ASA with several dynamic L2L VPNs
I have an ASA 5510 used as a VPN concentrator for about 30 L2L VPNs.
I also need some L2L VPNs with dynamic remote peers.
While the configuration for a single dynamic VPN is quite simple (as described in several examples), how can I configure the ASA in the case of many dynamic VPNs?
Basically, all the dynamic VPNs must use the same PSK (the DefaultL2LGroup).
But using aggressive mode on the remote peer, I could use a different PSK for every dynamic VPN:
tunnel-group ABCD ipsec-attributes
 pre-shared-key *
Is this configuration correct?
Best regards
Claudio
Hello
Maybe the solutions provided in the following document could also be an option for configuring multiple dynamic L2L VPN connections on the ASA
http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080bc7d13.shtml
Hope this helps
-Jouni
Similar Questions
-
Currently, I am trying to decide whether, when creating VPN filters, I can just create one and apply it to multiple VPN tunnels, or if each VPN tunnel must have its own VPN filter. Creating a VPN filter for each VPN tunnel seems like extra work, but I don't know if this is the best choice. I looked through the documentation, but it never mentions applying VPN filters to several tunnels.
Hello Jork,
If you add filters for each VPN tunnel group, it will be more work, but at the same time you will have more control over the external users trying to connect to your network.
I would say that you have different tunnel groups (each of them will have its own functionality), therefore it depends on what you're trying to implement.
If the people who are going to use tunnel-group X are the same as those who use tunnel-group Y, then you can use the same filter for both.
I hope I understood your question.
Kind regards.
Julio
-
Manage the ASA 5512 with SSH via VPN
Hello
We are facing problems with SSH access to our ASA5512 over a site-to-site VPN tunnel.
SSH seems to be implemented properly, because we can log in from inside and outside on both interfaces.
But when we try to connect to the ASA from a remote location with SSH, PuTTY reports a timeout.
We set up a lot of these configurations with ASA5510 and ASA image 8.x without any problem, so I guess it must have something to do with the new version of the ASA.
The Default-RSA-Key was generated successfully.
The VPN is OK and the log viewer shows:
6 | Mar 21 2016 | 10:21:44 | 302013 | 192.168.0.100 | 51682 | 192.168.1.1 | 22 | Built inbound TCP connection 597903 for outside:192.168.0.100/51682 (192.168.0.100/51682) to inside:192.168.1.1/22 (192.168.1.1/22)
This is how we set up the configuration:
aaa authentication ssh console LOCAL
ssh 192.168.0.0 255.255.255.0 inside (192.168.0.0 is the remote VPN network)
management-access inside
username USER password PASSWORD privilege 15
Did we miss something?
Thank you
Best regards
Dennis
Hi Dennis,
The config looks very good.
Are you able to ping the inside interface through the tunnel?
If not, can you check the NAT for the traffic and add the route-lookup keyword?
If you are not using any certificates on the ASA, you can use the RSA key command on the ASA:
crypto key zeroize rsa, or try to be specific: crypto key zeroize rsa label <key>
Try to remove the SSH configuration and reapply it.
I would like to know if it works or not. If it doesn't, then take debug ssh 255 and share it.
Kind regards
Aditya
Please rate the useful posts.
-
Hi all
My apologies if this is a trivial question, but I spent considerable time trying to search and had no luck.
I encountered a problem trying to set up a temporary L2L VPN from a subscriber with a CISCO2911 sitting behind the ISP's router to an ASA. The ISP has informed me that I can't bypass their device and terminate the Internet circuit on the Cisco for some reason, so I'm stuck with it. The setup is:
company LAN 10.x.x.x - 10.x.x.2 ASA y.y.y.y - Internet - z.z.z.z ISP router 10.1.17.1 - 10.1.17.2 CISCO2911 10.1.15.1 - LAN
where 10.x.x.x is the corporate private LAN, y.y.y.y is the public IP address assigned to the external interface of the ASA and z.z.z.z is the public IP address of the ISP router.
I have forwarded ports 500, 4500 and ESP on the ISP router to 10.1.17.2. The 2911 config is attached below; what I can't understand is which peer IP address to configure on the ASA, because if I use z.z.z.z it will cause an identity mismatch, as the 2911 identifies itself as 10.1.17.2...
! ^^^ ISAKMP (Phase 1) ^^^ !
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key * address y.y.y.y no-xauth
! ^^^ IPSEC (Phase 2) ^^^ !
ip access-list extended crymap
 permit ip 10.1.15.0 0.0.0.255 10.0.0.0 0.255.255.255
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPN_TUNNEL 1 ipsec-isakmp
 set peer y.y.y.y
 set transform-set ESP-3DES-SHA
 match address crymap
interface Gi0/2
 crypto map VPN_TUNNEL
Hello
From the debug output, it seems it goes on to the IPSEC state at the end of the tunnel, QM_IDLE.
What I noticed in your ASA configuration is that you're using PFS, but not on the 2911 router.
So I suggest:
no crypto map OUTSIDE_map 4 set pfs <-- this will disable PFS on the ASA
Then try to initiate the tunnel.
Kind regards
Jan
-
I'm trying to set up a VPN for use with the Cisco VPN Client. I currently have a working VPN, but I cannot get access to several subnets connected to the ASA. My current VPN DHCP pool is 10.0.0.0/24. I want VPN users to talk to one of my other VLANs (172.16.20.0/24). That's what I can't understand: if I change my VPN DHCP pool to something like 172.16.20.100 - 110, I can talk to everything on that subnet fine. But as soon as I change the DHCP pool to the other subnet, I can't. Any suggestions?
Here is my config:
Nysyr-SBO-ASA(config)# sh run
: Saved
:
ASA Version 8.4(1)
!
names
!
interface Vlan1
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 description connection to the ISP (FiOS)
 nameif primaryisp
 security-level 0
 ip address
!
interface Vlan3
 description secondary ISP connection (Time Warner)
 nameif backupisp
 security-level 0
 ip address
!
interface Vlan5
 description Connection to the internal internet access subnet (192.168.5.0/24)
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan20
 description Connection to the internal management network (172.16.20.0/24)
 nameif insidemgmt
 security-level 100
 ip address 172.16.20.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 5
!
interface Ethernet0/3
 switchport access vlan 20
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network internal
 subnet 192.168.5.0 255.255.255.0
object network asp-wss-1-tw
 host 192.168.5.11
object network asp-wss-1-vz
 host 192.168.5.11
object network vpn-ip-pool
 subnet 10.0.0.0 255.255.255.0
access-list outside_access_in_1 remark access list to allow outside in traffic
access-list outside_access_in_1 extended permit tcp any object asp-wss-1-vz eq www
access-list outside_access_in_1 extended permit tcp any object asp-wss-1-vz eq https
access-list outside_access_in_1 extended permit tcp any object asp-wss-1-tw eq www
access-list outside_access_in_1 extended permit tcp any object asp-wss-1-tw eq https
access-list SBOnet_VPN_Tunnel_splitTunnelAcl standard permit 172.16.20.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu primaryisp 1500
mtu backupisp 1500
mtu inside 1500
mtu insidemgmt 1500
ip local pool vpn-ip-pool 10.0.0.10-10.0.0.250 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,primaryisp) source dynamic any interface
nat (inside,backupisp) source dynamic any interface
!
object network asp-wss-1-tw
 nat (inside,backupisp) static
object network asp-wss-1-vz
 nat (inside,primaryisp) static
access-group outside_access_in_1 in interface primaryisp
access-group outside_access_in_1 in interface backupisp
route primaryisp 0.0.0.0 0.0.0.0
route backupisp 0.0.0.0 0.0.0.0 1 track 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.5.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 primaryisp
http 0.0.0.0 0.0.0.0 backupisp
http 0.0.0.0 0.0.0.0 insidemgmt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sla monitor 123
 type echo protocol ipIcmpEcho 8.8.8.8 interface primaryisp
 threshold 3000
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto map primaryisp_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map primaryisp_map interface primaryisp
crypto map backupisp_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map backupisp_map interface backupisp
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 subject-name CN=
 crl configure
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable primaryisp
crypto ikev2 enable backupisp
crypto ikev1 enable primaryisp
crypto ikev1 enable backupisp
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 primaryisp
ssh 0.0.0.0 0.0.0.0 backupisp
ssh 0.0.0.0 0.0.0.0 insidemgmt
ssh timeout 20
console timeout 20
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy SBOnet_VPN_Tunnel internal
group-policy SBOnet_VPN_Tunnel attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelall
 split-tunnel-network-list value SBOnet_VPN_Tunnel_splitTunnelAcl
group-policy DfltGrpPolicy attributes
 split-tunnel-network-list value SBOnet_VPN_Tunnel_splitTunnelAcl
tunnel-group DefaultRAGroup general-attributes
 address-pool (primaryisp) vpn-ip-pool
 address-pool vpn-ip-pool
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *
tunnel-group SBOnet_VPN_Tunnel type remote-access
tunnel-group SBOnet_VPN_Tunnel general-attributes
 address-pool vpn-ip-pool
 default-group-policy SBOnet_VPN_Tunnel
tunnel-group SBOnet_VPN_Tunnel ipsec-attributes
 ikev1 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7a817a8679e586dc829c06582c60811d
: end
Keep those lines deleted; you don't need them for your remote access VPN.
Please tell me, what is the default gateway assigned to the hosts sitting on the mgmt network segment?
-
ASA with 2 L2L tunnels to the same site / same network
I have an ASA 5510 at Site A with an L2L tunnel to another site, subnet B. Each site has its own unique subnet. In a few weeks, we will add a second Internet connection to Site B, and then both connections will be active. But we want traffic to go through the new connection unless it goes down, and then use the other one. How do I configure this on the ASA so it doesn't get confused about which tunnel to take to reach the Site B subnet? Is this possible?
If the ASA at Site B will have two different interfaces terminating the VPN, at Site A you set two peers (one preferred).
i.e.
crypto map mymap 10 set peer 1.1.1.1 2.2.2.2
Assuming that 1.1.1.1 is the first public IP address of the Site B ASA and 2.2.2.2 is the second public IP address of the Site B ASA.
The ASA at Site A will attempt to establish the tunnel to 1.1.1.1 first, and if that fails, it will try 2.2.2.2.
At Site B, the ASA must have the crypto map on both interfaces.
You can set the Site B ASA to originate the tunnel and the ASA at Site A to answer it.
Federico.
-
Cisco ASA (Site A) with 2 L2L VPNs (call them Site B and Site C)
I need to "inbound NAT" the Site C network.
Let me explain better:
- Site B (10.14.63.0/24) accepts only traffic from the local network of Site A (10.1.6.0/24), and I can't change that VPN.
- Now I have connected Site C to Site A, and it must also communicate with Site B.
- So I thought I could NAT the Site C network (10.168.3.0/24) in order to present it with an IP of Site A.
Is this possible?
And how do I configure the ASA at Site A?
Thank you
Claudio
Hello
What is the software level on the Site A ASA?
-Jouni
-
SA520W site-to-site VPN with several VLANs
Hello
I have a customer here with several VLANs at their sites who wants to set up a site-to-site VPN between 2 SA520W devices. Unfortunately I cannot find a way to set it up. In the VPN policy, I can choose between everything (which is not what I want; I want only traffic between the subnets to be routed via the VPN), a single IP address, a range (within a subnet) and a subnet itself, but only one. I don't find a way to configure several subnets in the local and remote traffic selection. Adding another IKE policy between the 2 sites doesn't work either (which is normally fine).
Any ideas? Am I doing anything wrong?
Thank you for your help.
Best regards
Thomas
I know that if you have an ASA or a router, you can define as many VLANs as you want to pass through the tunnel.
I don't have access to an SA520W to test...
A recommendation might be to post the question in the SMB community, where they answer questions related to this product, just to check what other people did.
Federico.
-
Hello Experts from Cisco,
I have run into trouble with one of my L2L IPsec VPNs between a Cisco ASA 5510 and a 5520 running version 8.2.2.
Our existing L2L VPNs connect fine and work very well. Currently SITE A (10.10.0.0/16) connects to SITE B (10.20.0.0/16). SITE A connects to SITE C (10.100.8.0/21). These are OK.
What fails is when I try to connect SITE B to SITE C. The tunnel comes up and phase 1 and 2 complete successfully. However, when running 'packet-tracer input inside icmp 10.20.8.2 8 0 10.100.8.1 detailed' I get the following:
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
 id=0xad1c4500, priority=70, domain=encrypt, deny=false
 hits=609, user_data=0x0, cs_id=0xad1c2e10, reverse, flags=0x0, protocol=0
 src ip=10.20.0.0, mask=255.255.0.0, port=0
 dst ip=10.100.8.0, mask=255.255.248.0, port=0, dscp=0x0
I noticed that when the tunnel came up, the route to 10.100.8.0/21 was added to the routing table and the crypto ACL was not applied on the remote ASA. I added the route manually but cannot get the crypto ACL to apply.
Useful info:
SITE C
object-group network NoNatDMZ-objgrp
 network-object 10.10.0.0 255.255.0.0
 network-object 10.10.12.0 255.255.255.0
 network-object 10.20.0.0 255.255.0.0
access-list outside_30_cryptomap extended permit ip 10.100.8.0 255.255.248.0 10.20.0.0 255.255.0.0
access-list nonat extended permit ip 10.100.8.0 255.255.248.0 object-group nonat-objgrp
crypto map outside_map 30 match address outside_30_cryptomap
crypto map outside_map 30 set peer x.x.x.x
crypto map outside_map 30 set transform-set ESP-AES256-SHA
crypto map outside_map 30 set reverse-route
crypto map outside_map interface outside
SITE B
object-group network nonat-objgrp
 network-object 10.10.0.0 255.255.0.0
 network-object 10.21.0.0 255.255.0.0
 network-object 10.10.12.0 255.255.255.0
 network-object 10.100.8.0 255.255.248.0
access-list nonat extended permit ip 10.20.0.0 255.255.0.0 object-group nonat-objgrp
access-list outside_50_cryptomap extended permit ip 10.20.0.0 255.255.0.0 10.100.8.0 255.255.248.0
crypto map outside_map 50 match address outside_50_cryptomap
crypto map outside_map 50 set peer xx.xx.xx.xx
crypto map outside_map 50 set transform-set ESP-AES256-SHA
crypto map outside_map 50 set reverse-route
crypto map outside_map interface outside
I've been struggling with this for days. Any help is very much appreciated!
Thank you!!
Follow these steps:
no crypto map outside_map 10 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
clear crypto ipsec sa peer SITE_B_Public
Try again and attach the same outputs.
Let me know.
Thank you.
-
Hi all!
I have a question about L2L VPN and NAT.
Can I set up a VPN tunnel between two ASAs or routers using NAT translation from the inside private IP addresses to a single public IP address on the outside interface, and then define the crypto interesting traffic with the public IP address as the source and the remote private network on the other end (also an ASA) as the destination? For example, I want to translate a private network to a public IP address at one end and use the VPN tunnel with that public IP address as the source. Policy NAT is not an option, because we really do not want to provide any IP addresses to the remote end, and the IP addresses of the remote end can overlap with ours.
Thank you!
Hello
You can definitely set up an IPsec tunnel between two devices while translating your subnet to a single public IP address. You just create the translation and, as you mentioned, define the interesting traffic using the public IP address.
This is exactly what we call policy NAT; I don't understand why you say that policy NAT is not an option. Perhaps you misunderstood the policy NAT concept or I misunderstood your question.
For example, assuming that the private LAN at your side is 172.16.1.0/24, the remote subnet is 192.168.150.0/24, and the public IP address that you want to use is 200.200.200.200, your NAT config should look like this:
access-list 199 permit ip 172.16.1.0 255.255.252.0 192.168.150.0 255.255.255.0
global (outside) 6 200.200.200.200
nat (inside) 6 access-list 199
which would NAT the traffic to the public IP address only when the traffic matches the ACL.
Your crypto ACL should then be something like
access-list cryptomap permit ip host 200.200.200.200 192.168.150.0 255.255.255.0
That would hide your real addresses, and all they see is the public IP address you give them. Note that since the NAT takes place on your side, only your side will be able to bring up the tunnel.
I hope this helps.
Raga
-
Enabling NAC HA puts several hosts and the ASA at 100% CPU
I installed a NAC Manager and a NAC Server in OOB without any problems, but when I configured HA (high availability) with another server, my ASA and several hosts in my network started running at 100% CPU.
I tried configuring each NAC interface on a single DMZ and the problem stopped there.
- Has anyone had this problem (NAC version 4.7)?
TKX
Miguel Amaral
Hello Miguel.
When I set up a NAC in-band HA solution I had a similar problem, which I solved by configuring the HA heartbeat to use only ETH0 instead of both ETH0 and ETH1.
Best regards
Luciano Carvalho
-
ASA EzVPN with several remote subnets
Hello world
I have the challenge of an EasyVPN installation based on an ASA 5520 and an ASA 5505 (with the ASA 5505 as the VPN client) with several networks behind the ASA 5505.
Access from the network directly connected to the 5505 to the central site works very well.
But the second network segment (which is behind a router on the directly connected network) cannot connect to the central site.
I guess I need to specify some sort of ACL to be able to do that.
BTW, we do not use split tunneling, because all traffic goes through the tunnel (no local internet access).
The layout looks like this
(--LAN--)-5520---5505-(--LAN1--)-ROUTER-(--LAN2--)-(WAN)-
LAN1 and LAN connection works great through the EZVPN Tunnel.
LAN2 connection to the LAN does not work through the Tunnel of EZVPN.
Here is the configuration used so far (apart from the usual NONAT, object groups, ISAKMP and crypto stuff):
Client:
vpnclient server 10.x.x.x
vpnclient mode network-extension-mode
vpnclient vpngroup EzVPN password *
vpnclient username user1 password *
vpnclient enable
crypto ipsec df-bit clear-df outside
Server:
group-policy EzVPN internal
group-policy EzVPN attributes
 nem enable
 password-storage enable
tunnel-group EzVPN type ipsec-ra
tunnel-group EzVPN general-attributes
 default-group-policy EzVPN
tunnel-group EzVPN ipsec-attributes
 pre-shared-key *
username user1 password *
I hope you can help
Best regards
Jarle
Unfortunately, this is not supported on the ASA platform. With EasyVPN on the ASA, only the connected networks can be advertised. To accomplish what you want, you need to configure a static IPsec tunnel and advertise the local networks via the interesting-traffic ACL. You can also use an IOS device that does not have the "multiple subnet" capabilities with EasyVPN.
-
VPN IPSec ASA with two ISP active
Hi ALL!
I have a question.
I have an ASA with 9.2(1) software connected to two ISPs with active SLA tracking.
I need to configure a redundant IPsec VPN via ISP2, while all other traffic must go through isps1. If one of the ISPs goes down, all traffic, including the VPN traffic, must be routed via the ISP that is still alive.
I have configured the SLA and it works.
ciscoasa# show running-config route
route isps1 0.0.0.0 0.0.0.0 10.175.2.5 5 track 1
route isp2 0.0.0.0 0.0.0.0 10.175.3.5 10 track 2
route isp2 172.22.10.5 255.255.255.255 10.175.3.5 1 track 2
Here we can see that if isps1 and isp2 are both UP, all traffic passes through isps1, but traffic intended for the remote IPsec peer 172.22.10.5 passes via isp2.
This configuration works only when isps1 or isp2 is down, or if the static route for 172.22.10.5 is deleted. When both Internet service providers are up, the ASA does not send datagrams to the remote IPsec peer.
ciscoasa# show running-config nat
nat (inside,isp2) source static obj-INSIDE_LAN obj-INSIDE_LAN destination static obj-REMOTE_LAN obj-REMOTE_LAN no-proxy-arp route-lookup
nat (inside,isps1) source static obj-INSIDE_LAN obj-INSIDE_LAN destination static obj-REMOTE_LAN obj-REMOTE_LAN no-proxy-arp route-lookup
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map cm_vpnc 10 match address acl_vpn
crypto map cm_vpnc 10 set pfs
crypto map cm_vpnc 10 set peer 172.22.10.5
crypto map cm_vpnc 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map cm_vpnc 10 set security-association lifetime seconds 86400
crypto map cm_vpnc interface isps1
crypto map cm_vpnc interface isp2
crypto ca trustpool policy
crypto ikev1 enable isps1
crypto ikev1 enable isp2
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
ciscoasa# show ip
System IP Addresses:
Interface   Name     IP address     Subnet mask      Method
Vlan1       inside   192.168.2.1    255.255.255.0    CONFIG
Vlan2       isps1    10.175.2.10    255.255.255.0    CONFIG
Vlan3       isp2     10.175.3.10    255.255.255.0    CONFIG
The main question is: why?
Thank you in advance,
Anton
Hi Anton,
If you check the log messages on your ASA R301-EAST, it's trying to build the VPN tunnel with both IPs and it receives packets asymmetrically from your remote ciscoasa.
To avoid this asymmetric connection, point your peer IPs as primary & secondary on your R301-EAST:
set peer 10.175.3.10 10.175.2.10
Delete the track on your routing entry:
route isp2 172.22.10.5 255.255.255.255 10.175.3.5
This should work for you.
Similarly, if you bring down your ISP2, you should see the VPN tunnel come up via isps1.
HTH
Sandy
-
L2L VPN tunnel is reset during IPsec rekey
I have an L2L VPN tunnel that resets completely, starting again with Phase 1, when the IPsec Security Association timer expires. Although there are several SAs, it always resets the whole tunnel.
I see the following errors in the log when this happens:
03/06/2013 12:54:41 Local7.Notice ipRemoved June 3, 2013 12:54:41 LKM-NVP-L2L-01: %ASA-5-713050: Group = ipRemoved, IP = ipRemoved, Connection terminated for peer ipRemoved. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
03/06/2013 12:54:41 Local7.Notice ipRemoved June 3, 2013 12:54:41 LKM-NVP-L2L-01: %ASA-5-713259: Group = ipRemoved, IP = ipRemoved, Session is being torn down. Reason: User Requested
03/06/2013 12:54:41 Local7.Warning ipRemoved June 3, 2013 12:54:41 LKM-NVP-L2L-01: %ASA-4-113019: Group = ipRemoved, Username = ipRemoved, IP = ipRemoved, Session disconnected. Session Type: IKE, Duration: 4h:00m:06s, Bytes xmt: 260129, Bytes rcv: 223018, Reason: User Requested
03/06/2013 12:55:33 Local7.Notice ipRemoved June 3, 2013 12:55:33 LKM-NVP-L2L-01: %ASA-5-713041: IP = ipRemoved, IKE Initiator: New Phase 1, Intf inside, IKE Peer ipRemoved local Proxy Address 204.139.127.24, remote Proxy Address 156.30.21.200, Crypto map (L2LVPN)
03/06/2013 12:55:33 Local7.Notice ipRemoved June 3, 2013 12:55:33 LKM-NVP-L2L-01: %ASA-5-713119: Group = ipRemoved, IP = ipRemoved, PHASE 1 COMPLETED
03/06/2013 12:55:33 Local7.Notice ipRemoved June 3, 2013 12:55:33 LKM-NVP-L2L-01: %ASA-5-713049: Group = ipRemoved, IP = ipRemoved, Security negotiation complete for LAN-to-LAN Group (ipRemoved) Initiator, Inbound SPI = 0x9213bdc9, Outbound SPI = 0x1799a099
03/06/2013 12:55:33 Local7.Notice ipRemoved June 3, 2013 12:55:33 LKM-NVP-L2L-01: %ASA-5-713120: Group = ipRemoved, IP = ipRemoved, PHASE 2 COMPLETED (msgid=b8a47603)
03/06/2013 13:02:11 Local7.Notice ipRemoved June 3, 2013 13:02:11 LKM-NVP-L2L-01: %ASA-5-713041: Group = ipRemoved, IP = ipRemoved, IKE Initiator: New Phase 2, Intf inside, IKE Peer ipRemoved local Proxy Address 204.139.127.71, remote Proxy Address 156.30.21.200, Crypto map (L2LVPN)
03/06/2013 13:02:11 Local7.Notice ipRemoved June 3, 2013 13:02:11 LKM-NVP-L2L-01: %ASA-5-713049: Group = ipRemoved, IP = ipRemoved, Security negotiation complete for LAN-to-LAN Group (ipRemoved) Initiator, Inbound SPI = 0x93f9be6c, Outbound SPI = 0x1799a16d
03/06/2013 13:02:11 Local7.Notice ipRemoved June 3, 2013 13:02:11 LKM-NVP-L2L-01: %ASA-5-713120: Group = ipRemoved, IP = ipRemoved, PHASE 2 COMPLETED (msgid=1f6c9acd)
Any thoughts on why it would do that?
Thank you.
Jason
Hello
Both log messages seem to suggest that the remote end is closing/clearing the connection.
Is this a new connection that suffers from this problem, or has it started on an existing connection?
The Cisco documentation associated with these syslog messages doesn't really give any useful information about them.
I guess your problem is that TCP connections through the L2L VPN suffer from the complete renegotiations of the L2L VPN.
I wonder if the following configuration could help, even if this situation persists:
sysopt connection preserve-vpn-flows
Here is a link to the ASA command reference (8.4-8.6 software) with a better explanation of this configuration.
http://www.Cisco.com/en/us/docs/security/ASA/asa84/command/reference/S8.html#wp1538395
It is not enabled by default on the ASA.
Hope this helps
-Jouni
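As an added example (not from this thread, Cisco, or the ASA itself), here is a small Python checker that applies Jouni's reading of the log to a syslog feed: it pairs the teardown messages (%ASA-5-713050, %ASA-5-713259, %ASA-4-113019) with a following %ASA-5-713041 "New Phase 1" from the same peer, which separates a full tunnel reset from a normal Phase 2 rekey, and reports how long the tunnel was down and how long the session had lived. The sample lines are reconstructed from the post with the redacted peer replaced by the documentation address 203.0.113.10; the five-minute pairing window is an assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Field patterns for the syslog lines in the post (message IDs are real ASA IDs).
TS_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})")   # dd/mm/yyyy hh:mm:ss
MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")
PEER_RE = re.compile(r"\bIP = (?P<peer>[^,]+)")
DURATION_RE = re.compile(r"Duration: (\d+)h:(\d+)m:(\d+)s")

# 713050 / 713259 / 113019 report a torn-down session. 713041 "New Phase 1" means the
# IKE SA itself was rebuilt, whereas "New Phase 2" is the normal IPsec rekey.
TEARDOWN_IDS = {"713050", "713259", "113019"}
NEW_PHASE1_ID = "713041"


@dataclass
class Event:
    ts: datetime
    msg_id: str
    peer: str
    body: str


@dataclass
class Finding:
    peer: str
    teardown_at: datetime
    reasons: List[str]                    # "Reason:" text of each teardown message
    session_duration: Optional[timedelta] # from 113019, if present
    phase1_restart_at: datetime

    @property
    def outage(self) -> timedelta:
        return self.phase1_restart_at - self.teardown_at


def parse_line(line: str) -> Optional[Event]:
    """Turn one syslog line into an Event; return None for lines without an ASA message."""
    m_ts, m_msg = TS_RE.match(line), MSG_RE.search(line)
    if not (m_ts and m_msg):
        return None
    ts = datetime.strptime(m_ts.group(1), "%d/%m/%Y %H:%M:%S")
    body = m_msg.group("body")
    m_peer = PEER_RE.search(body)
    peer = m_peer.group("peer").strip() if m_peer else "?"
    return Event(ts, m_msg.group("id"), peer, body)


def find_full_resets(lines, window: timedelta = timedelta(minutes=5)) -> List[Finding]:
    """Report peers whose teardown is followed by a New Phase 1 within `window`
    (the window is an assumption). A lone New Phase 2 rekey is never reported."""
    pending: Dict[str, dict] = {}
    findings: List[Finding] = []
    for ev in filter(None, map(parse_line, lines)):
        if ev.msg_id in TEARDOWN_IDS:
            slot = pending.get(ev.peer)
            if slot is None or ev.ts - slot["ts"] > window:   # start a new teardown episode
                slot = pending[ev.peer] = {"ts": ev.ts, "reasons": [], "duration": None}
            if "Reason:" in ev.body:
                slot["reasons"].append(ev.body.split("Reason:", 1)[1].strip())
            m = DURATION_RE.search(ev.body)
            if m:
                h, mi, s = map(int, m.groups())
                slot["duration"] = timedelta(hours=h, minutes=mi, seconds=s)
        elif ev.msg_id == NEW_PHASE1_ID and "New Phase 1" in ev.body:
            slot = pending.pop(ev.peer, None)
            if slot and ev.ts - slot["ts"] <= window:
                findings.append(Finding(ev.peer, slot["ts"], slot["reasons"],
                                        slot["duration"], ev.ts))
    return findings


# Constructed sample, reconstructed from the post; peer redacted as 203.0.113.10.
SAMPLE_LOG = """\
03/06/2013 12:54:41 Local7.Notice 203.0.113.1 LKM-NVP-L2L-01: %ASA-5-713050: Group = 203.0.113.10, IP = 203.0.113.10, Connection terminated for peer 203.0.113.10. Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
03/06/2013 12:54:41 Local7.Notice 203.0.113.1 LKM-NVP-L2L-01: %ASA-5-713259: Group = 203.0.113.10, IP = 203.0.113.10, Session is being torn down. Reason: User Requested
03/06/2013 12:54:41 Local7.Warning 203.0.113.1 LKM-NVP-L2L-01: %ASA-4-113019: Group = 203.0.113.10, Username = 203.0.113.10, IP = 203.0.113.10, Session disconnected. Session Type: IKE, Duration: 4h:00m:06s, Bytes xmt: 260129, Bytes rcv: 223018, Reason: User Requested
03/06/2013 12:55:33 Local7.Notice 203.0.113.1 LKM-NVP-L2L-01: %ASA-5-713041: IP = 203.0.113.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.10 local Proxy Address 204.139.127.24, remote Proxy Address 156.30.21.200, Crypto map (L2LVPN)
03/06/2013 12:55:33 Local7.Notice 203.0.113.1 LKM-NVP-L2L-01: %ASA-5-713119: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED
03/06/2013 13:02:11 Local7.Notice 203.0.113.1 LKM-NVP-L2L-01: %ASA-5-713041: Group = 203.0.113.10, IP = 203.0.113.10, IKE Initiator: New Phase 2, Intf inside, IKE Peer 203.0.113.10 local Proxy Address 204.139.127.71, remote Proxy Address 156.30.21.200, Crypto map (L2LVPN)
03/06/2013 13:02:11 Local7.Notice 203.0.113.1 LKM-NVP-L2L-01: %ASA-5-713120: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 2 COMPLETED (msgid=1f6c9acd)
"""

if __name__ == "__main__":
    for f in find_full_resets(SAMPLE_LOG.splitlines()):
        print(f"{f.peer}: full IKE reset at {f.teardown_at}, tunnel down {f.outage}, "
              f"session had lived {f.session_duration}, reasons={f.reasons}")
```

On the sample this reports one full reset for the peer with a 52-second outage after a session of 4h:00m:06s; the 13:02 New Phase 2 is correctly treated as an ordinary rekey.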
-
Press L2L VPN, IPSEC, and L2TP PIX connections
Hi all
I'm trying to implement a solution on my FW PIX (pix804 - 24.bin) to be able to support a VPN L2L session with VPN dynamic user sessions where clients will use a mix of IPSEC(Nat detection) and L2TP. We have always supported things IPSEC and that worked great for many years. I'm now trying to Add L2TP support, so that I can support Android phones/ipads, etc. as well as Windows with built in VPN l2tp clients clients. Everything works well except for the new features of L2TP. Allows you to complete one phase but then tries to use the card encryption that is used for the VPN L2L. It seems to fail because IP addresses are not in the configured ACL to the crypto-map L2L. Does anyone know if there are any questions all these configurations support both. And if not can you see what I have wrong here, which would make it not work. Here are the relevant training:
C515-A# sh run crypto
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set company-ras esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set company-l2tp esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map company-ras 1 match address company-dynamic
crypto dynamic-map company-ras 1 set pfs
crypto dynamic-map company-ras 1 set transform-set ESP-3DES-SHA ESP-3DES-MD5 company-ras
crypto dynamic-map company-ras 1 set security-association lifetime seconds 28800
crypto dynamic-map company-ras 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map company-ras 2 match address company-dynamic
crypto dynamic-map company-ras 2 set transform-set company-l2tp
crypto dynamic-map company-ras 2 set security-association lifetime seconds 28800
crypto dynamic-map company-ras 2 set security-association lifetime kilobytes 4608000
crypto map company-map 1 match address company-colo
crypto map company-map 1 set pfs
crypto map company-map 1 set peer colo-pix-ext
crypto map company-map 1 set transform-set ESP-3DES-MD5 ESP-3DES-SHA
crypto map company-map 1 set security-association lifetime seconds 28800
crypto map company-map 1 set security-association lifetime kilobytes 4608000
crypto map company-map 1 set nat-t-disable
crypto map company-map 2 ipsec-isakmp dynamic company-ras
crypto map company-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp nat-traversal 3600
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
C515-A# sh run tunnel-group
tunnel-group DefaultRAGroup general-attributes
 address-pool company-ras
 authentication-server-group radius LOCAL
 default-group-policy l2tp
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 authentication ms-chap-v2
 authentication eap-proxy
tunnel-group company-ras type remote-access
tunnel-group company-ras general-attributes
 address-pool company-ras
 authentication-server-group radius LOCAL
tunnel-group company-ras ipsec-attributes
 pre-shared-key *
tunnel-group company-admin type remote-access
tunnel-group company-admin general-attributes
 address-pool company-admin
 authentication-server-group radius LOCAL
 default-group-policy company-admin
tunnel-group company-admin ipsec-attributes
 pre-shared-key *
tunnel-group company-admin ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 15 retry 10
C515-A# sh run group-policy
group-policy DfltGrpPolicy attributes
 dns-server value 10.10.10.20 10.10.10.21
 vpn-tunnel-protocol IPSec
 pfs enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value company-SPLIT-TUNNEL-ACL
 default-domain value company.int
 nac-settings value DfltGrpPolicy-nac-framework-create
group-policy company-admin internal
group-policy company-admin attributes
 wins-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 20
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs enable
 split-tunnel-network-list value company-ADMIN-SPLIT-TUNNEL-ACL
group-policy l2tp internal
group-policy l2tp attributes
 dns-server value 10.10.10.20 10.10.10.21
 vpn-tunnel-protocol l2tp-ipsec
 pfs disable
 split-tunnel-policy tunnelall
 default-domain value company.int
 nac-settings value DfltGrpPolicy-nac-framework-create
Relevant debug output:
C515-A# Sep 03 02:09:33 [IKEv1 DEBUG]: IP = 66.25.14.195, Oakley proposal is acceptable
Sep 03 02:09:33 [IKEv1 DEBUG]: IP = 66.25.14.195, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Sep 03 02:09:33 [IKEv1 DEBUG]: IP = 66.25.14.195, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 3
Sep 03 02:09:33 [IKEv1]: IP = 66.25.14.195, Connection landed on tunnel_group DefaultRAGroup
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Sep 03 02:09:33 [IKEv1]: IP = 66.25.14.195, Connection landed on tunnel_group DefaultRAGroup
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Freeing previously allocated memory for authorization-dn-attributes
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, PHASE 1 COMPLETED
Sep 03 02:09:33 [IKEv1]: IP = 66.25.14.195, Keep-alive type for this connection: None
Sep 03 02:09:33 [IKEv1]: IP = 66.25.14.195, Keep-alives configured on but peer does not support keep-alives (type = None)
Sep 03 02:09:33 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 66.25.14.195, Starting P1 rekey timer: 21600 seconds.
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Received remote Proxy Host data in ID Payload: Address 172.16.0.104, Protocol 17, Port 0
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Received local Proxy Host data in ID Payload: Address x.x.x.x, Protocol 17, Port 1701
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, L2TP/IPSec session detected.
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, QM IsRekeyed old sa not found by addr
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Static Crypto Map check, checking map = company-map, seq = 1...
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Static Crypto Map check, map = company-map, seq = 1, ACL does not match proxy IDs src:66.25.14.195 dst:x.x.x.x
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 66.25.14.195/255.255.255.255/17/0 local proxy x.x.x.x/255.255.255.255/17/1701 on interface outside
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, QM FSM error (P2 struct &0x501c1f0, mess id 0xa181b866)!
Sep 03 02:09:33 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 66.25.14.195, IKE Responder QM FSM error history (struct &0x501c1f0) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Sep 03 02:09:33 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Removing peer from correlator table failed, no match!
Sep 03 02:09:33 [IKEv1]: Ignoring msg to mark SA with dsID 204910592 dead because SA deleted
Sep 03 02:10:05 [IKEv1 DEBUG]: IP = 66.25.14.195, Oakley proposal is acceptable
Sep 03 02:10:05 [IKEv1 DEBUG]: IP = 66.25.14.195, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Sep 03 02:10:05 [IKEv1 DEBUG]: IP = 66.25.14.195, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 3
Sep 03 02:10:05 [IKEv1]: IP = 66.25.14.195, Connection landed on tunnel_group DefaultRAGroup
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Sep 03 02:10:05 [IKEv1]: IP = 66.25.14.195, Connection landed on tunnel_group DefaultRAGroup
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Freeing previously allocated memory for authorization-dn-attributes
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, PHASE 1 COMPLETED
Sep 03 02:10:05 [IKEv1]: IP = 66.25.14.195, Keep-alive type for this connection: None
Sep 03 02:10:05 [IKEv1]: IP = 66.25.14.195, Keep-alives configured on but peer does not support keep-alives (type = None)
Sep 03 02:10:05 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 66.25.14.195, Starting P1 rekey timer: 21600 seconds.
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Received remote Proxy Host data in ID Payload: Address 172.16.0.104, Protocol 17, Port 0
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Received local Proxy Host data in ID Payload: Address x.x.x.x, Protocol 17, Port 1701
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, L2TP/IPSec session detected.
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, QM IsRekeyed old sa not found by addr
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Static Crypto Map check, checking map = company-map, seq = 1...
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Static Crypto Map check, map = company-map, seq = 1, ACL does not match proxy IDs src:66.25.14.195 dst:x.x.x.x
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 66.25.14.195/255.255.255.255/17/0 local proxy x.x.x.x/255.255.255.255/17/1701 on interface outside
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, QM FSM error (P2 struct &0x501c1f0, mess id 0xa5db9562)!
Sep 03 02:10:05 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 66.25.14.195, IKE Responder QM FSM error history (struct &0x501c1f0) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Removing peer from correlator table failed, no match!
Sep 03 02:10:05 [IKEv1]: Ignoring msg to mark SA with dsID 204914688 dead because SA deleted
The two debug outputs that worry me are the following:
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Received remote Proxy Host data in ID Payload: Address 172.16.0.104, Protocol 17, Port 0
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Received local Proxy Host data in ID Payload: Address x.x.x.x, Protocol 17, Port 1701
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Static Crypto Map check, checking map = company-map, seq = 1...
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Static Crypto Map check, map = company-map, seq = 1, ACL does not match proxy IDs src:66.25.14.195 dst:x.x.x.x
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 66.25.14.195/255.255.255.255/17/0 local proxy x.x.x.x/255.255.255.255/17/1701 on interface outside
Sep 03 02:10:05 [IKEv1]: Group = DefaultRAGroup, IP = 66.25.14.195, QM FSM error (P2 struct &0x501c1f0, mess id 0xa5db9562)!
This seems to indicate that it detects the NAT but then does not assign the crypto map entry, because the networks being encrypted are not in the configured ACL, which is true. It needs to use the dynamic entry and it doesn't seem to be.
Do I need to create another dynamic map entry to make it work, instead of adding lines to the same dynamic map entry with a lower (higher) priority?
Thanks in advance for any help here.
Hello
That won't do the trick; L2TP clients are kinda picky, so you know, if they do not hit the correct policy first they just stop trying. Follow these steps:
crypto dynamic-map company-ras 1 match address company-dynamic
no crypto dynamic-map company-ras 1 set pfs
no crypto dynamic-map company-ras 1 set transform-set ESP-3DES-SHA ESP-3DES-MD5 company-ras
crypto dynamic-map company-ras 1 set transform-set company-l2tp ESP-3DES-SHA ESP-3DES-MD5 company-ras
The foregoing will not affect existing IPsec clients at all: these clients will not use the pfs statement and will connect even if the match address is not configured (it is optional). Besides, Cisco IPsec clients will hit the transport-mode policy first and fail, but they will continue to try and hit another PH2 policy.
Regarding your last question, I was referring specifically to L2TP support for Android, and yes, you will need to run one of these versions.
http://www.Cisco.com/en/us/docs/security/ASA/asa82/release/notes/asarn82.html#wp431562
Tavo-
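The selection logic behind the "Static Crypto Map check ... ACL does not match proxy IDs" and "Rejecting IPSec tunnel: no matching crypto map entry" lines above, as an added Python model (this is not Cisco code and not from the thread): static crypto map entries are tried in sequence order against their match-address ACL, then dynamic entries, and a dynamic entry without a match address accepts any proxy identities. The map and ACL names (company-map, company-ras, company-colo, company-dynamic) and the L2TP proxy identities come from the post; the ACL contents, the outside address 203.0.113.1 standing in for x.x.x.x, and the 10.x.x.x networks are constructed assumptions. It also assumes that the answer's intent for dynamic entry 1 is to drop the match address (the answer calls it optional) and to list company-l2tp first in its transform sets.

```python
"""Simplified model of crypto map entry selection for a Phase 2 (Quick Mode)
proposal on a Cisco PIX/ASA. Added illustration, not Cisco code. Values marked
'constructed' are assumptions, not taken from the thread."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class ProxyId:
    """One side of a Phase 2 proxy identity: address, mask, protocol, port."""
    addr: str
    mask: str
    proto: int
    port: int

    def network(self):
        return ip_network(f"{self.addr}/{self.mask}", strict=False)

    def __str__(self):
        return f"{self.addr}/{self.mask}/{self.proto}/{self.port}"


@dataclass(frozen=True)
class Ace:
    """One 'permit ip <local> <remote>' line of a crypto ACL."""
    local: str
    remote: str


@dataclass(frozen=True)
class MapEntry:
    map_name: str
    seq: int
    dynamic: bool
    acl: Optional[Tuple[Ace, ...]]      # None = no 'match address' configured
    transform_sets: Tuple[str, ...]


def acl_matches(acl, local: ProxyId, remote: ProxyId) -> bool:
    """The 'match address' test: some ACE must cover both proxy networks."""
    ln, rn = local.network(), remote.network()
    return any(ln.subnet_of(ip_network(a.local)) and rn.subnet_of(ip_network(a.remote))
               for a in acl)


def negotiate(entries, local, remote, proposed_ts, log=None):
    """Pick the first entry whose ACL (if any) matches the proxy IDs, then check
    that the peer's proposed transform set is allowed on that entry.
    Returns {"entry": "map:seq" or None, "transform_ok": bool}; 'log' collects
    lines shaped like the ASA debug output."""
    log = log if log is not None else []
    ordered = sorted(entries, key=lambda e: (e.dynamic, e.seq))   # static entries first
    for e in ordered:
        kind = "Dynamic" if e.dynamic else "Static"
        log.append(f"{kind} Crypto Map check, checking map = {e.map_name}, seq = {e.seq}...")
        if e.acl is None or acl_matches(e.acl, local, remote):
            ok = proposed_ts in e.transform_sets
            log.append(f"map = {e.map_name}, seq = {e.seq} selected; transform-set "
                       f"{proposed_ts} {'acceptable' if ok else 'not in entry'}")
            return {"entry": f"{e.map_name}:{e.seq}", "transform_ok": ok}
        log.append(f"{kind} Crypto Map check, map = {e.map_name}, seq = {e.seq}, "
                   f"ACL does not match proxy IDs src:{remote.addr} dst:{local.addr}")
    log.append(f"Rejecting IPSec tunnel: no matching crypto map entry for "
               f"remote proxy {remote} local proxy {local}")
    return {"entry": None, "transform_ok": False}


OUTSIDE = "203.0.113.1"                                  # constructed stand-in for x.x.x.x
COMPANY_COLO = (Ace("10.10.0.0/16", "10.20.0.0/16"),)    # constructed L2L networks
COMPANY_DYNAMIC = (Ace("10.10.0.0/16", "0.0.0.0/0"),)    # constructed: inside net to any client

# Proxy IDs from the debug output: L2TP/IPsec runs in transport mode, so both
# proxies are hosts, UDP (17) to port 1701 on the firewall's outside address.
L2TP_LOCAL = ProxyId(OUTSIDE, "255.255.255.255", 17, 1701)
L2TP_REMOTE = ProxyId("66.25.14.195", "255.255.255.255", 17, 0)
# A classic IPsec client in tunnel mode (constructed pool address).
RA_LOCAL = ProxyId("10.10.0.0", "255.255.0.0", 0, 0)
RA_REMOTE = ProxyId("10.30.0.5", "255.255.255.255", 0, 0)


def config_as_posted():
    return [
        MapEntry("company-map", 1, False, COMPANY_COLO, ("ESP-3DES-MD5", "ESP-3DES-SHA")),
        MapEntry("company-ras", 1, True, COMPANY_DYNAMIC, ("ESP-3DES-SHA", "ESP-3DES-MD5", "company-ras")),
        MapEntry("company-ras", 2, True, COMPANY_DYNAMIC, ("company-l2tp",)),
    ]


def config_after_answer():
    # Dynamic entry 1 without match address or pfs, company-l2tp listed first (assumed intent).
    return [
        MapEntry("company-map", 1, False, COMPANY_COLO, ("ESP-3DES-MD5", "ESP-3DES-SHA")),
        MapEntry("company-ras", 1, True, None, ("company-l2tp", "ESP-3DES-SHA", "ESP-3DES-MD5", "company-ras")),
        MapEntry("company-ras", 2, True, COMPANY_DYNAMIC, ("company-l2tp",)),
    ]


if __name__ == "__main__":
    for label, cfg in (("as posted", config_as_posted()), ("after answer", config_after_answer())):
        log = []
        result = negotiate(cfg, L2TP_LOCAL, L2TP_REMOTE, "company-l2tp", log)
        print(f"== L2TP client, config {label}: {result}")
        print("\n".join(log))
```

With the configuration as posted, the transport-mode host proxies of the L2TP client fall outside every ACL (static and dynamic), so the model rejects the tunnel just as the debug does; once dynamic entry 1 carries no match address and includes company-l2tp, the L2TP client lands on it, while the tunnel-mode IPsec client and the L2L peer still select the same entries as before.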