Solved

ASA L2L vpn can not connect

Posted on 2014-09-18
7
453 Views
Last Modified: 2014-09-21
Expert
Here is a problem. Any expert can take a look at the configuration of ASA L2L vpn. The two asa can ping each other, but its vpn cannot connect. Thank you.

ASA3# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ASA3
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.0.0.0
!
ftp mode passive
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set Router-set esp-3des esp-md5-hmac
crypto map outside_map 1 match address nonat
crypto map outside_map 1 set peer 192.168.1.2
crypto map outside_map 1 set ikev1 transform-set Router-set
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5    
 group 2
 lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 192.168.1.2 type ipsec-l2l
tunnel-group 192.168.1.2 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
================================================
client# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname client
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.2.2.1 255.255.255.0
!
!
ftp mode passive
access-list USGA095 extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set FIRSTSET esp-3des esp-sha-hmac
crypto map S2SVPN 2 match address USGA095
crypto map S2SVPN 2 set peer 172.16.1.1
crypto map S2SVPN 2 set ikev1 transform-set FIRSTSET
crypto map S2SVPN interface outside
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
!
=================================
client# sh crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs
client#

ASA3#  sh crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs
ASA3#
0
Comment
Question by:EESky
  • 3
  • 2
  • 2
7 Comments
 
LVL 1

Expert Comment

by:svijay_k
ID: 40332032
Nat 0 is missing in the configuration
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 40332142
Hi

>>access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

This has no place in an 8.4 VPN config? Oh wait I see you've delaired that in the cryptomap - thats what confused the first poster. DO NOT attempt to add a Nat0 command it will error!

You have no NAT stement for the VPN
See Cisco ASA 5500 Site to Site VPN (From CLI)


Pete
0
 
LVL 1

Expert Comment

by:svijay_k
ID: 40332165
Agreed, Nat 0 is not reqiured post 8.3.

Crypto ipsec transform-set is matching on both the ends. first one it is esp-3des esp-md5-hmac and the second one it is esp-3des esp-sha-hmac. use the same encyrption on both the ends

Also the Shared secret should match at both the ends.

Rest all seems to be good.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 500 total points
ID: 40332254
Yes Well spotted - your Transform set on the bottom ASA des not match your phase 1 policy

crypto ipsec ikev1 transform-set FIRSTSET esp-3des esp-sha-hmac

crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600

for phase 1 you need

1. Matching policy
2. Matching Shared Secret
3. Connectivity
4. Symetrical ACLs for 'Interesting Traffic'

Though if the problm was policy mismatch you should at least see a WAIT_MSG_(number) on the 'show cryptp isakmp' results.
0
 

Author Comment

by:EESky
ID: 40333994
Thank you so much for your fast reply

@svijay_k, in fact, I do not use nat, instead I just use nonat as a name of access-less. And you are right about the "esp-3des esp-md5-hmac" now i already correct it.

@PeteLong, I already changed to "esp-3des esp-md5-hmac". And regarding access-list and Policy etc in two ASA, the access-list name is different, but the traffic in two asa is mirror relation. also some names are different, but the content in the two asa are the same.  

However the VPN is still not working. any suggestion ? Thank you.
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 500 total points
ID: 40334164
0
 

Author Comment

by:EESky
ID: 40335739
Thank you. I got it after i reconfigured it.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco MRA Phones 4 69
Can Cisco resolve internet address internally 4 36
Random Terminal Server disconnections. 2 99
RDP on 4321 Router 33 49
I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now