IPSEC VPN With DYNAMIC IP ADDRESS

Unanswered Question
Nov 3rd, 2009

I have an ASA 8.0 with a static IP address, and the remote site has an ADSL router with a dynamic IP address.

I am not able to make the site-to-site VPN connection. I have tried a dynamic map and a standard site-to-site VPN connection, but nothing is working for me.

Please help me out. I am totally stuck. I have attached the router and firewall configuration, and below is the error I am getting.

Nov 3 18:08:34.606: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 83.110.195.120, remote= x.x.x.x,
local_proxy= 172.17.245.210/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4)
Nov 3 18:08:34.606: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 83.110.195.120, remote= x.x.x.x,
local_proxy= 172.17.245.210/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
RISTAR-JXB#
RISTAR-JXB#
Nov 3 18:08:34.810: IPSEC(key_engine): got a queue event with 1 KMI message(s)

If I give 0.0.0.0 in the tunnel-group configuration, it gives me the following error.

ENOCDC-FW03(config)# tunnel-group 0.0.0.0 type ipsec-l2l
WARNING: L2L tunnel-groups that have names which are not an IP
address may only be used if the tunnel authentication
method is Digitial Certificates and/or The peer is
configured to use Aggressive Mode

I have changed the router configuration to aggressive mode, but still no luck.

acomiskey Tue, 11/03/2009 - 13:43

You want to use the DefaultL2LGroup for your tunnel group name, not 0.0.0.0.

wasiimcisco Wed, 11/04/2009 - 07:39

Yes, right, and I even tried this, but it is still not working. I am getting the following errors on the router.

My head office firewall has multiple site-to-site VPN connections and remote access VPN, and they are working fine; only this VPN connection is giving me a problem. I have tried everything.

acomiskey Thu, 11/05/2009 - 05:56

First off, your crypto ACLs should be mirrors of each other. This is how they are now...

Router

access-list 115 permit ip host 172.17.245.210 192.168.0.0 0.0.255.255

ASA

access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 172.17.245.0 255.255.255.0

This is what they should be...

Router

access-list 115 permit ip 172.17.245.0 0.0.0.255 192.168.0.0 0.0.255.255

ASA

access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 172.17.245.0 255.255.255.0

wasiimcisco Thu, 11/05/2009 - 07:08

On the ASA firewall I am making a dynamic map, like in

Dynamic IPsec Between a Statically addressed PIX and a Dynamically addressed IOS Router with NAT Configuration Example

In the dynamic map I don't have any option to specify the interesting traffic.

acomiskey Thu, 11/05/2009 - 07:12

Sure you do, it's right here...

crypto dynamic-map TRJXB_MAP 151 match address TRJXB

wasiimcisco Thu, 11/05/2009 - 07:53

I have configured this

crypto dynamic-map TRI_MAP 17 match address TRJXB

access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 17.1.1.0 255.255.255.0

access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 6.1.1.0 255.255.255.0

access-list TRJXB extended permit ip 16.1.1.0 255.255.255.0 6.1.1.0 255.255.255.0

access-list TRJXB extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0

access-list TRJXB extended permit ip 16.1.1.0 255.255.255.0 172.17.245.0 255.255.255.0

access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 172.17.245.0 255.255.255.0

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 6.1.1.1

access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 6.1.1.1

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.7

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.150

access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.150

access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.7

but still not working.

acomiskey Thu, 11/05/2009 - 08:05

Those aren't exact mirrors of each other, and the crypto ACL on your router isn't acl-nonat, it's ACL 115.
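The mirror requirement raised twice above (the crypto ACLs on the two peers must describe the same traffic with source and destination swapped) is easy to get wrong by eye when one side uses IOS wildcard masks and the other uses ASA netmasks. The following script is an added example, not code from either poster or from Cisco: it parses both ACL syntaxes into (source, destination) prefix pairs and reports every entry that lacks a mirrored counterpart. The sample ACLs are copied from the posts in this thread; the function names (parse_acl, mirror_mismatches, acls_are_mirrors) and the restriction to "permit ip" entries are my own choices, and the "fixed" router entry is the network/wildcard form of the suggested ACL 115 without the stray "host" keyword.

```python
import ipaddress

# Constructed sample input, copied from the thread: the router's crypto ACL
# (IOS wildcard syntax) and the ASA's original single-entry crypto ACL.
ROUTER_ACL = """
access-list 115 permit ip host 172.17.245.210 192.168.0.0 0.0.255.255
"""
ASA_ACL = """
access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 172.17.245.0 255.255.255.0
"""
# The router entry rewritten so that it mirrors the ASA entry exactly.
FIXED_ROUTER_ACL = """
access-list 115 permit ip 172.17.245.0 0.0.0.255 192.168.0.0 0.0.255.255
"""
# The six-entry TRJXB list posted later in the thread.
POSTED_ASA_ACL = """
access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 17.1.1.0 255.255.255.0
access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 6.1.1.0 255.255.255.0
access-list TRJXB extended permit ip 16.1.1.0 255.255.255.0 6.1.1.0 255.255.255.0
access-list TRJXB extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0
access-list TRJXB extended permit ip 16.1.1.0 255.255.255.0 172.17.245.0 255.255.255.0
access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 172.17.245.0 255.255.255.0
"""


def _network(addr, mask, wildcard):
    """Build an IPv4Network from an address and a mask.

    With wildcard=True the mask is an IOS wildcard (0 bits match, 1 bits
    are "don't care") and is inverted into a netmask; otherwise it is an
    ASA-style netmask. Non-contiguous masks are rejected because the
    mirror check only makes sense for plain prefixes.
    """
    mask_int = int(ipaddress.IPv4Address(mask))
    if wildcard:
        mask_int ^= 0xFFFFFFFF
    prefix = bin(mask_int).count("1")
    if mask_int != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _take_spec(tokens, wildcard):
    """Consume one address specification: any | host A | A MASK."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens.pop(0)}/32")
    return _network(tok, tokens.pop(0), wildcard)


def parse_acl(text, style):
    """Return the set of (src, dst) network pairs in a crypto ACL.

    style="ios" parses numbered IOS ACLs with wildcard masks; style="asa"
    parses ASA extended ACLs with netmasks. Only "permit ip" entries are
    accepted, which is all a crypto ACL should contain (assumption).
    """
    wildcard = style == "ios"
    pairs = set()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        tokens = tokens[2:]  # drop "access-list <name-or-number>"
        if tokens and tokens[0] == "extended":
            tokens = tokens[1:]
        if tokens[:2] != ["permit", "ip"]:
            raise ValueError(f"unsupported crypto ACL entry: {line.strip()}")
        tokens = tokens[2:]
        src = _take_spec(tokens, wildcard)
        dst = _take_spec(tokens, wildcard)
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(router_acl, asa_acl):
    """Compare a router (IOS) crypto ACL with an ASA crypto ACL.

    Every (src, dst) entry on one peer must appear as (dst, src) on the
    other. Returns the router entries with no ASA counterpart and the ASA
    entries (rewritten from the router's point of view) with no router
    counterpart; both lists empty means the ACLs are exact mirrors.
    """
    def as_text(pairs):
        return sorted(f"{s} -> {d}" for s, d in pairs)

    router = parse_acl(router_acl, "ios")
    asa_mirrored = {(dst, src) for src, dst in parse_acl(asa_acl, "asa")}
    return {
        "router_only": as_text(router - asa_mirrored),
        "asa_only": as_text(asa_mirrored - router),
    }


def acls_are_mirrors(router_acl, asa_acl):
    """True when the two crypto ACLs select exactly the same traffic."""
    m = mirror_mismatches(router_acl, asa_acl)
    return not m["router_only"] and not m["asa_only"]


if __name__ == "__main__":
    print("posted ACLs:", mirror_mismatches(ROUTER_ACL, ASA_ACL))
    print("fixed router vs six-entry ASA list:",
          mirror_mismatches(FIXED_ROUTER_ACL, POSTED_ASA_ACL))
```

Run against the original pair, the script reports the router's /32 host entry on one side and the ASA's /24 on the other, which is exactly the proxy-identity mismatch visible in the router debug above (local_proxy 172.17.245.210/255.255.255.255 against a /24 on the ASA). Against the six-entry TRJXB list it shows that five of the ASA entries have no mirror on the router at all, so the ASA would propose selectors the router never matches.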

acomiskey Thu, 11/05/2009 - 08:40

Try this on the ASA.

crypto dynamic-map TRJXB-MAP 151 set pfs

wasiimcisco Thu, 11/05/2009 - 13:49

Tried it, but it is still not working. I even reconfigured the complete router, this time with aggressive mode on the router.
