ASA with several L2L VPN Dynamics

I have an ASA 5510 such as VPN, used for about 30 L2L - VPN concentrator.

I need also some VPN L2L with dynamic peer remote.

While the configuration for a single dyn - VPN is quite simple (as described in several examples), how can I configure the ASA in the case of many dyn - VPN?

Basically, all the VPN - dyn must use the same PSK (the DefaultL2LGroup).

But using the "aggressive" on the remote peer mode, I could use a different PSK for every dyn - VPN:

tunnel-group ipsec-attributes ABCD

pre-shared-key *.

This configuration is correct?

Best regards

Claudio

Hello

Maybe the solutions provided in the following document may also be an option to configure multiple dynamic VPN L2L connections on the SAA

http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080bc7d13.shtml

Hope this helps

-Jouni

Tags: Cisco Security

Similar Questions

Should I apply a single to several L2L VPN VPN filter, or each VPN tunnel have their own VPN on an ASA filter?

Currently, I am trying to decide if what VPN creation filters, if I just create one and apply to multiple VPN tunnels or if each must have their own VPN tunnel filter VPN. Creating a VPN filter for each VPN tunnel seems like extra work but do not know if this is the best choice. I looked through the documentation, but they never mention the VPN application filters to several tunnels.

Hello Jork,

If you add filters for each VPN tunnel group, it will be more work, but at the same, you will have more control over the external users trying to connect to your network.

I would say that you have different groups tunnel (each of them will have their own funcionallity) therefore its depends on what you're trying to implement.

If the people who are going to use X tunnel-group are the same as those who use the tunnel-group is then you can use the same than that.

I hope I understood your question.

Kind regards.

Julio

M Note all the useful po

Manage the 5512 ASA with SSH via VPN

Hello

We are facing problems with ssh access on our ASA5512 on a Site-2-Site VPN tunnel.

SSH seems to be implemented properly, because we can login from inside and outside on both Interfaces.

But when we try to connect the ASA from a remote location with SSH Putty reports a timeout.

We set up a lot of these configurations with ASA5510 and ASA Image 8.x without any problem, so I guess it must have something to do with the new version of the ASA.

The value by defect-rsa-key was generated successfully.

VPN is ok and log viewer shows:

March 21, 2016

10:21:44

302013

192.168.0.100

51682

192.168.1.1

Built of TCP connections incoming 597903 for outside:192.168.0.100/51682 (192.168.0.100/51682) at inside:192.168.1.1/22 (192.168.1.1/22)

That's how we set up the configuration:

the ssh LOCAL console AAA authentication

SSH 192.168.0.0 255.255.255.0 inside (192.168.0.0 is the remote VPN network)

management-access inside

username privilege 15 PASSWORD USER password

We missed something?

Thank you

Best regards

Dennis

Hi Dennis,

The config looks very good.

Are you able to ping inside the interface through the tunnel.

If not can check you the nat for traffic and adds the route search key word.

If you use not all certificates on the SAA you can use the command for related on the SAA rsa keys:

encryption key tied rsa or try to be specific: related encryption rsa label key<>

Try to remove the SSH configuration and reapply.

I would like to know if it works or not. If this isn't the case, then take debug ssh 255 and part.

Kind regards

Aditya

Please evaluate the useful messages.

L2l VPN between ASA with the IP address public and CISCO2911 behind the ISP router with port forwarding

Hi all

My apologies if this is a trivial question, but I spent considerable time trying to search and had no luck.

I encountered a problem trying to set up a temporary L2L VPN from a Subscriber with CISCO2911 sitting behind the router of the ISP of an ASA. ISP has informed that I can't ignore their device and complete the circuit Internet on the Cisco for a reason, so I'm stuck with it. The Setup is:

company 10.1.17.1 - y.y.y.y - router Internet - z.z.z.z - ISP - LAN - 10.x.x.2 - XXX1 - ASA - 10.1.17.2 - CISCO2911 - 10.1.15.1 LAN

where 10.x.x.x is a corporate LAN Beach private network, y.y.y.y is a public ip address assigned to the external interface of the ASA and the z.z.z.z is the public IP address of the ISP router.

I have forwarded ports 500, 4500 and ESP on the ISP router for 10.1.17.2. The 2911 config attached below, what I can't understand is what peer IP address to configure on the SAA, because if I use z.z.z.z it will be a cause of incompatibility of identity 2911 identifies himself as 10.1.17.2...

! ^ ^ ^ ISAKMP (Phase 1) ^ ^ ^!
crypto ISAKMP policy 5
BA 3des
md5 hash
preshared authentication
Group 2
lifetime 28800
isakmp encryption key * address no.-xauth y.y.y.y

! ^ ^ ^ IPSEC (Phase 2) ^ ^ ^!
crymap extended IP access list
IP 10.1.15.0 allow 0.0.0.255 10.0.0.0 0.255.255.255
Crypto ipsec transform-set ESP-3DES-SHA 3rd-esp esp-sha-hmac
card crypto 1 TUNNEL VPN ipsec-isakmp
defined peer y.y.y.y
game of transformation-ESP-3DES-SHA
match the address crymap

Gi0/2 interface
card crypto VPN TUNNEL

Hello

debug output, it seems he's going on IPSEC States at the tunnel of final bud QM_IDLE's.

What I noticed in your configuration of ASA box, it's that you're usig PFS but not on 2911 router.

