IPSec tunnel doesn't work
Hi,
I'm practicing a little with 2 routers CISCO 2811 and 2621. I made the basic configuration for an IPSec connection but the tunnel doesn't seem to come up. Also, I can ping each other router's external interface but I can't ping the inside network behind each one. Any Ideas? The outside interface are connected via croosover UTP cable. These are the sh run of each one:
Router 2621:
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
hostname RPrueba2
logging buffered 51200 warnings
enable secret 5 $1$oNw1$SQaqP.FazBuaiVZ3MHte70
username supervisor privilege 15 password 7 07062F49420C1A110513
voice-card 1
ip subnet-zero
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key Inelectra address 20.20.20.21
crypto ipsec transform-set basic esp-des esp-md5-hmac
crypto map armadillo 1 ipsec-isakmp
set peer 20.20.20.21
set security-association lifetime seconds 4000
set transform-set basic
set pfs group1
match address 101
call rsvp-sync
controller E1 1/0
interface FastEthernet0/0
ip address 192.168.250.1 255.255.255.0
duplex auto
speed auto
interface Serial0/0
no ip address
shutdown
interface FastEthernet0/1
ip address 20.20.20.1 255.255.255.0
duplex auto
speed auto
crypto map armadillo
interface Serial0/1
no ip address
shutdown
interface Serial0/2
no ip address
shutdown
ip classless
ip route 0.0.0.0 0.0.0.0 20.20.20.21
ip http server
access-list 101 permit ip 192.168.250.0 0.0.0.255 any
access-list 102 permit ip 192.168.250.0 0.0.0.255 192.168.240.0 0.0.0.255
dial-peer cor custom
line con 0
password 7 020F0A5E07030C355E4F
login
line aux 0
line vty 0 4
privilege level 15
password 7 12100B121E0E0F10382A
login
transport input telnet ssh
end
Router 2811:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname RPrueba
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable secret 5 $1$oNw1$SQaqP.FazBuaiVZ3MHte70
no aaa new-model
resource policy
memory-size iomem 15
no network-clock-participate wic 1
ip subnet-zero
ip cef
voice-card 0
no dspfarm
username supervisor privilege 15 password 7 07062F49420C1A110513
controller E1 0/1/0
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key Inelectra address 20.20.20.1
crypto ipsec transform-set Ineset ah-md5-hmac esp-des
crypto ipsec transform-set basic esp-des esp-md5-hmac
crypto map armadillo 1 ipsec-isakmp
set peer 20.20.20.1
set security-association lifetime seconds 4000
set transform-set basic
set pfs group1
match address 102
interface FastEthernet0/0
ip address 192.168.240.1 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 20.20.20.21 255.255.255.0
duplex auto
speed auto
crypto map armadillo
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
ip classless
ip route 0.0.0.0 0.0.0.0 20.20.20.1
ip http server
no ip http secure-server
access-list 101 permit ip 192.168.240.0 0.0.0.255 any
access-list 102 permit ip 192.168.240.0 0.0.0.255 192.168.250.0 0.0.0.255
control-plane
line con 0
password 7 020F0A5E07030C355E4F
login
line aux 0
line vty 0 4
privilege level 15
password 7 12100B121E0E0F10382A
login
transport input telnet ssh
scheduler allocate 20000 1000
end
I also tried the show crypto isakmp sa and there is nothing on the tables. Thanks for any help.
Gustavo
Under crypto map armadilloin Router 2621 =
Use the crypto ACL 102 instead of 101.
match address 102
And then clear the isakmp sa and ipsec sa
then try to ping.
Similar Messages
-
Ipsec Authentication doesn't work
hi friends
in my hyper-v test lab, i have tree win2008 R2 VMs.
vm1= dc+enterprise root CA vm2 & vm3 are domain joined VMs.
in vm2, via MMC i obtained a computer certificate from vm1(enterprise root CA).
now in vm3, in windows firewal with advanced security console, i have created a connection security rule to secure RDP traffic (TCP 3389). this rule "requires authentication for inbound & requests Authentication for outbound traffic.
in authentication method i have selected computer certificate from vm1(enterprise-CA).
but vm2 cannot establish remote desktop to vm3. (although it has obtained a computer certificate from my enterprise CA)
is any additional configuration required in CA or any other place ?
any help pleaseHi,
you must create a IPsec rule on vm2 as well with the traget IP address of vm3.
See also http://secattic.blogspot.com/2013/11/creating-ipsec-tunnel-with-windows.html
Regards,
Lutz -
RTMPT / Tunneling doesn't work
I have Flash Media Streaming Server 3 running on a Windows
2003 machine with IIS 6. I can view the Video-on-demand samples
locally and remotely just fine using rtmp, but not rtmpt. I have
disabled socket pooling using httpcfg, but FMS 3 doesn't seem to be
binding to any IP addresses on port 80. Next steps?
hbzYou can add ports as a comma delimited list:
ADAPTOR.HOSTPORT = xxx.xxx.xxx.12:1935, 80
Then restart the FMS service, and you should be all set. You
can run netstat -nab from the command prompt to make sure FMS is
bound to port 80 -
IPSec Tunnel (reform) examples
Would it be possible to use Solaris 10u4 new IPSec tunnel (reform) feature to build Solaris VPN server, where I have a list of remote systems (each with different dynamic IP) and Solaris server which allows them to connect to internal network ?
