Cisco VPN Site to Site with one Static and other dynamic not working

Answered Question
May 28th, 2008

Hi there


I have an ASA 5510 in the head office with a static IP and an ASA 5505 at the remote site behind an ADSL router. I am trying to establish a VPN, but it is failing in phase 1.


Config of Head Office

interface Ethernet0/0
 description Link to LeaseLine Router
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
 description Link to Internal LAN
 nameif inside
 security-level 100
 ip address 172.17.1.15 255.255.255.0

access-list inside_nat0_outbound_1 extended permit ip 172.17.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.17.1.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list vpn_to_remote extended permit ip 172.17.1.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list VPN extended permit ip 172.17.1.0 255.255.255.0 172.20.1.0 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1

crypto ipsec transform-set esp-aes-256-md5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map cisco 1 match address VPN
crypto dynamic-map cisco 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 match address vpn_to_remote
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set esp-aes-256-md5
crypto map outside_map 10 set reverse-route
crypto map outside_map 30 ipsec-isakmp dynamic cisco
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key *
tunnel-group parkplace type ipsec-l2l
tunnel-group parkplace ipsec-attributes
 pre-shared-key *

Config of Remote Site

interface Vlan1
 nameif inside
 security-level 100
 ip address 172.20.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1

access-list ICMP extended permit icmp any any
access-list NONAT extended permit ip 172.20.1.0 255.255.255.0 172.17.1.0 255.255.255.0
access-list VPN extended permit ip 172.20.1.0 255.255.255.0 172.17.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 outside
access-group ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 83.111.252.242
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group fairmount type ipsec-l2l
tunnel-group fairmount ipsec-attributes
 pre-shared-key *

Regards/Asfar

asfar.zaidi Wed, 05/28/2008 - 05:50

I am getting this debug error. Can anybody please check and help with the issue?

May 28 06:03:03 [IKEv1]: IP = x.x.x.x, Information Exchange processing failed
May 28 06:03:11 [IKEv1]: IP = x.x.x.x, Information Exchange processing failed
May 28 06:03:18 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed, no match!
May 28 06:03:18 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntry
May 28 06:03:27 [IKEv1]: IP = x.x.x.x, Information Exchange processing failed

Correct Answer
fortis123 Wed, 05/28/2008 - 06:32

Hi,

Did you try replacing the 'tunnel-group' entry names with IP addresses on both ends?

Thank you

MS


asfar.zaidi Wed, 05/28/2008 - 06:34

OK, I will try that, but on the head-office side I cannot configure the tunnel-group name with an IP address, as the remote branch is behind ADSL and comes from a dynamic IP.

asfar.zaidi Wed, 05/28/2008 - 06:40

I have changed the tunnel-group to the IP address; now the debugs at the head office are:

LM-ASA-5510# May 28 05:28:50 [IKEv1]: Group = 217.165.160.53, IP = 217.165.160.53, Can't find a valid tunnel group, aborting...!
May 28 05:28:50 [IKEv1]: Group = 217.165.160.53, IP = 217.165.160.53, Removing peer from peer table failed, no match!
May 28 05:28:50 [IKEv1]: Group = 217.165.160.53, IP = 217.165.160.53, Error: Unable to remove PeerTblEntry
May 28 05:28:58 [IKEv1]: IP = 217.165.160.53, Header invalid, missing SA payload! (next payload = 4)
May 28 05:29:06 [IKEv1]: IP = 217.165.160.53, Header invalid, missing SA payload! (next payload = 4)

asfar.zaidi Wed, 05/28/2008 - 06:42

I have changed the remote-site tunnel-group from a name to the IP address; now the debugs on the head-office firewall are:

LM-ASA-5510# May 28 05:28:50 [IKEv1]: Group = 217.165.160.53, IP = 217.165.160.53, Can't find a valid tunnel group, aborting...!
May 28 05:28:50 [IKEv1]: Group = 217.165.160.53, IP = 217.165.160.53, Removing peer from peer table failed, no match!
May 28 05:28:50 [IKEv1]: Group = 217.165.160.53, IP = 217.165.160.53, Error: Unable to remove PeerTblEntry
May 28 05:28:58 [IKEv1]: IP = 217.165.160.53, Header invalid, missing SA payload! (next payload = 4)
May 28 05:29:06 [IKEv1]: IP = 217.165.160.53, Header invalid, missing SA payload! (next payload = 4)

Correct Answer
acomiskey Wed, 05/28/2008 - 06:47

On the end with the static ip, assign the pre-shared key to the DefaultL2L group.
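The two accepted answers together describe the fix: a peer arriving from a dynamic address can only be keyed through DefaultL2LGroup, and a static IKEv1 L2L peer using address identity matches a tunnel-group named by its IP, not by a hostname. As an added example that is not from the thread or from Cisco, this Python script checks an ASA-style config fragment for both conditions; the config strings are constructed from the head-office config above (203.0.113.10 stands in for y.y.y.y), and the check assumes pre-shared keys with `crypto isakmp identity address`, as configured here.

```python
import re

# Constructed sample trimmed from the head-office config above; 203.0.113.10 stands in for y.y.y.y.
BROKEN_CFG = """
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 30 ipsec-isakmp dynamic cisco
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *
tunnel-group parkplace type ipsec-l2l
tunnel-group parkplace ipsec-attributes
 pre-shared-key *
"""
# The same fragment with the accepted answer applied: the dynamic peer's key lives in DefaultL2LGroup.
FIXED_CFG = """
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 30 ipsec-isakmp dynamic cisco
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
"""

def parse_tunnel_groups(cfg):
    """Map tunnel-group name -> {'type': ..., 'psk': bool} from ASA config text."""
    groups, current = {}, None
    for line in (ln.strip() for ln in cfg.splitlines()):
        m_type = re.match(r"tunnel-group (\S+) type (\S+)$", line)
        m_attr = re.match(r"tunnel-group (\S+) ipsec-attributes$", line)
        if m_type:
            groups.setdefault(m_type[1], {"type": None, "psk": False})["type"] = m_type[2]
            current = None
        elif m_attr:
            current = groups.setdefault(m_attr[1], {"type": None, "psk": False})
        elif current is not None and line.startswith("pre-shared-key"):
            current["psk"] = True      # key set under the preceding ipsec-attributes block
    return groups

def check_l2l_groups(cfg):
    """Findings for IKEv1 L2L peers keyed by pre-shared key with address identity."""
    groups, findings = parse_tunnel_groups(cfg), []
    dynamic = re.search(r"^\s*crypto map \S+ \d+ ipsec-isakmp dynamic \S+", cfg, re.M)
    # A dynamic crypto map means peers arrive from unknown IPs; only DefaultL2LGroup can hold their key.
    if dynamic and not groups.get("DefaultL2LGroup", {}).get("psk"):
        findings.append("dynamic crypto map present but DefaultL2LGroup has no pre-shared-key")
    for name, g in groups.items():
        if g["type"] == "ipsec-l2l" and not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", name):
            findings.append(f"tunnel-group '{name}' is ipsec-l2l but named by hostname, not peer IP")
    return findings
```

Run `check_l2l_groups(BROKEN_CFG)` to see both findings from the thread reported, and `check_l2l_groups(FIXED_CFG)` to confirm the corrected fragment is clean.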
