IPSEC VPN With DYNAMIC IP ADDRESS

Nov 3rd, 2009

I have an ASA 8.0 with a static IP address and the remote site has an ADSL router with a dynamic IP address.

I am not able to make the site-to-site VPN connection. I have tried a dynamic map and a standard site-to-site VPN connection, but nothing is working for me.


Please help me out. I am totally stuck. I have attached the router and firewall configuration, and below is the error I am getting.



Nov 3 18:08:34.606: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 83.110.195.120, remote= x.x.x.x,
local_proxy= 172.17.245.210/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4)
Nov 3 18:08:34.606: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 83.110.195.120, remote= x.x.x.x,
local_proxy= 172.17.245.210/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
RISTAR-JXB#
RISTAR-JXB#
Nov 3 18:08:34.810: IPSEC(key_engine): got a queue event with 1 KMI message(s)



If I give 0.0.0.0 in the tunnel-group configuration, it gives me the following error.


ENOCDC-FW03(config)# tunnel-group 0.0.0.0 type ipsec-l2l
WARNING: L2L tunnel-groups that have names which are not an IP
address may only be used if the tunnel authentication
method is Digitial Certificates and/or The peer is
configured to use Aggressive Mode


I have changed the router configuration to aggressive mode, but still no luck.






acomiskey Tue, 11/03/2009 - 13:43

You want to use the DefaultL2LGroup for your tunnel group name, not 0.0.0.0.

wasiimcisco Wed, 11/04/2009 - 07:39

Yes, right, and I even tried this, but it is still not working. I am getting the following errors on the router.


My head office firewall has multiple site-to-site VPN connections and a remote access VPN, and they are working fine; only this VPN connection is giving me problems. I have tried everything.



acomiskey Thu, 11/05/2009 - 05:56

First off, your crypto ACLs should be mirrors of each other. This is how they are now...


Router

access-list 115 permit ip host 172.17.245.210 192.168.0.0 0.0.255.255


ASA

access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 172.17.245.0 255.255.255.0


This is what they should be...


Router

access-list 115 permit ip 172.17.245.0 0.0.0.255 192.168.0.0 0.0.255.255

ASA

access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 172.17.245.0 255.255.255.0

wasiimcisco Thu, 11/05/2009 - 07:08

On the ASA firewall I am making a dynamic map, like

Dynamic IPsec Between a Statically addressed PIX and a Dynamically addressed IOS Router with NAT Configuration Example


In the dynamic map I don't have any option to recall the interesting traffic.

acomiskey Thu, 11/05/2009 - 07:12

Sure you do, it's right here...


crypto dynamic-map TRJXB_MAP 151 match address TRJXB

wasiimcisco Thu, 11/05/2009 - 07:53

I have configured this:


crypto dynamic-map TRI_MAP 17 match address TRJXB


access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 17.1.1.0 255.255.255.0

access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 6.1.1.0 255.255.255.0

access-list TRJXB extended permit ip 16.1.1.0 255.255.255.0 6.1.1.0 255.255.255.0

access-list TRJXB extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0

access-list TRJXB extended permit ip 16.1.1.0 255.255.255.0 172.17.245.0 255.255.255.0

access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 172.17.245.0 255.255.255.0


access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 6.1.1.1

access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 6.1.1.1

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.7

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.150

access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.150

access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.7



but it is still not working.


acomiskey Thu, 11/05/2009 - 08:05

Those aren't exact mirrors of each other, and the crypto ACL on your router isn't acl-nonat, it's ACL 115.
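A quick way to check the mirror requirement raised here and in the earlier reply (an added example, not code from the thread or from Cisco): a small Python script that parses the IOS wildcard-mask and ASA netmask ACL syntax, normalizes both to networks, and lists every entry that lacks an exact reverse on the other side. The ACL lines are the ones quoted in the thread, so the script also shows that a /32 host inside the peer's /24 does not count as a match.

```python
import ipaddress

def _endpoint(tokens, mask_style):
    """Consume one 'any' / 'host X' / 'addr mask' from tokens; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if mask_style == "wildcard":
        # an IOS wildcard mask (0.0.255.255) is the bitwise inverse of the netmask
        inverted = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
        mask = str(ipaddress.IPv4Address(inverted))
    return ipaddress.IPv4Network((addr, mask), strict=False), tokens[2:]

def parse_crypto_acl(config_text, mask_style):
    """Return the set of (src, dst) networks from every 'permit ip' line."""
    pairs = set()
    for line in config_text.splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue
        rest = tokens[tokens.index("permit") + 1:]
        if not rest or rest[0] != "ip":
            continue  # only plain 'permit ip' crypto ACL entries are handled
        src, rest = _endpoint(rest[1:], mask_style)
        dst, _ = _endpoint(rest, mask_style)
        pairs.add((src, dst))
    return pairs

def mirror_gaps(router_pairs, asa_pairs):
    """IKEv1 proxy IDs must match exactly: each (src, dst) needs a (dst, src) peer."""
    on_asa = sorted(f"{d} -> {s}" for s, d in router_pairs if (d, s) not in asa_pairs)
    on_router = sorted(f"{d} -> {s}" for s, d in asa_pairs if (d, s) not in router_pairs)
    return on_asa, on_router

def check(router_cfg, asa_cfg):
    return mirror_gaps(parse_crypto_acl(router_cfg, "wildcard"),
                       parse_crypto_acl(asa_cfg, "netmask"))

# Constructed sample input: the ACL lines quoted in the thread, not the attached configs
ROUTER_ACL = "access-list 115 permit ip host 172.17.245.210 192.168.0.0 0.0.255.255"
ROUTER_ACL_FIXED = "access-list 115 permit ip 172.17.245.0 0.0.0.255 192.168.0.0 0.0.255.255"
ASA_ACL = "access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 172.17.245.0 255.255.255.0"

if __name__ == "__main__":
    for label, cfg in (("as posted", ROUTER_ACL), ("corrected", ROUTER_ACL_FIXED)):
        missing_on_asa, missing_on_router = check(cfg, ASA_ACL)
        print(f"{label}: missing on ASA {missing_on_asa}, missing on router {missing_on_router}")
```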

acomiskey Thu, 11/05/2009 - 08:14

Can you get the log from the ASA?

wasiimcisco Thu, 11/05/2009 - 08:26

Please find attached. I am really thankful for the support and time you are giving me to solve this issue.



acomiskey Thu, 11/05/2009 - 08:40

Try this on the ASA.


crypto dynamic-map TRJXB-MAP 151 set pfs

wasiimcisco Thu, 11/05/2009 - 13:49

Tried, but it is still not working. I even reconfigured the complete router, this time with aggressive mode on the router.