So I suggest:

no card crypto OUTSIDE_map 4 don't set pfs <-- this="" will="" disable="" pfs="" on="" asa="">

Then try tunnel initiate.

Kind regards

Jan

ASA 5505 - several VPN subnet

I'm trying to set up a VPN for use with the Cisco VPN Client. I currently have operational VPN, but I cannot allow access to several subnets connected to the ASA. My current stock of VPN DHCP is 10.0.0.0/24. I want to VPN users to talk to one of my other VLAN (172.16.20.0/24). That's what I can't understand. If I change my VPN DHCP pool to something like 172.16.20.100 - 110 can I talk to about everything on this fine subnet. But as soon as I change the DHCP pool to the other subnet so I can't. Any suggestions?

Here is my config:

Nysyr-SBO-ASA (config) # sh run

: Saved

:

ASA Version 8.4 (1)

!

names of

!

interface Vlan1

No nameif

no level of security

no ip address

!

interface Vlan2

Description connection to the ISP (FiOS)

nameif primaryisp

security-level 0

IP address

!

interface Vlan3

Description secondary connection ISP (Time Warner)

nameif backupisp

security-level 0

IP address

!

interface Vlan5

Description Connection to the subnet internal internet access (192.168.5.0/24)

nameif inside

security-level 100

192.168.5.1 IP address 255.255.255.0

!

interface Vlan20

Description Connection to the internal management network (172.16.20.0/24)

nameif insidemgmt

security-level 100

address 172.16.20.1 IP 255.255.255.0

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport access vlan 3

!

interface Ethernet0/2

switchport access vlan 5

!

interface Ethernet0/3

switchport access vlan 20

!

interface Ethernet0/4

Shutdown

!

interface Ethernet0/5

Shutdown

!

interface Ethernet0/6

Shutdown

!

interface Ethernet0/7

Shutdown

!

passive FTP mode

clock timezone IS - 5

clock to summer time EDT recurring

internal network object

192.168.5.0 subnet 255.255.255.0

network of the object asp-wss-1-tw

Home 192.168.5.11

network of the object asp-wss-1-vz

Home 192.168.5.11

network vpn-ip-pool of objects

10.0.0.0 subnet 255.255.255.0

access-list outside_access_in_1 note access list to allow outside in traffic

outside_access_in_1 list extended access permit tcp any object asp-wss-1-vz eq www

outside_access_in_1 list extended access permit tcp any object asp-wss-1-vz eq https

outside_access_in_1 list extended access permit tcp any object asp-wss-1-tw eq www

outside_access_in_1 list extended access permit tcp any object asp-wss-1-tw eq https

SBOnet_VPN_Tunnel_splitTunnelAcl standard access list allow 172.16.20.0 255.255.255.0

pager lines 24

Enable logging

asdm of logging of information

primaryisp MTU 1500

backupisp MTU 1500

Within 1500 MTU

insidemgmt MTU 1500

vpn-ip-pool 10.0.0.10 mask - 255.255.255.0 IP local pool 10.0.0.250

no failover

ICMP unreachable rate-limit 1 burst-size 1

don't allow no asdm history

ARP timeout 14400

NAT (inside primaryisp) source Dynamics one interface

NAT (inside backupisp) source Dynamics one interface

!

network of the object asp-wss-1-tw

NAT (inside backupisp) static

network of the object asp-wss-1-vz

NAT (inside primaryisp) static

Access-group outside_access_in_1 in the primaryisp interface

Access-group outside_access_in_1 in the backupisp interface

Route 0.0.0.0 primaryisp 0.0.0.0 1 track 1

Route 0.0.0.0 backupisp 0.0.0.0 10

Timeout xlate 03:00

Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00

Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00

Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-registration DfltAccessPolicy

the ssh LOCAL console AAA authentication

Enable http server

http 192.168.5.0 255.255.255.0 inside

http 0.0.0.0 0.0.0.0 primaryisp

http 0.0.0.0 0.0.0.0 backupisp

http 0.0.0.0 0.0.0.0 insidemgmt

No snmp server location

No snmp Server contact

Server enable SNMP traps snmp authentication linkup, linkdown warmstart of cold start

monitor SLA 123

type echo protocol ipIcmpEcho 8.8.8.8 interface primaryisp

threshold of 3000

frequency 10

Annex ALS life monitor 123 to always start-time now

Crypto ipsec transform-set ikev1 ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-DES-SHA esp - esp-sha-hmac

Crypto ipsec transform-set ikev1 esp ESP-DES-MD5-esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-3DES-MD5-esp-3des esp-md5-hmac

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-SHA aes - esp esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

Crypto ipsec transform-set ikev1 ESP-AES-128-MD5-esp - aes esp-md5-hmac

Crypto ipsec transform-set ikev1 SHA-ESP-3DES esp-3des esp-sha-hmac

Dynamic crypto map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ikev1

primaryisp_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

card crypto primaryisp_map interface primaryisp

backupisp_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP

card crypto backupisp_map interface backupisp

Crypto ca trustpoint ASDM_TrustPoint0

Terminal registration

name of the object CN =

Configure CRL

IKEv2 crypto policy 1

aes-256 encryption

integrity sha

Group 5

FRP sha

second life 86400

Crypto ikev2 enable primaryisp

Crypto ikev2 enable backupisp

Crypto ikev1 enable primaryisp

Crypto ikev1 enable backupisp

IKEv1 crypto policy 30

preshared authentication

aes-256 encryption

sha hash

Group 2

life 86400

!

