VPN Tunnel S2S between ASA 5505 and Cisco 2801

armandorf
Level 1

Hello,

I have problems establishing a tunnel between ASA 5505 and Cisco 2801.

This is the config I use and it has been working for a while. For some reason it suddenly stopped working.

Can you help me to spot the error? Thanks

 

Cisco 2801(Main Office):

 

crypto isakmp policy 5
encr aes 256
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 6
encr aes 256
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 7
encr aes 256
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 8
encr aes 256
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 9
encr aes 256
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 11
encr aes 256
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 12
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 14
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 15
encr aes 256
hash md5
authentication pre-share
group 2
crypto isakmp key salugano address ASA 5505 IP
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic

!
crypto ipsec security-association idle-time 1800
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set myset2 ah-sha-hmac esp-aes esp-sha-hmac

crypto ipsec transform-set strongSA-IMC esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile VTI-PROFILE
set transform-set strongBEUSA2
!
!
crypto dynamic-map securidvpnclient 15
set transform-set myset
set isakmp-profile securidprofile
reverse-route
!
crypto dynamic-map vpnclient 10
set transform-set myset
set isakmp-profile testprofile
reverse-route
!
!
crypto map vpn local-address FastEthernet0/0

crypto map vpn 16 ipsec-isakmp
description VPNTEST
set peer ASA 5505 IP
set security-association lifetime seconds 86400
set security-association idle-time 120 default
set transform-set strongSA-IMC
match address 129
crypto map vpn 17 ipsec-isakmp
description -=Corina=-
set peer 1xxx
set security-association lifetime seconds 86400
set security-association idle-time 86400
set transform-set strongvoip
match address 130

crypto map vpn 25 ipsec-isakmp dynamic securidvpnclient
!

 

ASA 5505 (remote location):

 

crypto ipsec ikev1 transform-set strongSA-IMC esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map IMC-map 1 match address VPN-SA-IMCL
crypto map IMC-map 1 set pfs
crypto map IMC-map 1 set peer Cisco 2801 IP
crypto map IMC-map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map IMC-map 1 set reverse-route
crypto map IMC-map interface outside-telefonica(ASA 5505 IP)
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable outside-fibertel
crypto ikev1 enable outside-telefonica
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1   


tunnel-group Cisco 2801 IP type ipsec-l2l
tunnel-group Cisco 2801 IP general-attributes
default-group-policy GroupPolicy1
tunnel-group Cisco 2801 IP ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key C
tunnel-group Cisco 2801 IP type ipsec-l2l
tunnel-group Cisco 2801 IP general-attributes
default-group-policy GroupPolicy1
tunnel-group Cisco 2801 IP ipsec-attributes
ikev1 pre-shared-key *****
!

 

ASA 5505 sh crypto isa sa shows nothing.

On Cisco 2801 side:

 

.Nov 13 14:52:25.378 ARG: ISAKMP:(0:1777:HW:2):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE
.Nov 13 14:52:27.086 ARG: ISAKMP:(0:0:N/A:0):purging SA., sa=659E3E88, delme=659E3E88
.Nov 13 14:52:27.158 ARG: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 172.31.4.2, remote= ASA 5505 IP,
local_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4),
remote_proxy= 192.168.22.0/255.255.255.0/0/0 (type=4)
.Nov 13 14:52:27.158 ARG: ISAKMP: received ke message (3/1)
.Nov 13 14:52:27.158 ARG: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

.Nov 13 14:52:27.158 ARG: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer ASA 5505 IP)
.Nov 13 14:52:27.158 ARG: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peerASA 5505 IP)
.Nov 13 14:52:27.158 ARG: ISAKMP: Unlocking IKE struct 0x66015574 for isadb_mark_sa_deleted(), count 0
.Nov 13 14:52:27.158 ARG: ISAKMP: Deleting peer node by peer_reap for ASA 5505 IP: 66015574
.Nov 13 14:52:27.158 ARG: ISAKMP:(0:0:N/A:0):deleting node -879990099 error FALSE reason "IKE deleted"
.Nov 13 14:52:27.158 ARG: ISAKMP:(0:0:N/A:0):deleting node -158567796 error FALSE reason "IKE deleted"
.Nov 13 14:52:27.158 ARG: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
.Nov 13 14:52:27.158 ARG: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

.Nov 13 14:52:27.158 ARG: IPSEC(key_engine): got a queue event with 1 kei messages
.Nov 13 14:52:27.202 ARG: ISAKMP:(0:0:N/A:0):purging SA., sa=651AD370, delme=651AD370
.Nov 13 14:52:27.238 ARG: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 172.31.4.2, remote=  ASA 5505 IP,
local_proxy= 10.0.0.0/255.0.0.0/0/0 (type=4),
remote_proxy= 192.168.X.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac (Tunnel),
lifedur= 86400s and 4608000kb,
spi= 0x790311F3(2030244339), conn_id= 0, keysize= 0, flags= 0x400E
.Nov 13 14:52:27.238 ARG: ISAKMP: received ke message (1/1)
.Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
.Nov 13 14:52:27.238 ARG: ISAKMP: Created a peer struct for  ASA 5505 IP, peer port 500
.Nov 13 14:52:27.238 ARG: ISAKMP: New peer created peer = 0x66015574 peer_handle = 0x80283735
.Nov 13 14:52:27.238 ARG: ISAKMP: Locking peer struct 0x66015574, IKE refcount 1 for isakmp_initiator
.Nov 13 14:52:27.238 ARG: ISAKMP: local port 500, remote port 500
.Nov 13 14:52:27.238 ARG: ISAKMP: set new node 0 to QM_IDLE
.Nov 13 14:52:27.238 ARG: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 65A28830
.Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
.Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching ASA 5505 IP
.Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
.Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
.Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
.Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
.Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1

.Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
.Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0): sending packet to  ASA 5505 IP my_port 500 peer_port 500 (I) MM_NO_STATE
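As an added check (example code, not part of the thread): the script below parses the 2801's "crypto isakmp policy" blocks and the ASA's "crypto ikev1 policy" blocks and reports which pairs agree on encryption, hash, authentication and DH group, applying the IOS defaults for attributes the router config leaves out (policy 10 above has no hash line, policy 12 no encr line).

```python
# Added example, not from the thread. An IOS "crypto isakmp policy" block that omits an
# attribute uses these defaults; the ASA blocks in the thread spell out every attribute.
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
KEYWORDS = {"encr": "encryption", "encryption": "encryption", "hash": "hash",
            "authentication": "authentication", "group": "group", "lifetime": "lifetime"}
ATTRS = ("encryption", "hash", "authentication", "group")  # lifetime is negotiated down, not matched

def parse_policies(text, prefix, defaults):
    """Return {policy_number: {attribute: value}} for each block whose header starts with prefix."""
    policies, current = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if raw.startswith(prefix):
            current = policies.setdefault(parts[-1], dict(defaults))
        elif current is not None and parts and parts[0] in KEYWORDS:
            # "encr aes 256" (IOS) and "encryption aes-256" (ASA) both normalise to "aes-256"
            current[KEYWORDS[parts[0]]] = "-".join(parts[1:])
        else:
            current = None  # "!" or any other line closes the block
    return policies

def matching_proposals(ios_text, asa_text):
    """(ios_policy, asa_policy) pairs whose encryption, hash, authentication and DH group all agree."""
    ios = parse_policies(ios_text, "crypto isakmp policy ", IOS_DEFAULTS)
    asa = parse_policies(asa_text, "crypto ikev1 policy ", {})
    return [(i, a) for i, p in ios.items() for a, q in asa.items()
            if all(p.get(k) == q.get(k) for k in ATTRS)]

# Two of the 2801 policy blocks and the ASA policy 10 block, copied from the thread
IOS_2801 = """crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 12
hash md5
authentication pre-share
group 2
"""
ASA_5505 = """crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
"""

if __name__ == "__main__":
    # 2801 policy 10 (3des, default hash sha, pre-share, group 2) matches ASA policy 10
    print(matching_proposals(IOS_2801, ASA_5505))  # -> [('10', '10')]
```

Phase 1 can still fail with a matching pair (wrong pre-shared key, or no reply at all, as in the debug above), but an empty list here would point straight at a proposal mismatch.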

3 Replies

Hi,

What about the commands show crypto isakmp sa and show crypto ipsec sa?

Also, do you have two tunnels to the 2801? I'd recommend you clean up everything that is not necessary; this can bring chaos when something goes wrong.

 

!

tunnel-group Cisco 2801 IP type ipsec-l2l
tunnel-group Cisco 2801 IP general-attributes
default-group-policy GroupPolicy1
tunnel-group Cisco 2801 IP ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key C
tunnel-group Cisco 2801 IP type ipsec-l2l
tunnel-group Cisco 2801 IP general-attributes
default-group-policy GroupPolicy1
tunnel-group Cisco 2801 IP ipsec-attributes
ikev1 pre-shared-key *****
!

 -If I helped you somehow, please, rate it as useful.-

Thanks for your reply.

 

ASA-55051# sh crypto isa sa

There are no IKEv1 SAs

There are no IKEv2 SAs
ASA-5505 show crypto ipsec sa

There are no ipsec sas

 

 

 

vpnserver#sh crypto isakmp sa
dst                    src             state                 conn-id slot status
xxxxxxxxxxxx 172.31.4.2 MM_NO_STATE   0     0      ACTIVE
xxxxxxxxxxxx 172.31.4.2 MM_NO_STATE   0     0      ACTIVE (deleted)

 

vpnserver# sh crypto ipsec sa

current_peer ASA 5505 IP port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 10118, #recv errors 0

local crypto endpt.: 172.31.4.2, remote crypto endpt.: ASA 5505 IP
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

You have no Phase 1 mounted. Can both devices ping each other?

Try to force the tunnel to go up. From some device behind the ASA or the router, try to ping some device on the other end.

-If I helped you somehow, please, rate it as useful.-
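To read a capture like the 2801 output above more systematically, here is an added example (not from the thread) that tallies ISAKMP packets sent and received, the furthest Main Mode state reached and any SA delete reasons; the sample lines are constructed after the poster's output, with 198.51.100.2 standing in for the masked ASA 5505 IP.

```python
import re

# Added example, not from the thread: summarise how far Main Mode got in an IOS
# "debug crypto isakmp" capture. The sample lines are constructed to mimic the 2801 output
# above, with 198.51.100.2 standing in for the ASA 5505 IP the poster masked.
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
SEND_RE = re.compile(r"sending packet to\s+\S+ my_port \d+ peer_port \d+ \((I|R)\) (\S+)")
RECV_RE = re.compile(r"received packet from\s+\S+")
DEL_RE = re.compile(r'deleting SA reason "([^"]+)"')
# Initiator Main Mode states in order; reaching IKE_I_MM2 requires a reply from the peer
MM_ORDER = ["IKE_READY", "IKE_I_MM1", "IKE_I_MM2", "IKE_I_MM3", "IKE_I_MM4",
            "IKE_I_MM5", "IKE_I_MM6", "IKE_P1_COMPLETE"]

def phase1_summary(lines):
    """Count packets each way, record the furthest state reached and any SA delete reasons."""
    s = {"sent": 0, "received": 0, "furthest_state": None, "delete_reasons": []}
    furthest = -1
    for line in lines:
        if SEND_RE.search(line):
            s["sent"] += 1
        elif RECV_RE.search(line):
            s["received"] += 1
        m = STATE_RE.search(line)
        if m and m.group(2) in MM_ORDER:
            furthest = max(furthest, MM_ORDER.index(m.group(2)))
        d = DEL_RE.search(line)
        if d:
            s["delete_reasons"].append(d.group(1))
    if furthest >= 0:
        s["furthest_state"] = MM_ORDER[furthest]
    if s["furthest_state"] == "IKE_P1_COMPLETE":
        s["verdict"] = "phase 1 completed"
    elif s["sent"] and not s["received"]:
        s["verdict"] = "MM1 sent but nothing received: the peer is unreachable or not answering on UDP/500"
    else:
        s["verdict"] = "phase 1 exchanged packets but did not complete: check proposals, PSK and delete reasons"
    return s

SAMPLE = [  # constructed, modelled on the thread's debug output
    '.Nov 13 14:52:27.158 ARG: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 198.51.100.2)',
    ".Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0):Old State = IKE_READY New State = IKE_I_MM1",
    ".Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange",
    ".Nov 13 14:52:27.238 ARG: ISAKMP:(0:0:N/A:0): sending packet to 198.51.100.2 my_port 500 peer_port 500 (I) MM_NO_STATE",
]

if __name__ == "__main__":
    print(phase1_summary(SAMPLE))
```

The same picture shows in the poster's show output: MM_NO_STATE in show crypto isakmp sa and a growing #send errors counter with zero SAs in show crypto ipsec sa mean the router keeps sending MM1 and never hears back.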