07-01-2008 12:57 AM - edited 02-21-2020 03:47 PM
Hi,
I'm trying to set up a VPN between an ASA5505 on Central Site with static IP and a remote ASA connected to a router having a dynamic IP.
I've tried to follow the Cisco site sample named "PIX/ASA 7.x PIX-to-PIX Dynamic-to-Static IPsec with NAT and VPN Client Configuration Example" (http://cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml), but it doesn't work.
The problem is that when I generate some traffic, on the central ASA I have the message (Remote_Dynamic_IP is just to remove the real IP):
Jul 01 10:24:24 [IKEv1]: IP = Remote_Dynamic_IP, Error processing payload: Payload ID: 1
Jul 01 10:24:24 [IKEv1]: IP = Remote_Dynamic_IP, Removing peer from peer table failed, no match!
Jul 01 10:24:24 [IKEv1]: IP = Remote_Dynamic_IP, Error: Unable to remove PeerTblEntry
Jul 01 10:24:31 [IKEv1]: IP = Remote_Dynamic_IP, Error processing payload: Payload ID: 1
Jul 01 10:24:31 [IKEv1]: IP = Remote_Dynamic_IP, Removing peer from peer table failed, no match!
Jul 01 10:24:31 [IKEv1]: IP = Remote_Dynamic_IP, Error: Unable to remove PeerTblEntry
Remote router and remote asa are connected on a network with fixed addresses, i.e.:
dynamic_ip-->router<--static_ip(E.F.G.1)--static_ip(E.F.G.2/30)--|<--remote_lan(A.B.C.0/24)
Attached you'll find the relevant part of CentralASA and RemoteASA configurations
What's wrong?
Thanks in advance
Ciao
07-01-2008 02:11 AM
Try to replace your configuration
####
tunnel-group RemoteAsa type ipsec-l2l
tunnel-group RemoteASA ipsec-attributes
pre-shared-key *
####
with
####
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
####
DefaultL2LGroup is a built-in group.
07-01-2008 02:33 AM
It gives an error:
CentralASA(config)# tunnel-group DefaultL2LGroup type ipsec-l2l
^
ERROR: % Invalid input detected at '^' marker.
CentralASA(config)# tunnel-group DefaultL2LGroup general-attributes
CentralASA(config-tunnel-general)# authentication-server-group none
^
ERROR: % Invalid input detected at '^' marker.
CentralASA(config-tunnel-general)# tunnel-group DefaultL2LGroup ipsec-attributes
CentralASA(config-tunnel-ipsec)#
SW Release is: Cisco Adaptive Security Appliance Software Version 8.0(3)
Thanks
07-01-2008 02:49 AM
tunnel-group DefaultL2LGroup ipsec-attributes
Set the pre-shared-key for DefaultL2LGroup here, the same one as you use on the RemoteASA.
07-01-2008 06:32 AM
No way:
Jul 01 16:19:38 [IKEv1]: IP = RemoteDynamicIP, Removing peer from peer table failed, no match!
Jul 01 16:19:38 [IKEv1]: IP = RemoteDynamicIP, Error: Unable to remove PeerTblEntry
Jul 01 16:19:46 [IKEv1]: IP = RemoteDynamicIP, Removing peer from peer table failed, no match!
Jul 01 16:19:46 [IKEv1]: IP = RemoteDynamicIP, Error: Unable to remove PeerTblEntry
Jul 01 16:19:54 [IKEv1]: IP = RemoteDynamicIP, Removing peer from peer table failed, no match!
Jul 01 16:19:54 [IKEv1]: IP = RemoteDynamicIP, Error: Unable to remove PeerTblEntry
Jul 01 16:20:02 [IKEv1]: IP = RemoteDynamicIP, Removing peer from peer table failed, no match!
Jul 01 16:20:02 [IKEv1]: IP = RemoteDynamicIP, Error: Unable to remove PeerTblEntry
I've attached a debug crypto isakmp 255 on the central site asa and on the remote.
Any idea?
Thanks a lot
07-01-2008 07:40 AM
On RemoteASA
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
07-01-2008 10:17 PM
Ok. Now VPN is up.
Now one more problem: if I try for example to connect via VNC from a computer on the remote lan to a computer on the central site lan, on the central ASA I have:
3 Jul 02 2008 08:05:26 713042 IKE Initiator unable to find policy: Intf outside, Src: IP_ON_REMOTE_LAN Dst: IP_ON_CENTRAL LAN
Am I missing something else?
Thanks for your answers
07-01-2008 11:00 PM
Hi,
show "sh crypto ipsec sa" on both sides when the vpn is up.
07-02-2008 01:16 AM
centralASA# sh crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: CENTRAL_PUBLIC_IP
local ident (addr/mask/prot/port): (CentralLAN/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (RemoteLAN/255.255.255.0/0/0)
current_peer: PEER_DYNAMIC_IP
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: CENTRAL_PUBLIC_IP, remote crypto endpt.: PEER_DYNAMIC_IP
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 7D43EDFE
inbound esp sas:
spi: 0x4552E88B (1163061387)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4275000/28771)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x7D43EDFE (2101603838)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4275000/28771)
IV size: 16 bytes
replay detection support: Y
remoteASA# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: REMOTE_LAN_FIREWALL_IP
access-list outside_1_cryptomap permit ip RemoteLAN 255.255.255.0 CentralLAN 255.255.255.0
local ident (addr/mask/prot/port): (RemoteLAN/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (CentralLAN/255.255.255.0/0/0)
current_peer: CENTRAL_PUBLIC_IP
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: REMOTE_LAN_FIREWALL_IP, remote crypto endpt.: CENTRAL_PUBLIC_IP
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 4552E88B
inbound esp sas:
spi: 0x7D43EDFE (2101603838)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 16384, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4275000/28797)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x4552E88B (1163061387)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 16384, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4275000/28797)
IV size: 16 bytes
replay detection support: Y
Thanks once more
07-02-2008 03:52 AM
I see that the vpn is up but there are no packets encrypted or decrypted.
So could you show the configurations on both sides?
07-02-2008 04:44 AM
Here they are.
I've performed some editing, i.e. hiding the real IPs, but in a smart way.
Particularly, the conventions in both files are:
On central site the LAN is X.Y.Z.0/24
CENTRAL_PUBLIC_IP is the static central site public IP (the outside of centralASA). Note: everywhere in the real config, CENTRAL_PUBLIC_IP is explicit, i.e. a normal IP address, let's say 1.2.3.4.
On remote site, lan is A.B.C.0/24, firewall outside is D.E.F.2/30, router is D.E.F.1/30, DYNAMIC_PUBLIC_IP is the dynamic ip at remote.
I've also added a diagram.
Thanks
07-02-2008 05:00 AM
on central
access-list inside_access_in extended permit ip X.Y.Z.0 255.255.255.0 RemoteLAN 255.255.255.0
sysopt connection permit-vpn
on remote
sysopt connection permit-vpn
07-02-2008 05:26 AM
It doesn't work.
BTW, these are the show crypto ipsec sa outputs:
centralASA# sh crypto ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: CENTRAL_PUBLIC_IP
local ident (addr/mask/prot/port): (X.Y.Z.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (RemoteLAN/255.255.255.0/0/0)
current_peer: PEER_DYNAMIC_IP
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 293, #pkts decrypt: 293, #pkts verify: 293
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: CENTRAL_PUBLIC_IP, remote crypto endpt.: PEER_DYNAMIC_IP
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 3CC70558
inbound esp sas:
spi: 0xDAB0C0C8 (3669016776)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 20480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4274982/28294)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x3CC70558 (1019675992)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 20480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4275000/28293)
IV size: 16 bytes
replay detection support: Y
remoteASA# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: E.F.G.2
access-list outside_1_cryptomap permit ip A.B.C.0 255.255.255.0 ReteKB 255.255.255.0
local ident (addr/mask/prot/port): (A.B.C.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (ReteKB/255.255.255.0/0/0)
current_peer: CENTRAL_PUBLIC_IP
#pkts encaps: 294, #pkts encrypt: 294, #pkts digest: 294
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 294, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: E.F.G.2, remote crypto endpt.: CENTRAL_PUBLIC_IP
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: DAB0C0C8
inbound esp sas:
spi: 0x3CC70558 (1019675992)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 20480, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4275000/28014)
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0xDAB0C0C8 (3669016776)
transform: esp-aes-256 esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 20480, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4274982/28014)
IV size: 16 bytes
replay detection support: Y
Notice that remoteASA's output has
access-list outside_1_cryptomap permit ip A.B.C.0 255.255.255.0 ReteKB 255.255.255.0
local ident (addr/mask/prot/port): (A.B.C.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (ReteKB/255.255.255.0/0/0)
while centralASA has only a
local ident (addr/mask/prot/port): (A.B.C.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (ReteKB/255.255.255.0/0/0)
Isn't this the problem, i.e. isn't it centralASA that doesn't know how to send packets back?
Thanks
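A cross-check of two "sh crypto ipsec sa" outputs of the kind this thread walks through, as an added example rather than anything posted in the thread: it verifies that the ESP SPIs and proxy identities of both ends mirror each other and flags the one-way counter pattern seen above (central decrypts 293 packets but encrypts none), which points at return traffic on the central side never entering the tunnel. The sample outputs are constructed from the thread's placeholders, with the LAN names made consistent on both sides.

```python
import re
# Constructed "show crypto ipsec sa" excerpts using the thread's LAN names
# (central X.Y.Z.0/24, remote A.B.C.0/24) and its last pair of packet counters.
CENTRAL = """\
local ident (addr/mask/prot/port): (X.Y.Z.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (A.B.C.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 293, #pkts decrypt: 293, #pkts verify: 293
inbound esp sas:
spi: 0xDAB0C0C8 (3669016776)
outbound esp sas:
spi: 0x3CC70558 (1019675992)
"""
REMOTE = """\
local ident (addr/mask/prot/port): (A.B.C.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (X.Y.Z.0/255.255.255.0/0/0)
#pkts encaps: 294, #pkts encrypt: 294, #pkts digest: 294
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
inbound esp sas:
spi: 0x3CC70558 (1019675992)
outbound esp sas:
spi: 0xDAB0C0C8 (3669016776)
"""

def parse_sa(text):
    # Proxy identities, encaps/decaps counters and the ESP SPIs of one SA block.
    sa, section = {"encaps": 0, "decaps": 0}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"(local|remote) ident.*\((\S+?)/(\S+?)/", line):
            sa[m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"#pkts (encaps|decaps):\s*(\d+)", line):
            sa[m.group(1)] = int(m.group(2))
        elif m := re.match(r"(inbound|outbound) esp sas", line):
            section = m.group(1)[:-5] + "_spi"       # "in_spi" / "out_spi"
        elif section and (m := re.match(r"spi:\s*0x([0-9A-Fa-f]+)", line)):
            sa[section], section = m.group(1).upper(), None
    return sa

def diagnose(a, b):
    # Findings for an SA pair; an empty list means the two ends agree.
    findings = []
    if a.get("in_spi") != b.get("out_spi") or a.get("out_spi") != b.get("in_spi"):
        findings.append("spi-mismatch")        # not the same SA pair on both ends
    if a.get("local") != b.get("remote") or a.get("remote") != b.get("local"):
        findings.append("proxy-id-mismatch")   # crypto ACLs do not mirror each other
    for name, sa in (("a", a), ("b", b)):      # decrypts but never encrypts, so its
        if sa["decaps"] and not sa["encaps"]:  # return traffic never enters the tunnel
            findings.append(f"one-way:{name}-never-encrypts")
    return findings
```

Run it as diagnose(parse_sa(CENTRAL), parse_sa(REMOTE)); on the thread's counters the only finding is the one-way pattern on the central side, which is exactly where to look (crypto ACL, NAT exemption and inside-to-VPN access) rather than at IKE.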