vpn tunnel

Answered Question
Sep 27th, 2010

Hello All,

If the ASA (acting as one end peer) is used with a non-Cisco product (Checkpoint, Juniper, Microsoft server) for IPsec purposes, should the ASA be configured to allow any specific rules, like allowing UDP port, AH, ESP from that remote end on the outside?

thanks in advance.

Jennifer Halim Mon, 09/27/2010 - 02:22

No, by default "sysopt connection permit-vpn" is already enabled, and for all traffic coming from VPN, the outside ACL will not be checked anymore.

If you would like to configure specific policy for the decrypted vpn traffic, you can use the vpn-filter attributes within your group-policy.

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/uz.html#wp1570975

The direction of the ACL would be from the remote LAN towards the local LAN, ie: inbound to the local ASA.

Hope that helps.

suthomas1 Mon, 09/27/2010 - 02:29

Our ASA doesn't seem to exhibit that command in the configs. Or is it something not directly visible in the running config?

thanks.

suthomas1 Mon, 09/27/2010 - 04:39

If keepalives can't be set on the other non-Cisco peer, will it cause problems?

This message appears after phase 1 is completed.

& the message "Session disconnected.Reason: crypto map policy not found" is seen. Does this indicate the other peer is not proper on the crypto part?

This end ASA peer is properly set with crypto.

thank You in advance.

Jennifer Halim Mon, 09/27/2010 - 04:41

"crypto map policy not found" seems like the crypto map has not been configured correctly, or is not matching the other end.

Plus, if the peer is not a Cisco device, it is recommended to turn off the keepalive, as the keepalive between the 2 different vendors might be different.

suthomas1 Mon, 09/27/2010 - 08:20

Crypto map policy no., transform set name & group no.; can they be different on either end, or is it necessary that they match no. to no. and name to name? If my know-how is not wrong, the encryption & hash algorithm should be the same on both ends.

Please correct me if this is wrong.

& does it matter if we have 2 tunnels with separate peers?

tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 20.20.20.20 type ipsec-l2l   -------> this peer is trying to connect
tunnel-group 20.20.20.20 ipsec-attributes
pre-shared-key *

Thank You.

Jennifer Halim Mon, 09/27/2010 - 21:42

The crypto policy needs to match, ie: transform-set, then crypto ACL needs to be mirror image.

Please kindly share the output of "sh run crypto map" and corresponding ACL and transform-set.

suthomas1 Tue, 09/28/2010 - 03:09

Unfortunately, the remote device config is not available. Would a mismatch in hash algorithm cause problems?

I have read somewhere about other non-Cisco devices using SHA1, whereas the ASA uses either MD5/SHA & I believe both SHAs are the same.

If the interesting list is like permit ip host 192.168.100.10 172.16.1.2 on the Cisco device and ip host 172.16.1.2 192.168.100.0 255.255.255.0

will it be workable?

TIA.

Jennifer Halim Tue, 09/28/2010 - 03:18

It needs to match exactly. If the non-Cisco peer is using MD5, just change the ASA to use MD5. Or if the peer uses SHA, you can just configure the ASA to match what the peer configured.

Same with the crypto ACL: if the non-Cisco peer has "ip host 172.16.1.2 192.168.100.0 255.255.255.0" configured, since you have access to the ASA, you can configure the crypto ACL on the ASA to match the peer (mirror image): "ip 192.168.100.0 255.255.255.0 host 172.16.1.2"

Here is a sample configuration for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml

suthomas1 Tue, 09/28/2010 - 03:31

Good link, thanks.

We have SHA on this end and the other non-Cisco peer has SHA1, and I can't see SHA1 on the ASA; I think both are similar on the ASA?

Should this be OK, or should I resort to MD5?

suthomas1 Wed, 09/29/2010 - 00:09

Came across this message:

Session disconnected. Session Type: IKE, Duration: 0h:00m:02 s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

PFS is currently disabled on the ASA. Appreciate your help.

Jennifer Halim Wed, 09/29/2010 - 05:31

Please check what transform set is configured for this particular peer. It needs to match the remote end.

If you run the following debugs on the ASA and try to initiate the VPN tunnel, it should give you more information on what is not matching:

debug cry isa

debug cry ipsec

suthomas1 Wed, 09/29/2010 - 06:42

Thank you, the debug was done and the results are attached; some parameters used by the other end are also indicated in the file.

I think it indicates a wrong crypto map.

I can see a difference in the security association time.

But I'm not certain if this may be the problem. The other party would be reconfiguring it later.

From the above, is there anything that needs to be checked?

Thanks a heap.

Correct Answer
Jennifer Halim Wed, 09/29/2010 - 06:50

Well, phase 2 policy is completely different between the 2 ends.

Assuming that crypto map 50 is assigned transform-set QWERT, the policy does not match at all.

Your end: 3DES and MD5

The peer end: 3DES, SHA1 and PFS group 2

You can create a new transform-set that has the following:

crypto ipsec transform-set 3DES-SHA esp-3des esp-sha1-hmac

Then assign this transform-set to crypto map 50:

crypto map kepp 50 set transform-set 3DES-SHA

crypto map kepp 50 set pfs group2
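A small checker for the phase 2 mismatch worked through in this thread (transform-set algorithms, PFS group, and mirror-image crypto ACL), added here as an example; it is not part of the original thread or of any Cisco tool. It assumes ASA-style transform-set and ACL syntax on both ends, and the peer policy and sample ACLs are constructed from the values quoted in the replies above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# ASA transform-set keyword -> canonical name. esp-sha-hmac is HMAC-SHA-1, so
# "SHA" on the ASA and "SHA1" on another vendor are the same algorithm.
ALG = {"esp-3des": "3des", "esp-aes": "aes128", "esp-aes-256": "aes256",
       "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "esp-sha1-hmac": "sha1"}
@dataclass(frozen=True)
class Phase2:
    encryption: str
    integrity: str
    pfs: Optional[str] = None  # e.g. "group2"; None when PFS is disabled
def parse_transform_set(line, pfs=None):
    """Parse 'crypto ipsec transform-set NAME esp-<enc> esp-<hash>-hmac'."""
    words = line.split()
    algs = [ALG[w] for w in words[4:]]  # unknown keyword raises KeyError on purpose
    enc = next(a for a in algs if a in ("3des", "aes128", "aes256"))
    integ = next(a for a in algs if a in ("md5", "sha1"))
    return words[3], Phase2(enc, integ, pfs)

def _endpoint(t, i):
    """Consume one ACL endpoint ('host A.B.C.D' or 'A.B.C.D MASK') at t[i]."""
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network((t[i], t[i + 1]), strict=False), i + 2

def parse_acl(lines):
    """Return the set of (src, dst) networks from 'permit ip SRC DST' entries."""
    pairs = set()
    for line in lines:
        t = line.split()
        i = t.index("permit") + 2  # skip 'permit ip'
        src, i = _endpoint(t, i)
        dst, _ = _endpoint(t, i)
        pairs.add((src, dst))
    return pairs

def compare(local, peer, local_acl, peer_acl):
    """List every phase 2 difference; an empty list means both ends agree."""
    problems = [f"{f}: local={getattr(local, f)} peer={getattr(peer, f)}"
                for f in ("encryption", "integrity", "pfs")
                if getattr(local, f) != getattr(peer, f)]
    mirrored = {(d, s) for s, d in peer_acl}  # peer's dst->src is our src->dst
    problems += [f"crypto ACL not mirrored: {s} -> {d}" for s, d in local_acl ^ mirrored]
    return problems
# Constructed sample reproducing the thread: the ASA runs 3DES/MD5 with PFS off.
_, LOCAL = parse_transform_set("crypto ipsec transform-set QWERT esp-3des esp-md5-hmac")
PEER = Phase2("3des", "sha1", "group2")
LOCAL_ACL = parse_acl(["permit ip 192.168.100.0 255.255.255.0 host 172.16.1.2"])
PEER_ACL = parse_acl(["permit ip host 172.16.1.2 192.168.100.0 255.255.255.0"])
```

Running compare() on the constructed sample reports the integrity and PFS differences the thread ends on; re-parsing the suggested 3DES-SHA transform-set with pfs="group2" returns an empty list.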
