IPSEC between ASA and 877 using profiles for remote vpn policy

stever432
Level 1

I have this working when using "groupauth etc" on the 877, but the site-to-site tunnel will not come up when using the VPN policy on the 877 "crypto isakmp profile RemoteAccessVPN".

--------------------------------------------------
ASA
--------------------------------------------------

crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 1
lifetime 28800
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map ASA1MAP 40 match address JDV-VPN
crypto map ASA1MAP 40 set pfs
crypto map ASA1MAP 40 set peer 120.151.3.247
crypto map ASA1MAP 40 set transform-set ESP-3DES-SHA
crypto map ASA1MAP 40 set security-association lifetime seconds 28800
crypto map OUTSIDE_MAP interface outside

access-list JDV-VPN extended permit ip host 10.10.19.19 host 10.10.10.100
access-list JDV-VPN extended permit ip host 10.10.19.19  host 10.10.9.254
nat (inside) 0 access-list JDV-VPN


tunnel-group 120.151.3.247 type ipsec-l2l
tunnel-group 120.151.3.247 ipsec-attributes
pre-shared-key *

--------------------------------------------------
Router
--------------------------------------------------

crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key * address 203.23.17.71 no-xauth
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group jdv
key jdv2011
dns 10.10.10.100
pool ippool
acl 102
crypto isakmp profile RemoteAccessVPN
   match identity group jdv
   client authentication list userauthen
   isakmp authorization list groupauthor
   client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set remoteset esp-3des esp-sha-hmac
crypto ipsec transform-set jdvtrans esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set remoteset
!
!
crypto map jdvmap isakmp-profile RemoteAccessVPN
crypto map jdvmap 10 ipsec-isakmp dynamic dynmap
crypto map jdvmap 11 ipsec-isakmp
set peer 203.23.176.71
set transform-set jdvtrans
set pfs group2
match address 104
!
!

!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
bridge-group 1
!
interface Dialer0
description $FW_OUTSIDE$
ip address 120.151.3.247 255.255.255.0
crypto map jdvmap
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip local pool ippool 192.168.253.50 192.168.253.60
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip nat inside source static tcp 10.10.10.1 22 interface Dialer0 22
ip nat inside source list 101 interface Dialer0 overload
!
logging trap debugging
access-list 101 deny   ip 10.10.10.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 101 deny   ip host 10.10.10.100 host 10.10.19.19
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 permit ip 10.10.10.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 104 permit ip host 10.10.10.100 host 10.10.19.19
dialer-list 1 protocol ip permit

Any comments would be appreciated.

Thank you.

Steve

10 Replies

andamani
Cisco Employee

Hi,

I notice the following on the configuration.

You have crypto map OUTSIDE_MAP applied on the outside interface while the peer is defined on the crypto map ASA1MAP. Crypto map ASA1MAP is not applied anywhere.

What does the crypto map OUTSIDE_MAP contain? I.e., are there any other tunnels terminating on the crypto map OUTSIDE_MAP?

If yes, then make the peer router a part of the crypto map OUTSIDE_MAP.

e.g. crypto map OUTSIDE_MAP 40 match address JDV-VPN
crypto map OUTSIDE_MAP 40 set pfs
crypto map OUTSIDE_MAP 40 set peer 120.151.3.247
crypto map OUTSIDE_MAP 40 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 40 set security-association lifetime seconds 28800

If not, then apply the crypto map ASA1MAP on outside interface.

i.e. no crypto map OUTSIDE_MAP interface outside

crypto map ASA1MAP interface outside

On the router i notice you have the following configuration:

crypto map jdvmap 10 ipsec-isakmp dynamic dynmap
crypto map jdvmap 11 ipsec-isakmp

I would request you to put the dynamic map at a higher sequence number in the crypto map. If it is at a lower sequence, the L2L tunnel will try to negotiate with the dynamic map and create issues.

i.e. no crypto map jdvmap 10 ipsec-isakmp dynamic dynmap

crypto map jdvmap 12 ipsec-isakmp dynamic dynmap

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Oops, that was a typo on the ASA config for the interface map. Lowering the L2L sequence appears to have made a difference.

The situation has changed and both sites now have the same local and remote subnets. NAT will need to be implemented on the 877.

Local and remote sides are both 10.10.10.0/24, and NAT needs to be implemented on the 877 to translate to 172.20.10.100.

Configs are now:

---------------------------------------------------

ASA

---------------------------------------------------

crypto map ASA1MAP 40 match address JDV-VPN
crypto map ASA1MAP 40 set pfs
crypto map ASA1MAP 40 set peer 120.151.31.247
crypto map ASA1MAP 40 set transform-set ESP-3DES-SHA
crypto map ASA1MAP 40 set security-association lifetime seconds 28800

crypto map ASA1MAP interface outside

access-list JDV-VPN extended permit ip host 10.10.18.50 host 172.20.10.100

tunnel...

---------------------------------------------------

877 Router

---------------------------------------------------

crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key ### address 203.23.17.71 no-xauth
crypto isakmp nat keepalive 20
!

crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set jdvtrans esp-3des esp-sha-hmac
!
crypto map jdvmap 9 ipsec-isakmp
set peer 203.23.17.71
set transform-set jdvtrans
set pfs group2
match address 104


access-list 104 permit ip host 10.10.10.100 host 172.20.10.100

ip nat inside source list 101 interface Dialer0 overload
!
logging trap debugging
access-list 101 deny   ip 10.10.10.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 101 deny   ip host 10.10.10.100 host 10.10.10.100
access-list 101 permit ip 10.10.10.0 0.0.0.255 any

Thanks

I am confused.

What are the networks which need to talk? Also, are any of them getting NATted?

Regards,

Anisha

P.S.:please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

On the asa side:

access-list JDV-VPN extended permit ip host 10.10.18.50 host 172.20.10.100

should be

access-list JDV-VPN extended permit ip host 10.10.10.50 host 172.20.10.100

Topology is:

asa has local network 10.10.10.0 on inside

877 has local network 10.10.10.0 on inside

I want to NAT the host 10.10.10.100 on the 877 side to 172.20.10.100, so the ASA will see 172.20.10.100 (as defined in the crypto ACL).

Not sure of the NAT statement to implement on the 877 router.

Please advise if further information is required.

Thanks,

I tried to use a route-map to achieve NAT of the internal IP on the 877 with:


ip nat pool PRIVATEPOOL 172.20.10.100 172.20.10.100 netmask 255.255.255.0
ip nat inside source route-map NATADDR pool PRIVATEPOOL overload

ip nat inside source list 101 interface Dialer0 overload
!


access-list 101 deny   ip host 10.10.10.100 host 10.10.18.50
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 104 permit ip host 172.20.10.100 host 10.10.18.50
access-list 120 permit ip host 10.10.10.100 host 10.10.18.50
!
route-map NATADDR permit 1
match ip address 120

But it bombs out on the router:

002859: May 13 15:14:38.743 PCTime: ISAKMP:(2027):Checking IPSec proposal 1
002860: May 13 15:14:38.743 PCTime: ISAKMP: transform 1, ESP_3DES
002861: May 13 15:14:38.743 PCTime: ISAKMP:   attributes in transform:
002862: May 13 15:14:38.743 PCTime: ISAKMP:      SA life type in seconds
002863: May 13 15:14:38.743 PCTime: ISAKMP:      SA life duration (basic) of 28800
002864: May 13 15:14:38.743 PCTime: ISAKMP:      SA life type in kilobytes
002865: May 13 15:14:38.743 PCTime: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
002866: May 13 15:14:38.743 PCTime: ISAKMP:      encaps is 1 (Tunnel)
002867: May 13 15:14:38.743 PCTime: ISAKMP:      authenticator is HMAC-SHA
002868: May 13 15:14:38.743 PCTime: ISAKMP:      group is 2
002869: May 13 15:14:38.743 PCTime: ISAKMP:(2027):atts are acceptable.
002870: May 13 15:14:38.743 PCTime: IPSEC(validate_proposal_request): proposal part #1
002871: May 13 15:14:38.747 PCTime: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 120.151.31.247, remote= 203.23.176.71,
    local_proxy= 172.20.10.100/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.10.18.50/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
002872: May 13 15:14:38.747 PCTime: Crypto mapdb : proxy_match
        src addr     : 172.20.10.100
        dst addr     : 10.10.18.50
        protocol     : 0
        src port     : 0
        dst port     : 0
002873: May 13 15:14:38.747 PCTime: map_db_check_isakmp_profile profile did not match
002874: May 13 15:14:38.747 PCTime: map_db_check_isakmp_profile profile did not match
002875: May 13 15:14:38.747 PCTime: map_db_check_isakmp_profile profile did not match
002876: May 13 15:14:38.747 PCTime: map_db_find_best did not find matching map
002877: May 13 15:14:38.747 PCTime: IPSEC(ipsec_process_proposal): proxy identities not supported
002878: May 13 15:14:38.747 PCTime: ISAKMP:(2027): IPSec policy invalidated proposal with error 32
002879: May 13 15:14:38.747 PCTime: ISAKMP:(2027): phase 2 SA policy not acceptable! (local 120.151.3.247 remote 203.23.17.71)
002880: May 13 15:14:38.747 PCTime: ISAKMP: set new node -659687587 to QM_IDLE     
002881: May 13 15:14:38.747 PCTime: ISAKMP:(2027):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 2204537592, message ID = -659687587
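The route-map attempt above depends on the 877 translating 10.10.10.100 before the crypto map is consulted, on ACL 104 being written in the translated address, and on ACL 101 not also claiming the VPN flow for PAT. The following is an added example (not from the thread, and not Cisco code) that models those three conditions in Python. It assumes, as a simplification of the IOS order of operations, that inside source NAT runs before the outbound crypto check, that the ASA's crypto ACL must be the exact mirror of the router's, and that a flow matching more than one `ip nat inside source` rule is a configuration bug regardless of which rule IOS would pick. The rule names and sample flows are constructed; the addresses are the ones posted.

```python
"""Model of the 877's inside-to-outside path for route-map NAT plus a crypto map.
Added example, not the poster's or Cisco's code. Assumptions: NAT is applied before
the crypto ACL is evaluated; the ASA ACL must mirror the router ACL; a flow that
matches more than one NAT rule is flagged rather than resolved."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

DIALER0 = "120.151.31.247"  # the 877's outside address, as posted


@dataclass(frozen=True)
class Ace:
    src: str
    dst: str

    def matches(self, src: str, dst: str) -> bool:
        return ip_address(src) in ip_network(self.src) and ip_address(dst) in ip_network(self.dst)


def acl_permits(acl: List[Tuple[str, Ace]], src: str, dst: str) -> bool:
    """First-match ACL semantics with the implicit deny at the end."""
    for action, ace in acl:
        if ace.matches(src, dst):
            return action == "permit"
    return False


@dataclass
class NatRule:
    name: str
    acl: List[Tuple[str, Ace]]
    translate_to: str  # what the inside source becomes


def nat_candidates(rules: List[NatRule], src: str, dst: str) -> List[NatRule]:
    return [r for r in rules if acl_permits(r.acl, src, dst)]


def outbound(rules: List[NatRule], crypto_acl: List[Tuple[str, Ace]], src: str, dst: str):
    """Return (post-NAT source, 'encrypt' | 'clear' | 'ambiguous-nat')."""
    hits = nat_candidates(rules, src, dst)
    if len(hits) > 1:
        return src, "ambiguous-nat"
    post_src = hits[0].translate_to if hits else src
    return post_src, ("encrypt" if acl_permits(crypto_acl, post_src, dst) else "clear")


def is_mirror(router_acl, asa_acl) -> bool:
    """The ASA crypto ACL must list the same pairs with src/dst swapped."""
    return {(a.src, a.dst) for _, a in router_acl} == {(a.dst, a.src) for _, a in asa_acl}


# NAT rules as posted: route-map NATADDR (ACL 120) and the PAT list 101 with its deny
ACL120 = [("permit", Ace("10.10.10.100/32", "10.10.18.50/32"))]
ACL101 = [("deny", Ace("10.10.10.100/32", "10.10.18.50/32")),
          ("permit", Ace("10.10.10.0/24", "0.0.0.0/0"))]
RULES = [NatRule("route-map NATADDR pool PRIVATEPOOL", ACL120, "172.20.10.100"),
         NatRule("list 101 interface Dialer0 overload", ACL101, DIALER0)]

ACL104_POSTED = [("permit", Ace("172.20.10.100/32", "10.10.18.50/32"))]   # translated source
ACL104_PRE_NAT = [("permit", Ace("10.10.10.100/32", "10.10.18.50/32"))]   # earlier, untranslated form
JDV_VPN = [("permit", Ace("10.10.18.50/32", "172.20.10.100/32"))]          # ASA side


def check_posted():
    """ACL 104 in post-NAT terms: the flow is translated and then encrypted."""
    return outbound(RULES, ACL104_POSTED, "10.10.10.100", "10.10.18.50")


def check_pre_nat_acl():
    """ACL 104 in pre-NAT terms never sees the translated source, so it goes in the clear."""
    return outbound(RULES, ACL104_PRE_NAT, "10.10.10.100", "10.10.18.50")


def check_without_deny():
    """Without the deny in list 101, both NAT rules claim the VPN flow."""
    rules = [RULES[0], NatRule("list 101 without the deny", ACL101[1:], DIALER0)]
    return outbound(rules, ACL104_POSTED, "10.10.10.100", "10.10.18.50")


def check_ordinary_internet():
    """Any other inside host is PATed to Dialer0 and stays in the clear (constructed flow)."""
    return outbound(RULES, ACL104_POSTED, "10.10.10.50", "192.0.2.10")


if __name__ == "__main__":
    print(check_posted(), check_pre_nat_acl(), check_without_deny(), check_ordinary_internet())
    print("ASA ACL mirrors router ACL 104:", is_mirror(ACL104_POSTED, JDV_VPN))
```

The point of the `ambiguous-nat` result is that the deny line in list 101 is not optional: the PAT rule would otherwise also match the VPN flow, and the outcome would then depend on NAT rule precedence rather than on the crypto ACL.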

Hi,

Any suggestions on this one?

Thanks,

Steve

Any response on this one?  Or would I be better off opening a TAC case?

Hi,

I see that you have called the following Transform set on the ASA:

ESP-3DES-SHA

While the transform set configured is:

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

So the transform set ESP-3DES-SHA does not exist. Hence you are getting the following message in the debug:

(key eng. msg.) INBOUND local= 120.151.31.247, remote= 203.23.176.71,
    local_proxy= 172.20.10.100/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.10.18.50/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0

002878: May 13 15:14:38.747 PCTime: ISAKMP:(2027): IPSec policy invalidated proposal with error 32
002879: May 13 15:14:38.747 PCTime: ISAKMP:(2027): phase 2 SA policy not acceptable! (local 120.151.3.247 remote 203.23.17.71)

Please configure the following transform set on the ASA;

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

And try connecting. Let me know how it goes. Hope this helps.

Regards,

Anisha

P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.

nope...

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

is configured on the ASA, and that was updated in the third post...

NOTE I BELIEVE THIS PROBLEM STARTED TO OCCUR WHEN USING PROFILES FOR REMOTE AND L2L VPN

For reference, the config on both devices is as follows:

ASA:

access-list JDV-VPN extended permit ip host 10.10.18.50 host 172.20.10.100

access-list NO-NAT extended permit ip host 10.10.18.50 host 172.20.10.100

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map ASA1MAP 40 match address JDV-VPN
crypto map ASA1MAP 40 set pfs
crypto map ASA1MAP 40 set peer 120.1.1.1
crypto map ASA1MAP 40 set transform-set ESP-3DES-SHA
crypto map ASA1MAP 40 set security-association lifetime seconds 28800

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 15
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400

tunnel-group 120.1.1.1 type ipsec-l2l

tunnel-group 120.1.1.1 ipsec-attributes

...

Router:

crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key #r$456Jhg address 203.1.1.1 no-xauth
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group jdv
key 1234
dns 10.10.10.100
pool ippool
acl 102
crypto isakmp profile RemoteAccessVPN
   match identity group jdv
   client authentication list userauthen
   isakmp authorization list groupauthor
   client configuration address respond
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set remoteset esp-3des esp-sha-hmac
crypto ipsec transform-set jdvtrans esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set remoteset
!
!
crypto map jdvmap isakmp-profile RemoteAccessVPN
crypto map jdvmap 9 ipsec-isakmp
set peer 203.1.1.1
set transform-set jdvtrans
set pfs group2
match address 104
crypto map jdvmap 10 ipsec-isakmp dynamic dynmap

ip nat pool PRIVATEPOOL 172.20.10.100 172.20.10.100 netmask 255.255.255.0
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source route-map NATADDR pool PRIVATEPOOL overload

access-list 104 permit ip host 172.20.10.100 host 10.10.18.50
access-list 120 permit ip host 10.10.10.100 host 10.10.18.50
dialer-list 1 protocol ip permit
!
!
route-map NATADDR permit 1
match ip address 120

The following changes will make the tunnel work. Please let me know if it helps.

On the Router:

===========

no ip nat inside source route-map NATADDR pool PRIVATEPOOL overload

ip nat inside source route-map NATADDR pool PRIVATEPOOL

and

no crypto map jdvmap isakmp-profile RemoteAccessVPN

crypto dynamic-map dynmap 10
set isakmp-profile RemoteAccessVPN

--

Gino

Please rate the solutions.
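Two points in this thread come down to how the router picks a crypto map entry for an incoming Phase 2 proposal: Anisha's advice to keep the dynamic map at a higher sequence than the L2L entry, and Gino's fix of moving the ISAKMP profile off the crypto map and onto the dynamic map. The following is an added example (not from the thread, and not Cisco code) that models that lookup in Python and reproduces the "profile did not match" / "proxy identities not supported" outcome from the debug. It is a simplification, not IOS internals: entries are walked in sequence order; a static entry matches when the peer and proxy identities hit its crypto ACL; a dynamic entry accepts any peer and any proxy; an entry bound to an ISAKMP profile only accepts a Phase 1 SA that was negotiated under that profile, and a map-level `crypto map <name> isakmp-profile <P>` binds every entry. The addresses are the sanitised ones from the last post; the remote-access client SA is constructed.

```python
"""Toy model of the IOS crypto-map lookup the 'Crypto mapdb : proxy_match' debug
walks through. Added example, not Cisco code. Assumptions: sequence-ordered walk;
static entries need peer + crypto ACL match; dynamic entries accept any peer;
a profile-bound entry only accepts an SA negotiated under that profile."""

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Ace:
    src: str  # local proxy, in post-NAT terms
    dst: str  # remote proxy

    def matches(self, local_proxy: str, remote_proxy: str) -> bool:
        return (ip_address(local_proxy) in ip_network(self.src)
                and ip_address(remote_proxy) in ip_network(self.dst))


@dataclass
class MapEntry:
    seq: int
    dynamic: bool = False
    peer: Optional[str] = None                 # static entries only
    acl: List[Ace] = field(default_factory=list)
    isakmp_profile: Optional[str] = None       # 'set isakmp-profile' inside a dynamic map


@dataclass
class Phase1SA:
    peer: str
    profile: Optional[str]  # profile the SA matched; None = plain 'crypto isakmp key ... address'


def map_db_find_best(entries: List[MapEntry], sa: Phase1SA, local_proxy: str,
                     remote_proxy: str, map_profile: Optional[str] = None
                     ) -> Tuple[Optional[int], str]:
    """Return (seq, kind) of the entry a Phase 2 proposal lands on, or (None, reason)."""
    for e in sorted(entries, key=lambda x: x.seq):
        required = map_profile or e.isakmp_profile
        if required is not None and sa.profile != required:
            continue  # the 'map_db_check_isakmp_profile profile did not match' line
        if e.dynamic:
            return e.seq, "dynamic"
        if e.peer != sa.peer:
            continue
        if any(a.matches(local_proxy, remote_proxy) for a in e.acl):
            return e.seq, "static"
    return None, "proxy identities not supported"


ACL104 = [Ace("172.20.10.100/32", "10.10.18.50/32")]
L2L_PEER = "203.1.1.1"
L2L_SA = Phase1SA(peer=L2L_PEER, profile=None)                          # matched the global key
CLIENT_SA = Phase1SA(peer="198.51.100.7", profile="RemoteAccessVPN")   # constructed VPN client


def before_fix():
    """Profile bound at the crypto-map level, so the L2L peer (no profile) is refused."""
    entries = [MapEntry(9, peer=L2L_PEER, acl=ACL104), MapEntry(10, dynamic=True)]
    return map_db_find_best(entries, L2L_SA, "172.20.10.100", "10.10.18.50",
                            map_profile="RemoteAccessVPN")


def after_fix(sa: Phase1SA, local_proxy: str, remote_proxy: str):
    """Profile moved onto the dynamic map only; static seq 9 is profile-free."""
    entries = [MapEntry(9, peer=L2L_PEER, acl=ACL104),
               MapEntry(10, dynamic=True, isakmp_profile="RemoteAccessVPN")]
    return map_db_find_best(entries, sa, local_proxy, remote_proxy)


def dynamic_first():
    """An unbound dynamic entry at a lower sequence swallows the L2L proposal."""
    entries = [MapEntry(10, dynamic=True), MapEntry(11, peer=L2L_PEER, acl=ACL104)]
    return map_db_find_best(entries, L2L_SA, "172.20.10.100", "10.10.18.50")


if __name__ == "__main__":
    print("before fix, L2L peer:    ", before_fix())
    print("after fix, L2L peer:     ", after_fix(L2L_SA, "172.20.10.100", "10.10.18.50"))
    print("after fix, VPN client:   ", after_fix(CLIENT_SA, "10.10.10.100", "192.168.253.50"))
    print("dynamic below static, L2L:", dynamic_first())
```

The model shows why the two fixes are independent: the sequence-number fix keeps the L2L proposal from landing on the dynamic entry, while the profile fix keeps a map-wide profile requirement from rejecting a peer that authenticated with the plain pre-shared key.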