03-24-2013 06:30 AM
Hi
I'm trying to create a VPN between a Cisco ASA5510 and an ASR1002 when my Loopback interface is the source IP.
(I understand I cannot VPN ASA to Cisco IOS SVTI...)
So if anyone could help me here it would be legendary -
crypto keyring KEYS-WC-TEST
 local-address 1.1.1.54
 pre-shared-key address 2.2.2.54 key test123
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp profile ISAKMP-WC-TEST
 keyring KEYS-WC-TEST
 match identity address 2.2.2.54 255.255.255.255
 local-address 1.1.1.54
 virtual-template 1
crypto ipsec transform-set TRANS_SET-WC-TEST esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile VPN_S2S-WC-TEST
 set transform-set TRANS_SET-WC-TEST
 set pfs group2
 set isakmp-profile ISAKMP-WC-TEST
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback777
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_S2S-WC-TEST
crypto dynamic-map dynmap 10
 set transform-set TRANS_SET-WC-TEST
 set isakmp-profile ISAKMP-WC-TEST
 reverse-route
 match address IPSEC-WC-TEST-ACL
!
crypto map TEST-MAP local-address Loopback777
crypto map TEST-MAP 10 ipsec-isakmp dynamic dynmap
interface Loopback777
 description ### TEST IPSEC ###
 ip address 1.1.1.54 255.255.255.255
 crypto map TEST-MAP
ip access-list extended IPSEC-WC-TEST-ACL
 permit ip host 10.43.8.122 host 10.53.9.12
 permit ip host 10.53.9.12 host 10.43.8.122
EC-ASR-01#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.54 2.2.2.54 QM_IDLE 37195 ACTIVE
This is the output from debug crypto isakmp and debug crypto ipsec err:
*Mar 24 01:28:45.190 EST: ISAKMP (37214): received packet from 2.2.2.54 dport 500 sport 500 Global (R) QM_IDLE
*Mar 24 01:28:45.190 EST: ISAKMP:(37214): phase 2 packet is a duplicate of a previous packet.
*Mar 24 01:28:45.190 EST: ISAKMP:(37214): retransmitting due to retransmit phase 2
*Mar 24 01:28:45.190 EST: ISAKMP:(37214): ignoring retransmission,because phase2 node marked dead -263527270
*Mar 24 01:28:48.117 EST: ISAKMP:(37212):purging SA., sa=4079E61C, delme=4079E61C
*Mar 24 01:28:53.190 EST: ISAKMP (37214): received packet from 2.2.2.54 dport 500 sport 500 Global (R) QM_IDLE
*Mar 24 01:28:53.190 EST: ISAKMP: set new node -866013715 to QM_IDLE
*Mar 24 01:28:53.191 EST: ISAKMP:(37214): processing HASH payload. message ID = 3428953581
*Mar 24 01:28:53.191 EST: ISAKMP:(37214): processing DELETE payload. message ID = 3428953581
*Mar 24 01:28:53.191 EST: ISAKMP:(37214):peer does not do paranoid keepalives.
*Mar 24 01:28:53.191 EST: ISAKMP:(37214):deleting node -866013715 error FALSE reason "Informational (in) state 1"
*Mar 24 01:28:53.192 EST: ISAKMP (37214): received packet from 2.2.2.54 dport 500 sport 500 Global (R) QM_IDLE
*Mar 24 01:28:53.192 EST: ISAKMP: set new node 218841786 to QM_IDLE
*Mar 24 01:28:53.193 EST: ISAKMP:(37214): processing HASH payload. message ID = 218841786
*Mar 24 01:28:53.193 EST: ISAKMP:(37214): processing DELETE payload. message ID = 218841786
*Mar 24 01:28:53.193 EST: ISAKMP:(37214):peer does not do paranoid keepalives.
*Mar 24 01:28:53.193 EST: ISAKMP:(37214):deleting SA reason "No reason" state (R) QM_IDLE (peer 2.2.2.54)
*Mar 24 01:28:53.193 EST: ISAKMP:(37214):deleting node 218841786 error FALSE reason "Informational (in) state 1"
*Mar 24 01:28:53.193 EST: ISAKMP: set new node 789219990 to QM_IDLE
*Mar 24 01:28:53.193 EST: ISAKMP:(37214): sending packet to 2.2.2.54 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 24 01:28:53.194 EST: ISAKMP:(37214):Sending an IKE IPv4 Packet.
*Mar 24 01:28:53.194 EST: ISAKMP:(37214):purging node 789219990
*Mar 24 01:28:53.194 EST: ISAKMP:(37214):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 24 01:28:53.194 EST: ISAKMP:(37214):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Mar 24 01:28:53.194 EST: ISAKMP:(37214):deleting SA reason "No reason" state (R) QM_IDLE (peer 2.2.2.54)
*Mar 24 01:28:53.194 EST: ISAKMP: Unlocking peer struct 0x44493EC0 for isadb_mark_sa_deleted(), count 0
*Mar 24 01:28:53.194 EST: ISAKMP: Deleting peer node by peer_reap for 2.2.2.54: 44493EC0
*Mar 24 01:28:53.194 EST: ISAKMP:(37214):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 24 01:28:53.194 EST: ISAKMP:(37214):Old State = IKE_DEST_SA New State = IKE_DEST_SA
*Mar 24 01:28:53.842 EST: ISAKMP:(0):: peer matches *none* of the profiles
*Mar 24 01:28:53.929 EST: ISAKMP (0): received packet from 2.2.2.54 dport 500 sport 500 Global (N) NEW SA
*Mar 24 01:28:53.929 EST: ISAKMP: Created a peer struct for 2.2.2.54, peer port 500
*Mar 24 01:28:53.929 EST: ISAKMP: New peer created peer = 0x44493EC0 peer_handle = 0x8000635F
*Mar 24 01:28:53.929 EST: ISAKMP: Locking peer struct 0x44493EC0, refcount 1 for crypto_isakmp_process_block
*Mar 24 01:28:53.929 EST: ISAKMP: local port 500, remote port 500
*Mar 24 01:28:53.929 EST: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 48A95210
*Mar 24 01:28:53.930 EST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 24 01:28:53.930 EST: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
*Mar 24 01:28:53.930 EST: ISAKMP:(0): processing SA payload. message ID = 0
*Mar 24 01:28:53.930 EST: ISAKMP:(0): processing vendor id payload
*Mar 24 01:28:53.930 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 24 01:28:53.930 EST: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 24 01:28:53.930 EST: ISAKMP:(0): processing vendor id payload
*Mar 24 01:28:53.930 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar 24 01:28:53.930 EST: ISAKMP:(0): vendor ID is NAT-T v3
*Mar 24 01:28:53.930 EST: ISAKMP:(0): processing vendor id payload
*Mar 24 01:28:53.930 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar 24 01:28:53.930 EST: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Mar 24 01:28:53.930 EST: ISAKMP:(0): processing vendor id payload
*Mar 24 01:28:53.930 EST: ISAKMP:(0): processing IKE frag vendor id payload
*Mar 24 01:28:53.930 EST: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar 24 01:28:53.930 EST: ISAKMP:(0):found peer pre-shared key matching 2.2.2.54
*Mar 24 01:28:53.930 EST: ISAKMP:(0): local preshared key found
*Mar 24 01:28:53.930 EST: ISAKMP : Scanning profiles for xauth ... ISAKMP-COMPANY ISAKMP-AMAZON-85c829ec-1 ISAKMP-AMAZON-d0d332b9-1 ISAKMP-WC-TEST
*Mar 24 01:28:53.931 EST: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar 24 01:28:53.931 EST: ISAKMP: default group 2
*Mar 24 01:28:53.931 EST: ISAKMP: encryption AES-CBC
*Mar 24 01:28:53.931 EST: ISAKMP: keylength of 128
*Mar 24 01:28:53.931 EST: ISAKMP: hash SHA
*Mar 24 01:28:53.931 EST: ISAKMP: auth pre-share
*Mar 24 01:28:53.931 EST: ISAKMP: life type in seconds
*Mar 24 01:28:53.931 EST: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 24 01:28:53.931 EST: ISAKMP:(0):atts are acceptable. Next payload is 3
*Mar 24 01:28:53.931 EST: ISAKMP:(0):Acceptable atts:actual life: 0
*Mar 24 01:28:53.931 EST: ISAKMP:(0):Acceptable atts:life: 0
*Mar 24 01:28:53.931 EST: ISAKMP:(0):Fill atts in sa vpi_length:4
*Mar 24 01:28:53.931 EST: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Mar 24 01:28:53.931 EST: ISAKMP:(0):Returning Actual lifetime: 86400
*Mar 24 01:28:53.931 EST: ISAKMP:(0)::Started lifetime timer: 86400.
*Mar 24 01:28:53.931 EST: ISAKMP:(0): processing vendor id payload
*Mar 24 01:28:53.931 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar 24 01:28:53.931 EST: ISAKMP:(0): vendor ID is NAT-T v2
*Mar 24 01:28:53.931 EST: ISAKMP:(0): processing vendor id payload
*Mar 24 01:28:53.931 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar 24 01:28:53.931 EST: ISAKMP:(0): vendor ID is NAT-T v3
*Mar 24 01:28:53.931 EST: ISAKMP:(0): processing vendor id payload
*Mar 24 01:28:53.932 EST: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Mar 24 01:28:53.932 EST: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Mar 24 01:28:53.932 EST: ISAKMP:(0): processing vendor id payload
*Mar 24 01:28:53.932 EST: ISAKMP:(0): processing IKE frag vendor id payload
*Mar 24 01:28:53.932 EST: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar 24 01:28:53.932 EST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 24 01:28:53.932 EST: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
*Mar 24 01:28:53.932 EST: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar 24 01:28:53.932 EST: ISAKMP:(0): sending packet to 2.2.2.54 my_port 500 peer_port 500 (R) MM_SA_SETUP
*Mar 24 01:28:53.932 EST: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar 24 01:28:53.933 EST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 24 01:28:53.933 EST: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
*Mar 24 01:28:54.006 EST: ISAKMP (0): received packet from 2.2.2.54 dport 500 sport 500 Global (R) MM_SA_SETUP
*Mar 24 01:28:54.007 EST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 24 01:28:54.007 EST: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*Mar 24 01:28:54.007 EST: ISAKMP:(0): processing KE payload. message ID = 0
*Mar 24 01:28:54.010 EST: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar 24 01:28:54.010 EST: ISAKMP:(0):found peer pre-shared key matching 2.2.2.54
*Mar 24 01:28:54.010 EST: ISAKMP:(37215): processing vendor id payload
*Mar 24 01:28:54.010 EST: ISAKMP:(37215): vendor ID is Unity
*Mar 24 01:28:54.011 EST: ISAKMP:(37215): processing vendor id payload
*Mar 24 01:28:54.011 EST: ISAKMP:(37215): vendor ID seems Unity/DPD but major 56 mismatch
*Mar 24 01:28:54.011 EST: ISAKMP:(37215): vendor ID is XAUTH
*Mar 24 01:28:54.011 EST: ISAKMP:(37215): processing vendor id payload
*Mar 24 01:28:54.011 EST: ISAKMP:(37215): speaking to another IOS box!
*Mar 24 01:28:54.011 EST: ISAKMP:(37215): processing vendor id payload
*Mar 24 01:28:54.011 EST: ISAKMP:(37215):vendor ID seems Unity/DPD but hash mismatch
*Mar 24 01:28:54.011 EST: ISAKMP:received payload type 20
*Mar 24 01:28:54.011 EST: ISAKMP (37215): His hash no match - this node outside NAT
*Mar 24 01:28:54.011 EST: ISAKMP:received payload type 20
*Mar 24 01:28:54.011 EST: ISAKMP (37215): No NAT Found for self or peer
*Mar 24 01:28:54.011 EST: ISAKMP:(37215):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 24 01:28:54.011 EST: ISAKMP:(37215):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Mar 24 01:28:54.011 EST: ISAKMP:(37215): sending packet to 2.2.2.54 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar 24 01:28:54.011 EST: ISAKMP:(37215):Sending an IKE IPv4 Packet.
*Mar 24 01:28:54.012 EST: ISAKMP:(37215):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 24 01:28:54.012 EST: ISAKMP:(37215):Old State = IKE_R_MM3 New State = IKE_R_MM4
*Mar 24 01:28:54.086 EST: ISAKMP (37215): received packet from 2.2.2.54 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Mar 24 01:28:54.087 EST: ISAKMP:(37215):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 24 01:28:54.087 EST: ISAKMP:(37215):Old State = IKE_R_MM4 New State = IKE_R_MM5
*Mar 24 01:28:54.087 EST: ISAKMP:(37215): processing ID payload. message ID = 0
*Mar 24 01:28:54.087 EST: ISAKMP (37215): ID payload
next-payload : 8
type : 1
address : 2.2.2.54
protocol : 17
port : 0
length : 12
*Mar 24 01:28:54.087 EST: ISAKMP:(0):: peer matches ISAKMP-WC-TEST profile
*Mar 24 01:28:54.087 EST: ISAKMP:(37215):Found ADDRESS key in keyring KEYS-WC-TEST
*Mar 24 01:28:54.087 EST: ISAKMP:(37215): processing HASH payload. message ID = 0
*Mar 24 01:28:54.088 EST: ISAKMP:received payload type 17
*Mar 24 01:28:54.088 EST: ISAKMP:(37215): processing keep alive: proposal=32767/32767 sec., actual=10/10 sec.
*Mar 24 01:28:54.088 EST: ISAKMP:(37215): processing vendor id payload
*Mar 24 01:28:54.088 EST: ISAKMP:(37215): vendor ID is DPD
*Mar 24 01:28:54.088 EST: ISAKMP:(37215):SA authentication status:
authenticated
*Mar 24 01:28:54.088 EST: ISAKMP:(37215):SA has been authenticated with 2.2.2.54
*Mar 24 01:28:54.088 EST: ISAKMP: Trying to insert a peer 1.1.1.54/2.2.2.54/500/, and inserted successfully 44493EC0.
*Mar 24 01:28:54.088 EST: ISAKMP:(37215):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 24 01:28:54.088 EST: ISAKMP:(37215):Old State = IKE_R_MM5 New State = IKE_R_MM5
*Mar 24 01:28:54.088 EST: ISAKMP:(37215):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 24 01:28:54.088 EST: ISAKMP (37215): ID payload
next-payload : 8
type : 1
address : 1.1.1.54
protocol : 17
port : 500
length : 12
*Mar 24 01:28:54.088 EST: ISAKMP:(37215):Total payload length: 12
*Mar 24 01:28:54.089 EST: ISAKMP:(37215): sending packet to 2.2.2.54 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Mar 24 01:28:54.089 EST: ISAKMP:(37215):Sending an IKE IPv4 Packet.
*Mar 24 01:28:54.089 EST: ISAKMP:(37215):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 24 01:28:54.089 EST: ISAKMP:(37215):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Mar 24 01:28:54.090 EST: ISAKMP:(37215):IKE_DPD is enabled, initializing timers
*Mar 24 01:28:54.090 EST: ISAKMP:(37215):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 24 01:28:54.090 EST: ISAKMP:(37215):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 24 01:28:54.094 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
*Mar 24 01:28:54.130 EST: ISAKMP:(37215):IKE_DPD is enabled, initializing timers
*Mar 24 01:28:54.130 EST: ISAKMP:(37215):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar 24 01:28:54.130 EST: ISAKMP:(37215):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Mar 24 01:28:54.165 EST: ISAKMP (37215): received packet from 2.2.2.54 dport 500 sport 500 Global (R) QM_IDLE
*Mar 24 01:28:54.165 EST: ISAKMP: set new node -1638274170 to QM_IDLE
*Mar 24 01:28:54.166 EST: ISAKMP:(37215): processing HASH payload. message ID = 2656693126
*Mar 24 01:28:54.166 EST: ISAKMP:(37215): processing SA payload. message ID = 2656693126
*Mar 24 01:28:54.166 EST: ISAKMP:(37215):Checking IPSec proposal 1
*Mar 24 01:28:54.166 EST: ISAKMP: transform 1, ESP_AES
*Mar 24 01:28:54.166 EST: ISAKMP: attributes in transform:
*Mar 24 01:28:54.166 EST: ISAKMP: SA life type in seconds
*Mar 24 01:28:54.166 EST: ISAKMP: SA life duration (basic) of 28800
*Mar 24 01:28:54.166 EST: ISAKMP: SA life type in kilobytes
*Mar 24 01:28:54.166 EST: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*Mar 24 01:28:54.166 EST: ISAKMP: encaps is 1 (Tunnel)
*Mar 24 01:28:54.166 EST: ISAKMP: authenticator is HMAC-SHA
*Mar 24 01:28:54.166 EST: ISAKMP: key length is 128
*Mar 24 01:28:54.166 EST: ISAKMP:(37215):atts are acceptable.
*Mar 24 01:28:54.166 EST: map_db_find_best did not find matching map
*Mar 24 01:28:54.166 EST: IPSEC(ipsec_process_proposal): proxy identities not supported
*Mar 24 01:28:54.166 EST: ISAKMP:(37215): IPSec policy invalidated proposal with error 32
*Mar 24 01:28:54.166 EST: ISAKMP:(37215): phase 2 SA policy not acceptable! (local 1.1.1.54 remote 2.2.2.54)
*Mar 24 01:28:54.166 EST: ISAKMP: set new node -148278355 to QM_IDLE
*Mar 24 01:28:54.167 EST: ISAKMP:(37215):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1017571376, message ID = 4146688941
*Mar 24 01:28:54.167 EST: ISAKMP:(37215): sending packet to 2.2.2.54 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 24 01:28:54.167 EST: ISAKMP:(37215):Sending an IKE IPv4 Packet.
*Mar 24 01:28:54.167 EST: ISAKMP:(37215):purging node -148278355
*Mar 24 01:28:54.167 EST: ISAKMP:(37215):deleting node -1638274170 error TRUE reason "QM rejected"
*Mar 24 01:28:54.167 EST: ISAKMP:(37215):Node 2656693126, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 24 01:28:54.167 EST: ISAKMP:(37215):Old State = IKE_QM_READY New State = IKE_QM_READY
*Mar 24 01:29:02.160 EST: ISAKMP (37215): received packet from 2.2.2.54 dport 500 sport 500 Global (R) QM_IDLE
*Mar 24 01:29:02.161 EST: ISAKMP:(37215): phase 2 packet is a duplicate of a previous packet.
*Mar 24 01:29:02.161 EST: ISAKMP:(37215): retransmitting due to retransmit phase 2
*Mar 24 01:29:02.161 EST: ISAKMP:(37215): ignoring retransmission,because phase2 node marked dead -1638274170
*Mar 24 01:29:10.160 EST: ISAKMP (37215): received packet from 2.2.2.54 dport 500 sport 500 Global (R) QM_IDLE
*Mar 24 01:29:10.160 EST: ISAKMP:(37215): phase 2 packet is a duplicate of a previous packet.
*Mar 24 01:29:10.160 EST: ISAKMP:(37215): retransmitting due to retransmit phase 2
*Mar 24 01:29:10.160 EST: ISAKMP:(37215): ignoring retransmission,because phase2 node marked dead -1638274170
*Mar 24 01:29:10.591 EST: ISAKMP:(37213):purging node 667120255
*Mar 24 01:29:10.591 EST: ISAKMP:(37213):purging node 1131880735
*Mar 24 01:29:11.199 EST: ISAKMP:(37214):purging node -263527270
*Mar 24 01:29:18.160 EST: ISAKMP (37215): received packet from 2.2.2.54 dport 500 sport 500 Global (R) QM_IDLE
*Mar 24 01:29:18.160 EST: ISAKMP:(37215): phase 2 packet is a duplicate of a previous packet.
*Mar 24 01:29:18.160 EST: ISAKMP:(37215): retransmitting due to retransmit phase 2
*Mar 24 01:29:18.160 EST: ISAKMP:(37215): ignoring retransmission,because phase2 node marked dead -1638274170
*Mar 24 01:29:20.592 EST: ISAKMP:(37213):purging SA., sa=4550D2C8, delme=4550D2C8
*Mar 24 01:29:26.771 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
And here is the ASA side:
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto map IPSEC_map 1 match address IPSEC_cryptomap
crypto map IPSEC_map 1 set peer 2.2.2.54
crypto map IPSEC_map 1 set ikev1 transform-set ESP-AES-128-SHA
crypto map IPSEC_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map IPSEC_map 1 set reverse-route
crypto map IPSEC_map interface IPSEC
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable IPSEC
crypto ikev1 enable IPSEC
crypto ikev1 policy 9
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
tunnel-group 2.2.2.54 type ipsec-l2l
tunnel-group 2.2.2.54 general-attributes
 default-group-policy GroupPolicy_2.2.2.54
tunnel-group 2.2.2.54 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
group-policy GroupPolicy_2.2.2.54 internal
group-policy GroupPolicy_2.2.2.54 attributes
 vpn-tunnel-protocol ikev1 ikev2
route IPSEC 2.2.2.54 255.255.255.255 1.1.1.254 1
access-list IPSEC_cryptomap extended permit ip object MONITOR-WC object MONITOR-EC
nat (VMs,IPSEC) source static MONITOR-WC MONITOR-WC destination static MONITOR-EC MONITOR-EC
object network MONITOR-WC
 host 10.43.8.122
object network MONITOR-EC
 host 10.53.9.12
Thanks !!!
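The debug capture above is long, but the story it tells is short: Phase 1 completes (the peer matches ISAKMP-WC-TEST, the SA is authenticated, state reaches IKE_P1_COMPLETE), the ESP transform in the Quick Mode proposal is accepted ("atts are acceptable"), and then the router reports "map_db_find_best did not find matching map" and "proxy identities not supported" and answers with PROPOSAL_NOT_CHOSEN. The following Python script, added here as an example and not part of the post or of any Cisco tool, walks "debug crypto isakmp" output once and reduces it to that summary. The sample lines inside it are constructed, abbreviated copies of the debug messages shown above; the marker strings and the diagnosis wording are my own.

```python
import re

# Constructed sample: a few lines modelled on the debug output in the post
# (same states and messages, heavily abbreviated), not the full capture.
SAMPLE_DEBUG = """\
*Mar 24 01:28:53.929 EST: ISAKMP (0): received packet from 2.2.2.54 dport 500 sport 500 Global (N) NEW SA
*Mar 24 01:28:53.930 EST: ISAKMP:(0):found peer pre-shared key matching 2.2.2.54
*Mar 24 01:28:53.931 EST: ISAKMP:(0):atts are acceptable. Next payload is 3
*Mar 24 01:28:54.087 EST: ISAKMP:(0):: peer matches ISAKMP-WC-TEST profile
*Mar 24 01:28:54.088 EST: ISAKMP:(37215):SA has been authenticated with 2.2.2.54
*Mar 24 01:28:54.089 EST: ISAKMP:(37215):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*Mar 24 01:28:54.166 EST: ISAKMP:(37215):Checking IPSec proposal 1
*Mar 24 01:28:54.166 EST: ISAKMP:(37215):atts are acceptable.
*Mar 24 01:28:54.166 EST: map_db_find_best did not find matching map
*Mar 24 01:28:54.166 EST: IPSEC(ipsec_process_proposal): proxy identities not supported
*Mar 24 01:28:54.166 EST: ISAKMP:(37215): IPSec policy invalidated proposal with error 32
*Mar 24 01:28:54.166 EST: ISAKMP:(37215): phase 2 SA policy not acceptable! (local 1.1.1.54 remote 2.2.2.54)
*Mar 24 01:28:54.167 EST: ISAKMP:(37215):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

# Substrings that mark a Quick Mode (Phase 2) failure in IOS debug output.
FAILURE_MARKERS = (
    "did not find matching map",
    "proxy identities not supported",
    "policy invalidated proposal",
    "phase 2 SA policy not acceptable",
    "PROPOSAL_NOT_CHOSEN",
)


def diagnose(r):
    """Turn the collected facts into one sentence a troubleshooter can act on."""
    if not r["phase1_complete"]:
        return "Phase 1 never completed: check ISAKMP policy, pre-shared key and profile match"
    if r["phase2_transform_ok"] and "did not find matching map" in r["reasons"]:
        return ("Phase 1 and the ESP transform match, but no crypto map accepted the peer's "
                "proxy identities: check where the crypto map is applied (not on a Loopback) "
                "and that the crypto ACL mirrors the peer's")
    if r["phase2_rejected"]:
        return "Phase 2 rejected: " + "; ".join(r["reasons"])
    return "No failure seen in this capture"


def triage(debug_text):
    """Walk 'debug crypto isakmp' output once and summarise how far IKEv1 got."""
    result = {
        "peer": None, "profile": None, "states": [],
        "phase1_complete": False, "phase2_transform_ok": False,
        "phase2_rejected": False, "local": None, "remote": None, "reasons": [],
    }
    in_phase2 = False  # set once Quick Mode proposal checking starts
    for line in debug_text.splitlines():
        m = re.search(r"SA has been authenticated with (\d+\.\d+\.\d+\.\d+)", line)
        if m:
            result["peer"] = m.group(1)
        m = re.search(r"peer matches (\S+) profile", line)  # skips "*none* of the profiles"
        if m:
            result["profile"] = m.group(1)
        m = re.search(r"New State = (\w+)", line)
        if m:
            result["states"].append(m.group(1))
            if m.group(1) == "IKE_P1_COMPLETE":
                result["phase1_complete"] = True
        if "Checking IPSec proposal" in line:
            in_phase2 = True
        elif in_phase2 and "atts are acceptable" in line:
            result["phase2_transform_ok"] = True  # transform matched; failure is later
        m = re.search(r"phase 2 SA policy not acceptable! \(local (\S+) remote (\S+)\)", line)
        if m:
            result["local"], result["remote"] = m.group(1), m.group(2)
        for marker in FAILURE_MARKERS:
            if marker in line and marker not in result["reasons"]:
                result["reasons"].append(marker)
    result["phase2_rejected"] = bool(result["reasons"])
    result["diagnosis"] = diagnose(result)
    return result


if __name__ == "__main__":
    summary = triage(SAMPLE_DEBUG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against a real capture by passing the file contents to triage(); the useful output is the "reasons" list and the last entry of "states", which together say whether the failure is in Phase 1 (policy, key, profile) or Phase 2 (transform, crypto map, proxy identities).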
03-24-2013 09:50 AM
Hi Hummus,
For this to work you do not need to apply the crypto map to the loopback, it is not supported anyway.
So at this point you set up a pretty common L2L tunnel (of course not using VTI since the ASA will not accept the SA) and use the loopback as the local-address for the crypto map.
Check this out:
HTH.
Portu.
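The reply's point, turned into a check that can be run over an IOS running-config before bringing the tunnel up (added example code, not Portu's or Cisco's): keep "crypto map TEST-MAP local-address Loopback777" so the loopback stays the IKE source address, but apply the crypto map to the interface that faces the peer rather than to the loopback. The "before" text is the crypto-map part of the ASR config from the first post; the "after" text is a constructed correction in which GigabitEthernet0/0/0 and its 198.51.100.2 address are assumed placeholders, since the post does not name the peer-facing interface.

```python
import re

# Constructed "before": the crypto-map part of the ASR config in the post,
# with the indentation IOS normally shows.
BEFORE = """\
crypto map TEST-MAP local-address Loopback777
crypto map TEST-MAP 10 ipsec-isakmp dynamic dynmap
interface Loopback777
 description ### TEST IPSEC ###
 ip address 1.1.1.54 255.255.255.255
 crypto map TEST-MAP
"""

# Constructed "after": same crypto map, same loopback local-address, but the
# map is applied to the peer-facing interface. GigabitEthernet0/0/0 and
# 198.51.100.2 are assumed placeholders (the post does not name the interface).
AFTER = """\
crypto map TEST-MAP local-address Loopback777
crypto map TEST-MAP 10 ipsec-isakmp dynamic dynmap
interface Loopback777
 description ### TEST IPSEC ###
 ip address 1.1.1.54 255.255.255.255
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.0
 crypto map TEST-MAP
"""


def parse_blocks(text):
    """Split an IOS config into (header, [child lines]) pairs.
    Top-level commands start in column 0; their sub-commands are indented."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def lint_crypto_map_placement(text):
    """Return a list of findings about where each crypto map is applied."""
    findings = []
    local_address = {}   # map name -> interface named in 'local-address'
    applied_on = {}      # map name -> interfaces carrying 'crypto map <name>'
    for header, children in parse_blocks(text):
        m = re.match(r"crypto map (\S+) local-address (\S+)", header)
        if m:
            local_address[m.group(1)] = m.group(2)
        m = re.match(r"interface (\S+)", header)
        if m:
            ifname = m.group(1)
            for child in children:
                cm = re.match(r"crypto map (\S+)$", child)
                if cm:
                    applied_on.setdefault(cm.group(1), []).append(ifname)
    # A crypto map on a Loopback is not supported (the reply's point).
    for name, interfaces in applied_on.items():
        for ifname in interfaces:
            if ifname.lower().startswith("loopback"):
                findings.append(
                    f"crypto map {name} is applied to {ifname}: not supported; "
                    f"apply it to the peer-facing interface instead")
    # A map that names a loopback as local-address still has to sit on a
    # real interface, or IKE from the peer will never be matched against it.
    for name, loop in local_address.items():
        real = [i for i in applied_on.get(name, []) if not i.lower().startswith("loopback")]
        if not real:
            findings.append(
                f"crypto map {name} uses local-address {loop} but is not applied "
                f"to any non-loopback interface")
    return findings


if __name__ == "__main__":
    print("before:", lint_crypto_map_placement(BEFORE))
    print("after: ", lint_crypto_map_placement(AFTER))
```

The check deliberately parses only column-0 commands and their indented sub-commands, which is how "show running-config" presents them; a config pasted with the indentation stripped (as in the post) would need it restored before the interface blocks can be told apart.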