DYNAMIC IP with SITE TO SITE VPN

Unanswered Question
Nov 3rd, 2009

I have an ASA 8.0 with a static IP address and the remote site has an ADSL router with a dynamic IP address.

I am not able to make the site-to-site VPN connection. I have tried a dynamic map and a standard site-to-site VPN connection but nothing is working for me.

Please help me out. I am totally stuck. I have attached the router and firewall configuration, and below is the error I am getting.

Nov 3 18:08:34.606: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 83.110.195.120, remote= x.x.x.x,
    local_proxy= 172.17.245.210/255.255.255.255/0/0 (type=1),
    remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4)
Nov 3 18:08:34.606: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 83.110.195.120, remote= x.x.x.x,
    local_proxy= 172.17.245.210/255.255.255.255/0/0 (type=1),
    remote_proxy= 192.168.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
RISTAR-JXB#
RISTAR-JXB#
Nov 3 18:08:34.810: IPSEC(key_engine): got a queue event with 1 KMI message(s)

wasiimcisco Tue, 11/03/2009 - 10:27

If I give 0.0.0.0 in the tunnel-group configuration, I get the following error.

ENOCDC-FW03(config)# tunnel-group 0.0.0.0 type ipsec-l2l
WARNING: L2L tunnel-groups that have names which are not an IP
address may only be used if the tunnel authentication
method is Digital Certificates and/or The peer is
configured to use Aggressive Mode

I have changed the router configuration to aggressive mode but still no luck.

wasiimcisco Wed, 11/04/2009 - 07:25

Thanks for the reply. I tried all the steps again but it is still not working. I have changed the configuration so many times but it is still not working. Attached are the logs from the router and the firewall.

I even connected a computer directly to the firewall to avoid any routing, but it is still not working.

slmansfield Wed, 11/04/2009 - 10:57

Did you change your router configuration at all from what you first posted? If so, could you post the updated router configuration? thx

slmansfield Wed, 11/04/2009 - 11:18

Another question: Is your ADSL coming up on your remote router? Can you access the Internet from that router?

slmansfield Wed, 11/04/2009 - 13:15

I set up the lab associated with that URL in my home lab.

I found that the PIX configuration was not quite complete.

First, the statement "crypto isakmp enable outside" is missing. Second, it is not clear that you do have to add the shared secret key under the tunnel group. This does not show up in the configuration.

# config t
(config)# tunnel-group DefaultL2LGroup ipsec-attributes
(config-tunnel-ipsec)# pre-shared-key cisco123

Also, the "ip nat outside" is missing from the router's outside interface.

wasiimcisco Thu, 11/05/2009 - 00:38

Internet is working on the remote site router. The ASA firewall has multiple site-to-site VPN connections along with the remote access VPN connection, so crypto isakmp enable outside is already enabled on it.

crypto map ENOCMAP 17 ipsec-isakmp dynamic TRI_MAP
crypto map ENOCMAP interface outside
crypto ipsec transform-set TRI_SET esp-3des esp-md5-hmac
crypto dynamic-map TRI_MAP 17 set transform-set TRI_SET
crypto dynamic-map TRI_MAP 17 set security-association lifetime seconds 28800
crypto dynamic-map TRI_MAP 17 set security-association lifetime kilobytes 4608000
crypto dynamic-map TRI_MAP 17 set reverse-route
crypto map ENOCMAP 17 ipsec-isakmp dynamic TRI_MAP

I have once again entered the key:

ENOCDC-FW03(config)# tunnel-group DefaultL2LGroup ipsec-attributes
ENOCDC-FW03(config-tunnel-ipsec)# pre-shared-key cisco123

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.7
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.150
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 10.1.1.56
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list acl-nonat
nat (test-dugas) 0 access-list acl-nonat

Please let me know what I am missing.

slmansfield Thu, 11/05/2009 - 06:33

I'm assuming your isakmp policy is still in the firewall configuration. I don't see all the NAT statements in your configuration, for example:

global (outside) 1 interface
nat (inside) 0 access-list acl-nonat
nat (inside) 1 0.0.0.0 0.0.0.0

HTH

slmansfield Thu, 11/05/2009 - 06:40

I would also look at the nonat-acl. These entries should be the mirror image of the crypto access list on the remote router. You don't want to NAT anything that is supposed to be encrypted and sent over the VPN tunnel.

wasiimcisco Thu, 11/05/2009 - 07:42

I have the same configuration for nonat and the remote site router access list for VPN interesting traffic.

nat (inside) 0 access-list acl-nonat
nat (test-dugas) 0 access-list acl-nonat
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 6.1.1.1
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 6.1.1.1
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.7
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.150
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.150
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.7

But I don't know what is missing.

slmansfield Thu, 11/05/2009 - 09:00

First, make sure your policies match. Based on the prior listings of the router and ASA configurations, they look slightly different. Please make sure they are exactly the same. Here's what's on the ASA.

crypto isakmp policy 17
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

The nonat-acl on the ASA is not the mirror image of the crypto access list on the router. Any networks that are in nonat-acl are those you want to encrypt. They should match (in a mirror image) what is on the remote router.

HTH

wasiimcisco Thu, 11/05/2009 - 12:26

Exact copy of the firewall nonat ACL:

access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 6.1.1.1
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 6.1.1.1
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.7
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.150
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.150
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.7

Exact ACL copy from the router:

access-list 101 deny ip 172.17.245.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 17.1.1.0 0.0.0.255 16.1.1.0 0.0.0.255
access-list 101 deny ip 172.17.245.0 0.0.0.255 16.1.1.0 0.0.0.255
access-list 101 permit ip 172.17.245.0 0.0.0.255 any
access-list 115 permit ip host 172.17.245.210 192.168.0.0 0.0.255.255
access-list 115 permit ip host 172.17.245.150 192.168.0.0 0.0.255.255
access-list 115 permit ip host 172.17.245.150 16.1.1.0 0.0.0.255
access-list 115 permit ip host 17.1.1.1 16.1.1.0 0.0.0.255
dialer-list 1 protocol ip list 101
!

slmansfield Thu, 11/05/2009 - 12:48

Your ASA may have other peers to which it sends VPN traffic, but there should be nonat entries that are mirror images of all the crypto access list entries configured on the router.

Did you have a chance to check to see if the policies were identical?
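The mirror-image check slmansfield keeps asking for, as an added example that is not part of the thread: the script below takes the router's crypto ACL 115 and the ASA's acl-nonat exactly as posted above, reads IOS wildcard masks and ASA subnet masks into prefixes, and reports every router permit SRC->DST for which the ASA has no permit DST->SRC. The two ACL listings are copied from the posts; the parsing and comparison code, and the extra test lines, are constructed here. Run on the posted lists it reports two gaps: 172.17.245.210 -> 192.168.0.0/16, which is exactly the proxy pair the router debug at the top of the thread is requesting (local_proxy 172.17.245.210/32, remote_proxy 192.168.0.0/16), and 17.1.1.1 -> 16.1.1.0/24, which the ASA covers only through its broader 16.1.1.0/24 -> 17.1.1.0/24 entry.

```python
"""Mirror-image check for an IOS crypto ACL against an ASA no-NAT ACL.

Added example, not from the thread.  The two ACLs are copied verbatim from
the posts above; the parsing and comparison code are constructed here.
"""
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network

# Router crypto ACL 115, exactly as posted in the thread.
ROUTER_CRYPTO_ACL = """
access-list 115 permit ip host 172.17.245.210 192.168.0.0 0.0.255.255
access-list 115 permit ip host 172.17.245.150 192.168.0.0 0.0.255.255
access-list 115 permit ip host 172.17.245.150 16.1.1.0 0.0.0.255
access-list 115 permit ip host 17.1.1.1 16.1.1.0 0.0.0.255
""".strip().splitlines()

# ASA acl-nonat, exactly as posted in the thread.
ASA_NONAT_ACL = """
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 6.1.1.1
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 6.1.1.1
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 17.1.1.0 255.255.255.0
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.7
access-list acl-nonat extended permit ip 16.1.1.0 255.255.255.0 host 172.17.245.150
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.150
access-list acl-nonat extended permit ip 192.168.0.0 255.255.0.0 host 172.17.245.7
""".strip().splitlines()


def _network(tok: List[str], i: int, style: str) -> Tuple[Net, int]:
    """Read one address spec at tok[i]: 'any', 'host A' or 'A MASK'.

    IOS ACLs carry wildcard masks (0.0.0.255), ASA ACLs carry subnet masks
    (255.255.255.0).  A wildcard is inverted to a subnet mask first so that
    'A 0.0.0.0' is read unambiguously as a /32.
    """
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    addr, mask = tok[i], tok[i + 1]
    if style == "ios":
        mask = str(ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_entry(line: str, style: str) -> Optional[Tuple[str, Net, Net]]:
    """Return (action, src, dst) for a 'permit|deny ip SRC DST' line, else None."""
    tok = line.split()
    if "ip" not in tok:
        return None
    i = tok.index("ip")
    action = tok[i - 1]
    if action not in ("permit", "deny"):
        return None
    src, i = _network(tok, i + 1, style)
    dst, _ = _network(tok, i, style)
    return action, src, dst


def missing_mirrors(router_acl: List[str], asa_acl: List[str]) -> List[str]:
    """List router permits SRC->DST that have no ASA permit DST->SRC.

    An ASA entry that merely covers the pair with broader networks is
    reported as such: it exempts the traffic from NAT, but it is not the
    exact mirror that matching proxy identities on a static map require.
    """
    asa_pairs = []
    for line in asa_acl:
        entry = parse_entry(line, "asa")
        if entry and entry[0] == "permit":
            asa_pairs.append((entry[1], entry[2]))

    report = []
    for line in router_acl:
        entry = parse_entry(line, "ios")
        if not entry or entry[0] != "permit":
            continue
        _, r_src, r_dst = entry
        if (r_dst, r_src) in asa_pairs:          # exact mirror present
            continue
        cover = [f"{s} -> {d}" for s, d in asa_pairs
                 if s.supernet_of(r_dst) and d.supernet_of(r_src)]
        note = f" (covered only by broader entry {cover[0]})" if cover else ""
        report.append(f"router {r_src} -> {r_dst}: ASA lacks {r_dst} -> {r_src}{note}")
    return report


if __name__ == "__main__":
    for line in missing_mirrors(ROUTER_CRYPTO_ACL, ASA_NONAT_ACL):
        print(line)
```

This only checks the ACL consistency the replies ask about. A NAT exemption gap changes whether traffic is translated before it reaches the crypto map; it does not by itself explain why the posted debug shows only an outbound sa_request from the router, and the ASA side uses a dynamic map, which accepts the proxy identities the peer proposes. Treat the output as the list of entries to add or tighten, not as a diagnosis of phase 1.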

slmansfield Thu, 11/05/2009 - 17:56

I tried recreating the problem in my lab. Instead of using the Cisco example I pieced together the information you've provided. Attached are the configurations.

I did not get your ping to work, but the ping I ran did bring up the VPN tunnel. I was successful pinging from a device behind the router, with an address of 172.17.245.210, which is within the encryption domain, to 192.168.0.2, a fictitious address on an inside subnet connected to the ASA, also within the encryption domain.

Please review these configurations to see if there is anything that is significantly different from what you are using.

HTH
