Solved

ASA L2L vpn can not connect

Posted on 2014-09-18
7
457 Views
Last Modified: 2014-09-21
Expert
Here is a problem. Any expert can take a look at the configuration of ASA L2L vpn. The two asa can ping each other, but its vpn cannot connect. Thank you.

ASA3# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ASA3
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.0.0.0
!
ftp mode passive
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set Router-set esp-3des esp-md5-hmac
crypto map outside_map 1 match address nonat
crypto map outside_map 1 set peer 192.168.1.2
crypto map outside_map 1 set ikev1 transform-set Router-set
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5    
 group 2
 lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
================================================
client# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname client
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.2.2.1 255.255.255.0
!
!
ftp mode passive
access-list USGA095 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FIRSTSET esp-3des esp-sha-hmac
crypto map S2SVPN 2 match address USGA095
crypto map S2SVPN 2 set peer 172.16.1.1
crypto map S2SVPN 2 set ikev1 transform-set FIRSTSET
crypto map S2SVPN interface outside
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
=================================
client# sh crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs
client#

ASA3#  sh crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs
ASA3#
0
Comment
Question by:EESky
  • 3
  • 2
  • 2
7 Comments
 
LVL 1

Expert Comment

by:svijay_k
ID: 40332032
Nat 0 is missing in the configuration
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 40332142
Hi

>>access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

This has no place in an 8.4 VPN config? Oh wait I see you've delaired that in the cryptomap - thats what confused the first poster. DO NOT attempt to add a Nat0 command it will error!

You have no NAT stement for the VPN
See Cisco ASA 5500 Site to Site VPN (From CLI)


Pete
0
 
LVL 1

Expert Comment

by:svijay_k
ID: 40332165
Agreed, Nat 0 is not reqiured post 8.3.

Crypto ipsec transform-set is matching on both the ends. first one it is esp-3des esp-md5-hmac and the second one it is esp-3des esp-sha-hmac. use the same encyrption on both the ends

Also the Shared secret should match at both the ends.

Rest all seems to be good.
0
Manage your data center from practically anywhere

The KN8164V features HD resolution of 1920 x 1200, FIPS 140-2 with level 1 security standards and virtual media transmissions at twice the speed. Built for reliability, the KN series provides local console and remote over IP access, ensuring 24/7 availability to all servers.

 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 500 total points
ID: 40332254
Yes Well spotted - your Transform set on the bottom ASA des not match your phase 1 policy

crypto ipsec ikev1 transform-set FIRSTSET esp-3des esp-sha-hmac

crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600

for phase 1 you need

1. Matching policy
2. Matching Shared Secret
3. Connectivity
4. Symetrical ACLs for 'Interesting Traffic'

Though if the problm was policy mismatch you should at least see a WAIT_MSG_(number) on the 'show cryptp isakmp' results.
0
 

Author Comment

by:EESky
ID: 40333994
Thank you so much for your fast reply

@svijay_k, in fact, I do not use nat, instead I just use nonat as a name of access-less. And you are right about the "esp-3des esp-md5-hmac" now i already correct it.

@PeteLong, I already changed to "esp-3des esp-md5-hmac". And regarding access-list and Policy etc in two ASA, the access-list name is different, but the traffic in two asa is mirror relation. also some names are different, but the content in the two asa are the same.  

However the VPN is still not working. any suggestion ? Thank you.
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 40334164
0
 

Author Comment

by:EESky
ID: 40335739
Thank you. I got it after i reconfigured it.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This past year has been one of great growth and performance for OnPage. We have added many features and integrations to the product, making 2016 an awesome year. We see these steps forward as the basis for future growth.
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question