Thanks.This link ( http://docs.sun.com/app/docs/doc/816-4554/6maoq0228?a=view ) has an overview of how IPsec Tunnel Mode policy works with a VPN. You should examine these for more examples.
A simple single-node remote access case would look like the following.
Assume:
C == client's external-network IP address
S == server's external-network IP address
c == client's internal IP address
s == server's internal-network IP address
On the server side:
Configure (but do not enable) an IP-in-IP tunnel once you've assigned the client's IP address (assume there are no other tunnels for now...):
ifconfig ip.tun0 plumb s c tsrc S tdst C
Now add policy for that tunnel, enabling JUST the single internal IP address for the client to go through. Add this line via ipsecconf(1M), let's use AES and HMAC-SHA-1
# When the "tunnel" keyword is present, inner-addresses are the selectors.
{tunnel ip.tun0 negotiate tunnel raddr *c* } ipsec {encr_algs aes encr_auth_algs sha1}
Then bring the tunnel up:
ifconfig ip.tun0 up
I assume you have IKE properly configured between S and C.
On the client side, it's pretty much the same but with local/remote or src/dst reversed:
ifconfig ip.tun0 plumb c s tsrc C tdst S
then feed this into ipsecconf(1M):
{ tunnel ip.tun0 negotiate tunnel laddr *c* } ipsec {encr_algs aes encr_auth_algs sha1}
and finally:
ifconfig ip.tun0 up.
The docs pointer shows office-to-office examples where you may wish to protect one or more subnets.
Hope this helps,
Dan
Edited by: danmcd on Sep 18, 2007 2:27 PM -
Hi, all,
I have seen a good post in google.com about how to make all the client's traffic though IPsec tunnel then out to the Internet from the Main site,now I attach this configuration and application for discussion, and what the problem is that I am still confused with the configuration on Main site , I hope anyone who can tell me more detail and how to accomplish it. Any answer will be appreciated , thank you !
Quote :
Question ? :
Mine is a very simple configuration. I have 2 sites linked via an IPsec tunnel. Dallas is my Main HQ R1 and Austin R2 is my remote office. I want all traffic from Austin to route thru the tunnel up to Dallas, then out to the Internet.
Dallas (Main) Lan Net is: 10.10.200.0/24
Austin (Remote) LAN Net is: 10.20.2.0/24
The Dallas (Main) site has a VPN config of:
Local Net: 0.0.0.0/0
Remote Net: 10.20.2.0/24
The Austin (Remote) site has a VPN config of:
10.20.2.0/24
Remote Net: 0.0.0.0/0
The tunnel gets established just fine. From the Austin LAN clients, I can ping the router at the main site (10.10.200.1). This is how I know the tunnel is created, but I cannot ping anything beyond the router from the Austin LAN, e.g. 8.8.8.8.
I'm sure it's something simple I failed to configure. Anyone have any pointers or hints?
Answer:
Thanks to Jimp from the other thread, I was able to see why it was not working. To fix, I had to change the Outbound NAT on the main side to Manual. Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0). Basically, I just created a copy of the default rule and changed the Source network.
Once I made this change, Voila! Traffic from the remote side started heading out to the Internet. Now all traffic flows thru the Main site. It makes perfect sense why I needed to make this change, it just took a slap in the head from Jimp to point me in the right direction.
My question ?
The answer said "To fix, I had to change the Outbound NAT on the main side to Manual. Then I created a new Outbound NAT rule that included the subnet from the Austin network (10.20.2.0). Basically, I just created a copy of the default rule and changed the Source network." what this mean and
how to do it , could anybody give me the specific configuration ? thanks a lot.Thank you for Jouni's reply, following is the configuration on Cisco 2800 router ,no firewall enable, :
crypto isakmp policy 100
encr aes 256
authentication pre-share
group 2
crypto isakmp key x.x.x address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
crypto ipsec transform-set IPsectrans esp-3des esp-md5-hmac
crypto dynamic-map IPsecdyn 100
set transform-set IPsectrans
match address 102
crypto map IPsecmap 100 ipsec-isakmp dynamic IPsecdyn
interface Loopback1
ip address 10.10.200.1 255.255.255.0
interface FastEthernet0/0
ip address 113.113.1.1 255.255.255.128
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map IPsecmap
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip route 0.0.0.0 0.0.0.0 113.113.1.2
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any 10.20.2.0 0.0.0.255 -
L2TP on Cisco ASA 5505, just doesn't work??!
This is pretty urgent, client expects me to have this up by lunch today
So, there is this Cisco ASA 5505 ver 8.4.
Most things work but now I want to setup a vpn connection...
I have done this 2 ways, first by using the "VPN Wizard" in ASDM and then 5 hours later removing everything and configuring from cli.
