ap-technology
asked on
Cisco ASA 5505 : Site to site VPN connexion
Hi everybody, i have a problem with a configuration with 3 cisco ASA
I hope that some one can help me
So here it ils a description of my need
Site 1 : 192.168.1.1-ASA 5505-10.0.0.2 -------10.0.0.1-ISP Router-195.1.1.1
Site 2 : 192.168.2.1-ASA 5505-192.168.0.2 -------192.168.0.1-ISP Router-195.2.1.1
Site 3 : 192.168.3.1-ASA 5505-192.168.253.2 -------192.167.253.1-ISP Routeur-195.3.1.1
I need that the site 2 and the site 3 are connected with a IPSEC Site-to-Site tunnel VPN
The connection between the site 1 and 2 work fine, but i can't etablished the connection between the site 1 and the site 3
there is a specific operation to do to have 2 tunnel on the same ASA 5505
Can i have some help please?
Thanks a lot
Axel
I hope that some one can help me
So here it ils a description of my need
Site 1 : 192.168.1.1-ASA 5505-10.0.0.2 -------10.0.0.1-ISP Router-195.1.1.1
Site 2 : 192.168.2.1-ASA 5505-192.168.0.2 -------192.168.0.1-ISP Router-195.2.1.1
Site 3 : 192.168.3.1-ASA 5505-192.168.253.2 -------192.167.253.1-ISP Routeur-195.3.1.1
I need that the site 2 and the site 3 are connected with a IPSEC Site-to-Site tunnel VPN
The connection between the site 1 and 2 work fine, but i can't etablished the connection between the site 1 and the site 3
there is a specific operation to do to have 2 tunnel on the same ASA 5505
Can i have some help please?
Thanks a lot
Axel
please show ur ASA config
No there are no specific things you need to do.
The easy way is to use the VPN wizard in the asa.
From experience: make sure those encryption keys and transformsets are the same on both ends. Also Diffie Helmann keys need to be the same.
if you can post your config we can figure out what's wrong.
The easy way is to use the VPN wizard in the asa.
From experience: make sure those encryption keys and transformsets are the same on both ends. Also Diffie Helmann keys need to be the same.
if you can post your config we can figure out what's wrong.
ASKER
Thanks or your information but i have always a problem
I will send you my configuration
To start this is the configuration of site1, the main site
I will send you my configuration
To start this is the configuration of site1, the main site
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name domain.local
enable password S8eyzXDZaHO17k8R encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.3.0 site3
name 192.168.1.3 CJS-site1 description ServeurDC
name 192.168.2.0 site2
name 192.168.2.1 site2LanDefaultGateWay
name 192.168.2.3 site2Server
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 195.238.2.21
name-server 195.238.2.22
domain-name domain.local
object-group service standard_web_tcp tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
port-object eq pop3
port-object eq smtp
port-object eq ssh
port-object eq telnet
object-group service standard_web_udp udp
port-object eq domain
port-object eq ntp
object-group service isabel tcp
port-object range 7000 7099
object-group network ipsec_user
network-object 10.10.0.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service VirtualWebServer tcp-udp
port-object eq 143
port-object eq 2525
port-object eq 8080
object-group service virtualweb8080 tcp
port-object eq 8080
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in remark mail entrant
access-list outside_access_in extended permit tcp any interface outside eq pptp
access-list outside_access_in remark Acces Https to DAVOISE-DC
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit ip any interface outside
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any
access-list inside_access_in extended permit udp 192.168.1.0 255.255.255.0 any object-group standard_web_udp
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any object-group isabel
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any object-group standard_web_tcp
access-list inside_access_in extended permit icmp 192.168.1.0 255.255.255.0 any echo
access-list inside_access_in remark autorise outgoing VPN connection
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq pptp
access-list inside_access_in extended permit tcp 192.168.1.0 255.255.255.0 any eq lotusnotes
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 host site2Server
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 site3 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 site2 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 site2 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 site3 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging from-address mail@domain.be
logging recipient-address mail@mail.be level errors
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp CJS-site1 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pptp CJS-site1 pptp netmask 255.255.255.255
static (inside,outside) tcp interface https CJS-site1 https netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer PublicIPSite2
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer PublicIPSite3
crypto map outside_map 2 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy site3 internal
group-policy site3 attributes
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
username admin password 5A4D4nFCsonQeeZr encrypted privilege 15
tunnel-group PublicIPSite2 type ipsec-l2l
tunnel-group PublicIPSite2 ipsec-attributes
pre-shared-key *
tunnel-group PublicIPSite3 type ipsec-l2l
tunnel-group PublicIPSite3 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
smtp-server 192.168.1.3
prompt hostname context
Cryptochecksum:f8ee7254bc7ef9e30313edd301fa8a7e
: end
asdm location site3 255.255.255.0 inside
asdm location site2 255.255.255.0 inside
no asdm history enable
ASKER
And this is the configuration of the site3, the site witch i can not connect with the ipsec site so site vpn tunnel
ASKER
the code is
ASA Version 8.2(1)
!