track 1 rtr 123 accessibility

Telnet timeout 5

SSH 0.0.0.0 0.0.0.0 primaryisp

SSH 0.0.0.0 0.0.0.0 backupisp

SSH 0.0.0.0 0.0.0.0 insidemgmt

SSH timeout 20

Console timeout 20

No vpn-addr-assign aaa

No dhcp vpn-addr-assign

a basic threat threat detection

statistical threat detection port

Statistical threat detection Protocol

Statistics-list of access threat detection

no statistical threat detection tcp-interception

WebVPN

internal SBOnet_VPN_Tunnel group strategy

attributes of Group Policy SBOnet_VPN_Tunnel

Ikev1 VPN-tunnel-Protocol

Split-tunnel-policy tunnelall

value of Split-tunnel-network-list SBOnet_VPN_Tunnel_splitTunnelAcl

attributes of Group Policy DfltGrpPolicy

value of Split-tunnel-network-list SBOnet_VPN_Tunnel_splitTunnelAcl

attributes global-tunnel-group DefaultRAGroup

VPN-ip-pool-pool of addresses (primaryisp)

ip vpn-pool address pool

IPSec-attributes tunnel-group DefaultRAGroup

IKEv1 pre-shared-key *.

type tunnel-group SBOnet_VPN_Tunnel remote access

attributes global-tunnel-group SBOnet_VPN_Tunnel

ip vpn-pool address pool

Group Policy - by default-SBOnet_VPN_Tunnel

IPSec-attributes tunnel-group SBOnet_VPN_Tunnel

IKEv1 pre-shared-key *.

!

class-map inspection_default

match default-inspection-traffic

!

!

type of policy-card inspect dns preset_dns_map

parameters

maximum message length automatic of customer

message-length maximum 512

Policy-map global_policy

class inspection_default

inspect the preset_dns_map dns

inspect the ftp

inspect h323 h225

inspect the h323 ras

Review the ip options

inspect the netbios

inspect the rsh

inspect the rtsp

inspect the skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect the tftp

inspect the sip

inspect xdmcp

inspect the icmp

!

global service-policy global_policy

context of prompt hostname

call-home

Profile of CiscoTAC-1

no active account

http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address

email address of destination [email protected] / * /

destination-mode http transport

Subscribe to alert-group diagnosis

Subscribe to alert-group environment

Subscribe to alert-group monthly periodic inventory

monthly periodicals to subscribe to alert-group configuration

daily periodic subscribe to alert-group telemetry

Cryptochecksum:7a817a8679e586dc829c06582c60811d

: end

keep deleted thos lines, you don't need these lines to your remote access VPN.

Please tell me, what is the default gateway assigned on these hosts sitting on the mgmt network segment?

ASA with 2 Tunnels L2L at the same Site / same network

I have an ASA 5510 to A Site with a L2L tunnel to another site, subnet b. site unique to each site. In a few weeks, we will add a second

Internet access to Site B, then the two connections will be active. But we want traffic to go through the new connection unless it breaks down, then use the other. How to configure on the SAA so he doesn't get confused as to what tunnel take to arrive at the B Site subnet? Is this possible?

If ASA on Site B will have two different interfaces, terminating the VPN, Site A, set you two peers (a favorite).

i.e.

cry map mymap 10 set peer 1.1.1.1 2.2.2.2

Assuming that 1.1.1.1 first Site B public IP address of the ASA and 2.2.2.2 is second Site B public IP address of the ASA.

The ASA to Site A will attempt to establish the tunnel to 1.1.1.1 first, and if it fails, it will try 2.2.2.2

On Site B, ASA must have the card encryption on both interfaces.

You can set the Site B ASA come from the tunnel and the SAA on Site A receive.

Federico.

L2l - VPN with NAT incoming

Cisco ASA (site A) with 2 L2L-VLNs (call the Site B and Site C)

I need "inbound nat' Site-C network.

Let me explain better:

-Site-B (10.14.63.0/24) accepts only traffic between the local network of the site-A (10.1.6.0/24), and I can't change the VPN.

-Now, I've logged on the Site-A site-C, and this must also communicate with site-B

-So I thought I have nat, the network of Site-C (10.168.3.0/24) in order to present with an IP of A Site.

Possible?

And how to configure the ASA at the Site-A?

Thank you

Claudio

Hello

What is the level of software on the Site to ASA?

-Jouni

SA520W VPN from Site to Site with several VLANs

Hello

I have a customer here with several VLANS in their places who wants to set up a VPN from Site to site between 2 devices SA520W. Unfortunately I can not find a way to set it up. In the VPN policy, I can choose between everything (which is not what I want, I want only traffict between subnets the routed via VPN), IP address unique, a beach (in a subnet) and a subnet itself - but only one. I don't find a way to configure several subnets in the selection of local traffic and remotely. Adding another IKE policy between the 2 sites does not either (which is good normally).

Any ideas? Anything I'm doing wrong?

Thank you for your help.

Best regards

Thomas

I know that if you have an ASA or a router, you can define as VLANS to pass through the tunnel.

Do not have access to a SA520W to test...

A recommendation might be to post the question on the SMB community where they answered questions related to this product, just to check what other people did.

Federico.