And it just doesn't work, client (WinXP & Win7) gets "error 792" and sometimes "error 789" (both indicating problem with phase 1, I'm pretty sure of that)
Googling on those gives a few suggestions none works.
All I get in the log on Cisco is the "Error processing payload: Payload ID: 1"
Googling on that only comes up with a few pages telling me this message is caused by an error. (Yeah, I could never have guessed...)
For the cli config, I followed this tutorial carefully (3 times actually...)
http://www.cisco.com/en/US/docs/secu...html#wp1117464
I'm using PSK for IPSec, entered same on Cisco and client - checked several times, this is not a password/PSK issue.
Ports opened on Cisco: 500, 1701, 4500
(For a try I opened all ports, no change.)
And here's the "show run":
Code:
ASA Version 8.4(2)
hostname ciscoasa
enable password <string> encrypted
passwd <string> encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address #.#.#.# 255.255.255.252
interface Vlan7
description VLAN till kontor
no forward interface Vlan2
nameif kontor
security-level 100
ip address 172.16.5.1 255.255.255.0
ftp mode passive
clock timezone GMT 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Webserver
host 192.168.5.2
object network Webserver443
host 192.168.5.2
object network rdp
host 192.168.5.2
object network vpnserver
host 192.168.5.2
object service vpn-service-group
object network VPN
host 192.168.5.2
object-group service Webports tcp-udp
description Portar för webbserver
port-object eq 443
port-object eq www
object-group service DM_INLINE_TCP_1 tcp
group-object Webports
port-object eq www
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service VPNports tcp-udp
port-object eq 1701
port-object eq 4500
port-object eq 500
object-group service RDP tcp-udp
port-object eq 3389
object-group service vpn-services tcp-udp
port-object eq 1701
port-object eq 500
access-list outside_access_in extended permit tcp any object Webserver eq www
access-list outside_access_in_1 extended permit tcp any object Webserver object-group DM_INLINE_TCP_1
access-list outside_access_in_1 remark Ãppnar för vpn
access-list outside_access_in_1 extended permit object-group TCPUDP any any object-group VPNports
access-list outside_access_in_1 extended permit object-group TCPUDP any any object-group RDP
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu kontor 1500
ip local pool vpn1 10.10.10.10-10.10.10.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
object network obj_any
nat (inside,outside) dynamic interface
object network Webserver
nat (inside,outside) static interface service tcp www www
object network Webserver443
nat (inside,outside) static interface service tcp https https
object network rdp
nat (inside,outside) static interface service tcp 3389 3389
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 79.142.243.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev2 ipsec-proposal 3DES-SHA
protocol esp encryption aes-256 aes-192 aes 3des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal 3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
proxy-ldc-issuer
crl configure
crypto ca certificate chain ASDM_TrustPoint0
.... (sorry, not giving you the cert...)
crypto ikev2 policy 1
encryption 3des
integrity sha
group 2 1
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 1
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 1
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
l2tp tunnel hello 100
dhcpd dns 8.8.8.8
dhcpd auto_config outside
dhcpd address 192.168.5.11-192.168.5.36 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
address-pools value vpn1
group-policy DfltGrpPolicy attributes
dns-server value 79.142.240.10
vpn-tunnel-protocol l2tp-ipsec
address-pools value vpn1
username test password <string> nt-encrypted
username someoneelse password <string> nt-encrypted privilege 15
username someoneelse attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
service-type admin
username someone password <string> nt-encrypted privilege 0
tunnel-group DefaultRAGroup general-attributes
authorization-server-group LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group vpn1 type remote-access
tunnel-group vpn1 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:dd92aa6707dc63e8ed7dad47cfecdd47
: end
In Pingvino Veritas!I lmost got it working now, new problem is that the connection is immediately ended.
Logs shows that client is authenticated and assigned an ip.
From the logs, all happens during one second:
IPAA: Client assigned ip-address from local pool
IPAA: Local pool request succeeded for tunnel-group
IPAA: Freeing local pool address
L2TP Tunnel created, tunnel_id is 24
L2TP Tunnel deleted, tunnel_id =24
IPSEC: An outbound remote access SA has been deleted
IPSEC: An inbound remote access SA has been deleted
Session is being torn down. Reason: L2TP initiated
Teardown UDP connection -
The tale of two IPSec Tunnels...
I'm trying to set up an ipsec tunnel at a particular site, and I am just stumped at this point. I have two sites I'm working with, a test site on my bench and the other actual site at another location. Both are ASA 5510's, both are running ASA v8.2(5). The test site has a 3560 off of it, and the production site has a 3750 stack off it. I don't think that part should matter, though.
I used the wizard to create the ipsec configuration on both devices, test and prod, and used the same naming on both to help compare. The test site connects and I can ssh to the 3560 behind it just fine. The production site, however, cannot connect to that 3750 or ping it to save my life. I've poured through the configs on both, and although there are just a couple of differences, the two ASA's are pretty close in configs.
