Solved

ASA 8.2 L2L -> 9.1 L2L

Posted on 2013-06-28
Last Modified: 2013-06-30
Hey all,

I will keep this to the point. I am setting up an L2L VPN between an ASA 5520 running 8.2 and a 5515-X running 9.1.

No phase 1 is taking place; debugs show no IKE negotiation. Can't quite put my finger on it. There are existing L2L VPNs on the ASA running 8.2 that are up without issue.

Internet/internal routing is working on both ASAs. Please see the heavily sanitized configs below; let me know if more info is needed.
***************************
ASA Version 8.2(5)
!

object-group network Internal_Networks
 network-object 192.168.0.0 255.255.0.0
!
object-group network VPN_NETS
 network-object 172.16.21.0 255.255.255.0
 network-object 172.16.22.0 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 1.0.1.2 255.255.255.192
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
access-list outside_3_cryptomap extended permit ip object-group Internal_Networks object-group VPN_NETS
!
nat (inside) 0 access-list inside_nat0_outbound
!

route outside 0.0.0.0 0.0.0.0 1.0.1.1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map outside_map 3 set pfs group1
crypto map outside_map 3 set peer 1.0.1.3
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
!
tunnel-group 1.0.1.3 type ipsec-l2l
tunnel-group 1.0.1.3 ipsec-attributes
 pre-shared-key *****
!
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 1      
 lifetime 86400
!
*************************
ASA Version 9.1(1)

!
object-group network LOCAL_NETS
 network-object 172.16.21.0 255.255.255.0
 network-object 172.16.22.0 255.255.255.0
!
object network HQ_BLOCK
 subnet 192.168.0.0 255.255.0.0
!
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 1.0.1.3 255.255.255.240
!
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 172.16.21.10 255.255.255.0
!
access-list OUTSIDE_cryptomap extended permit ip object-group LOCAL_NETS object HQ_BLOCK

!
nat (INSIDE,OUTSIDE) source static LOCAL_NETS LOCAL_NETS destination static HQ_BLOCK HQ_BLOCK
!
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap
crypto map OUTSIDE_map 1 set pfs group1
crypto map OUTSIDE_map 1 set peer 1.0.1.2
crypto map OUTSIDE_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map OUTSIDE_map interface OUTSIDE
!

crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
!
tunnel-group 1.0.1.2 type ipsec-l2l
tunnel-group 1.0.1.2 ipsec-attributes
 ikev1 pre-shared-key *****
Question by:Leeeee

9 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39286815
Are you using the public IPs to encrypt or the inside?  If inside, where are your nonat statements?

debug crypto ipsec sa 10 (or similar)
debug crypto isakmp sa 10 (or similar)
term mon

ping inside to inside.  any debug?
 
LVL 5

Author Comment

by:Leeeee
ID: 39286970
Thanks for the reply. The no-NAT ACL is there on the 8.2 ASA; I just forgot to include it. There's no debug output on either ASA for their respective peer for this tunnel. To me it seems like it may be a routing issue, but the default route should be catching everything.

debug crypto condition peer 1.0.1.2 - nothing
debug crypto ikev 255 - nothing

I tried on the ASA running 8.2: nothing from the peer debug, and normal debugs from the other L2L tunnels on that ASA. We should at least see some type of phase 1 exchange taking place, and there is nothing.

9.1 ASA FW01# sh crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs

I should note there is an ASR that connects to the ASA, which aggregates a Metro-E circuit between these two sites. The L2L VPN will be used as failover, with a floating static pointing to the ASA in case the Metro-E link goes down on the ASR.
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 200 total points
ID: 39287018
Can you ping or traceroute to the peer (each end)?
 
LVL 5

Author Comment

by:Leeeee
ID: 39287059
I can ping the outside ip of both firewalls.

Routing to the destination LANs goes through the ASR at each site and over the Metro-E circuit; I wouldn't think this would affect phase 1 coming up. Internet traffic passes through the firewall and out.

I have attached a simple visio of the environment.

diagram
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39287084
That's a bit confusing. Are your two internal networks really connected from inside?
 
LVL 5

Author Comment

by:Leeeee
ID: 39287261
They are. Site-to-site traffic is routed between the ASRs via EIGRP, with the end goal of placing floating statics on the ASRs pointing to the ASA for another path out to each site via the L2L tunnel. Each ASR has a default route pointing to the ASA for internet access.

Correct me if I'm wrong, but that shouldn't affect the fact that no phase 1 exchange takes place on the outside interface, though. It's not complicated setting up an L2L, but I am just baffled why I see no phase 1. Something is getting blocked or I am missing something somewhere.

Let me know if you need more info and I appreciate your responses.
 
LVL 12

Accepted Solution

by:
Henk van Achterberg earned 300 total points
ID: 39288198
Phase 1 will only take place when there is traffic destined to go over the VPN tunnel. As far as I can see, traffic will flow through the ASRs over the EIGRP path.

When you remove the routes to the internal LAN at the other side from the ASA's, you will probably see phase 1 traffic taking place and the VPN tunnel being built.
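To make the point of the accepted answer concrete: an ASA only initiates IKE when a packet egresses the interface the crypto map is bound to and matches the crypto ACL. While the ASR holds an EIGRP route for 192.168.0.0/16 over the Metro-E, packets for the remote LAN never reach the ASA, so there is nothing to debug. The script below is an added example, not code from the thread; it simulates the ASR's longest-prefix / administrative-distance route selection and the 9.1 ASA's crypto ACL check. The prefixes and the ASA inside address (172.16.21.10) come from the posted 9.1 config, with LOCAL_NETS taken as /24s to mirror the 8.2 side; the Metro-E next hop 10.255.0.1, the floating-static distance of 200, and the test hosts are constructed assumptions.

```python
"""Why no IKE phase 1 starts while the Metro-E path is up (added example).

Constructed assumptions: Metro-E next hop, floating-static AD of 200, and
the sample hosts.  Prefixes and the ASA inside address follow the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str
    admin_distance: int
    source: str  # "eigrp" or "static"


def best_route(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; on equal length the lowest administrative
    distance wins, so a floating static only takes over once the EIGRP
    route for the same prefix is withdrawn."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.admin_distance))


# Crypto ACL OUTSIDE_cryptomap of the 9.1 ASA as (source, destination) pairs.
CRYPTO_ACL = [
    (IPv4Network("172.16.21.0/24"), IPv4Network("192.168.0.0/16")),
    (IPv4Network("172.16.22.0/24"), IPv4Network("192.168.0.0/16")),
]


def matches_crypto_acl(acl, src: str, dst: str) -> bool:
    """True if the flow is 'interesting traffic' for the crypto map."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in a and d in b for a, b in acl)


ASA_INSIDE = "172.16.21.10"   # INSIDE interface of the 9.1 ASA (from the post)
METRO_E_PEER = "10.255.0.1"   # assumed ASR-to-ASR next hop over the Metro-E


def asr_table(metro_e_up: bool) -> List[Route]:
    """Routing table of the ASR at the 9.1 site."""
    table = [
        # floating static toward the ASA (AD 200 assumed), the intended backup path
        Route(IPv4Network("192.168.0.0/16"), ASA_INSIDE, 200, "static"),
        # default route to the ASA for internet access
        Route(IPv4Network("0.0.0.0/0"), ASA_INSIDE, 1, "static"),
    ]
    if metro_e_up:
        # EIGRP-learned route (AD 90) beats the floating static while the circuit is up
        table.append(Route(IPv4Network("192.168.0.0/16"), METRO_E_PEER, 90, "eigrp"))
    return table


def ike_triggered(metro_e_up: bool, src: str, dst: str) -> Tuple[bool, str]:
    """Would this flow make the 9.1 ASA start IKE phase 1?  Returns (yes/no, reason)."""
    route = best_route(asr_table(metro_e_up), dst)
    if route is None:
        return False, "ASR has no route; packet dropped before reaching the ASA"
    if route.next_hop != ASA_INSIDE:
        return False, f"ASR forwards via {route.next_hop} ({route.source}); the ASA never sees the flow"
    # The packet reaches INSIDE.  The posted 9.1 config has no specific route for
    # 192.168.0.0/16, so it follows the default out OUTSIDE, where OUTSIDE_map is
    # bound and the crypto ACL is evaluated.
    if matches_crypto_acl(CRYPTO_ACL, src, dst):
        return True, "flow matches OUTSIDE_cryptomap on egress; IKE phase 1 starts"
    return False, "flow egresses OUTSIDE but matches no crypto ACL entry; forwarded unencrypted"


if __name__ == "__main__":
    for up, s, d in [(True, "172.16.21.50", "192.168.1.20"),
                     (False, "172.16.21.50", "192.168.1.20"),
                     (False, "172.16.21.50", "8.8.8.8")]:
        ok, why = ike_triggered(up, s, d)
        print(f"metro_e_up={up!s:5} {s} -> {d}: IKE={ok} ({why})")
```

The first case reproduces the thread: the EIGRP route wins, the flow goes over the Metro-E, and no IKE exchange exists to debug. Withdrawing the EIGRP route (circuit down) makes the floating static active, the packet reaches the ASA, matches the crypto ACL on egress and phase 1 begins. The third case shows that traffic reaching the ASA is not enough by itself; it must also match the crypto ACL.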
 
LVL 28

Expert Comment

by:Jan Springer
ID: 39288302
If those two interconnected devices are reachable locally, traffic shouldn't hit the ASAs.
 
LVL 5

Author Closing Comment

by:Leeeee
ID: 39288352
Routing issue, thanks for your help!
