07-01-2008 12:57 AM - edited 02-21-2020 03:47 PM
Hi,
I'm trying to set up a VPN between an ASA5505 on Central Site with static IP and a remote ASA connected to a router having a dynamic IP.
I've tried to follow the Cisco site sample named "PIX/ASA 7.x PIX-to-PIX Dynamic-to-Static IPsec with NAT and VPN Client Configuration Example" (http://cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml), but it doesn't work.
The problem is that when I generate some traffic, on the central ASA I have the message (Remote_Dynamic_IP is just to remove the real IP):
Jul 01 10:24:24 [IKEv1]: IP = Remote_Dynamic_IP, Error processing payload: Payload ID: 1
Jul 01 10:24:24 [IKEv1]: IP = Remote_Dynamic_IP, Removing peer from peer table failed, no match!
Jul 01 10:24:24 [IKEv1]: IP = Remote_Dynamic_IP, Error: Unable to remove PeerTblEntry
Jul 01 10:24:31 [IKEv1]: IP = Remote_Dynamic_IP, Error processing payload: Payload ID: 1
Jul 01 10:24:31 [IKEv1]: IP = Remote_Dynamic_IP, Removing peer from peer table failed, no match!
Jul 01 10:24:31 [IKEv1]: IP = Remote_Dynamic_IP, Error: Unable to remove PeerTblEntry
Remote router and remote ASA are connected on a network with fixed addresses, i.e.:
dynamic_ip-->router<--static_ip(E.F.G.1)--static_ip(E.F.G.2/30)--|<!--remote_lan(A.B.C.0/24)
Attached you'll find the relevant part of CentralASA and RemoteASA configurations
What's wrong?
Thanks in advance
Ciao
07-01-2008 02:11 AM
try to replace your configuration
####
tunnel-group RemoteAsa type ipsec-l2l
tunnel-group RemoteASA ipsec-attributes
pre-shared-key *
####
with
####
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
####
DefaultL2LGroup is a built-in group.
07-01-2008 02:33 AM
It gives an error:
CentralASA(config)# tunnel-group DefaultL2LGroup type ipsec-l2l
^
ERROR: % Invalid input detected at '^' marker.
CentralASA(config)# tunnel-group DefaultL2LGroup general-attributes
CentralASA(config-tunnel-general)# authentication-server-group none
^
ERROR: % Invalid input detected at '^' marker.
CentralASA(config-tunnel-general)# tunnel-group DefaultL2LGroup ipsec-attributes
CentralASA(config-tunnel-ipsec)#
SW Release is: Cisco Adaptive Security Appliance Software Version 8.0(3)
Thanks
07-01-2008 02:49 AM
tunnel-group DefaultL2LGroup ipsec-attributes
set here the pre-shared-key for DefaultL2LGroup the same as you use on the RemoteASA.
07-01-2008 06:32 AM
No way:
Jul 01 16:19:38 [IKEv1]: IP = RemoteDynamicIP, Removing peer from peer table failed, no match!
Jul 01 16:19:38 [IKEv1]: IP = RemoteDynamicIP, Error: Unable to remove PeerTblEntry
Jul 01 16:19:46 [IKEv1]: IP = RemoteDynamicIP, Removing peer from peer table failed, no match!
Jul 01 16:19:46 [IKEv1]: IP = RemoteDynamicIP, Error: Unable to remove PeerTblEntry
Jul 01 16:19:54 [IKEv1]: IP = RemoteDynamicIP, Removing peer from peer table failed, no match!
Jul 01 16:19:54 [IKEv1]: IP = RemoteDynamicIP, Error: Unable to remove PeerTblEntry
Jul 01 16:20:02 [IKEv1]: IP = RemoteDynamicIP, Removing peer from peer table failed, no match!
Jul 01 16:20:02 [IKEv1]: IP = RemoteDynamicIP, Error: Unable to remove PeerTblEntry
I've attached a debug crypto isakmp 255 on the central site asa and on the remote.
Any idea?
Thanks a lot
07-01-2008 07:40 AM
On RemoteASA
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
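The fix above works because IKEv1 phase 1 only completes when the initiator offers a policy the responder has an exact counterpart for (authentication, encryption, hash, DH group; lifetime is negotiated down to the shorter value). The earlier "Error processing payload: Payload ID: 1" lines point the same way: in ISAKMP, payload type 1 is the Security Association payload, i.e. the proposal was rejected. The script below is an added example, not code from the thread or from Cisco: it parses `crypto isakmp policy` blocks out of two ASA config excerpts and reports whether any pair is compatible, so a mismatch can be spotted before turning on `debug crypto isakmp`. The ASA defaults for omitted attributes and the sample policies (CENTRAL, REMOTE_BEFORE) are assumptions; REMOTE_AFTER is the policy from the answer above. A practitioner applying this today would move both ends off `hash md5` to `sha`, changing both sides together so they still match.

```python
import re
from typing import Dict, List, Tuple

# Defaults the ASA applies when an IKEv1 policy omits an attribute
# (assumed from the ASA configuration guide; verify for your release).
DEFAULTS = {
    "authentication": "pre-share",
    "encryption": "3des",
    "hash": "sha",
    "group": "2",
    "lifetime": "86400",
}
# Phase-1 attributes that must match exactly between peers.
# Lifetime is excluded: IKEv1 peers settle on the shorter value.
STRICT = ("authentication", "encryption", "hash", "group")


def parse_isakmp_policies(config: str) -> Dict[int, Dict[str, str]]:
    """Return {priority: {attribute: value}} for every 'crypto isakmp policy' block."""
    policies: Dict[int, Dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = re.match(r"crypto isakmp policy (\d+)$", line)
        if head:
            current = int(head.group(1))
            policies[current] = dict(DEFAULTS)
            continue
        parts = line.split()
        if current is not None and parts[0] in DEFAULTS:
            # Accept both indented (show run) and unindented (pasted) sub-commands.
            policies[current][parts[0]] = " ".join(parts[1:])
        elif not raw.startswith(" "):
            current = None  # an unindented, unrelated command ends the block
    return policies


def diff_policy(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Attributes on which two policies disagree (lifetime included, informationally)."""
    return {k: (a[k], b[k]) for k in DEFAULTS if a[k] != b[k]}


def compatible_policies(initiator_cfg: str, responder_cfg: str) -> List[Tuple[int, int]]:
    """(initiator priority, responder priority) pairs that agree on all STRICT attributes."""
    ini = parse_isakmp_policies(initiator_cfg)
    rsp = parse_isakmp_policies(responder_cfg)
    return [
        (ip, rp)
        for ip, ipol in sorted(ini.items())
        for rp, rpol in sorted(rsp.items())
        if all(ipol[k] == rpol[k] for k in STRICT)
    ]


# Constructed config excerpts. CENTRAL is assumed to carry the policy the
# answer above puts on RemoteASA; REMOTE_BEFORE is an assumed mismatch.
CENTRAL = """
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
crypto isakmp enable outside
"""
REMOTE_BEFORE = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""
REMOTE_AFTER = """
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
"""

if __name__ == "__main__":
    print("before:", compatible_policies(REMOTE_BEFORE, CENTRAL))  # []
    print("after: ", compatible_policies(REMOTE_AFTER, CENTRAL))   # [(10, 10)]
    print("why:   ", diff_policy(parse_isakmp_policies(REMOTE_BEFORE)[10],
                                 parse_isakmp_policies(CENTRAL)[10]))
```

Run it against `show running-config | begin crypto isakmp policy` from each box; an empty result from `compatible_policies` is the configuration-level explanation for a phase-1 failure such as the one logged at the start of the thread.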
07-01-2008 10:17 PM
Ok. Now VPN is up.
Now one more problem: if I try for example to connect via VNC from a computer on the remote lan to a computer on the central site lan, on the central ASA I have:
3 Jul 02 2008 08:05:26 713042 IKE Initiator unable to find policy: Intf outside, Src: IP_ON_REMOTE_LAN Dst: IP_ON_CENTRAL_LAN
Am I missing something else?
Thanks for your answers
07-01-2008 11:00 PM
Hi,
Show the output of "sh crypto ipsec sa" on both sides when the VPN is up.
07-02-2008 01:16 AM
centralASA# sh crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: CENTRAL_PUBLIC_IP
local ident (addr/mask/prot/port): (CentralLAN/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (RemoteLAN/255.255.255.0/0/0)
current_peer: PEER_DYNAMIC_IP
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: CENTRAL_PUBLIC_IP, remote crypto endpt.: PEER_DYNAMIC_IP
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 7D43EDFE
inbound esp sas:
spi: 0x4552E88B (1163061387)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4275000/28771)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x7D43EDFE (2101603838)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4275000/28771)
IV size: 16 bytes
replay detection support: Y
remoteASA# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: REMOTE_LAN_FIREWALL_IP
access-list outside_1_cryptomap permit ip RemoteLAN 255.255.255.0 CentralLAN 255.255.255.0
local ident (addr/mask/prot/port): (RemoteLAN/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (CentralLAN/255.255.255.0/0/0)
current_peer: CENTRAL_PUBLIC_IP
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: REMOTE_LAN_FIREWALL_IP, remote crypto endpt.: CENTRAL_PUBLIC_IP
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 4552E88B
inbound esp sas:
spi: 0x7D43EDFE (2101603838)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 16384, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4275000/28797)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x4552E88B (1163061387)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 16384, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4275000/28797)
IV size: 16 bytes
replay detection support: Y
Thanks once more
07-02-2008 03:52 AM
I see that the VPN is up but there are no packets encrypted or decrypted.
So could you show the configurations on both sides?
07-02-2008 04:44 AM
Here they are.
I've performed some editing, i.e. hiding the real IPs, but in a smart way.
Particularly, the conventions in both files are:
On central site the LAN is X.Y.Z.0/24
CENTRAL_PUBLIC_IP is the static central site public IP (the outside of centralASA). Note: everywhere in the real config, CENTRAL_PUBLIC_IP is explicit, i.e. a normal IP address, let's say 1.2.3.4:
On remote site, LAN is A.B.C.0/24, firewall outside is D.E.F.2/30, router is D.E.F.1/30, DYNAMIC_PUBLIC_IP is the dynamic IP at remote.
I've also added a diagram.
Thanks
07-02-2008 05:00 AM
on central
access-list inside_access_in extended permit ip X.Y.Z.0 255.255.255.0 RemoteLAN 255.255.255.0
sysopt connection permit-vpn
on remote
sysopt connection permit-vpn
07-02-2008 05:26 AM
It doesn't work.
BTW, these are the show crypto ipsec sa
centralASA# sh crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: CENTRAL_PUBLIC_IP
local ident (addr/mask/prot/port): (X.Y.Z.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (RemoteLAN/255.255.255.0/0/0)
current_peer: PEER_DYNAMIC_IP
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 293, #pkts decrypt: 293, #pkts verify: 293
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: CENTRAL_PUBLIC_IP, remote crypto endpt.: PEER_DYNAMIC_IP
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 3CC70558
inbound esp sas:
spi: 0xDAB0C0C8 (3669016776)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 20480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4274982/28294)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x3CC70558 (1019675992)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 20480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4275000/28293)
IV size: 16 bytes
replay detection support: Y
remoteASA# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: E.F.G.2
access-list outside_1_cryptomap permit ip A.B.C.0 255.255.255.0 ReteKB 255.255.255.0
local ident (addr/mask/prot/port): (A.B.C.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (ReteKB/255.255.255.0/0/0)
current_peer: CENTRAL_PUBLIC_IP
#pkts encaps: 294, #pkts encrypt: 294, #pkts digest: 294
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 294, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: E.F.G.2, remote crypto endpt.: CENTRAL_PUBLIC_IP
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: DAB0C0C8
inbound esp sas:
spi: 0x3CC70558 (1019675992)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 20480, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4275000/28014)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0xDAB0C0C8 (3669016776)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 20480, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4274982/28014)
IV size: 16 bytes
replay detection support: Y
Notice that remoteASA's output has an
access-list outside_1_cryptomap permit ip A.B.C.0 255.255.255.0 ReteKB 255.255.255.0
local ident (addr/mask/prot/port): (A.B.C.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (ReteKB/255.255.255.0/0/0)
while centralASA's has only a
local ident (addr/mask/prot/port): (A.B.C.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (ReteKB/255.255.255.0/0/0)
Isn't this the problem, i.e. isn't it that centralASA doesn't know how to send the packets back?
Thanks
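The two outputs above carry the diagnosis: remoteASA shows 294 packets encapsulated and 0 decapsulated, centralASA shows 293 decapsulated and 0 encapsulated, while the local/remote identities are mirrored on both sides. Traffic from A.B.C.0/24 reaches the central site fine; the replies from X.Y.Z.0/24 never enter the tunnel on centralASA. That is a central-side return-path problem (typically the reply traffic not matching the crypto map's proxy identity or being caught by NAT before encryption), not an identity mismatch. The script below is an added example, not code from the thread or from Cisco: it parses `show crypto ipsec sa` output from both ends, checks that the proxy identities mirror each other, and classifies one-way counters. The `sample_sa` helper builds constructed excerpts in the ASA 8.0 layout shown in the thread; the addresses are the thread's own placeholders.

```python
import re
from typing import Dict, List

SA_HEAD = re.compile(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)")
IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/[^/]+/[^)]+\)")
PEER = re.compile(r"current_peer: (\S+)")
ENCAPS = re.compile(r"#pkts encaps: (\d+), #pkts encrypt: (\d+)")
DECAPS = re.compile(r"#pkts decaps: (\d+), #pkts decrypt: (\d+)")


def parse_ipsec_sa(text: str) -> List[Dict[str, object]]:
    """One dict per crypto-map entry in 'show crypto ipsec sa' output."""
    sas: List[Dict[str, object]] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SA_HEAD.search(line)
        if m:
            cur = {"map": m.group(1), "seq": int(m.group(2)), "local_addr": m.group(3),
                   "local_ident": "", "remote_ident": "", "peer": "", "encaps": 0, "decaps": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = IDENT.search(line)
        if m:
            cur[f"{m.group(1)}_ident"] = f"{m.group(2)}/{m.group(3)}"
            continue
        m = PEER.search(line)
        if m:
            cur["peer"] = m.group(1)
            continue
        m = ENCAPS.search(line)
        if m:
            cur["encaps"] = int(m.group(1))
            continue
        m = DECAPS.search(line)
        if m:
            cur["decaps"] = int(m.group(1))
    return sas


def diagnose(side_a: str, side_b: str) -> List[str]:
    """Compare the first SA on each side and return finding codes ('a' = side_a, 'b' = side_b)."""
    a = parse_ipsec_sa(side_a)[0]
    b = parse_ipsec_sa(side_b)[0]
    findings: List[str] = []
    # Proxy identities must be exact mirrors or the SA would not negotiate cleanly.
    if a["local_ident"] != b["remote_ident"] or a["remote_ident"] != b["local_ident"]:
        findings.append("idents_not_mirrored")
    if a["encaps"] == 0 and b["encaps"] == 0:
        findings.append("no_interesting_traffic")  # nothing matched a crypto ACL on either side
    for src, dst, name in ((a, b, "b"), (b, a, "a")):
        if src["encaps"] > 0 and dst["decaps"] == 0:
            findings.append(f"{name}_never_decrypts")  # sent, but lost in transit or rejected
        if dst["decaps"] > 0 and dst["encaps"] == 0:
            findings.append(f"{name}_no_return_traffic")  # replies are not entering the tunnel
    return findings


def sample_sa(map_tag: str, local_addr: str, peer: str, local_net: str,
              remote_net: str, encaps: int, decaps: int) -> str:
    """Constructed 'show crypto ipsec sa' excerpt in the ASA 8.0 layout seen in the thread."""
    return f"""interface: outside
    Crypto map tag: {map_tag}, seq num: 1, local addr: {local_addr}

      local ident (addr/mask/prot/port): ({local_net}/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): ({remote_net}/255.255.255.0/0/0)
      current_peer: {peer}

      #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
      #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
"""


# Constructed samples mirroring the counters in the last two outputs above.
CENTRAL_SA = sample_sa("SYSTEM_DEFAULT_CRYPTO_MAP", "CENTRAL_PUBLIC_IP", "PEER_DYNAMIC_IP",
                       "X.Y.Z.0", "A.B.C.0", encaps=0, decaps=293)
REMOTE_SA = sample_sa("outside_map", "E.F.G.2", "CENTRAL_PUBLIC_IP",
                      "A.B.C.0", "X.Y.Z.0", encaps=294, decaps=0)

if __name__ == "__main__":
    print(diagnose(CENTRAL_SA, REMOTE_SA))  # ['a_no_return_traffic']
```

`a_no_return_traffic` for the central side is the state the thread is stuck in: the next things to check on centralASA are the NAT exemption for X.Y.Z.0/24 to A.B.C.0/24 and that the reply traffic is matched by the dynamic crypto map entry, since the identities themselves are already mirrored.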