01-29-2012 03:09 PM
Hi there,
I am trying to establish a site-to-site VPN connection between an ASA5510 and a Westermo DR250.
The setup for the Westermo is supposed to work, as I have 20 of those deployed in the field running ipsec-l2l with a Cisco 1812.
But anyway, as a test I opened all ports from the Westermo to the ASA.
I used ASDM to set up the rules for the ASA.
Permit the following rules:
OUTSIDE interface
permit from ASA_outside_interface to westermo_outside_interface port UDP 500, ESP, AH, UDP 4500.
permit from westermo_outside_interface to ASA_outside_interface port UDP 500, ESP, AH, UDP 4500.
This is the sh ru crypto:
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal ARC
 protocol esp encryption 3des
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap
crypto map OUTSIDE_map 1 set peer 125.236.X.X
crypto map OUTSIDE_map 1 set ikev1 phase1-mode aggressive
crypto map OUTSIDE_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map OUTSIDE_map 1 set ikev2 ipsec-proposal ARC
crypto map OUTSIDE_map interface OUTSIDE
crypto ikev2 policy 1
 encryption 3des
 integrity md5
 group 2
 prf md5
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
Output of debug crypto isakmp:
Jan 29 2012 10:10:05: %ASA-7-713236: IP = 125.236.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 344
Jan 29 2012 10:10:05: %ASA-7-715047: IP = 125.236.X.X, processing SA payload
Jan 29 2012 10:10:05: %ASA-7-715047: IP = 125.236.X.X, processing ke payload
Jan 29 2012 10:10:05: %ASA-7-715047: IP = 125.236.X.X, processing ISA_KE payload
Jan 29 2012 10:10:05: %ASA-7-715047: IP = 125.236.X.X, processing nonce payload
Jan 29 2012 10:10:05: %ASA-7-715047: IP = 125.236.X.X, processing ID payload
Jan 29 2012 10:10:05: %ASA-7-714011: IP = 125.236.X.X, ID_IPV4_ADDR ID received 125.236.X.X
Jan 29 2012 10:10:05: %ASA-7-715047: IP = 125.236.X.X, processing VID payload
Jan 29 2012 10:10:05: %ASA-7-715049: IP = 125.236.X.X, Received DPD VID
Jan 29 2012 10:10:05: %ASA-7-715047: IP = 125.236.X.X, processing VID payload
Jan 29 2012 10:10:05: %ASA-7-715049: IP = 125.236.X.X, Received NAT-Traversal ver 03 VID
Jan 29 2012 10:10:05: %ASA-7-715047: IP = 125.236.X.X, processing VID payload
Jan 29 2012 10:10:05: %ASA-7-715049: IP = 125.236.X.X, Received NAT-Traversal ver 02 VID
Jan 29 2012 10:10:05: %ASA-7-715047: IP = 125.236.X.X, processing VID payload
Jan 29 2012 10:10:05: %ASA-7-715049: IP = 125.236.X.X, Received NAT-Traversal RFC VID
Jan 29 2012 10:10:05: %ASA-7-715047: IP = 125.236.X.X, processing VID payload
Jan 29 2012 10:10:05: %ASA-7-715049: IP = 125.236.X.X, Received Cisco Unity client VID
Jan 29 2012 10:10:05: %ASA-7-713906: IP = 125.236.X.X, Connection landed on tunnel_group 125.236.X.X
Jan 29 2012 10:10:05: %ASA-7-715047: Group = 125.236.X.X, IP = 125.236.X.X, processing IKE SA payload
Jan 29 2012 10:10:05: %ASA-7-715028: Group = 125.236.X.X, IP = 125.236.X.X, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 1
Jan 29 2012 10:10:05: %ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,, constructing ISAKMP SA payload
Jan 29 2012 10:10:09: %ASA-7-715046: Group = 125.236.X.X, IP = 125.236.X.X,, constructing ke payload
Jan 29 2012 10:10:09: %ASA-7-715046: Group = 125.236.X.X, IP = 125.236.X.X,constructing nonce payload
Jan 29 2012 10:10:09: %ASA-7-713906: Group = 125.236.X.X, IP = 125.236.X.X,, Generating keys for Responder...
Jan 29 2012 10:10:09: %ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,constructing ID payload
Jan 29 2012 10:10:09: %ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,, constructing hash payload
Jan 29 2012 10:10:09: %ASA-7-715076:Group = 125.236.X.X, IP = 125.236.X.X,, Computing hash for ISAKMP
Jan 29 2012 10:10:09: %ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,, constructing Cisco Unity VID payload
Jan 29 2012 10:10:09: %ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,, constructing xauth V6 VID payload
Jan 29 2012 10:10:09: %ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,constructing dpd vid payload
Jan 29 2012 10:10:09: %ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,constructing NAT-Traversal VID ver 02 payload
Jan 29 2012 10:10:09: %ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,constructing NAT-Discovery payload
Jan 29 2012 10:10:09: %ASA-7-713906:Group = 125.236.X.X, IP = 125.236.X.X,computing NAT Discovery hash
Jan 29 2012 10:10:09: %ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,constructing NAT-Discovery payload
Jan 29 2012 10:10:09: %ASA-7-713906:Group = 125.236.X.X, IP = 125.236.X.X,computing NAT Discovery hash
Jan 29 2012 10:10:09: %ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,constructing Fragmentation VID + extended capabilities payload
%ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,constructing VID payload
%ASA-7-715048:Group = 125.236.X.X, IP = 125.236.X.X,Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = 125.236.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 424
%ASA-7-713906:Group = 125.236.X.X, IP = 125.236.X.X,IKE SA AM:d6b4a88d terminating: flags 0x01004001, refcnt 0, tuncnt 0
%ASA-7-713906:Group = 125.236.X.X, IP = 125.236.X.X,sending delete/delete with reason message
%ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,constructing blank hash payload
%ASA-7-715046: Group = 125.236.X.X, IP = 125.236.X.X,constructing IKE delete payload
%ASA-7-715046: Group = 125.236.X.X, IP = 125.236.X.X,constructing qm hash payload
%ASA-7-713236: IP = 125.236.X.X, IKE_DECODE SENDING Message (msgid=15cfffe3) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
I can ping both the router's and the ASA's outside interfaces from the respective boxes, but the VPN doesn't come up. It seems that the ASA doesn't receive any answer.
Any help would be really appreciated.
Yoan
01-30-2012 02:18 AM
Yoan,
There is no need to change outside ACL for control plane traffic.
It looks like UDP/500 traffic from ASA is not making it to the other end or UDP/500 (or 4500) is not making it from other side to ASA.
Get a sniffer trace + debugs on both sides to confirm which one is it.
M.
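A small triage script, added here as an example and not part of either post, that reads a responder-side ASA "debug crypto isakmp" capture like the one above and reports where the phase 1 exchange stalled, which is the question Marcin's reply asks the poster to settle with traces on both sides. The sample lines are constructed (trimmed from the shape of the thread's output, with the peer replaced by an RFC 5737 documentation address), and the classification is an assumption based on the IKEv1 aggressive-mode sequence: message 1 (SA, KE, NONCE, ID) from the initiator, message 2 from the responder carrying a HASH, then message 3 (HDR + HASH) from the initiator. A trace that shows message 2 sent and the SA torn down with no HASH-bearing message received points at the ASA's reply never reaching the peer rather than at a policy mismatch.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample (not real operational data): responder-side debug in the
# same shape as the thread's capture, peer masked with a documentation address.
SAMPLE_DEBUG = """\
Jan 29 2012 10:10:05: %ASA-7-713236: IP = 192.0.2.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + NONE (0) total length : 344
Jan 29 2012 10:10:05: %ASA-7-713906: IP = 192.0.2.10, Connection landed on tunnel_group 192.0.2.10
Jan 29 2012 10:10:05: %ASA-7-715028: Group = 192.0.2.10, IP = 192.0.2.10, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 1
Jan 29 2012 10:10:09: %ASA-7-713906: Group = 192.0.2.10, IP = 192.0.2.10, Generating keys for Responder...
%ASA-7-713236: IP = 192.0.2.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 424
%ASA-7-713906: Group = 192.0.2.10, IP = 192.0.2.10, IKE SA AM:d6b4a88d terminating: flags 0x01004001, refcnt 0, tuncnt 0
%ASA-7-713236: IP = 192.0.2.10, IKE_DECODE SENDING Message (msgid=15cfffe3) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
"""

# IKE_DECODE lines carry direction, message id and the payload chain.
DECODE_RE = re.compile(
    r"IKE_DECODE (?P<dir>RECEIVED|SENDING) Message \(msgid=(?P<msgid>[0-9a-f]+)\)"
    r" with payloads : (?P<payloads>.+?) total length"
)
PAYLOAD_RE = re.compile(r"([A-Z_-]+) \(\d+\)")          # e.g. "SA (1)", "NAT-D (130)"
TERMINATE_RE = re.compile(r"IKE SA (?:AM|MM):[0-9a-f]+ terminating")


@dataclass
class IkeTrace:
    received: List[List[str]] = field(default_factory=list)  # phase 1 msgs from peer
    sent: List[List[str]] = field(default_factory=list)      # phase 1 msgs from ASA
    proposal_matched: bool = False
    tunnel_group: Optional[str] = None
    terminated: bool = False


def parse_debug(text: str) -> IkeTrace:
    """Collect the phase 1 (msgid=0) messages and the key state-change events."""
    trace = IkeTrace()
    for line in text.splitlines():
        m = DECODE_RE.search(line)
        if m:
            payloads = [p for p in PAYLOAD_RE.findall(m.group("payloads")) if p != "NONE"]
            if m.group("msgid") == "0":  # phase 1 exchange; informational deletes use a random msgid
                bucket = trace.received if m.group("dir") == "RECEIVED" else trace.sent
                bucket.append(payloads)
            continue
        if "acceptable Matches global IKE entry" in line:
            trace.proposal_matched = True
        elif "landed on tunnel_group" in line:
            trace.tunnel_group = line.rsplit("tunnel_group", 1)[1].strip()
        elif TERMINATE_RE.search(line):
            trace.terminated = True
    return trace


def diagnose(trace: IkeTrace) -> Tuple[str, str]:
    """Return (code, explanation) describing where phase 1 stopped."""
    if not trace.received:
        return ("NO_INBOUND", "No IKE message arrived from the peer: inbound UDP/500 "
                "(or UDP/4500) is not reaching the ASA, or the peer never initiated.")
    if not trace.proposal_matched:
        return ("POLICY_MISMATCH", "The peer's IKE proposal was not accepted: compare "
                "encryption, hash, DH group, authentication and lifetime on both sides.")
    mode = "aggressive" if {"SA", "KE", "ID"} <= set(trace.received[0]) else "main"
    peer_hash_seen = any("HASH" in p for p in trace.received)
    if trace.sent and not peer_hash_seen and trace.terminated:
        return ("PEER_REPLY_MISSING", f"The ASA answered the peer's first {mode}-mode message, "
                "but no HASH-bearing message came back before the SA was torn down: the ASA's "
                "outbound UDP/500 reply is probably not reaching the peer, or the peer rejected "
                "it silently. Confirm with a capture on both ends.")
    if peer_hash_seen:
        return ("PHASE1_PROGRESSED", "The peer authenticated; look at phase 2 (IPsec SA) debugs.")
    return ("INCONCLUSIVE", "Exchange incomplete in this capture; collect a longer debug.")


if __name__ == "__main__":
    code, why = diagnose(parse_debug(SAMPLE_DEBUG))
    print(f"{code}: {why}")
```

Run it against a pasted debug (replace SAMPLE_DEBUG or read a file) and act on the code: PEER_REPLY_MISSING means the proposal already matched, so changing crypto policies will not help; the next step is the sniffer trace on the far side to see whether the ASA's second message ever arrives.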
02-01-2012 05:37 PM
Hi Marcin,
Thanks for your reply and sorry for my late answer.
I want to be sure I have set it up properly before coming back to you with a success or not.
I will let you know.
Cheers.
Y
02-07-2012 06:21 PM
Hi there,
The site-to-site VPN is now set up.
ASA5510: follow the ASDM site-to-site VPN wizard.
I used for ISAKMP: IKEv1, AES-256-SHA1, D-H Group 2, preshared key.
For IPsec: AES-256, SHA, tunnel mode.
crypto ikev1 enable OUTSIDE
Static NAT (INSIDE,OUTSIDE) source static "NET_source" "NET_source" destination static "NET_dest" "NET_dest"
WESTERMO DR250
Same config as above.
Configure the firewall to allow traffic to/from ASA
Configure the firewall to allow traffic to/from WESTERMO subnet to/from ASA subnet.
The only thing is that the pre-shared key is configured when a user is created! Tricky.
Configure -> Users -> UsersX (X = [0;14]), Name = IP address of the VPN peer, here the ASA.
Password = pre-shared key.
Note: you can choose any user number; the box will check all users until one matches.
Cheers.