Member_2_7966454 asked:

Cisco L2L VPN problems Phase 2

I am having trouble setting up a VPN to another firewall; for now, it isn't working.

In the logging I see:

Group = X.X.X.X, IP = X.X.X.X, IKE Initiator: New Phase 2, Intf outside, IKE Peer X.X.X.X  local Proxy Address Y.Y.Y.Y, remote Proxy Address Z.Z.Z.Z,  Crypto map (outside_map)

X.X.X.X = external IP address from remote firewall
Y.Y.Y.Y = Internal IP range on our firewall
Z.Z.Z.Z = internal IP range on remote firewall

Is this correct? Is this just a warning I can ignore, or what did I do wrong?


Settings:

crypto map outside_map XX match address outside_32_cryptomap_1
crypto map outside_map XX set peer X.X.X.X
crypto map outside_map XX set transform-set ESP-AES-256-SHA
crypto map outside_map XX set security-association lifetime seconds 3600

access-list outside_32_cryptomap_1 extended permit ip object-group XXXXXXXXX object-group XXXXXXXXX


If I disable PFS it isn't working either; then I don't pass Phase 1.

Thanks a lot
Topics: Cisco, VPN, Internet Protocol Security, Hardware Firewalls


8/22/2022 - Mon
SIM50:

Does it complete phase 2? What you posted is not an error message.
Do sh cry ipsec sa.
What's the version on the ASA?
Member_2_7966454 (asker):
Thanks for the reply. This is the only thing I see in syslog.

The output of your command:

Crypto map tag: outside_map, seq num: XX, local addr: V.V.V.V

      access-list outside_XX_cryptomap_1 extended permit ip Y.Y.Y.Y Z.Z.Z.Z
      local ident (addr/mask/prot/port): (Y.Y.Y.Y)
      remote ident (addr/mask/prot/port): (Z.Z.Z.Z)
      current_peer: B.B.B.B
        
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: V.V.V.V, remote crypto endpt.: B.B.B.B

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: B197E869
      current inbound spi : 64F2C09D

    inbound esp sas:
      spi: 0x64F2C09D (1693630621)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 178917376, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (1699218/3435)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xB197E869 (2979522665)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 178917376, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (1699218/3435)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
                      
V.V.V.V = Our Outside IP
B.B.B.B = Remote outside IP
Y.Y.Y.Y = Internal IP range on our firewall
Z.Z.Z.Z = internal IP range on remote firewall

ASA version:

Cisco Adaptive Security Appliance Software Version 8.2(5)59
Device Manager Version 7.5(2)153
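The `show crypto ipsec sa` output posted above already answers the first question in the thread: both ESP SPIs exist, so Phase 2 (quick mode) did complete, but every packet counter is zero, so nothing is being sent into the tunnel. The syslog line "IKE Initiator: New Phase 2" is informational. The script below is an added example for this page, not code from the thread or from Cisco: it parses that output, splits it into per-crypto-map entries, and prints the checks a practitioner would run next (idle SA, one-way traffic, a freshly rebuilt SA, and a weak PFS group). The addresses in its sample are constructed RFC 5737 placeholders; the SPI values, counters, transform, PFS group and remaining lifetime are as posted. The 3600 s default for `lifetime_sec` comes from the `set security-association lifetime seconds 3600` line in the asker's crypto map.

```python
import re

# Constructed sample, modelled on the `show crypto ipsec sa` output posted above:
# documentation addresses stand in for the redacted ones, everything else is as posted.
SAMPLE = """\
Crypto map tag: outside_map, seq num: 10, local addr: 198.51.100.1

      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      current_peer: 203.0.113.7

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0

      current outbound spi: B197E869
      current inbound spi : 64F2C09D

    inbound esp sas:
      spi: 0x64F2C09D (1693630621)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         sa timing: remaining key lifetime (kB/sec): (1699218/3435)
    outbound esp sas:
      spi: 0xB197E869 (2979522665)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         sa timing: remaining key lifetime (kB/sec): (1699218/3435)
"""


def _str(pattern, text):
    m = re.search(pattern, text)
    return m.group(1).strip() if m else None


def _int(pattern, text, default=0):
    m = re.search(pattern, text)
    return int(m.group(1)) if m else default


def parse_entry(text):
    """Extract the fields needed for a Phase 2 diagnosis from one crypto map entry."""
    return {
        "tag": _str(r"Crypto map tag:\s*(\S+?),", text),
        "seq": _int(r"seq num:\s*(\d+)", text, default=None),
        "peer": _str(r"current_peer:\s*(\S+)", text),
        "local_ident": _str(r"local ident \(addr/mask/prot/port\):\s*\((.*?)\)", text),
        "remote_ident": _str(r"remote ident \(addr/mask/prot/port\):\s*\((.*?)\)", text),
        "encaps": _int(r"#pkts encaps:\s*(\d+)", text),
        "decaps": _int(r"#pkts decaps:\s*(\d+)", text),
        "send_errors": _int(r"#send errors:\s*(\d+)", text),
        "recv_errors": _int(r"#recv errors:\s*(\d+)", text),
        "outbound_spi": _str(r"current outbound spi:\s*([0-9A-Fa-f]+)", text),
        "inbound_spi": _str(r"current inbound spi\s*:\s*([0-9A-Fa-f]+)", text),
        "transform": _str(r"transform:\s*([^\n]+)", text),
        "pfs_group": _int(r"PFS Group (\d+)", text, default=None),
        "remaining_sec": _int(r"remaining key lifetime \(kB/sec\):\s*\(\d+/(\d+)\)", text, default=None),
    }


def parse_all(text):
    """Split full `show crypto ipsec sa` output into one record per crypto map entry."""
    chunks = re.split(r"(?=^\s*Crypto map tag:)", text, flags=re.M)
    return [parse_entry(c) for c in chunks if c.strip()]


def diagnose(sa, lifetime_sec=3600):
    """Return findings for one entry; an empty list means the SA is up and passing traffic both ways.
    lifetime_sec is the configured SA lifetime (3600 in the crypto map posted above)."""
    findings = []
    if not sa["inbound_spi"] or not sa["outbound_spi"]:
        findings.append("no IPsec SA: Phase 2 never completed; compare proxy IDs (crypto ACLs) "
                        "and transform sets on both peers")
        return findings
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        findings.append("SA established but idle: zero packets in both directions; check that "
                        "interesting traffic reaches the ASA, matches the crypto ACL and is exempt from NAT")
    elif sa["decaps"] == 0:
        findings.append("one-way: we encrypt but nothing comes back; check the remote peer's crypto ACL "
                        "and its route back to %s" % sa["local_ident"])
    elif sa["encaps"] == 0:
        findings.append("one-way: we receive but never send; check local routing and NAT exemption "
                        "toward %s" % sa["remote_ident"])
    if sa["send_errors"] or sa["recv_errors"]:
        findings.append("send/recv errors present (%d/%d); check MTU/fragmentation and anti-replay"
                        % (sa["send_errors"], sa["recv_errors"]))
    if sa["remaining_sec"] is not None:
        age = lifetime_sec - sa["remaining_sec"]
        if age < 300:
            findings.append("SA is only %d s old; if this repeats on every check, the tunnel is "
                            "being torn down and rebuilt" % age)
    if sa["pfs_group"] is not None and sa["pfs_group"] <= 2:
        findings.append("PFS group %d (1024-bit DH or weaker) is below current minimums; prefer the "
                        "strongest group both peers support (group 14 or higher on current code)"
                        % sa["pfs_group"])
    return findings


if __name__ == "__main__":
    for entry in parse_all(SAMPLE):
        print("%s seq %s peer %s: %s -> %s" % (entry["tag"], entry["seq"], entry["peer"],
                                               entry["local_ident"], entry["remote_ident"]))
        for finding in diagnose(entry) or ["SA up and passing traffic in both directions"]:
            print("  -", finding)
```

Paste the real output in place of `SAMPLE` (or read it from a file) and run the script after generating traffic toward the remote subnet: if `#pkts encaps` stays at zero, the problem is in front of the tunnel (routing, crypto ACL match, NAT exemption), not in IKE. Once the tunnel is working, the PFS finding is worth acting on: DH group 2 is 1024-bit MODP, and the remote peer has to agree on whichever stronger group is chosen.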
ASKER CERTIFIED SOLUTION
SIM50