12-02-2012 05:51 AM
Hi All,
I am having an issue establishing a tunnel between two ASAs, one on version 8.4(4) and one on version 8.2(5).
The config looks okay to me. I currently have it in a local connection - outside on the same subnet - hope this doesn't cause the issue, as when deployed it's a 15-minute drive.
Looking at the logs, the tunnel isn't even attempting to establish. The logs just show the pings from laptops on either side going straight to the outside interfaces and being rejected.
Here are the configs:
Version 8.4:
hostname VPN02
interface Ethernet0/0
description +++ OUTSIDE INTERFACE TO ASA +++
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 146.10.1.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.1.10 255.255.255.0
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
ftp mode passive
dns server-group DefaultDNS
object network VPN01
subnet 146.10.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 146.10.1.0 255.255.255.0 146.10.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any any
access-list outside_1_cryptomap extended permit ip 146.10.1.0 255.255.255.0 146.10.0.0 255.255.255.0
access-list outbound extended deny ip any any log
access-list no_nat extended permit ip 146.10.1.0 255.255.255.0 146.10.0.0 255.255.0.0
access-list VPN extended permit ip 146.10.1.0 255.255.255.0 146.10.0.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging console debugging
logging buffered informational
logging trap errors
logging asdm informational
logging host outside 146.10.1.31
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no service password-recovery
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 172.16.0.10
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 146.10.0.30 255.255.255.255 outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 172.16.0.10 type ipsec-l2l
tunnel-group 172.16.0.10 ipsec-attributes
ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo console disable
Version 8.2:
ASA Version 8.2(5)
!
hostname VPN01
names
!
interface Ethernet0/0
description +++ OUTSIDE INTERFACE TO ASA +++
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 146.10.0.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 172.16.0.10 255.255.255.0
!
interface Vlan3
no forward interface Vlan1
nameif dmz
security-level 50
no ip address
!
ftp mode passive
dns server-group DefaultDNS
access-list inside_nat0_outbound extended permit ip 146.10.0.0 255.255.255.0 146.10.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 146.10.0.0 255.255.255.0 146.10.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any any
access-list outside_1_cryptomap extended permit ip 146.10.0.0 255.255.255.0 146.10.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 146.10.0.0 255.255.255.0 146.10.2.0 255.255.255.0
access-list outbound extended deny ip any any log
access-list no_nat extended permit ip 146.10.0.0 255.255.255.0 146.10.0.0 255.255.0.0
pager lines 24
logging enable
logging timestamp
logging console debugging
logging buffered informational
logging trap errors
logging asdm informational
logging host outside 146.10.0.30
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no_nat
access-group outbound in interface inside
route outside 0.0.0.0 0.0.0.0 172.16.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
http 192.168.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no service password-recovery
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 172.16.1.10
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 172.16.2.10
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 146.10.0.30 255.255.255.255 outside
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 172.16.1.10 type ipsec-l2l
tunnel-group 172.16.1.10 ipsec-attributes
pre-shared-key *****
tunnel-group 172.16.2.10 type ipsec-l2l
tunnel-group 172.16.2.10 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo console disable
The default route will not apply and I know it is wrong. I also know there will be unnecessary access-list config, but this shouldn't come into play. I can ping across the outside interfaces okay. Help appreciated.
12-02-2012 12:51 PM
Hello Adrian,
Copy and paste the following and let me know:
clear configure access-group
crypto ipsec transform-set JULIO esp-aes esp-sha
crypto map outside_map 1 set transform-set JULIO
Then try again,
Regards,
Julio
12-02-2012 12:56 PM
The transform-set is missing on the hub.
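As an added example (not code from the thread, from Cisco, or from either poster), the following script applies the review that the two replies above perform by hand, and does it over excerpts of the configs posted in the question. It reports an interface access-group whose ACL permits nothing (the `outbound` deny-all applied inbound on `inside` on both boxes drops interesting traffic before the crypto map is ever consulted, which is why the logs show denied pings and no IKE attempt), a static crypto map entry with no transform-set (the 8.2 side), crypto ACLs that are not mirror images, and a missing common phase-1 policy. The function names, the dict layout, and the explicit outside addresses handed to `parse_asa` (taken from the Vlan2 `ip address` lines on the page) are this example's own choices; the VPN01 excerpt keeps only the entry towards VPN02 and leaves the second site out.

```python
"""Added example (not code from the thread or from Cisco): a static review of an ASA IKEv1
LAN-to-LAN pair, run over excerpts of the two configs posted above. It parses only the lines
that decide whether a tunnel can come up and lists what a reviewer would flag. The two
excerpts are copied from the thread; every other name in this file is the example's own."""
from collections import defaultdict

VPN02 = """
access-list outside_1_cryptomap extended permit ip 146.10.1.0 255.255.255.0 146.10.0.0 255.255.255.0
access-list outbound extended deny ip any any log
access-group outbound in interface inside
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 172.16.0.10
crypto map outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
"""
VPN01 = """
access-list outside_1_cryptomap extended permit ip 146.10.0.0 255.255.255.0 146.10.1.0 255.255.255.0
access-list outbound extended deny ip any any log
access-group outbound in interface inside
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 172.16.1.10
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
"""
POLICY_ATTRS = {"authentication", "encryption", "hash", "group", "lifetime"}

def _endpoints(tok):
    """(src, dst) from 'SRC MASK DST MASK' tokens; 'any' occupies a single slot."""
    out, i = [], 0
    while len(out) < 2:
        out.append(tok[i])
        i += 1 if tok[i] == "any" else 2
    return tuple(out)

def parse_asa(name, outside_ip, text):
    """Collect ACLs, access-groups, crypto map entries and IKE policies from a running-config."""
    v = {"name": name, "outside_ip": outside_ip, "acls": defaultdict(list), "access_groups": {},
         "crypto_maps": defaultdict(dict), "ike_policies": defaultdict(dict)}
    policy = None
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[:3] in (["crypto", "ikev1", "policy"], ["crypto", "isakmp", "policy"]):
            policy = int(tok[3])  # 8.4 and 8.2 spell the phase-1 policy header differently
        elif tok[0] in POLICY_ATTRS:
            if policy is not None:
                v["ike_policies"][policy][tok[0]] = tok[1]
        else:
            policy = None  # any other line ends the policy block
            if tok[0] == "access-list" and len(tok) > 6 and tok[2] == "extended" and tok[4] == "ip":
                v["acls"][tok[1]].append((tok[3],) + _endpoints(tok[5:]))
            elif tok[0] == "access-group":  # access-group ACL in interface IFACE
                v["access_groups"][tok[4]] = tok[1]
            elif tok[:2] == ["crypto", "map"] and tok[3].isdigit():
                e = v["crypto_maps"][(tok[2], int(tok[3]))]
                if tok[4:6] == ["match", "address"]:
                    e["acl"] = tok[6]
                elif tok[4:6] == ["set", "peer"]:
                    e["peer"] = tok[6]
                elif "transform-set" in tok:  # 'set transform-set X' (8.2) or 'set ikev1 transform-set X' (8.4)
                    e["transform_set"] = tok[-1]
    return v

def _domain(view, entry):
    """Permitted (src, dst) pairs of an entry's crypto ACL."""
    return {(s, d) for act, s, d in view["acls"][entry["acl"]] if act == "permit"}

def _proposals(view):
    return {tuple(p.get(k) for k in ("authentication", "encryption", "hash", "group")) for p in view["ike_policies"].values()}

def review_pair(a, b):
    """Findings for the tunnel between a and b; an empty list means nothing obvious is wrong."""
    findings, towards = [], {}
    for side, other in ((a, b), (b, a)):
        me = side["name"]
        # An interface ACL with no permit line drops traffic before the crypto map is consulted:
        # no IKE attempt at all, only denied pings, the symptom described in the thread.
        for iface, acl in side["access_groups"].items():
            if not any(act == "permit" for act, _, _ in side["acls"][acl]):
                findings.append(f"{me}: access-group {acl} on {iface} has no permit entry, so traffic never reaches the crypto map")
        towards[me] = [e for e in side["crypto_maps"].values() if e.get("peer") == other["outside_ip"] and "acl" in e]
        if not towards[me]:
            findings.append(f"{me}: no static crypto map entry peers with {other['name']} ({other['outside_ip']})")
        for e in towards[me]:
            if "transform_set" not in e:
                findings.append(f"{me}: crypto map entry for peer {e['peer']} has no transform-set, so phase 2 cannot be proposed")
    if towards[a["name"]] and towards[b["name"]]:
        # The two encryption domains must be mirror images of each other (src and dst swapped).
        if _domain(a, towards[a["name"]][0]) != {(d, s) for s, d in _domain(b, towards[b["name"]][0])}:
            findings.append("crypto ACLs on the two sides are not mirror images")
    if not _proposals(a) & _proposals(b):
        findings.append("no IKE phase-1 policy is common to both sides")
    return findings

def review_thread():
    """Review the posted excerpts; outside addresses are the Vlan2 'ip address' lines on the page."""
    return review_pair(parse_asa("VPN02", "172.16.1.10", VPN02), parse_asa("VPN01", "172.16.0.10", VPN01))
```

Run as posted, `review_thread()` returns three findings: the deny-all `outbound` access-group on `inside` on each box, and the missing transform-set on VPN01's crypto map entry. Removing the access-groups and completing the VPN01 entry with a transform-set, as the replies suggest, brings the list to empty; the parser deliberately understands only the `ip` form of extended ACLs and the handful of crypto lines shown, so anything else in a real running-config is ignored rather than misread.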