06-03-2008 03:19 AM - edited 02-21-2020 02:02 AM
Hello,
While configuring an ipsec tunnel between an ASA and an ISR 1811 I've got some negative issues:
pc host (192.168.56.1) <-----> (inside 192.168.56.56) ASA (outside x.x.x.56) <-------> (outside x.x.x.55) ISR (lo 192.168.55.55)
When I ping from the ISR to the ASA everything is OK:
ISR# ping ip 192.168.56.1 source 192.168.55.55
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.56.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.55.55
.!!!!
ASA# sh isa sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: x.x.x.55
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
But vice versa the ipsec tunnel is not established:
ASA# clear isa sa
PC host# ping -c 2 192.168.55.55
PING 192.168.55.55 (192.168.55.55) 56(84) bytes of data.
--- 192.168.55.55 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1010ms
and on the ASA I have seen the following debug messages:
Jun 02 03:18:07 [IKEv1]: IKE Initiator unable to find policy: Intf inside, Src: 192.168.56.1, Dst: 192.168.55.55
Jun 02 03:18:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 02 03:18:16 [IKEv1]: IKE Initiator unable to find policy: Intf inside, Src: 192.168.56.1, Dst: 192.168.55.55
Jun 02 03:18:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Can anybody help me with this problem?
Thanks.
06-03-2008 06:40 AM
Can you post the ASA configuration or at least the following:
show run crypto all
show run tunnel-group
Regards
Farrukh
06-03-2008 06:53 AM
Of course, yes.
ASA# sh run cry
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-VPN-MAP1 1 match address VPN
crypto dynamic-map DYN-VPN-MAP1 1 set peer x.x.x.55
crypto dynamic-map DYN-VPN-MAP1 1 set transform-set ESP-AES-MD5
crypto dynamic-map DYN-VPN-MAP1 1 set security-association lifetime seconds 28800
crypto dynamic-map DYN-VPN-MAP1 1 set security-association lifetime kilobytes 4608000
crypto map VPN-MAP1 1 ipsec-isakmp dynamic DYN-VPN-MAP1
crypto map VPN-MAP1 interface outside
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp am-disable
ASA# sh run tun
tunnel-group x.x.x.55 type ipsec-l2l
tunnel-group x.x.x.55 ipsec-attributes
pre-shared-key *
ASA# sh access-l VPN
access-list VPN; 1 elements
access-list VPN line 1 extended permit ip 192.168.56.0 255.255.255.0 10.10.10.0 255.255.255.0
And some ipsec related parts from ISR config:
ISR# sh run
Current configuration : 5007 bytes
!
version 12.4
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key KEY1 address x.x.x.56
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
!
crypto map VPN_MAP1 1 ipsec-isakmp
set peer x.x.x.56
set transform-set ESP-AES-MD5
match address VPN
!
interface Loopback10
ip address 10.10.10.10 255.255.255.0
!
interface FastEthernet0
description External->ASA
ip address 82.x.x.55 255.255.255.192
speed 100
full-duplex
crypto map VPN_MAP1
ip access-list extended VPN
permit ip 10.10.10.0 0.0.0.255 192.168.56.0 0.0.0.255
!
!
end
06-03-2008 07:04 AM
Can you try to remove the following four commands and then check:
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-VPN-MAP1 1 set security-association lifetime seconds 28800
crypto dynamic-map DYN-VPN-MAP1 1 set security-association lifetime kilobytes 4608000
Regards
Farrukh
06-03-2008 07:31 AM
Yes, I can, but I don't understand the target of this action.
If I execute the statements from your post with 'no' there will not be any changes, because these are predefined values in the ASA software.
I've tried to change these values to be equal to the ISR.
ISR# sh cry ipsec security-association
Security association lifetime: 4608000 kilobytes/3600 seconds
ASA# sh run cry | i ^crypto_.*_lifetime
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-VPN-MAP1 1 set security-association lifetime seconds 3600
crypto dynamic-map DYN-VPN-MAP1 1 set security-association lifetime kilobytes 4608000
and nothing happened:
PC# ping -c 2 10.10.10.10
PING 10.10.10.10 (10.10.10.10) 56(84) bytes of data.
--- 10.10.10.10 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms
debug from ASA:
Jun 03 07:19:28 [IKEv1]: IKE Initiator unable to find policy: Intf inside, Src: 192.168.56.1, Dst: 10.10.10.10
Jun 03 07:19:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 03 07:19:29 [IKEv1]: IKE Initiator unable to find policy: Intf inside, Src: 192.168.56.1, Dst: 10.10.10.10
Jun 03 07:19:34 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 03 07:19:34 [IKEv1]: IKE Initiator unable to find policy: Intf inside, Src: 192.168.56.1, Dst: 10.10.10.10
Jun 03 07:19:35 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jun 03 07:19:35 [IKEv1]: IKE Initiator unable to find policy: Intf inside, Src: 192.168.56.1, Dst: 10.10.10.10
06-03-2008 09:09 AM
Hello, I just noticed you are using a dynamic map, may I ask the reason for that?
I don't think you can be the 'initiator' of a VPN session when using dynamic crypto maps, if you are putting the address of the remote peer, what benefit are you gaining by using the dynamic crypto map?
Regards
Farrukh
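The point of the accepted answer, as an added example that is not part of the thread and not Cisco code: a small Python lint that reads the ASA `show run crypto` lines posted above and reports every peer that is only reachable through a dynamic crypto map reference, i.e. a peer the ASA can answer IKE from but never initiate to, which is exactly the "IKE Initiator unable to find policy" symptom. It also checks that the ASA crypto ACL (subnet-mask form) and the ISR crypto ACL (wildcard form) are mirrors, the other common cause of the same message. The sample configuration is taken from the thread with the peer address left as x.x.x.55; the function names, the `MapEntry` structure and the assumption that a static crypto map sequence for the peer is the remedy (the thread confirms the diagnosis but does not show the final config) are mine.

```python
"""Lint an ASA 'show run crypto' dump for L2L peers the ASA cannot initiate to.

Added example, not from the thread and not Cisco code. Re-implements the
reasoning in the accepted answer: a 'crypto map' sequence that only refers to
a dynamic crypto map lets the ASA respond to that peer but never originate
IKE, so traffic first seen on the inside interface produces
'IKE Initiator unable to find policy'.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the relevant ASA and ISR lines posted in the thread.
ASA_CRYPTO_CONFIG = """\
crypto ipsec transform-set ESP-AES-MD5 esp-aes esp-md5-hmac
crypto dynamic-map DYN-VPN-MAP1 1 match address VPN
crypto dynamic-map DYN-VPN-MAP1 1 set peer x.x.x.55
crypto dynamic-map DYN-VPN-MAP1 1 set transform-set ESP-AES-MD5
crypto map VPN-MAP1 1 ipsec-isakmp dynamic DYN-VPN-MAP1
crypto map VPN-MAP1 interface outside
"""
ASA_ACE = "access-list VPN line 1 extended permit ip 192.168.56.0 255.255.255.0 10.10.10.0 255.255.255.0"
IOS_ACE = "permit ip 10.10.10.0 0.0.0.255 192.168.56.0 0.0.0.255"


@dataclass
class MapEntry:
    name: str
    seq: int
    dynamic: Optional[str] = None               # dynamic map this sequence delegates to
    peers: List[str] = field(default_factory=list)
    acl: Optional[str] = None
    transform_sets: List[str] = field(default_factory=list)


MapTable = Dict[Tuple[str, int], MapEntry]


def parse_crypto_maps(config: str) -> Tuple[MapTable, MapTable]:
    """Split 'crypto map' and 'crypto dynamic-map' lines into per-sequence entries."""
    static: MapTable = {}
    dynamic: MapTable = {}
    for line in config.splitlines():
        m = re.match(r"crypto (dynamic-map|map) (\S+) (\d+) (.*)", line.strip())
        if not m:
            continue  # transform-sets, interface bindings and lifetimes are not map entries
        kind, name, seq, rest = m.groups()
        table = dynamic if kind == "dynamic-map" else static
        entry = table.setdefault((name, int(seq)), MapEntry(name, int(seq)))
        words = rest.split()
        if rest.startswith("ipsec-isakmp dynamic "):
            entry.dynamic = words[-1]
        elif rest.startswith("set peer "):
            entry.peers.extend(words[2:])
        elif rest.startswith("match address "):
            entry.acl = words[-1]
        elif rest.startswith("set transform-set "):
            entry.transform_sets.extend(words[2:])
    return static, dynamic


def find_non_initiating_peers(config: str) -> List[Tuple[str, str]]:
    """Peers reachable only through a dynamic map reference: the ASA can only respond to them."""
    static, dynamic = parse_crypto_maps(config)
    # A peer named in any static sequence can be initiated to, so it is never a finding.
    static_peers = {p for e in static.values() if e.dynamic is None for p in e.peers}
    findings = []
    for e in static.values():
        if e.dynamic is None:
            continue
        for (dname, dseq), d in dynamic.items():
            if dname == e.dynamic:
                for peer in d.peers:
                    if peer not in static_peers:
                        findings.append((peer, f"{e.name} {e.seq} -> {dname} {dseq}"))
    return findings


def static_entry_for(config: str, map_name: str, seq: int, peer: str) -> List[str]:
    """Static crypto map sequence for one peer, copying ACL and transform-set from the
    dynamic map that names it. Assumed remedy; the thread does not show the final config."""
    _, dynamic = parse_crypto_maps(config)
    src = next(d for d in dynamic.values() if peer in d.peers)
    return [
        f"crypto map {map_name} {seq} match address {src.acl}",
        f"crypto map {map_name} {seq} set peer {peer}",
        f"crypto map {map_name} {seq} set transform-set {' '.join(src.transform_sets)}",
    ]


def ace_networks(ace: str) -> Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]:
    """Source and destination networks of a 'permit ip SRC MASK DST MASK' entry.
    ipaddress accepts both a subnet mask (ASA form) and a wildcard/host mask (IOS form)."""
    w = ace.split()
    i = w.index("ip")
    src = ipaddress.ip_network(f"{w[i + 1]}/{w[i + 2]}", strict=False)
    dst = ipaddress.ip_network(f"{w[i + 3]}/{w[i + 4]}", strict=False)
    return src, dst


def acls_mirror(asa_ace: str, ios_ace: str) -> bool:
    """True when the two crypto ACLs are exact mirrors, as the IPsec proxy IDs require."""
    a_src, a_dst = ace_networks(asa_ace)
    i_src, i_dst = ace_networks(ios_ace)
    return a_src == i_dst and a_dst == i_src


if __name__ == "__main__":
    for peer, path in find_non_initiating_peers(ASA_CRYPTO_CONFIG):
        print(f"peer {peer} via {path}: ASA can only respond, never initiate")
        print("\n".join(static_entry_for(ASA_CRYPTO_CONFIG, "VPN-MAP1", 1, peer)))
    print("crypto ACLs mirror:", acls_mirror(ASA_ACE, IOS_ACE))
```

Run against the posted config it reports x.x.x.55 as reachable only through VPN-MAP1 1 -> DYN-VPN-MAP1 1 and prints the static sequence that would let the ASA initiate; the ACL check passes, so the dynamic map is the only thing the lint finds. If a dynamic reference is kept for other peers, the static sequence for x.x.x.55 needs a lower sequence number than it, since the ASA evaluates map sequences in order.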
06-04-2008 02:37 AM
You were absolutely right about this:
"I don't think you can be the 'initiator' of a VPN session when using dynamic crypto maps"
Thanks a lot!
06-04-2008 03:44 AM
It's great to know your problem is solved now, I'm glad I could help :)
Regards
Farrukh