hostname FWGrez
domain-name domain.local
enable password S8eyzXDZaHO17k8R encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name PublicIPSite1 Site1Public
name 192.168.1.0 Site1Lan
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.253.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
boot system disk0:/asa724-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 195.238.2.21
name-server 195.238.2.22
domain-name domain.local
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service standard_web_tcp tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
port-object eq pop3
port-object eq smtp
port-object eq ssh
port-object eq telnet
object-group service standard_web_udp udp
port-object eq domain
port-object eq ntp
object-group service isabel tcp
port-object range 7000 7099
object-group network ipsec_user
network-object 10.10.0.0 255.255.255.0
object-group service VirtualWebServer tcp-udp
port-object eq 143
port-object eq 2525
port-object eq 8080
object-group service virtualweb8080 tcp
port-object eq 8080
object-group network BANKSYS
access-list outside_access_in extended permit tcp any interface outside eq pptp
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit tcp any interface outside eq https
access-list outside_access_in extended permit ip any interface outside
access-list outside_access_in extended permit tcp any interface outside eq www
access-list outside_access_in extended permit tcp any interface outside eq smtp
access-list outside_access_in extended permit tcp any interface outside eq pop3
access-list outside_access_in_1 extended permit ip host Site1Lan 192.168.3.0 255.255.255.0
access-list outside_access_in_1 extended permit icmp any any unreachable
access-list outside_access_in_1 extended permit icmp any any time-exceeded
access-list outside_access_in_1 extended permit ip any interface outside
access-list outside_access_in_1 extended permit icmp any any echo-reply
access-list outside_access_in_1 extended permit tcp any interface outside eq pptp
access-list inside_access_in extended permit udp 192.168.3.0 255.255.255.0 any object-group standard_web_udp
access-list inside_access_in extended permit tcp 192.168.3.0 255.255.255.0 any object-group standard_web_tcp
access-list inside_access_in extended permit icmp 192.168.3.0 255.255.255.0 any echo
access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 10.10.0.0 255.255.255.0
access-list inside_access_in extended permit tcp 192.168.3.0 255.255.255.0 any eq pptp
access-list inside_access_in extended permit object-group TCPUDP 192.168.3.0 255.255.255.0 any eq domain
access-list inside_access_in extended permit icmp 192.168.3.0 255.255.255.0 any
access-list inside_access_in_1 extended permit tcp 192.168.3.0 255.255.255.0 any object-group standard_web_tcp
access-list inside_access_in_1 extended permit udp 192.168.3.0 255.255.255.0 any object-group standard_web_udp
access-list inside_access_in_1 extended permit tcp 192.168.3.0 255.255.255.0 any eq pptp
access-list inside_access_in_1 extended permit ip 192.168.3.0 255.255.255.0 Site1Lan 255.255.255.0
access-list inside_access_in_1 extended permit object-group TCPUDP 192.168.3.0 255.255.255.0 any eq domain
access-list inside_access_in_1 extended permit icmp 192.168.3.0 255.255.255.0 any
access-list inside_access_in_1 extended permit icmp 192.168.3.0 255.255.255.0 any echo
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 Site1Lan 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 192.168.3.0 255.255.255.0 Site1Lan 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 Site1Lan 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.253.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Site1Lan 255.255.255.0 inside
http 192.168.3.0 255.255.255.0 inside
http 192.168.253.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address outside_1_cryptomap
crypto map outside_map1 1 set pfs group1
crypto map outside_map1 1 set peer Site1Public
crypto map outside_map1 1 set transform-set ESP-DES-SHA
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh 192.168.3.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.3.35-192.168.3.66 inside
dhcpd dns 212.71.8.10 212.71.0.33 interface inside
dhcpd domain domain.local interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group PublicIPSite1 type ipsec-l2l
tunnel-group PublicIPSite1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:bcb22e9f3e4667943a0c2692d4302681
: end
FWGrez#
ur config seems to be ok
any way try add the below command at site 1
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
on both firewalls
crypto isakmp nat-traversal 60
sysopt connection permit-vpn
+ i need the out put of below commands while testing , try to give the output from both sites
sh crypto isakmp sa
sh crypto ipsec sa
debug crypto isakmp
show logging
any way try add the below command at site 1
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
on both firewalls
crypto isakmp nat-traversal 60
sysopt connection permit-vpn
+ i need the out put of below commands while testing , try to give the output from both sites
sh crypto isakmp sa
sh crypto ipsec sa
debug crypto isakmp
show logging
ASKER
Site 3 :
sh crypto isakmp sa
Result : there are no isakmp sas
sh crypto ipsec sa
Result : there are no ipsec sas
sh crypto isakmp sa
Result : there are no isakmp sas
sh crypto ipsec sa
Result : there are no ipsec sas
ASKER
Site 1
Result of the command: "sh crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 194.78.199.234
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Result of the command: "sh crypto ipsec sa"