Cisco ASA l2l VPN disorder

Hello Experts from Cisco,

I run in trouble with one of my l2l ipec vpn between an asa 5510 and 5520 cisco running version 8.2.2.

Our existing l2l VPN are connected fine and work very well. Currently SITE a (10.10.0.0/16) connects to the SITE B (10.20.0.0/16). SITE A connects to SITE C (10.100.8.0/21). These are OK.

What is a failure is when I try to connect SITE B to SITE C. The tunnel coming up and phase 1 and 2 complete successfully. However, even if in the course of execution: ' entry packet - trace within the icmp 10.20.8.2 8 0 detailed 10.100.8.1 ' I get the following:

Phase: 10

Type: VPN

Subtype: encrypt

Result: DECLINE

Config:

Additional information:

Direct flow from returns search rule:

ID = 0xad1c4500, priority = 70, domain = encrypt, deny = false

hits = 609, user_data = 0 x 0, cs_id = 0xad1c2e10, reverse, flags = 0 x 0 = 0 protocol

SRC ip = 10.20.0.0, mask is 255.255.0.0, port = 0

DST ip = 10.100.8.0, mask is 255.255.248.0, port = 0, dscp = 0 x 0

I noticed that when the tunnel came, the road to 10.100.8.0/21 was added in the routing table and cyrpto what ACL has not been applied on the SAA remote. I added the route manually but cannot get the cryto ACL to apply.

Useful info:

C SITE

the object-group NoNatDMZ-objgrp network

object-network 10.10.0.0 255.255.0.0

object-network 10.10.12.0 255.255.255.0

network-object 10.20.0.0 255.255.0.0

access extensive list ip 10.100.8.0 outside_30_cryptomap allow 255.255.248.0 10.20.0.0 255.255.0.0

IP 10.100.8.0 allow Access - list extended sheep 255.255.248.0 sheep-objgrp object-group

card crypto outside_map 30 match address outside_30_cryptomap

card crypto outside_map 30 peers set x.x.x.x

crypto outside_map 30 card value transform-set ESP-AES256-SHA

crypto outside_map 30 card value reverse-road

outside_map interface card crypto outside

SITE B

object-group network sheep-objgrp

object-network 10.10.0.0 255.255.0.0

object-network 10.21.0.0 255.255.0.0

object-network 10.10.12.0 255.255.255.0

network-object 10.100.8.0 255.255.248.0

IP 10.20.0.0 allow Access - list extended sheep 255.255.0.0 sheep-objgrp object-group

allow outside_50_cryptomap to access extended list ip 10.20.0.0 255.255.0.0 10.100.8.0 255.255.248.0

card crypto outside_map 50 match address outside_50_cryptomap

game card crypto outside_map 50 peers XX. XX. XX. XX

outside_map crypto 50 card value transform-set ESP-AES256-SHA

outside_map crypto 50 card value reverse-road

outside_map interface card crypto outside

I've been struggling with this these days. Any help is very appreciated!

Thank you!!

Follow these steps:

no card outside_map 10-isakmp ipsec crypto dynamic outside_dyn_map

map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map

clear crypto ipsec its SITE_B_Public peer

Try again and attach the same outputs.

Let me know.

Thank you.

L2l VPN with IPSEC NAT

Hi all!

I have a question about L2L VPN and NAT.

Can I set up the VPN tunnel between two ASAs or routers using the NAT translation from within the private IP addresses to a single public IP address outside the interface and then implement interesting crypto with the source of the public IP address and the destination of the remote private network on the other end (also ASA). For example, I want to translate a private network to the public ip address at one end and use the VPN tunnel with a public IP address as the source. Policy-NAT is not an option, because we really do not want to provide any IP address to the remote end, and IP addresses of the remote end can overlap with our end.

Thank you!

Hello

You can definitely set up an IPSec tunnel between two devices in the translation of your subnet in a single public IP address. You just create the translation and as you mentioned define interesting traffic using the public IP address.

This is exactly what we call political NAT, I don't understand why you say that NAT policy is not an option. Perhapps you misunderstood concept NAT policy or I misunderstood your question.

For example, assuming that the LAN private at your side is 172.16.1.0/24, the remote subnet is 192.168.150.0/24, and that the public IP address that you want to use is 200.200.200.200 your NAT config should look like this:

access-list 199 permit ip 172.16.1.0 255.255.252.0 192.168.150.0 255.255.255.0

Global (outside) 6 200.200.200.200

NAT (inside) 6 access-L199

Which would be NAT traffic to the public IP address only when the traffic matches the ACL.

Your ACL crypto should then be something like

cryptomap list of allowed access host ip 200.200.200.200 192.168.150.0 255.255.255.0

That would hide your address real and all they see is the public IP address you give them. Note that since the NAT takes place on your side your side will be able to raise the tunnel.

I hope this helps.

Raga

Activation of the NAC HA puts several hosts and ASA with processor clocked at 100%

I installed a NAC Manager and a NAC server in OOB without any problems, but when I configured the AP (high availability) with another server, my ASA and several guests in my network started work ant 100% of the cpu.

I tried to configure each interface of the NAC on a single DMZ and the problem stops there.

-That someone had this problem (NAC version 4.7)

TKX

Miguel Amaral

Hello Miguel.

When I started a NAC InBand HA solution I had a similar problem that I solved the heart rate HA configuration to use ETH0 just instead use ETH0 and ETH1.

