VPN L2L dynamic to static w/o DefaultL2LGroup

Lybra1983
Level 1

I was looking for a method to have L2L VPN dyn to static without using DefaultL2LGroup but defining instead multiple tunnel groups for each router with dynamic IP. Many people say it's not possible, but I found this guide: http://inetpro.org/wiki/LAN-to-LAN_IPSec_VPN_between_PIX/ASA_7.2_hub_and_IOS_spokes_with_dynamic_IP_addresses

Now the problem: the vpn comes up but I cannot reach any device with a ping.

Static side: ASA 5505 - 8.22

Dynamic side: Zyxel P-661HW-D3

Here is the config for the ASA:

access-list outside extended permit icmp any any
access-list outside extended deny ip any any
access-list inside extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
access-list inside extended deny ip any any
access-list VPN extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
access-list ST_3710 extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0


nat (inside) 0 access-list VPN
nat (inside) 1 10.1.0.0 255.255.248.0

access-group inside in interface inside
access-group outside in interface outside

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DN3710 1 match address ST_3710
crypto dynamic-map DN3710 1 set transform-set myset

crypto map dyn-map 2 ipsec-isakmp dynamic DN3710
crypto map dyn-map interface outside

crypto isakmp enable outside

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal

group-policy GP3710 internal
group-policy GP3710 attributes
vpn-filter value ST_3710
vpn-tunnel-protocol IPSec

tunnel-group TG3710 type ipsec-l2l
tunnel-group TG3710 general-attributes
default-group-policy GP3710
tunnel-group TG3710 ipsec-attributes
pre-shared-key *********

As you can see the vpn is up:

2   IKE Peer: ***.***.***.***
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE

Thanks in advance if someone can help me with this issue.

Regards,

Luca


Gustavo Medina
Cisco Employee

Hello Luca,

You are right, this can be done: you can have the spokes landing on separate tunnel-groups, not just on the DefaultL2LGroup. The ASA follows this sequence when doing a tunnel-group lookup for L2L tunnels with pre-shared keys:

- ike-id checked first and could be either hostname (fqdn) or IP address

- if ike-id lookup fails ASA tries Peer IP address

- DefaultRAGroup/DefaultL2LGroup is used as a last resort

From the output of your "sh cry isa sa" I can see that at least Phase 1 is up for your tunnel, please make sure that it landed on the correct tunnel-group.

The problem that I can clearly see here is the VPN filter that you applied to the group-policy; remember that we must apply the vpn-filters in the inbound direction.

When a vpn-filter is applied to a group-policy that governs a LAN to LAN VPN connection, the ACL should be configured with the remote network in the src_ip position of the ACL and the local network in the dest_ip position of the ACL. Caution should be exercised when constructing the ACLs for use with the vpn-filter feature. The ACLs are constructed with the post-decrypted traffic in mind; however, they are also applied to the traffic in the opposite direction.

In your case the remote network is 10.51.10.0 255.255.255.0 and the local network is 10.1.0.0 255.255.248.0, so let's say that you want to allow just telnet:

The following ACE will allow the remote network to telnet to the local network:

access-list vpnfilt-l2l permit 10.51.10.0 255.255.255.0  10.1.0.0 255.255.248.0 eq 23


The following ACE will allow the local network to telnet to the remote network:

access-list vpnfilt-l2l permit 10.0.0.0 255.255.255.0 eq 23 10.1.0.0 255.255.248.0

Note: The ACE access-list vpnfilt-l2l permit 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23 will allow the local network to initiate a connection to the remote network on any TCP port if it uses a source port of 23.

The ACE access-list vpnfilt-l2l permit 10.0.0.0 255.255.255.0 eq 23 10.1.0.0 255.255.248.0 will allow the remote network to initiate a connection to the local network on any TCP port if it uses a source port of 23.

Regards,
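To make the direction rule concrete, here is an added Python model (not code from this thread or from Cisco) of how a vpn-filter ACE is matched against inbound traffic as written and against outbound traffic with the positions swapped. The networks are the ones named in the reply above; the hosts, ports and explicit protocol keyword in the ACE text are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model (not ASA code) of vpn-filter matching: an ACE is written for
# post-decrypted inbound traffic (remote src, local dst), and the ASA also applies
# the same ACE to outbound traffic with source and destination positions swapped.

@dataclass
class Ace:
    proto: str                  # "ip" matches any protocol, "tcp" only TCP
    src: ipaddress.IPv4Network
    src_port: Optional[int]     # None = any port
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]

def parse_ace(text: str) -> Ace:
    """Parse 'permit {ip|tcp} SRC MASK [eq P] DST MASK [eq P]' (ASA netmask form)."""
    tok = text.split()
    if tok[0] != "permit" or tok[1] not in ("ip", "tcp"):
        raise ValueError("only 'permit ip' / 'permit tcp' are modelled")
    fields, i = [], 2
    for _ in range(2):                        # source block, then destination block
        net = ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}")
        i += 2
        port = None
        if i < len(tok) and tok[i] == "eq":   # optional 'eq <port>' after the network
            port = int(tok[i + 1])
            i += 2
        fields += [net, port]
    return Ace(tok[1], *fields)

def _match(ace, proto, src_ip, sport, dst_ip, dport):
    return (ace.proto in ("ip", proto)
            and ipaddress.IPv4Address(src_ip) in ace.src
            and ipaddress.IPv4Address(dst_ip) in ace.dst
            and ace.src_port in (None, sport)
            and ace.dst_port in (None, dport))

def permitted(aces, proto, src_ip, sport, dst_ip, dport, inbound):
    """inbound=True: decrypted packet from the remote site, matched as written.
    inbound=False: local->remote packet, matched with positions swapped, so the
    packet's destination is compared with the ACE's source field (ports too)."""
    for ace in aces:
        if inbound and _match(ace, proto, src_ip, sport, dst_ip, dport):
            return True
        if not inbound and _match(ace, proto, dst_ip, dport, src_ip, sport):
            return True
    return False
```

Running the original ST_3710 ACL (local network in the source position) through this model blocks ping in both directions, which matches the symptom of a tunnel that is up but passes nothing.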

Thanks Jose, I've inverted the ACL and now it's working.

Actually I didn't really get why I had to invert it; if you find time, can you kindly explain it one more time?

Many many thanks for your help.

Luca

Hey Luca!

I'm glad to hear that everything is working now!! Here is a link for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

If you have any question just let me know.

Thanks,

I have a similar problem in one of my customers' PIX.

I have some connections to the PIX:

  • 2 lan2lan connections to static public IP addresses (working)
  • Multiple Cisco RA VPN clients (working)
  • 1 lan2lan connection to a dynamic IP peer (not working) - uses 1 Draytek 2700 with 3G access

If I check that peer IP address and create a tunnel-group for it, and configure it like:

tunnel-group x.250.94.45 type ipsec-l2l
tunnel-group x.250.94.45 ipsec-attributes
pre-shared-key *

It works fine... but then the dynamic IP address changes (of course)... and I need to configure it again. Because if I don't... the PIX attaches that unknown IP to the DefaultRAGroup, returning this error, and the VPN of course fails:

%PIX-3-713902: Group = DefaultRAGroup, IP = x.250.94.45, Removing peer from peer table failed, no match!
%PIX-4-713903: Group = DefaultRAGroup, IP = x.250.94.45, Error: Unable to remove PeerTblEntry

How do I "tell" the PIX to change the default group from DefaultRAGroup to the DefaultLan2Lan group?

I'm lost... all lan2lan connections (static public IPs) in conjunction with remote VPN clients work except this one (it works if I create a tunnel-group with that dynamic IP address).

I don't want to be creating a new entry and deleting the last one all the time...

When using tunnel groups I read that we really need to specify the IP address... the problem is that it is dynamic.

Here is my config:

group-policy Salsicharia_Dinamico internal
group-policy Salsicharia_Dinamico attributes
vpn-filter value Internet_40_cryptomap
vpn-tunnel-protocol IPSec


access-list Internet_40_cryptomap extended permit ip 192.168.0.0 255.255.0.0 172.21.2.0 255.255.255.0


crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map SSHARIA_IPDINAMICO 10 match address Internet_40_cryptomap
crypto dynamic-map SSHARIA_IPDINAMICO 10 set transform-set ESP-DES-MD5


crypto map Internet_map 60 match address Internet_60_cryptomap
crypto map Internet_map 60 set peer X.154.248.37
crypto map Internet_map 60 set transform-set ESP-DES-MD5
crypto map Internet_map 80 match address VILA_ALISOL_CRYPTOMAP_ID80
crypto map Internet_map 80 set peer X.28.55.237
crypto map Internet_map 80 set transform-set ESP-DES-MD5
crypto map Internet_map 65534 ipsec-isakmp dynamic SSHARIA_IPDINAMICO - 3g access (not working)
crypto map Internet_map 65535 ipsec-isakmp dynamic Internet_dyn_map (cisco vpn clients)
crypto map Internet_map interface Internet
crypto map Micros_map 65535 ipsec-isakmp dynamic Micros_dyn_map
crypto map Micros_map interface Micros
crypto map inside_map interface inside

tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ipsec-attributes
peer-id-validate nocheck
isakmp ikev1-user-authentication none

tunnel-group X.154.248.37 type ipsec-l2l
tunnel-group X.154.248.37 ipsec-attributes
pre-shared-key *
tunnel-group VPN_Compta type ipsec-ra
tunnel-group VPN_Compta general-attributes
address-pool VPM_Assec
default-group-policy VPN_Compta
tunnel-group VPN_Compta ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 300 retry 10
tunnel-group X.240.230.174 type ipsec-l2l
tunnel-group X.240.230.174 ipsec-attributes
pre-shared-key *
tunnel-group Vilavita_mail type ipsec-ra
tunnel-group Vilavita_mail general-attributes
default-group-policy Vilavita_mail
tunnel-group Vilavita_mail ipsec-attributes
pre-shared-key *
tunnel-group Manut type ipsec-ra
tunnel-group Manut general-attributes
address-pool VPM_Assec
default-group-policy Manut
tunnel-group Manut ipsec-attributes
pre-shared-key *
tunnel-group Roessner type ipsec-ra
tunnel-group Roessner general-attributes
address-pool VPM_Assec
default-group-policy Roessner

If I have more than 1 tunnel-group created, how does the PIX know, if a dynamic IP address tries to connect to it, which one it should use? Not using a user name...

In your example the PIX knows that it should use tunnel-group TG3710 because you just have one. But in my case... how do I do it?

Thanks in advance

Joao

Joao,

Since this is an IPsec L2L with pre-shared keys the tunnel-group lookup is as follows:

- skips rules and OU since these are certificate related and certs aren't used

- ike-id checked first and could be either hostname (fqdn) or IP address

- if ike-id lookup fails ASA tries Peer IP address

- DefaultRAGroup/DefaultL2LGroup is used as a last resort

Care should be taken to define a different preshared key in the DefaultRAGroup and DefaultL2LGroup since the DefaultL2LGroup will only be used if the preshared key check in DefaultRAGroup fails. If they are the same the tunnel-group lookup will end in DefaultRAGroup and connection will fail.

In this case I'd like to know a few things: is the peer negotiating aggressive mode? If so, try main mode. What is the local ike-id the peer is using?


We need the following debug outputs: "debug crypto isa 127" and "debug crypto ipsec 127".

Besides, I just checked this line:

crypto dynamic-map SSHARIA_IPDINAMICO 10 match address Internet_40_cryptomap

We don't need it because we are going to accept what the other side is proposing.

As a last resort, and if you are not using the DefaultRAGroup, we can do this:

tunnel-group-map default-group DefaultL2LGroup


Hope this helps.


Tavo.
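As an added illustration (not ASA code and not from the thread's participants), the lookup order and the pre-shared-key caveat described in this reply can be modelled in Python. The group names mirror Joao's posted config; the keys and the peer address 203.0.113.10 are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed model (not ASA code) of the tunnel-group lookup order the thread
# describes for IKEv1 LAN-to-LAN peers that authenticate with pre-shared keys.

@dataclass
class TunnelGroup:
    kind: str                   # "ipsec-l2l" or "ipsec-ra"
    psk: Optional[str] = None   # None: no pre-shared key configured

@dataclass
class Asa:
    groups: Dict[str, TunnelGroup] = field(default_factory=dict)
    default_group: str = "DefaultRAGroup"   # 'tunnel-group-map default-group ...'

def select_tunnel_group(asa: Asa, ike_id: str, peer_ip: str, offered_psk: str) -> Tuple[str, bool]:
    """Return (group the lookup ends on, whether an L2L tunnel can come up there).

    Order, as in the thread: 1) the IKE ID (FQDN or IP) as a group name,
    2) the peer IP as a group name, 3) the default group, then DefaultL2LGroup
    only if the PSK check in DefaultRAGroup fails. A peer that ends up in an
    ipsec-ra group cannot build a LAN-to-LAN tunnel, so that counts as failure."""
    for name in (ike_id, peer_ip):              # steps 1 and 2: named groups
        if name in asa.groups:
            tg = asa.groups[name]
            return name, tg.psk == offered_psk and tg.kind == "ipsec-l2l"
    order = [asa.default_group]                 # step 3: last-resort groups
    if asa.default_group == "DefaultRAGroup":
        order.append("DefaultL2LGroup")
    for name in order:
        tg = asa.groups.get(name)
        if tg is not None and tg.psk is not None and tg.psk == offered_psk:
            return name, tg.kind == "ipsec-l2l"
    return order[-1], False                     # no PSK matched anywhere

def joao_asa() -> Asa:
    """Constructed groups mirroring Joao's posted config (keys are placeholders)."""
    return Asa(groups={
        "DefaultRAGroup": TunnelGroup("ipsec-ra"),             # no PSK, as posted
        "DefaultL2LGroup": TunnelGroup("ipsec-l2l", "L2L-PSK"),
        "salsicharia": TunnelGroup("ipsec-l2l", "SPOKE-PSK"),
    })
```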

Hi Jose,

Many thanks for your detailed reply. I really appreciate it.

It's working now...

I didn't know very well what you meant about the ike-id, but now I understand, and I'm sending a printscreen of how I did it, so that you can have the solution for future questions about it. The peer equipment is a Vigor Draytek 2700.

If we don't fill in the field "LOCALID" in the Draytek 2700 it will send the public IP address by default, then the PIX attaches this connection to DefaultRAGroup.

I didn't manage to attach it to DefaultL2LGroup even with the command tunnel-group-map default-group DefaultL2LGroup. I changed the pre-shared key to an incorrect one in the DefaultRAGroup. The PIX doesn't assume it.

Anyway... it's working now.

  • 2 IPsec VPN peers with public static IP addresses (Vigor Draytek 2700);
  • 1 IPsec VPN peer with dynamic public IP address (Vigor Draytek 700);
  • multiple RA Cisco VPN clients.

Here is the config related to the entry for the dynamic peer (working together with the 2 static peers and RA Cisco VPN Client):

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map SSHARIA_IPDINAMICO 10 set transform-set ESP-DES-MD5

crypto map Internet_map 65534 ipsec-isakmp dynamic SSHARIA_IPDINAMICO



crypto isakmp policy 10
  authentication pre-share
  encryption des
  hash md5
  group 2
  lifetime 86400


tunnel-group salsicharia type ipsec-l2l
tunnel-group salsicharia ipsec-attributes
pre-shared-key *


VV#    sh vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : X.28.55.237 (static public ip address)
Index        : 1                      IP Addr      : X.28.55.237
Protocol     : IPSecLAN2LAN           Encryption   : DES
Hashing      : MD5                   
Bytes Tx     : 46916                  Bytes Rx     : 309909
Login Time   : 09:55:59 GMT/BST Tue Mar 15 2011
Duration     : 1h:28m:52s
Filter Name  :

Connection   : X.154.248.37 (static public ip address)
Index        : 2                      IP Addr      : X.154.248.37
Protocol     : IPSecLAN2LAN           Encryption   : DES
Hashing      : MD5                   
Bytes Tx     : 1214409                Bytes Rx     : 1174211
Login Time   : 19:13:53 GMT/BST Mon Mar 14 2011
Duration     : 16h:10m:58s
Filter Name  :

Connection   : salsicharia (dynamic ip address)
Index        : 3                      IP Addr      : X.50.54.78
Protocol     : IPSecLAN2LAN           Encryption   : DES
Hashing      : MD5                   
Bytes Tx     : 3080                   Bytes Rx     : 62632
Login Time   : 06:49:16 GMT/BST Tue Mar 15 2011
Duration     : 4h:35m:35s
Filter Name  :

VV#

Thanks again for your precious info.

Joao