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 10.0.0.2
access-list outside_1_cryptomap permit ip 192.168.1.0 255.255.255.0 Genappe 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0 /0/0)
remote ident (addr/mask/prot/port): (Genappe/255.255.255.0/0/0 )
current_peer: 194.78.199.234
#pkts encaps: 320, #pkts encrypt: 320, #pkts digest: 320
#pkts decaps: 395, #pkts decrypt: 395, #pkts verify: 395
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 320, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.0.0.2/4500, remote crypto endpt.: 194.78.199.234/64133
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 46BA50B7
inbound esp sas:
spi: 0xE0DD64AE (3772605614)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373926/23015)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x46BA50B7 (1186615479)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373913/23015)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
For info on the site one a other vpn tunnel is up un running
Result of the command: "sh crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 194.78.199.234
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Result of the command: "sh crypto ipsec sa"
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 10.0.0.2
access-list outside_1_cryptomap permit ip 192.168.1.0 255.255.255.0 Genappe 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0
remote ident (addr/mask/prot/port): (Genappe/255.255.255.0/0/0
current_peer: 194.78.199.234
#pkts encaps: 320, #pkts encrypt: 320, #pkts digest: 320
#pkts decaps: 395, #pkts decrypt: 395, #pkts verify: 395
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 320, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.0.0.2/4500, remote crypto endpt.: 194.78.199.234/64133
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 46BA50B7
inbound esp sas:
spi: 0xE0DD64AE (3772605614)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373926/23015)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x46BA50B7 (1186615479)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373913/23015)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
For info on the site one a other vpn tunnel is up un running
did u try my above commands
did u generate any intresting traffic ?
please give me the debug output
did u generate any intresting traffic ?
please give me the debug output
i hope the below ouput between site 1 and site 2 ( working ) .
kindly add my commands and give me the output atleast from other router ( site 3)
kindly add my commands and give me the output atleast from other router ( site 3)
ASKER
for the site 3
sh crypto isakmp sa
Result : there are no isakmp sas
sh crypto ipsec sa
Result : there are no ipsec sas
for the site 2 witch is connected to site 1
Result of the command: "sh crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 91.183.58.236
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Result of the command: "sh crypto ipsec sa"
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 192.168.0.2
access-list outside_1_cryptomap permit ip 192.168.2.0 255.255.255.0 Rosieres 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0 /0/0)
remote ident (addr/mask/prot/port): (Rosieres/255.255.255.0/0/ 0)
current_peer: 91.183.58.236
#pkts encaps: 625, #pkts encrypt: 625, #pkts digest: 625
#pkts decaps: 519, #pkts decrypt: 519, #pkts verify: 519
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 625, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.0.2/4500, remote crypto endpt.: 91.183.58.236/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: E0DD64AE
inbound esp sas:
spi: 0x46BA50B7 (1186615479)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 16384, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914866/21557)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xE0DD64AE (3772605614)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 16384, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914884/21557)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
sh crypto isakmp sa
Result : there are no isakmp sas
sh crypto ipsec sa
Result : there are no ipsec sas
for the site 2 witch is connected to site 1
Result of the command: "sh crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 91.183.58.236
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Result of the command: "sh crypto ipsec sa"
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 192.168.0.2
access-list outside_1_cryptomap permit ip 192.168.2.0 255.255.255.0 Rosieres 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0
remote ident (addr/mask/prot/port): (Rosieres/255.255.255.0/0/
current_peer: 91.183.58.236
#pkts encaps: 625, #pkts encrypt: 625, #pkts digest: 625
#pkts decaps: 519, #pkts decrypt: 519, #pkts verify: 519
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 625, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.0.2/4500, remote crypto endpt.: 91.183.58.236/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: E0DD64AE
inbound esp sas:
spi: 0x46BA50B7 (1186615479)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 16384, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914866/21557)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xE0DD64AE (3772605614)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 1, }
slot: 0, conn_id: 16384, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914884/21557)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASKER
that is not the debug output that I asked for .