Best regards

Luciano Carvalho

ASA EzVPN with several remote subnets

Hello world

I'll have the challenge of EasyVPN installation based on ASA 5520, and ASA 5505 (with the ASA5505 as the vpnclient) with several networks behind the ASA 5505.

Access by the network directly connected on the 5505 to the central site works very well.

But the second network segment (which is behind a router on the directly connected network) cannot connect to the central site.

I guess I need to specify that some sort of acl's to be able to do that.

BTW we do not use tunneling split, because all traffic moves through the tunnel (no local internet access).

The layout looks like this

(--LAN--)-5520---5505-(--LAN1--)-ROUTER-(--LAN2--)-(WAN)-

LAN1 and LAN connection works great through the EZVPN Tunnel.

LAN2 connection to the LAN does not work through the Tunnel of EZVPN.

Here is the configuration used so far (outside the normal SHEEP, groups of objects and stuff ISAKMP crypto):

Client:

vpnclient Server 10.x.x.x

extension-mode network mode vpnclient

EzVPN vpngroup vpnclient password *.

vpnclient username user1 password *.

vpnclient enable

Crypto ipsec df - bit clear-df outdoors

Server:

internal EzVPN group strategy

Group Policy attributes EzVPN

allow to NEM

allow password-storage

tunnel-group EzVPN type ipsec-ra

General characteristics of tunnel-group EzVPN

Group Policy - by default-EzVPN

IPSec-attributes tunnel-group EzVPN

pre-shared key *.

user user1 password *.

I hope you can help

Best regards

Jarle

Unfortunately, it is not supported on the platform of the SAA. With EasyVPN on the SAA, only the connected networks can be advertised. To accomplish what you want to do, you need to configure a static IPSec tunnel and announce local networks via ACL interesting traffic. You can also use an IOS device that does not have the capabilities of "multiple subnet" with EasyVPN.

http://www.Cisco.com/en/us/docs/iOS/sec_secure_connectivity/configuration/guide/sec_easy_vpn_rem.html#wp1098057

VPN IPSec ASA with two ISP active

Hi ALL!

I have a question.

So I have ASA with 9.2 (1) SW connected to ISP with active SLA.

I need to configure redundant IPSec VPN via ISP2, while all other traffic must go through isps1. In case if one of the ISP goes down all including VPN traffic must be routed via ISP alive.

I have configured SLA and it works.

ciscoasa # display route performance
Route 0.0.0.0 isps1 0.0.0.0 10.175.2.5 5 track 1
Route isp2 0.0.0.0 0.0.0.0 10.175.3.5 10 track 2
Route isp2 172.22.10.5 255.255.255.255 10.175.3.5 1 excerpt 2

Here we can see if isps1 and ISP2 are RISING, all traffic passes through isps1, but traffic intended for the remote peer IPSec 172.22.10.5 passes by ISP2.

This configuration works just at the moment when isps1 or isp2 is down or if a static route for 172.22.10.5 deleted. Where two Internet service providers are increasing to ASA does not send the next remote IPSec datagrams.

ciscoasa # display running nat
NAT (inside, isp2) source static obj-INSIDE_LAN obj-INSIDE_LAN destination static obj-REMOTE_LAN obj-REMOTE_LAN no-proxy-arp-search to itinerary
NAT (inside isps1) source static obj-INSIDE_LAN obj-INSIDE_LAN destination static obj-REMOTE_LAN obj-REMOTE_LAN no-proxy-arp-search to itinerary

Crypto ipsec transform-set ikev1 ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Crypto ipsec pmtu aging infinite - the security association
card crypto cm_vpnc 10 correspondence address acl_vpn
card crypto cm_vpnc 10 set pfs
peer set card crypto cm_vpnc 10 172.22.10.5
card crypto cm_vpnc 10 set transform-set ESP-AES-256-SHA ikev1
86400 seconds, duration of life card crypto cm_vpnc 10 set - the security association
card crypto cm_vpnc interface isps1
cm_vpnc interface isp2 crypto card
trustpool crypto ca policy
isps1 enable ikev1 crypto
isp2 enable ikev1 crypto
IKEv1 crypto policy 1
preshared authentication
aes-256 encryption
sha hash
Group 2
life 86400

ciscoasa # show ip
System of IP addresses:
Subnet mask IP address name interface method
Vlan1 in 192.168.2.1 255.255.255.0 CONFIG
Isps1 Vlan2 10.175.2.10 255.255.255.0 CONFIG
Isp2 Vlan3 10.175.3.10 255.255.255.0 CONFIG

The main question why?

Thank you in advance,

Anton

Hi anton,.

If you check the log message on your ASA R301-IS , he's trying to build the tunnel VPN with both IP and it receives packets of asymmetrically your distance ciscoasa.

TO avoid this asymmetrical connection, point your IP from peers as primary & secondary on your R301-EAST

set peer 10.175.3.10 10.175.2.10

Delete the track on your routing entries

Route isp2 172.22.10.5 255.255.255.255 10.175.3.5

This should work for you.

Similalry lower your ISP 2, you should see VPN tunnel is mounted with isps1 one.

HTH

Sandy

L2l VPN tunnel is reset during the generate a new IPSec key

I have a tunnel VPN L2L that resets completely, start with Phase 1, at the expiration of the timer of the IPSec Security Association. Although there are several SAs, it always resets all of the tunnel.

