Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
977
Views
0
Helpful
4
Replies

vpn site to site problem

Carmine De Rienzo
Level 1
Level 1

‎01-31-2011 09:44 AM

From Last week the vpn that was working for months, suddenly it doesn't  longer work.

Nobody has changed the rules or the pre-shared key.

On both sites we have done:

1) reload firewalls

2) we have newly written the pre-shared key

3) more times we have done clear crypto isakmp sa

4) We have removed the vpn configuration and we have newly put the vpn configuration.

the error is:

sh crypto isakmp sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: x.x.x.x /// ip hidden
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG5
2   IKE Peer: x.x.x.x
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG5
ASA# sh crypto isakmp

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: x.x.x.x
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG5

The firewalls have different system image

One has 8.3 ASA 5520 and the other has 8.2 ASA 5510

Can anyone help me ?

Best Regards

Carmine

Labels:
0 Helpful
4 Replies 4

manish arora
Level 6
Level 6

‎01-31-2011 09:52 AM

The error that you are seeing is generally due to following reasons :-

1> Incorrect peer configuration.

2> iskamp proposal mismatch.

Please post the vpn revalent configuration from both peers for further troubleshooting.

Manish

0 Helpful

Carmine De Rienzo
Level 1
Level 1
In response to manish arora

‎01-31-2011 10:46 AM

firewall a

object-group network DM_INLINE_NETWORK_1
network-object yyy.xx.7.0 255.255.255.0
network-object yyy.xx.8.0 255.255.255.0
network-object yyy.xx.9.0 255.255.255.0

access-list 110 extended permit ip object-group DM_INLINE_NETWORK_1 host 192.zzz.x.10

crypto ipsec transform-set pippo esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto map galileo 10 match address 110
crypto map galileo 10 set peer ss.zz.yy.xx
crypto map galileo 10 set transform-set pippo
crypto map galileo interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group ss.zz.yy.xx type ipsec-l2l
tunnel-group ss.zz.yy.xx ipsec-attributes
pre-shared-key pippo

Firewall b

object network ff

host 192.zzz.x.10

object-group network DM_INLINE_NETWORK_2

network-object yyy.xx.7.0 255.255.255.0
  network-object yyy.xx.8.0 255.255.255.0
  network-object yyy.xx.9.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip object ff object-group DM_INLINE_NETWORK_2

nat (INSIDE,any) source static obj-192.zzz.x.0 obj-192.zzzz.x.0 destination static obj-yyy.xx.9.0 obj-yyy.xx.9.0 unidirectional

nat (INSIDE,any) source static obj-yyy.xx.9.0 obj-yyy.xx.9.0 destination static obj-192.zzz.x.0 obj-192.zzz.x.0 unidirectional

crypto ipsec transform-set pippo esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto map galileo 10 match address 110
crypto map galileo 10 set peer yy.zz.ss.xx
crypto map galileo 10 set transform-set pippo
crypto map galileo interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400

tunnel-group yy.zz.ss.xx type ipsec-l2l
tunnel-group yy.zz.ss.xx ipsec-attributes
  pre-shared-key pippo

The outside interface on the firewall b has private address and then this private address have to be nat with ip pubblic address.

Best regards

Carmine

0 Helpful

manish arora
Level 6
Level 6
In response to Carmine De Rienzo

‎01-31-2011 11:11 AM

The outside address of firewall B which you said is being Natted , is the NAT happening on another device between the two firewalls ?

Manish

0 Helpful

m.kafka
Level 4
Level 4
In response to Carmine De Rienzo

‎01-31-2011 01:58 PM

the recommended configuration of an IPsec endpoint behind a nat (static one-to-one nat) is to use isakmp identity hostname

so that the isakmp identity can match the information of the layer 3

funny it worked in the first place...

on b (which is translated) i would configure:

isakmp identity hostname

on a i would:

change the tunnel-group to the hostname (instead of ip address)

add a name which resolves hostname to the public (translated) ip of b

then i would run deb crypto isakmp on a and initiate a tunnel-negotiation from b

and vice-verse a deb cry isak on b and initiate from a

watch carefuly, the debug output differs on 8.2 and 8.3

look for something like "landing on group" or "matching tunnel group"

PS your config, it says on b:

crypto map galileo 10 match address 110

but:

access-list outside_1_cryptomap extended permit ip object ff object-group DM_INLINE_NETWORK_2

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents