Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1640
Views
0
Helpful
5
Replies

ASA 5510 Site to Site

jason.maynard
Level 1
Level 1

‎08-18-2007 08:17 AM - edited ‎02-21-2020 01:38 AM

Orginal plan is one uses DYnamic IP and the other uses Statice, but since the dynamic is not working I tried to configure static on both ends but it still will not come up.

Stuck on Pahse 1 - I have used PIX and set them up without any problem.

Here are the configs

#########

REMOTE A

#########

isakmp enable outside

isakmp identity auto

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 10.0.3.0 255.255.255.0

access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 172.16.0.0 255.255.240.0

crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac

crypto map StaticMap 20 match address outside_cryptomap_20

crypto map StaticMap 20 set peer REMOTEIP

crypto map StaticMap 20 set transform-set Site2Site

crypto map StaticMap 20 set pfs group2 [Tried with and without]

tunnel-group REMOTEIP type ipsec-l2l

tunnel-group REMOTEIP ipsec-attributes

pre-shared-key PRESHARE

crypto map StaticMap interface outside

access-list nonat extended permit ip 192.168.12.0 255.255.255.0 10.0.3.0 255.255.255.0

access-list nonat extended permit ip 192.168.12.0 255.255.255.0 172.16.0.0 255.255.240.0

nat (inside) 0 access-list nonat

#########

REMOTE B

#########

isakmp enable outside

isakmp identity auto

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

access-list outside_cryptomap_20 permit ip 10.0.3.0 255.255.255.0 192.168.12.0 255.255.255.0

access-list outside_cryptomap_20 permit ip 172.16.0.0 255.255.240.0 192.168.12.0 255.255.255.0

crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac

crypto map StaticMap 20 match address outside_cryptomap_20

crypto map StaticMap 20 set peer REMOTEIP

crypto map StaticMap 20 set transform-set Site2Site

crypto map StaticMap 20 set pfs group2 [Tried with and without]

tunnel-group REMOTEIP type ipsec-l2l

tunnel-group 99.REMOTEIP ipsec-attributes

pre-shared-key PRESHARE

crypto map StaticMap interface outside

access-list nonat extended permit ip 10.0.3.0 255.255.255.0 192.168.12.0 255.255.255.0

access-list nonat extended permit ip 172.16.0.0 255.255.240.0 192.168.12.0 255.255.255.0

nat (inside) 0 access-list nonat

Double check the config, second eyes is always helpfull?

0 Helpful
5 Replies 5

jason.maynard
Level 1
Level 1

‎08-18-2007 08:17 AM

#####################################

Here is a part of the debug: REMOTE B

#####################################

Aug 18 07:18:25 [IKEv1 DEBUG]: IP = REMOTEIP, IKE MM Responder FSM error history (struct &0x351ecd8) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent

Aug 18 07:18:25 [IKEv1 DEBUG]: IP = REMOTEIP, IKE SA MM:1383969c terminating: flags 0x01000002, refcnt 0, tuncnt 0

Aug 18 07:18:25 [IKEv1 DEBUG]: IP = REMOTEIP, sending delete/delete with reason message

Aug 18 07:18:25 [IKEv1]: IP = REMOTEIP, Removing peer from peer table failed, no match!

Aug 18 07:18:25 [IKEv1]: IP = REMOTEIP, Error: Unable to remove PeerTblEntry

Aug 18 07:18:26 [IKEv1 DEBUG]: IP = REMOTEIP, IKE MM Responder FSM error history (struct &0x351f478) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent

Aug 18 07:18:26 [IKEv1 DEBUG]: IP = REMOTEIP, IKE SA MM:c8b7e093 terminating: flags 0x01000002, refcnt 0, tuncnt 0

Aug 18 07:18:26 [IKEv1 DEBUG]: IP = REMOTEIP, sending delete/delete with reason message

Aug 18 07:18:26 [IKEv1]: IP = REMOTEIP, Removing peer from peer table failed, no match!

Aug 18 07:18:26 [IKEv1]: IP = REMOTEIP, Error: Unable to remove PeerTblEntry

I am starting to think it has to do woth trying XAUTH but ASA does not use isa key .......... noxauth

0 Helpful

Tshi M
Level 5
Level 5

‎09-13-2007 04:38 AM

the problem could be with the encryption you use on the isakmp part. You specified 3des on your transform-set but you are using aes on the isakmp.

you should have

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

0 Helpful

jason.maynard
Level 1
Level 1
In response to Tshi M

‎09-14-2007 01:58 PM

Actually that is not the issue, the issue was a limitation which only allows 10 inside host to connect. The way around this was to acl the inside interface to permit only essential traffic from specific clients/Servers.

0 Helpful

Tshi M
Level 5
Level 5
In response to jason.maynard

‎09-14-2007 02:02 PM

interesting...I will think that your encryption would have to match. Well, I learn something new today. Thanks indeed.

0 Helpful

jason.maynard
Level 1
Level 1
In response to Tshi M

‎09-14-2007 03:07 PM

There are two phases. Phase 1 was using AES and Phase 2 is using 3DES. As long as both sides of the tunnel match Phase1 in this case AES and Phase2 which is 3DES then the tunnel will come up.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card