ok ,try the following
logginh enable
logging buffere 7
debug crypto isakmp
clear log
then test.
ok ,try the following
logginh enable
logging buffere 7
debug crypto isakmp
clear log
then test.
can u able to reach the site3 outside Ip ?
ASKER
hi
from site one i can pig site 3
it is that your question?
from site one i can pig site 3
it is that your question?
I mean the tunnel peer ip of site3
for eg : site1 : 91.183.58.236
site 2 : 194.78.199.234
site3 : ?
for eg : site1 : 91.183.58.236
site 2 : 194.78.199.234
site3 : ?
ASKER
77.109.115.48
ASKER
or th site 1 i just have a web access so i can not use the debug command
can u able to reach that IP ?
if u can reach Site 3, then take the output of
logginh enable
logging buffere 7
debug crypto isakmp
clear log
then test.
u can generate traffic from site 3 by
ping 192.168.1.1 source 192.168.3.1
if u can reach Site 3, then take the output of
logginh enable
logging buffere 7
debug crypto isakmp
clear log
then test.
u can generate traffic from site 3 by
ping 192.168.1.1 source 192.168.3.1
so u r at site 3 ?
try my above workaround there
try my above workaround there
ASKER
i am not seeing anything related to ipsec , still the show crypto isakmp sa is showing blank
ok
try like this
no logging enable
terminal monitor
debug crypto isakmp 255
ping 192.168.1.1 source 192.168.3.1
it will display the log messages on the screen
ok
try like this
no logging enable
terminal monitor
debug crypto isakmp 255
ping 192.168.1.1 source 192.168.3.1
it will display the log messages on the screen
ASKER
on site 3 i do this
logginh enable
logging buffere 7
debug crypto isakmp
clear log
and then i do
ping 192.168.1.3 : on consol : success rate is 0 percent
i attached the log file
site-3-ter.txt
logginh enable
logging buffere 7
debug crypto isakmp
clear log
and then i do
ping 192.168.1.3 : on consol : success rate is 0 percent
i attached the log file
site-3-ter.txt
as I mentioned above that logs are related to tcp .
try my above comment
try my above comment
ASKER
I try this on site 3
no logging enable
terminal monitor
debug crypto isakmp 255
ping 192.168.1.1
i have the message that terminal monitor is not supporter by the console
no logging enable
terminal monitor
debug crypto isakmp 255
ping 192.168.1.1
i have the message that terminal monitor is not supporter by the console
ASKER
<hen i try on the asdm interface
the result is
Result of the command: "no logging enable"
The command has been sent to the device
Result of the command: "terminal monitor"
The command has been sent to the device
Result of the command: "ping 192.168.1.1"
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
but i have the message that debug commande is not supporter by cli windows
the result is
Result of the command: "no logging enable"
The command has been sent to the device
Result of the command: "terminal monitor"
The command has been sent to the device
Result of the command: "ping 192.168.1.1"
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
but i have the message that debug commande is not supporter by cli windows
ASKER
with this command
logging enable
logging buffere 7
debug crypto isakmp
clear log
ping 192.168.1.3
does this buffer log help you
see file
thanks
site-3-buffer.txt
logging enable
logging buffere 7
debug crypto isakmp
clear log
ping 192.168.1.3
does this buffer log help you
see file
thanks
site-3-buffer.txt
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
hi,
With you different précednt comment a delete the vpn tunnel and i recreated; And i take care about your comment and the vpn tunnel work fine
Thanks for you help
With you different précednt comment a delete the vpn tunnel and i recreated; And i take care about your comment and the vpn tunnel work fine
Thanks for you help
gr8
so u recreated the ipsec tunnel at site3 .
if u need any further assistance , please let me know
so u recreated the ipsec tunnel at site3 .
if u need any further assistance , please let me know