Solved

ASA Site to Site VPN Issue

Posted on 2009-07-14
Last Modified: 2012-05-07
I am trying to set up a site-to-site VPN between two ASAs to no avail. I have followed what I thought were all of the steps to get this set up, but I have no connectivity. Could someone please look at the config(s) to see what I am missing?

REMOTE:

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 1 set pfs
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 96.244.xx.xx
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=crmhome
 keypair SitetoSite
 crl configure
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

MAIN:

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 140.239.103.71
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 72.81.252.162
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint localtrust
 enrollment self
 fqdn sslvpn.legnemgroup.com
 subject-name CN=sslvpn.legnemgroup.com
 keypair sslvpnkey
 crl configure
crypto ca certificate chain localtrust
 certificate f6c6e849
  quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
Question by:bbresslin

Expert Comment

by:bignewf
I will check over your config, but I need the output from the following commands:
sh ipsec sa
show crypto isakmp sa

The biggest cause of tunnel failure is a phase I and II ISAKMP policy mismatch due to transform sets and the pre-shared key.


Accepted Solution

by: bignewf (earned 500 total points)
Suggestions:

1. Disable perfect forward secrecy on the crypto map entry.
2. Suggest a primary transform set on both tunnel endpoints: ESP-3DES-MD5 or ESP-3DES-SHA usually works. You will see this under "Advanced" and crypto maps in the ASDM GUI.
3. I don't see NAT exempt networks (or hosts) or access-lists allowing traffic through the tunnel. In ASDM: Configuration > Site-to-Site VPN > Advanced > Crypto Maps > static crypto map > Edit > Traffic Selection tab; here you configure the allowed networks/subnets for tunnel traffic.

After you run show crypto isakmp sa, you should see State: MM_Active if you have successful tunnel formation.
When you run show crypto ipsec sa, you will see pkts encrypt and decrypt if traffic is passing.

So first, reset the shared secret, and reset the transform sets I suggested as primary.
I would just redo the tunnel from the GUI, enable logging and send me the output if you still can't connect. Make sure both tunnels have identical transform sets.
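Added example, not code from the question or the answer: a small Python checker that applies the three points of the accepted answer to the two configs, comparing the transform-set contents (not just the names) and the PFS setting of the crypto map entries that are supposed to form the tunnel, and flagging a crypto ACL that is referenced but never defined or a missing NAT exemption. It assumes REMOTE entry 2 pairs with MAIN entry 1 (the question does not say which MAIN entry is the peer), and the MAIN sample carries a constructed access-list and pre-8.3 style `nat (inside) 0` line so that one side is complete for contrast.

```python
import re
# Constructed sample: the crypto-map lines from the REMOTE and MAIN configs in the question.
# MAIN also gets a constructed crypto ACL and pre-8.3 NAT exemption (point 3 of the answer).
REMOTE_CFG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set transform-set ESP-3DES-SHA
"""
MAIN_CFG = """\
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
access-list outside_1_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
"""

def parse(cfg):  # collect transform-sets, crypto-map entries, defined ACL names, NAT-exempt presence
    tsets, entries, acls, nat0 = {}, {}, set(), False
    for line in cfg.splitlines():
        if m := re.match(r"crypto ipsec transform-set (\S+) (\S+) (\S+)", line):
            tsets[m[1]] = (m[2], m[3])  # name -> (cipher, integrity): compare these, not names
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set pfs|set peer|set transform-set) ?(\S*)", line):
            entries.setdefault((m[1], int(m[2])), {})[m[3]] = m[4] or "default"
        elif m := re.match(r"access-list (\S+) ", line):
            acls.add(m[1])
        elif re.match(r"nat \(\S+\) 0 access-list", line):
            nat0 = True
    return {"tsets": tsets, "entries": entries, "acls": acls, "nat0": nat0}

def audit_side(cfg, seq, map_name="outside_map"):
    """Problems on one end: undefined crypto ACL, no NAT exemption, PFS left on."""
    p = parse(cfg)
    e = p["entries"].get((map_name, seq), {})
    acl = e.get("match address")
    checks = [(acl and acl not in p["acls"], f"crypto ACL {acl} on {map_name} {seq} is never defined"),
              (not p["nat0"], "no NAT exemption (nat (inside) 0 access-list ...) for tunnel traffic"),
              ("set pfs" in e, f"PFS enabled on {map_name} {seq}; disable it while troubleshooting")]
    return [msg for bad, msg in checks if bad]

def compare_tunnel(cfg_a, seq_a, cfg_b, seq_b, map_name="outside_map"):
    """Phase 2 mismatches between the two crypto-map entries that should form one tunnel."""
    a, b = parse(cfg_a), parse(cfg_b)
    ea, eb = a["entries"][(map_name, seq_a)], b["entries"][(map_name, seq_b)]
    ta = a["tsets"].get(ea.get("set transform-set"))
    tb = b["tsets"].get(eb.get("set transform-set"))
    checks = [(ta != tb, f"transform-set mismatch: {ta} vs {tb}"),
              (ea.get("set pfs") != eb.get("set pfs"), "PFS differs between the two ends")]
    return [msg for bad, msg in checks if bad]
```

Run `compare_tunnel(REMOTE_CFG, 2, MAIN_CFG, 1)` and `audit_side(REMOTE_CFG, 2)` to see the mismatch and the missing pieces the answer describes; the same checks apply to a fuller `show running-config` dump.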
