Two VPN L2L tunnels between one Cisco 871 and two ASA 5500

Unanswered Question
Oct 4th, 2010

Hello, all

I'm trying without success to establish, from a Cisco 871 VPN router, two IPsec L2L tunnels:

- one going to an ASA

- another going to another ASA

To do that I found the following on the net, but I can't manage to establish phase 2!

First of all, is this configuration suitable for establishing two L2L tunnels from one 871 to different ASAs?

Cordially,

Thanks, Patrick

crypto keyring site-1-keyring
  pre-shared-key address 1.1.1.1 key abcd
  pre-shared-key address 2.2.2.2 key abcd
crypto keyring site-2-keyring
  pre-shared-key address 3.3.3.3 key abcd
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp profile site-1-a-prof
   keyring site-1-keyring
   match identity address 1.1.1.1 255.255.255.255
crypto isakmp profile site-1-b-prof
   keyring site-1-keyring
   match identity address 2.2.2.2 255.255.255.255
crypto isakmp profile site-2-prof
   keyring site-2-keyring
   match identity address 3.3.3.3 255.255.255.255
!
!
crypto ipsec transform-set strong ah-sha-hmac esp-3des
!
crypto map ipsec-maps 10 ipsec-isakmp
description ** Site 1 VPN A **
set peer 1.1.1.1
set transform-set strong
set isakmp-profile site-1-a-prof
match address site-1-a-acl
crypto map ipsec-maps 20 ipsec-isakmp
description ** Site 1 VPN B **
set peer 2.2.2.2
set transform-set strong
set isakmp-profile site-1-b-prof
match address site-1-b-acl
crypto map ipsec-maps 30 ipsec-isakmp
description ** Site 2 **
set peer 3.3.3.3
set transform-set strong
set isakmp-profile site-2-prof
match address site-2-acl
!
interface Dialer1
crypto map ipsec-maps
!
ip access-list extended site-1-a-acl
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended site-1-b-acl
permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended site-2-acl
permit ip 192.168.0.0 0.0.0.255 192.168.3.0 0.0.0.255
Jitendriya Athavale Mon, 10/04/2010 - 06:21

Please paste the config on the other side, or the ASA, too.

Verify the phase 2 parameters, whether they are matching.

ah-sha-hmac esp-3des - looks like you have AH. Make sure you need AH and have it configured on the ASA; if not, change this AH to 3DES.

Also please enable the debugs and paste them here:

debug crypto isakmp

debug crypto ipsec

roquette Tue, 10/05/2010 - 01:22

Hi,

I've attached the files concerning the lab configuration: the 871 and one of the two ASAs.

Also a debug crypto ipsec and isakmp on the 871 and the logging on the ASA.

I can't manage to fix this issue, though it seems it should be easy given the following ASA error ...

Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-5-713119: Group = 9.9.9.9, IP = 9.9.9.9, PHASE 1 COMPLETED
Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-5-713904: Group = 9.9.9.9, IP = 9.9.9.9, All IPSec SA proposals found unacceptable!
Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-3-713902: Group = 9.9.9.9, IP = 9.9.9.9, QM FSM error (P2 struct &0xd89cc148, mess id 0x8b43176a)!
Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-3-713902: Group = 9.9.9.9, IP = 9.9.9.9, Removing peer from correlator table failed, no match!
Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-5-713259: Group = 9.9.9.9, IP = 9.9.9.9, Session is being torn down. Reason: Phase 2 Mismatch
Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-4-113019: Group = 9.9.9.9, Username = 9.9.9.9, IP = 9.9.9.9, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

Many thanks for your help

Have a good day.
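The ASA lines above are the textbook phase 2 mismatch signature: IKE phase 1 completes, then every IPsec SA proposal is rejected. As an added example (not part of the thread, nor Cisco code), a small Python triage that groups ASA IKE syslog lines per peer and separates "authenticated but no IPsec SA" from a healthy tunnel. The sample log is constructed from the lines above plus a made-up second peer (203.0.113.7) that completes; message id 713120 is the ASA's PHASE 2 COMPLETED message.

```python
import re
from collections import defaultdict

# Pattern for the ASA IKE syslog fields present in the thread's log excerpt.
ASA_IKE_RE = re.compile(
    r"%ASA-\d-(?P<msgid>\d{6}): Group = \S+, (?:Username = \S+, )?IP = (?P<ip>\S+), (?P<text>.*)$"
)
# 713119/713904/713259 appear in the thread; 713120 is the ASA's "PHASE 2 COMPLETED" message.
PHASE1_OK, PHASE2_OK, PROPOSALS_REJECTED, TORN_DOWN = "713119", "713120", "713904", "713259"

# Constructed sample: the thread's failing peer 9.9.9.9 plus a made-up peer that completes.
SAMPLE_LOG = """\
Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-5-713119: Group = 9.9.9.9, IP = 9.9.9.9, PHASE 1 COMPLETED
Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-5-713904: Group = 9.9.9.9, IP = 9.9.9.9, All IPSec SA proposals found unacceptable!
Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-3-713902: Group = 9.9.9.9, IP = 9.9.9.9, QM FSM error (P2 struct &0xd89cc148, mess id 0x8b43176a)!
Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-5-713259: Group = 9.9.9.9, IP = 9.9.9.9, Session is being torn down. Reason: Phase 2 Mismatch
Oct  5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-4-113019: Group = 9.9.9.9, Username = 9.9.9.9, IP = 9.9.9.9, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
Oct  5 09:46:02 ASA_LAB Oct 05 2010 07:46:03: %ASA-5-713119: Group = 203.0.113.7, IP = 203.0.113.7, PHASE 1 COMPLETED
Oct  5 09:46:02 ASA_LAB Oct 05 2010 07:46:03: %ASA-5-713120: Group = 203.0.113.7, IP = 203.0.113.7, PHASE 2 COMPLETED (msgid=1a2b3c4d)
"""

def triage_ike(log_text):
    """Per peer: did IKE phase 1 and phase 2 complete, and if not, why.

    The signature from the thread is phase1=True, phase2=False with a 713904:
    the PSK and ISAKMP policy already agree, so the fix lies in the IPsec
    proposal (transform set, PFS) or the crypto ACLs, not in phase 1.
    """
    peers = defaultdict(lambda: {"phase1": False, "phase2": False, "reason": None})
    for line in log_text.splitlines():
        m = ASA_IKE_RE.search(line)
        if not m:
            continue
        st, msgid, text = peers[m["ip"]], m["msgid"], m["text"]
        if msgid == PHASE1_OK:
            st["phase1"] = True
        elif msgid == PHASE2_OK:
            st["phase2"] = True
        elif msgid == PROPOSALS_REJECTED:
            st["reason"] = "no acceptable IPsec SA proposal"
        elif msgid == TORN_DOWN and "Reason:" in text:
            st["reason"] = text.split("Reason:", 1)[1].strip()   # keep the ASA's own wording
    return dict(peers)

def phase2_mismatches(log_text):
    """Peers that authenticated (phase 1) but never got an IPsec SA."""
    return sorted(ip for ip, st in triage_ike(log_text).items() if st["phase1"] and not st["phase2"])
```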

roquette Fri, 10/08/2010 - 00:05

Hi "Jathaval" ...

Did you spend time on my issue?

Is the configuration I took as a sample suitable for opening, on a Cisco 871 VPN router, two IPsec L2L tunnels?

(The end-points of the tunnels are Cisco ASA 5500s.)

Cordially

Patrick Letendart

roquette Fri, 10/08/2010 - 08:24

Hello Stefano,

Thanks for your help.

It's getting better ... one of the two tunnels goes up!

I'm looking at the second one.

After that it'll "just remain" for me to deal with the routing ...

I'll keep you all informed next Monday.

Managing to create a running configuration (with your great help) is becoming a contest for me ...

Bye and have a nice weekend

roquette Fri, 10/08/2010 - 09:14

Hi all,

Thanks to Stefano, I managed to establish the two tunnels (PFS disabled, DES instead of 3DES, one reversal in one ACL, an error in another one ...).

So now I have two tunnels up and it "remains for me" to implement the routing.

Is OSPF the solution? Or?

Following is the configuration of the Cisco 871:

!
no ip source-route
ip cef
!
crypto keyring ST
  pre-shared-key address 1.2.3.4 key 6 XAi[WbI_AB\V]Ub[RFDYLDSPI`LObaCL\
crypto keyring Lestrem
  pre-shared-key address 5.6.7.8 key 6 JYR^BARI\LZcGAbec^IZeFWAffB]GZFHM
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp profile ST-prof
   keyring ST
   match identity address 1.2.3.4 255.255.255.255
crypto isakmp profile Lestrem-prof
   keyring Lestrem
   match identity address 5.6.7.8 255.255.255.255
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-MD5 esp-des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map dual-tunnel 10 ipsec-isakmp
description ST
set peer 1.2.3.4
set transform-set ESP-3DES-MD5
set isakmp-profile ST-prof
match address ST
crypto map dual-tunnel 20 ipsec-isakmp
description Lestrem
set peer 5.6.7.8
set transform-set ESP-3DES-MD5
set isakmp-profile Lestrem-prof
match address Lestrem
!
interface FastEthernet4
description $ETH-WAN$
ip address 9.9.9.9 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
no cdp enable
crypto map dual-tunnel
!
interface Vlan1
description ADMIN
ip address 1.170.128.5 255.255.252.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
standby 1 ip 1.170.128.4
standby 1 priority 20
standby 1 preempt
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 9.9.9.10
ip route 1.170.0.0 255.255.0.0 1.170.128.1
no ip http server
no ip http secure-server
!
ip nat pool branch 9.9.9.9 9.9.9.9 netmask 255.255.255.240
ip nat inside source route-map nonat pool branch overload
!
ip access-list extended Lestrem
permit ip 1.170.0.0 0.0.255.255 1.0.0.0 0.255.255.255
!
ip access-list extended ST
permit ip 1.170.0.0 0.0.255.255 1.36.0.0 0.0.255.255
!
access-list 130 deny   ip 1.170.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 130 permit ip 1.170.0.0 0.0.255.255 any
!
route-map nonat permit 10
match ip address 130
!

Thanks, gentlemen!
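One thing worth checking in a two-peer crypto map like the one above is whether the crypto ACLs (proxy identities) of the two entries overlap: here the ST ACL (1.36.0.0/16) lies inside the Lestrem ACL (1.0.0.0/8), which only works because seq 10 is evaluated before seq 20. As an added example (my code, not from the thread or Cisco), a small Python parser that extracts crypto map entries and their extended ACLs from an IOS config and reports overlapping pairs; the config excerpt is a constructed subset of the posted one, and the parser assumes network/wildcard ACL entries.

```python
import ipaddress

# Constructed excerpt modelled on the 871 configuration posted in the thread.
IOS_CONFIG = """\
crypto map dual-tunnel 10 ipsec-isakmp
 match address ST
crypto map dual-tunnel 20 ipsec-isakmp
 match address Lestrem
ip access-list extended Lestrem
 permit ip 1.170.0.0 0.0.255.255 1.0.0.0 0.255.255.255
ip access-list extended ST
 permit ip 1.170.0.0 0.0.255.255 1.36.0.0 0.0.255.255
"""

def net(addr, wildcard):
    """IOS address + wildcard (1.170.0.0 0.0.255.255) -> 1.170.0.0/16; assumes a contiguous wildcard."""
    prefix = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse(config):
    """Crypto map entries in config (= sequence) order and the extended ACLs they reference."""
    maps, acls, cur = [], {}, None
    for l in filter(str.strip, config.splitlines()):
        w = l.split()
        if not l[0].isspace():
            cur = None                  # an unindented line starts a new top-level block
        if w[:2] == ["crypto", "map"] and w[-1] == "ipsec-isakmp":
            maps.append({"seq": int(w[3])}); cur = maps[-1]
        elif w[:3] == ["ip", "access-list", "extended"]:
            acls[w[3]] = cur = []
        elif isinstance(cur, dict) and w[:2] == ["match", "address"]:
            cur["acl"] = w[2]
        elif isinstance(cur, list) and w[:2] == ["permit", "ip"] and len(w) == 6:
            cur.append((net(w[2], w[3]), net(w[4], w[5])))   # (source, destination)
    return maps, acls

def overlapping_proxy_ids(config):
    """Return (seq_a, seq_b, dst_a, dst_b) for crypto map entries whose proxy IDs overlap.
    IOS tries entries in ascending sequence order, so traffic matching both always goes to
    the lower sequence's peer; each ASA must mirror its ACL exactly or phase 2 fails.
    """
    maps, acls = parse(config)
    hits = []
    for i, a in enumerate(maps):
        for b in maps[i + 1:]:
            for sa, da in acls.get(a.get("acl"), []):
                for sb, db in acls.get(b.get("acl"), []):
                    if sa.overlaps(sb) and da.overlaps(db):
                        hits.append((a["seq"], b["seq"], str(da), str(db)))
    return hits
```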

Stefano De Crescenzo Fri, 10/08/2010 - 23:27

Hi,

I am not sure what you intended with "now I need to configure the routing". If your goal is to have a routing protocol passed via the tunnel so that the internal hosts can become neighbors, this is not possible with a normal L2L and you would need to use either GRE or VTI (which are not supported on the ASA).

So you do not have many options:

1- use static routing

2- use GRE or VTI, but then you need to put another router behind the ASA to terminate those tunnels (a much more complicated solution)

Hope it helps

Stefano

roquette Mon, 10/11/2010 - 02:58

Thanks Marcin and Stefano,

I'll try to use OSPF following the sample Marcin helpfully gave me.

As soon as I manage to make it run, I'll come back to this discussion.

cu
