Only 1 way traffic on a 2 way VPN

Unanswered Question
Jun 7th, 2007

Hello, I am having trouble getting a Lan 2 Lan vpn to allow 2 way traffic. I am able to bring up the VPN and send/recieve from my end, the remote end can sometimes bring up the vpn, but can't seem to reach my inside network no matter what.

Any ideas where I may have misconfigured this?

I am using ASA5510

Remote site = sidewinder

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
acomiskey Thu, 06/07/2007 - 10:13

Check ASA config for

version 7.0,7.1

isakmp nat-traversal

version 7.2

crypto isakmp nat-traversal

rschling22 Thu, 06/07/2007 - 10:34

I am running version 7.2 here is the output of the sh crypto command, the line you asked about is there.

ciscoasa# sh run crypto isakmp

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp nat-traversal 20

Anything else? how do I tell if the problem is my end or thiers?

acomiskey Thu, 06/07/2007 - 10:41

Oh, lan 2 lan tunnel, sorry.

Can you post the ASA config minus passwords etc. Also is the topology just like this, no other firewalls etc.?

your inside -- ASA -- Internet -- Sidewinder -- their inside

rschling22 Thu, 06/07/2007 - 11:09

Yes, that is the basic topology

My Inside--ASA--Internet--Sidewinder--Thier Inside

Here is a slimmed down output of my sh run. I tried to delete IP's and most of the stuff that doesn't pertain to this, if I removed too much please let me know, and I'll try to get it right.

Thanks

Rob

vpn-tunnel-protocol l2tp-ipsec

group-policy DefaultRAGroup_1 internal

group-policy DefaultRAGroup_1 attributes

dns-server value A.A.A.199

vpn-tunnel-protocol l2tp-ipsec

!

Deleted

!

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 140 set transform-set TRANS_ESP_3DES_SHA

crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA

crypto map outside_map 1 match address outside_cryptomap_8

crypto map outside_map 1 set peer REMOTE VPN PROBLEM IP C.C.C.193

crypto map outside_map 1 set transform-set ESP-3DES-MD5

crypto map outside_map 1 set phase1-mode aggressive

!

Deleted

!

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

!

Deleted

!

isakmp keepalive disable

tunnel-group REMOTE VPN PROBLEM IP C.C.C.193 type ipsec-l2l

tunnel-group REMOTE VPN PROBLEM IP C.C.C.193 ipsec-attributes

pre-shared-key *

isakmp keepalive disable

!

Deleted

!

acomiskey Thu, 06/07/2007 - 11:29

Can you log on the ASA as they try to bring up the tunnel?

debug crypto isakmp

debug crypto ipsec

rschling22 Thu, 06/07/2007 - 11:41

Hey, good idea, why do I always forget that command.

Ok, tried it, shows nothing, had it tear down and reset the tunnel twice. no debug entries.

Bummer.

rschling22 Thu, 06/07/2007 - 11:24

Heres another tidbit. I have been getting this error message whenever the remote side tries to set a connection

3 Jun 07 2007 13:21:39 713042 IKE Initiator unable to find policy: Intf outside, Src: MY-INSIDE-IP, Dst:THIER-INSIDE-IP

Hope this helps someone

rschling22 Thu, 06/07/2007 - 12:23

Arg, er.. good news!

the remote site finally got it fixed. seems it WAS on thier end.

thanks for all your help

Rob

Actions

This Discussion