07-28-2010 06:32 AM - edited 02-21-2020 04:45 PM
Hi, I have a problem with an IPsec tunnel on an ASA.
Phase I is OK,
but phase II is weird.
let's say local ip is 200.4.250.10
local host 192.168.0.1/32
remote net 172.20.0.0/16
peer ip is 100.30.20.10
The output of show crypto ipsec sa gives:
local ident (addr/mask/prot/port): (200.4.250.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): 100.30.20.10/255.255.255.255/0/0)
current_peer: 100.30.20.10
I think the local ident & remote ident are wrong; I should get
local ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): 172.20.0.0/255.255.0.0/0/0)
current_peer: 100.30.20.10
When I execute
debug crypto ipsec 7
IPSEC: No user rule added. No intersection between source source networks (192.168.0.1/255.255.255.255) and (100.30.20.10/255.255.255.255).
IPSEC: No user rule added. No intersection between source source networks (192.168.0.1/255.255.255.255) and (100.30.20.10/255.255.255.255).
Any ideas?
Thanks
07-28-2010 06:46 AM
I think your config is incorrect - post your ASA's config for review, removing any sensitive information.
07-28-2010 06:48 AM
Just make sure that there is a NAT exemption between your VPN networks, routes for the remote networks pointing to the VPN gateway, and no vpn-filter configured in the group-policy. It would help if you posted a gist of your crypto config. And what is the device on the other end?
07-28-2010 07:40 AM
Hi all,
OK:
outside IP is 200.4.250.10
local host IP is 192.168.10.1/32
local host IP, after NAT, becomes 192.168.0.1/32
peer IP is 100.30.20.10
remote net 172.20.0.0/16
The IP of the local host is 192.168.10.1 and it is NATted to 192.168.0.1/32 if the traffic goes to 172.20.0.0.
This is part of the configuration:
access-list outside_cryptomap_3 extended permit ip host 192.168.0.1 172.20.0.0 255.255.0.0
crypto isakmp policy 2
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 2 match address outside_cryptomap_3
crypto map outside_map 2 set connection-type originate-only
crypto map outside_map 2 set peer 100.30.20.10
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 set nat-t-disable
crypto map outside_map interface outside
group-policy VPN_2 internal
group-policy VPN_2 attributes
 vpn-filter none
 vpn-tunnel-protocol IPSec svc
tunnel-group 100.30.20.10 type ipsec-l2l
tunnel-group 100.30.20.10 general-attributes
 default-group-policy VPN_2
tunnel-group 100.30.20.10 ipsec-attributes
 pre-shared-key ""
 isakmp keepalive disable
Thanks in advance
07-28-2010 08:04 AM
So phase 2 comes up but you are not able to pass traffic?
Can you do a packet tracer between the relevant hosts and post the outputs?
07-28-2010 08:35 AM
Hi,
packet tracer does not give usable information, as the packets are not routed via the VPN.
Thanks
07-28-2010 08:10 AM
Provide the "no-nat" config, i.e. "nat inside 0".
Why is this end set to originate only?
07-29-2010 02:59 AM
There is another problem.
The output of show crypto ipsec sa gives:
access-list OO_temp_outside_map2 permit ip host 200.4.250.10 host 100.30.20.10
local ident (addr/mask/prot/port): (200.4.250.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): 100.30.20.10/255.255.255.255/0/0)
current_peer: 100.30.20.10
"OO_temp_outside_map2" is not the ACL I put in the crypto map; my line states:
crypto map outside_map 2 match address outside_cryptomap_3
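As an added example (not code from the thread), a small Python checker that parses the crypto-map ACE and the ident lines from show crypto ipsec sa and reports when the negotiated proxy identities differ from what the ACL intended, which is exactly what the host-to-host OO_temp identity above shows. The sample output is constructed from the addresses in this thread, and the ACE parser assumes the plain "permit ip" form used here (host, any, or network plus dotted mask).

```python
import ipaddress
import re

# Constructed sample input, reusing the addresses from the thread.
CRYPTO_ACL = ("access-list outside_cryptomap_3 extended permit ip "
              "host 192.168.0.1 172.20.0.0 255.255.0.0")
SHOW_SA_BAD = """\
access-list OO_temp_outside_map2 permit ip host 200.4.250.10 host 100.30.20.10
  local ident (addr/mask/prot/port): (200.4.250.10/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): 100.30.20.10/255.255.255.255/0/0)
  current_peer: 100.30.20.10
"""
SHOW_SA_GOOD = """\
  local ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): (172.20.0.0/255.255.0.0/0/0)
  current_peer: 100.30.20.10
"""

# Tolerates the missing opening parenthesis seen in the pasted output.
IDENT_RE = re.compile(
    r"(local|remote) ident .*?\(?(\d+(?:\.\d+){3})/(\d+(?:\.\d+){3})/\d+/\d+")


def parse_acl_networks(ace):
    """Return (src, dst) networks from an ASA 'permit ip' extended ACE."""
    tok = ace.split()
    i = tok.index("ip") + 1
    nets = []
    while len(nets) < 2:
        if tok[i] == "host":
            nets.append(ipaddress.ip_network(tok[i + 1] + "/32"))
            i += 2
        elif tok[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        else:  # network address followed by a dotted mask
            nets.append(ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False))
            i += 2
    return nets[0], nets[1]


def parse_idents(show_sa):
    """Map 'local'/'remote' to the proxy identity negotiated for the SA."""
    return {m.group(1): ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            for m in IDENT_RE.finditer(show_sa)}


def check_proxy_ids(ace, show_sa):
    """Return mismatch descriptions; an empty list means the SA matches the ACL."""
    want = dict(zip(("local", "remote"), parse_acl_networks(ace)))
    got = parse_idents(show_sa)
    return [f"{side} ident {got.get(side)} does not match crypto ACL {want[side]}"
            for side in ("local", "remote") if got.get(side) != want[side]]
```

Run check_proxy_ids(CRYPTO_ACL, SHOW_SA_BAD) against the pasted output to get both mismatches listed; the same call on SHOW_SA_GOOD returns an empty list.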
07-29-2010 04:28 AM
Try removing the set connection-type originate-only in the crypto map and re-initiate the tunnel.
07-29-2010 06:08 AM
Thanks, but
if I use bidirectional the tunnel stops.
How do I re-initiate the tunnel?
Thanks again
07-29-2010 06:44 AM
clear crypto isakmp sa
and clear crypto ipsec sa peer
07-29-2010 03:03 AM
Again - provide the "no-nat" config, i.e. "nat inside 0".