I see the following in the log errors when this happens:

03/06/2013 12:54:41 Local7.Notice ipRemoved June 3, 2013 12:54:41 LKM-NVP-L2L-01: % 713050-5-ASA: Group = ipRemoved, IP = ipRemoved, completed for the ipRemoved peer connection. Reason: Peer terminate Proxy remote n/a, Proxy Local n/a

03/06/2013 12:54:41 Local7.Notice ipRemoved June 3, 2013 12:54:41 LKM-NVP-L2L-01: % 713259-5-ASA: Group = ipRemoved, IP = ipRemoved, Session is be demolished. Reason: The user has requested

03/06/2013 12:54:41 Local7.Warning ipRemoved June 3, 2013 12:54:41 LKM-NVP-L2L-01: % ASA-4-113019: Group = ipRemoved username = ipRemoved, IP = ipRemoved, disconnected Session. Session type: IKE, duration: 4 h: 00 m: 06 s, xmt bytes: 260129, RRs bytes: 223018, reason: the user has requested

03/06/2013 12:55:33 Local7.Notice ipRemoved June 3, 2013 12:55:33 LKM-NVP-L2L-01: % 713041-5-ASA: IP = ipRemoved, IKE initiator: New Phase 1, Intf inside, IKE Peer ipRemoved local Proxy 204.139.127.24 address, address remote Proxy 156.30.21.200, Card Crypto (L2LVPN)

03/06/2013 12:55:33 Local7.Notice ipRemoved June 3, 2013 12:55:33 LKM-NVP-L2L-01: % 713119-5-ASA: Group = ipRemoved, IP = ipRemoved, PHASE 1 COMPLETED

Local7.Notice ipRemoved June 3, 2013 03/06/2013-12:55:33 12:55:33 LKM-NVP-L2L-01: % 713049-5-ASA: Group = ipRemoved, IP = ipRemoved, the security negotiation is complete for LAN - to - LAN Group (ipRemoved) initiator, Inbound SPI = 0x9213bdc9, outbound SPI = 0x1799a099

03/06/2013 12:55:33 Local7.Notice ipRemoved June 3, 2013 12:55:33 LKM-NVP-L2L-01: % 713120-5-ASA: Group = ipRemoved, IP = ipRemoved, PHASE 2 COMPLETED (msgid = b8a47603)

03/06/2013 13:02:11 Local7.Notice ipRemoved June 3, 2013 13:02:11 LKM-NVP-L2L-01: % 713041-5-ASA: Group = ipRemoved, IP = ipRemoved, IKE initiator: New Phase 2, Intf inside, IKE Peer ipRemoved local Proxy 204.139.127.71 address, address remote Proxy 156.30.21.200, Card Crypto (L2LVPN)

Local7.Notice ipRemoved June 3, 2013 03/06/2013-13:02:11 13:02:11 LKM-NVP-L2L-01: % 713049-5-ASA: Group = ipRemoved, IP = ipRemoved, the security negotiation is complete for LAN - to - LAN Group (ipRemoved) initiator, Inbound SPI = 0x93f9be6c, outbound SPI = 0x1799a16d

03/06/2013 13:02:11 Local7.Notice ipRemoved June 3, 2013 13:02:11 LKM-NVP-L2L-01: % 713120-5-ASA: Group = ipRemoved, IP = ipRemoved, PHASE 2 COMPLETED (msgid = 1f6c9acd)

Any thoughts on why she would do that?

Thank you.

Jason

Hello

Both the log messages seems to suggest that the remote end is closed/compensation connection.

Is this a new connection that suffer from this problem or has it started on an existing connection?

The Cisco documentation associated with the Syslog messages does really not all useful information about these log messages.

I guess that your problem is that TCP by L2L VPN connections suffer from the complete renegotiations of the L2L VPN.

I wonder if the following configuration can help even if this situation persists

Sysopt preserve-vpn-flow of connection

Here is a link to the order of the ASA reference (8, 4-8, 6 software) with a better explanation of this configuration.

http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/S8.html#wp1538395

It is not enabled by default on the SAA.

Hope this helps

-Jouni

Press L2L VPN, IPSEC, and L2TP PIX connections

Hi all

I'm trying to implement a solution on my FW PIX (pix804 - 24.bin) to be able to support a VPN L2L session with VPN dynamic user sessions where clients will use a mix of IPSEC(Nat detection) and L2TP. We have always supported things IPSEC and that worked great for many years. I'm now trying to Add L2TP support, so that I can support Android phones/ipads, etc. as well as Windows with built in VPN l2tp clients clients. Everything works well except for the new features of L2TP. Allows you to complete one phase but then tries to use the card encryption that is used for the VPN L2L. It seems to fail because IP addresses are not in the configured ACL to the crypto-map L2L. Does anyone know if there are any questions all these configurations support both. And if not can you see what I have wrong here, which would make it not work. Here are the relevant training:

