01-06-2011 05:28 PM
Hi,
I'm setting up a Site-to-Site VPN tunnel, but I'm facing a problem that I think is related to phase 1.
I've pasted below the part of my configuration that I think is relevant.
Could anyone help me out? Thanks in advance.
access-list ACL1 extended permit ip 192.168.121.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list ACL1 extended permit ip 172.16.1.0 255.255.255.0 10.0.0.0 255.255.0.0
crypto map outside_map 120 match address ACL1
crypto map outside_map 120 set peer 33.33.33.33
crypto map outside_map 120 set transform-set ESP-3DES-SHA
crypto map outside_map 120 set security-association lifetime seconds 3600
tunnel-group 33.33.33.33 type ipsec-l2l
tunnel-group 33.33.33.33 ipsec-attributes
pre-shared-key test
show run ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
show run tunnel-group
tunnel-group 33.33.33.33 type ipsec-l2l
tunnel-group 33.33.33.33 ipsec-attributes
pre-shared-key *
show run crypto map
crypto map outside_map 120 match address ACL1
crypto map outside_map 120 set peer 33.33.33.33
crypto map outside_map 120 set transform-set ESP-3DES-SHA
crypto map outside_map 120 set security-association lifetime seconds 3600
crypto map outside_map 120 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
I can't ping the other remote location (10.0.0.0), but I can ping its public interface 33.33.33.33.
The other end of the VPN tunnel has matching subnets, and when I run show run isakmp or show crypto ipsec sa I don't get any details.
Kind Regards,
Joana Botto
01-06-2011 05:44 PM
Hi,
Please paste the following output from both ends of the tunnel.
1. sh run cry
2. sh cry isa sa
3. sh cry ips sa
4. sh run nat
5. sh access-list
6. sh access-list
Regards,
Anisha
01-06-2011 06:22 PM
Hi Anisha,
# sh run cry
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set eds
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 100 match address site6
crypto map outside_map 100 set peer 66.66.66.66
crypto map outside_map 100 set transform-set site66
crypto map outside_map 100 set security-association lifetime seconds 3600
crypto map outside_map 100 set security-association lifetime kilobytes 4608000
crypto map outside_map 120 match address ACL1
crypto map outside_map 120 set peer 33.33.33.33
crypto map outside_map 120 set transform-set ESP-3DES-SHA
crypto map outside_map 120 set security-association lifetime seconds 3600
crypto map outside_map 120 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
# sh cry isa sa
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 44.44.44.44
Type : user Role : responder
Rekey : no State : AM_ACTIVE
2 IKE Peer: 55.55.55.55
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
edsgfs-asa-CRA# sh cry ips sa
interface: outside
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 22.22.22.22
access-list outside_cryptomap_dyn_20 permit ip any 192.168.10.0 255.255.255.128
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.86/255.255.255.255/0/0)
current_peer: 55.55.55.55, username: user2
dynamic allocated peer ip: 192.168.10.86
#pkts encaps: 25527, #pkts encrypt: 25527, #pkts digest: 25527
#pkts decaps: 22664, #pkts decrypt: 22664, #pkts verify: 22664
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 25527, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 22.22.22.22/4500, remote crypto endpt.: 55.55.55.55/50305
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 644C6CEF
inbound esp sas:
spi: 0x0CBFA635 (213886517)
transform: esp-3des esp-md5-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 4575232, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 5975
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x644C6CEF (1682730223)
transform: esp-3des esp-md5-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 4575232, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 5975
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 100, local addr: 22.22.22.22
access-list failteacl permit ip 192.168.121.0 255.255.255.0 10.128.0.0 255.255.0.0
local ident (addr/mask/prot/port): (192.168.121.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.128.0.0/255.255.0.0/0/0)
current_peer: 66.66.66.66
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 198237, #pkts decrypt: 198237, #pkts verify: 198237
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 22.22.22.22, remote crypto endpt.: 66.66.66.66
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 327989F7
inbound esp sas:
spi: 0x3D1AFCAA (1025178794)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 901120, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 2654
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x327989F7 (846825975)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 901120, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 2654
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
# sh run nat
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list nodmznat
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (remsite) 0 access-list noremsitenat
nat (remsite) 1 0.0.0.0 0.0.0.0
# sh access-list ACL1
access-list ACL1; 2 elements
access-list ACL1 line 1 extended permit ip 192.168.121.0 255.255.255.0 10.0.0.0 255.255.0.0 (hitcnt=0) 0xdae8954a
access-list ACL1 line 2 extended permit ip 172.16.1.0 255.255.255.0 10.0.0.0 255.255.0.0 (hitcnt=102) 0x04c45a75
access-list outside_cryptomap_dyn_20; 1 elements
access-list outside_cryptomap_dyn_20 line 1 extended permit ip any 192.168.10.0 255.255.255.128 (hitcnt=24267) 0x06ba586e
Regards,
Joana
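The three outputs above already contain the answer to the "is it phase 1?" question, if they are read together: the crypto map entry for 33.33.33.33 has interesting traffic matching its ACL (ACL1 line 2, hitcnt=102), yet sh cry isa sa lists no IKE SA for that peer at all. What follows is an added example, not code from the thread or from Cisco: a small Python script that parses those three outputs and reports, per static crypto map entry, whether phase 1 is up, negotiating, never established despite traffic, or simply unused. The sample strings are constructed to mirror the posted outputs; the function names and verdict labels are my own.

```python
"""Added example: parse Cisco ASA 'show' output and report which static
site-to-site crypto map entries have no IKE (phase 1) SA even though
interesting traffic is hitting their crypto ACL.  The three sample outputs
are constructed to mirror the ones posted in the thread (not a live capture)."""
import re

CRYPTO_MAP = """\
crypto map outside_map 100 match address site6
crypto map outside_map 100 set peer 66.66.66.66
crypto map outside_map 120 match address ACL1
crypto map outside_map 120 set peer 33.33.33.33
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
"""

ISAKMP_SA = """\
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1   IKE Peer: 44.44.44.44
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE
2   IKE Peer: 55.55.55.55
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

ACL_HITS = """\
access-list ACL1; 2 elements
access-list ACL1 line 1 extended permit ip 192.168.121.0 255.255.255.0 10.0.0.0 255.255.0.0 (hitcnt=0) 0xdae8954a
access-list ACL1 line 2 extended permit ip 172.16.1.0 255.255.255.0 10.0.0.0 255.255.0.0 (hitcnt=102) 0x04c45a75
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)")
ACL_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)")
IKE_PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
IKE_STATE_RE = re.compile(r"State\s*:\s*(\S+)")
HIT_RE = re.compile(r"^access-list (\S+) line (\d+) .*\(hitcnt=(\d+)\)")


def static_entries(text):
    """(map name, seq) -> {'peer': ..., 'acl': ...} for static crypto map entries.
    The dynamic entry (seq 65535 ... dynamic ...) matches neither pattern."""
    entries = {}
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            entries.setdefault((m[1], int(m[2])), {})["peer"] = m[3]
        m = ACL_RE.match(line)
        if m:
            entries.setdefault((m[1], int(m[2])), {})["acl"] = m[3]
    return entries


def ike_states(text):
    """peer address -> IKE SA state, from 'show crypto isakmp sa'."""
    states, current = {}, None
    for line in text.splitlines():
        m = IKE_PEER_RE.search(line)
        if m:
            current = m[1]
            states[current] = None
            continue
        m = IKE_STATE_RE.search(line)
        if m and current:
            states[current] = m[1]
    return states


def acl_hit_totals(text):
    """ACL name -> total hitcnt over all its lines, from 'show access-list'."""
    totals = {}
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            totals[m[1]] = totals.get(m[1], 0) + int(m[3])
    return totals


def diagnose(crypto_map, isakmp_sa, acl_hits):
    """One finding per static crypto map entry, ordered by sequence number."""
    ike = ike_states(isakmp_sa)
    hits = acl_hit_totals(acl_hits)
    findings = []
    for (_, seq), e in sorted(static_entries(crypto_map).items()):
        peer, acl = e.get("peer"), e.get("acl")
        state = ike.get(peer)
        acl_total = hits.get(acl)
        if state in ("MM_ACTIVE", "AM_ACTIVE"):
            verdict = "phase1_up"
        elif state is not None:
            verdict = "phase1_negotiating"        # e.g. MM_WAIT_MSG2: stuck mid-exchange
        elif acl_total is None:
            verdict = "no_ike_sa_acl_not_in_output"  # cannot tell without that ACL's hitcnt
        elif acl_total > 0:
            verdict = "phase1_never_established"  # traffic matched, no SA: fix phase 1
        else:
            verdict = "no_interesting_traffic"    # nothing has tried to use the tunnel
        findings.append({"seq": seq, "peer": peer, "acl": acl,
                         "ike_state": state, "acl_hits": acl_total, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in diagnose(CRYPTO_MAP, ISAKMP_SA, ACL_HITS):
        print(f)
```

Run against the posted outputs, the entry for 33.33.33.33 comes out as phase1_never_established: the ASA is seeing traffic that should trigger the tunnel but never gets an ISAKMP SA with that peer, so the next step is on phase 1 itself (debug crypto isakmp on both ends, and a line-by-line comparison of the isakmp policies, the pre-shared key and the peer addresses on both sides), not on NAT exemption or the crypto ACLs. The entry for 66.66.66.66 is reported as no_ike_sa_acl_not_in_output only because the site6 ACL was not included in the sample. Two things in the posted config are also worth fixing before the tunnel goes to production: the pre-shared key shown in the first post is "test", and isakmp policy 70 still offers DES with MD5.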
01-06-2011 08:27 PM
Please attach the output of:
sh access-list nonat
sh access-list nodmznat
sh access-list noremsitenat
sh ip
Regards,
Anisha
01-07-2011 08:40 AM