Herbert Baerten Mon, 03/01/2010 - 01:07
User Badges:
  • Cisco Employee,

Hi Shameem,


I see the ASA is configured to do PFS (group 2, if no group is specified), but the router is not.


Try this:


crypto map SDM_CMAP_1 1 ipsec-isakmp
  set pfs group2




If that doesn't help, enable these debugs:

on  the router:

debug crypto isakmp

debug crypto ipsec


on the ASA:

debug crypto isakmp 10

debug crypto ipsec 10


Enable them all at the same time, and try to bring up the tunnel.

Get the debug output, as well as:


show crypto isakmp sa

show crypto ipsec sa peer n.n.n.n (ip address of the other side)



BTW - you are aware of the limited security DES encryption offers? Why not use 3DES or AES (both peers seem to support it)?


hth

Herbert

smohur123 Mon, 03/01/2010 - 03:39

Hi


It's still not working. How do I bring up the tunnel?

Below are the results.


From ASA:


SYCO-ciscoasa# sh crypto isakmp sa


   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1


1   IKE Peer: 41.212.209.215

    Type    : user            Role    : responder

    Rekey   : no              State   : AM_ACTIVE

SYCO-ciscoasa# sh crypto ipsec sa peer 212.94.157.121


There are no ipsec sas for peer 212.94.157.121



From Cisco 3825:


MAR#debug crypto isakmp

Crypto ISAKMP debugging is on

MAR#debug crypto ipsec

Crypto IPSEC debugging is on

MAR#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status


IPv6 Crypto ISAKMP SA


MAR#sh crypto ipsec sa peer 121.243.184.199


interface: GigabitEthernet0/0

    Crypto map tag: SDM_CMAP_1, local addr 212.94.157.121


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (172.28.53.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (172.28.0.0/255.255.0.0/0/0)

   current_peer 121.243.184.199  port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0


     local crypto endpt.: 212.94.157.121, remote crypto endpt.: 121.243.184.199

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0

     current outbound spi: 0x0(0)


     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:

MAR#

Herbert Baerten Mon, 03/01/2010 - 03:48
User Badges:
  • Cisco Employee,

Well, the tunnel should come up automatically as soon as there is traffic that matches the crypto access-list (this is usually referred to as "interesting traffic"). So for example try a ping from one network to the other.

If that does not cause the tunnel to come up, please provide the debug output from both sides.

smohur123 Mon, 03/01/2010 - 06:16

Hi


I've done "logging <ip address of Kiwi syslog server>" and "logging trap debugging". I still cannot get debug output.

contech-nelsong Mon, 03/01/2010 - 11:18

Your local and remote encryption domains overlap; that's probably causing your problem.



local  ident (addr/mask/prot/port): (172.28.53.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (172.28.0.0/255.255.0.0/0/0)


NAT one side to prevent the overlap.

smohur123 Tue, 03/02/2010 - 09:38

Hi


I've changed the access-list as follows and got the following results for isakmp and ipsec sa:

I've attached the debug info for the 3825


access-list 101 remark SDM_ACL Category=4

access-list 101 remark IPSec Rule

access-list 101 permit ip 172.28.53.0 0.0.0.127 172.28.45.0 0.0.0.127

access-list 130 deny   ip 172.28.53.0 0.0.0.127 172.28.45.0 0.0.0.127

access-list 130 permit ip 172.28.53.0 0.0.0.127 any


MAR#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

121.243.184.199   212.94.157.121  MM_NO_STATE       4012    0 ACTIVE (deleted)


IPv6 Crypto ISAKMP SA


MAR#sh crypto ipsec sa


interface: GigabitEthernet0/0

    Crypto map tag: SDM_CMAP_1, local addr 212.94.157.121


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (172.28.53.0/255.255.255.128/0/0)

   remote ident (addr/mask/prot/port): (172.28.45.0/255.255.255.128/0/0)

   current_peer 121.243.184.199  port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 50, #recv errors 0


     local crypto endpt.: 212.94.157.121, remote crypto endpt.: 121.243.184.199

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0

     current outbound spi: 0x0(0)


     inbound esp sas:


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:


     outbound ah sas:


     outbound pcp sas:

MAR#

nomair_83 Tue, 03/02/2010 - 12:29
User Badges:
  • Bronze, 100 points or more

Try removing PFS on both devices and configure the same crypto isakmp policy for both.


2nd, remove the ipsec over udp commands (if this is the same VPN group which is not working).


Then try.

smohur123 Wed, 03/03/2010 - 00:39

Hi


Thanks, it's working now. Below are the results of isakmp and ipsec sa. But I don't get replies from ping and cannot ssh.




MAR#sh crypto ipsec sa


interface: GigabitEthernet0/0

    Crypto map tag: SDM_CMAP_1, local addr 212.94.157.121


   protected vrf: (none)

   local  ident (addr/mask/prot/port): (172.28.53.0/255.255.255.128/0/0)

   remote ident (addr/mask/prot/port): (172.28.45.0/255.255.255.128/0/0)

   current_peer 121.243.184.199 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 56, #recv errors 0


     local crypto endpt.: 212.94.157.121, remote crypto endpt.: 121.243.184.199

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0

     current outbound spi: 0x9690D5D7(2526074327)


     inbound esp sas:

      spi: 0xCDD5D3C1(3453342657)

        transform: esp-des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 3, flow_id: AIM-VPN/SSL-3:3, crypto map: SDM_CMAP_1

        sa timing: remaining key lifetime (k/sec): (4526118/3518)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     inbound ah sas:


     inbound pcp sas:


     outbound esp sas:

      spi: 0x9690D5D7(2526074327)

        transform: esp-des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 4, flow_id: AIM-VPN/SSL-3:4, crypto map: SDM_CMAP_1

        sa timing: remaining key lifetime (k/sec): (4526116/3503)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE


     outbound ah sas:


     outbound pcp sas:

MAR#



SYCO-ciscoasa# sh isakmp sa


   Active SA: 2

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 2


1   IKE Peer: 212.94.157.121

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

2   IKE Peer: 41.212.209.143

    Type    : user            Role    : responder

    Rekey   : no              State   : AM_ACTIVE

SYCO-ciscoasa# sh ipsec sa

interface: outside

    Crypto map tag: outside_map, seq num: 3, local addr: 121.243.184.199


      access-list outside_3_cryptomap permit ip 172.28.45.0 255.255.255.128 172.28.53.0 255.255.255.128

      local ident (addr/mask/prot/port): (172.28.45.0/255.255.255.128/0/0)

      remote ident (addr/mask/prot/port): (172.28.53.0/255.255.255.128/0/0)

      current_peer: 212.94.157.121


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0


      local crypto endpt.: 121.243.184.199, remote crypto endpt.: 212.94.157.121


      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: CDD5D3C1


    inbound esp sas:

      spi: 0x9690D5D7 (2526074327)

         transform: esp-des esp-sha-hmac none

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 528384, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4274999/2922)

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xCDD5D3C1 (3453342657)

         transform: esp-des esp-sha-hmac none

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 528384, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4275000/2922)

         IV size: 8 bytes

         replay detection support: Y


    Crypto map tag: outside_dyn_map, seq num: 10, local addr: 121.243.184.199


      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (172.28.45.75/255.255.255.255/0/0)

      current_peer: 41.212.209.143, username: SYCOtelecom

      dynamic allocated peer ip: 172.28.45.75


      #pkts encaps: 152, #pkts encrypt: 152, #pkts digest: 152

      #pkts decaps: 451, #pkts decrypt: 451, #pkts verify: 451

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 164, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0


      local crypto endpt.: 121.243.184.199/4500, remote crypto endpt.: 41.212.209.143/2823

      path mtu 1500, ipsec overhead 66, media mtu 1500

      current outbound spi: 15649486


    inbound esp sas:

      spi: 0x65B06151 (1706058065)

         transform: esp-3des esp-sha-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 532480, crypto-map: outside_dyn_map

         sa timing: remaining key lifetime (sec): 287810

         IV size: 8 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x15649486 (358913158)

         transform: esp-3des esp-sha-hmac none

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 532480, crypto-map: outside_dyn_map

         sa timing: remaining key lifetime (sec): 287808

         IV size: 8 bytes

         replay detection support: Y


SYCO-ciscoasa# ping 172.28.53.87

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.28.53.87, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

SYCO-ciscoasa#

contech-nelsong Wed, 03/03/2010 - 05:39

That's almost certainly failing now because of the overlap in networks.


Once the 172.28.53.0/25 network traffic hits the 172.28.0.0/16 network it won't have a return path, simply because the router thinks that network is directly connected.


You have to NAT the source before it hits the 172.28.0.0/16 network.


I'm not sure how you do that in IOS, but I'm confident that it'll be possible.


Note that once you've done NAT on the source your encryption domain will no longer be valid, so you'll have to rewrite that part too.
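The two symptoms discussed in this thread, overlapping encryption domains and traffic that is encrypted but never decrypted, can be spotted mechanically from the "show crypto ipsec sa" output quoted above. The following triage helper is an added example, not code from the thread or from Cisco; the sample output is trimmed from the router output posted earlier, and the peer LAN 172.28.0.0/16 is taken from the original remote ident.

```python
# Added example (not from the thread): parse "show crypto ipsec sa" output and
# flag overlapping proxy IDs, a local domain that lies inside the peer's LAN
# (no return path, as described above), and one-way traffic (encaps > 0, decaps == 0).
import ipaddress
import re

IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_ipsec_sa(text):
    """Return {'local': net, 'remote': net, 'encaps': n, 'decaps': n} for one SA."""
    result = {}
    for side, addr, mask in IDENT_RE.findall(text):
        # ip_network accepts "address/dotted-mask"; strict=False tolerates host bits.
        result[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    for key, count in PKTS_RE.findall(text):
        result[key] = int(count)
    return result

def triage(sa, peer_lan=None):
    """Return findings for a parsed SA; peer_lan is the network behind the peer."""
    findings = []
    local, remote = sa["local"], sa["remote"]
    if local.overlaps(remote):
        findings.append(f"overlap: local {local} overlaps remote {remote}; NAT one side")
    if peer_lan and local.overlaps(ipaddress.ip_network(peer_lan)):
        findings.append(f"no-return-path: local {local} lies inside peer LAN {peer_lan}")
    if sa.get("encaps", 0) > 0 and sa.get("decaps", 0) == 0:
        findings.append("one-way: packets encrypted but none decrypted; check return path")
    return findings

# Constructed samples, trimmed from the router output quoted in this thread.
SAMPLE_BEFORE = """\
   local  ident (addr/mask/prot/port): (172.28.53.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.28.0.0/255.255.0.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
SAMPLE_AFTER = """\
   local  ident (addr/mask/prot/port): (172.28.53.0/255.255.255.128/0/0)
   remote ident (addr/mask/prot/port): (172.28.45.0/255.255.255.128/0/0)
    #pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, triage(parse_ipsec_sa(text), peer_lan="172.28.0.0/16"))
```

Run it against the full "show crypto ipsec sa" output from both peers; the ASA side uses the same ident and #pkts lines, so the parser applies there too.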

smohur123 Fri, 03/05/2010 - 04:32

Hi

I think that the ASA is allowing only 172.28.0.0/16 networks to go inside, because when trying to configure another L2L I'm having the same problem.

Please help