At first I thought it was an acl issue, but I've filtered the logs by syslog id 106023 to watch for denys by access group. When I try to connect to the 3750, I get absolutely no entry in the log that anything is being denied, so I figure that's not it.
Then I thought it may be a routing issue. The one difference between the two sites is that the test site is using eigrp to disperse routes between the asa and switch, while the production site is using static routes. But I also didn't think that would've mattered, because on the static route switch I even put a static route in there to the vpn network which didn't make a difference.
I've also run packet traces on the firewall when doing a ping, and on the test siteI see echo requests and replies. Oon the production site I only see requests, no replies. My encap counters don't increment during pings, but the decap counters do, which make sense.
Other things to note: The test site that works also has a site-to-site vpn up and runnning, so you'll see that in the config as well. Client is Mac OS X 10.6.8, using the Cisco IPSec Config.
I'm hoping someone can look at my configs and tell me if they see anything I'm missing on them that could help solve my problems. I'd appreciate it! Thanks
Test Site that works
Production Site that Doesn't
testasa01-5510# sh run
: Saved
ASA Version 8.2(5)
hostname testasa01-5510
names
interface Ethernet0/0
nameif outside
security-level 0
ip address <outsideif> 255.255.255.240
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.39.194.2 255.255.255.248
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
no ip address
management-only
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
access-list inside_access_in extended permit ip 10.39.0.0 255.255.0.0 any log disable
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.139.0 255.255.255.240
access-list outside_cryptomap extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list remoteaccess extended permit ip 172.16.139.0 255.255.255.240 any log disable
tcp-map WSOptions
tcp-options range 24 31 allow
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn_ip_pool 172.16.139.0-172.16.139.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
global (outside) 100 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 100 10.39.0.0 255.255.0.0
access-group inside_access_in in interface inside
router eigrp 100
network 10.0.0.0 255.0.0.0
passive-interface default
no passive-interface inside
route outside 0.0.0.0 0.0.0.0 <outsideif> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set pfs group1
crypto map outside_map1 1 set peer 209.242.145.200
crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 170
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 60
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server <server> source inside
webvpn
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 8.8.8.8
vpn-filter value remoteaccess
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
split-tunnel-all-dns disable
vlan none
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool vpn_ip_pool
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *****
tunnel-group 111.222.333.444 type ipsec-l2l
tunnel-group 111.222.333.444
general-attributes
default-group-policy GroupPolicy1
tunnel-group 111.222.333.444
ipsec-attributes
pre-shared-key *****
class-map WSOptions-class
match any
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class WSOptions-class
set connection advanced-options WSOptions
policy-map type inspect ip-options ip-options-map
parameters
eool action allow
nop action allow
router-alert action allow
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
: end
mp01-5510asa# sh run
: Saved
ASA Version 8.2(5)
hostname mp01-5510asa
names
interface Ethernet0/0
nameif inside
security-level 100
ip address 10.29.194.2 255.255.255.252
interface Ethernet0/1
nameif dmz
security-level 50
ip address 172.16.29.1 255.255.255.0
interface Ethernet0/2
description
nameif backup
security-level 0
ip address <backupif> 255.255.255.252
interface Ethernet0/3
description
speed 100
duplex full
nameif outside
security-level 0
ip address <outsideif> 255.255.255.248
interface Management0/0
nameif management
security-level 100
ip address 10.29.199.11 255.255.255.0
management-only
banner login Authorized Use Only
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group network DM_INLINE_NETWORK_1
network-object 10.29.1.0 255.255.255.0
network-object 10.29.15.0 255.255.255.0
network-object 10.29.199.0 255.255.255.0
network-object 10.29.200.0 255.255.255.0
network-object 10.29.31.0 255.255.255.0
access-list inside_access_in extended permit ip 10.29.0.0 255.255.0.0 any log warnings
access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any log warnings
access-list inside_access_in extended permit ip 192.168.29.0 255.255.255.0 any log warnings
access-list inside_access_in extended permit ip 10.29.32.0 255.255.255.0 any log warnings
access-list outside_access_in extended permit ip any host 50.59.30.116 log warnings
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.254.29.0 255.255.255.0 log warnings
access-list remoteaccess extended permit ip 10.254.29.0 255.255.255.0 any log warnings
access-list RemoteAccess2_splitTunnelAcl standard permit 10.29.0.0 255.255.0.0
pager lines 24
logging enable
logging list acl-messages message 106023
logging buffered acl-messages
logging asdm acl-messages
mtu inside 1500
mtu dmz 1500
mtu backup 1500
mtu outside 1500
mtu management 1500
ip local pool vpn_ip_pool3 10.254.29.0-10.254.29.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
asdm history enable
arp timeout 14400
global (inside) 201 interface
global (dmz) 101 interface
global (backup) 101 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 10.29.1.0 255.255.255.0
nat (inside) 101 10.29.15.0 255.255.255.0
nat (inside) 101 10.29.31.0 255.255.255.0
nat (inside) 101 10.29.32.0 255.255.255.0
nat (inside) 101 10.29.199.0 255.255.255.0
nat (inside) 101 10.29.200.0 255.255.255.0
nat (inside) 101 192.168.29.0 255.255.255.0
