ASA- Cannot set up Dynamic IP remote to central static IP VPN

Jul 1st, 2008

Hi,


I'm trying to set up a VPN between an ASA5505 on Central Site with static IP and a remote ASA connected to a router having a dynamic IP.

I've tried to follow the Cisco site sample named "PIX/ASA 7.x PIX-to-PIX Dynamic-to-Static IPsec with NAT and VPN Client Configuration Example" (http://cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml), but it doesn't work.


The problem is that when I generate some traffic, on the central ASA I have the message (Remote_Dynamic_IP is just to remove the real IP):


Jul 01 10:24:24 [IKEv1]: IP = Remote_Dynamic_IP, Error processing payload: Payload ID: 1

Jul 01 10:24:24 [IKEv1]: IP = Remote_Dynamic_IP, Removing peer from peer table failed, no match!

Jul 01 10:24:24 [IKEv1]: IP = Remote_Dynamic_IP, Error: Unable to remove PeerTblEntry

Jul 01 10:24:31 [IKEv1]: IP = Remote_Dynamic_IP, Error processing payload: Payload ID: 1

Jul 01 10:24:31 [IKEv1]: IP = Remote_Dynamic_IP, Removing peer from peer table failed, no match!

Jul 01 10:24:31 [IKEv1]: IP = Remote_Dynamic_IP, Error: Unable to remove PeerTblEntry


Remote router and remote ASA are connected on a network with fixed addresses, i.e.:


dynamic_ip-->router<--static_ip(E.F.G.1)--static_ip(E.F.G.2/30)--|<!--remote_lan(A.B.C.0/24)


Attached you'll find the relevant part of CentralASA and RemoteASA configurations


What's wrong?


Thanks in advance


Ciao



a.alekseev Tue, 07/01/2008 - 02:11

try to replace your configuration

####

tunnel-group RemoteAsa type ipsec-l2l

tunnel-group RemoteASA ipsec-attributes

pre-shared-key *

####


with


####

tunnel-group DefaultL2LGroup type ipsec-l2l

tunnel-group DefaultL2LGroup general-attributes

authentication-server-group none

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key *

####



DefaultL2LGroup is a built-in group.

sandman42 Tue, 07/01/2008 - 02:33

CentralASA(config)# tunnel-group DefaultL2LGroup type ipsec-l2l

^

ERROR: % Invalid input detected at '^' marker.

It gives an error:


CentralASA(config)# tunnel-group DefaultL2LGroup general-attributes

CentralASA(config-tunnel-general)# authentication-server-group none

^

ERROR: % Invalid input detected at '^' marker.

CentralASA(config-tunnel-general)# tunnel-group DefaultL2LGroup ipsec-attributes

CentralASA(config-tunnel-ipsec)#


SW Release is: Cisco Adaptive Security Appliance Software Version 8.0(3)


Thanks


a.alekseev Tue, 07/01/2008 - 02:49

tunnel-group DefaultL2LGroup ipsec-attributes


set here the pre-shared-key for DefaultL2LGroup the same as you use on the RemoteASA.

sandman42 Tue, 07/01/2008 - 06:32

No way:


Jul 01 16:19:38 [IKEv1]: IP = RemoteDynamicIP, Removing peer from peer table failed, no match!

Jul 01 16:19:38 [IKEv1]: IP = RemoteDynamicIP, Error: Unable to remove PeerTblEntry

Jul 01 16:19:46 [IKEv1]: IP = RemoteDynamicIP, Removing peer from peer table failed, no match!

Jul 01 16:19:46 [IKEv1]: IP = RemoteDynamicIP, Error: Unable to remove PeerTblEntry

Jul 01 16:19:54 [IKEv1]: IP = RemoteDynamicIP, Removing peer from peer table failed, no match!

Jul 01 16:19:54 [IKEv1]: IP = RemoteDynamicIP, Error: Unable to remove PeerTblEntry

Jul 01 16:20:02 [IKEv1]: IP = RemoteDynamicIP, Removing peer from peer table failed, no match!

Jul 01 16:20:02 [IKEv1]: IP = RemoteDynamicIP, Error: Unable to remove PeerTblEntry


I've attached a debug crypto isakmp 255 on the central site asa and on the remote.


Any idea?


Thanks a lot




Correct Answer
a.alekseev Tue, 07/01/2008 - 07:40

On RemoteASA

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash md5

group 2

lifetime 86400

sandman42 Tue, 07/01/2008 - 22:17

Ok. Now VPN is up.


Now one more problem: if I try for example to connect via VNC from a computer on the remote lan to a computer on the central site lan, on the central ASA I have:


3 Jul 02 2008 08:05:26 713042 IKE Initiator unable to find policy: Intf outside, Src: IP_ON_REMOTE_LAN Dst: IP_ON_CENTRAL LAN


Am I missing something else?


Thanks for your answers

a.alekseev Tue, 07/01/2008 - 23:00

Hi,

show "sh crypto ipsec sa" on both sides when the vpn is up.

sandman42 Wed, 07/02/2008 - 01:16

centralASA# sh crypto ipsec sa

interface: outside

Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: CENTRAL_PUBLIC_IP


local ident (addr/mask/prot/port): (CentralLAN/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (RemoteLAN/255.255.255.0/0/0)

current_peer: PEER_DYNAMIC_IP


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0


local crypto endpt.: CENTRAL_PUBLIC_IP, remote crypto endpt.: PEER_DYNAMIC_IP


path mtu 1500, ipsec overhead 74, media mtu 1500

current outbound spi: 7D43EDFE


inbound esp sas:

spi: 0x4552E88B (1163061387)

transform: esp-aes-256 esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

sa timing: remaining key lifetime (kB/sec): (4275000/28771)

IV size: 16 bytes

replay detection support: Y

outbound esp sas:

spi: 0x7D43EDFE (2101603838)

transform: esp-aes-256 esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

sa timing: remaining key lifetime (kB/sec): (4275000/28771)

IV size: 16 bytes

replay detection support: Y


remoteASA# sh crypto ipsec sa

interface: outside

Crypto map tag: outside_map, seq num: 1, local addr: REMOTE_LAN_FIREWALL_IP


access-list outside_1_cryptomap permit ip RemoteLAN 255.255.255.0 CentralLAN 255.255.255.0

local ident (addr/mask/prot/port): (RemoteLAN/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (CentralLAN/255.255.255.0/0/0)

current_peer: CENTRAL_PUBLIC_IP


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0


local crypto endpt.: REMOTE_LAN_FIREWALL_IP, remote crypto endpt.: CENTRAL_PUBLIC_IP


path mtu 1500, ipsec overhead 74, media mtu 1500

current outbound spi: 4552E88B


inbound esp sas:

spi: 0x7D43EDFE (2101603838)

transform: esp-aes-256 esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 16384, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (4275000/28797)

IV size: 16 bytes

replay detection support: Y

outbound esp sas:

spi: 0x4552E88B (1163061387)

transform: esp-aes-256 esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 16384, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (4275000/28797)

IV size: 16 bytes

replay detection support: Y


Thanks once more


a.alekseev Wed, 07/02/2008 - 03:52

I see that the vpn is up but there are no packets encrypted or decrypted.


so could you show the configurations on both sides?

sandman42 Wed, 07/02/2008 - 04:44

Here they are.


I've performed some editing, i.e. hiding the real IPs, but in a smart way.


Particularly, the conventions on both files are:


On central site the LAN is X.Y.Z.0/24

CENTRAL_PUBLIC_IP is the static central site public IP (the outside of centralASA). Note: everywhere in the real config, CENTRAL_PUBLIC_IP is explicit, i.e. a normal IP address, let's say 1.2.3.4:


On remote site, lan is A.B.C.0/24, firewall outside is D.E.F.2/30, router is D.E.F.1/30, DYNAMIC_PUBLIC_IP is the dynamic ip at remote.


I've also added a diagram.


Thanks



a.alekseev Wed, 07/02/2008 - 05:00

on central

access-list inside_access_in extended permit ip X.Y.Z.0 255.255.255.0 RemoteLAN 255.255.255.0

sysopt connection permit-vpn


on remote

sysopt connection permit-vpn


sandman42 Wed, 07/02/2008 - 05:26

It doesn't work.


BTW, these are the show crypto ipsec sa


centralASA# sh crypto ipsec sa

interface: outside

Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: CENTRAL_PUBLIC_IP


local ident (addr/mask/prot/port): (X.Y.Z.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (RemoteLAN/255.255.255.0/0/0)

current_peer: PEER_DYNAMIC_IP


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 293, #pkts decrypt: 293, #pkts verify: 293

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0


local crypto endpt.: CENTRAL_PUBLIC_IP, remote crypto endpt.: PEER_DYNAMIC_IP


path mtu 1500, ipsec overhead 74, media mtu 1500

current outbound spi: 3CC70558


inbound esp sas:

spi: 0xDAB0C0C8 (3669016776)

transform: esp-aes-256 esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 20480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

sa timing: remaining key lifetime (kB/sec): (4274982/28294)

IV size: 16 bytes

replay detection support: Y

outbound esp sas:

spi: 0x3CC70558 (1019675992)

transform: esp-aes-256 esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 20480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

sa timing: remaining key lifetime (kB/sec): (4275000/28293)

IV size: 16 bytes

replay detection support: Y


remoteASA# sh crypto ipsec sa

interface: outside

Crypto map tag: outside_map, seq num: 1, local addr: E.F.G.2


access-list outside_1_cryptomap permit ip A.B.C.0 255.255.255.0 ReteKB 255.255.255.0

local ident (addr/mask/prot/port): (A.B.C.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (ReteKB/255.255.255.0/0/0)

current_peer: CENTRAL_PUBLIC_IP


#pkts encaps: 294, #pkts encrypt: 294, #pkts digest: 294

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 294, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0


local crypto endpt.: E.F.G.2, remote crypto endpt.: CENTRAL_PUBLIC_IP


path mtu 1500, ipsec overhead 74, media mtu 1500

current outbound spi: DAB0C0C8


inbound esp sas:

spi: 0x3CC70558 (1019675992)

transform: esp-aes-256 esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 20480, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (4275000/28014)

IV size: 16 bytes

replay detection support: Y

outbound esp sas:

spi: 0xDAB0C0C8 (3669016776)

transform: esp-aes-256 esp-sha-hmac none

in use settings ={L2L, Tunnel, PFS Group 2, }

slot: 0, conn_id: 20480, crypto-map: outside_map

sa timing: remaining key lifetime (kB/sec): (4274982/28014)

IV size: 16 bytes

replay detection support: Y


Notice that remoteASA has a


access-list outside_1_cryptomap permit ip A.B.C.0 255.255.255.0 ReteKB 255.255.255.0

local ident (addr/mask/prot/port): (A.B.C.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (ReteKB/255.255.255.0/0/0)


while centralASA has only a


local ident (addr/mask/prot/port): (A.B.C.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (ReteKB/255.255.255.0/0/0)


isn't this the problem, i.e. isn't it centralASA that doesn't know how to send packets back?


Thanks
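An added diagnostic, not part of the thread or of any Cisco tool: a small Python parser over constructed `sh crypto ipsec sa` output (modelled on the pastes above, using the poster's X.Y.Z.0 and A.B.C.0 placeholders) that checks the proxy identities mirror each other and flags the one-way counter pattern this post ends on, where one side decrypts traffic but never encrypts a reply.

```python
import re

# Constructed sample output, modelled on the "sh crypto ipsec sa" pastes in the
# thread (central LAN X.Y.Z.0/24, remote LAN A.B.C.0/24, last counters shown there).
CENTRAL_SA = """\
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: CENTRAL_PUBLIC_IP
local ident (addr/mask/prot/port): (X.Y.Z.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (A.B.C.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 293, #pkts decrypt: 293, #pkts verify: 293
"""
REMOTE_SA = """\
Crypto map tag: outside_map, seq num: 1, local addr: E.F.G.2
local ident (addr/mask/prot/port): (A.B.C.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (X.Y.Z.0/255.255.255.0/0/0)
#pkts encaps: 294, #pkts encrypt: 294, #pkts digest: 294
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sa(text):
    """Extract proxy identities and encaps/decaps counters from one SA block."""
    sa = {}
    for side, net, mask in IDENT_RE.findall(text):
        sa[side] = (net, mask)          # sa["local"], sa["remote"]
    for name, value in COUNTER_RE.findall(text):
        sa[name] = int(value)           # sa["encaps"], sa["decaps"]
    return sa


def diagnose(central_text, remote_text):
    """Return findings about the tunnel; an empty list means both directions carry traffic."""
    c, r = parse_sa(central_text), parse_sa(remote_text)
    findings = []
    # Proxy identities must mirror each other, otherwise phase 2 would not match at all.
    if c.get("local") != r.get("remote") or c.get("remote") != r.get("local"):
        findings.append("proxy identities do not mirror")
    for name, me, peer in (("central", c, r), ("remote", r, c)):
        # Peer encrypts but this side never decrypts: packets lost before or inside the tunnel.
        if peer.get("encaps", 0) > 0 and me.get("decaps", 0) == 0:
            findings.append(f"{name} never decrypts what its peer encrypts")
        # The thread's symptom: packets are decrypted here but no reply is ever encrypted,
        # so the return traffic is dropped or routed elsewhere after leaving the tunnel.
        if me.get("decaps", 0) > 0 and me.get("encaps", 0) == 0:
            findings.append(f"{name} decrypts but never encrypts a reply")
    return findings
```

Run `diagnose(CENTRAL_SA, REMOTE_SA)` on real output from both boxes after paste-sanitising it the same way; a finding on the central side points at the inside access-list, NAT exemption or routing for the return path rather than at the IKE negotiation.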
