Cisco Support Community

Troubleshooting IPSec VPN Implementations.

 

Introduction

This document collects several scenarios in which users troubleshoot problems encountered while implementing IPsec VPNs on Cisco IOS routers and ASA firewalls, together with the configuration and debug output that led to the resolution.
 

Scenario 1: Forwarding IPsec traffic through a NAT router to an ASA

Problem: 
  1. A Cisco 1921 router sits in front of an ASA 5510.
  2. The user wants to terminate remote-access VPN on the ASA by forwarding IKE traffic (UDP port 500 and UDP port 4500) from the router to the ASA.
  3. The user has a single public IP address, and it is already used for NAT on the router. Since IPsec does not traverse NAT without help, is it possible to terminate the VPN on the ASA at all?

Prerequisite:

  1. Router (1921 used here)
  2. ASA (5510 used here)
  3. Public IP

Solution:

Config at ASA (ASA.txt file attached)

Apply the global service policy with the following command:

(config)# service-policy global_policy global

Similarly, the inside and internal interfaces here share the same security level, and the ASA drops traffic between same-level interfaces by default. Allow it with:
(config)# same-security-traffic permit inter-interface

The answer depends on what "one public IP address" means. Is the address assigned to the router's outside interface, or is it a separate, unassigned public address?
If it is an unassigned public address, the router can translate the ASA's outside address one-to-one to that public address with static NAT, as in the topology below:

{100.100.x.x}fa0/0<-(R1)->fa0/1(192.168.100.1)<-->(192.168.100.2)eth0/0(ASA)eth0/1{172.16.01}
ip nat inside source static 192.168.100.2 100.100.x.x

This is a plain IP-to-IP (one-to-one) translation: no port translation is involved, so both IKE (UDP 500/4500) and ESP (IP protocol 50, which has no ports) can be forwarded to the ASA.

If the only public address is the one assigned to the router's interface, the ASA has to sit behind PAT (port address translation), and Cisco's guidance on IPsec through PAT applies:
For VPN gateways that run Cisco IOS Software Releases earlier than 12.2(13)T, the IPsec pass-through feature is needed on the router that performs PAT to allow Encapsulating Security Payload (ESP) through.

Note: This feature is known as IPsec through Network Address Translation (NAT) support in the Software Advisory (registered customers only).
In order to initiate the tunnel from the local (PATed) peer, no configuration is needed. In order to initiate the tunnel from the remote peer, these commands are needed:

ip nat inside source static esp inside_ip interface interface
ip nat inside source static udp inside_ip 500 interface interface 500

For VPN gateways that run a Cisco IOS Software Release later than 12.2(13)T, IPsec traffic is encapsulated into User Datagram Protocol (UDP) port 4500 packets. This feature is known as IPsec NAT Transparency. In order to initiate the tunnel from the local (PATed) peer, no configuration is needed.
In order to initiate the tunnel from the remote peer, these commands are needed:
ip nat inside source static udp inside_ip 4500 interface interface 4500
ip nat inside source static udp inside_ip 500 interface interface 500
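The three static NAT entries above exist because a PAT router keys translations on UDP/TCP ports, and of the three packet types an IPsec peer sends, only two have ports. The following is an added example (not part of the original post or of any Cisco documentation) that builds constructed sample packets, classifies them the way the PAT router sees them (raw ESP, IKE on UDP 500, and the RFC 3948 UDP/4500 encapsulation with its non-ESP marker and one-byte keepalive), and prints which of the page's static NAT commands the remote-initiated case needs for each. The peer and ASA addresses, interface name and SPI values are made up for the example.

```python
"""Classify IPsec packets as a PAT router sees them (added example).

Sample packets are constructed below; the formats follow ESP (RFC 4303),
the IKE header (RFC 2408 / RFC 7296) and UDP encapsulation on 4500 (RFC 3948).
"""
import ipaddress
import struct
from typing import Optional

PROTO_UDP = 17
PROTO_ESP = 50
IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixes IKE carried over UDP/4500
NAT_KEEPALIVE = b"\xff"               # one-byte NAT-T keepalive payload


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header; checksum left 0 because classification ignores it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_ike_header(init_spi: int) -> bytes:
    """IKE header: iSPI, rSPI=0, next payload SA(1), version 1.0, Main Mode(2), flags, msgid, length."""
    return struct.pack("!QQBBBBII", init_spi, 0, 1, 0x10, 2, 0, 0, 28)


def classify(pkt: bytes) -> str:
    """Return one of: esp | ike | nat-t-ike | nat-t-esp | nat-keepalive | other."""
    vhl, _, total_len, _, _, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vhl >> 4 != 4:
        raise ValueError("not IPv4")
    payload = pkt[(vhl & 0x0F) * 4:total_len]
    if proto == PROTO_ESP:
        return "esp"          # only an SPI follows: nothing for PAT to key on
    if proto != PROTO_UDP:
        return "other"
    sport, dport, ulen, _ = struct.unpack("!HHHH", payload[:8])
    data = payload[8:ulen]
    if IKE_PORT in (sport, dport):
        return "ike"
    if NAT_T_PORT in (sport, dport):
        if data == NAT_KEEPALIVE:
            return "nat-keepalive"
        # An ESP SPI is never zero, so four zero bytes unambiguously mark IKE.
        return "nat-t-ike" if data[:4] == NON_ESP_MARKER else "nat-t-esp"
    return "other"


def esp_spi(pkt: bytes) -> int:
    """SPI of a raw or UDP-encapsulated ESP packet: the only per-flow handle ESP offers."""
    kind = classify(pkt)
    payload = pkt[(pkt[0] & 0x0F) * 4:]
    if kind == "esp":
        return struct.unpack("!I", payload[:4])[0]
    if kind == "nat-t-esp":
        return struct.unpack("!I", payload[8:12])[0]
    raise ValueError(f"no ESP SPI in a {kind} packet")


def inbound_nat_rule(kind: str, inside_ip: str, iface: str) -> Optional[str]:
    """Static entry the PAT router needs so the *remote* peer can initiate (the commands quoted above)."""
    if kind == "esp":
        return f"ip nat inside source static esp {inside_ip} interface {iface}"
    if kind == "ike":
        return f"ip nat inside source static udp {inside_ip} 500 interface {iface} 500"
    if kind in ("nat-t-ike", "nat-t-esp", "nat-keepalive"):
        return f"ip nat inside source static udp {inside_ip} 4500 interface {iface} 4500"
    return None


# Constructed samples: remote peer (documentation range) -> ASA outside address from the topology above.
PEER, ASA = "198.51.100.7", "192.168.100.2"
ESP_BODY = struct.pack("!II", 0x0A1B2C3D, 1) + b"\x00" * 16   # SPI, sequence number, opaque payload
SAMPLE_ESP = build_ipv4(PROTO_ESP, PEER, ASA, ESP_BODY)
SAMPLE_IKE = build_ipv4(PROTO_UDP, PEER, ASA, build_udp(500, 500, build_ike_header(0x1122334455667788)))
SAMPLE_NATT_IKE = build_ipv4(PROTO_UDP, PEER, ASA, build_udp(4500, 4500, NON_ESP_MARKER + build_ike_header(0x1122334455667788)))
SAMPLE_NATT_ESP = build_ipv4(PROTO_UDP, PEER, ASA, build_udp(4500, 4500, ESP_BODY))
SAMPLE_KEEPALIVE = build_ipv4(PROTO_UDP, PEER, ASA, build_udp(4500, 4500, NAT_KEEPALIVE))

if __name__ == "__main__":
    samples = [("raw ESP", SAMPLE_ESP), ("IKE/500", SAMPLE_IKE), ("IKE/4500", SAMPLE_NATT_IKE),
               ("ESP-in-UDP/4500", SAMPLE_NATT_ESP), ("keepalive", SAMPLE_KEEPALIVE)]
    for name, pkt in samples:
        kind = classify(pkt)
        print(f"{name:16s} -> {kind:14s} {inbound_nat_rule(kind, ASA, 'FastEthernet0/0')}")
```

The point the output makes: a raw ESP packet carries only an SPI, so a PAT router can forward it to at most one inside host and needs the `static esp` entry (or NAT-T, which wraps ESP in UDP/4500 so ordinary port-based PAT can handle it). If the ASA negotiates NAT-T with its peers, the UDP 500 and 4500 entries are enough and the ESP entry is not needed.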
 
More information can be found at the link below:
 

Scenario 2: UC-500 and IPsec VPN client disconnects

Problem:

The user's VPN clients keep disconnecting.
The user has a UC560 running uc500-advipservicesk9-mz.151-2.T2 at an HQ site. About 8 remote users connect to HQ with the Cisco IPsec VPN Client (v5.0.07.0440) to access files and similar resources. Only 5 users connect successfully, not 8. As soon as more users try to connect, they either:
  1. Connect successfully for a minute, then drop
  2. Get error 412, "Remote peer is no longer responding"
  3. Connect, but kick someone else's session off.

Prerequisite:

  • UC560 running uc500-advipservicesk9-mz.151-2.T2 
  • IPsec VPN clients (v5.0.07.0440)

Solution:

Router configuration for the VPN clients:
crypto isakmp client configuration group USER01
 key ********
 dns 192.168.0.110
 pool USER01_POOL
 acl USER01_ACL
aaa authentication login RAUTHEN local
aaa authorization network RAUTHOR local if-authenticated
crypto isakmp profile USER01_PROF
   match identity group USER01
   client authentication list RAUTHEN
   isakmp authorization list RAUTHOR
   client configuration address respond
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp policy 1000
 encr 3des
 authentication pre-share
 group 2
 
Debugging was enabled with:
debug crypto isakmp
debug crypto ipsec
 
The relevant debug output is shown below:
604899: Aug 21 16:41:13.333: ISAKMP:(2073): processing HASH payload. message ID = 284724149
604900: Aug 21 16:41:13.333: ISAKMP:(2073): processing NOTIFY DPD/R_U_THERE protocol 1
        spi 0, message ID = 284724149, sa = 0x8E7C6E68
604901: Aug 21 16:41:13.333: ISAKMP:(2073):deleting node 284724149 error FALSE reason "Informational (in) state 1"
604902: Aug 21 16:41:13.333: ISAKMP:(2073):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
604903: Aug 21 16:41:13.333: ISAKMP:(2073):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE 

581504: Aug 20 16:59:12.805: ISAKMP:(2147):purging node -1455244451
581505: Aug 20 16:59:12.805: ISAKMP:(2147):purging node 840814618
581506: Aug 20 16:59:13.933: ISAKMP (2147): received packet from 201.195.231.162 dport 4500 sport 37897 Global (R) QM_IDLE      
581507: Aug 20 16:59:13.933: ISAKMP: set new node 801982813 to QM_IDLE      
581508: Aug 20 16:59:13.933: ISAKMP:(2147): processing HASH payload. message ID = 801982813
581509: Aug 20 16:59:13.933: ISAKMP:received payload type 18
581510: Aug 20 16:59:13.933: ISAKMP:(2147):Processing delete with reason payload
581511: Aug 20 16:59:13.933: ISAKMP:(2147):delete doi = 0
581512: Aug 20 16:59:13.933: ISAKMP:(2147):delete protocol id = 1
581513: Aug 20 16:59:13.933: ISAKMP:(2147):delete spi_size =  16
581514: Aug 20 16:59:13.933: ISAKMP:(2147):delete num spis = 1
581515: Aug 20 16:59:13.933: ISAKMP:(2147):delete_reason = 2
581516: Aug 20 16:59:13.933: ISAKMP:(2147): processing DELETE_WITH_REASON payload, message ID = 801982813, reason: DELETE_BY_USER_COMMAND
581517: Aug 20 16:59:13.933: ISAKMP:(2147):peer does not do paranoid keepalives.
581518: Aug 20 16:59:13.933: ISAKMP:(2147):peer does not do paranoid keepalives.
581519: Aug 20 16:59:13.933: ISAKMP:(2147):deleting SA reason "BY user command" state (R) QM_IDLE       (peer 201.195.231.162)
581520: Aug 20 16:59:13.933: ISAKMP:(2147):deleting node 801982813 error FALSE reason "Informational (in) state 1"
581521: Aug 20 16:59:13.933: ISAKMP: set new node -878597687 to QM_IDLE      
581522: Aug 20 16:59:13.937: ISAKMP:(2147): sending packet to 201.xx.xx.xx my_port 4500 peer_port 37897 (R) QM_IDLE      
581523: Aug 20 16:59:13.937: ISAKMP:(2147):Sending an IKE IPv4 Packet.
581524: Aug 20 16:59:13.937: ISAKMP:(2147):purging node -878597687
581525: Aug 20 16:59:13.937: ISAKMP:(2147):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
581526: Aug 20 16:59:13.937: ISAKMP:(2147):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA 
 
From the debugs we can see that we are receiving a DELETE message from the client at 201.xx.xx.xx:
Typically, you will see this when the user terminates the connection. If this is not the case, it is most likely something with the client causing a delete to be sent in error. Unfortunately, as the legacy IPsec VPN client is End of Support, TAC may not be able to provide you with a permanent fix. If you could test from a different client (Cisco iOS built-in client, Mac OSX built-in client, another Cisco router acting as a client, etc.), this could help confirm if the Cisco VPN Client is what is causing the issue.
An IOS upgrade is worth a shot, although the debugs seem to indicate it is an issue with the client. If possible, I would still suggest testing with another client to see if it's unique to the Cisco VPN Client on Win7. Regarding the 20 tunnel limit, this most likely refers to the number of IPsec SAs. If you issue "show crypto eli", this will print the number of IPSec-Sessions which are currently active.
 
Router#sh cry eli
Hardware Encryption : ACTIVE
 Number of hardware crypto engines = 1
 CryptoEngine Onboard VPN details: state = Active
 Capability    : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE
 IPSec-Session :    56 active,    60 max, 5 failed

That looks like that'll do it. Keep in mind that each IPsec "tunnel" (i.e. client connection) will have an inbound and outbound SPI, each of which counts as an "IPSec-Session" in this "show crypto eli" output. Therefore, the 60 max sessions equate to 30 client connections.
 

Scenario 3: IPsec site-to-site problem between an ASA (version 9.1) and an IOS router

Problem:

The user is trying to set up a site-to-site VPN between an ASA and an IOS router, without success.
The log messages received are:
  • This end is not behind a nat device
  • Received encrypted packet with no matching SA

The networks are:
172.25.0.0 (inside of the ASA), with A.A.A.A as the ASA outside address, needs to reach the IOS router at B.B.B.B, whose inside network is 192.168.1.0

Configuration:

ASA Version 9.0(1)
!
hostname ASA-5505
domain-name 1.kz
names
ip local pool vpn_pool_ASA-5505 192.168.172.2-192.168.172.100 mask 255.255.255.0
ip local pool SAME_NET_ALA 172.25.66.200-172.25.66.210 mask 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
 speed 10
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.25.66.15 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address A.A.A.A 255.255.255.252
!
ftp mode passive
clock timezone ALMST 6
clock summer-time ALMDT recurring last Sun Mar 0:00 last Sun Oct 0:00
dns server-group DefaultDNS
 domain-name 1.kz
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_172.25.66.0_24
 subnet 172.25.66.0 255.255.255.0
object network NETWORK_OBJ_192.168.172.0_25
 subnet 192.168.172.0 255.255.255.128
object network NETWORK_OBJ_172.25.66.192_27
 subnet 172.25.66.192 255.255.255.224
object network ALA_office
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_172.25.0.0_16
 subnet 172.25.0.0 255.255.0.0
access-list SAME_NET_ALA_splitTunnelAcl standard permit 172.25.66.0 255.255.255.0
access-list SAME_NET_ALA_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list SAME_NET_ALA_splitTunnelAcl standard permit 172.0.0.0 255.0.0.0
access-list VPN-OUT-INS extended permit ip 192.168.172.0 255.255.255.0 any log
access-list VPN-IN-INS extended permit ip any any log
access-list VPN-OUT-OUT extended permit ip any 192.168.172.0 255.255.255.0 log
access-list VPN-OUT-ALL standard permit any4
access-list net172 standard permit 172.25.0.0 255.255.0.0
access-list net10 standard permit 10.0.0.0 255.0.0.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.25.66.0_24 object ALA_office
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_172.25.66.0_24 NETWORK_OBJ_172.25.66.0_24 destination static NETWORK_OBJ_192.168.172.0_25 NETWORK_OBJ_192.168.172.0_25 no-proxy-arp route-lookup
nat (inside,outside) source static obj_any obj_any destination static NETWORK_OBJ_172.25.66.192_27 NETWORK_OBJ_172.25.66.192_27 no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_172.25.66.0_24 NETWORK_OBJ_172.25.66.0_24 destination static ALA_office ALA_office no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
access-group VPN-IN-INS in interface inside
access-group VPN-IN-INS out interface inside
route outside 0.0.0.0 0.0.0.0 88.204.136.165 1
route inside 10.0.0.0 255.0.0.0 172.25.66.1 2
route inside 172.0.0.0 255.0.0.0 172.25.66.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 172.25.66.16 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set Alma-set esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer B.B.B.B
crypto map outside_map 1 set ikev1 transform-set Alma-set
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 no anyconnect-essentials
group-policy web_access internal
group-policy web_access attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value PRTG
group-policy SAME_NET_ALA internal
group-policy SAME_NET_ALA attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SAME_NET_ALA_splitTunnelAcl
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy_to_ALA internal
tunnel-group SAME_NET_ALA type remote-access
tunnel-group SAME_NET_ALA general-attributes
 address-pool SAME_NET_ALA
 default-group-policy SAME_NET_ALA
tunnel-group SAME_NET_ALA ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group web_access type remote-access
tunnel-group web_access general-attributes
 default-group-policy web_access
tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B general-attributes
 default-group-policy GroupPolicy1
tunnel-group B.B.B.B ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect http
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:932099620805dc22d9e48a5e04314887
 
IOS Router:
Last configuration change at 12:22:45 UTC Fri Aug 29 2014 by yerzhan
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1921_center
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
ip cef
!
ip domain name yourdomain.com
no ipv6 cef
!
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-260502430
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-260502430
 revocation-check none
 rsakeypair TP-self-signed-260502430
!
!
crypto pki certificate chain TP-self-signed-260502430
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32363035 30323433 30301E17 0D313331 31323630 35343131
  355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3236 30353032
  34333030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  C178A16C 26637A32 E2FE6EB2 DE63FC5D 2F4096D2 1A223CAF 52A122A1 F152F0E0
  D2305008 FA312D36 E055D09C 730111B6 487A01D5 629F8DE4 42FF0444 4B3B107A
  F6439BA2 970EFE71 C9127F72 F93603E0 11B3F622 73DB1D7C 1889D57C 88C3B141
  ED39B0EA 377CE1F7 610F9C76 FC9C843F A81AEFFE 07917A4B 2946032B 207160B9
  02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
  23041830 1680146B B9F671FA BDD822DF 76802EEA 161D18D6 9B8C4030 1D060355
  1D0E0416 04146BB9 F671FABD D822DF76 802EEA16 1D18D69B 8C40300D 06092A86
  4886F70D 01010505 00038181 00B0C56F F1F4F85C 5FE7BF24 27D1DF41 7E9BB9CE
  0447910A 07209827 E780FA0D 3A969CD0 12929830 14AAA496 0D17F684 7F841261
  56365D9C AA15019C ABC74D0A 3CD4E002 F63AA181 B3CC4461 4E56E58D C8237899
  29F48CFA 67C4B84B 95D456C3 F0CF858D 43C758C3 C285FEF1 C002E2C5 DCFB9A8A
  6A1DF7E3 EE675EAF 7A608FB7 88
        quit
license udi pid CISCO1921/K9 sn FCZ1748C14U
!
redundancy
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key PSK-KEY address A.A.A.A
crypto isakmp key 6 PSK-KEY address 0.0.0.0
!
crypto isakmp client configuration group ALA-EMP-VPN
 key *.*.*.*
 dns 8.8.8.8
 domain cisco.com
 pool ippool
 acl 101
 netmask 255.255.255.0
!
!
crypto ipsec transform-set dmvpn_alad esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode tunnel
crypto ipsec transform-set TRIPSECMAX esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile MAXPROFILE
 set transform-set TRIPSECMAX
!
!
crypto ipsec profile dmvpn_profile
 set transform-set dmvpn_alad
!
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 20 ipsec-isakmp
 set peer A.A.A.A
 set transform-set AES-SHA
 match address VPN_ASA_PAV
!
interface Loopback1
 ip address 10.10.10.10 255.255.255.255
!
interface Tunnel2
 ip address 192.168.101.1 255.255.255.240
 no ip redirects
 ip nhrp authentication NHRPMAX
 ip nhrp map multicast dynamic
 ip nhrp network-id 4679
 ip ospf network broadcast
 ip ospf hello-interval 30
 ip ospf priority 10
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 4679
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description to_LAN
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description to_ISP
 ip address B.B.B.B 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map clientmap
!
router ospf 100
 auto-cost reference-bandwidth 1000
 area 0 authentication message-digest
 area 192.168.1.0 authentication message-digest
 redistribute static subnets
 passive-interface default
 no passive-interface Tunnel1
 network 10.10.10.10 0.0.0.0 area 192.168.1.0
 network 192.168.1.0 0.0.0.255 area 192.168.1.0
 network 192.168.222.0 0.0.0.15 area 0
!
router ospf 1
 router-id 1.1.1.1
 redistribute static subnets
 passive-interface default
 no passive-interface Tunnel2
 network 10.10.10.10 0.0.0.0 area 192.168.1.0
 network 192.168.1.0 0.0.0.255 area 192.168.1.0
 network 192.168.101.0 0.0.0.15 area 0
!
ip local pool ippool 192.168.33.1 192.168.33.20
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 111 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.11 22 B.B.B.B 8022 extendable
ip route 0.0.0.0 0.0.0.0 B.B.B.C
!
ip access-list extended ACL-NAT
 deny   ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
 permit ip any any
ip access-list extended ACL-VPN
 permit ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
ip access-list extended VPN_ASA_PAV
 permit ip 192.168.1.0 0.0.0.255 172.25.66.0 0.0.0.255
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 111 permit ip any any
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 transport input telnet ssh
line vty 5 15
 exec-timeout 0 0
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000

 

Prerequisite

ASA (version 9.1; the posted configuration reports 9.0(1))
Router (IOS 15)
 
Solution
The problem is a mismatch between the crypto access lists that define the traffic to be protected.
The ASA has:
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.25.66.0_24 object ALA_office
The router has:
permit ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255
 
The two access lists must be exact mirror images of each other: the source and destination networks on one side must equal, with the same prefix lengths, the destination and source on the other. Here the router proposes 172.25.0.0/16 as the remote network while the ASA expects 172.25.66.0/24, so the Quick Mode proposals do not match. The matching pair is:
ASA:
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.25.66.0_24 object ALA_office
object network NETWORK_OBJ_172.25.66.0_24
 subnet 172.25.66.0 255.255.255.0
object network ALA_office
 subnet 192.168.1.0 255.255.255.0
IOS:
ip access-list extended VPN_ASA_PAV
 permit ip 192.168.1.0 0.0.0.255 172.25.66.0 0.0.0.255
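Comparing crypto ACLs by eye is error-prone because the ASA expresses them through named objects with subnet masks while IOS uses inverse (wildcard) masks. The following is an added example (not part of the original discussion) that parses both forms into CIDR networks and reports every proxy-ID pair that the other side does not mirror exactly. It runs the check with the /16 line from the router's ACL-VPN (the mismatch) and with the /24 line from VPN_ASA_PAV (the fix). Note that the router configuration as posted already binds VPN_ASA_PAV to crypto map clientmap 20; the /16 line lives in ACL-VPN, which no crypto map references.

```python
"""Check that two crypto ACLs are mirror images (added example).

Parses ASA object-based ACEs and IOS wildcard-mask ACEs into networks and
reports any (source, destination) pair that the other side does not mirror.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]   # (source, destination)


def wildcard_to_network(addr: str, wildcard: str) -> Net:
    """IOS inverse mask -> CIDR: 0.0.0.255 is /24, 0.0.255.255 is /16."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = (~w) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} cannot be a crypto proxy ID")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_ios_ace(ace: str) -> Pair:
    """'permit ip A WA B WB', also accepting the 'any' and 'host X' keywords."""
    toks = ace.split()
    if toks[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {ace}")
    nets: List[Net] = []
    i = 2
    while len(nets) < 2:
        if toks[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        elif toks[i] == "host":
            nets.append(ipaddress.ip_network(f"{toks[i + 1]}/32"))
            i += 2
        else:
            nets.append(wildcard_to_network(toks[i], toks[i + 1]))
            i += 2
    return nets[0], nets[1]


def parse_asa_objects(config: str) -> Dict[str, Net]:
    """Collect 'object network NAME' followed by ' subnet ADDR MASK' definitions."""
    objects: Dict[str, Net] = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+subnet (\S+) (\S+)", line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return objects


def parse_asa_ace(ace: str, objects: Dict[str, Net]) -> Pair:
    """'access-list NAME extended permit ip object A object B'."""
    m = re.search(r"permit ip object (\S+) object (\S+)", ace)
    if not m:
        raise ValueError(f"unsupported ACE: {ace}")
    return objects[m.group(1)], objects[m.group(2)]


def mirror_mismatches(local: List[Pair], remote: List[Pair]) -> List[str]:
    """Every local (src, dst) must appear on the remote side as (dst, src), and vice versa."""
    problems = []
    for src, dst in local:
        if (dst, src) not in remote:
            problems.append(f"local {src} -> {dst} has no remote mirror {dst} -> {src}")
    for src, dst in remote:
        if (dst, src) not in local:
            problems.append(f"remote {src} -> {dst} has no local mirror {dst} -> {src}")
    return problems


# ASA side, taken from the configuration above.
ASA_CONFIG = """\
object network NETWORK_OBJ_172.25.66.0_24
 subnet 172.25.66.0 255.255.255.0
object network ALA_office
 subnet 192.168.1.0 255.255.255.0
"""
ASA_ACE = "access-list outside_cryptomap extended permit ip object NETWORK_OBJ_172.25.66.0_24 object ALA_office"
# Router side: the /16 line from ACL-VPN versus the corrected /24 line from VPN_ASA_PAV.
IOS_ACE_BAD = "permit ip 192.168.1.0 0.0.0.255 172.25.0.0 0.0.255.255"
IOS_ACE_GOOD = "permit ip 192.168.1.0 0.0.0.255 172.25.66.0 0.0.0.255"


def check(ios_ace: str) -> List[str]:
    """Mirror-check the page's ASA ACE against one router ACE; empty list means they match."""
    asa_pairs = [parse_asa_ace(ASA_ACE, parse_asa_objects(ASA_CONFIG))]
    return mirror_mismatches(asa_pairs, [parse_ios_ace(ios_ace)])


if __name__ == "__main__":
    for label, ace in (("before", IOS_ACE_BAD), ("after", IOS_ACE_GOOD)):
        print(label, "->", check(ace) or ["mirror OK"])
```

The "before" run reports two problems, one from each direction, because 172.25.0.0/16 and 172.25.66.0/24 are different proxy IDs even though one contains the other; the "after" run reports none. The same check applies to any pair of crypto maps, and the non-contiguous wildcard guard catches ACEs that are legal for packet filtering but meaningless as IPsec proxy identities.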
 
Source Discussion