static (inside,outside) <outsideif> 10.29.15.10 netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 50.59.30.113 1 track 1
route backup 0.0.0.0 0.0.0.0 205.179.122.165 254
route management 10.0.0.0 255.0.0.0 10.29.199.1 1
route inside 10.29.0.0 255.255.0.0 10.29.194.1 1
route inside 192.168.29.0 255.255.255.0 10.29.194.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 management
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
type echo protocol ipIcmpEcho 74.125.239.16 interface outside
num-packets 3
frequency 10
sla monitor schedule 100 life forever start-time now
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 100 reachability
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 inside
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 60
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.200.1.41 source inside
webvpn
group-policy RemoteAccess internal
group-policy RemoteAccess attributes
dns-server value 8.8.8.8
vpn-filter value remoteaccess
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RemoteAccess_splitTunnelAcl
split-tunnel-all-dns disable
vlan none
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess general-attributes
address-pool vpn_ip_pool3
default-group-policy RemoteAccess
tunnel-group RemoteAccess ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
testasa01-5510# sh crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.139.1/255.255.255.255/0/0)
current_peer: <peer ip>, username: blah
dynamic allocated peer ip: 172.16.139.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 0A7F396F
current inbound spi : E87AF806
inbound esp sas:
spi: 0xE87AF806 (3900372998)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3587
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x7FFFFFFF
outbound esp sas:
spi: 0x0A7F396F (176109935)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3587
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
mp01-5510asa# sh crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.254.29.1/255.255.255.255/0/0)
current_peer: <peer ip>, username: blah
dynamic allocated peer ip: 10.254.29.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 096265D4
current inbound spi : F5E4780C
inbound esp sas:
spi: 0xF5E4780C (4125390860)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3576
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x001FFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x096265D4 (157443540)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 3576
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001Config (non working site) looks fine(unless I missed something:)) . You may want to add :
access-list RemoteAccess_splitTunnelAcl standard permit 192.168.29.0 255.255.255.0
Try by taking out vpnfilter : vpn-filter value remoteaccess
To further t-shoot, try using packet tracer from ASA to the client...
https://supportforums.cisco.com/docs/DOC-5796
Thx
MS -
Hello,
I have set up a IPSec VPN between two 3845 routers:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXXXXXXX address 1.1.1.1
crypto ipsec transform-set CTransformSet esp-3des esp-sha-hmac
crypto map MyCryptoMap local-address GigabitEthernet0/1
crypto map MyCryptoMap 15 ipsec-isakmp
set peer 1.1.1.1
set transform-set CTransformSet
set pfs group2
match address CryptoC
ip access-list extended CryptoC
permit ip 192.168.1.0 0.0.0.255 1.1.1.0 0.0.0.255
And similar on the other side. It all works great, once the tunnel is up and running. However if I don't send any data from the 192.168.1 network to the 1.1.1 network for a while (5-10 minutes?), it seems to drop the tunnel, and the first request I make fails (I guess because the tunnel is establishing). Subsequent requests work fine again, but the first one always fails.
Is there any way to (preferably) make the first request succeed? Or if not, how to make the tunnel not drop after a certain time has passed? I have tried:
crypto ipsec security-association lifetime kilobytes 536870912
crypto ipsec security-association lifetime seconds 86400
crypto isakmp keepalive 10
...with no success! "show crypto ipsec sa" tells me there's plenty of time remaining on the inbound and outbound esp:
sa timing: remaining key lifetime (k/sec): (513953358/5739)debug crypto ipsec
debug crypto isakmp
I just get this block:
Jul 19 12:50:48.145: ISAKMP (0:134217734): received packet from 1.1.1.1 dport 500 sport 500 Global (R) QM_IDLE
Jul 19 12:50:48.145: ISAKMP: set new node -46235277 to QM_IDLE
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1): processing HASH payload. message ID = -46235277
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -46235277, sa = 64F91240
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):deleting node -46235277 error FALSE reason "Informational (in) state 1"
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):DPD/R_U_THERE received from peer 1.1.1.1, sequence 0x4BD2106F
Jul 19 12:50:48.145: ISAKMP: set new node 32334157 to QM_IDLE
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 1886462640, message ID = 32334157
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1): seq. no 0x4BD2106F
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (R) QM_IDLE
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):purging node 32334157
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Jul 19 12:50:48.145: ISAKMP:(0:6:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
... every few minutes. It doesn't seem to be regular: 12:50:48, 12:53:00, 13:04:04, 13:07:36...even though the keepalive is set to 10 seconds. Not sure why that is.
When it "drops", there's no logging and when it reestablishes there's nothing either. Which seems to suggest it's not actually dropping..... but when I remove the IPSec tunnel, I don't get the problem. So it must be something to do with it. -
Hi,
I am using a RV082 for a site-to-site IPsec Tunnel to a Barracuda NG200 firewall. I can establish the tunnel from the NG200 site and the tunnel stays alive for the work day, but the next morning the users at the RV082 site cannot establish the tunnel, I need to ping a node there to get it back up.
