problem with vpn ipsec between ASA5510 and RVW110W router

Unanswered Question

Hello,

 

I'm trying to configure a site-to-site VPN between an ASA5510 and an RVW110 router; my architecture is as follows:

On the central office: the ASA is already connected to other sites through IPsec tunnels:

Local network 192.168.1.0/24

The network between the ASA and the ADSL router is 192.168.254.0/24

 

On the remote site:

The RVW110 router is connected to another router, since the RVW110 is not a modem:

The local network 192.168.9.0/24

The network between the RVW110 and the provider router is 192.168.100.0/24

All traffic is permitted between all routers themselves and with the ASA5510

 

After negotiation, I got this status on the ASA:

Responder
MM_Active

 

But on the RVW110 the connection is not established. I can't ping either side.

Can you please help with this?

Thanks in advance


Here is the debug on the ASA side; after this negotiation the ASA keeps the responder status and there is no connection on the router side.

 

ASA-5510# May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 116
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing SA payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, Received DPD VID
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing IKE SA payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA Proposal # 1, Transform # 0 acceptable  Matches global IKE entry # 5
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ISAKMP SA payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Fragmentation VID + extended capabilities payload
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing ke payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing ISA_KE payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing nonce payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ke payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing nonce payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Cisco Unity VID payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing xauth V6 VID payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, Send IOS VID
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing VID payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Generating keys for Responder...
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing ID payload
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing hash payload
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing dpd vid payload
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 80
May 21 03:45:21 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Starting P1 rekey timer: 21600 seconds.
May 21 03:45:21 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Received encrypted Oakley Informational packet with invalid payloads, MessID = 1268841455

Hi Sandy,

First I want to thank you for your answer.

On the ASA:

show crypto isakmp

3   IKE Peer: 81.192.197.30
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE


sh crypto ipsec sa

There is no information about the tunnel; it shows just the status of the other tunnels.

On the RV110W router:

Since it has only web-based access, I can just enable the logs and check the connection status page, and they don't show any helpful information.

 

Thanks in advance

 

SANTHOSHKUMAR S... Wed, 05/21/2014 - 07:45

Hi,

Check the Phase 2 crypto access-list and transform set.

HTH

Sandy

I checked the access list and it seems OK, please have a look:

I attached screenshots of the configuration on both sides.

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map mymap 1 set transform-set ESP-3DES-MD5

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0

crypto map mymap 1 match address outside_1_cryptomap
crypto map mymap 1 set peer 1.1.1.1
crypto map mymap 1 set transform-set ESP-3DES-MD5
crypto map mymap 1 set nat-t-disable

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 3600 retry 2

On the other side all traffic is permitted.

Regards

SANTHOSHKUMAR S... Wed, 05/21/2014 - 21:38

Hi,

Your statement says that on the other side all traffic is permitted: it should not be all, it must be only the remote subnet traffic.

Expand your VPN config; you need to specify only the remote peer IP subnet 192.168.1.0 255.255.255.0, not every traffic. The crypto map access-list must match on both sides.

Remote Security Group Type: Subnet
IP Address: 192.168.1.0
Subnet Mask: 255.255.255.0

 

HTH

Sandy
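As an added example (not from the thread, Cisco or the RV110W firmware), the check below compares the phase-2 proxy IDs the two peers would propose: the ASA side is parsed from the crypto access-list quoted above, the RV110W side is built from its local/remote subnet fields, and the two must be exact mirror images, which is what fails when the remote side selects "all traffic". Function names and the RV110W field values are constructed sample data.

```python
"""Mirror-check of IPsec phase-2 traffic selectors (constructed example)."""
import ipaddress
import re

# Constructed sample: the ASA crypto ACL quoted in the thread.
asa_crypto_acl = """
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
"""

# Only the 'permit ip <net> <mask> <net> <mask>' form is handled; the
# 'any' and 'host' keywords are deliberately out of scope for this example.
ACL_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)"
)


def parse_asa_acl(text):
    """Return [(local_net, remote_net)] for every ACE in an ASA crypto ACL."""
    pairs = []
    for m in ACL_RE.finditer(text):
        local = ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False)
        remote = ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False)
        pairs.append((local, remote))
    return pairs


def rv_selector(local_ip, local_mask, remote_ip, remote_mask):
    """Build the RV110W (local, remote) pair from its subnet fields."""
    return (ipaddress.ip_network(f"{local_ip}/{local_mask}", strict=False),
            ipaddress.ip_network(f"{remote_ip}/{remote_mask}", strict=False))


def proxy_ids_match(asa_pairs, rv_pair):
    """True only if some ASA ACE is the exact mirror of the RV110W selector.

    Quick Mode needs an exact match; a wider remote selector (e.g. 0.0.0.0/0)
    on one side does not 'cover' the other side, it simply fails to match.
    """
    rv_local, rv_remote = rv_pair
    return any(a_local == rv_remote and a_remote == rv_local
               for a_local, a_remote in asa_pairs)


def check_thread_cases():
    """Compare the 'all traffic' config from the thread with the corrected one."""
    asa = parse_asa_acl(asa_crypto_acl)
    all_traffic = rv_selector("192.168.9.0", "255.255.255.0", "0.0.0.0", "0.0.0.0")
    remote_only = rv_selector("192.168.9.0", "255.255.255.0", "192.168.1.0", "255.255.255.0")
    return {"all_traffic": proxy_ids_match(asa, all_traffic),
            "remote_subnet_only": proxy_ids_match(asa, remote_only)}
```

The "all_traffic" case corresponds to the configuration that left the ASA at MM_ACTIVE with no IPsec SA; the "remote_subnet_only" case corresponds to the Remote Security Group settings suggested above.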
