1841 - ASA 5520 VPN

networker99
Level 1

I have set up a site to site VPN between a Cisco 1841 ISR and a Cisco ASA 5520, all appears to be working however I have a couple of questions.

1. I have to explicitly allow all VPN traffic in the ACL on the outside interface of the 1841. Is there a router equivalent of "sysopt connection permit-vpn"?

2. Although the VPN comes up and passes traffic, I occasionally see the following:

*Jun 22 14:11:52.883: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 1.1.1.1


8 Replies

Marcin Latosiewicz
Cisco Employee

Ad 1.

The "outside" interface on router (I assume we're talking about the one with crypto map applied) will only see encrypted packets or IKE (ESP, UDP/4500 and udp/500). Unless you're running A VERY old IOS version.

Ad 2.

Multiple possibilities. Quick Mode is Phase 2 negotiation. Would need to debug and see the configs.

Marcin

I am finding the outside ACL has to include the encryption domain traffic as well. I have to permit ICMP etc.; if not, it fails.

What is the version of IOS you're using?

Show me the outputs of:

"show ver"

"show crypto map"

"show run interface NAME NUMBER" for interfaces facing LAN and WAN.

Version: (C1841-ADVSECURITYK9-M), Version 12.4(25c), RELEASE SOFTWARE (fc2)

+++++++++++++++++++

ROUTER#sh crypto map
Crypto Map "MYMAP" 10 ipsec-isakmp
        Peer = 1.1.1.1
        Extended IP access list VPN2OFFICE
            access-list VPN2OFFICE permit ip 10.71.0.0 0.0.3.255 any
        Current peer: 1.1.1.1
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): N
        Transform sets={
                TRANSFORM,
        }
        Interfaces using crypto map MYMAP:
                FastEthernet0/0

+++++++++++++++++++++++++++++++++++++

!
interface FastEthernet0/0
ip address 1.1.1.2 255.255.255.0
ip access-group outside_in in
duplex auto
speed auto
crypto map MYMAP
end

+++++++++++++++++++++++++++++++++++++

interface FastEthernet0/1
description inside
ip address 10.71.3.225 255.255.252.0
duplex auto
speed auto
end

That's odd.

And you're saying that if you ping from the other side to 10.71.3.225, traffic gets denied by the ACL?


Are you sure it's entering the tunnel in the first place?

"show crypto ipsec sa" on both sides will show you.

Maybe phase 2 does not establish?

Marcin

edit:

Command syntax.

networker99
Level 1

That is correct. If I do "sh crypto ipsec sa" I see packets being encrypted/decrypted.

Can you share the full outputs? Both sides at the same time?

Bottom line I don't think it's normal in 12.4 mainline IOS unless packets are leaking out in clear ;/

Found the issue. I had not permitted ESP in the ACL; all now working. Thanks for all your help.
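The fix networker99 describes, written out as a complete inbound ACL for the crypto-map interface. This is an added example, not configuration posted in the thread: it reuses the peer address 1.1.1.1, the local address 1.1.1.2, the ACL name outside_in and the crypto map MYMAP from the outputs above; the NAT-T line and the logging deny are assumptions, included because a practitioner would normally want them.

```cisco
! Added example: minimal inbound ACL on the crypto-map interface of the 1841.
! Only IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50) from the ASA
! have to be permitted here. The encryption-domain traffic (10.71.0.0/22 to
! the remote side) arrives inside ESP and is never seen in the clear by this ACL,
! so it does not need its own permit lines.
ip access-list extended outside_in
 remark --- IPsec site-to-site peer: ASA 5520 at 1.1.1.1 (address from the thread)
 permit udp host 1.1.1.1 host 1.1.1.2 eq isakmp
 permit udp host 1.1.1.1 host 1.1.1.2 eq non500-isakmp
 permit esp host 1.1.1.1 host 1.1.1.2
 remark --- any other inbound rules for the outside interface go here
 deny   ip any any log
!
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.0
 ip access-group outside_in in
 crypto map MYMAP
!
```

After applying it, "show access-list outside_in" should show the hit counter on the esp line climbing while traffic crosses the tunnel, and "show crypto ipsec sa" should show both the encaps and decaps counters increasing. Before the fix, the symptom of the missing esp line is that the final deny entry logs protocol 50 drops from 1.1.1.1 while the ping from the far side never reaches 10.71.3.225; that logged deny is the quickest way to tell an ACL problem apart from a Phase 2 failure.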