There is a setting IKE passive/active on the NG200 which I have set to 'passive' to allow tunnels to be established from the remote site.
I never upgraded the firmware on this because I saw posts regarding problems with the later versions.
Serial Number : DEZ006B01147
Firmware version : 1.3.98-tm (Jun 20 2008 18:37:29)Very interesting set of options in v1.3 on the rv082. Even v3 firmware on the rv016 doesn't have a backup tunnel option.
Are you able to originate a tunnel at all from the rv082 side, even manually? (ie, if you log into the router via it's IP address and click 'connect', does the tunnel establish?)
If you cannot originate a tunnel from the rv082 side, then there is probably some small configuration error on the rv082 that makes the other side reject the request.
Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com -
IPSec tunnel on sub-interface on ASA 5510
Hello All,
I working on a security solution using ASA firewall and need some technical advice on ASA. Is it possible to setup a IPSec tunnels on each subinterface of a physical interface on ASA 5510?
I would be greatul if someone please reply post this with some details.
Regards,
MudsHi Jennifer,
Thanks very much for your reply. I understand where you coming from, but the reason of using sub-interfaces is that, we have only one physical interface on the firewall connected to the MPLS cloud, and we need to setup a seperate IPSec tunnels for each client for security and integrity. In the current scenario, I have static peers and we can easily setup a static route to peer address.
Many thanks for your assistance, please feel free to to advise if you have any other suggestion.
Regards,
Muds -
Cisco ASA 5505 Site to site VPN IPSEC tunnel to an Clavister Firewall
Hi,
I have weird problem with a Site to site VPN tunnel from a Cisco ASA 5505 to an Clavister Firewall.
When I restart the Cisco ASA 5505 the tunnel is up and down,up, down, down, and I get all strange messages when I see if the tunnel is up or down with the syntax: show crypto isakmp sa
After a while like 5-10 min the vpn site to site tunnel is up and here is the strange thing happening I have all accesslists and tunnel accesslists right I can only access one remote network (Main site Clavister Firewall) trought the vpn tunnel behind the Cisco ASA 5505, and I have 5 more remote networks that I want to access but only one remote network is working trought the vpn tunnel behind the Cisco ASA. I see that when I do this syntax in ASA: show crypto ipsec sa.
They had a Clavister Firewall before on that site before and now they have a Cisco ASA 5505 and all the rules on the main site thats have the big Clavister Firewall is intact so the problems are in the Cisco ASA 5505.
Here is some logs that ASDM give me about the tunnel issue, but like I said, the tunnel is up and only one remote network is reachable in that tunnel.....
3
Nov 21 2012
07:11:09
713902
Group = 195.149.180.254, IP = 195.149.169.254, Removing peer from correlator table failed, no match!
3
Nov 21 2012
07:11:09
713902
Group = 195.149.180.254, IP = 195.149.169.254, QM FSM error (P2 struct &0xc92462d0, mess id 0x1c6bf927)!
3
Nov 21 2012
07:11:09
713061
Group = 195.149.180.254, IP = 195.149.169.254, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
5
Nov 21 2012
07:11:09
713119
Group = 195.149.180.254, IP = 195.149.169.254, PHASE 1 COMPLETED
Here is from the syntax: show crypto isakmp sa
Result of the command: "show crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 195.149.180.254
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: CustomerCryptoMap, seq num: 10, local addr: 213.180.90.29
access-list arvika_garnisonen permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
local ident (addr/mask/prot/port): (172.22.65.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
current_peer:195.149.180.254
#pkts encaps: 2188, #pkts encrypt: 2188, #pkts digest: 2188
#pkts decaps: 2082, #pkts decrypt: 2082, #pkts verify: 2082
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2188, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 213.180.67.29, remote crypto endpt.: 195.149.180.254
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: E715B315
inbound esp sas:
spi: 0xFAC769EB (4207372779)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38738/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xE715B315 (3876958997)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 2879488, crypto-map: CustomerCryptoMap
sa timing: remaining key lifetime (kB/sec): (38673/2061)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
And here are my Accesslists and vpn site to site config:
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 84600
crypto isakmp nat-traversal 40
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map CustomerCryptoMap 10 match address VPN_Tunnel
crypto map CustomerCryptoMap 10 set pfs group5
crypto map CustomerCryptoMap 10 set peer 195.149.180.254
crypto map CustomerCryptoMap 10 set transform-set ESP-AES-256-SHA
crypto map CustomerCryptoMap interface outside
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0 -------> This is the only remote network I can reach behind the Cisco ASA and the other remote networks dont work..
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list VPN_Tunnel extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 192.168.123.0 255.255.255.0
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.34.5
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 10.1.20.76
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 host 62.88.129.221
access-list nonat extended permit ip 172.22.65.0 255.255.255.0 172.22.71.0 255.255.255.0
nat (inside) 0 access-list nonat
All these remote networks are at the Main Site Clavister Firewall.
