bbresslin
ASA Site to Site VPN Issue
I am trying to set up a site-to-site VPN between two ASAs, to no avail... I have followed what I thought were all of the steps to get this set up, but I have no connectivity. Could someone please look at the config(s) to see what I am missing?
REMOTE:
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 1 set pfs
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 96.244.xx.xx
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=crmhome
 keypair SitetoSite
 crl configure
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
MAIN:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 140.239.103.71
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 72.81.252.162
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.legnemgroup.com
 subject-name CN=sslvpn.legnemgroup.com
 keypair sslvpnkey
 crl configure
crypto ca certificate chain localtrust
 certificate f6c6e849
  quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
sh ipsec sa
show crypto isakmp sa
The biggest cause of tunnel failure is Phase I and II ISAKMP policy mismatch due to transform sets and preshared key.
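
Added example, not part of the original thread: a small Python checker that compares the Phase 1 (ISAKMP policy) and Phase 2 (transform set, PFS) proposals of two ASA configs for one crypto map entry on each side. The function names are hypothetical, the sample configs are constructed by trimming the excerpts posted above, and it assumes crypto map entry 2 on each side is the tunnel in question; the pre-shared key is not in the posted excerpts, so it is not checked.

```python
import re

def parse_asa(cfg):
    """Pull Phase 1 policies, transform sets and static crypto map entries."""
    out, cur = {"tsets": {}, "maps": {}, "policies": {}}, None
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            cur = out["policies"].setdefault(int(m[1]), {})
        elif line.startswith("crypto "):
            cur = None  # any other top-level command ends the policy block
            if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                out["tsets"][m[1]] = frozenset(m[2].split())
            elif m := re.match(r"crypto map \S+ (\d+) set (peer|transform-set|pfs)\s*(.*)", line):
                out["maps"].setdefault(int(m[1]), {})[m[2]] = m[3] or "default"
        elif cur is not None and (m := re.match(r"(authentication|encryption|hash|group) (\S+)", line)):
            cur[m[1]] = m[2]  # lifetime is skipped: it is not compared here
    return out

def compare(a, a_seq, b, b_seq):
    """Return proposal mismatches between one crypto map entry on each peer."""
    problems = []
    p1 = lambda c: {frozenset(p.items()) for p in c["policies"].values()}
    if not p1(a) & p1(b):
        problems.append("phase1: no ISAKMP policy in common")
    ea, eb = a["maps"][a_seq], b["maps"][b_seq]
    p2 = lambda c, e: {c["tsets"][n] for n in e.get("transform-set", "").split() if n in c["tsets"]}
    if not p2(a, ea) & p2(b, eb):
        problems.append("phase2: no transform set in common")
    if ea.get("pfs") != eb.get("pfs"):
        problems.append("phase2: PFS setting differs")
    return problems

# Constructed sample input, trimmed from the REMOTE and MAIN excerpts above.
P1 = "crypto isakmp policy 50\n authentication pre-share\n encryption 3des\n hash sha\n group 2\n"
REMOTE = """\
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 96.244.xx.xx
crypto map outside_map 2 set transform-set ESP-3DES-SHA
""" + P1
MAIN = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 72.81.252.162
crypto map outside_map 2 set transform-set ESP-3DES-SHA
""" + P1
# Constructed mismatch: REMOTE's entry switched to the DES transform set.
BROKEN = REMOTE.replace("set transform-set ESP-3DES-SHA", "set transform-set ESP-DES-SHA")
print(compare(parse_asa(MAIN), 2, parse_asa(BROKEN), 2))
```

An empty list for the trimmed excerpts means the posted proposals agree for that entry, which leaves the parts not shown in the post (pre-shared key, crypto ACLs, peer addresses) as the places to look next.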