10-03-2007 01:56 PM
The VPN Tunnel is up but not passing traffic. I have to believe I missed something simple... Can someone help?
ASA 5550 to 1811
The 5550 is running 7.2(2) and the 1811 is running 12.4. I have attached a cleaned up config for each. I appreciate your help in advance!
10-03-2007 06:55 PM
Hi Rob, looking at the ASA config I notice you are missing ISAKMP. I'm sure you know the breakdown, but it is good to double-check the process to spot the error. If you break down the IPsec steps below, you probably got as far as IPsec Phase 1, but you have yet to define an ISAKMP policy on the ASA. The Vancouver router config seems OK.
Look into this linked example, which is very similar to your scenario:
IPSec negotiation can be broken down into five steps, which includes two Internet Key Exchange (IKE) phases.
1. An IPSec tunnel is initiated by interesting traffic. Traffic is considered interesting when it travels between the IPSec peers.
2. In IKE Phase 1, the IPSec peers negotiate the established IKE Security Association (SA) policy. Once the peers are authenticated, a secure tunnel is created using Internet Security Association and Key Management Protocol (ISAKMP).
3. In IKE Phase 2, the IPSec peers use the authenticated and secure tunnel to negotiate IPSec SA transforms. The negotiation of the shared policy determines how the IPSec tunnel is established.
4. The IPSec tunnel is created and data is transferred between the IPSec peers based on the IPSec parameters configured in the IPSec transform sets.
5. The IPSec tunnel terminates when the IPSec SAs are deleted or when their lifetime expires.
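The five steps above mapped onto a minimal ASA 7.2 / IOS 12.4 site-to-site configuration, as an added example for this thread (it is not the original poster's attached configs, which are not on this page). It reuses the names and parameters that appear later in the thread (Outside_map seq 20, Outside_20_cryptomap, SDM_CMAP_1, the 10.1.0.0/16 and 10.2.0.0/16 networks, the two peer addresses, 3DES/SHA/group 2, 86400 s IKE lifetime); the transform-set name, the pre-shared key placeholder, the NAT-exemption ACLs, the IOS ACL numbers and the PAT on the router are assumptions.

```cisco
! ---- ASA 5550 (7.2) side, local peer 69.90.31.98 ----
! Step 1: interesting traffic for the crypto map.
access-list Outside_20_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
! Assumed: inside hosts are otherwise NATed on the way out, so the same
! flows must be exempted from NAT or the crypto ACL never matches them
! (the classic "tunnel up, no traffic" cause). ACL name is assumed.
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list inside_nat0_outbound
!
! Step 2: IKE Phase 1. The policy must match one on the 1811.
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 76.77.69.162 type ipsec-l2l
tunnel-group 76.77.69.162 ipsec-attributes
 pre-shared-key REPLACE_WITH_SHARED_SECRET
!
! Step 3: IKE Phase 2 proposal (transform-set name is assumed).
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Step 4: tie ACL, peer and proposal together and apply to the interface.
crypto map Outside_map 20 match address Outside_20_cryptomap
crypto map Outside_map 20 set peer 76.77.69.162
crypto map Outside_map 20 set transform-set ESP-3DES-SHA
! PFS is optional, but if set it must be identical on both peers.
crypto map Outside_map 20 set pfs group2
crypto map Outside_map interface Outside
!
! Step 5: Phase 2 SA lifetime in seconds; the SA is rekeyed when it expires.
crypto map Outside_map 20 set security-association lifetime seconds 3600

! ---- Cisco 1811 (12.4) side, local peer 76.77.69.162 ----
! Step 2: matching IKE Phase 1 policy and the shared secret for the ASA.
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key REPLACE_WITH_SHARED_SECRET address 69.90.31.98
!
! Step 3: same proposal as the ASA.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
! Step 4: crypto map with the mirror-image interesting-traffic ACL
! (IOS uses wildcard masks, not subnet masks).
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 69.90.31.98
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address 100
access-list 100 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
! Assumed: FastEthernet1 also does PAT for Internet access, so the VPN
! flows must be denied in the NAT ACL before the overload permit.
access-list 101 deny   ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
access-list 101 permit ip 10.2.0.0 0.0.255.255 any
ip nat inside source list 101 interface FastEthernet1 overload
!
interface FastEthernet1
 crypto map SDM_CMAP_1
```

With this in place, "show crypto isakmp sa" should report QM_IDLE on the router and MM_ACTIVE on the ASA (step 2 done), and "show crypto ipsec sa" should show the encaps and decaps counters climbing on both sides (steps 3 and 4). The ASA's inbound SPI must equal the router's outbound SPI and vice versa; if the SPIs cross-match but decaps increase on only one side, look at NAT exemption and the interface ACLs before touching the crypto configuration.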
10-04-2007 06:22 AM
This is the result of a "show run isakmp" on the ASA device:
ASA-5550(config)# sh run isakmp
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
This was and is in the running config.... any other thoughts? Should I strip it out and add it back in?
Thanks.
10-04-2007 08:16 AM
Hi,
When you do a "show crypto ipsec sa" on the ASA and 1811, what do you see under encrypts and decrypts? Is there any way you can post the outputs of "show cry isa sa" and "show crypto ipsec sa" from both the ASA and 1811?
Also, please do mention the source and destination IP Addresses of the traffic that is not working.
Regards,
Arul
10-04-2007 09:40 AM
ASA (sh crypto ipsec sa):
sh crypto ipsec sa
interface: Outside
Crypto map tag: Outside_map, seq num: 20, local addr: 69.90.31.98
access-list Outside_20_cryptomap permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
current_peer: 76.77.69.162
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 69.90.31.98, remote crypto endpt.: 76.77.69.162
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 7FB7E9EC
inbound esp sas:
spi: 0x5CDA62D0 (1557816016)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 114, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (4274999/2468)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x7FB7E9EC (2142759404)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 114, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (4274999/2468)
IV size: 8 bytes
replay detection support: Y
1811 (sh crypto ipsec sa):
sh crypto ipsec sa
interface: FastEthernet1
Crypto map tag: SDM_CMAP_1, local addr 76.77.69.162
protected vrf: (none)
local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
current_peer 69.90.31.98 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 93, #pkts encrypt: 93, #pkts digest: 93
#pkts decaps: 114, #pkts decrypt: 114, #pkts verify: 114
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 76.77.69.162, remote crypto endpt.: 69.90.31.98
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet1
current outbound spi: 0x5CDA62D0(1557816016)
inbound esp sas:
spi: 0x7FB7E9EC(2142759404)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 35, flow_id: Motorola SEC 2.0:35, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4559507/2385)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x5CDA62D0(1557816016)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 36, flow_id: Motorola SEC 2.0:36, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4559507/2385)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
The addresses are no longer masked!
10-04-2007 10:01 AM
Can you post what the other poster asked for, "show crypto isa sa"? From what you have posted, "show crypto ipsec sa" is for Phase-1; can you post the isa sa stats, which is IPsec Phase-2?
Do you have a syslog server where you can capture FW logs while trying to connect to a host from one side to the other?
10-04-2007 11:25 AM
From the 1811:
VANOFINF001#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
76.77.69.162 69.90.31.98 QM_IDLE 2023 0 ACTIVE
IPv6 Crypto ISAKMP SA
********************************************
From the ASA-5550
sh crypto isa sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 76.77.69.162
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
10-04-2007 10:32 AM
Hi,
Thanks for the outputs. Based on the outputs, the ASA is encrypting as well as decrypting packets, but you still don't have connectivity.
One configuration statement that I do not see in your configuration is "sysopt connection permit-ipsec". For traffic that enters the security appliance through an IPSec tunnel and is then decrypted, use the sysopt connection permit-ipsec command in global configuration mode to allow the traffic to bypass interface access lists.
Details in the below URL:
http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/s.html#wp1541923
In case you do not want to use this command, you need to explicitly allow the IPsec traffic on your outside_access_in ACLs, so decrypted traffic can pass through the firewall.
Let me know how it goes.
Regards,
Arul
** Please rate all helpful posts **
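The two options in the reply above, written out as an added ASA 7.2 configuration example together with the checks a practitioner would run before changing anything (this is not from the thread's attached configs). The ACL name outside_access_in comes from the reply; the "inside" interface name and the two test host addresses are assumptions.

```cisco
! First find out which option is in effect. On 7.2 the bypass is on by
! default, so the running config only shows it when it has been turned off.
show running-config sysopt
!
! Option A: let decrypted VPN traffic bypass the interface ACL (the default).
! 7.0/7.1 spelled the same command "sysopt connection permit-ipsec".
sysopt connection permit-vpn
!
! Option B: keep the interface ACL in the path and permit the remote
! network explicitly. With the bypass off, anything not permitted here
! is dropped after decryption, and the decaps counter still increments.
no sysopt connection permit-vpn
access-list outside_access_in extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-group outside_access_in in interface Outside
!
! Either way, trace a test flow through NAT, ACL and VPN lookups instead
! of guessing (packet-tracer exists from 7.2(1); hosts are assumed):
packet-tracer input inside icmp 10.1.0.10 8 0 10.2.0.10
packet-tracer input Outside icmp 10.2.0.10 8 0 10.1.0.10
!
! and watch which ACL lines are actually being hit during the test.
show access-list outside_access_in
```

The packet-tracer output names the phase that drops the packet (NAT, ACCESS-LIST, VPN and so on), which separates "the tunnel is fine but the firewall drops the decrypted packet" from "the packet never reached the crypto map", the two cases this thread is trying to tell apart.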
10-04-2007 11:34 AM
Arul, according to the link you sent, the command is now enabled by default. I have entered it into my config, as well as the permit-vpn variant, and wrote it to memory....
Please continue to assist me as this is not working!
10-05-2007 06:00 AM
Perhaps this can help? I see that Phase 1 IS completing, and I believe that Phase 2 is not, but I believe I am being misled by the output from these commands:
UtherVerse-5550# sh crypto ipsec sa
interface: Outside
Crypto map tag: Outside_map, seq num: 20, local addr: 69.90.31.98
access-list Outside_20_cryptomap permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
current_peer: 76.77.69.162
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 69.90.31.98, remote crypto endpt.: 76.77.69.162
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: E62008D2
inbound esp sas:
spi: 0xCCEC280E (3438028814)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 126, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (4274999/2903)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xE62008D2 (3860859090)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 126, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (4274999/2903)
IV size: 8 bytes
replay detection support: Y
UtherVerse-5550# sh crypto isa sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 76.77.69.162
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
UtherVerse-5550#
Can anyone give me a smack upside the head?