vpn site to site problem

Unanswered Question
Jan 31st, 2011

Since last week the VPN that had been working for months suddenly no longer works.

Nobody has changed the rules or the pre-shared key.

On both sites we have done:

1) reload firewalls

2) we have re-entered the pre-shared key

3) we have run clear crypto isakmp sa several times

4) we have removed the VPN configuration and re-applied it.

the error is:

sh crypto isakmp sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: x.x.x.x /// ip hidden
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG5
2   IKE Peer: x.x.x.x
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG5
ASA# sh crypto isakmp

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: x.x.x.x
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG5

The firewalls run different system images.

One is an ASA 5520 running 8.3 and the other is an ASA 5510 running 8.2.

Can anyone help me?

Best Regards

Carmine

manisharora111 Mon, 01/31/2011 - 09:52

The error that you are seeing is generally due to the following reasons:

1> Incorrect peer configuration.

2> isakmp proposal mismatch.

Please post the relevant VPN configuration from both peers for further troubleshooting.

Manish

Carmine De Rienzo Mon, 01/31/2011 - 10:46

firewall a

object-group network DM_INLINE_NETWORK_1
network-object yyy.xx.7.0 255.255.255.0
network-object yyy.xx.8.0 255.255.255.0
network-object yyy.xx.9.0 255.255.255.0

access-list 110 extended permit ip object-group DM_INLINE_NETWORK_1 host 192.zzz.x.10

crypto ipsec transform-set pippo esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto map galileo 10 match address 110
crypto map galileo 10 set peer ss.zz.yy.xx
crypto map galileo 10 set transform-set pippo
crypto map galileo interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group ss.zz.yy.xx type ipsec-l2l
tunnel-group ss.zz.yy.xx ipsec-attributes
pre-shared-key pippo

Firewall b

object network ff
  host 192.zzz.x.10

object-group network DM_INLINE_NETWORK_2
  network-object yyy.xx.7.0 255.255.255.0
  network-object yyy.xx.8.0 255.255.255.0
  network-object yyy.xx.9.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip object ff object-group DM_INLINE_NETWORK_2

nat (INSIDE,any) source static obj-192.zzz.x.0 obj-192.zzzz.x.0 destination static obj-yyy.xx.9.0 obj-yyy.xx.9.0 unidirectional

nat (INSIDE,any) source static obj-yyy.xx.9.0 obj-yyy.xx.9.0 destination static obj-192.zzz.x.0 obj-192.zzz.x.0 unidirectional

crypto ipsec transform-set pippo esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto map galileo 10 match address 110
crypto map galileo 10 set peer yy.zz.ss.xx
crypto map galileo 10 set transform-set pippo
crypto map galileo interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400

tunnel-group yy.zz.ss.xx type ipsec-l2l
tunnel-group yy.zz.ss.xx ipsec-attributes
  pre-shared-key pippo

The outside interface on firewall b has a private address, so this private address has to be NATed to a public IP address.

Best regards

Carmine

manisharora111 Mon, 01/31/2011 - 11:11

The outside address of firewall B, which you said is being NATed: is the NAT happening on another device between the two firewalls?

Manish

m.kafka Mon, 01/31/2011 - 13:58

the recommended configuration of an IPsec endpoint behind a NAT (static one-to-one NAT) is to use isakmp identity hostname

so that the isakmp identity can match the information of the layer 3

funny it worked in the first place...

on b (which is translated) i would configure:

isakmp identity hostname

on a i would:

change the tunnel-group to the hostname (instead of ip address)

add a name which resolves hostname to the public (translated) ip of b

then i would run deb crypto isakmp on a and initiate a tunnel-negotiation from b

and vice versa a deb cry isak on b and initiate from a

watch carefully, the debug output differs on 8.2 and 8.3

look for something like "landing on group" or "matching tunnel group"

PS your config, it says on b:

crypto map galileo 10 match address 110

but:

access-list outside_1_cryptomap extended permit ip object ff object-group DM_INLINE_NETWORK_2
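As an added example (not code from the thread, from Cisco, or from any poster), a small Python script that parses the crypto-map, ACL, transform-set and isakmp policy lines of two ASA configs and reports the two causes Manish listed, including the `match address 110` versus `access-list outside_1_cryptomap` inconsistency pointed out above. The embedded configs are constructed from the thread's posts with RFC 5737 placeholder addresses, and a hash mismatch is added on B to show the proposal-mismatch check firing.

```python
# Added example (not from the thread): cross-check the IKEv1 L2L pieces of two ASA
# configs for the two causes named above: dangling references and proposal mismatch.
import re

def parse(cfg):
    """Collect the objects a crypto-map entry and the ISAKMP policy depend on."""
    d = {"acls": set(), "tsets": {}, "maps": {}, "policy": {}}
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := re.match(r"access-list (\S+) ", line):
            d["acls"].add(m[1])
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            d["tsets"][m[1]] = m[2]
        elif m := re.match(r"crypto map \S+ (\d+) (match address|set transform-set) (\S+)", line):
            d["maps"].setdefault(m[1], {})[m[2]] = m[3]
        elif m := re.match(r"(authentication|encryption|hash|group|lifetime) (\S+)$", line):
            d["policy"][m[1]] = m[2]  # attribute lines under 'crypto isakmp policy N'
    return d

def check_local(name, d):
    """A crypto map that points at an ACL or transform-set that is not defined."""
    out = []
    for seq, e in d["maps"].items():
        acl, ts = e.get("match address"), e.get("set transform-set")
        if acl and acl not in d["acls"]:
            out.append(f"{name}: crypto map seq {seq} matches ACL '{acl}', which does not exist")
        if ts and ts not in d["tsets"]:
            out.append(f"{name}: crypto map seq {seq} uses undefined transform-set '{ts}'")
    return out

def check_pair(a, b):
    """Phase 1 attributes that differ between the two peers (proposal mismatch)."""
    return [f"isakmp policy mismatch on {k}: {a['policy'].get(k)} vs {b['policy'].get(k)}"
            for k in sorted(set(a["policy"]) | set(b["policy"]))
            if a["policy"].get(k) != b["policy"].get(k)]

def audit(cfg_a, cfg_b):
    a, b = parse(cfg_a), parse(cfg_b)
    return check_local("A", a) + check_local("B", b) + check_pair(a, b)

# Constructed sample modelled on the thread: B names its ACL outside_1_cryptomap while
# its crypto map still says 'match address 110'; a hash mismatch is added on B as well.
FW_A = """\
access-list 110 extended permit ip 10.7.0.0 255.255.255.0 host 192.0.2.10
crypto ipsec transform-set pippo esp-3des esp-md5-hmac
crypto map galileo 10 match address 110
crypto map galileo 10 set transform-set pippo
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
"""
FW_B = FW_A.replace("access-list 110", "access-list outside_1_cryptomap").replace("hash sha", "hash md5")
```

Running `audit(FW_A, FW_B)` returns one dangling-ACL finding for B and one policy mismatch on the hash; an empty list means the static parts of the two peers agree.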


Posted January 31, 2011 at 9:44 AM