Site-to-site IPsec VPN with ASA

Jul 28th, 2010

Hi, I have a problem with an IPsec tunnel on an ASA.

Phase I is OK,

but phase II is weird.

Let's say the local IP is 200.4.250.10

local host 192.168.0.1/32

remote net 172.20.0.0/16

peer IP is 100.30.20.10

The output of show crypto ipsec sa gives:

local ident (addr/mask/prot/port): (200.4.250.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): 100.30.20.10/255.255.255.255/0/0)
      current_peer: 100.30.20.10

I think the local ident & remote ident are wrong; I should get

local ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): 172.20.0.0/255.255.0.0/0/0)
       current_peer: 100.30.20.10

When I execute

debug crypto ipsec 7

IPSEC: No user rule added. No intersection between source source networks (192.168.0.1/255.255.255.255) and (100.30.20.10/255.255.255.255).

IPSEC: No user rule added. No intersection between source source networks (192.168.0.1/255.255.255.255) and (100.30.20.10/255.255.255.255).

Any ideas??

Thanks

Rahul Govindan Wed, 07/28/2010 - 06:48

Just make sure that there is a NAT exemption between your VPN networks, routes for remote networks pointing to the VPN gateway, and no vpn-filter configured in the group-policy. It would help if you posted a gist of your crypto config. And what is the device on the other end?

roussillon Wed, 07/28/2010 - 07:40

Hi all

OK


outside IP is 200.4.250.10
local host IP is 192.168.10.1/32
local host IP, after NAT, becomes 192.168.0.1/32

peer IP is 100.30.20.10

remote net 172.20.0.0/16

The IP of the local host is 192.168.10.1 and it is NATed to 192.168.0.1/32 if the traffic goes to 172.20.0.0.

This is part of the configuration:

access-list outside_cryptomap_3 extended permit ip host 192.168.0.1 172.20.0.0 255.255.0.0

crypto isakmp policy 2
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 2 match address outside_cryptomap_3
crypto map outside_map 2 set connection-type originate-only
crypto map outside_map 2 set peer 100.30.20.10
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 set nat-t-disable
crypto map outside_map interface outside

group-policy VPN_2 internal
group-policy VPN_2 attributes
 vpn-filter none
 vpn-tunnel-protocol IPSec svc

tunnel-group 100.30.20.10 type ipsec-l2l
tunnel-group 100.30.20.10 general-attributes
 default-group-policy VPN_2
tunnel-group 100.30.20.10 ipsec-attributes
 pre-shared-key ""
 isakmp keepalive disable

Thanks in advance

Rahul Govindan Wed, 07/28/2010 - 08:04

So phase 2 comes up but you are not able to pass traffic?

Can you do a packet tracer between the relevant hosts and post the outputs?

roussillon Wed, 07/28/2010 - 08:35

Hi

Packet tracer does not give usable information, as the packets are not routed via the VPN.

Thanks

roussillon Thu, 07/29/2010 - 02:59

There is another problem.

The output of show crypto ipsec sa gives:

access-list OO_temp_outside_map2 permit ip host 200.4.250.10 host 100.30.20.10

local ident (addr/mask/prot/port): (200.4.250.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): 100.30.20.10/255.255.255.255/0/0)
      current_peer: 100.30.20.10

"OO_temp_outside_map2" is not the ACL I put in the crypto map; my line states:

crypto map outside_map 2 match address outside_cryptomap_3
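To check the negotiated proxy identities from show crypto ipsec sa against the crypto ACL the way the ASA does (the same "No intersection between source networks" test the debug output reports), here is an added Python example; it is not from the thread or from Cisco, and the ACL and ident lines are constructed samples copied in shape from the posts above.

```python
import ipaddress
import re

# Constructed sample input, copied in shape from the thread: the configured
# crypto ACL and the ident lines that "show crypto ipsec sa" printed.
CRYPTO_ACL = ("access-list outside_cryptomap_3 extended permit ip "
              "host 192.168.0.1 172.20.0.0 255.255.0.0")
SA_OUTPUT = """\
local ident (addr/mask/prot/port): (200.4.250.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): 100.30.20.10/255.255.255.255/0/0)
      current_peer: 100.30.20.10
"""

# The "(" is optional so the pasted remote ident line (missing it) still parses.
IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(?([\d.]+)/([\d.]+)/\d+/\d+")


def parse_acl_networks(acl_line):
    """Return (source, destination) networks from an ASA 'permit ip' ACE."""
    tokens = acl_line.split()
    i = tokens.index("ip") + 1
    nets = []
    for _ in range(2):
        if tokens[i] == "host":
            nets.append(ipaddress.ip_network(tokens[i + 1]))
            i += 2
        elif tokens[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        else:  # "network mask" pair
            nets.append(ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"))
            i += 2
    return nets[0], nets[1]


def parse_sa_idents(sa_text):
    """Return (local ident, remote ident) networks from 'show crypto ipsec sa'."""
    idents = {m.group(1): ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
              for m in IDENT_RE.finditer(sa_text)}
    return idents["local"], idents["remote"]


def proxy_id_mismatch(acl_line, sa_text):
    """Each negotiated ident must overlap its side of the crypto ACL."""
    acl_src, acl_dst = parse_acl_networks(acl_line)
    sa_local, sa_remote = parse_sa_idents(sa_text)
    problems = []
    if not acl_src.overlaps(sa_local):
        problems.append(f"local ident {sa_local} vs ACL source {acl_src}")
    if not acl_dst.overlaps(sa_remote):
        problems.append(f"remote ident {sa_remote} vs ACL destination {acl_dst}")
    return problems
```

For the thread's SA, both idents are the gateways' own /32 addresses and neither overlaps the ACL, so proxy_id_mismatch reports two problems; an SA negotiated with the expected 192.168.0.1/32 and 172.20.0.0/16 idents reports none.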

Rahul Govindan Thu, 07/29/2010 - 04:28

Try removing the set connection originate-only in the crypto map and re-initiate the tunnel.

roussillon Thu, 07/29/2010 - 06:08


Thanks, but

If I use bidirectional, the tunnel stops.
How do I re-initiate the tunnel?

Thanks again

Rahul Govindan Thu, 07/29/2010 - 06:44

clear crypto isakmp sa and clear crypto ipsec sa peer, then send interesting traffic again.
