
Cisco Site to Site VPN Tunnel with Dynamic Addressing

Posted on 2016-08-04
Last Modified: 2016-08-05
Hello Experts,

We're trying to configure a dynamic IPsec tunnel between a statically addressed ASA and a dynamically addressed Cisco IOS router. We're using the document at the following link as our guide:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112075-dynamic-ipsec-asa-router-ccp.html

The configuration on our VPN router is as follows:
crypto isakmp enable outside
!
crypto isakmp policy 1
 encrypt 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 hash md5
 authentication pre-share
 group 2
!
!
crypto isakmp key jmeu-colo01-bedford01-key address 193.XX.XX.XX
!
!

crypto ipsec transform-set JM-ts1 esp-des esp-md5-hmac
!
!
!
crypto map ColoTun 1 IPSec-isakmp
 description Tunnel to colo
 set peer 193.XX.XX.XX
 set transform-set JM-ts1
 match address 101
!

int cell 0
  crypto map ColoTun
 
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSEC Rule
access-list 101 permit ip 10.16.43.129 0.0.0.127 any

no ip access-list extended Permitted-Inbound-Internet
ip access-list extended Permitted-Inbound-Internet
 permit icmp any any
 remark Permit-Remote-VPN
 remark colo-asa
 permit ahp host 193.XX.XX.XX any
 permit esp host 193.XX.XX.XX any
 permit udp host 193.XX.XX.XX any eq isakmp
 permit gre host 193.XX.XX.XX any

The configuration on our Cisco ASA is as follows:
object network Bedford_Network
        subnet 10.16.43.128  255.255.255.128

nat (inside,outside) source static any any destination static Bedford_Network Bedford_Network no-proxy-arp

!--- Configure the IPsec transform-set

crypto ipsec transform-set colo2bedfordset esp-des esp-md5-hmac
!
!
!--- Configure the dynamic crypto map

crypto dynamic-map colo2bedford 180 set transform-set colo2bedfordset
crypto dynamic-map colo2bedford 180 set reverse-route

crypto map outside_map 180 IPSec-isakmp dynamic colo2bedford


!
!--- Configure the phase I ISAKMP policy

crypto isakmp policy 180
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
!
!
!--- Configure the default L2L tunnel group parameters

tunnel-group colo2bedford IPSec-attributes
 pre-shared-key jmeu-colo01-bedford01-key
!

route outside 10.16.43.128 255.255.255.128 193.XX.XX.XX

route outside 10.16.43.128 255.255.255.128 193.XX.XX.XX

access-list outside_cryptomap_180 line 1 extended permit ip any4 10.16.43.128 255.255.255.128

However, we can't even get to phase I.

Can someone please help shed some light on why we can't get the tunnels to come up?

Regards

cp
Question by:Member_2_7966113

Expert Comment

by:SIM50
ID: 41742415
crypto isakmp policy 1
 encrypt 3des
 authentication pre-share
 group 2

crypto isakmp policy 180
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400

Also missing hash in the router config.
Did you enable ike on asa outside interface? Which crypto map  is applied to outside interface?
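SIM50's comment above compares the two sides' phase-1 policies by eye. The Python below is an added example, not code from the thread or from Cisco: it parses the `crypto isakmp policy` blocks exactly as posted in the question, fills in each platform's defaults for attributes a block leaves unset (IOS: DES, SHA, RSA signatures, group 1; ASA: 3DES, SHA, pre-shared key, group 2; these defaults are an assumption of the example, so confirm them with `show run all` on your own devices), and lists every policy pair that agrees on the attributes IKEv1 negotiates. Lifetime is left out of the match on purpose, because the peers settle on the shorter of the two and a difference there does not stop phase 1.

```python
"""Find a shared IKEv1 phase-1 (ISAKMP) policy between an IOS router and an ASA.

Added example, not code from the thread. Parses ``crypto isakmp policy`` blocks
from both configurations, applies per-platform defaults to unset attributes,
and reports every pair of policies that agrees on the negotiated attributes.
"""
import re

# Assumed per-platform defaults for attributes a policy block does not set.
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "auth": "rsa-sig",
                "group": "1", "lifetime": "86400"}
ASA_DEFAULTS = {"encr": "3des", "hash": "sha", "auth": "pre-share",
                "group": "2", "lifetime": "86400"}

# Keyword spellings that appear in IOS and ASA configs, normalised to one attribute name.
KEYWORDS = {"encr": "encr", "encrypt": "encr", "encryption": "encr",
            "hash": "hash", "authentication": "auth",
            "group": "group", "lifetime": "lifetime"}

# Attributes a proposal must agree on; lifetime is negotiated down to the shorter value.
NEGOTIATED = ("encr", "hash", "auth", "group")
POLICY_RE = re.compile(r"crypto (?:isakmp|ikev1) policy (\d+)\s*$")


def parse_policies(config, defaults):
    """Return {priority: attributes} for each policy block in a config dump."""
    policies = {}
    current = None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            # Any unindented line ("!", the next command) ends the current block.
            current = None
            m = POLICY_RE.match(raw.strip())
            if m:
                current = dict(defaults)
                policies[int(m.group(1))] = current
            continue
        if current is None:
            continue
        parts = raw.split()
        key = KEYWORDS.get(parts[0])
        if key and len(parts) > 1:
            current[key] = parts[1].lower()
    return policies


def matching_policies(local, remote):
    """Return (local_priority, remote_priority, attrs) for every agreeing pair."""
    matches = []
    for lp, lattrs in sorted(local.items()):
        for rp, rattrs in sorted(remote.items()):
            if all(lattrs[k] == rattrs[k] for k in NEGOTIATED):
                matches.append((lp, rp, {k: lattrs[k] for k in NEGOTIATED}))
    return matches


# Phase-1 policies as posted in the question, router side and ASA side.
ROUTER_CONFIG = """\
crypto isakmp policy 1
 encrypt 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 hash md5
 authentication pre-share
 group 2
!
"""
ASA_CONFIG = """\
crypto isakmp policy 180
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
!
"""


def main():
    router = parse_policies(ROUTER_CONFIG, IOS_DEFAULTS)
    asa = parse_policies(ASA_CONFIG, ASA_DEFAULTS)
    for side, policies in (("router", router), ("asa", asa)):
        for pri, attrs in sorted(policies.items()):
            print(f"{side} policy {pri}: " + " ".join(f"{k}={attrs[k]}" for k in NEGOTIATED))
    matches = matching_policies(router, asa)
    if not matches:
        print("no common phase-1 policy: main mode cannot complete")
    for lp, rp, attrs in matches:
        print(f"router policy {lp} agrees with asa policy {rp}: {attrs}")


if __name__ == "__main__":
    main()
```

On the posted configs it reports router policy 2 (DES by IOS default, MD5, pre-share, group 2) agreeing with ASA policy 180, which is consistent with the debug posted later in the thread, where the router logs "atts are acceptable" and moves past IKE_I_MM2. Run the same check against the full `show run` of both peers rather than a pasted fragment, since an unposted policy can be the one actually selected.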

Author Comment

by:Member_2_7966113
ID: 41742417
SIM50

I seriously hope you're correct.

Gonna try it now .. will let you know

Author Comment

by:Member_2_7966113
ID: 41742422
SIM50,

I don't understand.

Are you saying I need to add the following to the router

crypto isakmp policy 180
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400

Because the above is already added to the ASA

Expert Comment

by:SIM50
ID: 41742434
Your isakmp policies don't match. Router has DES encryption and ASA has 3DES.
Since you didn't post all the vpn config, I am not sure which crypto map is applied.

Author Comment

by:Member_2_7966113
ID: 41742442

Expert Comment

by:SIM50
ID: 41742461
Ok. Just looked through it. Can you post debug or on what MM_wait_msg phase 1 stops?

Author Comment

by:Member_2_7966113
ID: 41742478
OK. One moment

Author Comment

by:Member_2_7966113
ID: 41742481
SIM 50

Here you go:

000156: Aug  4 14:31:57.519 BST: %LINK-3-UPDOWN: Interface Cellular0, changed state to up
000157: Aug  4 14:31:58.519 BST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Cellular0, changed state to up
000158: Aug  4 14:31:59.091 BST: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.17.15.54:500, remote= 193.XX.XX.XX:500,
    local_proxy= 10.16.43.128/255.255.255.128/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
000159: Aug  4 14:31:59.091 BST: ISAKMP: (0):SA request profile is (NULL)
000160: Aug  4 14:31:59.091 BST: ISAKMP: (0):Created a peer struct for 193.XX.XX.XX, peer port 500
000161: Aug  4 14:31:59.091 BST: ISAKMP: (0):New peer created peer = 0x1F8BE98 peer_handle = 0x80000008
000162: Aug  4 14:31:59.091 BST: ISAKMP: (0):Locking peer struct 0x1F8BE98, refcount 1 for isakmp_initiator
000163: Aug  4 14:31:59.091 BST: ISAKMP: (0):local port 500, remote port 500
000164: Aug  4 14:31:59.091 BST: ISAKMP: (0):set new node 0 to QM_IDLE      
000165: Aug  4 14:31:59.091 BST: ISAKMP: (0):insert sa successfully sa = 21FE661C
000166: Aug  4 14:31:59.091 BST: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
000167: Aug  4 14:31:59.091 BST: ISAKMP: (0):found peer pre-shared key matching 193.XX.XX.XX
000168: Aug  4 14:31:59.091 BST: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
jmeu-bedford02#
000169: Aug  4 14:31:59.091 BST: ISAKMP: (0):constructed NAT-T vendor-07 ID
000170: Aug  4 14:31:59.091 BST: ISAKMP: (0):constructed NAT-T vendor-03 ID
000171: Aug  4 14:31:59.091 BST: ISAKMP: (0):constructed NAT-T vendor-02 ID
000172: Aug  4 14:31:59.091 BST: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
000173: Aug  4 14:31:59.091 BST: ISAKMP: (0):Old State = IKE_READY  New State = IKE_I_MM1

000174: Aug  4 14:31:59.091 BST: ISAKMP: (0):beginning Main Mode exchange
000175: Aug  4 14:31:59.091 BST: ISAKMP-PAK: (0):sending packet to 193.XX.XX.XX my_port 500 peer_port 500 (I) MM_NO_STATE
000176: Aug  4 14:31:59.091 BST: ISAKMP: (0):Sending an IKE IPv4 Packet.
000177: Aug  4 14:31:59.259 BST: ISAKMP-PAK: (0):received packet from 193.XX.XX.XX dport 500 sport 500 Global (I) MM_NO_STATE
000178: Aug  4 14:31:59.259 BST: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
000179: Aug  4 14:31:59.259 BST: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_I_MM2

000180: Aug  4 14:31:59.263 BST: ISAKMP: (0):processing SA payload. message ID = 0
000181: Aug  4 14:31:59.263 BST: ISAKMP: (0):processing vendor id payload
000182: Aug  4 14:31:59.263 BST: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
000183: Aug  4 14:31:59.263 BST: ISAKMP: (0):vendor ID is NAT-T RFC 3947
000184: Aug  4 14:31:59.263 BST: ISAKMP: (0):processing vendor id payload
000185: Aug  4 14:31:59.263 BST: ISAKMP: (0):processing IKE frag vendor id payload
000186: Aug  4 14:31:59.263 BST: ISAKMP: (0):Support for IKE Fragmentation not enabled
000187: Aug  4 14:31:59.263 BST: ISAKMP: (0):found peer pre-shared key matching 193.XX.XX.XX
000188: Aug  4 14:31:59.263 BST: ISAKMP: (0):local preshared key found
000189: Aug  4 14:31:59.263 BST: ISAKMP: (0):Scanning profiles for xauth ...
000190: Aug  4 14:31:59.263 BST: ISAKMP: (0):Checking ISAKMP transform 1 against priority 1 policy
000191: Aug  4 14:31:59.263 BST: ISAKMP: (0):      encryption 3DES-CBC
000192: Aug  4 14:31:59.263 BST: ISAKMP: (0):      hash SHA
000193: Aug  4 14:31:59.263 BST: ISAKMP: (0):      default group 2
000194: Aug  4 14:31:59.263 BST: ISAKMP: (0):      auth pre-share
000195: Aug  4 14:31:59.263 BST: ISAKMP: (0):      life type in seconds
000196: Aug  4 14:31:59.263 BST: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
000197: Aug  4 14:31:59.263 BST: ISAKMP: (0):atts are acceptable. Next payload is 0
000198: Aug  4 14:31:59.263 BST: ISAKMP: (0):Acceptable atts:actual life: 0
000199: Aug  4 14:31:59.263 BST: ISAKMP: (0):Acceptable atts:life: 0
000200: Aug  4 14:31:59.263 BST: ISAKMP: (0):Fill atts in sa vpi_length:4
000201: Aug  4 14:31:59.263 BST: ISAKMP: (0):Fill atts in sa life_in_seconds:86400
000202: Aug  4 14:31:59.263 BST: ISAKMP: (0):Returning Actual lifetime: 86400
000203: Aug  4 14:31:59.263 BST: ISAKMP: (0):Started lifetime timer: 86400.

000204: Aug  4 14:31:59.263 BST: ISAKMP: (0):processing vendor id payload
000205: Aug  4 14:31:59.263 BST: ISAKMP: (0):vendor ID seems Unity/DPD but major 69 mismatch
000206: Aug  4 14:31:59.263 BST: ISAKMP: (0):vendor ID is NAT-T RFC 3947
000207: Aug  4 14:31:59.263 BST: ISAKMP: (0):processing vendor id payload
000208: Aug  4 14:31:59.263 BST: ISAKMP: (0):processing IKE frag vendor id payload
jmeu-bedford02#
000209: Aug  4 14:31:59.263 BST: ISAKMP: (0):Support for IKE Fragmentation not enabled
000210: Aug  4 14:31:59.263 BST: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
000211: Aug  4 14:31:59.263 BST: ISAKMP: (0):Old State = IKE_I_MM2  New State = IKE_I_MM2

000212: Aug  4 14:31:59.263 BST: ISAKMP-PAK: (0):sending packet to 193.XX.XX.XX my_port 500 peer_port 500 (I) MM_SA_SETUP
000213: Aug  4 14:31:59.263 BST: ISAKMP: (0):Sending an IKE IPv4 Packet.
000214: Aug  4 14:31:59.263 BST: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
000215: Aug  4 14:31:59.263 BST: ISAKMP: (0):Old State = IKE_I_MM2  New State = IKE_I_MM3

jmeu-bedford02#term len 25
000216: Aug  4 14:32:09.262 BST: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
000217: Aug  4 14:32:09.262 BST: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
000218: Aug  4 14:32:09.262 BST: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
000219: Aug  4 14:32:09.262 BST: ISAKMP-PAK: (0):sending packet to 193.XX.XX.XX my_port 500 peer_port 500 (I) MM_SA_SETUP

Author Comment

by:Member_2_7966113
ID: 41742509
SIM50

Also

Sending 5, 100-byte ICMP Echos to 10.16.8.1, timeout is 2 seconds:

000358: Aug  4 14:53:05.204 BST: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
000359: Aug  4 14:53:05.204 BST: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
000360: Aug  4 14:53:05.204 BST: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
000361: Aug  4 14:53:05.204 BST: ISAKMP-PAK: (0):sending packet to 193.XX.XX.XX my_port 500 peer_port 500 (I) MM_SA_SETUP
000362: Aug  4 14:53:05.204 BST: ISAKMP: (0):Sending an IKE IPv4 Packet.
000363: Aug  4 14:53:05.300 BST: ISAKMP-PAK: (0):received packet from 193.XX.XX.XX dport 500 sport 500 Global (I) MM_SA_SETUP
000364: Aug  4 14:53:05.300 BST: ISAKMP-ERROR: (0):Notify has no hash. Rejected.
000365: Aug  4 14:53:05.300 BST: ISAKMP-ERROR: (0):(0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM3
000366: Aug  4 14:53:05.300 BST: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
000367: Aug  4 14:53:05.300 BST: ISAKMP: (0):Old State = IKE_I_MM3  New State = IKE_I_MM3

000368: Aug  4 14:53:05.300 BST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 193.XX.XX.XX.....
Success rate is 0 percent (0/5)
jmeu-bedford02#
000369: Aug  4 14:53:15.204 BST: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
000370: Aug  4 14:53:15.204 BST: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
000371: Aug  4 14:53:15.204 BST: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP
000372: Aug  4 14:53:15.204 BST: ISAKMP-PAK: (0):sending packet to 193.XX.XX.XX my_port 500 peer_port 500 (I) MM_SA_SETUP
000373: Aug  4 14:53:15.204 BST: ISAKMP: (0):Sending an IKE IPv4 Packet.
000374: Aug  4 14:53:15.272 BST: ISAKMP-PAK: (0):received packet from 193.XX.XX.XX dport 500 sport 500 Global (I) MM_SA_SETUP
jmeu-bedford02#
000375: Aug  4 14:53:15.272 BST: ISAKMP-ERROR: (0):Notify has no hash. Rejected.
000376: Aug  4 14:53:15.272 BST: ISAKMP-ERROR: (0):(0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM3
000377: Aug  4 14:53:15.272 BST: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
000378: Aug  4 14:53:15.272 BST: ISAKMP: (0):Old State = IKE_I_MM3  New State = IKE_I_MM3
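The two debug captures above show where phase 1 stalls, but a long `debug crypto isakmp` dump is easier to read once the state transitions, retransmit counter and error lines are pulled out. The Python below is an added example, not code from the thread: it parses those three things from IOS debug output and summarises how far the initiator got. The sample log is an abridged excerpt of the capture posted above (peer address masked as on the page); the per-state descriptions follow IKEv1 main mode as defined in RFC 2409 and are the example's own wording.

```python
"""Summarise how far an IKEv1 main-mode initiator got from IOS debug output.

Added example, not from the thread. Reads ``debug crypto isakmp`` lines,
records state transitions, retransmit attempts and ISAKMP-ERROR messages,
and reports the furthest main-mode state reached with a short interpretation.
"""
import re

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RETRANS_RE = re.compile(r"attempt (\d+) of \d+: retransmit phase 1")
ERROR_RE = re.compile(r"ISAKMP-ERROR: \(\d+\):(.*)$")

# What the initiator has completed on reaching each state (IKEv1 main mode, RFC 2409).
STATE_MEANING = {
    "IKE_I_MM1": "message 1 (SA proposal) sent, waiting for the peer's chosen proposal",
    "IKE_I_MM2": "message 2 received: peer accepted a phase-1 policy",
    "IKE_I_MM3": "message 3 (DH key exchange, nonce) sent, waiting for the peer's key exchange",
    "IKE_I_MM4": "message 4 received: Diffie-Hellman done, keys derived",
    "IKE_I_MM5": "message 5 (encrypted identity and authentication) sent, waiting for the peer's",
    "IKE_I_MM6": "message 6 received: phase 1 complete",
}


def furthest_state(transitions):
    """Highest main-mode state among the 'New State' values seen, or None."""
    seen = [new for _, new in transitions if new in STATE_MEANING]
    return max(seen, key=lambda s: int(s[-1])) if seen else None


def analyse_phase1(log):
    """Return a dict describing the initiator's progress through main mode."""
    transitions, errors = [], []
    attrs_ok, retransmits = False, 0
    for line in log.splitlines():
        m = STATE_RE.search(line)
        if m:
            transitions.append((m.group(1), m.group(2)))
            continue
        if "atts are acceptable" in line:
            attrs_ok = True
        m = RETRANS_RE.search(line)
        if m:
            retransmits = max(retransmits, int(m.group(1)))
        m = ERROR_RE.search(line)
        if m:
            errors.append(m.group(1).strip())

    furthest = furthest_state(transitions)
    if furthest is None:
        summary = "no main-mode state reached"
    elif furthest == "IKE_I_MM6":
        summary = "phase 1 completed"
    else:
        summary = STATE_MEANING[furthest]
        if retransmits:
            summary += f"; {retransmits} retransmit(s) with no usable reply"
        if any("Notify has no hash" in e for e in errors):
            summary += ("; peer answered with an unhashed informational notify "
                        "instead of the next main-mode message")
        if attrs_ok:
            summary += " (SA attributes were accepted, so the phase-1 policy is not the blocker)"
    return {"transitions": transitions, "furthest_state": furthest,
            "attributes_accepted": attrs_ok, "retransmits": retransmits,
            "errors": errors, "summary": summary}


# Abridged excerpt of the router debug posted in this thread (peer address masked as on the page).
DEBUG_LOG = """\
000173: Aug  4 14:31:59.091 BST: ISAKMP: (0):Old State = IKE_READY  New State = IKE_I_MM1
000179: Aug  4 14:31:59.259 BST: ISAKMP: (0):Old State = IKE_I_MM1  New State = IKE_I_MM2
000197: Aug  4 14:31:59.263 BST: ISAKMP: (0):atts are acceptable. Next payload is 0
000215: Aug  4 14:31:59.263 BST: ISAKMP: (0):Old State = IKE_I_MM2  New State = IKE_I_MM3
000216: Aug  4 14:32:09.262 BST: ISAKMP: (0):retransmitting phase 1 MM_SA_SETUP...
000217: Aug  4 14:32:09.262 BST: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
000364: Aug  4 14:53:05.300 BST: ISAKMP-ERROR: (0):Notify has no hash. Rejected.
000365: Aug  4 14:53:05.300 BST: ISAKMP-ERROR: (0):(0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY:  state = IKE_I_MM3
000367: Aug  4 14:53:05.300 BST: ISAKMP: (0):Old State = IKE_I_MM3  New State = IKE_I_MM3
000368: Aug  4 14:53:05.300 BST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 193.XX.XX.XX.....
"""

if __name__ == "__main__":
    result = analyse_phase1(DEBUG_LOG)
    for old, new in result["transitions"]:
        print(f"{old} -> {new}")
    for err in result["errors"]:
        print("error:", err)
    print("furthest state:", result["furthest_state"])
    print(result["summary"])
```

On this excerpt it reports the initiator stuck at IKE_I_MM3 after the SA attributes were accepted, with the peer answering the key-exchange message with an unhashed informational notify. That rules out a phase-1 policy mismatch and points at how the responder handles this particular peer, which is where SIM50's DefaultL2LGroup change later in the thread lands. Paste the full debug rather than an excerpt when using it on a live problem; the regexes only need the standard IOS line formats shown here.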

Author Comment

by:Member_2_7966113
ID: 41742516
SIM 50

The configuration on our vpn router is as follows:

controller Cellular 0
 lte modem link-recovery rssi onset-threshold -110
 lte modem link-recovery monitor-timer 20
 lte modem link-recovery wait-timer 10
 lte modem link-recovery debounce-count 6
!
vlan 28
 name xxxxxx
!
vlan 100
 name XXXXx
!
vlan 700
 name xxxxx
no cdp run
!
track 1 interface Cellular0 line-protocol
!
ip tcp synwait-time 10
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 hash md5
 authentication pre-share
 group 2
crypto isakmp key jmeu-colo01-bedford01-key address 193.XX.XX.XX
!
!
crypto ipsec transform-set JM-ts1 esp-des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile JMEU-DMVPN
 set transform-set JM-ts1
!
!
!
crypto map ColoTun 1 ipsec-isakmp
 description Tunnel to colo
 set peer 193.XX.XX.XX
 set transform-set JM-ts1
 match address 101
!

!
!
!
interface Loopback0
 description Management Int
 ip address 10.9.252.129 255.255.255.255
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
!
interface Null0
 no ip unreachables
!
interface Cellular0
 ip address negotiated
 ip access-group Permitted-Inbound-Internet in
 encapsulation slip
 dialer in-band
 dialer string lte
 dialer-group 1
 crypto map ColoTun
!
interface Cellular1
 no ip address
 encapsulation slip
!
interface FastEthernet0
 switchport access vlan 100
 no ip address
!
interface FastEthernet1
 switchport access vlan 100
 no ip address
!
interface FastEthernet2
 switchport access vlan 100
 no ip address
!
interface FastEthernet3
 description Line to Distribution Switch
 switchport trunk native vlan 700
 switchport mode trunk
 no ip address
!
interface FastEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan100
 description Bedford LAN
 ip address 10.16.43.130 255.255.255.128
 standby version 2
 standby 10 ip 10.16.43.129
 standby 10 priority 120
 standby 10 preempt
 standby 10 track 1 decrement 50
!
!
router eigrp 65100
 network 10.0.0.0
 network 10.16.43.128 0.0.0.127
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
ip route 81.xx.xx.xx 255.255.255.255 Cellular0 name london_dsl
ip route 172.30.7.204 255.255.255.255 10.16.143.129
ip route 192.168.1.0 255.255.255.0 Cellular0
ip route 193.XX.XX.XX 255.255.255.255 Cellular0 name jmasa-london-colo
ip tacacs source-interface Loopback0
!

ip access-list extended Permitted-Inbound-Internet
 permit icmp any any
 remark Permit-Remote-VPN
 remark colo-asa
 permit ahp host 193.XX.XX.XX any
 permit esp host 193.XX.XX.XX any
 permit udp host 193.XX.XX.XX any eq isakmp
 permit gre host 193.XX.XX.XX any
!
logging trap notifications
logging source-interface Loopback0
logging host 192.168.151.154
dialer-list 1 protocol ip permit
!
snmp-server community JMGCABNS RO
snmp-server enable traps tty
snmp-server enable traps config
snmp-server host 192.168.151.154 JMGCABNS
tacacs server gbroenacs01
 address ipv4 172.30.5.181
 key 7 031354190A0B314342000D0C141307
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSEC Rule
access-list 101 permit ip 10.16.43.128 0.0.0.127 any
access-list 199 deny   ip any host 10.16.24.8
access-list 199 permit ip any any
!
^C
!
line con 0
 logging synchronous
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line 3
 script dialer lte
 no exec
 rxspeed 100000000
 txspeed 50000000
line 8
 no exec
line vty 0 4
 privilege level 15
 logging synchronous
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp server 172.30.4.102
!
end

Expert Comment

by:SIM50
ID: 41742535
It looks like it fails on the pre-shared key.

Instead of  
tunnel-group colo2bedford IPSec-attributes
 pre-shared-key jmeu-colo01-bedford01-key

try to use this
tunnel-group DefaultL2LGroup IPSec-attributes
 pre-shared-key jmeu-colo01-bedford01-key

Author Comment

by:Member_2_7966113
ID: 41742547
OK, one moment please

Author Comment

by:Member_2_7966113
ID: 41742552
sim 40

Where did you get tunnel-group DefaultL2LGroup IPSec-attributes from?

Expert Comment

by:SIM50
ID: 41742582
It's in the guide you linked.
You can't have named tunnel-groups for L2L vpn and phase 1 fails on the pre-shared key.

Author Comment

by:Member_2_7966113
ID: 41742592
OK, but I replaced it with the following on the ASA:

tunnel-group colo2bedford ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate req
 no chain    
 no ikev1 trust-point
 isakmp keepalive threshold 10 retry 2
 no ikev2 remote-authentication
 no ikev2 local-authentication

Author Comment

by:Member_2_7966113
ID: 41742611
I'm not sure if that is where our problem is....

Author Comment

by:Member_2_7966113
ID: 41742636
SIM50

I simply changed the name from DefaultL2LGroup to colo2bedford

Author Comment

by:Member_2_7966113
ID: 41742737
sim50,

What did you mean when you said
missing hash in the router config.

Author Comment

by:Member_2_7966113
ID: 41742950
Can I get some help with this please...

Accepted Solution

by:SIM50 (earned 500 total points)
ID: 41743060
It looks like it fails on the pre-shared key.

Instead of  
tunnel-group colo2bedford IPSec-attributes
 pre-shared-key jmeu-colo01-bedford01-key

try to use this
tunnel-group DefaultL2LGroup IPSec-attributes
 pre-shared-key jmeu-colo01-bedford01-key

Author Comment

by:Member_2_7966113
ID: 41743103
OK Sim50

I'm going to swap it around

Author Comment

by:Member_2_7966113
ID: 41743117
Genius

Expert Comment

by:SIM50
ID: 41743123
Did the tunnel come up?

Author Comment

by:Member_2_7966113
ID: 41743139
sim50

It was working, and now it's stopped.

Author Comment

by:Member_2_7966113
ID: 41743141
Should I remove

tunnel-group colo2bedford IPSec-attributes

Author Comment

by:Member_2_7966113
ID: 41743157
SIM50

The ASA won't let me enter the command:

crypto map outside_map 180 match address my_access-list

Author Comment

by:Member_2_7966113
ID: 41743162
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
193.113.135.68  172.17.9.74     QM_IDLE           2001 ACTIVE




jmeu-bedford02#show crypto ipsec sa

interface: Cellular0
    Crypto map tag: ColoTun, local addr 172.17.9.74

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.16.43.128/255.255.255.128/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 193.113.135.68 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.17.9.74, remote crypto endpt.: 193.XX.XX.XX
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Cellular0
     current outbound spi: 0xDDA57F7A(3718610810)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x8E5AC66A(2388313706)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80004040, crypto map: ColoTun
        sa timing: remaining key lifetime (k/sec): (4211640/2143)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xDDA57F7A(3718610810)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80004040, crypto map: ColoTun
        sa timing: remaining key lifetime (k/sec): (4211637/2143)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

Expert Comment

by:SIM50
ID: 41743178
That's on the router, right?
On ASA, modify ACL applied on the outside interface to allow traffic from the remote network.

Author Comment

by:Member_2_7966113
ID: 41743184
Correct, on the router

I was able to ping across, but it then suddenly stopped working.

Expert Comment

by:SIM50
ID: 41743189
On ASA, modify ACL applied on the outside interface to allow traffic from the remote network.

You need to allow traffic from the remote network to access your internal network behind the ASA.

Author Comment

by:Member_2_7966113
ID: 41743196
If the ASA would keep the following command it would work; it allows the command to be issued, but when I do a show run the command disappears.

Author Closing Comment

by:Member_2_7966113
ID: 41744606
Great solution and follow through. Thanks