Problem to build an IPSEC Tunnel

Unanswered Question
Feb 15th, 2007

Hi,

We bought many ASA 5520 and 5510 to replace Nortel Contivitys. Yesterday and today I wanted to build an IPSEC "l2l" tunnel between one ASA 5520 and a 5510, without success. Any idea why I can't establish the tunnel with the ASAs, while I have no problem with the Nortel?

Note: OSPF is also not working; I can see the neighbour. ASA version 7.2.2.

Here are my configs:

ASA5510
=======
ASA Version 7.2(2)
hostname holland
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.18.20.13 255.255.255.252
ospf network point-to-point non-broadcast
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 14.x.87.1 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
same-security-traffic permit intra-interface
access-list outside_20_cryptomap extended permit ip 14.x.87.0 255.255.255.0 14.x.158.0 255.255.255.0
access-list outside_20_cryptomap extended permit ospf host 172.18.20.13 host 172.18.20.1
access-list inside_nat0_outbound extended permit ip 14.x.87.0 255.255.255.0 14.x.158.0 255.255.255.0
!
nat (inside) 0 access-list inside_nat0_outbound
!
!IP ADDRESS 172.18.20.14 is the IP address of the TLS cloud
!
route outside 0.0.0.0 0.0.0.x.x.20.14 1
!
router ospf 1
network 14.x.85.0 255.255.255.0 area 0
network 172.x.20.0 255.255.255.0 area 0
log-adj-changes
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 172.18.20.1
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 20 set nat-t-disable
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
tunnel-group 172.18.20.1 type ipsec-l2l
tunnel-group 172.18.20.1 ipsec-attributes
pre-shared-key *

ASA5520
=======
!
hostname France
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 172.18.20.1 255.255.255.252
ospf network point-to-point non-broadcast
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 14.20.158.5 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
same-security-traffic permit intra-interface
access-list outside_20_cryptomap extended permit ip 14.20.158.0 255.255.255.0 14.20.87.0 255.255.255.0
access-list outside_20_cryptomap extended permit ospf host 172.18.20.1 host 172.18.20.13
access-list inside_nat0_outbound extended permit ip 14.20.158.0 255.255.255.0 14.20.87.0 255.255.255.0
!
nat (inside) 0 access-list inside_nat0_outbound
!
!IP address 172.18.20.2 is the IP address of TLS Cloud
!
route outside 0.0.0.0 0.0.0.0 172.18.20.2 1
!
router ospf 1
network 14.20.158.0 255.255.255.0 area 0
network 172.18.20.0 255.255.255.0 area 0
log-adj-changes
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer 172.18.20.13
crypto map outside_map 20 set transform-set ESP-AES-256-SHA
crypto map outside_map 20 set nat-t-disable
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
tunnel-group 172.18.20.13 type ipsec-l2l
tunnel-group 172.18.20.13 ipsec-attributes
pre-shared-key *

Thanks
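A consistency check over a pair of L2L configs like the two above, as an added example that is not part of the thread: it parses the settings both ends must agree on (outside/peer addresses, the crypto ACL referenced by the crypto map, the transform-set, the ISAKMP policy) and reports every mismatch. The sample configs are constructed from one template using the addresses in the post, and parse_asa / check_l2l are hypothetical helper names.

```python
from collections import defaultdict
# Constructed sample (addresses from the post): the lines an L2L pair must agree on, from one template.
TEMPLATE = """\
nameif outside
ip address {me} 255.255.255.252
access-list outside_20_cryptomap extended permit ip {local} 255.255.255.0 {remote} 255.255.255.0
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer {peer}
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
"""
HOLLAND = TEMPLATE.format(me="172.18.20.13", peer="172.18.20.1", local="14.20.87.0", remote="14.20.158.0")
FRANCE = TEMPLATE.format(me="172.18.20.1", peer="172.18.20.13", local="14.20.158.0", remote="14.20.87.0")

def parse_asa(cfg):
    """Pull out the settings that must agree across the two ends of an L2L tunnel."""
    d, acls, in_outside = {"isakmp": {}}, defaultdict(set), False
    for w in (line.split() for line in cfg.splitlines()):
        if w[:2] == ["nameif", "outside"]:
            in_outside = True
        elif w[:2] == ["ip", "address"] and in_outside:
            d["outside"], in_outside = w[2], False
        elif w[:1] == ["access-list"] and w[3:5] == ["permit", "ip"]:
            acls[w[1]].add(tuple(w[5:9]))      # (src, mask, dst, mask)
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            d["transform"] = frozenset(w[4:])  # algorithm order does not matter
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["match", "address"]:
            d["acl"] = acls[w[6]]              # only the ACL the crypto map references
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "peer"]:
            d["peer"] = w[6]
        elif w[:1] and w[0] in ("authentication", "encryption", "hash", "group"):
            d["isakmp"][w[0]] = w[1]
    return d

def check_l2l(a, b):  # mismatches between the two parsed ends; an empty list means consistent
    problems = []
    if a.get("peer") != b.get("outside") or b.get("peer") != a.get("outside"):
        problems.append("set peer does not match the far end's outside address")
    mirror = {(dst, dm, src, sm) for src, sm, dst, dm in b.get("acl", set())}
    if a.get("acl", set()) != mirror:
        problems.append("crypto ACLs are not mirror images of each other")
    if a.get("transform") != b.get("transform"):
        problems.append("transform-sets differ")
    problems += [f"isakmp policy '{k}' differs" for k in sorted(a["isakmp"].keys() | b["isakmp"].keys())
                 if a["isakmp"].get(k) != b["isakmp"].get(k)]
    return problems
```

Run it against the real `show running-config` output of both boxes; a non-empty list points at the phase 1 or phase 2 parameter to fix before reaching for the debugs.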

mrinmoy.m Sun, 02/18/2007 - 19:44

Hi

You said that OSPF is not running. How is the remote-end ASA IP reachable?

The ACL outside_20_cryptomap is permitting the OSPF traffic through the tunnel. I don't find any problem with the crypto configuration.

You can do one thing: issue these commands on both the ASAs:

"route outside 0.0.0.0 0.0.0.0 172.18.20.14 tunnelled"

"Sysopt connection permit-ipsec"

Why are you using this command? I guess the NAT traffic is having some problem.

Remove the command:

"same-security-traffic permit intra-interface"

Kamal Malhotra Sun, 02/18/2007 - 22:48

Hi,

If it does not work, then I would suggest obtaining the 'debug cry isak' and 'debug cry ipsec' outputs.

Regards,

Kamal
