site-to-site ipsec vpn with ASA

roussillon
Level 1

Hi, I have a problem with an IPsec tunnel on an ASA.

Phase I is OK

but phase II is weird.

let's say local ip is 200.4.250.10

local host 192.168.0.1/32

remote net 172.20.0.0/16

peer ip is 100.30.20.10

The output of show crypto ipsec sa gives:

local ident (addr/mask/prot/port): (200.4.250.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): 100.30.20.10/255.255.255.255/0/0)
      current_peer: 100.30.20.10

I think the local ident & remote ident are wrong; I should get

local ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): 172.20.0.0/255.255.0.0/0/0)
       current_peer: 100.30.20.10

When I execute

debug crypto ipsec 7

IPSEC: No user rule added. No intersection between source source networks (192.168.0.1/255.255.255.255) and (100.30.20.10/255.255.255.255).

IPSEC: No user rule added. No intersection between source source networks (192.168.0.1/255.255.255.255) and (100.30.20.10/255.255.255.255).

Any ideas?

Thanks

11 Replies

andrew.prince
Level 10

I think your config is incorrect - post your ASA's config for review, removing any sensitive information.

rahgovin
Level 4

Just make sure that there is a NAT exemption between your VPN networks, routes for remote networks pointing to the VPN gateway, and no vpn-filter configured in the group-policy. It would help if you had a gist of your crypto config posted. And what is the device on the other end?

roussillon
Level 1

Hi all

OK


outside ip is 200.4.250.10
local host ip is 192.168.10.1/32
local host ip, after NAT, becomes 192.168.0.1/32

peer ip is 100.30.20.10

remote net 172.20.0.0/16

The ip of the local host is 192.168.10.1 and it is NATed to 192.168.0.1/32 if the traffic goes to 172.20.0.0.

This is part of the configuration:


access-list outside_cryptomap_3 extended permit ip host 192.168.0.1  172.20.0.0 255.255.0.0


crypto isakmp policy 2
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400


crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 2 match address outside_cryptomap_3
crypto map outside_map 2 set connection-type originate-only
crypto map outside_map 2 set peer 100.30.20.10
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 set nat-t-disable
crypto map outside_map interface outside


group-policy VPN_2 internal
group-policy VPN_2 attributes
vpn-filter none
vpn-tunnel-protocol IPSec svc


tunnel-group 100.30.20.10 type ipsec-l2l

tunnel-group 100.30.20.10 general-attributes

default-group-policy VPN_2

tunnel-group 100.30.20.10 ipsec-attributes

pre-shared-key ""

isakmp keepalive disable

Thanks in advance
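The debug line in the original question ("No intersection between source networks ...") is the ASA comparing the negotiated proxy identities against the crypto ACL. The following added Python script (not from the thread or from Cisco) reproduces that comparison offline: it parses the posted crypto ACE and the local/remote ident lines from the posted show crypto ipsec sa output, and reports which side fails to overlap. The sample strings are copied from the thread; the parser is an assumption covering only permit ip ACEs with host/any/network-mask operands.

```python
import ipaddress
import re

# Constructed sample input, copied from the thread: the crypto ACL from the
# posted config and the identities printed by "show crypto ipsec sa".
CRYPTO_ACL = ("access-list outside_cryptomap_3 extended permit ip "
              "host 192.168.0.1 172.20.0.0 255.255.0.0")
SA_OUTPUT = """\
local ident (addr/mask/prot/port): (200.4.250.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): 100.30.20.10/255.255.255.255/0/0)
"""
# The remote line in the post lacks its opening parenthesis, hence "\(?".
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): "
                      r"\(?(\d+(?:\.\d+){3})/(\d+(?:\.\d+){3})/")

def parse_crypto_ace(line):
    """Return (source, destination) networks of an ASA 'permit ip' crypto ACE.
    Each address operand is 'host A.B.C.D', 'any', or 'NETWORK MASK'."""
    tokens = line.split()

    def operand(i):
        if tokens[i] == "host":
            return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
        if tokens[i] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), i + 1
        return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

    src, i = operand(tokens.index("ip") + 1)
    dst, _ = operand(i)
    return src, dst

def parse_idents(sa_text):
    """Return (local, remote) proxy identities from 'show crypto ipsec sa' text."""
    found = {m.group(1): ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
             for m in IDENT_RE.finditer(sa_text)}
    return found["local"], found["remote"]

def check_proxy_ids(acl_line, sa_text):
    """Apply the test behind the 'No intersection' debug line: each negotiated
    identity must overlap the corresponding side of the crypto ACL.
    Returns mismatch descriptions; an empty list means the SA matches the ACL."""
    src, dst = parse_crypto_ace(acl_line)
    local, remote = parse_idents(sa_text)
    problems = []
    if not src.overlaps(local):
        problems.append(f"local ident {local} does not intersect ACL source {src}")
    if not dst.overlaps(remote):
        problems.append(f"remote ident {remote} does not intersect ACL destination {dst}")
    return problems
```

Run against the posted output it reports both sides as non-intersecting, which is exactly what the ASA debug says; feed it the identities the poster expected and it returns an empty list.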

So phase 2 comes up but you are not able to pass traffic?

Can you do a packet tracer between the relevant hosts and post the outputs?

Hi

The tracer does not give usable information, as the packets are not routed via the VPN.

Thanks

Provide the "no-nat" config, i.e. "nat inside 0".

Why is this end set to originate only?

roussillon
Level 1

There is another problem.

The output of show crypto ipsec sa gives:

access-list OO_temp_outside_map2 permit ip host 200.4.250.10 host 100.30.20.10

local ident (addr/mask/prot/port): (200.4.250.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): 100.30.20.10/255.255.255.255/0/0)
      current_peer: 100.30.20.10

"OO_temp_outside_map2" is not the ACL I put in the crypto map; my line states:

crypto map outside_map 2 match address outside_cryptomap_3

Try removing the set connection originate-only in the crypto map and re-initiate the tunnel.


Thanks, but

if I use bidirectional, the tunnel stops.
How do I re-initiate the tunnel?

Thanks again

clear crypto isakmp sa

and clear crypto ipsec sa peer, and then send interesting traffic again.

andrew.prince
Level 10

Again - provide the "no-nat" config, i.e. "nat inside 0".
