1841 - ASA 5520 VPN

Answered Question
Jun 22nd, 2010

I have set up a site to site VPN between a Cisco 1841 ISR and a Cisco ASA 5520, all appears to be working however I have a couple of questions.

1. I have to explicitly allow all VPN traffic in the ACL on the outside interface of the 1841, is there a router equivalent of "sysopt connection permit-vpn"?

2. Although the VPN comes up and passes traffic I occasionally see the following?

*Jun 22 14:11:52.883: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 1.1.1.1

Marcin Latosiewicz Tue, 06/22/2010 - 07:49

Ad 1.

The "outside" interface on router (I assume we're talking about the one with crypto map applied) will only see encrypted packets or IKE (ESP, UDP/4500 and udp/500). Unless you're running A VERY old IOS version.

Ad 2.

Multiple possibilities. Quick Mode is Phase 2 negotiation. Would need to debug and see the configs.

Marcin

networker99 Tue, 06/22/2010 - 08:05

I am finding the outside ACL has to include the encryption domain traffic as well. I have to permit ICMP etc.; if not, it fails.

Marcin Latosiewicz Tue, 06/22/2010 - 08:12

What is the version of IOS you're using?

Show me the outputs of:

"show ver"

"show crypto map"

"show run interface NAME NUMBER" for interfaces facing LAN and WAN.

networker99 Tue, 06/22/2010 - 08:16

Version: (C1841-ADVSECURITYK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)

+++++++++++++++++++

ROUTER#sh crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
        Peer = 1.1.1.1
        Extended IP access list VPN2OFFICE
            access-list VPN2OFFICE permit ip 10.71.0.0 0.0.3.255 any
        Current peer: 1.1.1.1
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={
                TRANSFORM,
        }
        Interfaces using crypto map MYMAP:
                FastEthernet0/0

+++++++++++++++++++++++++++++++++++++

!
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
ip access-group outside_in in
duplex auto
speed auto
crypto map MYMAP
end

+++++++++++++++++++++++++++++++++++++

interface FastEthernet0/1
description inside
ip address 10.71.3.225 255.255.252.0
duplex auto
speed auto
end

Marcin Latosiewicz Tue, 06/22/2010 - 08:24

That's odd.

And you're saying that if you ping from other side to 10.71.3.225 traffic gets denied by ACL?
Are you sure it's entering the tunnel in the first place?

"show crypto ipsec sa" on both sides will show you.

Maybe phase 2 does not establish?

Marcin

edit:

Command syntax.

networker99 Tue, 06/22/2010 - 08:26

That is correct. If I do "sh crypto ipsec sa" I see packets being encrypted/decrypted

Correct Answer
Marcin Latosiewicz Tue, 06/22/2010 - 08:29

Can you share the full outputs? Both sides at the same time?

Bottom line I don't think it's normal in 12.4 mainline IOS unless packets are leaking out in clear ;/

networker99 Thu, 06/24/2010 - 05:14

Found the issue. I had not permitted ESP in the ACL, all now working. Thanks for all your help
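Marcin's point earlier in the thread (an interface carrying a crypto map only has to admit IKE and the IPsec transport from the peer) and the resolution in this last post (ESP was missing from the ACL) amount to the inbound ACL below. This is an added illustration, not configuration posted in the thread; it assumes the addresses and names visible in the posted outputs (peer 1.1.1.1, local outside address 1.1.1.2, ACL outside_in applied inbound on FastEthernet0/0, crypto map MYMAP) and that the transform set TRANSFORM uses ESP rather than AH.

```cisco
! Added example: inbound ACL for the 1841's outside (crypto map) interface.
! Assumes peer 1.1.1.1, local outside address 1.1.1.2 and the ACL name
! outside_in from the thread; the entries themselves are not the poster's.
ip access-list extended outside_in
 remark IKE (ISAKMP, UDP 500) from the VPN peer: phase 1 and Quick Mode
 permit udp host 1.1.1.1 host 1.1.1.2 eq isakmp
 remark NAT-T (UDP 4500): harmless if no NAT sits between the peers
 permit udp host 1.1.1.1 host 1.1.1.2 eq non500-isakmp
 remark ESP carries the encrypted payload; without this line every
 remark tunnelled packet from the peer hits the implicit deny
 permit esp host 1.1.1.1 host 1.1.1.2
 remark add "permit ahp host 1.1.1.1 host 1.1.1.2" only if TRANSFORM uses AH
 remark other inbound entries this router needs go here
 deny ip any any log
!
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 ip access-group outside_in in
 crypto map MYMAP
```

As Marcin states for 12.4 mainline IOS, the decrypted clear-text traffic is not re-checked against outside_in, so the 10.71.0.0/22 hosts in VPN2OFFICE need no entries in it. To confirm the fix on the router, "show access-lists outside_in" should show the match count on the esp entry rising in step with the "#pkts decaps" counter in "show crypto ipsec sa"; before the fix, the same output would show the peer's ESP packets being counted (and logged) by the final deny line instead.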