C515 - A # sh run crypto
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set of society-ras-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-sha-hmac company-l2tp
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Dynamic crypto map company-ras 1 correspondence address company-dynamic
company Dynamics-card crypto-ras 1 set pfs
Dynamic crypto map company-ras 1 transform-set ESP-SHA-3DES ESP-3DES-MD5 company-ras
Dynamic crypto map company-ras 1 lifetime of security association set seconds 28800
company Dynamics-card crypto-ras 1 kilobytes of life together - the association of safety 4608000
crypto dynamic-map-ras company 2 address company-dynamic game
crypto dynamic-map company-ras 2 transform-set of society-l2tp
crypto dynamic-map company-ras 2 set security association lifetime seconds 28800
company Dynamics-card crypto-ras 2 kilobytes of life together - the association of safety 4608000
card crypto company-map 1 correspondence address company-colo
card crypto company-card 1 set pfs
card crypto company-card 1 set counterpart colo-pix-ext
card crypto card company 1 value transform-set ESP-3DES-MD5 SHA-ESP-3DES
company-map 1 lifetime of security association set seconds 28800 crypto
card company-card 1 set security-association life crypto kilobytes 4608000
company-card 1 set nat-t-disable crypto card
company-card 2 card crypto ipsec-isakmp dynamic company-ras
business-card interface card crypto outside
crypto isakmp identity address
crypto ISAKMP allow outside

Crypto isakmp nat-traversal 3600

crypto ISAKMP policy 1
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 2
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
C515 - A # sh run tunnel-group
attributes global-tunnel-group DefaultRAGroup
company-ras address pool
Group-LOCAL radius authentication server
Group Policy - by default-l2tp
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared-key *.
tunnel-group DefaultRAGroup ppp-attributes
PAP Authentication
No chap authentication
ms-chap-v2 authentication
eap-proxy authentication
type tunnel-group company-ras remote access
tunnel-group global company-ras-attributes
company-ras address pool
Group-LOCAL radius authentication server
tunnel-group company-ras ipsec-attributes
pre-shared-key *.
type tunnel-group company-admin remote access
attributes global-tunnel-group company-admin
company-admin address pool
Group-LOCAL radius authentication server
company strategy-group-by default-admin
IPSec-attributes of tunnel-group company-admin
pre-shared-key *.
PPP-attributes of tunnel-group company-admin
No chap authentication
ms-chap-v2 authentication
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group ipsec-attributes x.x.x.x
pre-shared-key *.
ISAKMP keepalive retry threshold 15 10
C515 - A # sh run Group Policy
attributes of Group Policy DfltGrpPolicy
Server DNS 10.10.10.20 value 10.10.10.21
Protocol-tunnel-VPN IPSec
enable PFS
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value company-SPLIT-TUNNEL-ACL
company.int value by default-field
NAC-parameters DfltGrpPolicy-NAC-framework-create value
internal strategy of company-admin group
attributes of the strategy of company-admin group
WINS server no
DHCP-network-scope no
VPN-access-hour no
VPN - 20 simultaneous connections
VPN-idle-timeout 30
VPN-session-timeout no
Protocol-tunnel-VPN IPSec l2tp ipsec
disable the IP-comp
Re-xauth disable
Group-lock no
enable PFS
Split-tunnel-network-list value company-ADMIN-SPLIT-TUNNEL-ACL
L2TP strategy of Group internal
Group l2tp policy attributes
Server DNS 10.10.10.20 value 10.10.10.21
Protocol-tunnel-VPN l2tp ipsec
disable the PFS
Split-tunnel-policy tunnelall
company.int value by default-field
NAC-parameters DfltGrpPolicy-NAC-framework-create value

