05-21-2014 03:38 AM - edited 02-21-2020 07:39 PM
Hello,
I'm trying to configure a site-to-site VPN between an ASA5510 and an RV110W router. My architecture is as follows:
On the central office side, the ASA is already connected to other sites through IPsec tunnels:
Local network 192.168.1.0/24
The network between the ASA and the ADSL router is 192.168.254.0/24
On the remote site:
The RV110W router is connected to another router, since the RV110W is not a modem:
The local network 192.168.9.0/24
The network between the RVW110 and the provider router is 192.168.100.0/24
All traffic is permitted between the routers themselves and with the ASA5510.
After negotiation, I got the status on the ASA:
Responder
MM_Active
But on the RV110W the connection is not established, and I can't ping either side.
Can you please help with this?
thanks in advance
05-21-2014 06:22 AM
Here is the debug output on the ASA side. After this negotiation the ASA keeps the responder status and there is no connection on the router side.
ASA-5510# May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 116
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing SA payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, Received DPD VID
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing IKE SA payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA Proposal # 1, Transform # 0 acceptable Matches global IKE entry # 5
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ISAKMP SA payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Fragmentation VID + extended capabilities payload
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing ke payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing ISA_KE payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing nonce payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ke payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing nonce payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Cisco Unity VID payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing xauth V6 VID payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, Send IOS VID
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing VID payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Generating keys for Responder...
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing ID payload
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing hash payload
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing dpd vid payload
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 80
May 21 03:45:21 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Starting P1 rekey timer: 21600 seconds.
May 21 03:45:21 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Received encrypted Oakley Informational packet with invalid payloads, MessID = 1268841455
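An added example, not part of the thread or of any Cisco tooling: a small Python triage script that reads a pasted ASA IKEv1 `debug crypto isakmp` capture like the one above and reports how far the negotiation got (Phase 1 done? any Quick Mode seen? did the peer send the "invalid payloads" informational?). The Quick Mode markers in `QM_MARKERS` are assumed typical ASA wording for a Phase 2 attempt; none of them appear in the posted output, which is exactly the point the script surfaces. The embedded sample is a subset of the lines from the capture above.

```python
"""Triage an ASA IKEv1 debug capture: how far did the tunnel negotiation get?

Added example (not from the thread). Reads the debug text line by line and
classifies the outcome so the reader knows which side/phase to look at next.
"""
import re
from dataclasses import dataclass
from typing import Optional

PEER_RE = re.compile(r"\bIP = (\d{1,3}(?:\.\d{1,3}){3})")
GROUP_RE = re.compile(r"Connection landed on tunnel_group (\S+)")
IKE_ENTRY_RE = re.compile(r"Matches global IKE entry # (\d+)")
P1_DONE = "PHASE 1 COMPLETED"
INVALID_INFO = "Oakley Informational packet with invalid payloads"
# Assumed Phase 2 (Quick Mode) markers; none occur in the posted capture.
QM_MARKERS = ("processing IPSec SA payload", "IPSec SA Proposal #",
              "QM FSM", "Received non-routine Notify")

ADVICE = {
    "P1_FAILED": "Phase 1 never completed: compare IKE policy, pre-shared key "
                 "and peer identity on both ends.",
    "P2_ATTEMPTED": "Phase 2 was attempted: compare the crypto ACL (local/remote "
                    "networks) and the transform set on both ends.",
    "P1_UP_NO_P2_INVALID_INFO": "Phase 1 is up but the initiator never started "
                                "Quick Mode and sent an informational the ASA could "
                                "not parse; check the peer's Phase 2 policy. "
                                "'show crypto ipsec sa' stays empty until it does.",
    "P1_UP_WAITING": "Phase 1 is up; the responder is waiting for the initiator's "
                     "Quick Mode. Send interesting traffic from the initiator side.",
}


@dataclass
class IkeTriage:
    peer: Optional[str] = None
    tunnel_group: Optional[str] = None
    ike_entry: Optional[int] = None      # index the ASA reports for the matched IKE policy
    responder: bool = False
    phase1_completed: bool = False
    quick_mode_seen: bool = False
    invalid_informationals: int = 0

    @property
    def stage(self) -> str:
        if not self.phase1_completed:
            return "P1_FAILED"
        if self.quick_mode_seen:
            return "P2_ATTEMPTED"
        if self.invalid_informationals:
            return "P1_UP_NO_P2_INVALID_INFO"
        return "P1_UP_WAITING"

    @property
    def advice(self) -> str:
        return ADVICE[self.stage]


def triage(debug_text: str) -> IkeTriage:
    """Scan every debug line once and accumulate the facts needed for a verdict."""
    t = IkeTriage()
    for line in debug_text.splitlines():
        m = PEER_RE.search(line)
        if m and t.peer is None:
            t.peer = m.group(1)
        m = GROUP_RE.search(line)
        if m:
            t.tunnel_group = m.group(1)
        m = IKE_ENTRY_RE.search(line)
        if m:
            t.ike_entry = int(m.group(1))
        if "Generating keys for Responder" in line:
            t.responder = True
        if P1_DONE in line:
            t.phase1_completed = True
        if any(marker in line for marker in QM_MARKERS):
            t.quick_mode_seen = True
        if INVALID_INFO in line:
            t.invalid_informationals += 1
    return t


# Subset of the capture posted above (constructed sample input for this example).
SAMPLE_DEBUG = """\
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA Proposal # 1, Transform # 0 acceptable Matches global IKE entry # 5
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Generating keys for Responder...
May 21 03:45:21 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD
May 21 03:45:21 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Received encrypted Oakley Informational packet with invalid payloads, MessID = 1268841455
"""

if __name__ == "__main__":
    result = triage(SAMPLE_DEBUG)
    print(f"peer={result.peer} group={result.tunnel_group} stage={result.stage}")
    print(result.advice)
```

On the capture above the verdict is `P1_UP_NO_P2_INVALID_INFO`: the ASA finished Main Mode as responder and then received nothing it recognises as a Quick Mode proposal, which is why `show crypto ipsec sa` on the ASA shows nothing for this peer while `show crypto isakmp sa` shows `MM_ACTIVE`.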
05-21-2014 07:11 AM
Hi ,
Your ASA says the Phase 1 tunnel is up; check the same on your remote router for the Phase 1 tunnel.
Check your crypto ACL at both ends.
show crypto ipsec sa (Phase 2 status)
HTH
Sandy
05-21-2014 07:34 AM
hi Sandy,
First I want to thank you for your answer.
on the ASA :
show crypto isakmp
3 IKE Peer: 81.192.197.30
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
sh crypto ipsec sa
shows no information about this tunnel; it shows only the status of the other tunnels.
On the RV110W router :
since it only has web-based access, I can only enable the logs and check the connection status page, and they don't show any helpful information.
Thanks in advance
05-21-2014 07:45 AM
Hi ,
Check the Phase 2 crypto access-list and transform set.
HTH
Sandy
05-21-2014 08:15 AM
I checked the access list and it seems OK; please have a look:
I attached screenshots of the configuration on both sides.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map mymap 1 set transform-set ESP-3DES-MD5
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
crypto map mymap 1 match address outside_1_cryptomap
crypto map mymap 1 set peer 1.1.1.1
crypto map mymap 1 set transform-set ESP-3DES-MD5
crypto map mymap 1 set nat-t-disable
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 3600 retry 2
On the other side all traffic is permitted.
Regards
05-21-2014 09:38 PM
Hi ,
Your statement says that on the other side all traffic is permitted: it should not be all traffic, it must be only the remote subnet traffic.
Expand your VPN config: you need to specify only the remote peer's IP subnet 192.168.1.0 255.255.255.0, not all traffic. The crypto map access-lists must match on both sides.
Remote Security Group Type: Subnet
IP Address: 192.168.1.0
Subnet Mask: 255.255.255.0
HTH
Sandy
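An added example, not part of the thread and not Cisco's own tooling, that checks the mirroring rule Sandy describes before you bring the tunnel up again. The ASA side is parsed from the `access-list ... extended permit ip` lines posted earlier; the RV110W has no CLI, so its side is modelled as the values typed into its web form (local subnet plus the Remote Security Group type, IP address and mask). Modelling the poster's "all traffic is permitted" setting as a remote group type of `any` is an assumption about that form.

```python
"""Check that an ASA crypto-map ACL mirrors an RV110W site-to-site policy.

Added example (not from the thread). The rule being enforced: the RV110W's
local subnet must equal the ASA ACL destination, and the RV110W's remote
subnet must equal the ASA ACL source. 'any' on either side never mirrors a
specific subnet on the other.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

Net = Optional[ipaddress.IPv4Network]   # None stands for "any"

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)\s*$"
)


def _to_net(token: str) -> Net:
    """Turn an ACE address token ('any', 'host A.B.C.D', or 'A.B.C.D MASK') into a network."""
    token = token.strip()
    if token == "any":
        return None
    if token.startswith("host "):
        return ipaddress.ip_network(token.split()[1] + "/32")
    ip, mask = token.split()
    return ipaddress.ip_network(f"{ip}/{mask}")   # mask may be dotted, e.g. 255.255.255.0


def parse_asa_crypto_acl(config: str, acl_name: str) -> List[Tuple[Net, Net]]:
    """Return (source, destination) pairs for every permit ACE of the named ACL."""
    entries = []
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group("name") == acl_name:
            entries.append((_to_net(m.group("src")), _to_net(m.group("dst"))))
    return entries


def rv110w_policy(local_ip: str, local_mask: str, remote_type: str,
                  remote_ip: str = "", remote_mask: str = "") -> Tuple[Net, Net]:
    """Model the RV110W web form as (local network, remote network)."""
    local = ipaddress.ip_network(f"{local_ip}/{local_mask}")
    kind = remote_type.lower()
    if kind == "any":              # assumed form value for "all traffic permitted"
        return local, None
    if kind == "subnet":
        return local, ipaddress.ip_network(f"{remote_ip}/{remote_mask}")
    raise ValueError(f"unsupported remote security group type: {remote_type}")


def check_mirror(asa_entries: List[Tuple[Net, Net]], rv_policy: Tuple[Net, Net]) -> List[str]:
    """Return a list of problems; an empty list means the two sides mirror exactly."""
    rv_local, rv_remote = rv_policy
    problems = []
    if rv_remote is None:
        problems.append("RV110W remote security group is 'any'; it must be the ASA's local subnet")
    if not asa_entries:
        problems.append("ASA crypto ACL has no permit entries")
    for src, dst in asa_entries:
        if src is None or dst is None:
            problems.append(f"ASA ACE {src} -> {dst} uses 'any'; use specific subnets")
            continue
        # The mirror image of the ASA ACE is what the RV110W must be configured with.
        if (dst, src) != (rv_local, rv_remote):
            problems.append(
                f"ASA ACE {src} -> {dst} expects RV110W local={dst} remote={src}, "
                f"but RV110W has local={rv_local} remote={rv_remote}"
            )
    return problems


# ASA lines as posted in the thread (constructed sample input for this example).
ASA_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
crypto map mymap 1 match address outside_1_cryptomap
crypto map mymap 1 set peer 1.1.1.1
"""

if __name__ == "__main__":
    aces = parse_asa_crypto_acl(ASA_CONFIG, "outside_1_cryptomap")
    before = rv110w_policy("192.168.9.0", "255.255.255.0", "any")
    after = rv110w_policy("192.168.9.0", "255.255.255.0", "subnet", "192.168.1.0", "255.255.255.0")
    print("before:", check_mirror(aces, before) or "OK")
    print("after: ", check_mirror(aces, after) or "OK")
```

Run it with the poster's two states: with the remote group set to `any` the check reports a mismatch, and with Remote Security Group Type Subnet / 192.168.1.0 / 255.255.255.0 it reports nothing. It also catches the easy slip of entering the 192.168.100.0/24 transit network instead of the 192.168.9.0/24 LAN as the RV110W local subnet.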