Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 478
  • Last Modified:

ASA L2L vpn can not connect

Expert
Here is a problem. Any expert can take a look at the configuration of ASA L2L vpn. The two asa can ping each other, but its vpn cannot connect. Thank you.

ASA3# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ASA3
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.0.0.0
!
ftp mode passive
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set Router-set esp-3des esp-md5-hmac
crypto map outside_map 1 match address nonat
crypto map outside_map 1 set peer 192.168.1.2
crypto map outside_map 1 set ikev1 transform-set Router-set
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5    
 group 2
 lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
================================================
client# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname client
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.2.2.1 255.255.255.0
!
!
ftp mode passive
access-list USGA095 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FIRSTSET esp-3des esp-sha-hmac
crypto map S2SVPN 2 match address USGA095
crypto map S2SVPN 2 set peer 172.16.1.1
crypto map S2SVPN 2 set ikev1 transform-set FIRSTSET
crypto map S2SVPN interface outside
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
=================================
client# sh crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs
client#

ASA3#  sh crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs
ASA3#
0
EESky
Asked:
EESky
  • 3
  • 2
  • 2
2 Solutions
 
svijay_kCommented:
Nat 0 is missing in the configuration
0
 
Pete LongConsultantCommented:
Hi

>>access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

This has no place in an 8.4 VPN config? Oh wait I see you've delaired that in the cryptomap - thats what confused the first poster. DO NOT attempt to add a Nat0 command it will error!

You have no NAT stement for the VPN
See Cisco ASA 5500 Site to Site VPN (From CLI)


Pete
0
 
svijay_kCommented:
Agreed, Nat 0 is not reqiured post 8.3.

Crypto ipsec transform-set is matching on both the ends. first one it is esp-3des esp-md5-hmac and the second one it is esp-3des esp-sha-hmac. use the same encyrption on both the ends

Also the Shared secret should match at both the ends.

Rest all seems to be good.
0
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

 
Pete LongConsultantCommented:
Yes Well spotted - your Transform set on the bottom ASA des not match your phase 1 policy

crypto ipsec ikev1 transform-set FIRSTSET esp-3des esp-sha-hmac

crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600

for phase 1 you need

1. Matching policy
2. Matching Shared Secret
3. Connectivity
4. Symetrical ACLs for 'Interesting Traffic'

Though if the problm was policy mismatch you should at least see a WAIT_MSG_(number) on the 'show cryptp isakmp' results.
0
 
EESkyAuthor Commented:
Thank you so much for your fast reply

@svijay_k, in fact, I do not use nat, instead I just use nonat as a name of access-less. And you are right about the "esp-3des esp-md5-hmac" now i already correct it.

@PeteLong, I already changed to "esp-3des esp-md5-hmac". And regarding access-list and Policy etc in two ASA, the access-list name is different, but the traffic in two asa is mirror relation. also some names are different, but the content in the two asa are the same.  

However the VPN is still not working. any suggestion ? Thank you.
0
 
Pete LongConsultantCommented:
0
 
EESkyAuthor Commented:
Thank you. I got it after i reconfigured it.
0

Featured Post

Big Data Means Big Business

In data-dependent industries like IT, finance, and healthcare, there’s a growing demand for qualified analysts to fill leadership roles. WGU’s MS in Data Analytics has IT certifications from Oracle and SAS built into its curriculum at a flat fee that could save you money.

  • 3
  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now