Relevant debug output

C515 - Has # Sep 03 02:09:33 [IKEv1 DEBUG]: IP = 66.25.14.195, Oakley proposal is acceptable
Sep 03 02:09:33 [IKEv1 DEBUG]: IP = 66.25.14.195, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false
Sep 03 02:09:33 [IKEv1 DEBUG]: IP = 66.25.14.195, IKE SA proposal # 1, turn # 1 entry IKE acceptable Matches # 3 overall
Sep 03 02:09:33 [IKEv1]: IP = 66.25.14.195, connection landed on tunnel_group DefaultRAGroup
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, status of automatic NAT detection: remote endpoint IS behind a NAT device this end is NOT behind a NAT device
Sep 03 02:09:33 [IKEv1]: IP = 66.25.14.195, connection landed on tunnel_group DefaultRAGroup
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, previously allocated memory of liberation for permission-dn-attributes
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, PHASE 1 COMPLETED
Sep 03 02:09:33 [IKEv1]: IP = 66.25.14.195, for this connection Keep-alive type: None
Sep 03 02:09:33 [IKEv1]: IP = 66.25.14.195, Keep-alives configured on, but the peer does not support persistent (type = None)
Sep 03 02:09:33 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 66.25.14.195, timer to generate a new key to start P1: 21600 seconds.
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, data received in payload ID remote Proxy Host: address 172.16.0.104 17 of the Protocol, Port 0
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, data received in payload ID local Proxy Host: address x.x.x.x, 17 of the Protocol, Port 1701
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, detected L2TP/IPSec session.
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, QM IsRekeyed its not found old addr
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, static check card Crypto, check card company card, seq = 1 =...
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, static check card Crypto card = company-map, seq = 1, ACL does not proxy IDs src:66.25.14.195 dst: x.x.x.x
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, tunnel IPSec rejecting: no entry for crypto for proxy card proxy remote 66.25.14.195/255.255.255.255/17/0 local x.x.x.x/255.255.255.255/17/1701 on the outside interface
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, error QM WSF (P2 struct & 0x501c1f0, mess id 0xa181b866).
Sep 03 02:09:33 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 66.25.14.195, case of mistaken IKE responder QM WSF (struct & 0x501c1f0) , : QM_DONE EV_ERROR--> QM_BLD_MSG2 EV_NEGO_SA--> QM_BLD_MSG2, EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MSG--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, peer table correlator Removing failed, no match!
Sep 03 02:09:33 [IKEv1]: ignoring msg SA brand with Iddm 204910592 dead because ITS removal
Sep 03 02:10:05 [IKEv1 DEBUG]: IP = 66.25.14.195, Oakley proposal is acceptable
Sep 03 02:10:05 [IKEv1 DEBUG]: IP = 66.25.14.195, IKE Peer included IKE fragmentation capability flags: Main Mode: real aggressive Mode: false
Sep 03 02:10:05 [IKEv1 DEBUG]: IP = 66.25.14.195, IKE SA proposal # 1, turn # 1 entry IKE acceptable Matches # 3 overall
Sep 03 02:10:05 [IKEv1]: IP = 66.25.14.195, connection landed on tunnel_group DefaultRAGroup
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, status of automatic NAT detection: remote endpoint IS behind a NAT device this end is NOT behind a NAT device
Sep 03 02:10:05 [IKEv1]: IP = 66.25.14.195, connection landed on tunnel_group DefaultRAGroup
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, previously allocated memory of liberation for permission-dn-attributes
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, PHASE 1 COMPLETED
Sep 03 02:10:05 [IKEv1]: IP = 66.25.14.195, for this connection Keep-alive type: None
Sep 03 02:10:05 [IKEv1]: IP = 66.25.14.195, Keep-alives configured on, but the peer does not support persistent (type = None)
Sep 03 02:10:05 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 66.25.14.195, timer to generate a new key to start P1: 21600 seconds.
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, data received in payload ID remote Proxy Host: address 172.16.0.104 17 of the Protocol, Port 0
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, data received in payload ID local Proxy Host: address x.x.x.x, 17 of the Protocol, Port 1701
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, detected L2TP/IPSec session.
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, QM IsRekeyed its not found old addr
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, static check card Crypto, check card company card, seq = 1 =...
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, static check card Crypto card = company-map, seq = 1, ACL does not proxy IDs src:66.25.14.195 dst: x.x.x.x
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, tunnel IPSec rejecting: no entry for crypto for proxy card proxy remote 66.25.14.195/255.255.255.255/17/0 local x.x.x.x/255.255.255.255/17/1701 on the outside interface
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, error QM WSF (P2 struct & 0x501c1f0, mess id 0xa5db9562).
Sep 03 02:10:05 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 66.25.14.195, case of mistaken IKE responder QM WSF (struct & 0x501c1f0) , : QM_DONE EV_ERROR--> QM_BLD_MSG2 EV_NEGO_SA--> QM_BLD_MSG2, EV_IS_REKEY--> QM_BLD_MSG2, EV_CONFIRM_SA--> QM_BLD_MSG2, EV_PROC_MSG--> QM_BLD_MSG2, EV_HASH_OK--> QM_BLD_MSG2, NullEvent--> QM_BLD_MSG2, EV_COMP_HASH
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, peer table correlator Removing failed, no match!
Sep 03 02:10:05 [IKEv1]: ignoring msg SA brand with Iddm 204914688 dead because ITS removal

The outputs of two debugging who worry are the following:

Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, data received in payload ID remote Proxy Host: address 172.16.0.104 17 of the Protocol, Port 0
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, data received in payload ID local Proxy Host: address x.x.x.x, 17 of the Protocol, Port 1701

Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, static check card Crypto, check card company card, seq = 1 =...
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, static check card Crypto card = company-map, seq = 1, ACL does not proxy IDs src:66.25.14.195 dst: x.x.x.x
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, tunnel IPSec rejecting: no entry for crypto for proxy card proxy remote 66.25.14.195/255.255.255.255/17/0 local x.x.x.x/255.255.255.255/17/1701 on the outside interface
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, error QM WSF (P2 struct & 0x501c1f0, mess id 0xa5db9562).

This seems to indicate that his NAT detection but then do not assign to the entry card cryptography because networks are encrypted are not in the configured ACL that is true. He needs to use dynamic input and it doesn't seem to be.

I need to create another dynamic map entry to make it work instead of add lines to the same dynamic with a lower (higher) priority map entry?

Thanks in advance for any help here.

Hello

That won't do the trick, l2tp clients are picky kindda, so you know if they do not hit the correct strategy first they just stop trying. Follow these steps:

correspondence from the company of dynamic-map crypto-ras 1 address company-dynamic

No crypto-card set pfs dynamic company-ras 1

No crypto dynamic-map company-ras-1 transform-set ESP-SHA-3DES ESP-3DES-MD5 company-ras

Dynamic crypto map company-ras 1 transform-set company-l2tp SHA-ESP-3DES ESP-3DES-MD5 company-ras

The foregoing will not affect existing customers of IPsec at all, these clients will not use the statement of pfs and will link even if the correspondence address is not configured (it is optional), besides Cisco IPsec clients will be affected first the mode of transport policy and fail however they will continue to try and hit another police PH2.

Regarding your last question, I was referring specifically to the support of l2tp for android, and Yes, you will need to run one of these versions.

http://www.Cisco.com/en/us/docs/security/ASA/asa82/release/notes/asarn82.html#wp431562

Tavo-

ASA with several L2L VPN Dynamics

Similar Questions

Maybe you are looking for