Best Regards
MichaelHi,
I'd start by getting the configuration of the remote site related to Local/Remote network configurations and go through them. Even though no changes have been made.
If they are mirror images of eachother already I'd say its probably some problem related to Cisco/Clavister setup
Seems especially wierd to me that one of the error messages includes 0.0.0.0 lines.
I have run into some problems with L2L VPN configurations when our Cisco device just doesnt want to work with the remote end device. In some cases we have confirmed that our networks defined for the L2L VPN are exactly the same and yet when checking debugs on the ASA side we can see the remote end device using totally wrong network masks for the VPN negotiaton and therefore it failed. That problem we corrected with changing the network masks a bit.
Maybe you could try to change the Encryption Domain configurations a bit and test it then.
You could also maybe take some debugs on the Phase2 and see if you get anymore hints as to what could be the problem when only one network is working for the L2L VPN.
- Jouni -
Multiple site to site IPSec tunnels to one ASA5510
Question on ASA VPN tunnels. I have one ASA 5510 in our corporate office, I have two subnets in our corporate office that are configured in the ASA in a Object group. I have a site to site IPSEC tunnel already up and that has been working. I am trying to set up another site to site IPSEC tunnel to a different location that will need to be setup to access the same two subnets. I'm not sure if this can be setup or not, I think I had a problem with setting up two tunnels that were trying to connect to the same subnet but that was between the same two ASA's. Anyways the new tunnel to a new site is not coming up and I want to make sure it is not the subnet issue. The current working tunnel is between two ASA 5510's, the new tunnel we are trying to build is between the ASA and a Sonicwall firewall. Any help would be appreciated.
Hi,
Regarding setting up the new L2L VPN connection..
Should be no problem (to my understanding) to configure the new L2L VPN connection through the other ISP interface (0/3). You will need to atleast route the remote VPN peers IP address towards that link. The L2L VPN forming should add a route for the remote networks through that L2L VPN. If not reverse route injection should handle it in the cryptomap configurations.
I guess rest of the setup depends on what will be using the 0/0 ISP and what will be using the 0/3 ISP.
If you are going to put the default route towards the 0/3 ISP you will have to think of something for the 0/0 ISP if some of your local LAN devices are going to use it for Internet also. (Possible routing problems) On the other hand if you have remote VPN Client users using the 0/0 ISP there should be no routing problem for them as they would be initiating connection through that 0/0 ISP link through ASA so ASA should know where to forward the return traffic.
Most of my 2 ISP setups have been implemented with a router in front of the actual ASA/PIX/FWSM firewalls where the router has performed Policy Routing based on the source IP address from the firewalls and then settings the correct gateway towards the correct ISP.
- Jouni -
Anyconnect SSL-VPN - DNS Lookups (external) doesn't work
Hello,
I have issues with my SSL AnyConnect VPN setup on my ASA 5512-x. The VPN , split tunneling and NAT exempt is working fine and i can connect to internal hosts.
However, external or internal DNS requests doesn't work on the clients (Windows, Anyconnect). I want full split tunneling, ie DNS requests should not go through the VPN.
The DNS requests works through NSLOOKUP but not in ping and in any browser.
(The config, request more if i've omitted something important).
ASA Version 8.6(1)2
access-list vlan42-splittunneling standard permit 192.168.42.0 255.255.255.0
ip local pool vlan42test 192.168.199.50-192.168.199.55 mask 255.255.255.0
address-pools value vlan42test
nat (any,any) source static any any destination static VPN-pool-range VPN-pool-range
object network VPN-pool-range
range 192.168.199.10 192.168.199.254
webvpn
enable Outside
anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
anyconnect enable
group-policy vlan42-clientvpn-policy internal
group-policy vlan42-clientvpn-policy attributes
wins-server none
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vlan42-splittunneling
default-domain value doesntmatter.local
split-dns value doesntmatter.local
vlan none
address-pools value vlan42test
vpn-group-policy vlan42-clientvpn-policy
vpn-simultaneous-logins 20
service-type remote-access
tunnel-group vlan42-con-profile type remote-access
tunnel-group vlan42-con-profile general-attributes
authentication-server-group ah
default-group-policy vlan42-clientvpn-policy
tunnel-group vlan42-con-profile webvpn-attributes
group-alias privatecloud42 enable
group-url https://vpn.**.com/privatecloud42 enable
I gladly appreciate your help. Thank you.I don't have experience with the ssl client and vista, but I do use the new Anyconnect SSL client with vista. All you need to do is upgrade the ASA to version 8. Hope that helps.
-
i have configured a network with ospf and a vpn site to site without gre tunnel and it works very well. I want to know, when do i have to use gre tunnel over ipsec
Jose,
It sounds like you currently have an IPsec Virtual Tunnel Interface (VTI) configured. By this, I mean that you have a Tunnel interface running in "tunnel mode ipsec ipv4" rather than having a crypto map applied to a physical interface. In the days before VTIs, it was necessary to configure GRE over IPsec in order to pass certain types of traffic across an encrypted channel. When using pure IPsec with crypto maps, you cannot pass multicast traffic without implementing GRE over IPsec. Today, IPsec VTIs and GRE over IPsec accomplish what is effectively the same thing with a few exceptions. For example, by using GRE over IPsec, you can configure multiple tunnels between two peers by means of tunnels keys, pass many more types of traffic rather than IP unicast and multicast (such as NHRP as utilized by DMVPN), and you can also configure multipoint GRE tunnels whereas VTIs are point to point.
