ASA-dynamic to static VPN fails
I have an ASA 5510 with a static address and a 5505 with a dynamic one.
I created a dynamic VPN on the 5510. When the 5505, with its dynamic address, tried to connect to me, I got the following errors:
Mar 25 05:45:14 [IKEv1]: IP = 213.137.6.203, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name '213.137.6.203'.
Mar 25 05:45:14 [IKEv1]: Group = DefaultRAGroup, IP = 213.137.6.203, Removing peer from peer table failed, no match!
Mar 25 05:45:14 [IKEv1]: Group = DefaultRAGroup, IP = 213.137.6.203, Error: Unable to remove PeerTblEntry
I also get a similar error with Aggressive Mode disabled on the 5505.
Looks like the 5510 believes it is a site-to-site (L2L) connection request as opposed to a dynamically established connection. It doesn't have a tunnel group for 213.137.6.203. You can create a tunnel group with that name to resolve this problem.
The other option is to set up the ASA for a remote access connection (for example, Easy VPN).
Here's a URL that describes how to configure Easy VPN with NEM and L2L. HTH
http://www.Cisco.com/application/PDF/paws/100313/pixasa_easy_l2l_vpn.PDF
Tags: Cisco Security
Similar Questions
-
PIX and ASA static, dynamic and RA VPN do not work
Hello
I am facing a very interesting problem between a PIX 515 and an ASA 5510.
The PIX is at HQ and has several dynamic VPN connections (around 130), and IPsec remote-access VPN works very well. I had to add a static PIX-to-ASA L2L VPN and it does not work as it is supposed to. The ASA 5510 at the remote end connects and stays up for a short period of time; however, all other VPN connections stop working.
The most interesting thing is that the ASA is associated with the dynamic map and not the static map that I created (checked with sh crypto ipsec sa peer x.x.x.x). However, if I make any change in the ACL 'ACL-Remote' it affects the tunnel between the PIX and ASA.
Has anyone seen something like that?
Here is more detailed information:
HQ - IOS 8.0(3) - PIX 515
ASA 5510 - IOS 7.2(3) - remote provider
Several Huawei and Cisco routers dynamically connected via ADSL
Several remote-access IPsec users
One static site-to-site VPN between PIX and ASA - does not work.
Here is the config on the PIX:
crypto ipsec transform-set ESP-3DES-ESP-SHA-HMAC-IPSec esp-3des esp-sha-hmac
crypto dynamic-map Dyn-VPN 100 set transform-set ESP-3DES-ESP-SHA-HMAC-IPSec
crypto dynamic-map Dyn-VPN 100 set reverse-route
crypto map VPN-map 30 match address ACL-Remote
crypto map VPN-map 30 set peer 20x.xx.xx.xx
crypto map VPN-map 30 set transform-set ESP-3DES-ESP-SHA-HMAC-IPSec
crypto map VPN-map 100 ipsec-isakmp dynamic Dyn-VPN
crypto map VPN-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
access-list ACL-Remote extended permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
Thank you.
Marcelo Pinheiro
The problem is that the ASA has a crypto ACL defined between a host and a network, while the remote end has it defined to the network.
Make sure that the ACL is reversed.
-
VPN site-to-site dynamic-to-static
Dear
I have a few sites already connected with ASA 5505 site-to-site VPN, with both ends having a static IP address. Normally, all traffic can get through without any problems. I also used 'management-access inside' on the two ASAs.
Now I have a new office with only ADSL PPPoE. I set it up between Site B (remote site, dynamic IP) and Site A (static IP) with a similar example of this Easy VPN: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml
All my ASA 5505s run 8.4(4)
Site A - Static IP
Site B - Dynamic IP with pppoe connection.
After EasyVPN connects, I don't know how I can remotely manage the Site A LAN from the ASA 5505 at Site B?
Best regards
Alan.
If you're OK with either solution, it is probably easier to use dynamic-to-static LAN-to-LAN, so that at least your solution is consistent and just uses LAN-to-LAN tunnels instead of a mixture of VPN client solution and LAN-to-LAN.
-
Dynamic to static L2L IPSec VPN
Hello
I've implemented a dynamic-to-static IPsec site-to-site VPN between a branch (ship) ASA5505 and headquarters. Now, this solution does not allow HQ to initiate the IPsec connection.
There is a router behind the ASA5505. I heard that if I want to keep the tunnel up, so that HQ clients can push traffic to remote clients through the tunnel, I would need to run IP SLA ICMP probes on the router behind the ASA.
Could someone explain how to implement it?
Thanks for your help.
Frank
The ICMP probe can be done from any device that is able to ping, not only from the router.
The reason is that the interesting traffic triggers the traffic to be encrypted by the VPN tunnel, so the tunnel will stay up and you will be able to open the connection from HQ to your remote site.
Hope that helps.
-
Dynamic to static IPSec with certificate-based authentication
I'm trying to implement a dynamic-to-static LAN2LAN VPN from an ASA 5505 (with a dynamic IP address) to an ASA 5520 (with a static IP address).
I would like a small (/30) network on the dynamic side which I can connect to a larger (/24) network on the static side.
I am also trying to use identity certificates for authentication. I produced a root and an intermediate CA, signed the intermediate CA with the root CA, and then created identity certs for
the ASAs, signed with the intermediate CA using OpenSSL, and imported them to a trustpoint. I tried to use the instructions at:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080930f21.shtml
to configure the certificates (replacing MS with OpenSSL) and followed the instructions there: I used ASDM to set the appropriate identity cert on the outside interface
[Configuration -> Device Management -> Advanced -> SSL Settings] and to establish a connection profile [Configuration -> Device Management -> Connection Profiles] on both devices,
setting the side that gets its IP via DHCP to static and the side that has the permanent IP to accept dynamic. I apply the settings, and nothing happens.
show crypto isakmp sa just returns "There are no isakmp sas".
I don't know where to start debugging it. How can I force the DHCP side to initiate a connection?
Are you sure that both peers are using the same isakmp settings? It seems the policy that uses rsa-sig on one end uses a different Diffie-Hellman group.
-
Static - VPN Site to Site DMVPN Tunnel
Hello
I have two sites: Site-A with a Cisco ASA 5505 with static IP configuration, and Site-B with a Cisco 1841 ISR with dynamic IP configuration.
See the attached diagram for an overview.
The goal is to have a site-to-site VPN tunnel between the two sites so that desktops sitting in Site-B can access the application servers residing in Site-A.
Please suggest
Regards
@Mohammed
Hello
For site-to-site IPsec, the ASA is the static side and it should have the 'dynamic' configuration, and the dynamic side, the ISR 1841, should have the static side:
I'll give an example configuration to achieve it, but you can use different encryption algorithms:
ASA 5505:
Phase 1:
crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key cisco123
-
Unable to pass traffic between ASA Site to Site VPN Tunnel
Hello
I have problems passing traffic between two ASA firewalls. The VPN tunnel is up with a dynamic IP and a static IP address. I have attached a diagram of the VPN connection. I'm not sure where the problem lies and what to check next. I think I have all the routes and access lists that are needed.
I've also attached the ASA5505 config and the ASA5510.
This is the first time that I've set up a VPN connection; any guidance would be greatly appreciated.
Thank you
Adam
Hello
Regarding your Remote Site ASA configuration, it seems that you have not added the internal networks of the Central Site to the L2L VPN configuration at all, so the traffic does not pass through the VPN.
access-list outside_1_cryptomap extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.226.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 10.182.0.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.170.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 192.168.172.0 255.255.*.*
access-list exempt extended permit ip 10.1.1.0 255.255.255.128 140.15.0.0 255.255.*.*
Take a look at the ACL configurations above. The 'exempt' ACL is used in the NAT0 configuration and tells the ASA which traffic to exempt from NAT. The 'outside_1_cryptomap' ACL is used to tell which traffic between the subnets should be using the L2L VPN connection.
So in short, on the Remote Site ASA these ACLs should be identical. Make the additions to the L2L VPN ACL, then try again.
I would also like to point out that you should ensure that the Central Site ASA's L2L VPN ACL contains the same networks. The ACL on the Central Site will, of course, have its internal subnets as the source and the Remote Site LAN as the destination.
The output of 'show crypto ipsec sa' shows you that only the SA between the Central Site network and the Remote Site LAN was established. The others have not formed as the configuration is lacking at LEAST on the Remote Site ASA. It can also be the Central Site.
-Jouni
-
ASA with several L2L VPN Dynamics
I have an ASA 5510 used as a VPN concentrator for about 30 L2L VPNs.
I also need some L2L VPNs with a dynamic remote peer.
While the configuration for a single dyn-VPN is quite simple (as described in several examples), how can I configure the ASA in the case of many dyn-VPNs?
Basically, all the dyn-VPNs must use the same PSK (the DefaultL2LGroup).
But using "aggressive" mode on the remote peer, I could use a different PSK for every dyn-VPN:
tunnel-group ABCD ipsec-attributes
 pre-shared-key *
Is this configuration correct?
Best regards
Claudio
Hello
Maybe the solutions provided in the following document may also be an option to configure multiple dynamic L2L VPN connections on the ASA
http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080bc7d13.shtml
Hope this helps
-Jouni
-
ASA problem inside the VPN client routing
Hello
I have a problem where I can't reach the VPN clients on their VPN IP pool from the inside or from the ASA itself. Connected VPN clients can access the internal network very well. I have no NAT configured for the VPN pool, and packet-tracer encrypts the packet and puts it into the tunnel. I'm not sure what's wrong.
Here is some relevant config:
object network obj-192.168.245.0
 subnet 192.168.245.0 255.255.255.0
ip local pool vpn 192.168.245.1-192.168.245.50
nat (inside,outside) source static any any destination static obj-192.168.245.0 obj-192.168.245.0 no-proxy-arp route-lookup
Output of packet-tracer:
Firewall# packet-tracer input inside icmp x.x.x.x 8 0 192.168.245.33
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.245.33  255.255.255.255 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl-Interior in interface inside
access-list acl-Interior extended permit icmp any any echo
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static any any destination static obj-192.168.245.0 obj-192.168.245.0 no-proxy-arp route-lookup
Additional Information:
Static translate x.x.x.x/0 to x.x.x.x/0
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 277723432, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
There is no route to the VPN address pool. Maybe that's the problem? I don't know, other than that it used to work before we went to 8.4.
Check if the firewall is enabled on your RA VPN client host and is blocking your pings.
-
KeepAlive to restore a dynamic to static tunnel?
Hi all
I have a dynamic-to-static PIX 501 to PIX 501 configuration on OS 6.3. I would like to use keepalives to re-establish the tunnel when the tunnel goes down. Is this possible?
There's a workaround rather than a solution: have the PIX at the far end use a local NTP or syslog server; this traffic would bring the tunnel up, as it has been defined as interesting.
-
Error of tunneling to ASA 5505 using "Software VPN Client"
Here's my current network:
I'm tunnelling into the ASA using the Cisco VPN Client software.
Here is my ASA config: http://pastebin.com/raw.php?i=ad6p1Zac
Here's my entry for the VPN Client connection information:
(Password: cisco)
When I try to connect, I get the error message "the received HASH payload cannot be verified".
What is this error and how can I solve it?
I think you need to enter this information in the group authentication fields:
(Just below "Group authentication")
Name: vpnclientgroup
Password: [just what you entered as a pre shared key below]
tunnel-group vpnclientgroup ipsec-attributes
 pre-shared-key *****
After the tunnel is established you will get a password pop-up, where you enter "David" and the associated password.
-
8.2 ASA dynamic VPN to ASA static config help
Hello
I'm trying to set up an L2L tunnel between a central ASA and a remote ASA where the remote receives a DHCP address from the provider.
ASA Remote Config:
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
! Receives an IP address of 90.0.1.203 from the provider.
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
object-group network Corp_Networks
 network-object 172.16.0.0 255.240.0.0
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.252.0 255.255.255.0
access-list SHEEP extended permit ip 10.10.10.0 255.255.255.0 object-group Corp_Networks
access-list Remote extended permit ip 10.10.10.0 255.255.255.0 object-group Corp_Networks
nat (inside) 0 access-list SHEEP
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 10.0.0.0 255.255.255.0 90.0.1.1
route outside 172.16.0.0 255.240.0.0 90.0.1.1
route outside 192.168.252.0 255.255.255.0 90.0.1.1
crypto ipsec transform-set ToCorp esp-3des esp-sha-hmac
crypto map outside_map 10 match address Remote
crypto map outside_map 10 set peer Public_address
crypto map outside_map 10 set transform-set ToCorp
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map 10 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 864000
no crypto isakmp nat-traversal
tunnel-group Public_address type ipsec-l2l
tunnel-group Public_address ipsec-attributes
 pre-shared-key Council
Corporate ASA Config:
object-group network Corp_Networks
 network-object 172.16.0.0 255.240.0.0
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.252.0 255.255.255.0
access-list sheep extended permit ip object-group Corp_Networks 10.10.10.0 255.255.255.0
access-list ToRemote extended permit ip object-group Corp_Networks 10.10.10.0 255.255.255.0
nat (inside) 0 access-list sheep
route outside 10.10.10.0 255.255.255.0 Public_Gateway
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map ToRemote 65530 set transform-set ESP-3DES-SHA
crypto map outside_map 8 ipsec-isakmp dynamic ToRemote
crypto map outside_map interface outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
Output on the remote endpoint:
# sh crypto isakmp sa
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: Public_Address
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 90.0.1.203
      access-list Hawaii2Avid extended permit ip 10.10.10.0 255.255.255.0 10.0.0.0 255.0.0.0
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      current_peer: Public_address
      #pkts encaps: 616, #pkts encrypt: 616, #pkts digest: 616
      #pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 616, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 90.0.1.203/4500, remote crypto endpt.: Public_address/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: D6A48143
      current inbound spi : E0C4F32A
    inbound esp sas:
      spi: 0xE0C4F32A (3771003690)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 36864, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914994/28098)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x007FFFFF
    outbound esp sas:
      spi: 0xD6A48143 (3601105219)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 36864, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914952/28098)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    Crypto map tag: outside_map, seq num: 10, local addr: 90.0.1.203
      access-list Hawaii2Avid extended permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.240.0.0
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)
      current_peer: Public_Address
      #pkts encaps: 406, #pkts encrypt: 406, #pkts digest: 406
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 406, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 90.0.1.203/4500, remote crypto endpt.: Public_Address/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 1BE239F9
      current inbound spi : AC615F8D
    inbound esp sas:
      spi: 0xAC615F8D (2892062605)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 36864, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28095)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x1BE239F9 (467810809)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 36864, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914973/28092)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000000
We just seem stuck at this point and can't seem to get the traffic going back and forth, even if the tunnel does not seem to be connected. The only concern I see is pkts getting encrypted but none decrypted. It is usually something to do with the ACL, but this one is pretty simple.
Thank you
-Geoff
Please check if you have any other crypto map/LAN-to-LAN configured on the Corporate ASA where the crypto ACL may overlap.
If you can share the full crypto map as well as the crypto ACL of the Corporate ASA, we can check it for you.
Typo in the remote ASA route statement:
route outside 10.0.0.0 255.255.255.0 90.0.1.1
I understand that you want to reach the full class A on the corporate site, in which case the route should say:
route outside 10.0.0.0 255.0.0.0 90.0.1.1
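The two checks from this thread, as an added example that is not code from the thread or from Cisco: it parses the per-SA counters of "show crypto ipsec sa", flags one-way SAs (packets encapsulated, none decapsulated, the symptom in the output above), and compares each SA's remote ident with the spoke's static routes, which is how the 255.255.255.0 typo the answer points out would show up. Function names are assumptions; the sample text is constructed from the values quoted above.

```python
# Added example, not code from the thread. Parses "show crypto ipsec sa" counters,
# flags one-way SAs and checks remote idents against static routes.
# Function names are assumptions; sample text constructed from the thread's values.
import ipaddress
import re

SA_HDR = re.compile(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)")
IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")
ROUTE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")


def parse_ipsec_sa(text):
    """Return one dict per SA: map, seq, local/remote ident networks, encaps/decaps."""
    sas, cur = [], None
    for line in text.splitlines():
        if m := SA_HDR.search(line):
            cur = {"map": m[1], "seq": int(m[2]), "encaps": 0, "decaps": 0}
            sas.append(cur)
        elif cur is None:
            continue
        elif m := IDENT.search(line):
            cur[m[1]] = ipaddress.IPv4Network(f"{m[2]}/{m[3]}", strict=False)
        elif m := COUNTER.search(line):
            cur[m[1]] = int(m[2])
    return sas


def one_way_sas(sas):
    """SAs we encrypt into but never receive from: check the far end's crypto ACL."""
    return [sa for sa in sas if sa["encaps"] > 0 and sa["decaps"] == 0]


def parse_routes(config):
    """Static 'route <if> <net> <mask> <gw>' lines -> (interface, network) pairs."""
    routes = []
    for line in config.splitlines():
        if m := ROUTE.match(line.strip()):
            routes.append((m[1], ipaddress.IPv4Network(f"{m[2]}/{m[3]}", strict=False)))
    return routes


def routes_narrower_than_ident(sas, routes):
    """Remote idents that no single static route fully covers (e.g. a /24 route for a
    /8 ident). A default route learned via 'dhcp setroute' is not in the config text,
    so treat a hit as a hint to verify, not as proof of a black hole."""
    findings = []
    for sa in sas:
        remote = sa["remote"]
        if not any(remote.subnet_of(net) for _, net in routes):
            findings.append((sa["seq"], str(remote)))
    return findings


# Constructed sample: two SAs with the counters and idents quoted in the thread.
SHOW_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 90.0.1.203
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      #pkts encaps: 616, #pkts encrypt: 616, #pkts digest: 616
      #pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22
    Crypto map tag: outside_map, seq num: 10, local addr: 90.0.1.203
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)
      #pkts encaps: 406, #pkts encrypt: 406, #pkts digest: 406
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
# Constructed sample: the remote ASA's routes as posted, including the /24 typo.
SPOKE_ROUTES = """\
route outside 10.0.0.0 255.255.255.0 90.0.1.1
route outside 172.16.0.0 255.240.0.0 90.0.1.1
route outside 192.168.252.0 255.255.255.0 90.0.1.1
"""


def report():
    sas = parse_ipsec_sa(SHOW_IPSEC_SA)
    return {
        "one_way": [str(sa["remote"]) for sa in one_way_sas(sas)],
        "route_gaps": routes_narrower_than_ident(sas, parse_routes(SPOKE_ROUTES)),
    }


if __name__ == "__main__":
    print(report())
```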
-
I had a hard time getting a site-to-site VPN configuration working from a dynamic address on IOS to a static address on ASA. I followed the example found here: http://www.Cisco.com/en/us/Products/HW/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml , but it won't work if I name the tunnel group after the IP address of the IOS WAN port; if I use a generic name such as "cisco" as in the example, it will fail. Here are my current ASA and IOS configs. 192.168.7.5.0/24 is the IOS LAN side and 192.168.254.0/24 the ASA LAN side; any help would be appreciated.
You must use the tunnel group DefaultL2LGroup...
tunnel-group DefaultL2LGroup type ipsec-l2l
-
ASA & Concentrator 3005 VPN fails
Hi guys,
I set up a VPN between an ASA 5510 running OS 7.2 (base) and a Concentrator 3005.
The VPN comes up perfectly if initiated from the ASA, but fails Phase 2 when initiated from the 3005 (1.1.1.5). When it fails, the ASA throws the following errors:
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, PHASE 1 COMPLETED
Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, processing ID payload
Dec 07 00:54:20 [IKEv1 DECODE]: Group = 1.1.1.15, IP = 1.1.1.15, ID_IPV4_ADDR_SUBNET ID received--172.19.0.0--255.255.0.0
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, Received remote IP Proxy Subnet data in ID Payload: Address 172.19.0.0, Mask 255.255.0.0, Protocol 0, Port 0
Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, processing ID payload
Dec 07 00:54:20 [IKEv1 DECODE]: Group = 1.1.1.15, IP = 1.1.1.15, ID_IPV4_ADDR_SUBNET ID received--192.168.2.0--255.255.255.0
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, Received local IP Proxy Subnet data in ID Payload: Address 192.168.2.0, Mask 255.255.255.0, Protocol 0, Port 0
Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, processing notify payload
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, QM IsRekeyed old sa not found by addr
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, Static Crypto Map check, checking map = mymap, seq = 9...
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, Static Crypto Map Check, map = mymap, seq = 9, ACL does not match proxy IDs src:172.19.0.0 dst:192.168.2.0
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, IKE Remote Peer configured for crypto map: dynmap
Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, processing IPSec SA payload
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, All IPSec SA proposals found unacceptable!
Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, sending notify message
What I gather from the above output is that crypto map mymap seq 9 does not correspond to the proposal offered by the 3005. And guess what, it doesn't - so no surprise - but seq 12 matches. So I guess that the ASA is not checking the 3005 proposal against the whole crypto map. Fair assumption? And if yes, does someone know why not?
TIA
Cheers
Scott
Hi Scott,
We found it.
The dynamic crypto map must be attached to the static crypto map only once all static entries have been configured.
The best way is to attach the dynamic map at the last line of the static map, which is line no. 65535.
So follow these steps and let me know how it goes:
no crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
Please enter the commands above at the ASA configuration prompt.
Cheers,
Nash.
-
VPN L2L dynamic to static w/o DefaultL2LGroup
I was looking for a method to have a dynamic-to-static L2L VPN without using DefaultL2LGroup, but instead setting up several tunnel groups, one for each router with a dynamic IP address. Many people say it is not possible, but I found this guide: http://inetpro.org/wiki/LAN-to-LAN_IPSec_VPN_between_PIX/ASA_7.2_hub_and_IOS_spokes_with_dynamic_IP_addresses
Now the problem: the VPN comes up, but I can't reach any device with a ping.
Static side: ASA 5505 - 8.22
Dynamic side: Zyxel P-661HW-D3
Here is the config for the ASA:
access-list outside extended permit icmp any any
access-list outside extended deny ip any any
access-list inside extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
access-list inside extended deny ip any any
access-list VPN extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
access-list ST_3710 extended permit ip 10.1.0.0 255.255.248.0 10.51.10.0 255.255.255.0
nat (inside) 0 access-list VPN
nat (inside) 1 10.1.0.0 255.255.248.0
access-group inside in interface inside
access-group outside in interface outside
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DN3710 1 match address ST_3710
crypto dynamic-map DN3710 1 set transform-set myset
crypto map dyn-map 2 ipsec-isakmp dynamic DN3710
crypto map dyn-map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
group-policy GP3710 internal
group-policy GP3710 attributes
vpn-filter value ST_3710
vpn-tunnel-protocol IPSec
tunnel-group TG3710 type ipsec-l2l
tunnel-group TG3710 general-attributes
default-group-policy GP3710
tunnel-group TG3710 ipsec-attributes
pre-shared-key *********
As you can see, the VPN is up:
2   IKE Peer: ***.***.***.***
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE
Thanks in advance if anyone can help me with this problem.
Kind regards
Luca
Hello Luca,
You are right about that: you can have the spokes land on separate tunnel-groups, not only on the DefaultL2LGroup. The ASA follows this sequence when doing a tunnel-group lookup for L2L tunnels with pre-shared keys:
- the ike-id is checked first and could be the (full FQDN) host name or IP address
- if the ike-id lookup fails, the ASA tries the peer IP address
- DefaultRAGroup/DefaultL2LGroup is used as a last resort
From the output of your "sh cry isa sa" I can see that at least Phase 1 is up for your tunnel; please make sure that it landed on the correct tunnel-group.
The problem I see clearly here is the VPN filter that you have applied in the group policy; keep in mind that we must build vpn-filters with the incoming direction in mind.
When a vpn-filter is applied to a group policy that governs a LAN-to-LAN VPN connection, the ACL must be configured with the
remote network in the src_ip position of the ACL and the LAN in the dest_ip position of the ACL. Be careful when constructing the
ACL for use with the vpn-filter feature. The ACLs are built with post-decrypted traffic in mind; however, they are also applied to the traffic
in the opposite direction. In your case, the remote network is 10.51.10.0 255.255.255.0 and the local network is 10.1.0.0 255.255.248.0. So let's say you want to allow just telnet:
The following ACE will allow the remote network to Telnet to the LAN:
access-list vpnfilt-l2l permit tcp 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23
The following ACE will allow the LAN to Telnet to the remote network:
access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 eq 23 10.1.0.0 255.255.248.0
Note: The ACE "access-list vpnfilt-l2l permit tcp 10.51.10.0 255.255.255.0 10.1.0.0 255.255.248.0 eq 23" will allow the local network to establish a connection to the remote network on any TCP port if it uses a source port of 23.
The ACE "access-list vpnfilt-l2l permit tcp 10.0.0.0 255.255.255.0 eq 23 10.1.0.0 255.255.248.0" will allow the remote network to connect to the LAN on any TCP port if it uses a source port of 23.
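The ACL rules from this answer and from the earlier "Unable to pass traffic" and "PIX and ASA" threads (crypto ACLs must be mirror images, vpn-filter ACEs put the remote network in the source position), as an added example that is not code from the thread or from Cisco. It parses ASA extended ACEs, lists hub crypto-ACL entries the spoke does not mirror, and derives the vpn-filter ACE pair for a group policy. Function names are assumptions; the sample ACLs are constructed from the networks quoted in the threads.

```python
# Added example, not code from the thread. Parses ASA extended ACEs, checks that a
# hub's L2L crypto ACL is mirrored on the spoke, and derives the vpn-filter ACE pair
# (remote network as source, local LAN as destination) for a LAN-to-LAN group policy.
# Function names are assumptions; addresses are the ones quoted in the threads.
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

_ADDR = r"(?:any|host \S+|\S+ \S+)"
ACE_RE = re.compile(
    rf"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) "
    rf"(?P<src>{_ADDR}) (?P<dst>{_ADDR})(?: eq (?P<port>\d+))?$"
)


@dataclass(frozen=True)
class Ace:
    name: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: int | None = None


def _net(tok: str) -> ipaddress.IPv4Network:
    """'any', 'host A' or 'A MASK' -> network object."""
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok.startswith("host "):
        return ipaddress.IPv4Network(tok.split()[1] + "/32")
    addr, mask = tok.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_acl(text: str) -> list[Ace]:
    aces = []
    for line in text.strip().splitlines():
        line = " ".join(line.split())  # collapse whitespace before matching
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACE syntax: {line!r}")
        port = int(m["port"]) if m["port"] else None
        aces.append(Ace(m["name"], m["action"], m["proto"], _net(m["src"]), _net(m["dst"]), port))
    return aces


def unmirrored(hub: list[Ace], spoke: list[Ace]) -> list[tuple[str, str]]:
    """Permit entries on the hub that the spoke does not carry as (dst, src)."""
    spoke_pairs = {(a.proto, a.dst, a.src) for a in spoke if a.action == "permit"}
    return sorted(
        (str(a.src), str(a.dst))
        for a in hub
        if a.action == "permit" and (a.proto, a.src, a.dst) not in spoke_pairs
    )


def _mask(net: ipaddress.IPv4Network) -> str:
    return f"{net.network_address} {net.netmask}"


def vpn_filter_aces(name: str, remote: str, local: str, port: int) -> list[str]:
    """The two ACEs the answer describes: the remote network is always the source."""
    r, l = _mask(ipaddress.IPv4Network(remote)), _mask(ipaddress.IPv4Network(local))
    return [
        f"access-list {name} permit tcp {r} {l} eq {port}",  # remote -> LAN on the port
        f"access-list {name} permit tcp {r} eq {port} {l}",  # LAN -> remote (reply direction)
    ]


# Constructed sample using the networks from the "8.2 ASA dynamic VPN" thread:
# the hub's crypto ACL covers three corporate networks, the spoke's only two.
HUB_ACL = """
access-list ToRemote extended permit ip 10.0.0.0 255.0.0.0 10.10.10.0 255.255.255.0
access-list ToRemote extended permit ip 172.16.0.0 255.240.0.0 10.10.10.0 255.255.255.0
access-list ToRemote extended permit ip 192.168.252.0 255.255.255.0 10.10.10.0 255.255.255.0
"""
SPOKE_ACL = """
access-list Remote extended permit ip 10.10.10.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list Remote extended permit ip 10.10.10.0 255.255.255.0 172.16.0.0 255.240.0.0
"""


def check_sample() -> list[tuple[str, str]]:
    return unmirrored(parse_acl(HUB_ACL), parse_acl(SPOKE_ACL))


if __name__ == "__main__":
    for src, dst in check_sample():
        print("hub ACE not mirrored on spoke:", src, "->", dst)
    print("\n".join(vpn_filter_aces("vpnfilt-l2l", "10.51.10.0/24", "10.1.0.0/21", 23)))
```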
Kind regards