ASA 5510 Site to Site

Unanswered Question
Aug 18th, 2007

Original plan is one end uses a dynamic IP and the other uses static, but since the dynamic is not working I tried to configure static on both ends but it still will not come up.

Stuck on Phase 1 - I have used PIX and set them up without any problem.

Here are the configs

#########
REMOTE A
#########

isakmp enable outside
isakmp identity auto
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 172.16.0.0 255.255.240.0

crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
crypto map StaticMap 20 match address outside_cryptomap_20
crypto map StaticMap 20 set peer REMOTEIP
crypto map StaticMap 20 set transform-set Site2Site
crypto map StaticMap 20 set pfs group2 [Tried with and without]

tunnel-group REMOTEIP type ipsec-l2l
tunnel-group REMOTEIP ipsec-attributes
 pre-shared-key PRESHARE

crypto map StaticMap interface outside

access-list nonat extended permit ip 192.168.12.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.12.0 255.255.255.0 172.16.0.0 255.255.240.0
nat (inside) 0 access-list nonat

#########
REMOTE B
#########

isakmp enable outside
isakmp identity auto
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

access-list outside_cryptomap_20 permit ip 10.0.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.16.0.0 255.255.240.0 192.168.12.0 255.255.255.0

crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
crypto map StaticMap 20 match address outside_cryptomap_20
crypto map StaticMap 20 set peer REMOTEIP
crypto map StaticMap 20 set transform-set Site2Site
crypto map StaticMap 20 set pfs group2 [Tried with and without]

tunnel-group REMOTEIP type ipsec-l2l
tunnel-group 99.REMOTEIP ipsec-attributes
 pre-shared-key PRESHARE

crypto map StaticMap interface outside

access-list nonat extended permit ip 10.0.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.240.0 192.168.12.0 255.255.255.0
nat (inside) 0 access-list nonat

Double check the config, a second pair of eyes is always helpful?

jason.maynard Sat, 08/18/2007 - 08:17

#####################################
Here is a part of the debug: REMOTE B
#####################################

Aug 18 07:18:25 [IKEv1 DEBUG]: IP = REMOTEIP, IKE MM Responder FSM error history (struct &0x351ecd8) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
Aug 18 07:18:25 [IKEv1 DEBUG]: IP = REMOTEIP, IKE SA MM:1383969c terminating: flags 0x01000002, refcnt 0, tuncnt 0
Aug 18 07:18:25 [IKEv1 DEBUG]: IP = REMOTEIP, sending delete/delete with reason message
Aug 18 07:18:25 [IKEv1]: IP = REMOTEIP, Removing peer from peer table failed, no match!
Aug 18 07:18:25 [IKEv1]: IP = REMOTEIP, Error: Unable to remove PeerTblEntry
Aug 18 07:18:26 [IKEv1 DEBUG]: IP = REMOTEIP, IKE MM Responder FSM error history (struct &0x351f478) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent
Aug 18 07:18:26 [IKEv1 DEBUG]: IP = REMOTEIP, IKE SA MM:c8b7e093 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Aug 18 07:18:26 [IKEv1 DEBUG]: IP = REMOTEIP, sending delete/delete with reason message
Aug 18 07:18:26 [IKEv1]: IP = REMOTEIP, Removing peer from peer table failed, no match!
Aug 18 07:18:26 [IKEv1]: IP = REMOTEIP, Error: Unable to remove PeerTblEntry

I am starting to think it has to do with trying XAUTH, but ASA does not use isa key .......... noxauth

Tshi M Thu, 09/13/2007 - 04:38

The problem could be with the encryption you use on the ISAKMP part. You specified 3DES on your transform-set but you are using AES on the ISAKMP.

You should have:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

jason.maynard Fri, 09/14/2007 - 13:58

Actually that is not the issue. The issue was a limitation which only allows 10 inside hosts to connect. The way around this was to ACL the inside interface to permit only essential traffic from specific clients/servers.

Tshi M Fri, 09/14/2007 - 14:02

Interesting... I would think that your encryption would have to match. Well, I learned something new today. Thanks indeed.

jason.maynard Fri, 09/14/2007 - 15:07

There are two phases. Phase 1 was using AES and Phase 2 is using 3DES. As long as both sides of the tunnel match on Phase 1 (in this case AES) and on Phase 2 (3DES), the tunnel will come up.
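A consistency check for the two ends posted in this thread, written as an added example (not the poster's or Cisco's code): it parses the ASA lines shown above, compares Phase 1 and Phase 2 parameters separately as the last reply explains, checks that the crypto ACLs mirror each other, and flags a tunnel-group name that matches no crypto map peer. The sample configs are constructed from the thread; REMOTE B's `99.REMOTEIP` ipsec-attributes line is kept as posted.

```python
import re

# Constructed samples trimmed from the configs posted above; REMOTE B keeps its "99.REMOTEIP" line as posted.
REMOTE_A = """isakmp policy 10 encryption aes
access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 172.16.0.0 255.255.240.0
crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
crypto map StaticMap 20 match address outside_cryptomap_20
crypto map StaticMap 20 set peer REMOTEIP
tunnel-group REMOTEIP ipsec-attributes"""
REMOTE_B = """isakmp policy 10 encryption aes
access-list outside_cryptomap_20 permit ip 10.0.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.16.0.0 255.255.240.0 192.168.12.0 255.255.255.0
crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
crypto map StaticMap 20 match address outside_cryptomap_20
crypto map StaticMap 20 set peer REMOTEIP
tunnel-group 99.REMOTEIP ipsec-attributes"""

PATTERNS = {  # ASA config syntax for each field the check needs
    "phase1": r"isakmp policy \d+ (\w+ \S+)",
    "acl": r"access-list (\S+) (?:extended )?permit ip (\S+ \S+) (\S+ \S+)",
    "transform": r"crypto ipsec transform-set \S+ (.+)",
    "match": r"crypto map \S+ \d+ match address (\S+)",
    "peer": r"crypto map \S+ \d+ set peer (\S+)",
    "tg": r"tunnel-group (\S+) ",
}

def parse(cfg):
    """Collect phase 1 policy, phase 2 transform, crypto ACL entries and tunnel-group names from one end."""
    f = {k: [] for k in PATTERNS}
    for line in cfg.splitlines():
        for key, pat in PATTERNS.items():
            if m := re.match(pat, line.strip()):
                f[key].append(m.groups() if len(m.groups()) > 1 else m[1])
                break
    crypto_acl = [e[1:] for e in f["acl"] if e[0] in f["match"]]  # only the ACL the crypto map uses
    return {"phase1": set(f["phase1"]), "transform": set(f["transform"]), "acl": crypto_acl,
            "peer": set(f["peer"]), "tg": set(f["tg"])}

def check_pair(a, b):
    """Return findings (empty = consistent); phase 1 and phase 2 are compared separately, as the thread concludes."""
    out = []
    if a["phase1"] != b["phase1"]: out.append("phase 1 (isakmp policy) differs between ends")
    if a["transform"] != b["transform"]: out.append("phase 2 transform-set differs between ends")
    if sorted(a["acl"]) != sorted((d, s) for s, d in b["acl"]): out.append("crypto ACLs are not mirror images")
    for side, f in (("A", a), ("B", b)):
        for name in f["tg"] - f["peer"]:  # a tunnel-group must be named after the peer it authenticates
            out.append(f"{side}: tunnel-group {name} matches no crypto map peer")
    return out
```

Run against the two posted ends it reports only the REMOTE B tunnel-group name; AES in the ISAKMP policy beside 3DES in the transform-set is not a finding.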