Here's a document which discusses VTIs in more depth: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-A568DA9D-56CF-47C4-A866-B605804179E1
HTH,
Frank -
Hi,
I have a hopefully fairly basic question regarding configuring some static NAT entries on a remote site 887 router which also has a IPSec tunnel configured back to our main office. I am fairly new to networking so forgive me if I ask some really silly questions!
I have been asked to configure some mobile phone "boost" boxes, which will take a mobile phone and send the traffic over the Internet - this is required because of the poor signal at the branch. These boxes connect via Ethernet to the local network and need a direct connection to the Internet and also certain UDP and TCP ports opening up.
There is only one local subnet on site and the ACL for the crypto map dictates that all traffic from this network to our head office go over the tunnel. What I wanted to do was create another vlan, give this a different subnet. Assign these mobile boost boxes DHCP reservations (there is no interface to them so they cannot be configured) and then allow them to break out to the Internet locally rather than send the traffic back to our head office and have to open up ports on our main ASA firewall.
From my research I came across this article (http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
So I went ahead and created a separate vlan and DHCP reservation and then also followed the guidelines outlined above about using a route-map to stop the traffic being sent down the tunnel and then configured static NAT statements for each of the four ports these boost boxes need to work. I configure the ip nat inside/outside on the relevant ports (vlan 3 for inside, dialer 1 for outside)
The configuration can be seen below for the NAT part;
! Denies vpn interesting traffic but permits all other
ip access-list extended NAT-Traffic
deny ip 172.19.191.0 0.0.0.255 172.16.0.0 0.3.255.255
deny ip 172.19.191.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 172.19.191.0 0.0.0.255 192.168.128.0 0.0.3.255
deny ip 172.19.191.0 0.0.0.255 12.15.28.0 0.0.0.255
deny ip 172.19.191.0 0.0.0.255 137.230.0.0 0.0.255.255
deny ip 172.19.191.0 0.0.0.255 165.26.0.0 0.0.255.255
deny ip 172.19.191.0 0.0.0.255 192.56.231.0 0.0.0.255
deny ip 172.19.191.0 0.0.0.255 192.168.49.0 0.0.0.255
deny ip 172.19.191.0 0.0.0.255 192.168.61.0 0.0.0.255
deny ip 172.19.191.0 0.0.0.255 192.168.240.0 0.0.7.255
deny ip 172.19.191.0 0.0.0.255 205.206.192.0 0.0.3.255
permit ip any any
! create route map
route-map POLICY-NAT 10
match ip address NAT-Traffic
! static nat
ip nat inside source static tcp 192.168.1.2 50 85.233.188.47 50 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 123 85.233.188.47 123 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 500 85.233.188.47 500 route-map POLICY-NAT extendable
ip nat inside source static udp 192.168.1.2 4500 85.233.188.47 4500 route-map POLICY-NAT extendable
Unfortunately this didn't work as expected, and soon after I configured this the VPN tunnel went down. Am I right in thinking that UDP port 500 is also the same port used by ISAKMP so by doing this configuration it effectively breaks IPSec?
Am I along the right lines in terms of configuration? And if not can anyone point me in the direction of anything that may help at all please?
Many thanks in advance
BrianHi,
Sorry to bump this thread up but is anyone able to assist in configuration? I am now thinking that if I have another public IP address on the router which is not used for the VPN tunnel I can perform the static NAT using that IP which should not break anything?
Thanks
Brian
Maybe you are looking for
-
Using getRuntime().exec() with Serlvet to run applications in Solaris
I am currently doing a project which requires the execution of Solaris applications through the use of Java Servlet with this Runtime method - Runtime.getRuntime.exec() This means that if the client PC tries to access the servlet in the server PC, an
-
How to print text in JClient ?
How to print CLOB content from an JClient application built in JDeveloper 9.0.3 ?
-
Assigning Selected Tree Node Value To An Item
Hi guys, I want to assign selected tree node's value to a page item. This item can be a textbox or a label (display only). How can i do that? I tried to use "Selected Node Page Item" property which is available on Tree Attributes. But I couldn't assi
-
I have a Mac Pro Mid 2010 and 2012 both running OS 10.8.5. Both using ATI Radeon HD 5770 1052 MB vid cards. Using the standard Display that came with the Macs, everytime I'm working in Ilustrator CS5 or 6, the Document I am working on gets transparen
-
Page cropping problem in Acrobat XI
I have a title built in InDesign that I export in PDF for the printer. I discovered over successive runs that I needed to shift the y axis a tad and widen the gutter to get the best production results. Here is the routine for doing so in Acrobat Pro