10-04-2010 06:03 AM
Hello, all
I'm trying, without success, to establish two IPsec L2L tunnels from a Cisco 871 VPN router:
- one going to an ASA
- another going to another ASA
To do that I found the following on the net, but I can't manage to get phase 2 established!
First of all, is this configuration suitable for establishing two L2L tunnels from one 871 to different ASAs?
Cordially,
Thanks, Patrick
10-04-2010 06:21 AM
Please paste the config of the other side (the ASA) too.
Verify whether the phase 2 parameters are matching.
ah-sha-hmac esp-3des - it looks like you have AH; make sure you need AH and have it configured on the ASA. If not, change this AH to 3DES.
Also, please enable debugs and paste them here:
debug crypto isakmp
debug crypto ipsec
10-05-2010 01:22 AM
Hi,
I've attached the files concerning the lab configuration: the 871 and one of the two ASAs.
Also a "debug crypto ipsec" and "debug crypto isakmp" from the 871 and the logging from the ASA.
I can't manage to sort this issue out, even though it seems it should be easy given the following ASA error ...
Oct 5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-5-713119: Group = 9.9.9.9, IP = 9.9.9.9, PHASE 1 COMPLETED
Oct 5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-5-713904: Group = 9.9.9.9, IP = 9.9.9.9, All IPSec SA proposals found unacceptable!
Oct 5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-3-713902: Group = 9.9.9.9, IP = 9.9.9.9, QM FSM error (P2 struct &0xd89cc148, mess id 0x8b43176a)!
Oct 5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-3-713902: Group = 9.9.9.9, IP = 9.9.9.9, Removing peer from correlator table failed, no match!
Oct 5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-5-713259: Group = 9.9.9.9, IP = 9.9.9.9, Session is being torn down. Reason: Phase 2 Mismatch
Oct 5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-4-113019: Group = 9.9.9.9, Username = 9.9.9.9, IP = 9.9.9.9, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
Many thanks for your help
Have a good day.
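The ASA lines above already say where the negotiation died (713119 phase 1 completed, then 713904 every IPsec proposal rejected, then a teardown with "Reason: Phase 2 Mismatch"). When a tunnel flaps repeatedly it is easier to triage the syslog per peer than to read it by hand. The script below is an added example, not code from this thread or from Cisco: it parses ASA IKE syslog lines using the message IDs quoted above and reports, per peer IP, whether phase 1 completed and whether phase 2 was rejected. The sample log is constructed from the lines in the post plus a second peer address (198.51.100.7, an assumption) that only reached phase 1, for contrast.

```python
import re
from collections import defaultdict

# One record per ASA IKE message: severity, 6-digit message ID, group, optional
# username, peer IP, free text.  search() tolerates a syslog relay prefix.
LINE_RE = re.compile(
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): Group = (?P<group>[^,]+), "
    r"(?:Username = [^,]+, )?IP = (?P<ip>[^,]+), (?P<text>.*)$"
)

# Message IDs as they appear in the post; the text the ASA prints next to them
# is what gives them their meaning here.
PHASE1_COMPLETE = "713119"        # "PHASE 1 COMPLETED"
P2_PROPOSALS_REJECTED = "713904"  # "All IPSec SA proposals found unacceptable!"
SESSION_TORN_DOWN = "713259"      # "Session is being torn down. Reason: ..."

# Constructed sample: the lines quoted above for peer 9.9.9.9, plus a second peer
# (198.51.100.7, an assumption) whose phase 1 completed and nothing else was logged.
SAMPLE_LOG = """\
Oct 5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-5-713119: Group = 9.9.9.9, IP = 9.9.9.9, PHASE 1 COMPLETED
Oct 5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-5-713904: Group = 9.9.9.9, IP = 9.9.9.9, All IPSec SA proposals found unacceptable!
Oct 5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-3-713902: Group = 9.9.9.9, IP = 9.9.9.9, QM FSM error (P2 struct &0xd89cc148, mess id 0x8b43176a)!
Oct 5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-5-713259: Group = 9.9.9.9, IP = 9.9.9.9, Session is being torn down. Reason: Phase 2 Mismatch
Oct 5 09:45:45 ASA_LAB Oct 05 2010 07:45:46: %ASA-4-113019: Group = 9.9.9.9, Username = 9.9.9.9, IP = 9.9.9.9, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
Oct 5 09:46:02 ASA_LAB Oct 05 2010 07:46:03: %ASA-5-713119: Group = 198.51.100.7, IP = 198.51.100.7, PHASE 1 COMPLETED
"""


def parse(log_text):
    """Group (msgid, text) pairs by peer IP, keeping log order."""
    by_peer = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            by_peer[m["ip"]].append((m["msgid"], m["text"]))
    return by_peer


def classify(messages):
    """Reduce one peer's messages to a single verdict string."""
    ids = {mid for mid, _ in messages}
    if PHASE1_COMPLETE not in ids:
        return "phase1-not-completed"      # look at PSK, ISAKMP policy, peer identity
    if P2_PROPOSALS_REJECTED in ids:
        return "phase2-proposal-mismatch"  # transform set, PFS, crypto ACL
    for mid, text in messages:
        if mid == SESSION_TORN_DOWN and "Reason: " in text:
            return "torn-down: " + text.split("Reason: ", 1)[1]
    return "phase1-ok"


def triage(log_text):
    """Map each peer IP seen in the log to its verdict."""
    return {ip: classify(msgs) for ip, msgs in parse(log_text).items()}


if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG).items():
        print(f"{ip:16} {verdict}")
```

Feed it `logging` output from the ASA (or `show logging`) and the 713904 verdict tells you to stop looking at phase 1 and compare exactly the three things this thread ended up fixing: the transform set (ESP vs AH, DES vs 3DES, the hash), PFS, and the crypto ACLs being mirror images of each other.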
10-08-2010 12:05 AM
Hi "Jathaval" ...
Did you spend time on my issue?
Is the configuration I took as a sample suitable for opening, on a Cisco 871 VPN router, two IPsec L2L tunnels?
(The endpoints of the tunnels are Cisco ASA 5500s.)
Cordially
Patrick Letendart
10-08-2010 07:17 AM
Hi,
Can you try removing PFS from the ASA crypto map?
no crypto map outside_map 13 set pfs
Stefano
10-08-2010 08:24 AM
Hello Stefano,
Thanks for your help.
It's getting better ... one of the two tunnels comes up!
I'm looking at the second one.
After that it will "just remain" for me to deal with the routing ...
I'll keep all of you informed next Monday.
Managing to create a running configuration (with your great help) is becoming a contest for me ...
Bye and have a nice weekend
10-08-2010 09:14 AM
Hi all,
Thanks to Stefano, I managed to establish the two tunnels (PFS disabled, DES instead of 3DES, one reversal in one ACL, an error in another one ...).
So now I have two tunnels up and it "remains for me" to implement the routing.
Is OSPF the solution? Or something else?
Following is the configuration of the Cisco 871:
!
no ip source-route
ip cef
!
! One keyring per peer; the pre-shared keys are stored as type 6 (encrypted) as pasted
crypto keyring ST
  pre-shared-key address 1.2.3.4 key 6 XAi[WbI_AB\V]Ub[RFDYLDSPI`LObaCL\
crypto keyring Lestrem
  pre-shared-key address 5.6.7.8 key 6 JYR^BARI\LZcGAbec^IZeFWAffB]GZFHM
!
! Phase 1: one policy shared by both peers
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
! Each ISAKMP profile binds one keyring to one peer identity
crypto isakmp profile ST-prof
   keyring ST
   match identity address 1.2.3.4 255.255.255.255
crypto isakmp profile Lestrem-prof
   keyring Lestrem
   match identity address 5.6.7.8 255.255.255.255
!
crypto ipsec security-association lifetime seconds 86400
!
! Phase 2: the name still says 3DES, but the set was changed to esp-des to match the ASAs (see above)
crypto ipsec transform-set ESP-3DES-MD5 esp-des esp-md5-hmac
crypto ipsec df-bit clear
!
! One crypto map, one entry per peer. No "set pfs" here: PFS was disabled on the ASA side to match.
! Entry 10 (1.36.0.0/16) is evaluated before entry 20 (1.0.0.0/8), so the more specific ST entry wins.
crypto map dual-tunnel 10 ipsec-isakmp
 description ST
 set peer 1.2.3.4
 set transform-set ESP-3DES-MD5
 set isakmp-profile ST-prof
 match address ST
crypto map dual-tunnel 20 ipsec-isakmp
 description Lestrem
 set peer 5.6.7.8
 set transform-set ESP-3DES-MD5
 set isakmp-profile Lestrem-prof
 match address Lestrem
!
! Both tunnels terminate on the WAN interface through the single crypto map
interface FastEthernet4
 description $ETH-WAN$
 ip address 9.9.9.9 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map dual-tunnel
!
interface Vlan1
 description ADMIN
 ip address 1.170.128.5 255.255.252.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 standby 1 ip 1.170.128.4
 standby 1 priority 20
 standby 1 preempt
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 9.9.9.10
ip route 1.170.0.0 255.255.0.0 1.170.128.1
no ip http server
no ip http secure-server
!
ip nat pool branch 9.9.9.9 9.9.9.9 netmask 255.255.255.240
ip nat inside source route-map nonat pool branch overload
!
! Crypto ACLs (proxy IDs); the ASA side must carry the exact mirror image of each
ip access-list extended Lestrem
 permit ip 1.170.0.0 0.0.255.255 1.0.0.0 0.255.255.255
!
ip access-list extended ST
 permit ip 1.170.0.0 0.0.255.255 1.36.0.0 0.0.255.255
!
! Note: access-list 130 only exempts traffic to 10.0.0.0/8 from NAT. Inside-to-outside NAT runs
! before the crypto map, so traffic to 1.36.0.0/16 or 1.0.0.0/8 is PATed to 9.9.9.9 first and will
! no longer match ACL ST or Lestrem; the deny entries should cover the crypto ACL destinations.
access-list 130 deny ip 1.170.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 130 permit ip 1.170.0.0 0.0.255.255 any
!
route-map nonat permit 10
 match ip address 130
!
Thanks gentlemen !
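The three things that had to change to get phase 2 up (PFS, the cipher, a reversed ACL) are all parameters that can be compared mechanically before the next attempt instead of by reading two configs side by side. The script below is an added example, not code from this thread or from Cisco: it parses the phase-2 pieces of one IOS crypto map entry and of its ASA counterpart and lists where they disagree. The IOS fragment is the "ST" entry from the 871 configuration above; the ASA fragment is constructed (the ASA config was never posted) using the crypto map name outside_map 13 from Stefano's reply, and it deliberately keeps PFS and 3DES/SHA so that the mismatch shows. The peer addresses 9.9.9.9 and 1.2.3.4 are the ones used in the thread.

```python
import ipaddress
import re

# Fragment of the 871 configuration quoted above: only the lines that define
# phase 2 for the "ST" tunnel (transform set, crypto map entry, crypto ACL).
IOS_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-des esp-md5-hmac
crypto map dual-tunnel 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set ESP-3DES-MD5
 set isakmp-profile ST-prof
 match address ST
ip access-list extended ST
 permit ip 1.170.0.0 0.0.255.255 1.36.0.0 0.0.255.255
"""

# Constructed ASA fragment for the far end (assumption: the ASA config was never
# posted).  It keeps PFS and 3DES/SHA, so it will not agree with the 871.
ASA_CONFIG = """\
access-list outside_13_cryptomap extended permit ip 1.36.0.0 255.255.0.0 1.170.0.0 255.255.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 13 match address outside_13_cryptomap
crypto map outside_map 13 set peer 9.9.9.9
crypto map outside_map 13 set transform-set ESP-3DES-SHA
crypto map outside_map 13 set pfs group2
"""


def net(addr, mask):
    # ipaddress accepts a netmask (ASA style) as well as a wildcard/hostmask (IOS style)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_ios(text):
    """Return {peer_ip: {"transform", "pfs", "acl"}} for each IOS crypto map entry."""
    tsets, acls, entries = {}, {}, {}
    cur_entry = cur_acl = None
    for raw in text.splitlines():
        line = raw.strip()  # indentation is usually lost when a config is pasted
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            tsets[m[1]] = frozenset(m[2].split())
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp$", line):
            cur_entry, cur_acl = {"pfs": None}, None
        elif m := re.match(r"ip access-list extended (\S+)$", line):
            cur_acl, cur_entry = acls.setdefault(m[1], set()), None
        elif cur_entry is not None:
            if m := re.match(r"set peer (\S+)$", line):
                entries[m[1]] = cur_entry
            elif m := re.match(r"set transform-set (\S+)$", line):
                cur_entry["tset"] = m[1]
            elif m := re.match(r"set pfs(?: (\S+))?$", line):
                cur_entry["pfs"] = m[1] or "group1"  # IOS default when no group is given
            elif m := re.match(r"match address (\S+)$", line):
                cur_entry["acl"] = m[1]
        elif cur_acl is not None:
            if m := re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)$", line):
                cur_acl.add((net(m[1], m[2]), net(m[3], m[4])))
    # resolve names last: the ACL is often defined after the map entry that uses it
    return {p: {"transform": tsets[e["tset"]], "pfs": e["pfs"], "acl": acls[e["acl"]]}
            for p, e in entries.items()}


def parse_asa(text):
    """Same shape as parse_ios, for the ASA's one-attribute-per-line crypto map syntax."""
    tsets, acls, entries = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            acls.setdefault(m[1], set()).add((net(m[2], m[3]), net(m[4], m[5])))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            tsets[m[1]] = frozenset(m[2].split())
        elif m := re.match(r"crypto map (\S+) (\d+) (.+)$", line):
            e, rest = entries.setdefault((m[1], m[2]), {"pfs": None}), m[3]
            if mm := re.match(r"set peer (\S+)$", rest):
                e["peer"] = mm[1]
            elif mm := re.match(r"set transform-set (\S+)$", rest):
                e["tset"] = mm[1]
            elif mm := re.match(r"set pfs(?: (\S+))?$", rest):
                e["pfs"] = mm[1] or "group2"  # ASA default when no group is given
            elif mm := re.match(r"match address (\S+)$", rest):
                e["acl"] = mm[1]
    return {e["peer"]: {"transform": tsets[e["tset"]], "pfs": e["pfs"], "acl": acls[e["acl"]]}
            for e in entries.values()}


def phase2_mismatches(ios, asa):
    """List the phase-2 disagreements between one IOS entry and one ASA entry."""
    problems = []
    if ios["transform"] != asa["transform"]:
        problems.append(f"transform-set: IOS {sorted(ios['transform'])} vs ASA {sorted(asa['transform'])}")
    if ios["pfs"] != asa["pfs"]:
        problems.append(f"pfs: IOS {ios['pfs']} vs ASA {asa['pfs']}")
    # the ASA's crypto ACL must be the exact mirror image of the IOS one
    if ios["acl"] != {(dst, src) for src, dst in asa["acl"]}:
        problems.append("crypto ACL is not the mirror image of the peer's")
    return problems


def check(ios_text, asa_text, ios_wan_ip, asa_outside_ip):
    """Pick the two map entries that point at each other and compare them."""
    return phase2_mismatches(parse_ios(ios_text)[asa_outside_ip], parse_asa(asa_text)[ios_wan_ip])
```

`check(IOS_CONFIG, ASA_CONFIG, "9.9.9.9", "1.2.3.4")` returns the two disagreements (transform set and PFS); remove `set pfs group2` on the ASA, or add `set pfs group2` under the 871's map entry, and align the transform sets, and the list comes back empty. Two details matter in practice: IOS crypto ACLs use wildcard masks while ASA ACLs use subnet masks, so both are normalised to networks before comparing, and a bare `set pfs` means group1 on IOS but group2 on the ASA, which is itself a classic phase-2 mismatch.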
10-08-2010 11:27 PM
Hi,
I am not sure what you intended with "now I need to configure the routing". If your goal is to have a routing protocol pass through the tunnel so that the internal hosts can become neighbors, this is not possible with a normal L2L tunnel and you would need to use either GRE or VTI (which are not supported on the ASA).
So you do not have many options:
1- use static routing
2- use GRE or VTI, but then you need to put another router behind the ASA to terminate those tunnels (a much more complicated solution)
Hope it helps
Stefano
10-09-2010 03:33 PM
Adding to Stefano's remark: you can use OSPF with the "neighbor" command via an IPsec tunnel on the ASA.
Config example:
HTH,
Marcin
10-11-2010 02:58 AM
Thanks Marcin and Stefano,
I'll try to use OSPF following the sample Marcin helpfully gave me.
As soon as I manage to make it run, I'll come back to this discussion.
cu