST: ISAKMP:(37215):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

*Mar 24 01:28:54.130 EST: ISAKMP:(37215):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar 24 01:28:54.165 EST: ISAKMP (37215): received packet from 2.2.2.54 dport 500 sport 500 Global (R) QM_IDLE   

*Mar 24 01:28:54.165 EST: ISAKMP: set new node -1638274170 to QM_IDLE   

*Mar 24 01:28:54.166 EST: ISAKMP:(37215): processing HASH payload. message ID = 2656693126

*Mar 24 01:28:54.166 EST: ISAKMP:(37215): processing SA payload. message ID = 2656693126

*Mar 24 01:28:54.166 EST: ISAKMP:(37215):Checking IPSec proposal 1

*Mar 24 01:28:54.166 EST: ISAKMP: transform 1, ESP_AES

*Mar 24 01:28:54.166 EST: ISAKMP:   attributes in transform:

*Mar 24 01:28:54.166 EST: ISAKMP:      SA life type in seconds

*Mar 24 01:28:54.166 EST: ISAKMP:      SA life duration (basic) of 28800

*Mar 24 01:28:54.166 EST: ISAKMP:      SA life type in kilobytes

*Mar 24 01:28:54.166 EST: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0

*Mar 24 01:28:54.166 EST: ISAKMP:      encaps is 1 (Tunnel)

*Mar 24 01:28:54.166 EST: ISAKMP:      authenticator is HMAC-SHA

*Mar 24 01:28:54.166 EST: ISAKMP:      key length is 128

*Mar 24 01:28:54.166 EST: ISAKMP:(37215):atts are acceptable.

*Mar 24 01:28:54.166 EST: map_db_find_best did not find matching map

*Mar 24 01:28:54.166 EST: IPSEC(ipsec_process_proposal): proxy identities not supported

*Mar 24 01:28:54.166 EST: ISAKMP:(37215): IPSec policy invalidated proposal with error 32

*Mar 24 01:28:54.166 EST: ISAKMP:(37215): phase 2 SA policy not acceptable! (local 1.1.1.54 remote 2.2.2.54)

*Mar 24 01:28:54.166 EST: ISAKMP: set new node -148278355 to QM_IDLE   

*Mar 24 01:28:54.167 EST: ISAKMP:(37215):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

        spi 1017571376, message ID = 4146688941

*Mar 24 01:28:54.167 EST: ISAKMP:(37215): sending packet to 2.2.2.54 my_port 500 peer_port 500 (R) QM_IDLE   

*Mar 24 01:28:54.167 EST: ISAKMP:(37215):Sending an IKE IPv4 Packet.

*Mar 24 01:28:54.167 EST: ISAKMP:(37215):purging node -148278355

*Mar 24 01:28:54.167 EST: ISAKMP:(37215):deleting node -1638274170 error TRUE reason "QM rejected"

*Mar 24 01:28:54.167 EST: ISAKMP:(37215):Node 2656693126, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH

*Mar 24 01:28:54.167 EST: ISAKMP:(37215):Old State = IKE_QM_READY  New State = IKE_QM_READY

*Mar 24 01:29:02.160 EST: ISAKMP (37215): received packet from 2.2.2.54 dport 500 sport 500 Global (R) QM_IDLE   

*Mar 24 01:29:02.161 EST: ISAKMP:(37215): phase 2 packet is a duplicate of a previous packet.

*Mar 24 01:29:02.161 EST: ISAKMP:(37215): retransmitting due to retransmit phase 2

*Mar 24 01:29:02.161 EST: ISAKMP:(37215): ignoring retransmission,because phase2 node marked dead -1638274170

*Mar 24 01:29:10.160 EST: ISAKMP (37215): received packet from 2.2.2.54 dport 500 sport 500 Global (R) QM_IDLE   

*Mar 24 01:29:10.160 EST: ISAKMP:(37215): phase 2 packet is a duplicate of a previous packet.

*Mar 24 01:29:10.160 EST: ISAKMP:(37215): retransmitting due to retransmit phase 2

*Mar 24 01:29:10.160 EST: ISAKMP:(37215): ignoring retransmission,because phase2 node marked dead -1638274170

*Mar 24 01:29:10.591 EST: ISAKMP:(37213):purging node 667120255

*Mar 24 01:29:10.591 EST: ISAKMP:(37213):purging node 1131880735

*Mar 24 01:29:11.199 EST: ISAKMP:(37214):purging node -263527270

*Mar 24 01:29:18.160 EST: ISAKMP (37215): received packet from 2.2.2.54 dport 500 sport 500 Global (R) QM_IDLE   

*Mar 24 01:29:18.160 EST: ISAKMP:(37215): phase 2 packet is a duplicate of a previous packet.

*Mar 24 01:29:18.160 EST: ISAKMP:(37215): retransmitting due to retransmit phase 2

*Mar 24 01:29:18.160 EST: ISAKMP:(37215): ignoring retransmission,because phase2 node marked dead -1638274170

*Mar 24 01:29:20.592 EST: ISAKMP:(37213):purging SA., sa=4550D2C8, delme=4550D2C8

*Mar 24 01:29:26.771 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down

and here is the ASA Side :

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto map IPSEC_map 1 match address IPSEC_cryptomap

crypto map IPSEC_map 1 set peer 2.2.2.54

crypto map IPSEC_map 1 set ikev1 transform-set ESP-AES-128-SHA

crypto map IPSEC_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

crypto map IPSEC_map 1 set reverse-route

crypto map IPSEC_map interface IPSEC

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2 

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable IPSEC

crypto ikev1 enable IPSEC

crypto ikev1 policy 9

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

tunnel-group 2.2.2.54 type ipsec-l2l

tunnel-group 2.2.2.54 general-attributes

default-group-policy GroupPolicy_2.2.2.54

tunnel-group 2.2.2.54 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

group-policy GroupPolicy_2.2.2.54 internal

group-policy GroupPolicy_2.2.2.54 attributes

vpn-tunnel-protocol ikev1 ikev2

route IPSEC 2.2.2.54 255.255.255.255 1.1.1.254 1

access-list IPSEC_cryptomap extended permit ip object MONITOR-WC object MONITOR-EC

nat (VMs,IPSEC) source static MONITOR-WC MONITOR-WC destination static MONITOR-EC MONITOR-EC

object network MONITOR-WC

host 10.43.8.122

object network MONITOR-EC

host 10.53.9.12

Thanks !!!

1 Reply 1

Hi Hummus,

For this to work you do not need to apply the crypto map to the loopback, it is not supported anyway.

So at this point you set up a pretty common L2L tunnel (of course not using VTI since the ASA will not accept the SA) and use the loopback as the local-address for the crypto map.

Check this out:

crypto map local-address

HTH.

Portu.