Multiple Site-to-Site VPN

Unanswered Question
Jun 27th, 2010

Guys,

I am trying to configure Site-to-Site VPNs as below:

ASA 5520 ----+-----> Site A (already working)
             |
             +-----> Site B
             |
             +-----> Site C

Site A, B and C are Cyberguard devices. Any idea how I should do this? I want to find out how I should configure the ASA that's at head office. I have configured one site-to-site VPN from the ASA to Site A that is already working. Now if I have to configure two more VPNs terminating on the same interface on the ASA, how can I do that?

Do I create ISAKMP, transform set and crypto maps for each individual VPN, or how do I do it? Can somebody please explain this? What approach should be taken to configure the headend ASA?

Below is the config on ASA:

====================

asa# sh run crypto isakmp
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable management
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
asa#

asa# sh run crypto ipsec
crypto ipsec transform-set sha-set esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
asa#


crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 sha-set myset
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
asa#

Jennifer Halim Mon, 06/28/2010 - 00:34

Assuming that all 3 Cyberguard sites have static IP addresses, you would be configuring 3 static crypto maps on the ASA. The ISAKMP and IPsec policy can remain the same if they are the same on the 3 Cyberguard sites.

Here is a sample configuration with 1 ASA as the headend, with multiple VPN tunnels for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml

Hope that helps.

gr11gr11gr11 Mon, 06/28/2010 - 01:40

Thanks very much Halijenn for your response. So I should be using static crypto maps on the ASA and not the dynamic ones. What's the difference between the two, and what should be the best strategy, as eventually I will be migrating a lot of sites (using S2S VPNs) to the ASA? Right now I am just in the testing phase.

Thanks very much for your help - really appreciate!

Jennifer Halim Mon, 06/28/2010 - 01:44

You would use the static crypto map when the peer address is static (i.e. the Cyberguard outside interface IP address where the VPN is terminated is a statically assigned IP address, normally a public IP address).

You would use the dynamic crypto map for remote access VPN client access to the ASA, and/or a LAN-to-LAN VPN tunnel when the peer address (Cyberguard outside interface IP address) is dynamic (maybe DHCP or PPPoE assigned).

Hope that helps.

gr11gr11gr11 Mon, 06/28/2010 - 03:51

OK - I will try configuring with static crypto maps and will post back if I am able to get them working. Thank you very much for your help. If it works it will save me a lot of trouble. I am really under pressure to get it working.

Thanks will post soon.

gr11gr11gr11 Tue, 06/29/2010 - 18:24

I tried to configure it but I am not able to establish the VPN tunnel. Can somebody please have a look to see if I am missing anything? Below is the config I have put exactly on the ASA:

1) Create ISAKMP policy

isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 2
isakmp policy 50 lifetime 34800
isakmp policy 50 authentication pre-share
isakmp enable outside
isakmp key xxxx address 216.0.0.3 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address

2) ACL

access-list monovpn permit ip 10.8.34.0 255.255.255.0 10.8.11.0 255.255.255.0

3) Transform Set

crypto ipsec transform-set monovpnset esp-3des esp-md5-hmac

4) Crypto map

crypto map monovpnmap 50 ipsec-isakmp
crypto map monovpnmap 50 match address monovpn
crypto map monovpnmap 50 set peer 216.0.0.3
crypto map monovpnmap 50 set transform-set monovpnset

5) Set SA lifetime

crypto map monovpnmap 50 set security-association lifetime seconds 34800
crypto map monovpnmap 50 set security-association lifetime kilobytes 4608000

6) No NAT

access-list nonat permit ip 10.8.34.0 255.255.255.0 10.8.11.0 255.255.255.0
access-list nonat permit ip 10.8.11.0 255.255.255.0 10.8.34.0 255.255.255.0
nat (inside) 0 access-list nonat

7) Apply crypto map to outside interface of ASA

crypto map monovpnmap interface outside

Jennifer Halim Tue, 06/29/2010 - 18:28

Looks correct so far. Can you please share the whole config so we can see if there are any overlaps with the other VPN tunnel?

Where is the VPN failing? Phase 1 (ISAKMP) or Phase 2 (IPsec)?

You might also want to share the output of the following:

show crypto isa sa

show crypto ipsec sa

Also, run the following debugs to see where it's actually failing:

debug cry isa

debug cry ipsec

gr11gr11gr11 Tue, 06/29/2010 - 23:36

Halijenn, thanks for your help mate. The tunnel is down, not even at phase 1.

First of all, let me explain the whole scenario. I have included the diagram. I am trying to configure this setup and test it before implementing it in production. I want to test the VPNs in a lab environment before the actual implementation.

So I have 3-4 Cyberguards sitting in the lab connected to the ASA through a switch. I don't have anything connected at either end (LAN I mean) at the moment, but even in that case I think I should be able to set up a VPN tunnel between the ASA and the Cyberguards.

I have used a dynamic crypto map, but using the static IP at Cyberguard A and the ASA, and I have a tunnel that's up. Since I can't apply two different maps (in the file "ASA sh run all config") I had removed the dynamic crypto map and applied the monovpn crypto map (static), but it didn't bring anything up. The tunnel is showing down at the Cyberguard end and I can't see anything happening at the ASA end either.

In the second file I have re-applied the dynamic crypto map and pasted "sh crypto ipsec sa", and it shows the tunnel is up.

(Do you think I need to send traffic from the LAN at both ends to bring the VPN tunnel up? But the other tunnel is up and running, although I am not able to ping from the ASA to 216.0.0.1 and vice versa.)

I have attached all three files. Any help is highly appreciated.

Jennifer Halim Wed, 06/30/2010 - 19:32

With a dynamic crypto map, you can only initiate the connection from the Cyberguard end, not from the ASA end. With a static crypto map, you can initiate the connection from both ends.

With a static map on the ASA, you would need to configure the Cyberguard to have a static crypto map too, and the crypto ACL will need to be a mirror image.

Your current static crypto map is missing the "crypto map ... match address" command to match the crypto ACL for that particular tunnel, hence it's failing.

For the first vpn tunnel on the static crypto map, you would need to configure the following:

access-list crypto-acl-1 permit ip 10.8.34.0 255.255.255.0 10.8.11.0 255.255.255.0

crypto map monovpnmap 50 match address crypto-acl-1

For the second vpn tunnel for cyberguard peer: 216.0.0.1 for example, here is what you need to configure:

access-list crypto-acl-2 permit ip 10.8.34.0 255.255.255.0 192.168.0.0 255.255.255.0

crypto map monovpnmap 60 set peer 216.0.0.1
crypto map monovpnmap 60 set transform-set monovpnset

crypto map monovpnmap 60 match address crypto-acl-2

For the third one, it will be the same with a different sequence number, for example 70, and the corresponding "set peer" and crypto ACL for that peer.

Hope that helps.

gr11gr11gr11 Wed, 06/30/2010 - 22:50

I did try that too. Still no luck; I am getting mad with this... it's down!! Not even talking... please help.

Halijenn, mate, actually we will be deploying Cyberguards at the sites, so the traffic/VPN will be initiated by that end only.

I have got one dynamic one working. If this thing is not working, can you please help me set up dynamic ones? I have tried without any luck.

asa# sh run access-list monovpn
access-list monovpn extended permit ip any any
asa# sh run crypto map
crypto map mymap 20 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map monovpnmap 50 match address monovpn
crypto map monovpnmap 50 set peer 216.0.0.3
crypto map monovpnmap 50 set transform-set monovpnset
crypto map monovpnmap 50 set security-association lifetime seconds 28800
crypto map monovpnmap 50 set security-association lifetime kilobytes 4608000
crypto map monovpnmap interface outside
asa# sh isakmp sa

There are no isakmp sas
asa# sh ipsec sa

There are no ipsec sas
asa#

JORGE RODRIGUEZ Thu, 07/08/2010 - 14:45

Hi Gr, I completely concur with what Halijenn has provided you. I looked briefly at your ASA configuration; frankly I would recommend, since it is a lab testing setup before deployment, to start your tunnels from scratch, especially when you indicate you will have more L2L tunnels down the road. It is best to come up with some logic pertaining to crypto map sequence numbering, ACLs and the respective ISAKMP policies and their tunnel groups. It will be easier to follow, troubleshoot and configure new tunnels down the road when implementing more.

If you do have the ability in production to implement static IPsec tunnels, you should use static, because with static-to-dynamic IPsec tunnels only the dynamic side will be the one initiating the tunnel (not the static side). So remember that dynamic tunnels change the behaviour of who the initiator will be, as opposed to static-static tunnels whereby either side can initiate the traffic, just as Halijenn indicated.

Organize the IPsec tunnel configurations and create them through the command line, as it is easier:

ASA HUB SITE:
LAN IP: 10.8.34.0/24
Public IP: 216.0.0.2

CyberguardA SITE: Spoke - this is working
LAN IP: 192.168.0.0/24
Public IP: dynamic

CyberguardB SITE: Spoke
LAN IP: ??? info not in net diagram, let's use 10.8.40.0/24
Public IP: 216.0.0.4 --> you are probably using .4 for the CyberguardB gateway; IP not in net diagram

CyberguardC SITE: Spoke
LAN IP: 10.8.11.0/24
Public IP: 216.0.0.3

For your static tunnels use, for example, unique ACLs per tunnel so you can distinguish them. For example, creating the tunnel between the HUB ASA and CyberguardC:

1- Create the first crypto ACL, the NAT exempt ACL, the outside_access_in ACL and the interface NAT exempt rule for the NAT-exempted tunnel
2- Create your ISAKMP phase-1 policy
3- Create your IPsec phase-2 policy, and lastly the tunnel group for CyberguardC
4- Remember the same policy should be set exactly the same at the other far-end gateway

access-list outside_1_cryptomap extended permit ip 10.8.34.0 255.255.255.0 10.8.11.0 255.255.255.0
access-list nonat extended permit ip 10.8.34.0 255.255.255.0 10.8.11.0 255.255.255.0
access-list outside_access_in extended permit ip 10.8.11.0 255.255.255.0 10.8.34.0 255.255.255.0
nat (inside) 0 access-list nonat

crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


crypto ipsec transform-set CyberguardC esp-3des esp-md5-hmac

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set peer 216.0.0.3
crypto map outside_map 1 set transform-set CyberguardC
crypto map outside_map 1 set security-association lifetime seconds 3600

tunnel-group 216.0.0.3 type ipsec-l2l
tunnel-group 216.0.0.3 ipsec-attributes
pre-shared-key ********


///////////////////////////////////////

You can use the example above to create the next static tunnel, and further ones down the road, following a naming sequence pattern that is easy to follow.

Tunnel between the HUB ASA and CyberguardB:

access-list outside_2_cryptomap extended permit ip 10.8.34.0 255.255.255.0 10.8.40.0 255.255.255.0
access-list nonat extended permit ip 10.8.34.0 255.255.255.0 10.8.40.0 255.255.255.0
access-list outside_access_in extended permit ip 10.8.40.0 255.255.255.0 10.8.34.0 255.255.255.0


crypto isakmp policy 2
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


crypto ipsec transform-set CyberguardB esp-3des esp-md5-hmac

crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group2
crypto map outside_map 2 set peer 216.0.0.4
crypto map outside_map 2 set transform-set CyberguardB
crypto map outside_map 2 set security-association lifetime seconds 3600

tunnel-group 216.0.0.4 type ipsec-l2l
tunnel-group 216.0.0.4 ipsec-attributes
pre-shared-key ********

For the dynamic tunnel to CyberguardA, why not use a static tunnel? Use the same principle as above.

And so on for future static tunnels...

Additionally, here are some good config examples for reference:

http://www.cisco.com/en/US/partner/products/ps6120/prod_configuration_examples_list.html

Troubleshooting IPsec:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

Hope this helps..

Regards
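
As an added example (not the thread's own configuration, and not from Cisco), here is a small Python audit of the point Halijenn and Jorge make above: every static crypto map sequence entry on the ASA needs its own `match address`, `set peer` and `set transform-set`, and the crypto ACL should describe that one tunnel's traffic, not `permit ip any any` as in the `sh run` output posted earlier. The config it parses is a constructed sample built from the snippets in this thread.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the "sh run crypto map" / "sh run access-list"
# output posted in this thread. Entry "monovpnmap 60" is deliberately missing
# its "match address" line to show what the audit reports.
SAMPLE_CONFIG = """
access-list monovpn extended permit ip any any
access-list outside_1_cryptomap extended permit ip 10.8.34.0 255.255.255.0 10.8.11.0 255.255.255.0
crypto map monovpnmap 50 match address monovpn
crypto map monovpnmap 50 set peer 216.0.0.3
crypto map monovpnmap 50 set transform-set monovpnset
crypto map monovpnmap 60 set peer 216.0.0.1
crypto map monovpnmap 60 set transform-set monovpnset
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 216.0.0.3
crypto map outside_map 1 set transform-set CyberguardC
crypto map outside_map interface outside
"""

# Only static entries have "<map> <seq> <keyword>"; the interface line and the
# "ipsec-isakmp dynamic ..." line are intentionally not matched.
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (.+)$")
REQUIRED = ("match address", "set peer", "set transform-set")

def audit_crypto_maps(config_text):
    """Return {"<map> <seq>": [problem, ...]} for every static crypto map entry."""
    entries = defaultdict(dict)      # (map name, seq) -> {keyword: value}
    acl_bodies = defaultdict(list)   # ACL name -> list of token lists after "permit ip"
    for raw in config_text.splitlines():
        line = raw.strip()
        m = MAP_RE.match(line)
        if m:
            entries[(m.group(1), int(m.group(2)))][m.group(3)] = m.group(4)
            continue
        a = ACL_RE.match(line)
        if a:
            acl_bodies[a.group(1)].append(a.group(2).split())
    findings = {}
    for (name, seq), parts in sorted(entries.items()):
        problems = [f"missing '{p}'" for p in REQUIRED if p not in parts]
        acl = parts.get("match address")
        if acl is not None:
            if acl not in acl_bodies:
                problems.append(f"crypto ACL {acl} is not defined")
            elif any(body == ["any", "any"] for body in acl_bodies[acl]):
                problems.append(f"crypto ACL {acl} permits ip any any")
        findings[f"{name} {seq}"] = problems
    return findings

if __name__ == "__main__":
    for entry, problems in audit_crypto_maps(SAMPLE_CONFIG).items():
        print(entry, "OK" if not problems else "; ".join(problems))
```

Paste your own `show run crypto map` and `show run access-list` output in place of the sample to run the same check against a real box.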

gr11gr11gr11 Fri, 07/09/2010 - 01:40

Thanks very much Jorgemcse!! Really, really appreciate your support! Now I have got another problem. I tested these fine with both static and dynamic; one of the Cyberguards was causing the problem, changed it and got working VPN tunnels.

Now I have been told to test on one of the production ASAs before rolling it out...

The problem here is I realised the prod sites all have ADSL/DSL connections, so the Cyberguard end would have to be a dynamic IP address while the ASA has to be static. I tried by connecting a Cyberguard to an ADSL line and pointing it, but it got stuck at negotiating phase 1... not authenticating, doesn't go further...

First of all, my main concern is: if the ASA already has some VPNs (to Cisco devices, not sure what they are doing) on it and a dynamic crypto map defined and applied to the outside interface, I think I just need to create an ISAKMP policy only (this is how I did it in the lab and it automatically created the tunnel groups). Can somebody please explain how to add a VPN if there are already dynamic maps being used for some other VPNs (to Cisco devices)?

Can somebody throw light on dynamic crypto maps: any example config, and what we need to do if we need to add to existing VPNs?

The Cyberguard end is quite simple; now the ASA end, to configure it to allow a dynamic IP to set up VPNs... can anyone please explain?

gr11gr11gr11 Fri, 07/09/2010 - 02:58

Guys, sorry for spamming; now the status has changed to:

Negotiating for phase 1 (authenticated) for 2m -

Looks like I need to work on the ISAKMP policy. But I would still like it if someone can help me understand configuring a dynamic-to-static VPN.

gr11gr11gr11 Sat, 07/10/2010 - 12:02

No luck. Can somebody please post any example config that I can put on the ASA to point to the dynamic IP on the Cyberguard.

I need to configure the ASA end to point to a dynamic IP.

gr11gr11gr11 Tue, 07/13/2010 - 06:04

Hi Security Specialists, please please help.

I am trying a dynamic-to-static L2L IPsec VPN. The dynamic end is ADSL connecting to a third-party device. The hub site is an ASA 5520 with a static IP. I found out (after a hell of a lot of trouble) that dynamic tunnels only use the default L2L tunnel group. I got that working fine in the lab. But when I tried testing in the production environment, it gets stuck at phase 2.

The problem I found out after debugs was that the VPN connection is landing on the DefaultRA tunnel group instead of the DefaultL2L tunnel group. Now that remote access group is used by multiple remote access clients.

What are my options here???? Can I somehow divert that connection to the DefaultL2L group (by using the tunnel-group-map default-group DefaultL2LGroup command) without disturbing any of my remote access VPN settings?

Any idea how I can fix this?

Please help, I very urgently need help. Any security specialist?????

Thanks in advance.

dzingirai_jr Sun, 06/26/2011 - 03:14

Hi, please post your solution (the full running configs) for all three devices; I am having a similar problem. Thank you.

blue phoenix Fri, 06/05/2015 - 09:49

Hi,

Where did you use this outbound-to-inbound ACL in the configuration above?

access-list outside_access_in

Thanks
