vpn site to site problem

Unanswered Question
Jan 31st, 2011
Since last week, the VPN that had been working for months suddenly no longer works.


Nobody has changed the rules or the pre-shared key.


On both sites we have done:


1) reloaded the firewalls

2) re-entered the pre-shared key

3) run clear crypto isakmp sa several times

4) removed the VPN configuration and put it back


The error is:


sh crypto isakmp sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: x.x.x.x /// ip hidden
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG5
2   IKE Peer: x.x.x.x
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG5

ASA# sh crypto isakmp

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: x.x.x.x
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG5



The firewalls run different software versions:

One is an ASA 5520 running 8.3 and the other is an ASA 5510 running 8.2.


Can anyone help me ?


Best Regards

Carmine

manish arora Mon, 01/31/2011 - 09:52

The error that you are seeing is generally due to one of the following reasons:

1> Incorrect peer configuration.

2> ISAKMP proposal mismatch.


Please post the VPN-relevant configuration from both peers for further troubleshooting.

Manish

Carmine De Rienzo Mon, 01/31/2011 - 10:46

Firewall a


object-group network DM_INLINE_NETWORK_1
 network-object yyy.xx.7.0 255.255.255.0
 network-object yyy.xx.8.0 255.255.255.0
 network-object yyy.xx.9.0 255.255.255.0

access-list 110 extended permit ip object-group DM_INLINE_NETWORK_1 host 192.zzz.x.10

crypto ipsec transform-set pippo esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto map galileo 10 match address 110
crypto map galileo 10 set peer ss.zz.yy.xx
crypto map galileo 10 set transform-set pippo
crypto map galileo interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group ss.zz.yy.xx type ipsec-l2l
tunnel-group ss.zz.yy.xx ipsec-attributes
 pre-shared-key pippo


Firewall b


object network ff
 host 192.zzz.x.10

object-group network DM_INLINE_NETWORK_2
 network-object yyy.xx.7.0 255.255.255.0
 network-object yyy.xx.8.0 255.255.255.0
 network-object yyy.xx.9.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip object ff object-group DM_INLINE_NETWORK_2

nat (INSIDE,any) source static obj-192.zzz.x.0 obj-192.zzzz.x.0 destination static obj-yyy.xx.9.0 obj-yyy.xx.9.0 unidirectional
nat (INSIDE,any) source static obj-yyy.xx.9.0 obj-yyy.xx.9.0 destination static obj-192.zzz.x.0 obj-192.zzz.x.0 unidirectional

crypto ipsec transform-set pippo esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto map galileo 10 match address 110
crypto map galileo 10 set peer yy.zz.ss.xx
crypto map galileo 10 set transform-set pippo
crypto map galileo interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group yy.zz.ss.xx type ipsec-l2l
tunnel-group yy.zz.ss.xx ipsec-attributes
 pre-shared-key pippo


The outside interface on firewall b has a private address, and this private address has to be NATed to a public IP address.


Best regards

Carmine

manish arora Mon, 01/31/2011 - 11:11

The outside address of firewall B, which you said is being NATed: is the NAT happening on another device between the two firewalls?


Manish

m.kafka Mon, 01/31/2011 - 13:58

The recommended configuration for an IPsec endpoint behind a NAT (static one-to-one NAT) is to use isakmp identity hostname,

so that the ISAKMP identity can match the layer 3 information.


Funny that it worked in the first place...


On b (which is translated) I would configure:

isakmp identity hostname


On a I would:

change the tunnel-group to the hostname (instead of the IP address)

add a name entry which resolves the hostname to the public (translated) IP of b


Then I would run deb crypto isakmp on a and initiate a tunnel negotiation from b,

and vice versa: deb cry isak on b and initiate from a.


Watch carefully; the debug output differs between 8.2 and 8.3.


Look for something like "landing on group" or "matching tunnel group".


PS: your config says on b:

crypto map galileo 10 match address 110

but:

access-list outside_1_cryptomap extended permit ip object ff object-group DM_INLINE_NETWORK_2
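The dangling "match address 110" pointed out above is the kind of defect an ASA accepts without complaint: the crypto map entry simply never matches traffic on that side, and the only symptom is a tunnel that does not come up. The script below is an added example, not code from this thread or from Cisco. It parses the two posted snippets (reduced to the lines the checks need, keeping the thread's placeholder addresses), reports crypto map entries whose ACL, transform-set or peer tunnel-group does not exist, and cross-checks the two peers' ISAKMP policies and transform-sets for a proposal mismatch (the second cause named earlier in the thread). The function names and the output format are my own; it is a text-level check and does not replace the debug crypto isakmp run suggested above, since MM_WAIT_MSG5 only tells you that this side, as responder, sent main-mode message 4 and never received message 5.

```python
import re
from collections import defaultdict

# Constructed sample input: the two snippets posted in this thread, reduced to
# the lines the checks below read; placeholder addresses kept as posted.
FIREWALL_A = """\
access-list 110 extended permit ip object-group DM_INLINE_NETWORK_1 host 192.zzz.x.10
crypto ipsec transform-set pippo esp-3des esp-md5-hmac
crypto map galileo 10 match address 110
crypto map galileo 10 set peer ss.zz.yy.xx
crypto map galileo 10 set transform-set pippo
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group ss.zz.yy.xx type ipsec-l2l
"""

FIREWALL_B = """\
access-list outside_1_cryptomap extended permit ip object ff object-group DM_INLINE_NETWORK_2
crypto ipsec transform-set pippo esp-3des esp-md5-hmac
crypto map galileo 10 match address 110
crypto map galileo 10 set peer yy.zz.ss.xx
crypto map galileo 10 set transform-set pippo
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group yy.zz.ss.xx type ipsec-l2l
"""

ISAKMP_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")
CRYPTO_MAP_RE = re.compile(
    r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)")


def parse_asa(text):
    """Collect what an IKEv1 L2L tunnel depends on: crypto ACL names,
    transform-sets, crypto map entries, isakmp policies, l2l tunnel-groups."""
    cfg = {"acls": set(), "transform_sets": {}, "tunnel_groups": set(),
           "crypto_maps": defaultdict(dict), "isakmp_policies": defaultdict(dict)}
    policy = None  # 'crypto isakmp policy N' sub-mode we are inside, if any
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            policy = int(m.group(1))
            continue
        if policy is not None and line.split()[0] in ISAKMP_ATTRS:
            key, val = line.split(None, 1)
            cfg["isakmp_policies"][policy][key] = val
            continue
        policy = None  # any other command leaves the policy sub-mode
        if m := re.match(r"access-list (\S+) ", line):
            cfg["acls"].add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["transform_sets"][m.group(1)] = m.group(2)
        elif m := CRYPTO_MAP_RE.match(line):
            cfg["crypto_maps"][(m.group(1), int(m.group(2)))][m.group(3)] = m.group(4)
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            cfg["tunnel_groups"].add(m.group(1))
    return cfg


def check_peer(cfg, label):
    """Dangling references in one peer's config (accepted silently by the ASA)."""
    findings = []
    for (name, seq), entry in sorted(cfg["crypto_maps"].items()):
        where = f"{label}: crypto map {name} {seq}"
        acl = entry.get("match address")
        if acl not in cfg["acls"]:
            findings.append(f"{where} matches ACL '{acl}', which is not defined "
                            f"(ACLs present: {sorted(cfg['acls'])})")
        if entry.get("set transform-set") not in cfg["transform_sets"]:
            findings.append(f"{where} uses an undefined transform-set")
        if entry.get("set peer") not in cfg["tunnel_groups"]:
            findings.append(f"{where} peer has no ipsec-l2l tunnel-group")
    return findings


def compare_proposals(cfg_a, cfg_b):
    """(isakmp policy pairs agreeing on auth/encryption/hash/DH group,
    transform-set proposals on both sides); an empty list means a mismatch."""
    keys = ("authentication", "encryption", "hash", "group")
    ike = [(pa, pb) for pa, a in cfg_a["isakmp_policies"].items()
           for pb, b in cfg_b["isakmp_policies"].items()
           if all(a.get(k) == b.get(k) for k in keys)]
    common = set(cfg_a["transform_sets"].values()) & set(cfg_b["transform_sets"].values())
    return ike, sorted(common)


if __name__ == "__main__":
    a, b = parse_asa(FIREWALL_A), parse_asa(FIREWALL_B)
    for finding in check_peer(a, "firewall a") + check_peer(b, "firewall b"):
        print(finding)
    print("matching isakmp policies / common transform-sets:", compare_proposals(a, b))
```

Run against the posted snippets, firewall a produces no findings, firewall b produces the single finding about ACL '110' (the only crypto ACL defined there is outside_1_cryptomap), and the proposal comparison shows policy 10 on both sides agreeing and the transform-set esp-3des esp-md5-hmac present on both. Feeding it the full running configs (show running-config) works the same way, since lines the parser does not recognise are ignored.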
