Solved

Cisco L2L VPN problems Phase 2

Posted on 2016-07-26
3
Medium Priority
76 Views
Last Modified: 2016-07-27
I have trouble setting up a VPN to another firewall; for now, it isn't working.

Logging rule I see:

Group = X.X.X.X, IP = X.X.X.X, IKE Initiator: New Phase 2, Intf outside, IKE Peer X.X.X.X  local Proxy Address Y.Y.Y.Y, remote Proxy Address Z.Z.Z.Z,  Crypto map (outside_map)

X.X.X.X = external IP address from remote firewall
Y.Y.Y.Y = Internal IP range on our firewall
Z.Z.Z.Z = internal IP range on remote firewall

Is this correct? Is this just a warning I can ignore, or what did I do wrong?


Settings:

crypto map outside_map XX match address outside_32_cryptomap_1
crypto map outside_map XX set peer X.X.X.X
crypto map outside_map XX set transform-set ESP-AES-256-SHA
crypto map outside_map XX set security-association lifetime seconds 3600

access-list outside_32_cryptomap_1 extended permit ip object-group XXXXXXXXX object-group XXXXXXXXX


If I disable PFS, it isn't working either; then I don't pass Phase 1.

Thanks a lot
0
Comment
Question by:Member_2_7966454
3 Comments
 
LVL 14

Expert Comment

by:SIM50
ID: 41729413
Does it complete phase 2? What you posted is not an error message.
Do sh cry ipsec sa
What's the version on ASA?
1
 

Author Comment

by:Member_2_7966454
ID: 41729586
Thanks for the reply. This is the only thing I see in syslog.

The output of your command:

Crypto map tag: outside_map, seq num: XX, local addr: V.V.V.V

      access-list outside_XX_cryptomap_1 extended permit ip Y.Y.Y.Y Z.Z.Z.Z
      local ident (addr/mask/prot/port): (Y.Y.Y.Y)
      remote ident (addr/mask/prot/port): (Z.Z.Z.Z)
      current_peer: B.B.B.B
        
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: V.V.V.V, remote crypto endpt.: B.B.B.B

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: B197E869
      current inbound spi : 64F2C09D

    inbound esp sas:
      spi: 0x64F2C09D (1693630621)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 178917376, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (1699218/3435)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xB197E869 (2979522665)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 178917376, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (1699218/3435)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
                      
V.V.V.V = Our Outside IP
B.B.B.B = Remote outside IP
Y.Y.Y.Y = Internal IP range on our firewall
Z.Z.Z.Z = internal IP range on remote firewall

ASA version:

Cisco Adaptive Security Appliance Software Version 8.2(5)59
Device Manager Version 7.5(2)153
0
 
LVL 14

Accepted Solution

by: SIM50 earned 2000 total points
ID: 41729596
Did you modify ACL on your INSIDE interface to allow the traffic from Y.Y.Y.Y to Z.Z.Z.Z?
Did you modify ACL on your OUTSIDE interface to allow traffic from Z.Z.Z.Z to Y.Y.Y.Y? (if necessary)
After you make changes, do the ping of any IP in Z.Z.Z.Z range. If you don't get replies, rerun sh cry ipsec sa
1
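As an added check (not from the thread, and not a Cisco tool), a small Python parser for the "show crypto ipsec sa" output posted above. It flags the pattern seen in this thread: ESP SAs negotiated, so phase 2 completed, but zero encaps/decaps, meaning no interesting traffic is reaching the crypto map, which is exactly what the accepted answer's ACL and ping check probes. The sample output is constructed from the redacted paste; addresses are placeholders.

```python
"""Flag IPsec SAs that negotiated but carry no traffic (encaps and decaps both 0).

Parses the 'show crypto ipsec sa' layout seen on Cisco ASA 8.2 (constructed sample below)."""
import re

# Constructed sample in the format the thread posted; V/B/Y/Z addresses are placeholders.
SAMPLE = """Crypto map tag: outside_map, seq num: 10, local addr: V.V.V.V

      access-list outside_10_cryptomap_1 extended permit ip Y.Y.Y.Y Z.Z.Z.Z
      local ident (addr/mask/prot/port): (Y.Y.Y.Y)
      remote ident (addr/mask/prot/port): (Z.Z.Z.Z)
      current_peer: B.B.B.B

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    inbound esp sas:
      spi: 0x64F2C09D (1693630621)
         in use settings ={L2L, Tunnel, PFS Group 2, }
    outbound esp sas:
      spi: 0xB197E869 (2979522665)
         in use settings ={L2L, Tunnel, PFS Group 2, }
"""

def parse_ipsec_sa(text):
    """Return one dict per 'Crypto map tag:' entry with peer, counters, SPIs and PFS group."""
    entries = []
    for chunk in re.split(r"(?m)^Crypto map tag: ", text)[1:]:
        def grab(pat, cast=str):
            m = re.search(pat, chunk)
            return cast(m.group(1)) if m else None
        entries.append({
            "tag": chunk.split(",", 1)[0],
            "peer": grab(r"current_peer: (\S+)"),
            "encaps": grab(r"#pkts encaps: (\d+)", int),
            "decaps": grab(r"#pkts decaps: (\d+)", int),
            "spis": re.findall(r"spi: (0x[0-9A-Fa-f]+)", chunk),   # inbound then outbound
            "pfs": grab(r"PFS Group (\d+)", int),
        })
    return entries

def diagnose(entry):
    """Short verdict for one SA entry, in the order a practitioner would check it."""
    if not entry["spis"]:
        return "no ESP SAs: phase 2 did not complete"
    if entry["encaps"] == 0 and entry["decaps"] == 0:
        return "SAs up but no traffic: check interface ACLs (and NAT exemption) for the encryption domain"
    if entry["encaps"] > 0 and entry["decaps"] == 0:
        return "sending but nothing returns: check the remote side's ACLs and routing"
    return "passing traffic"
```

Paste real output in place of SAMPLE and call diagnose() on each parsed entry; a tunnel reported as "SAs up but no traffic" matches this thread's state.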
