IPSEC VPN With DYNAMIC IP ADDRESS

wasiimcisco
Level 1

I have an ASA 8.0 with a static IP address, and the remote site has an ADSL router with a dynamic IP address.

I am not able to make the site-to-site VPN connection. I have tried a dynamic map and a standard site-to-site VPN connection, but nothing is working for me.

Please help me out. I am totally stuck. I have attached the router and firewall configuration; below is the error I am getting.

Nov 3 18:08:34.606: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 83.110.195.120, remote= x.x.x.x,
local_proxy= 172.17.245.210/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4)
Nov 3 18:08:34.606: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 83.110.195.120, remote= x.x.x.x,
local_proxy= 172.17.245.210/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
RISTAR-JXB#
RISTAR-JXB#
Nov 3 18:08:34.810: IPSEC(key_engine): got a queue event with 1 KMI message(s)

If I give 0.0.0.0 in the tunnel-group configuration, it gives me the following error.

ENOCDC-FW03(config)# tunnel-group 0.0.0.0 type ipsec-l2l
WARNING: L2L tunnel-groups that have names which are not an IP
address may only be used if the tunnel authentication
method is Digitial Certificates and/or The peer is
configured to use Aggressive Mode

I have changed the router configuration to aggressive mode, but still no luck.

13 Replies

acomiskey
Level 10

You want to use the DefaultL2LGroup for your tunnel group name, not 0.0.0.0.

Yes, right, and I even tried this, but it is still not working. I am getting the following errors on the router.

My head office firewall has multiple site-to-site VPN connections and a remote access VPN, and it is working fine; only this VPN connection is giving me a problem. I have tried everything.

Can anybody help me out?

First off, your crypto ACLs should be mirrors of each other. This is how they are now...

Router

access-list 115 permit ip host 172.17.245.210 192.168.0.0 0.0.255.255

ASA

access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 172.17.245.0 255.255.255.0

This is what they should be (on IOS a network is given with a wildcard mask, so no `host` keyword)...

Router

access-list 115 permit ip 172.17.245.0 0.0.0.255 192.168.0.0 0.0.255.255

ASA

access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 172.17.245.0 255.255.255.0

On the ASA firewall I am making a dynamic map, like:

Dynamic IPsec Between a Statically addressed PIX and a Dynamically addressed IOS Router with NAT Configuration Example

In the dynamic map I don't have any option to recall the interesting traffic.

Sure you do, it's right here...

crypto dynamic-map TRJXB_MAP 151 match address TRJXB

I have configured this:

crypto dynamic-map TRI_MAP 17 match address TRJXB
access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 17.1.1.0 255.255.255.0
access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 6.1.1.0 255.255.255.0
access-list TRJXB extended permit ip 16.1.1.0 255.255.255.0 6.1.1.0 255.255.255.0
access-list TRJXB extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0
access-list TRJXB extended permit ip 16.1.1.0 255.255.255.0 172.17.245.0 255.255.255.0
access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 172.17.245.0 255.255.255.0
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 6.1.1.1
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 6.1.1.1
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.7
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.150
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.150
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.7

but it is still not working.

Those aren't exact mirrors of each other, and the crypto ACL on your router isn't acl-nonat, it's ACL 115.

Can you get the log from the ASA?
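As an added example (my own code, not from the thread or from Cisco): a small Python checker that parses the IOS (wildcard-mask) and ASA (subnet-mask) crypto ACLs quoted in this thread and reports every `permit ip` entry that has no mirrored counterpart on the other side, which is the mismatch acomiskey points out. It handles `any`, `host` and masked networks; the sample ACL lists are constructed from the lines posted above.

```python
import ipaddress
from ipaddress import IPv4Network

def _spec(tok: list, style: str) -> IPv4Network:
    """Consume one address spec (any | host A | A MASK) from the token list."""
    kind = tok.pop(0)
    if kind == "any":
        return IPv4Network("0.0.0.0/0")
    if kind == "host":
        return IPv4Network(f"{tok.pop(0)}/32")
    mask = tok.pop(0)
    if style == "ios":  # IOS wildcard masks are the bitwise inverse of a subnet mask
        mask = str(ipaddress.IPv4Address(~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF))
    # strict network: a misaligned entry (host bits set) raises ValueError
    return IPv4Network(f"{kind}/{mask}")

def parse_permit(line: str, style: str) -> tuple:
    """Return (src, dst) networks of a 'permit ip' ACE written in IOS or ASA syntax."""
    tok = line.split()
    i = tok.index("permit")
    if tok[i + 1] != "ip":
        raise ValueError(f"only 'permit ip' entries are handled: {line}")
    rest = tok[i + 2:]
    src = _spec(rest, style)
    dst = _spec(rest, style)
    return src, dst

def mirror_issues(router_acl: list, asa_acl: list) -> dict:
    """Entries on each side whose (dst, src) mirror is absent from the other side."""
    r = {parse_permit(l, "ios") for l in router_acl if " permit " in l}
    a = {parse_permit(l, "asa") for l in asa_acl if " permit " in l}
    unmatched_r = [f"{s} -> {d}" for s, d in sorted(r, key=str) if (d, s) not in a]
    unmatched_a = [f"{s} -> {d}" for s, d in sorted(a, key=str) if (d, s) not in r]
    return {"router": unmatched_r, "asa": unmatched_a}

# Constructed from the ACL lines quoted in the thread (before and after the fix).
ROUTER_BEFORE = ["access-list 115 permit ip host 172.17.245.210 192.168.0.0 0.0.255.255"]
ROUTER_AFTER = ["access-list 115 permit ip 172.17.245.0 0.0.0.255 192.168.0.0 0.0.255.255"]
ASA_ACL = ["access-list TRJXB extended permit ip 192.168.0.0 255.255.0.0 172.17.245.0 255.255.255.0"]

if __name__ == "__main__":
    print(mirror_issues(ROUTER_BEFORE, ASA_ACL))  # both sides unmatched
    print(mirror_issues(ROUTER_AFTER, ASA_ACL))   # {'router': [], 'asa': []}
```

The same check can be run over the full TRJXB list posted later in the thread; any entry reported for the ASA has no IOS counterpart and will never match a proxy identity the router proposes.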

Please find attached. I am really thankful for your support and the time you are giving to solving this issue.

Try this on the ASA.

crypto dynamic-map TRJXB-MAP 151 set pfs

Tried, but it is still not working. I even reconfigured the complete router, this time with aggressive mode on the router.

See the fresh log after reconfiguring the router for aggressive mode and the ASA with PFS.
