Need Site to Site VPN Assistance

bambam4274 · ‎10-03-2007

The VPN Tunnel is up but not passing traffic. I have to believe I missed something simple... Can someone help?

ASA 5550 to 1811

The 5550 is running 7.2(2) and the 1811 is running 12.4. I have attached a cleaned up config for each. I appreciate your help in advance!

JORGE RODRIGUEZ · ‎10-03-2007

Hi Rob, looking at asa config notice you are missing isakmp. Im sure you know the brake down but it is good to double check the process to spot the error, if you brake down the bellow IPsec steps you probably got as far as Ipsec Phase-1 but you have yet to defined Isakmp policy on asa . The Vancouver router config seems ok.

Look into this link example which is very similar to your scenario

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805e8c80.shtml

IPSec negotiation can be broken down into five steps, which includes two Internet Key Exchange (IKE) phases.

1.In IPSec tunnel is initiated by interesting traffic. Traffic is considered interesting when it travels between the IPSec peers.

2.In IKE Phase 1, the IPSec peers negotiate the established IKE Security Association (SA) policy. Once the peers are authenticated, a secure tunnel is created using Internet Security Association and Key Management Protocol (ISAKMP).

3.In IKE Phase 2, the IPSec peers use the authenticated and secure tunnel to negotiate IPSec SA transforms. The negotiation of the shared policy determines how the IPSec tunnel is established.

4.The IPSec tunnel is created and data is transferred between the IPSec peers based on the IPSec parameters configured in the IPSec transform sets.

5.The IPSec tunnel terminates when the IPSec SAs are deleted or when their lifetime expires

Jorge Rodriguez

bambam4274 · ‎10-04-2007

This is the result of a "show run iaskmp" on the ASA device:

ASA-5550(config)# sh run isakmp

crypto isakmp enable Outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

This was and is in the running config.... any other thoughts? Should I strip it out and add it back in?

Thanks.

ajagadee · ‎10-04-2007

Hi,

When you do a "show crypto ipsec sa" on the ASA and 1811, what do you under encrypts and decrypts. Is there anyway, you can post the outputs of "show cry isa sa" and "show crypto ipsec sa" from both the ASA and 1811.

Also, please do mention the source and destination IP Addresses of the traffic that is not working.

Regards,

Arul

bambam4274 · ‎10-04-2007

ASA: {sh crypto ipsec sa}

sh crypto ipsec sa

interface: Outside

Crypto map tag: Outside_map, seq num: 20, local addr: 69.90.31.98

access-list Outside_20_cryptomap permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)

remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)

current_peer: 76.77.69.162

#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5

#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 69.90.31.98, remote crypto endpt.: 76.77.69.162

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: 7FB7E9EC

inbound esp sas:

spi: 0x5CDA62D0 (1557816016)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 114, crypto-map: Outside_map

sa timing: remaining key lifetime (kB/sec): (4274999/2468)

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0x7FB7E9EC (2142759404)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 114, crypto-map: Outside_map

sa timing: remaining key lifetime (kB/sec): (4274999/2468)

IV size: 8 bytes

replay detection support: Y

1811 [sh crypto ipsec sa}

sh crypto ipsec sa

interface: FastEthernet1

Crypto map tag: SDM_CMAP_1, local addr 76.77.69.162

protected vrf: (none)

local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)

remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)

current_peer 69.90.31.98 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 93, #pkts encrypt: 93, #pkts digest: 93

#pkts decaps: 114, #pkts decrypt: 114, #pkts verify: 114

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 76.77.69.162, remote crypto endpt.: 69.90.31.98

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1

current outbound spi: 0x5CDA62D0(1557816016)

inbound esp sas:

spi: 0x7FB7E9EC(2142759404)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 35, flow_id: Motorola SEC 2.0:35, crypto map: SDM_CMAP_1

sa timing: remaining key lifetime (k/sec): (4559507/2385)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x5CDA62D0(1557816016)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 36, flow_id: Motorola SEC 2.0:36, crypto map: SDM_CMAP_1

sa timing: remaining key lifetime (k/sec): (4559507/2385)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

The addresses are no longer masked!

JORGE RODRIGUEZ · ‎10-04-2007

can you post what the other poster asked.. "show crypto isa sa ", from what you have posted "show crypto ipsec sa" is for Phase-1 can you post the isa sa stats which is IPsec phase-2 .

Do you have any syslog server where you can capture fw logs while trying to connetc to a host from one side to the other .

Jorge Rodriguez

bambam4274 · ‎10-04-2007

from the 1811 -

VANOFINF001#sh crypto isa sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

76.77.69.162 69.90.31.98 QM_IDLE 2023 0 ACTIVE

IPv6 Crypto ISAKMP SA

********************************************

From the ASA-5550

sh crypto isa sa

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 76.77.69.162

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

ajagadee · ‎10-04-2007

Hi,

Thanks for the outputs. Based on the outputs, the ASA is encrypting as well as decrypting packets but you still dont have connectivity.

One configuration statement that I do not see in your configuration is "sysopt connection permit-ipsec". For traffic that enters the security appliance through an IPSec tunnel and is then decrypted, use the sysopt connection permit-ipsec command in global configuration mode to allow the traffic to bypass interface access lists.

Details in the below URL:

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/s.html#wp1541923

In case, if you do not want to use this command, then you need to explicity allow the ipsec traffic on your outside_access_in ACL's, so decrypted traffic can pass through the firewall.

Let me know how it goes.

Regards,

Arul

** Please rate all helpful posts **

bambam4274 · ‎10-04-2007

Arul, according the the link you sent the command is now enabled by default. I have entered it into my config, as well as the permit-vpn variant and wrote it to memory....

Please continue to assist me as this is not working!

bambam4274 · ‎10-05-2007

Perhaps this can help? I see that Phase 1 IS completing, and I believe that Pase 2 is not, but I believe I am being misled by the output from these commands:

UtherVerse-5550# sh crypto ipsec sa

interface: Outside

Crypto map tag: Outside_map, seq num: 20, local addr: 69.90.31.98

access-list Outside_20_cryptomap permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)

remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)

current_peer: 76.77.69.162

#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10

#pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 69.90.31.98, remote crypto endpt.: 76.77.69.162

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: E62008D2

inbound esp sas:

spi: 0xCCEC280E (3438028814)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 126, crypto-map: Outside_map

sa timing: remaining key lifetime (kB/sec): (4274999/2903)

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0xE62008D2 (3860859090)

transform: esp-3des esp-sha-hmac none

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 126, crypto-map: Outside_map

sa timing: remaining key lifetime (kB/sec): (4274999/2903)

IV size: 8 bytes

replay detection support: Y

UtherVerse-5550# sh crypto isa sa

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 76.77.69.162

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

UtherVerse-5550#

Can anyone give me a smack upside the head?