08-18-2007 08:17 AM - edited 02-21-2020 01:38 AM
Original plan is one uses dynamic IP and the other uses static, but since the dynamic is not working I tried to configure static on both ends, but it still will not come up.
Stuck on Phase 1 - I have used PIX and set them up without any problem.
Here are the configs:
#########
REMOTE A
#########
isakmp enable outside
isakmp identity auto
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 172.16.0.0 255.255.240.0
crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
crypto map StaticMap 20 match address outside_cryptomap_20
crypto map StaticMap 20 set peer REMOTEIP
crypto map StaticMap 20 set transform-set Site2Site
crypto map StaticMap 20 set pfs group2 [Tried with and without]
tunnel-group REMOTEIP type ipsec-l2l
tunnel-group REMOTEIP ipsec-attributes
pre-shared-key PRESHARE
crypto map StaticMap interface outside
access-list nonat extended permit ip 192.168.12.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.12.0 255.255.255.0 172.16.0.0 255.255.240.0
nat (inside) 0 access-list nonat
#########
REMOTE B
#########
isakmp enable outside
isakmp identity auto
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
access-list outside_cryptomap_20 permit ip 10.0.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.16.0.0 255.255.240.0 192.168.12.0 255.255.255.0
crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
crypto map StaticMap 20 match address outside_cryptomap_20
crypto map StaticMap 20 set peer REMOTEIP
crypto map StaticMap 20 set transform-set Site2Site
crypto map StaticMap 20 set pfs group2 [Tried with and without]
tunnel-group REMOTEIP type ipsec-l2l
tunnel-group REMOTEIP ipsec-attributes
pre-shared-key PRESHARE
crypto map StaticMap interface outside
access-list nonat extended permit ip 10.0.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.240.0 192.168.12.0 255.255.255.0
nat (inside) 0 access-list nonat
Double check the config; a second pair of eyes is always helpful.
08-18-2007 08:17 AM
#####################################
Here is a part of the debug: REMOTE B
#####################################
Aug 18 07:18:25 [IKEv1 DEBUG]: IP = REMOTEIP, IKE MM Responder FSM error history (struct &0x351ecd8)
Aug 18 07:18:25 [IKEv1 DEBUG]: IP = REMOTEIP, IKE SA MM:1383969c terminating: flags 0x01000002, refcnt 0, tuncnt 0
Aug 18 07:18:25 [IKEv1 DEBUG]: IP = REMOTEIP, sending delete/delete with reason message
Aug 18 07:18:25 [IKEv1]: IP = REMOTEIP, Removing peer from peer table failed, no match!
Aug 18 07:18:25 [IKEv1]: IP = REMOTEIP, Error: Unable to remove PeerTblEntry
Aug 18 07:18:26 [IKEv1 DEBUG]: IP = REMOTEIP, IKE MM Responder FSM error history (struct &0x351f478)
Aug 18 07:18:26 [IKEv1 DEBUG]: IP = REMOTEIP, IKE SA MM:c8b7e093 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Aug 18 07:18:26 [IKEv1 DEBUG]: IP = REMOTEIP, sending delete/delete with reason message
Aug 18 07:18:26 [IKEv1]: IP = REMOTEIP, Removing peer from peer table failed, no match!
Aug 18 07:18:26 [IKEv1]: IP = REMOTEIP, Error: Unable to remove PeerTblEntry
I am starting to think it has to do with trying XAUTH, but ASA does not use isa key .......... no-xauth
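Added example, not part of the thread: a small Python triage script that reads IKEv1 debug output like the lines above and, per peer, reports which phase the failure happened in and which side initiated. It keys on the fact that "IKE MM ... FSM error history" and "IKE SA MM:... terminating ... tuncnt 0" refer to Main Mode (Phase 1) with no IPsec SAs attached, while "QM" would mean Quick Mode (Phase 2). The line formats are taken from the posted output; the second peer 203.0.113.7 and its Quick Mode lines are constructed for contrast and are not from the thread.

```python
"""Triage ASA IKEv1 debug output: per peer, which phase failed and who initiated."""
import re
from collections import defaultdict

# Constructed sample: the REMOTE B lines from the thread (peer masked as REMOTEIP,
# as in the post) plus two constructed lines for a fictitious peer 203.0.113.7
# that got through Main Mode and then failed in Quick Mode.
SAMPLE_DEBUG = """\
Aug 18 07:18:25 [IKEv1 DEBUG]: IP = REMOTEIP, IKE MM Responder FSM error history (struct &0x351ecd8)
Aug 18 07:18:25 [IKEv1 DEBUG]: IP = REMOTEIP, IKE SA MM:1383969c terminating: flags 0x01000002, refcnt 0, tuncnt 0
Aug 18 07:18:25 [IKEv1 DEBUG]: IP = REMOTEIP, sending delete/delete with reason message
Aug 18 07:18:25 [IKEv1]: IP = REMOTEIP, Removing peer from peer table failed, no match!
Aug 18 07:18:25 [IKEv1]: IP = REMOTEIP, Error: Unable to remove PeerTblEntry
Aug 18 07:18:26 [IKEv1 DEBUG]: IP = REMOTEIP, IKE MM Responder FSM error history (struct &0x351f478)
Aug 18 07:18:26 [IKEv1 DEBUG]: IP = REMOTEIP, IKE SA MM:c8b7e093 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Aug 18 07:18:26 [IKEv1 DEBUG]: IP = REMOTEIP, sending delete/delete with reason message
Aug 18 07:18:26 [IKEv1]: IP = REMOTEIP, Removing peer from peer table failed, no match!
Aug 18 07:18:26 [IKEv1]: IP = REMOTEIP, Error: Unable to remove PeerTblEntry
Aug 18 07:20:01 [IKEv1 DEBUG]: Group = 203.0.113.7, IP = 203.0.113.7, IKE QM Responder FSM error history (struct &0x3520a10)
Aug 18 07:20:01 [IKEv1 DEBUG]: Group = 203.0.113.7, IP = 203.0.113.7, IKE SA MM:0badcafe terminating: flags 0x01000002, refcnt 0, tuncnt 0
"""

# Syslog prefix, optional "Group = x," then the peer IP, then the free-text message.
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \[IKEv1(?: DEBUG)?\]: (?:Group = \S+, )?IP = (\S+), (.*)$")
FSM_RE = re.compile(r"IKE (MM|QM) (Responder|Initiator) FSM error history")
TERM_RE = re.compile(r"IKE SA (MM|QM):([0-9a-f]+) terminating: .*tuncnt (\d+)")


def verdict(p):
    """Map the per-peer counters onto a human-readable diagnosis."""
    if p["fsm_errors"].get("QM"):
        return "phase2: Main Mode completed, Quick Mode failed (check transform-set, PFS, crypto ACL mirroring)"
    if p["fsm_errors"].get("MM") or any(phase == "MM" for phase, _ in p["terminated"]):
        return "phase1: Main Mode never completed (check ISAKMP policy, pre-shared key, tunnel-group name / peer identity)"
    return "unknown"


def triage(debug_text):
    """Group the debug lines by peer and summarise failure phase, role and SA churn."""
    peers = defaultdict(lambda: {"fsm_errors": defaultdict(int), "roles": set(),
                                 "terminated": [], "tuncnt_max": 0, "peer_table_miss": 0})
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, msg = m.group(1), m.group(2)
        p = peers[ip]
        if fm := FSM_RE.search(msg):
            p["fsm_errors"][fm[1]] += 1          # MM = Phase 1, QM = Phase 2
            p["roles"].add(fm[2])                # Responder means the peer started the exchange
        elif tm := TERM_RE.search(msg):
            p["terminated"].append((tm[1], tm[2]))
            p["tuncnt_max"] = max(p["tuncnt_max"], int(tm[3]))  # 0 = no IPsec SAs ever hung off this IKE SA
        elif "Removing peer from peer table failed" in msg:
            p["peer_table_miss"] += 1
    return {ip: dict(p, fsm_errors=dict(p["fsm_errors"]),
                     initiated_by="peer" if "Responder" in p["roles"] else "this device",
                     verdict=verdict(p))
            for ip, p in peers.items()}


if __name__ == "__main__":
    for ip, summary in triage(SAMPLE_DEBUG).items():
        print(ip, summary["verdict"], "initiated by", summary["initiated_by"],
              "IKE SAs torn down:", len(summary["terminated"]))
```

For the posted REMOTE B output this reports the REMOTEIP peer as a Phase 1 failure initiated by the peer, with two Main Mode SAs torn down and no IPsec SAs ever attached, which is consistent with the original poster's "stuck on Phase 1".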
09-13-2007 04:38 AM
The problem could be with the encryption you use on the isakmp part. You specified 3des on your transform-set but you are using aes on the isakmp.
You should have:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
09-14-2007 01:58 PM
Actually that is not the issue; the issue was a limitation which only allows 10 inside hosts to connect. The way around this was to ACL the inside interface to permit only essential traffic from specific clients/servers.
09-14-2007 02:02 PM
Interesting... I would think that your encryption would have to match. Well, I learned something new today. Thanks indeed.
09-14-2007 03:07 PM
There are two phases. Phase 1 was using AES and Phase 2 is using 3DES. As long as both sides of the tunnel match Phase 1 (in this case AES) and Phase 2 (which is 3DES), then the tunnel will come up.
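A second pair of eyes in script form, as an added example that is not from the thread or from Cisco: this Python script parses the crypto-relevant lines of both sides' configs and reports anything that does not mirror. It checks Phase 1 (ISAKMP policy) and Phase 2 (transform-set contents, PFS group, crypto ACL) independently of each other, which is the point of the last reply: the AES policy and the 3DES transform-set belong to different phases and each only has to match its counterpart on the peer. It also flags a tunnel-group whose ipsec-attributes block names a different group than the one declared type ipsec-l2l, the kind of slip that is easy to miss when reading by hand. The sample configs are constructed from REMOTE A / REMOTE B above, with PEER_A / PEER_B as placeholder peer addresses.

```python
"""Second-pair-of-eyes check for an ASA IKEv1 site-to-site pair: parse the
crypto-relevant lines of both configs and report anything that does not mirror."""
import re
from collections import defaultdict

# Constructed sample configs modelled on REMOTE A / REMOTE B from the thread.
# PEER_A / PEER_B are placeholder peer addresses; lines with no per-peer value
# (isakmp enable, identity auto, nat 0, crypto map interface) are left out.
REMOTE_A = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 172.16.0.0 255.255.240.0
crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
crypto map StaticMap 20 match address outside_cryptomap_20
crypto map StaticMap 20 set peer PEER_B
crypto map StaticMap 20 set transform-set Site2Site
crypto map StaticMap 20 set pfs group2
tunnel-group PEER_B type ipsec-l2l
tunnel-group PEER_B ipsec-attributes
"""
REMOTE_B = """
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
access-list outside_cryptomap_20 permit ip 10.0.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.16.0.0 255.255.240.0 192.168.12.0 255.255.255.0
crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac
crypto map StaticMap 20 match address outside_cryptomap_20
crypto map StaticMap 20 set peer PEER_A
crypto map StaticMap 20 set transform-set Site2Site
crypto map StaticMap 20 set pfs group2
tunnel-group PEER_A type ipsec-l2l
tunnel-group PEER_A ipsec-attributes
"""


def parse_asa(text):
    """Pull ISAKMP policies, transform-sets, crypto map entries, crypto ACLs
    and tunnel-group names out of an ASA config into plain dicts/sets."""
    cfg = {"policy": defaultdict(dict), "ts": {}, "map": defaultdict(dict),
           "acl": defaultdict(list), "tg_type": set(), "tg_attr": set()}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"isakmp policy (\d+) (\S+) (\S+)$", line):
            cfg["policy"][m[1]][m[2]] = m[3]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["ts"][m[1]] = frozenset(m[2].split())      # keyword order is irrelevant
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set \S+)(?: (\S+))?$", line):
            cfg["map"][(m[1], m[2])][m[3]] = m[4]
        elif m := re.match(r"access-list (\S+) (?:extended )?permit ip (\S+ \S+) (\S+ \S+)$", line):
            cfg["acl"][m[1]].append((m[2], m[3]))          # (source net/mask, destination net/mask)
        elif m := re.match(r"tunnel-group (\S+) type (\S+)$", line):
            cfg["tg_type"].add(m[1])
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            cfg["tg_attr"].add(m[1])
    return cfg


def compare_peers(a_text, b_text):
    """Return a list of findings; an empty list means Phase 1, Phase 2 and the
    tunnel-group naming all line up between the two sides."""
    a, b = parse_asa(a_text), parse_asa(b_text)
    findings = []
    # Phase 1 (ISAKMP policy): auth, encryption, hash and DH group must be identical.
    # IKEv1 settles on the shorter of two differing lifetimes, so that one is informational.
    for num in sorted(set(a["policy"]) | set(b["policy"])):
        pa, pb = a["policy"].get(num, {}), b["policy"].get(num, {})
        for attr in sorted(set(pa) | set(pb)):
            if pa.get(attr) != pb.get(attr):
                level = "info" if attr == "lifetime" else "mismatch"
                findings.append(f"{level} phase1 policy {num} {attr}: A={pa.get(attr)} B={pb.get(attr)}")
    # Phase 2 (IPsec): transform-set contents, PFS group, and a crypto ACL that mirrors the peer's.
    for key in sorted(set(a["map"]) | set(b["map"])):
        ma, mb = a["map"].get(key, {}), b["map"].get(key, {})
        ts_a, ts_b = a["ts"].get(ma.get("set transform-set")), b["ts"].get(mb.get("set transform-set"))
        if ts_a != ts_b:
            findings.append(f"mismatch phase2 map {key} transform-set: "
                            f"A={ts_a and sorted(ts_a)} B={ts_b and sorted(ts_b)}")
        if ma.get("set pfs") != mb.get("set pfs"):
            findings.append(f"mismatch phase2 map {key} pfs: A={ma.get('set pfs')} B={mb.get('set pfs')}")
        acl_a = set(a["acl"].get(ma.get("match address"), []))
        acl_b = {(dst, src) for src, dst in b["acl"].get(mb.get("match address"), [])}  # swap src/dst
        for entry in sorted(acl_a ^ acl_b):
            findings.append(f"mismatch phase2 map {key} crypto ACL not mirrored: {entry}")
    # Per side: the ipsec-attributes block (where the pre-shared key lives) must name
    # the same tunnel-group that was declared 'type ipsec-l2l'.
    for side, cfg in (("A", a), ("B", b)):
        for tg in sorted(cfg["tg_attr"] - cfg["tg_type"]):
            findings.append(f"mismatch {side}: tunnel-group {tg} ipsec-attributes has no 'type ipsec-l2l' line")
    return findings


if __name__ == "__main__":
    for finding in compare_peers(REMOTE_A, REMOTE_B) or ["no mismatches found"]:
        print(finding)
```

Run against the mirrored sample it prints "no mismatches found"; change one side's transform-set to esp-aes, drop one crypto ACL line, or misspell the tunnel-group name in the ipsec-attributes line and the corresponding phase is called out, while a lifetime difference is reported only as informational.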