Cisco L2L VPN problems Phase 2

I have trouble setting up a VPN to another firewall; for now, it isn't working.

Logging rule I see:

Group = X.X.X.X, IP = X.X.X.X, IKE Initiator: New Phase 2, Intf outside, IKE Peer X.X.X.X  local Proxy Address Y.Y.Y.Y, remote Proxy Address Z.Z.Z.Z,  Crypto map (outside_map)

X.X.X.X = external IP address from remote firewall
Y.Y.Y.Y = Internal IP range on our firewall
Z.Z.Z.Z = internal IP range on remote firewall

Is this correct? Is this just a warning I can ignore, or what did I do wrong?


Settings:

crypto map outside_map XX match address outside_32_cryptomap_1
crypto map outside_map XX set peer X.X.X.X
crypto map outside_map XX set transform-set ESP-AES-256-SHA
crypto map outside_map XX set security-association lifetime seconds 3600

access-list outside_32_cryptomap_1 extended permit ip object-group XXXXXXXXX object-group XXXXXXXXX


If I disable PFS, it isn't working; then I don't pass Phase 1.

Thanks a lot
Asked by: Member_2_7966454

1 Solution
SIM50 commented:
Does it complete phase 2? What you posted is not an error message.
Do sh cry ipsec sa
What's the version on ASA?
Member_2_7966454 (Author) commented:
Thanks for the reply. This is the only thing I see in syslog.

The output of your command:

Crypto map tag: outside_map, seq num: XX, local addr: V.V.V.V

      access-list outside_XX_cryptomap_1 extended permit ip Y.Y.Y.Y Z.Z.Z.Z
      local ident (addr/mask/prot/port): (Y.Y.Y.Y)
      remote ident (addr/mask/prot/port): (Z.Z.Z.Z)
      current_peer: B.B.B.B
        
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: V.V.V.V, remote crypto endpt.: B.B.B.B

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: B197E869
      current inbound spi : 64F2C09D

    inbound esp sas:
      spi: 0x64F2C09D (1693630621)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 178917376, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (1699218/3435)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xB197E869 (2979522665)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 178917376, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (1699218/3435)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
                      
V.V.V.V = Our Outside IP
B.B.B.B = Remote outside IP
Y.Y.Y.Y = Internal IP range on our firewall
Z.Z.Z.Z = internal IP range on remote firewall

ASA version:

Cisco Adaptive Security Appliance Software Version 8.2(5)59
Device Manager Version 7.5(2)153
SIM50 commented:
Did you modify ACL on your INSIDE interface to allow the traffic from Y.Y.Y.Y to Z.Z.Z.Z?
Did you modify ACL on your OUTSIDE interface to allow traffic from Z.Z.Z.Z to Y.Y.Y.Y? (if necessary)
After you make changes, ping any IP in the Z.Z.Z.Z range. If you don't get replies, rerun sh cry ipsec sa.
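As an added illustration (not code from the thread or from Cisco), a small Python parser for "show crypto ipsec sa" output that applies the same reasoning as the answer above: ESP SAs with SPIs present mean Phase 2 completed, and zero encaps/decaps counters point at interface ACLs, NAT exemption or routing rather than at IKE. The sample text is constructed from the output quoted in the thread, keeping its placeholder addresses.

```python
import re

# Constructed sample modelled on the "show crypto ipsec sa" output quoted above
# (placeholder addresses as in the post; transform and timing lines trimmed).
SAMPLE_SA = """\
Crypto map tag: outside_map, seq num: XX, local addr: V.V.V.V
      current_peer: B.B.B.B

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0

    inbound esp sas:
      spi: 0x64F2C09D (1693630621)
         in use settings ={L2L, Tunnel, PFS Group 2, }
    outbound esp sas:
      spi: 0xB197E869 (2979522665)
         in use settings ={L2L, Tunnel, PFS Group 2, }
"""

def parse_ipsec_sa(text):
    """Return one dict per 'Crypto map tag' block: peer, counters, SA presence."""
    entries = []
    for block in re.split(r"(?m)^(?=Crypto map tag:)", text):
        head = re.match(r"Crypto map tag: ([^,\s]+), seq num: ([^,\s]+)", block)
        if not head:
            continue
        entry = {"map": head.group(1), "seq": head.group(2)}
        peer = re.search(r"current_peer: ([^,\s]+)", block)
        entry["peer"] = peer.group(1) if peer else None
        for name in ("encaps", "decaps", "send errors", "recv errors"):
            m = re.search(r"#(?:pkts )?%s: (\d+)" % name, block)
            entry[name] = int(m.group(1)) if m else 0
        # An SA is present only if a 'spi:' line follows the 'esp sas:' header.
        entry["inbound_sa"] = bool(re.search(r"inbound esp sas:\s*spi:", block))
        entry["outbound_sa"] = bool(re.search(r"outbound esp sas:\s*spi:", block))
        entries.append(entry)
    return entries

def diagnose(entry):
    """Classify tunnel state the way the accepted answer reasons about it."""
    if not (entry["inbound_sa"] and entry["outbound_sa"]):
        return "no ESP SAs: Phase 2 has not completed, check IKE/IPsec proposals"
    if entry["encaps"] == 0 and entry["decaps"] == 0:
        return "SAs up but zero packets: check interface ACLs, NAT exemption, routing"
    if entry["decaps"] == 0:
        return "sending but nothing returns: check remote side ACLs and routing"
    if entry["send errors"] or entry["recv errors"]:
        return "traffic flowing but with send/recv errors"
    return "tunnel passing traffic"
```

Run it against the real command output after the ping test SIM50 suggests; if the counters stay at zero with both SAs present, the tunnel itself is fine and the problem is in what is allowed or routed into it.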