ASA - Cannot set up Dynamic IP remote to central static IP VPN

sandman42
Level 1

Hi,

I'm trying to set up a VPN between an ASA5505 on Central Site with static IP and a remote ASA connected to a router having a dynamic IP.

I've tried to follow the Cisco site sample named "PIX/ASA 7.x PIX-to-PIX Dynamic-to-Static IPsec with NAT and VPN Client Configuration Example" (http://cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml), but it doesn't work.

The problem is that when I generate some traffic, on the central ASA I have the message (Remote_Dynamic_IP is just to remove the real IP):

Jul 01 10:24:24 [IKEv1]: IP = Remote_Dynamic_IP, Error processing payload: Payload ID: 1
Jul 01 10:24:24 [IKEv1]: IP = Remote_Dynamic_IP, Removing peer from peer table failed, no match!
Jul 01 10:24:24 [IKEv1]: IP = Remote_Dynamic_IP, Error: Unable to remove PeerTblEntry
Jul 01 10:24:31 [IKEv1]: IP = Remote_Dynamic_IP, Error processing payload: Payload ID: 1
Jul 01 10:24:31 [IKEv1]: IP = Remote_Dynamic_IP, Removing peer from peer table failed, no match!
Jul 01 10:24:31 [IKEv1]: IP = Remote_Dynamic_IP, Error: Unable to remove PeerTblEntry

Remote router and remote asa are connected on a network with fixed addresses, i.e.:

dynamic_ip-->router<--static_ip(E.F.G.1)--static_ip(E.F.G.2/30)--|<--remote_lan(A.B.C.0/24)

Attached you'll find the relevant part of CentralASA and RemoteASA configurations

What's wrong?

Thanks in advance

Ciao


a.alekseev
Level 7

Try to replace your configuration

####
tunnel-group RemoteAsa type ipsec-l2l
tunnel-group RemoteASA ipsec-attributes
 pre-shared-key *
####

with

####
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
 authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
####

DefaultL2LGroup is a built-in group.

It gives an error:

CentralASA(config)# tunnel-group DefaultL2LGroup type ipsec-l2l
^
ERROR: % Invalid input detected at '^' marker.

CentralASA(config)# tunnel-group DefaultL2LGroup general-attributes
CentralASA(config-tunnel-general)# authentication-server-group none
^
ERROR: % Invalid input detected at '^' marker.

CentralASA(config-tunnel-general)# tunnel-group DefaultL2LGroup ipsec-attributes
CentralASA(config-tunnel-ipsec)#

SW Release is: Cisco Adaptive Security Appliance Software Version 8.0(3)

Thanks

tunnel-group DefaultL2LGroup ipsec-attributes

Set the pre-shared-key for DefaultL2LGroup here, the same one you use on the RemoteASA.

No way:

Jul 01 16:19:38 [IKEv1]: IP = RemoteDynamicIP, Removing peer from peer table failed, no match!
Jul 01 16:19:38 [IKEv1]: IP = RemoteDynamicIP, Error: Unable to remove PeerTblEntry
Jul 01 16:19:46 [IKEv1]: IP = RemoteDynamicIP, Removing peer from peer table failed, no match!
Jul 01 16:19:46 [IKEv1]: IP = RemoteDynamicIP, Error: Unable to remove PeerTblEntry
Jul 01 16:19:54 [IKEv1]: IP = RemoteDynamicIP, Removing peer from peer table failed, no match!
Jul 01 16:19:54 [IKEv1]: IP = RemoteDynamicIP, Error: Unable to remove PeerTblEntry
Jul 01 16:20:02 [IKEv1]: IP = RemoteDynamicIP, Removing peer from peer table failed, no match!
Jul 01 16:20:02 [IKEv1]: IP = RemoteDynamicIP, Error: Unable to remove PeerTblEntry

I've attached a debug crypto isakmp 255 on the central site asa and on the remote.

Any idea?

Thanks a lot

On RemoteASA (accepted solution):

crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
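Putting the thread's pieces together: the "Error processing payload: Payload ID: 1" lines in the first post are the hub rejecting the spoke's ISAKMP SA payload (payload type 1 is the Security Association payload), i.e. no Phase 1 policy on CentralASA matched what RemoteASA proposed, which is why aligning the remote's isakmp policy brought the tunnel up; the DefaultL2LGroup change is what lets a peer whose address is unknown in advance find a pre-shared key at all, since the ASA matches L2L tunnel-groups by peer IP and falls back to the built-in group otherwise. Below is an added example of a complete pair of configurations for this topology in ASA 8.0 syntax; it is not the configuration attached to the original post. The transform-set and dynamic-map names (ESP-AES256-SHA, DYN-L2L), the NAT-T line, and X.Y.Z.0/24 and A.B.C.0/24 as the central and remote LANs are assumptions; the key is shown as *****.

```cisco
! ===== CentralASA (static public IP): accept an L2L peer with an unknown address =====
! Phase 1. This policy must match the spoke's line for line; the accepted solution
! simply made RemoteASA's policy identical to this one.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
! The spoke sits behind a router that translates it to a dynamic IP, so IKE/ESP
! must be able to run over UDP 4500 (assumption: NAT-T not already enabled).
crypto isakmp nat-traversal 20

! Phase 2 proposal, matching the esp-aes-256 esp-sha-hmac seen in "sh crypto ipsec sa".
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! Dynamic crypto map: no "set peer" and no crypto ACL, because the peer address is not
! known and the proxy identities (local/remote ident) are taken from the spoke's proposal.
crypto dynamic-map DYN-L2L 10 set transform-set ESP-AES256-SHA
crypto dynamic-map DYN-L2L 10 set pfs group2

! The dynamic map hangs off the highest sequence number of the static map so that any
! static (known-peer) entries are evaluated first. The ASDM wizard's equivalent is
! SYSTEM_DEFAULT_CRYPTO_MAP at seq 65535, which is what the thread's output shows.
crypto map outside_map 65535 ipsec-isakmp dynamic DYN-L2L
crypto map outside_map interface outside

! The built-in group's type is fixed (hence the error on
! "tunnel-group DefaultL2LGroup type ipsec-l2l"); only its attributes are set.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****

! ===== RemoteASA (behind the router with the dynamic IP): ordinary static-peer L2L =====
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
! Interesting traffic: remote LAN to central LAN. The hub learns these identities.
access-list outside_1_cryptomap extended permit ip A.B.C.0 255.255.255.0 X.Y.Z.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer CENTRAL_PUBLIC_IP
crypto map outside_map 1 set transform-set ESP-AES256-SHA
crypto map outside_map 1 set pfs group2
crypto map outside_map interface outside
! Static peer, so a normal IP-named tunnel-group works on this side.
tunnel-group CENTRAL_PUBLIC_IP type ipsec-l2l
tunnel-group CENTRAL_PUBLIC_IP ipsec-attributes
 pre-shared-key *****
```

Two caveats a practitioner would want. With DefaultL2LGroup any host on the Internet that presents the shared key is accepted as a peer, whatever its address and whatever LAN it proposes, so that key is the entire authentication of the hub: generate it as a long random string and treat it as a secret shared with every spoke, or move to certificate authentication once more than one spoke uses the hub. The md5 hash and DH group 2 are kept above only because they are what the thread's peers already agreed on; on current code choose SHA and a larger group on both sides together, since any difference here reproduces exactly the "Payload ID: 1" error the thread starts with.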

Ok. Now VPN is up.

Now one more problem: if I try for example to connect via VNC from a computer on the remote lan to a computer on the central site lan, on the central ASA I have:

3 Jul 02 2008 08:05:26 713042 IKE Initiator unable to find policy: Intf outside, Src: IP_ON_REMOTE_LAN Dst: IP_ON_CENTRAL_LAN

Am I missing something else?

Thanks for your answers

Hi,

Show the output of "sh crypto ipsec sa" on both sides when the VPN is up.

centralASA# sh crypto ipsec sa
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: CENTRAL_PUBLIC_IP

      local ident (addr/mask/prot/port): (CentralLAN/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (RemoteLAN/255.255.255.0/0/0)
      current_peer: PEER_DYNAMIC_IP

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: CENTRAL_PUBLIC_IP, remote crypto endpt.: PEER_DYNAMIC_IP

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 7D43EDFE

    inbound esp sas:
      spi: 0x4552E88B (1163061387)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4275000/28771)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x7D43EDFE (2101603838)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 16384, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4275000/28771)
         IV size: 16 bytes
         replay detection support: Y

remoteASA# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: REMOTE_LAN_FIREWALL_IP

      access-list outside_1_cryptomap permit ip RemoteLAN 255.255.255.0 CentralLAN 255.255.255.0
      local ident (addr/mask/prot/port): (RemoteLAN/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (CentralLAN/255.255.255.0/0/0)
      current_peer: CENTRAL_PUBLIC_IP

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: REMOTE_LAN_FIREWALL_IP, remote crypto endpt.: CENTRAL_PUBLIC_IP

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 4552E88B

    inbound esp sas:
      spi: 0x7D43EDFE (2101603838)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 16384, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4275000/28797)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x4552E88B (1163061387)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 16384, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4275000/28797)
         IV size: 16 bytes
         replay detection support: Y

Thanks once more

I see that the VPN is up but there are no packets encrypted or decrypted.

So could you show the configurations on both sides?

Here they are.

I've performed some editing, i.e. hiding the real IPs, but in a smart way.

In particular, the conventions in both files are:

On the central site the LAN is X.Y.Z.0/24

CENTRAL_PUBLIC_IP is the static central site public IP (the outside of centralASA). Note: everywhere in the real config, CENTRAL_PUBLIC_IP is explicit, i.e. a normal IP address, let's say 1.2.3.4.

On remote site, lan is A.B.C.0/24, firewall outside is D.E.F.2/30, router is D.E.F.1/30, DYNAMIC_PUBLIC_IP is the dynamic ip at remote.

I've also added a diagram.

Thanks

On central:

access-list inside_access_in extended permit ip X.Y.Z.0 255.255.255.0 RemoteLAN 255.255.255.0
sysopt connection permit-vpn

On remote:

sysopt connection permit-vpn

It doesn't work.

BTW, these are the show crypto ipsec sa

centralASA# sh crypto ipsec sa
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: CENTRAL_PUBLIC_IP

      local ident (addr/mask/prot/port): (X.Y.Z.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (RemoteLAN/255.255.255.0/0/0)
      current_peer: PEER_DYNAMIC_IP

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 293, #pkts decrypt: 293, #pkts verify: 293
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: CENTRAL_PUBLIC_IP, remote crypto endpt.: PEER_DYNAMIC_IP

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 3CC70558

    inbound esp sas:
      spi: 0xDAB0C0C8 (3669016776)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 20480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4274982/28294)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x3CC70558 (1019675992)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 20480, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4275000/28293)
         IV size: 16 bytes
         replay detection support: Y

remoteASA# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: E.F.G.2

      access-list outside_1_cryptomap permit ip A.B.C.0 255.255.255.0 ReteKB 255.255.255.0
      local ident (addr/mask/prot/port): (A.B.C.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (ReteKB/255.255.255.0/0/0)
      current_peer: CENTRAL_PUBLIC_IP

      #pkts encaps: 294, #pkts encrypt: 294, #pkts digest: 294
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 294, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: E.F.G.2, remote crypto endpt.: CENTRAL_PUBLIC_IP

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: DAB0C0C8

    inbound esp sas:
      spi: 0x3CC70558 (1019675992)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 20480, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4275000/28014)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xDAB0C0C8 (3669016776)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 20480, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4274982/28014)
         IV size: 16 bytes
         replay detection support: Y

Notice that remoteASA has

access-list outside_1_cryptomap permit ip A.B.C.0 255.255.255.0 ReteKB 255.255.255.0
local ident (addr/mask/prot/port): (A.B.C.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (ReteKB/255.255.255.0/0/0)

while centralASA has only

local ident (addr/mask/prot/port): (A.B.C.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (ReteKB/255.255.255.0/0/0)

Isn't this the problem, i.e. isn't it centralASA that doesn't know how to send the packets back?

Thanks
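The counters in the second pair of outputs tell the story: RemoteASA encapsulates 294 packets and CentralASA decapsulates 293 of them, but CentralASA's encaps counter stays at 0, so the hub decrypts the spoke's traffic and never sends anything back through the tunnel. On a hub that reaches the peer only through a dynamic crypto map, the two usual reasons are that the reply is translated by NAT before the crypto map is evaluated (it then no longer matches the SA's X.Y.Z.0/24 local identity and leaves the outside interface in the clear) or that the reply never reaches the ASA at all, because the central host or an inside router has no route to A.B.C.0/24 via the ASA. Such a hub also cannot initiate the tunnel itself; message 713042 "IKE Initiator unable to find policy" in the poster's log is what it prints when it tries to start a negotiation for that traffic and finds no static crypto map entry to do it with, so after any change the tunnel has to be brought up again from the remote side. The central configuration is only in an attachment, so the following is an added example of the central-side NAT exemption and ACL handling for ASA 8.0, not the poster's config; the ACL name NONAT is an assumption, the inside ACL name is taken from the reply above, and the nat (inside) form assumes the pre-8.3 NAT syntax that matches the 8.0(3) release named in the thread.

```cisco
! CentralASA: let decrypted spoke traffic in, and make sure replies go back into the
! tunnel instead of being translated or dropped. X.Y.Z.0/24 = central LAN, A.B.C.0/24 =
! remote LAN, as in the thread.

! 1. NAT exemption. If "inside" hosts are PATed to CENTRAL_PUBLIC_IP (assumption: the
!    attached config is not on the page), replies to A.B.C.0 are translated before the
!    crypto map sees them, stop matching the SA's local identity X.Y.Z.0/24, and leave
!    in the clear: encaps stays at 0 while decaps climbs, which is the pattern above.
access-list NONAT extended permit ip X.Y.Z.0 255.255.255.0 A.B.C.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 2. Bypass the interface ACLs for traffic that arrived through a VPN tunnel. The
!    alternative is an explicit permit for A.B.C.0 -> X.Y.Z.0 in the outside ACL, which
!    is the tighter choice when the hub also terminates remote-access clients.
sysopt connection permit-vpn

! 3. If an inside ACL is applied, the LAN hosts' replies to the spoke must be permitted
!    as well (the line suggested in the reply above, with the remote LAN filled in).
access-list inside_access_in extended permit ip X.Y.Z.0 255.255.255.0 A.B.C.0 255.255.255.0

! Verification after the remote side re-initiates the tunnel. Both counters should now
! advance together, and the NONAT entry should show a non-zero hit count.
! centralASA# show crypto ipsec sa peer PEER_DYNAMIC_IP | include pkts encaps|pkts decaps
! centralASA# show access-list NONAT
```

If the exemption is already in place and encaps is still 0, the reply is not reaching the ASA: check from a central host that A.B.C.0/24 is routed to the ASA's inside address, and on the ASA that "show route" has no more specific path for A.B.C.0/24 pointing anywhere but outside.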
