1734 Views, 0 Helpful, 26 Replies

Site-2-site Dynamic to static config problem

k.gillespie
Level 1

I must be missing something in the config, but what I am not sure.

Trying to get a PIX 506e (6.3) to an ASA 5505 (7.2). The PIX is Dynamic IP and the ASA is Static IP. This is a second Site-2-site VPN; the first is from the PIX to another PIX that has a static IP.

I have tried everything that I can think of. I believe it is on the ASA side, but not sure. I have reset the pre-shared-key several times. I have tried the sysopt connection permit-vpn on the ASA. It took the command, but it didn't show up in the running-config. Put in both ipsec-ra and ipsec-l2l tunnels as well as other things. Anyway I have attached my configs.

Almost forgot, I used this link as a guide. http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

Thanks for your help --- Keith

1 Accepted Solution


Keith,

I think you Should compare your ASA to the static-IP and the PIX to the Dynamic-IP configs - see what's different (apart from the names of things)

The pre-shared key I used was test1234 at both ends.


26 Replies

andrew.prince
Level 10

Hi Andrew,

I have been following that example, but for some reason the link is not working in my post. I did update my post by adding a debug output. I checked my debug against Tiger's on the link and only posted where it was different. It seems the isakmp attributes were OK and the pre-shared-key, but after that something is wrong.

If you have any idea let me know please.

Keith

Hi Keith

Ensure your "Head End" (the end with the static IP) has some of the below config:

crypto ipsec transform-set <> <> 

crypto dynamic-map <> <> set transform-set <>

crypto map <> <> ipsec-isakmp dynamic <>

crypto map <> interface outside

isakmp enable outside

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600

isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400

tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
   authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
   pre-shared-key *
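A complete head-end configuration that fills in the placeholders from the post above, added here as an example; it is not taken from either poster's attached configs or from the Cisco document. The interface, ACL, map and transform-set names, the subnets and the key are constructed, and the ISAKMP policy values are assumptions: they must match whatever the dynamic PIX actually proposes. Note that on 7.x `sysopt connection permit-vpn` is enabled by default and therefore never appears in the running-config (it lets decrypted tunnel traffic bypass the outside interface ACL), and that 3DES/SHA is preferred over the DES/MD5 used in the thread wherever both ends support it.

```cisco
! Added example (not the posters' configs): ASA 7.2 head end with a static IP
! accepting an L2L tunnel from a peer whose public IP is not known in advance.
! All names, addresses and the key are constructed placeholders.
!
! Local LAN 10.1.1.0/24 behind the ASA, remote LAN 10.2.2.0/24 behind the PIX.
! NAT exemption for tunnel traffic; missing this is the usual cause of
! "tunnel up, no traffic passes".
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Phase 2: the transform-set the dynamic PIX will propose.
crypto ipsec transform-set L2L-SET esp-3des esp-sha-hmac
!
! Dynamic map: no "set peer", so any peer that authenticates can match it.
crypto dynamic-map DYN-MAP 10 set transform-set L2L-SET
!
! Static crypto map whose lowest-priority entry hands unmatched peers to the
! dynamic map; the dynamic end must always be the initiator.
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
!
! Phase 1: must match the isakmp policy configured on the dynamic PIX exactly
! (assumed values; change to whatever the PIX sends).
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
!
! Dynamic L2L peers land in DefaultL2LGroup. The key here is what the PIX's
! "isakmp key <key> address <asa-static-ip> netmask 255.255.255.255" must equal.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK
!
! Verification once the PIX has initiated:
!   show isakmp sa        -> an entry for the PIX's current public IP in
!                            state MM_ACTIVE (Phase 1 and the PSK are fine)
!   show crypto ipsec sa  -> #pkts encaps and #pkts decaps both increasing;
!                            decaps rising with encaps stuck at 0 points at
!                            the NAT exemption or the return route, not the VPN
```

The PIX side needs only a static crypto map with `match address`, `set peer <asa-static-ip>`, the same transform-set, its own `nat (inside) 0` exemption, `sysopt connection permit-ipsec` (the 6.3 spelling) and an `isakmp key` line for the ASA's address; no tunnel-group commands exist on 6.3.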

Hi Andrew,

Yes it has the crypto map and isakmp policy 20 that matches my dynamic PIX, but I don't have 65536 policy (will add). The tunnel-group general attributes command is not an option in 7.2 version. The ipsec pre-shared I used the pre-shared-key that matches isakmp key on the dynamic PIX. Should I have used isakmp key ******** address 0.0.0.0 netmask 0.0.0.0?

Thanks --- Keith

Keith,

Changes should be made to the ASA

The URL I posted is for config revs 7.x and later - so everything should work.

Your posted ASA config - which has the static IP address is missing

tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
   authentication-server-group none
tunnel-group DefaultL2LGroup ipsec-attributes
   pre-shared-key *

before any config changes are being made - let me be clear.

The PIX with the dynamic IP only needs basic config to create the VPN.

The ASA with the static IP needs this config, and you need to tell it to accept ANY L2L VPN requests.

I really suggest you read the URL I sent again, in the example Lion is your ASA and Tiger is your PIX.

HTH

Andrew,

The tunnel-group DefaultL2LGroup would not take, but would take DefaultL2Lgroup. Why I don't know. Also there is no option for tunnel_ ... general-attributes authentication-server-group. Only accounting-server-group or default-group-policy. Let me ask should the pre-shared-key in the DefaultL2Lgroup match the isakmp key on the dynamic PIX or should I add isakmp key **** address 0.0.0.0 netmask 0.0.0.0 that matches the PIX key?

Keith

Andrew,

authen-server-group none has been deprecated and replaced with isakmp ikev1-user-authentication none under ipsec-attributes.

Keith

Andrew,

I got a fresh start this morning. Let me start by telling you that I am using an ASA5505 with 7.2(4) version. I tried to enter the config you have suggested and it won't take it.

On the tunnel-group DefaultL2LGroup type ipsec-l2l, it gives me an error at type. If I change the name to DefaultL2Lgroup type ipsec-l2l, it will take it. Under the general-attributes, there is no authentication-server-group option. It gives me an error to use isakmp ikev1-user-authentication none. It will take this command, but it does not show up in the running config. Under tunnel-group DefaultRAGroup general-attributes, it did take the isakmp ikev1 command and it did show up in the running-config. I used a default psk for this group. The l2l group matches my dynamic PIX. All this to say that I am getting a tunnel to come up, but it is connecting to the DefaultRAGroup (see error message).

[IKEv1]: Group = DefaultRAGroup, IP = 71.29.x.x, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0

This tunnel doesn't stay up, nor am I able to ping the other LAN. I did use the ASDM to configure the DefaultL2LGroup tunnel, if that helps any.

any thoughts?

Thanks for your help --- Keith

Keith,

OK - if a command does not show up in the config = it's a default command.

I suggest you post your current ASA config - remove any sensitive information, I will try and get some lab time to test your config.

Andrew,

Here you go. I will also keep trying.

Thanks for your help and time.

Keith

Keith,

I have no spare ASAs in the lab - but I did have 2 PIXs; luckily they already had ver 7.2(4).

So I put a basic config in them and a dynamic VPN config - see attached config & crypto stats.

Works fine.

Andrew,

Wow that was fast. Should I get rid of the tunnel-group configurations in the ASA then and what about the psk?

Keith

Keith,

I think you Should compare your ASA to the static-IP and the PIX to the Dynamic-IP configs - see what's different (apart from the names of things)

The pre-shared key I used was test1234 at both ends.

Andrew,

The tunnel came up after I deleted the DefaultRAGroup tunnel. The problem now is no traffic is going across. I double-checked my ACLs and they are fine. I rechecked the configs you sent me and mine are the same. I have attached my show crypto ipsec and isakmp sa. I have studied your configs and mine for the last hour to see what I may be missing, but no luck. Sorry I keep asking you questions, but it's been 4 years since my firewall class and I am the only IT person here at a small non-profit.

Again thanks for your help --- Keith
