Solved

Cisco L2L VPN problems Phase 2

Posted on 2016-07-26
Last Modified: 2016-07-27
I am having trouble setting up a VPN to another firewall; for now, it isn't working.

Logging rule I see:

Group = X.X.X.X, IP = X.X.X.X, IKE Initiator: New Phase 2, Intf outside, IKE Peer X.X.X.X local Proxy Address Y.Y.Y.Y, remote Proxy Address Z.Z.Z.Z, Crypto map (outside_map)

X.X.X.X = external IP address from remote firewall
Y.Y.Y.Y = Internal IP range on our firewall
Z.Z.Z.Z = internal IP range on remote firewall

Is this correct? Is this just a warning I can ignore, or what did I do wrong?


Settings:

crypto map outside_map XX match address outside_32_cryptomap_1
crypto map outside_map XX set peer X.X.X.X
crypto map outside_map XX set transform-set ESP-AES-256-SHA
crypto map outside_map XX set security-association lifetime seconds 3600

access-list outside_32_cryptomap_1 extended permit ip object-group XXXXXXXXX object-group XXXXXXXXX


If I disable PFS, it isn't working; then I don't pass Phase 1.

Thanks a lot
Question by: Member_2_7966454

Expert Comment by: SIM50 (ID: 41729413)
Does it complete phase 2? What you posted is not an error message.
Do: sh cry ipsec sa
What's the version on ASA?

Author Comment by: Member_2_7966454 (ID: 41729586)
Thanks for the reply. This is the only thing I see in syslog.

The output of your command:

Crypto map tag: outside_map, seq num: XX, local addr: V.V.V.V

      access-list outside_XX_cryptomap_1 extended permit ip Y.Y.Y.Y Z.Z.Z.Z
      local ident (addr/mask/prot/port): (Y.Y.Y.Y)
      remote ident (addr/mask/prot/port): (Z.Z.Z.Z)
      current_peer: B.B.B.B
        
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: V.V.V.V, remote crypto endpt.: B.B.B.B

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: B197E869
      current inbound spi : 64F2C09D

    inbound esp sas:
      spi: 0x64F2C09D (1693630621)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 178917376, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (1699218/3435)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xB197E869 (2979522665)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 178917376, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (1699218/3435)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
V.V.V.V = Our Outside IP
B.B.B.B = Remote outside IP
Y.Y.Y.Y = Internal IP range on our firewall
Z.Z.Z.Z = internal IP range on remote firewall

ASA version:

Cisco Adaptive Security Appliance Software Version 8.2(5)59
Device Manager Version 7.5(2)153

Accepted Solution by: SIM50 (earned 500 total points, ID: 41729596)
Did you modify ACL on your INSIDE interface to allow the traffic from Y.Y.Y.Y to Z.Z.Z.Z?
Did you modify ACL on your OUTSIDE interface to allow traffic from Z.Z.Z.Z to Y.Y.Y.Y? (if necessary)
After you make changes, do a ping of any IP in the Z.Z.Z.Z range. If you don't get replies, rerun sh cry ipsec sa.
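As an added example (not code from the thread or from Cisco), a small Python helper that reads the "sh cry ipsec sa" output posted above and turns the SPIs and packet counters into the next check SIM50 describes: the sample text below is constructed from the post, with its placeholder addresses kept.

```python
import re

# Constructed sample modelled on the "sh cry ipsec sa" output posted in the thread;
# the placeholder addresses and zero counters are copied from that post, not live data.
SAMPLE_SA = """Crypto map tag: outside_map, seq num: XX, local addr: V.V.V.V
      access-list outside_XX_cryptomap_1 extended permit ip Y.Y.Y.Y Z.Z.Z.Z
      local ident (addr/mask/prot/port): (Y.Y.Y.Y)
      remote ident (addr/mask/prot/port): (Z.Z.Z.Z)
      current_peer: B.B.B.B
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      current outbound spi: B197E869
    inbound esp sas:
      spi: 0x64F2C09D (1693630621)
         in use settings ={L2L, Tunnel, PFS Group 2, }
    outbound esp sas:
      spi: 0xB197E869 (2979522665)
         in use settings ={L2L, Tunnel, PFS Group 2, }
"""

def parse_ipsec_sa(text):
    """Extract the fields to check first from one crypto-map entry of the output."""
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None
    def count(label):
        v = grab(r"#" + re.escape(label) + r": (\d+)")
        return int(v) if v is not None else 0
    return {
        "local_ident": grab(r"local ident[^:]*: \((.+?)\)"),
        "remote_ident": grab(r"remote ident[^:]*: \((.+?)\)"),
        "peer": grab(r"current_peer: (\S+)"),
        # Anchor on the per-direction sections so "current outbound spi" is skipped.
        "inbound_spi": grab(r"inbound esp sas:\s+spi: (0x[0-9A-Fa-f]+)"),
        "outbound_spi": grab(r"outbound esp sas:\s+spi: (0x[0-9A-Fa-f]+)"),
        "encaps": count("pkts encaps"),
        "decaps": count("pkts decaps"),
    }

def diagnose(sa):
    """Map the parsed state to the next thing to check, following SIM50's reasoning."""
    if not (sa["inbound_spi"] and sa["outbound_spi"]):
        return "no ESP SAs: phase 2 has not completed"
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return ("phase 2 is up but nothing was sent or received: generate interesting "
                "traffic (ping) and check the inside/outside interface ACLs")
    if sa["decaps"] == 0:
        return "encrypting but nothing comes back: check the remote side's ACLs and routing"
    return "traffic flowing both ways"
```

Run it against a pasted real output by replacing SAMPLE_SA; on the thread's output it reports that both ESP SAs exist (phase 2 completed) but zero packets were encapsulated or decapsulated, which is exactly why the answer points at interface ACLs rather than at IKE.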
