Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Another ASA to Juniper site-to-site tunnel issue, lease help

Hi Guys,

Some background:

- trying to establish site-to-site IPsec tunnel between ASA and Juniper (I have no access to Juniper).

- in a week of trial and error we got the tunnel established, however no trafffic is flowing, through.

- main issue prior was to get  phase 2 going. After changing proxy-id on Juniper to public IPs, instead of local IP's, phase 2 succeded.

Please have a look at running config (irrelevant outut ommited):

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 3

!

interface Ethernet0/3

switchport access vlan 4

!

interface Ethernet0/4

switchport access vlan 5

!

interface Ethernet0/5

switchport access vlan 5

!

interface Ethernet0/6

switchport access vlan 5

!

interface Ethernet0/7

switchport access vlan 5

!

interface Vlan1

nameif inside

security-level 100

ip address q.q.q.q 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 Solon_192_Net 255.255.255.0

access-list inside_nat0_outbound extended permit ip 192.168.15.0 255.255.255.0 172.16.160.0 255.255.255.0

access-list split-tunnel standard permit 192.168.15.0 255.255.255.0

access-list Default_splitTunnelAcl standard permit 192.168.15.0 255.255.255.0

access-list outside_3_cryptomap extended permit ip 192.168.15.0 255.255.255.0 object-group DM_INLINE_NETWORK_1

pager lines 24

logging enable

logging buffer-size 50000

logging buffered debugging

logging asdm informational

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 172.16.160.0 255.255.255.0 x.x.x.x

route outside Solon_192_Net 255.255.255.0 x.x.x.x

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record SslVPN

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 3 match address outside_3_cryptomap

crypto map outside_map 3 set pfs

crypto map outside_map 3 set connection-type originate-only

crypto map outside_map 3 set peer y.y.y.y

crypto map outside_map 3 set transform-set ESP-AES-128-SHA

crypto map outside_map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

vpn-idle-timeout none

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split-tunnel

group-policy solonVPN internal

group-policy solonVPN attributes

vpn-filter value outside_3_cryptomap

vpn-tunnel-protocol IPSec l2tp-ipsec

vpn-tunnel-protocol IPSec svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split-tunnel

tunnel-group y.y.y.y type ipsec-l2l

tunnel-group y.y.y.y general-attributes

default-group-policy solonVPN

tunnel-group y.y.y.y ipsec-attributes

pre-shared-key *****

Also output of: show ipsec  sa peer  y.y.y.y

peer address: y.y.y.y

    Crypto map tag: outside_map, seq num: 3, local addr: x.x.x.x

      access-list OO_temp_outside_map3 extended permit ip host x.x.x.x host                                                                                                                                                               y.y.y.y

      local ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/0/0)

      remote ident (addr/mask/prot/port): (y.y.y.y/255.255.255.255/0/0)

      current_peer: y.y.y.y

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x, remote crypto endpt.: y.y.y.y

      path mtu 1492, ipsec overhead 74, media mtu 1500

      current outbound spi: 2457BF99

      current inbound spi : 09A6FF7A

    inbound esp sas:

      spi: 0x09A6FF7A (161939322)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 24576, crypto-map: outside_map

         sa timing: remaining key lifetime (sec): 3494

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0x2457BF99 (609730457)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 24576, crypto-map: outside_map

         sa timing: remaining key lifetime (sec): 3494

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

Any help much appreciated....

Everyone's tags (6)
7 REPLIES
Hall of Fame Super Silver

Another ASA to Juniper site-to-site tunnel issue, lease help

No encaps (or decaps) in your "show ipsec sa peer ___" output makes me wonder how the tunnel even came up in the first place. One would expect to see interesting traffic - at least in the encap entry.

You don't typically need route entries for the remote networks as you get to them via the lan to lan ipsec tunnel which sends encapsulated traffic to the peer via the default gateway.

Bronze

Another ASA to Juniper site-to-site tunnel issue, lease help

mart.lubo wrote:

[... ...]

Also output of: show ipsec  sa peer  y.y.y.y

peer address: y.y.y.y

    Crypto map tag: outside_map, seq num: 3, local addr: x.x.x.x

      access-list OO_temp_outside_map3 extended permit ip host x.x.x.x host y.y.y.y

      local ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/0/0)

      remote ident (addr/mask/prot/port): (y.y.y.y/255.255.255.255/0/0)

      current_peer: y.y.y.y

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x, remote crypto endpt.: y.y.y.y

      path mtu 1492, ipsec overhead 74, media mtu 1500

      current outbound spi: 2457BF99

      current inbound spi : 09A6FF7A

    inbound esp sas:

      spi: 0x09A6FF7A (161939322)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 24576, crypto-map: outside_map

         sa timing: remaining key lifetime (sec): 3494

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0x2457BF99 (609730457)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 24576, crypto-map: outside_map

         sa timing: remaining key lifetime (sec): 3494

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

Any help much appreciated....

Unfortunately you omitted some relevant parts of the config...

From what I see in the show output:

local/remote ident are the same as local/remote crypto endpoint. This will never work if you want to encrypt a traditional site-to-site VPN. local/remote ident must be the LANs on both sides. If the phase 2 negotiation between ASA and Juniper doesn't succeed post a detailed debug here.

Rgds, MiKa

New Member

Another ASA to Juniper site-to-site tunnel issue, lease help

Hi MiKa,

Thanks for the tip,

excuse my ignorance, I'm fairly new to ASA world, how do I change the local/remote identities, while keeping the endpoints intact?

Thanks

Martin

Bronze

Re: Another ASA to Juniper site-to-site tunnel issue, lease help

Hi Martin,

the tunnel endpoints are defined by the tunnel group, respectively the outside IP address.

Local/remote idents are the "tunnel passengers". On the ASA these are defined by your crypto access-list, in your case "outside_3_cryptomap". The source is the local ident (your local LAN), the destination is the remote ident (the LAN behind your remote endpoint).

New Member

Another ASA to Juniper site-to-site tunnel issue, lease help

Hi MiKa,

my local/remote identities:

#show access-list | include outside_3

access-list outside_3_cryptomap; 2 elements; name hash: 0xb9f54e73

access-list outside_3_cryptomap line 1 extended permit ip 192.168.15.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 0xedc33f46

  access-list outside_3_cryptomap line 1 extended permit ip 192.168.15.0 255.255.255.0 172.16.160.0 255.255.255.0 (hitcnt=0) 0x5ae4895a

  access-list outside_3_cryptomap line 1 extended permit ip 192.168.15.0 255.255.255.0 Solon_192_Net 255.255.255.0 (hitcnt=0) 0x9030c786

My tunnel endpoint for that VPN:

# show running-config  | include tunnel-group 206

tunnel-group 206.x.x.x. type ipsec-l2l

tunnel-group 206.x.x.x general-attributes

tunnel-group 206.x.x.x ipsec-attributes

New Member

Another ASA to Juniper site-to-site tunnel issue, lease help

also if i may add, initial ike phase 2 negotiation, has been failing, until  (proxy id) local and remote address has been set to public ip addresses.

Bronze

Another ASA to Juniper site-to-site tunnel issue, lease help

Hi,

in that case the juniper is misconfigured. You need to include the juniper side in the debugging process.

There is no usable case, where the local/remote ident are identical to the tunnel end points.

1293
Views
0
Helpful
7
Replies