opti2k4 (Croatia, joined 2005-05-03)

[HELP] ASA site-to-site VPN

Hi,

I have two ASA 5510s, one on ver 8.4 and one on ver 7. For the past day I have been trying to configure a site-to-site VPN with no success. Can't establish phase 1. I am using IKEv1 with a shared secret (IKEv2 not used). I used the wizard to create the site-to-site.

This is the config from ver 8:

object network inside_nat
 subnet 192.168.0.0 255.255.255.0
object network Sterling_private_lan
 subnet 192.168.3.0 255.255.255.0

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA ESP-3DES-MD5
crypto map outside_map 1 set ikev2 pre-shared-key *****
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=ciscoasa
 crl configure
crypto ca certificate map DefaultCertificateMap 10
crypto ca certificate chain ASDM_TrustPoint0
 certificate 92f57c4e
308201e9 30820152 a0030201 02020492 f57c4e30 0d06092a 864886f7 0d010105
05003039 3111300f 06035504 03130863 6973636f 61736131 24302206 092a8648
86f70d01 09021615 63697363 6f617361 2e646f73 66616374 732e676f 76301e17
0d313130 39323430 30353631 315a170d 32313039 32313030 35363131 5a303931
11300f06 03550403 13086369 73636f61 73613124 30220609 2a864886 f70d0109
02161563 6973636f 6173612e 646f7366 61637473 2e676f76 30819f30 0d06092a
864886f7 0d010101 05000381 8d003081 89028181 00abc120 c78294c5 56f9c969
c8451337 c32268c6 ea5710c6 9a9406e5 3cb41de7 0ba404d6 a54273ba b4e15983
cdb5abe0 5514e3b6 f6ebbd72 24db4d6f 08ebfa66 95063ff7 cf00cf7c df1bada6
c622c5f1 dc868dff 8beea9bf f76c747c 6ac7d5e4 9e5a4a96 8eeb2ef4 4a56eb3e
ebc5860b 9143e647 258ac805 2c955b07 c88db581 b3020301 0001300d 06092a86
4886f70d 01010505 00038181 0093278e 75367626 67a28d24 2a24a281 2c7762a5
fd7660bd 81146717 3d7da617 7e18508f c7d4d75b 8d97cfc3 185ec50e 8642ce62
46e8fc0c eda983fb cd278cf3 28cfd4c5 688dba6e 5a01732b 944274ca 5c852b10
cfa68ed7 5f010c46 1ad5abf7 445ab721 535a1b69 e59f8960 b448e94b c3691314
df24000c c71d89c3 27752d55 5e
  quit
crypto isakmp identity address
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable inside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 11
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400

group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
 vpn-tunnel-protocol ikev1

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy GroupPolicy_1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
access-list outside_cryptomap extended permit ip object inside_nat object Sterling_private_lan
access-group outside_in in interface outside

This is the config from ver 7:

name 192.168.0.0 Bur_LAN description Bur_LAN

access-list outside_cryptomap_20_1 extended permit ip 192.168.3.0 255.255.255.0 Bur_LAN 255.255.255.0

group-policy SiteToSite internal
group-policy SiteToSite attributes
 vpn-access-hours none
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 group-lock value 2.2.2.2
 pfs disable
 webvpn

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 20 match address outside_cryptomap_20_1
crypto map outside_map 20 set peer 2.2.2.2
crypto map outside_map 20 set transform-set ESP-AES-256-SHA ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp identity address
isakmp enable outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp nat-traversal 20
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
 default-group-policy SiteToSite
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *
vpn-sessiondb max-session-limit 20

Debug log on ver 8:

Jan 20 11:38:27 [IKE COMMON DEBUG]IKEv2 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 1.
Jan 20 11:38:27 [IKE COMMON DEBUG]Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1 after a failed attempt.. Map Tag = outside_map. Map Sequence Number = 1.
Jan 20 11:38:31 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
Jan 20 11:38:36 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
Jan 20 11:38:41 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
Jan 20 11:38:46 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
Jan 20 11:38:51 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
Jan 20 11:38:56 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
Jan 20 11:38:59 [IKE COMMON DEBUG]IKEv1 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 1.
Jan 20 11:38:59 [IKE COMMON DEBUG]Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 1.
Jan 20 11:38:59 [IKE COMMON DEBUG]Tunnel Manager Removed entry. Map Tag = outside_map. Map Sequence Number = 1.
Jan 20 11:39:01 [IKE COMMON DEBUG]Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = outside_map. Map Sequence Number = 1.
Jan 20 11:39:06 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager

It's strange that I can't get anything from the IKEv1 debug; I only get output from the common debug. Could it be a bug?


cramer (Raleigh, NC, joined 2007-04-10)


One is doing ikev, the other isakmp. They are not the same thing.

Upgrade the v7 system to 8.4, or program the v8.4 system to use isakmp.

[Edit]
Oh good lord. Cisco has yet again made a mess. 8.4 replaces "isakmp" with "ikev1", but not everywhere. There are no default isakmp/ikev1 or ikev2 policies, so you have to set them up completely. Historically, the debug output has been less than helpful in locating what exact number isn't the same on both ends -- it just gives the oh-so-helpful "attrs don't match".
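The complaint above, that the debug rarely says which phase-1 attribute is off, can be worked around offline. The script below is an added example, not code from the thread or from Cisco. It parses both syntaxes (the 7.x `isakmp policy N attr value` one-liners and the 8.4 `crypto ikev1 policy N` blocks are the same IKEv1 phase-1 policies under a renamed command), lists the policy pairs that agree on authentication, encryption, hash and DH group, and, for the pairs that miss, names the single attribute that differs. The config text is an excerpt of the policies posted above. `lifetime` is left out of the comparison on purpose: IKEv1 negotiates a differing lifetime rather than rejecting the proposal.

```python
"""Added example (not from the thread): normalise the IKEv1 phase-1 policies
of an ASA 8.4 config ('crypto ikev1 policy N' + sub-commands) and a 7.x config
('isakmp policy N <attr> <value>' one-liners) and report which pairs can agree.
The two config strings are excerpts of what was posted in the thread."""
import re

ASA84 = """\
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 11
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

ASA7 = """\
isakmp identity address
isakmp enable outside
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
"""

# Attributes that must be identical for a phase-1 proposal to be accepted.
# 'lifetime' is deliberately not in the list: a mismatch is negotiated, not rejected.
MATCH_ATTRS = ("authentication", "encryption", "hash", "group")
POLICY_RE = re.compile(r"^(?:crypto )?(?:ikev1|isakmp) policy (\d+)(?:\s+(\S+)\s+(\S+))?$")


def parse_policies(config):
    """Return {priority: {attr: value}} from either the 7.x or the 8.4 syntax."""
    policies, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
            pol = policies.setdefault(current, {})
            if m.group(2):                       # 7.x one-line form
                pol[m.group(2)] = m.group(3)
            continue
        t = line.split()
        if current is not None and len(t) == 2 and t[0] in MATCH_ATTRS + ("lifetime",):
            policies[current][t[0]] = t[1]       # 8.4 sub-command form
        elif t:
            current = None                       # any other command ends the block
    return policies


def differing(pol_a, pol_b):
    """Names of the attributes on which two policies disagree."""
    return {k for k in MATCH_ATTRS if pol_a.get(k) != pol_b.get(k)}


def matching_pairs(a, b, auth="pre-share"):
    """(prio_a, prio_b) pairs that agree on every attribute in MATCH_ATTRS.
    Only policies with the given authentication method are considered: an L2L
    tunnel keyed with a pre-shared key can never use a crack or rsa-sig policy."""
    return [(pa, pb) for pa, xa in sorted(a.items()) if xa.get("authentication") == auth
            for pb, xb in sorted(b.items()) if not differing(xa, xb)]


def nearest_misses(a, b):
    """For each policy of B, the policies of A that differ in exactly one attribute.
    This is the list to read when the debug only says 'attrs don't match'."""
    return {pb: {pa: sorted(differing(xa, xb)) for pa, xa in a.items() if len(differing(xa, xb)) == 1}
            for pb, xb in b.items()}


if __name__ == "__main__":
    a, b = parse_policies(ASA84), parse_policies(ASA7)
    print("matching pairs:", matching_pairs(a, b))
    print("near misses:", nearest_misses(a, b))
```

Run as-is it reports that only 8.4 policy 30 can match the 7.x policy 30; policy 11 misses on the DH group alone (5 against 2) and policy 120 on the cipher alone (3des against aes-256). Paste the full policy sets from `show run crypto ikev1` and `show run isakmp` in place of the excerpts to check a real pair of boxes; feeding the script the responder's output with the initiator's as `b` is the direction that matters, since the responder is the side that rejects.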


opti2k4


Hi, thanks for the reply. What do you mean there is no default IKEv1 policy? In ASDM I see tons of policies for IKEv1.


opti2k4


Fixed it, I had entered the wrong IP for the other end.

But now traffic is not passing through.

ver 8:

object network Sterling_private_lan
 subnet 192.168.3.0 255.255.255.0
 description Sterling_private_lan
object network inside_nat
 subnet 192.168.0.0 255.255.255.0

access-list outside_cryptomap extended permit ip object inside_nat object Sterling_private_lan
nat (inside,outside) source static inside_nat inside_nat destination static Sterling_private_lan Sterling_private_lan no-proxy-arp route-lookup

Ver 7:

global (outside) 1 interface
global (outside) 10 2.2.2.2
global (management) 1 192.168.1.2-192.168.1.254 netmask 255.255.255.0
nat (inside_140) 0 access-list inside_nat0_outbound
nat (Developer_LAN) 0 access-list Developer_LAN_nat0_outbound
nat (Developer_LAN) 10 192.168.3.0 255.255.255.0

access-list inside_nat0_outbound extended permit ip any 192.168.13.0 255.255.255.0
access-list Developer_LAN_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 server_lan 255.255.255.224
access-list Developer_LAN_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list Developer_LAN_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 Bur_LAN 255.255.255.0
access-list outside_cryptomap_20_1 extended permit ip 192.168.3.0 255.255.255.0 Bur_LAN 255.255.255.0

Not sure how to deal with that.
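The two things to verify in the configs of this last post are that the crypto ACLs are exact mirror images and that each side exempts the tunnel traffic from NAT. The script below is an added example, not code from the thread or from Cisco. It resolves `object network` subnets and 7.x `name` aliases, reads the `permit ip` lines of each ACL, checks the mirror property (8.4 says 192.168.0.0/24 to 192.168.3.0/24, 7.x must say the reverse), and checks that every crypto flow is covered by a NAT exemption: on 7.x the ACL referenced by `nat (...) 0 access-list`, on 8.3 and later a twice-NAT identity rule of the form `source static X X destination static Y Y`. The config strings are excerpts of what was posted; the `server_lan` line of the 7.x nat0 ACL is left out because that name is not defined anywhere in the thread.

```python
"""Added example (not from the thread): check that two ASA crypto ACLs mirror
each other and that each side's NAT exemption covers the tunnel traffic.
The config strings are excerpts of the ones posted; names are the poster's."""
import ipaddress

ASA84 = """\
object network inside_nat
 subnet 192.168.0.0 255.255.255.0
object network Sterling_private_lan
 subnet 192.168.3.0 255.255.255.0
access-list outside_cryptomap extended permit ip object inside_nat object Sterling_private_lan
nat (inside,outside) source static inside_nat inside_nat destination static Sterling_private_lan Sterling_private_lan no-proxy-arp route-lookup
"""

ASA7 = """\
name 192.168.0.0 Bur_LAN description Bur_LAN
access-list Developer_LAN_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list Developer_LAN_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 Bur_LAN 255.255.255.0
access-list outside_cryptomap_20_1 extended permit ip 192.168.3.0 255.255.255.0 Bur_LAN 255.255.255.0
nat (Developer_LAN) 0 access-list Developer_LAN_nat0_outbound
"""


def _spec(tokens, names, objects):
    """Consume one ACL address spec; return (ip_network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "object":
        return objects[tokens[1]], tokens[2:]
    addr = names.get(tokens[0], tokens[0])          # 7.x 'name' alias or literal IP
    return ipaddress.ip_network(f"{addr}/{tokens[1]}"), tokens[2:]


def parse_config(text):
    """Return {'acls': {name: [(src, dst), ...]} for 'permit ip' lines,
    'exempt': flows excluded from NAT, either by a 7.x 'nat (if) 0 access-list'
    or by an 8.3+ twice-NAT identity rule 'source static X X destination static Y Y'}."""
    names, objects, acls, nat0_names, exempt = {}, {}, {}, [], []
    obj = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "name":                                  # name <ip> <alias> ...
            names[t[2]] = t[1]
        elif t[:2] == ["object", "network"]:
            obj = t[2]
        elif t[0] == "subnet" and obj:                      # subnet <ip> <mask>
            objects[obj] = ipaddress.ip_network(f"{t[1]}/{t[2]}")
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, rest = _spec(t[5:], names, objects)
            dst, _ = _spec(rest, names, objects)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat" and t[2:4] == ["0", "access-list"]:
            nat0_names.append(t[4])
        elif t[0] == "nat" and "source" in t and "destination" in t:
            i, j = t.index("source"), t.index("destination")
            if t[i + 1] == t[j + 1] == "static" and t[i + 2] == t[i + 3] and t[j + 2] == t[j + 3]:
                exempt.append((objects[t[i + 2]], objects[t[j + 2]]))
    for n in nat0_names:                                    # resolve after the loop: order-independent
        exempt.extend(acls.get(n, []))
    return {"acls": acls, "exempt": exempt}


def unmirrored(acl_a, acl_b):
    """Flows of A with no exact (dst, src) twin in B, and vice versa.
    Two empty lists mean the crypto ACLs are mirror images of each other."""
    flip_b = {(d, s) for s, d in acl_b}
    flip_a = {(d, s) for s, d in acl_a}
    return ([f for f in acl_a if f not in flip_b], [f for f in acl_b if f not in flip_a])


def nat_gaps(crypto_acl, exempt):
    """Crypto flows not fully covered by any NAT-exempt pair (src and dst both contained)."""
    return [(s, d) for s, d in crypto_acl
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]


if __name__ == "__main__":
    a, b = parse_config(ASA84), parse_config(ASA7)
    ca, cb = a["acls"]["outside_cryptomap"], b["acls"]["outside_cryptomap_20_1"]
    print("unmirrored flows:", unmirrored(ca, cb))
    print("8.4 NAT gaps:", nat_gaps(ca, a["exempt"]))
    print("7.x NAT gaps:", nat_gaps(cb, b["exempt"]))
```

For the excerpts posted, all three lists come back empty, so the crypto ACLs and the NAT exemptions agree with each other as far as the text goes. One thing the script does not model is which interface the hosts actually sit behind: the 8.4 rule is written for `(inside,outside)` and the 7.x `nat 0` rule is attached to `Developer_LAN`, and a source host on a different interface would not be matched by either. `show crypto ipsec sa` on both ends, read for encaps versus decaps counters, tells you which direction is failing before you go further.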