Solved

Cisco ASA 5505 Site to Site VPN

Posted on 2011-04-27
Last Modified: 2012-05-11
Our main office has a Cisco 5505 with the security bundle and unlimited users.  I have a remote office also with a Cisco 5505, except this is the basic model.

I'd like to set up a site-to-site VPN tunnel between the two, so that the remote site can see the domain, access files, etc.

How do I go about doing this?

Thanks in Advance
Question by:Railroad
28 Comments
 

Author Comment

by:Railroad
ID: 35476596
So I found this guide:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

Followed it, but no tunnels are created.

Expert Comment

by:jmeggers
ID: 35477302
Your best bet may be to use the wizard, but remember both sides have to match in some ways, and be mirror images of each other in other ways.  I believe the basic license still supports IPSec, so that shouldn't be an issue for you.  You haven't posted a config, so we don't have much to go on.  If you do decide to post configs, make sure you obscure your public addresses, delete ACLs other than those required for the VPN tunnel, etc.

When you are on the CLI and do "show crypto isakmp sa" what do you see?  

Assisted Solution

by:jon1966
jon1966 earned 400 total points
ID: 35477439
My suggestion is to fire up the Cisco ASDM-IDM and use the wizard "IPsec VPN Wizard" and configure the tunnel.  

Author Comment

by:Railroad
ID: 35477588
Here are the configs.  Running the command "show crypto isakmp sa" returns "There are no isakmp sas"

"Client" End
ASA Version 8.2(1) 
!
hostname Client
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!             
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list 100 extended permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.254.0 
access-list 100 extended permit ip 192.168.200.0 255.255.255.0 192.168.20.0 255.255.254.0 
access-list nonat extended permit ip 192.168.200.0 255.255.255.0 192.168.20.0 255.255.254.0 
access-list nonat extended permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.254.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer SERVER IP
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 15
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group SERVER IP type ipsec-l2l
tunnel-group SERVER IP ipsec-attributes
 pre-shared-key *
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:07a010b4e15a2cd268669c313c49a06b
: end

"Server" End
ASA Version 8.2(1) 
!
hostname SERVER
names
!
interface Vlan1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 nameif outside-tw
 security-level 0
 ip address SERVER IP 255.255.255.240 
!
interface Vlan3
 shutdown
 nameif outside-frontier
 security-level 0
 no ip address
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.254.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
 switchport access vlan 10
!             
interface Ethernet0/4
 switchport access vlan 10
!
interface Ethernet0/5
 switchport access vlan 10
!
interface Ethernet0/6
 switchport access vlan 10
!
interface Ethernet0/7
 switchport access vlan 10
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any echo-reply 
access-list 100 extended permit ip 192.168.10.0 255.255.254.0 192.168.200.0 255.255.255.0 
access-list 100 extended permit ip 192.168.20.0 255.255.254.0 192.168.200.0 255.255.255.0 
access-list nonat extended permit ip 192.168.10.0 255.255.254.0 192.168.200.0 255.255.255.0 
access-list nonat extended permit ip 192.168.20.0 255.255.254.0 192.168.200.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
logging host inside 192.168.10.33
mtu outside-tw 1500
mtu outside-frontier 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside-tw) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside-tw
route outside-tw 0.0.0.0 0.0.0.0 GATEWAY 1
route inside 192.168.20.0 255.255.254.0 GATEWAY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer CLIENT IP
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside-tw
crypto isakmp enable outside-tw
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2      
 lifetime 86400
telnet timeout 5
ssh timeout 15
console timeout 0
dhcpd auto_config outside-tw
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group CLIENT IP type ipsec-l2l
tunnel-group CLIENT IP ipsec-attributes
 pre-shared-key *
!
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:5ae9aa47c3289bc46c0822a80ddad19d
: end


Author Comment

by:Railroad
ID: 35477832
Ok, I deleted the hand-built VPN and recreated it via the wizard.  Still doesn't work.

show crypto isakmp sa still returns: There are no isakmp sas

Expert Comment

by:jon1966
ID: 35477848
Did you use the wizard on both ASAs?

Author Comment

by:Railroad
ID: 35477882
Yes

Expert Comment

by:jon1966
ID: 35477922
Would you repost both configs please?

Author Comment

by:Railroad
ID: 35478247
In looking at the configs before posting, I noticed some "old hand entered" lines.  So I reloaded the config from my save before making changes and then rebuilt the VPN via the wizard.  Still not working, but here are my current configs.

CLIENT:
ASA Version 8.2(1) 
!
hostname CLIENT
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!             
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group network OFFICE
 network-object 192.168.10.0 255.255.254.0
 network-object 192.168.20.0 255.255.254.0
access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 object-group OFFICE 
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 object-group OFFICE 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer SERVER_IP 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.200.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group SERVER_IP type ipsec-l2l
tunnel-group SERVER_IP ipsec-attributes
 pre-shared-key *
!
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:facaf804c3cb27ef48285328d4b0d791
: end


SERVER:
ASA Version 8.2(1) 
!
hostname SERVER
names
!
interface Vlan1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 nameif outside-tw
 security-level 0
 ip address SERVER_IP 255.255.255.240 
!
interface Vlan3
 shutdown
 nameif outside-frontier
 security-level 0
 no ip address
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.254.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
 switchport access vlan 10
!             
interface Ethernet0/4
 switchport access vlan 10
!
interface Ethernet0/5
 switchport access vlan 10
!
interface Ethernet0/6
 switchport access vlan 10
!
interface Ethernet0/7
 switchport access vlan 10
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit intra-interface
object-group network OFFICE
 network-object 192.168.10.0 255.255.254.0
 network-object 192.168.20.0 255.255.254.0
object-group network REMOTE
 network-object 192.168.200.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside-tw_1_cryptomap extended permit ip object-group OFFICE object-group REMOTE
access-list inside_nat0_outbound extended permit ip object-group OFFICE object-group REMOTE 
pager lines 24
logging enable
logging asdm informational
logging host inside 192.168.10.33
mtu outside-tw 1500
mtu outside-frontier 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside-tw) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside-tw
route outside-tw 0.0.0.0 0.0.0.0 GATEWAY 1
route inside 192.168.20.0 255.255.254.0 192.168.10.80 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.10.0 255.255.254.0 inside
http 192.168.20.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside-tw_map 1 match address outside-tw_1_cryptomap
crypto map outside-tw_map 1 set pfs group1
crypto map outside-tw_map 1 set peer CLIENT_IP
crypto map outside-tw_map 1 set transform-set ESP-3DES-SHA
crypto map outside-tw_map interface outside-tw
crypto isakmp enable outside-tw
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.20.0 255.255.254.0 inside
ssh 192.168.10.0 255.255.254.0 inside
ssh timeout 15
console timeout 0
dhcpd auto_config outside-tw
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group CLIENT_IP type ipsec-l2l
tunnel-group CLIENT_IP ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:5f1eac80e54845a214f28171b9aa346b
: end

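jmeggers' point above, that the two sides must match in some settings and be mirror images in others, can be checked mechanically instead of by eye. The script below is an added example, not code from the thread or from Cisco: it parses two ASA 8.2 configs in the style of the first pair posted (numeric crypto ACLs; it does not expand the wizard's object-groups), and reports every setting that must match (transform set, ISAKMP policy, PFS) or mirror (peer address, tunnel-group name, crypto ACL). The sample configs are constructed, 198.51.100.27 and 203.0.113.5 stand in for CLIENT IP and SERVER IP, and each side's real public address is passed in by the operator because a DHCP outside interface, like the client's here, does not show it in the config.

```python
"""Mirror-check the IKEv1/IPsec settings of two ASA 8.2 site-to-site configs.
Added example, not code from the thread: it reports the settings that must match
(transform set, ISAKMP policy, PFS) or mirror each other (peer address vs. the
far side's outside address, tunnel-group name, crypto ACL)."""
import re

MAP_KEYS = {"match address": "acl_name", "set transform-set": "map_ts", "set pfs": "pfs"}

def parse_asa(cfg):
    """Extract the L2L-relevant lines from a running-config text (numeric ACLs only)."""
    d = {"peers": set(), "groups": set(), "ts": {}, "map_ts": None,
         "pfs": None, "acl_name": None, "acl": [], "policy": {}}
    in_policy = False
    for line in cfg.splitlines():
        if not line.strip():
            continue
        if line.startswith("crypto isakmp policy"):
            in_policy = True
            continue
        if line.startswith(" "):                 # sub-command of the current block
            if in_policy:
                key, _, val = line.strip().partition(" ")
                d["policy"][key] = val
            continue
        in_policy = False
        if m := re.match(r"crypto map \S+ \d+ (set peer|match address|set transform-set|set pfs) (\S+)", line):
            if m[1] == "set peer":
                d["peers"].add(m[2])
            else:
                d[MAP_KEYS[m[1]]] = m[2]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            d["ts"][m[1]] = frozenset(m[2].split())
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            d["groups"].add(m[1])
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)\s*$", line):
            d["acl"].append(m.groups())          # name, src, smask, dst, dmask
    return d

def crypto_acl(d):
    """Entries of the ACL the crypto map references, as (src, smask, dst, dmask)."""
    return {e[1:] for e in d["acl"] if e[0] == d["acl_name"]}

def check_pair(cfg_a, addr_a, cfg_b, addr_b):
    """addr_a/addr_b: the public address each side really uses, supplied by the
    operator because a DHCP outside interface does not show it in the config."""
    a, b = parse_asa(cfg_a), parse_asa(cfg_b)
    problems = []
    for side, me, far in (("A", a, addr_b), ("B", b, addr_a)):
        if far not in me["peers"]:
            problems.append(f"{side}: crypto map peer {sorted(me['peers'])} != far side {far}")
        if far not in me["groups"]:
            problems.append(f"{side}: missing 'tunnel-group {far} type ipsec-l2l'")
    if a["ts"].get(a["map_ts"]) != b["ts"].get(b["map_ts"]):
        problems.append("transform-set algorithms differ")
    if a["policy"] != b["policy"]:
        problems.append(f"isakmp policy differs: {a['policy']} vs {b['policy']}")
    if a["pfs"] != b["pfs"]:
        problems.append(f"PFS differs: {a['pfs']} vs {b['pfs']}")
    if crypto_acl(a) != {(d, dm, s, sm) for s, sm, d, dm in crypto_acl(b)}:
        problems.append("crypto ACLs are not mirror images of each other")
    return problems

# Constructed samples in the thread's first (numeric ACL) style; 198.51.100.27 and
# 203.0.113.5 stand in for CLIENT IP and SERVER IP. The server side carries transposed
# digits in the client's address, the kind of typo that broke the poster's tunnel.
CLIENT_CFG = """\
access-list 100 extended permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.254.0
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 203.0.113.5
crypto map outside_map 20 set transform-set myset
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
tunnel-group 203.0.113.5 type ipsec-l2l
"""
SERVER_CFG = """\
access-list 100 extended permit ip 192.168.10.0 255.255.254.0 192.168.200.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 198.51.100.72
crypto map outside_map 20 set transform-set myset
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
tunnel-group 198.51.100.72 type ipsec-l2l
"""
```

Running `check_pair(CLIENT_CFG, "198.51.100.27", SERVER_CFG, "203.0.113.5")` lists the two server-side entries that point at the wrong client address; with both fixed it returns an empty list.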

Author Comment

by:Railroad
ID: 35478766
Is there any type of logging I can look at to see what's going on?  Kind of frustrating that Cisco's Wizard doesn't work out of the box.

Expert Comment

by:JorisFRST
ID: 35482234
Hi,

On the client side you'll also need a route outside to get the traffic encrypted.

Joris.

Expert Comment

by:JorisFRST
ID: 35482245
Ignore last comment, I just noticed the dhcp setup.

Expert Comment

by:JorisFRST
ID: 35482303
Try to generate interesting traffic (ping the other side) and do a show log on both.

Also, is this a fixed address you get from your ISP's DHCP?

Author Comment

by:Railroad
ID: 35483096
No, this is truly dynamic.  Although my ISP never changes/adjusts the DHCP server, so I've had the same IP for years. :)

I am simply testing this from my home, which is why it's dynamic.  I have tried the connection from the remote office to the main office, which is static to static.  This isn't working either.

I have tried pinging the other side of the tunnel, but never get a response.  Show Log just returns:

Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 541 messages logged

I have watched the ASDM log and cannot see any attempts to connect to the server side IP.

I just changed the ASDM logging to Debug and still don't see any attempts to connect to the server IP.

Assisted Solution

by:JorisFRST
JorisFRST earned 1600 total points
ID: 35483179
First enable some more logging, then try again:
logging enable
logging timestamp
logging standby
logging buffer-size 50000
logging buffered debugging
logging history warnings
logging device-id hostname

Author Comment

by:Railroad
ID: 35483259
Done... Here's what I see when I Ping:

Apr 28 2011 02:02:23 CLIENT : %ASA-7-609001: Built local-host outside:192.168.10.1
Apr 28 2011 02:02:23 CLIENT : %ASA-6-302020: Built outbound ICMP connection for faddr 192.168.10.1/0 gaddr CLIENT_IP/4388 laddr CLIENT_IP/4388
Apr 28 2011 02:02:33 CLIENT : %ASA-5-111008: User 'enable_15' executed the 'ping 192.168.10.1' command.
Apr 28 2011 02:02:33 CLIENT : %ASA-6-302021: Teardown ICMP connection for faddr 192.168.10.1/0 gaddr CLIENT_IP/4388 laddr CLIENT_IP/4388
Apr 28 2011 02:02:33 CLIENT : %ASA-7-609002: Teardown local-host identity:CLIENT_IP duration 0:00:10
Apr 28 2011 02:02:33 CLIENT : %ASA-7-609002: Teardown local-host outside:192.168.10.1 duration 0:00:10


Author Comment

by:Railroad
ID: 35483285
I don't see the SERVER_IP anywhere in the logs.

Is there anyway to force the tunnel to try to connect?  BTW, who starts the tunnel, server or client?

Expert Comment

by:JorisFRST
ID: 35483301
Is this from a ping inside 192.168.10.1 ?

Author Comment

by:Railroad
ID: 35483404
That was a ping from the client ASA.  This is the log result, from the ASDM filtering on the SERVER_IP, for a ping from one of the workstations on the client network.

4|Apr 28 2011|09:24:13|713903|||||IP = SERVER_IP, Error: Unable to remove PeerTblEntry
3|Apr 28 2011|09:24:13|713902|||||IP = SERVER_IP, Removing peer from peer table failed, no match!
7|Apr 28 2011|09:24:13|713906|||||IP = SERVER_IP, sending delete/delete with reason message
7|Apr 28 2011|09:24:13|713906|||||IP = SERVER_IP, IKE SA MM:318143d2 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
7|Apr 28 2011|09:24:13|715065|||||IP = SERVER_IP, IKE MM Initiator FSM error history (struct &0xc66a57d0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent-->MM_SND_MSG3, EV_SND_MSG-->MM_SND_MSG3, EV_START_TMR-->MM_SND_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent
4|Apr 28 2011|09:24:05|713903|||||IP = SERVER_IP, Information Exchange processing failed
5|Apr 28 2011|09:24:05|713904|||||IP = SERVER_IP, Received an un-encrypted INVALID_COOKIE notify message, dropping
7|Apr 28 2011|09:24:05|713236|||||IP = SERVER_IP, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
7|Apr 28 2011|09:24:05|713236|||||IP = SERVER_IP, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
7|Apr 28 2011|09:24:05|713236|||||IP = SERVER_IP, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
4|Apr 28 2011|09:23:57|713903|||||IP = SERVER_IP, Information Exchange processing failed
5|Apr 28 2011|09:23:57|713904|||||IP = SERVER_IP, Received an un-encrypted INVALID_COOKIE notify message, dropping
7|Apr 28 2011|09:23:57|713236|||||IP = SERVER_IP, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
7|Apr 28 2011|09:23:57|713236|||||IP = SERVER_IP, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
7|Apr 28 2011|09:23:57|713236|||||IP = SERVER_IP, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
6|Apr 28 2011|09:23:55|713219|||||IP = SERVER_IP, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Apr 28 2011|09:23:50|713219|||||IP = SERVER_IP, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
4|Apr 28 2011|09:23:49|713903|||||IP = SERVER_IP, Information Exchange processing failed
5|Apr 28 2011|09:23:49|713904|||||IP = SERVER_IP, Received an un-encrypted INVALID_COOKIE notify message, dropping
7|Apr 28 2011|09:23:49|713236|||||IP = SERVER_IP, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
7|Apr 28 2011|09:23:49|713236|||||IP = SERVER_IP, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
7|Apr 28 2011|09:23:49|713236|||||IP = SERVER_IP, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
6|Apr 28 2011|09:23:45|713219|||||IP = SERVER_IP, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
7|Apr 28 2011|09:23:41|713236|||||IP = SERVER_IP, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
7|Apr 28 2011|09:23:41|713906|||||IP = SERVER_IP, computing NAT Discovery hash
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing NAT-Discovery payload
7|Apr 28 2011|09:23:41|713906|||||IP = SERVER_IP, computing NAT Discovery hash
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing NAT-Discovery payload
7|Apr 28 2011|09:23:41|715048|||||IP = SERVER_IP, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing VID payload
7|Apr 28 2011|09:23:41|715038|||||IP = SERVER_IP, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
7|Apr 28 2011|09:23:41|715048|||||IP = SERVER_IP, Send IOS VID
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing xauth V6 VID payload
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing Cisco Unity VID payload
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing nonce payload
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing ke payload
7|Apr 28 2011|09:23:41|715064|||||IP = SERVER_IP, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
7|Apr 28 2011|09:23:41|715049|||||IP = SERVER_IP, Received Fragmentation VID
7|Apr 28 2011|09:23:41|715047|||||IP = SERVER_IP, processing VID payload
7|Apr 28 2011|09:23:41|715049|||||IP = SERVER_IP, Received NAT-Traversal ver 02 VID
7|Apr 28 2011|09:23:41|715047|||||IP = SERVER_IP, processing VID payload
7|Apr 28 2011|09:23:41|713906|||||IP = SERVER_IP, Oakley proposal is acceptable
7|Apr 28 2011|09:23:41|715047|||||IP = SERVER_IP, processing SA payload
7|Apr 28 2011|09:23:41|713236|||||IP = SERVER_IP, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
6|Apr 28 2011|09:23:41|302015|SERVER_IP|500|CLIENT_IP|500|Built outbound UDP connection 2114 for outside:SERVER_IP/500 (SERVER_IP/500) to identity:CLIENT_IP/500 (CLIENT_IP/500)
7|Apr 28 2011|09:23:41|609001|SERVER_IP||||Built local-host outside:SERVER_IP
7|Apr 28 2011|09:23:41|713236|||||IP = SERVER_IP, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing Fragmentation VID + extended capabilities payload
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing NAT-Traversal VID ver RFC payload
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing NAT-Traversal VID ver 03 payload
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing NAT-Traversal VID ver 02 payload
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing ISAKMP SA payload
5|Apr 28 2011|09:23:41|713041|||||IP = SERVER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer SERVER_IP  local Proxy Address 192.168.200.0, remote Proxy Address 192.168.10.0,  Crypto map (outside_map)


Expert Comment

by:JorisFRST
ID: 35483413
Standard L2L tunnel setup allows both to initiate; the easiest place to verify this is ASDM.

To initiate the tunnel you have to ping from the 192.168.200.0 subnet (inside interface) or a PC on that network to one of the "office" IPs.

Once the traffic is verified as "interesting" it will try to build a tunnel.

Expert Comment

by:JorisFRST
ID: 35483457
Are you sure the preshared key is the same on both devices?

Author Comment

by:Railroad
ID: 35483511
Ok, so the connection isn't always on, only when it's requested by either end.

So I tried pinging 192.168.10.20 from 192.168.200.90.  The log shows it trying to connect the tunnel.  During the ping attempt I also tried:

CLIENT# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: SERVER_IP
    Type    : user            Role    : initiator 
    Rekey   : no              State   : MM_WAIT_MSG4


None of my pings are successful.

Accepted Solution

by:JorisFRST
JorisFRST earned 1600 total points
ID: 35483577
Check whether the SERVER IP and CLIENT IP in your configs are all correct.
It looks like your log says that one side is not encrypting for the other side, so somewhere an IP entry must be wrong in the config.
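Read in order, the ASDM lines Railroad posted show the initiator sending MM1, receiving MM2 ("Oakley proposal is acceptable"), then resending MM3 until the peer answers with INVALID_COOKIE and the FSM gives up in MM_WAIT_MSG4, which is the pattern JorisFRST reads as one side not recognising the other. The script below is an added example, not code from the thread, that triages that ASDM export format (severity|date|time|message-id|src|sport|dst|dport|text) for a given peer and distinguishes "no interesting traffic ever matched" from "phase 1 stalled after MM3". The sample lines are constructed from the paste above, with 203.0.113.5 standing in for SERVER_IP and 198.51.100.27 for CLIENT_IP.

```python
"""Triage ASDM-exported IKEv1 log lines for a stalled site-to-site tunnel.
Added example, not part of the thread. ASDM exports lines as
severity|date|time|message-id|src|sport|dst|dport|text, as in the poster's
paste; the sample below is constructed from that paste with 203.0.113.5
standing in for SERVER_IP."""
import re
from collections import Counter

def parse_asdm_line(line):
    """Split one export line into a dict, or None if it is not in that format."""
    parts = line.split("|", 8)
    if len(parts) != 9 or not parts[0].isdigit():
        return None
    sev, date, time, msgid, src, _, _, _, text = parts
    m = re.search(r"IP = (\S+),", text)             # IKE messages name the peer here
    return {"sev": int(sev), "ts": f"{date} {time}", "id": msgid,
            "peer": m[1] if m else (src or None), "text": text}

def triage_ike(log_text, peer):
    """Return (verdict, event counts) for IKE phase 1 activity towards `peer`."""
    events = [e for e in map(parse_asdm_line, log_text.splitlines()) if e and e["peer"] == peer]
    c = Counter()
    for e in events:
        t, i = e["text"], e["id"]
        if i == "713041" and "IKE Initiator: New Phase 1" in t:
            c["initiated"] += 1                      # crypto ACL matched, MM1 sent
        elif i == "713236" and "RECEIVED" in t and "+ SA (1)" in t:
            c["mm2_received"] += 1                   # peer answered the proposal
        elif i == "713236" and "RESENDING" in t and "+ KE (4)" in t:
            c["mm3_resent"] += 1                     # our KE/nonce got no MM4 reply
        elif i == "713904" and "INVALID_COOKIE" in t:
            c["invalid_cookie"] += 1                 # peer holds no SA for our cookies
        elif i == "715065" and "MM_WAIT_MSG4, EV_TIMEOUT" in t:
            c["timed_out_wait_msg4"] += 1
    if not events:
        return ("no IKE activity towards peer: nothing matched the crypto ACL; "
                "test from an inside host or with 'ping inside', not from the outside interface", c)
    if c["timed_out_wait_msg4"] or (c["mm3_resent"] and c["invalid_cookie"]):
        return ("phase 1 stalled in MM_WAIT_MSG4: peer answered MM2 but rejects MM3 with "
                "INVALID_COOKIE; check that the far side's crypto map peer / tunnel-group "
                "address is this side's real outside address and that the PSKs match", c)
    if c["initiated"]:
        return ("phase 1 started; capture ends before a verdict", c)
    return ("activity towards peer but no phase 1 initiation logged", c)

# Constructed sample trimmed from the poster's ASDM paste (severity 7 = debugging).
SAMPLE_LOG = """\
5|Apr 28 2011|09:23:41|713041|||||IP = 203.0.113.5, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.5  local Proxy Address 192.168.200.0, remote Proxy Address 192.168.10.0,  Crypto map (outside_map)
7|Apr 28 2011|09:23:41|713236|||||IP = 203.0.113.5, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 168
6|Apr 28 2011|09:23:41|302015|203.0.113.5|500|198.51.100.27|500|Built outbound UDP connection 2114 for outside:203.0.113.5/500 (203.0.113.5/500) to identity:198.51.100.27/500 (198.51.100.27/500)
7|Apr 28 2011|09:23:41|713236|||||IP = 203.0.113.5, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
7|Apr 28 2011|09:23:41|713236|||||IP = 203.0.113.5, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
7|Apr 28 2011|09:23:49|713236|||||IP = 203.0.113.5, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
5|Apr 28 2011|09:23:49|713904|||||IP = 203.0.113.5, Received an un-encrypted INVALID_COOKIE notify message, dropping
7|Apr 28 2011|09:24:13|715065|||||IP = 203.0.113.5, IKE MM Initiator FSM error history (struct &0xc66a57d0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent
"""
```

`triage_ike(SAMPLE_LOG, "203.0.113.5")` returns the MM_WAIT_MSG4 verdict with one event of each kind counted; asking about a peer that never appears returns the "no IKE activity" verdict, which is the state Railroad was in while pinging from the ASA itself.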

Author Comment

by:Railroad
ID: 35483720
BTW, a "show crypto isakmp sa" command on the server side, returns "There are no isakmp sas".

So it still doesn't look like the tunnel is being created.

OK... So I checked all my settings AGAIN.  I had reversed two numbers in one of the client IPs on the server.  Deleted the tunnel and recreated.  Ping was successful in both directions.

So you cannot ping from the actual ASAs?  This may have been my issue all along and why my other VPN "isn't working".  I've deleted the tunnel and recreated it so many times, figures this last time I'd have a typo.

Thank you for your help.

Expert Comment

by:JorisFRST
ID: 35483746
You can ping from the ASAs, but you have to use the command "ping inside" to have it build a tunnel, as it needs to be the ASA's inside IP that originates the ping to be interesting.

The command to allow all VPN traffic is normally enabled by default, so ASAs should respond to pings for VPN traffic.

Author Comment

by:Railroad
ID: 35483926
Just tried a "ping inside 192.168.10.20" from our remote office ASA; no response.

I tried from a main office workstation to ping 192.168.30.170 (Remote office Printer) and that worked.

Also, pinging either ASA's inside IP address doesn't work from the other side of the VPN.

Connection is working other than this, which isn't a huge deal.  Thank you!

Expert Comment

by:JorisFRST
ID: 35484080
I only have ASA 8.3 to compare with, but it might be you need to add:
management-access inside

Author Comment

by:Railroad
ID: 35484120
Yes, adding that command corrected the issue.