L2L VPN cisco asa

shijuuu
Level 1

Hi,

I am having an issue establishing an L2L VPN with a remote site. My side is a Cisco ASA 5520 and the other side is a Check Point UTM; the tunnel is not up.

Just wanted to confirm whether the configuration on my side is OK.

All the parameters used are correct on both sides. Any issue with the config below? The default route is pointing to my next GW address. Is an additional default route required for the VPN to reach the remote LAN, something like pointing to the remote peer address?

To give a brief idea: the front-end device is a router acting as GW, where the internet and the other WAN connections are terminated. The ASA is behind that GW router; the outside interface of the ASA and the LAN interface of the GW router have public IPs. The LAN switch is connected to the ASA.

access-list insideinterface_nat0_outbound extended permit ip 192.168.36.0 255.255.255.0 10.34.12.0 255.255.254.0
access-list outsideinterface_cryptomap_40 extended permit ip 192.168.36.0 255.255.255.0 10.34.12.0 255.255.254.0
nat (insideinterface) 0 access-list insideinterface_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outsideinterface_map_1 20 match address outsideinterface_cryptomap_20_1
crypto map outsideinterface_map_1 20 set peer 61.95.xxx.xxx
crypto map outsideinterface_map_1 20 set transform-set ESP-3DES-MD5
crypto map outsideinterface_map_1 40 match address outsideinterface_cryptomap_40
crypto map outsideinterface_map_1 40 set peer 61.95.xxx.xxx
crypto map outsideinterface_map_1 40 set transform-set ESP-3DES-MD5
crypto map outsideinterface_map_1 interface outsideinterface
isakmp identity address
isakmp enable outsideinterface
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 61.95.xxx.xxx type ipsec-l2l
tunnel-group 61.95.xxx.xxx ipsec-attributes
pre-shared-key *
tunnel-group-map default-group 61.95.xxx.xxx

thanks


9 Replies

andrew.prince
Level 10

Comments:-

1) You have 2 crypto maps. The only thing that differs between them is the transform-set, and the only difference between the transform-sets is the hash. You can configure more than 1 encryption and/or hash in a transform set; I suggest you do that and remove crypto map 40.

2) You have not posted your NAT config and, more importantly, the no-nat.

3) You have not shown the "interesting traffic" ACL, so we cannot confirm that it's correct against your no-nat.

HTH

Hi,

Thanks for the reply.

Both are mentioned above, as given below.

access-list insideinterface_nat0_outbound extended permit ip 192.168.36.0 255.255.255.0 10.34.12.0 255.255.254.0
access-list outsideinterface_cryptomap_40 extended permit ip 192.168.36.0 255.255.255.0 10.34.12.0 255.255.254.0
nat (insideinterface) 0 access-list insideinterface_nat0_outbound

That looks fine

Thanks. The tunnel is still down, not even phase one.

sh crypto isakmp sa

There are no isakmp sas

Is it because of any issue with the remote site? They are using a Check Point UTM; is the multivendor setup causing any issue?

Any thoughts?

What troubleshooting have you performed? What debugs have you captured?

Please see below the output of debug crypto isakmp:

Jan 10 04:00:51 [IKEv1]: Group = 61.95.143.140, IP = 61.95.143.140, QM FSM error (P2 struct &0x3805ac8, mess id 0xf0dcf0a4)!
Jan 10 04:00:51 [IKEv1]: Group = 61.95.143.140, IP = 61.95.143.140, Removing peer from correlator table failed, no match!
Jan 10 04:00:53 [IKEv1]: Group = 61.95.143.140, IP = 61.95.143.140, QM FSM error (P2 struct &0x3805ac8, mess id 0x7f48a5ec)!
Jan 10 04:00:53 [IKEv1]: Group = 61.95.143.140, IP = 61.95.143.140, Removing peer from correlator table failed, no match!
Jan 10 04:00:55 [IKEv1]: Group = 61.95.143.140, IP = 61.95.143.140, QM FSM error (P2 struct &0x4c942d0, mess id 0x869e9e2f)!
Jan 10 04:00:55 [IKEv1]: Group = 61.95.143.140, IP = 61.95.143.140, Removing peer from correlator table failed, no match!
Jan 10 04:00:57 [IKEv1]: Group = 61.95.143.140, IP = 61.95.143.140, QM FSM error (P2 struct &0x4921848, mess id 0x8cc099c6)!
Jan 10 04:00:57 [IKEv1]: Group = 61.95.143.140, IP = 61.95.143.140, Removing peer from correlator table failed, no match!
Jan 10 04:00:59 [IKEv1]: Group = 61.95.143.140, IP = 61.95.143.140, QM FSM error (P2 struct &0x4823700, mess id 0xae5b6bf3)!
Jan 10 04:00:59 [IKEv1]: Group = 61.95.143.140, IP = 61.95.143.140, Removing peer from correlator table failed, no match!

OK, make sure that:-

1) You remove crypto map 40.

2) "crypto map outsideinterface_map_1 20 set peer 61.95.xxx.xxx" actually is 61.95.143.140.

3) The following actually use "61.95.143.140":

tunnel-group 61.95.xxx.xxx type ipsec-l2l
tunnel-group 61.95.xxx.xxx ipsec-attributes
pre-shared-key *
tunnel-group-map default-group 61.95.xxx.xxx

And confirm your PSK is the same at both ends.
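The checklist above (one crypto map entry per peer, a real peer address, and a tunnel-group named after that peer carrying the PSK) can be audited mechanically before a config is posted or a case opened. This is an added Python example, not from the thread or from Cisco; it parses a constructed config shaped like the one posted (peer still masked, and the map-20 ACL that was never shown) and reports what a reviewer would flag.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the ASA config posted in the thread (peer masked as in the post).
SAMPLE_CONFIG = """\
access-list outsideinterface_cryptomap_40 extended permit ip 192.168.36.0 255.255.255.0 10.34.12.0 255.255.254.0
crypto map outsideinterface_map_1 20 match address outsideinterface_cryptomap_20_1
crypto map outsideinterface_map_1 20 set peer 61.95.xxx.xxx
crypto map outsideinterface_map_1 40 match address outsideinterface_cryptomap_40
crypto map outsideinterface_map_1 40 set peer 61.95.xxx.xxx
tunnel-group 61.95.xxx.xxx type ipsec-l2l
tunnel-group 61.95.xxx.xxx ipsec-attributes
 pre-shared-key *
"""

def parse(config):  # ACL names, crypto map entries, tunnel-group types, PSK presence
    acls, entries, tgroups, psk, cur = set(), defaultdict(dict), {}, set(), None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"access-list (\S+) ", line):
            acls.add(m[1])
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer) (\S+)", line):
            entries[(m[1], m[2])][m[3]] = m[4]
        elif m := re.match(r"tunnel-group (\S+)(?: type (\S+))?", line):
            cur = m[1]                     # following pre-shared-key lines belong to it
            tgroups[cur] = m[2] or tgroups.get(cur)
        elif line.startswith("pre-shared-key") and cur:
            psk.add(cur)
    return acls, entries, tgroups, psk

def audit_l2l(config):  # findings for the accepted answer's checklist, plus a missing-ACL check
    acls, entries, tgroups, psk = parse(config)
    findings, by_peer = [], defaultdict(list)
    for (name, seq), e in sorted(entries.items()):
        tag, acl, peer = f"crypto map {name} {seq}", e.get("match address"), e.get("set peer")
        if acl and acl not in acls:
            findings.append(f"{tag}: match ACL {acl} is not defined")
        if not peer:
            continue
        by_peer[peer].append(seq)
        if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", peer):   # point 2: a real peer IP
            findings.append(f"{tag}: peer {peer} is not a valid IP address")
        if tgroups.get(peer) != "ipsec-l2l":                   # point 3: tunnel-group = peer
            findings.append(f"{tag}: no tunnel-group {peer} of type ipsec-l2l")
        elif peer not in psk:                                  # PSK set under ipsec-attributes
            findings.append(f"{tag}: tunnel-group {peer} has no pre-shared-key")
    for peer, seqs in by_peer.items():                         # point 1: one entry per peer
        if len(seqs) > 1:
            findings.append(f"peer {peer}: entries {' and '.join(seqs)} are redundant")
    return findings
```

The script only reports; it cannot tell whether the PSK matches the Check Point side, which still has to be checked by hand. The 3DES/MD5 proposals in the posted config are also worth replacing with AES/SHA where the remote end supports them.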

Thanks, all is well now...

good
