11-04-2012 10:56 AM
Hi guys,
I have an issue with hub and spoke vpn connectivity.
My connection is like the following
                  ------ ISP1 (Static IP) -----
SPOKE (Branch) ---|                           |---- INTERNET ---- HUB with Static IP (HQ)
                  ------ ISP2 (Dynamic IP) ----
To achieve VPN failover for the branch, I configured dynamic-to-static L2L with DefaultL2LGroup on HQ.
HQ uses an ASA 5540 with 8.4(3) and the branch runs an ASA 5520 with 8.2(2).
HQ Config
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map mydyn 10 set transform-set myset
crypto map mymap 60000 ipsec-isakmp dynamic mydyn
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Branch Config
access-list ISPBackup_1_cryptomap extended permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.x.x 255.255.255.0 172.16.x.x 255.255.255.0
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto map ISPBackup_map 1 match address ISPBackup_1_cryptomap
crypto map ISPBackup_map 1 set peer x.x.x.x
crypto map ISPBackup_map 1 set transform-set ESP-3DES-SHA
crypto map ISPBackup_map 1 set reverse-route
crypto map ISPBackup_map interface ISPBackup
crypto isakmp enable outside
crypto isakmp enable ISPBackup
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 3600
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
The default route on the branch is a tracked one, always preferring ISP1.
My concern is that whenever interesting traffic hits the branch ASA, it initiates a VPN to HQ and Phase 1 completes, but I always get a Phase 2 error.
When I check the debug on the HQ ASA, what I see is that after Phase 1 the HQ ASA checks each STATIC crypto map and then gives a message that the connection is pointing to a dynamic map. But it never checks any of my dynamic crypto maps; instead, in the next log line the ASA complains that all IPsec proposals were found unacceptable, and then it tears down Phase 1.
I know that a Phase 2 error can be caused by a mismatch in transform sets, PFS, interesting traffic, etc. I tried all the combinations, making everything an exact mirror, without any luck; I keep ending up with the same problem.
The interesting fact is that it was working perfectly with this setup before I upgraded to 8.4(3).
Any idea, what to do now?
11-04-2012 12:35 PM
Hello,
HQ running 8.4.3
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map mydyn 10 set transform-set myset
crypto map mymap 60000 ipsec-isakmp dynamic mydyn
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
This cannot be the configuration, as we now use ikev1 commands.
Can you share the updated config, please?
11-04-2012 08:49 PM
Very true,
I just gave the normal command sets for the HUB :-)
My actual configuration is as follows:
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set my-set esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set test esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set myset esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set mydynset esp-3des esp-sha-hmac
crypto dynamic-map DYN_L2L 3 match address Outside_cryptomap_1
crypto dynamic-map DYN_L2L 3 set ikev1 transform-set my-set mydynset
crypto dynamic-map DYN_L2L 3 set reverse-route
crypto map mymap 3 ipsec-isakmp dynamic DYN_L2L
crypto map mymap 60000 ipsec-isakmp dynamic dynmap
crypto map mymap interface Outside
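Added example, not part of the thread: a small Python checker that parses the hub's 8.4 `ikev1` transform-set syntax and the spoke's 8.2 syntax from constructed excerpts of the configs posted above, and reports whether the two sides share an ESP proposal and whether any crypto map references a transform-set that is not defined. The spoke's ESP-3DES-SHA definition is assumed, since the post does not show it.

```python
import re

# Constructed excerpts based on the configs posted in this thread. The spoke's
# ESP-3DES-SHA definition is not shown in the post, so that line is an assumption.
HUB_CFG = """\
crypto ipsec ikev1 transform-set my-set esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set mydynset esp-3des esp-sha-hmac
crypto dynamic-map DYN_L2L 3 set ikev1 transform-set my-set mydynset
crypto map mymap 3 ipsec-isakmp dynamic DYN_L2L
"""
SPOKE_CFG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map ISPBackup_map 1 set transform-set ESP-3DES-SHA
"""

# 8.4 prefixes IKEv1 objects with "ikev1"; 8.2 does not. Both spellings are accepted.
TSET_DEF = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$")
MAP_TSET = re.compile(r"^crypto (?:dynamic-map|map) (\S+) (\d+) set (?:ikev1 )?transform-set (.+)$")


def proposals(cfg):
    """Return the ESP proposals a device can negotiate and any dangling transform-set names."""
    tsets = {}            # transform-set name -> frozenset of ESP algorithms
    offered, unresolved = set(), []
    for line in cfg.splitlines():
        if m := TSET_DEF.match(line.strip()):
            tsets[m[1]] = frozenset(m[2].split())
    for line in cfg.splitlines():
        if m := MAP_TSET.match(line.strip()):
            for name in m[3].split():
                if name in tsets:
                    offered.add(tsets[name])
                else:
                    unresolved.append(f"{m[1]} {m[2]}: transform-set {name} is not defined")
    return offered, unresolved

def check_phase2(hub_cfg, spoke_cfg):
    """List the Phase 2 problems visible from two configs; an empty list means compatible."""
    hub, findings = proposals(hub_cfg)
    spoke, spoke_unresolved = proposals(spoke_cfg)
    findings += spoke_unresolved
    if not hub & spoke:
        findings.append("no common ESP proposal: hub offers %s, spoke offers %s"
                        % (sorted(map(sorted, hub)), sorted(map(sorted, spoke))))
    return findings

if __name__ == "__main__":
    print(check_phase2(HUB_CFG, SPOKE_CFG) or "Phase 2 proposals match")
```

With the excerpts as posted, both sides share esp-3des/esp-sha-hmac, so a proposal mismatch alone does not explain the failure; the checker is meant to rule that cause in or out before looking at the dynamic-map ACL and PFS settings.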