New Member

asa to asa dynamic vpn

Hi guys,

I'm trying to configure an asa to asa dynamic vpn connection, but it fails.

On the hub firewall I want to use another tunnel-group instead of the default "DefaultL2LGroup".

So I configured another tunnel-group on the hub, and on the spoke firewall I used "crypto isakmp identity hostname/key-id" to define the right tunnel-group. This configuration doesn't work. When I perform a debug on the hub firewall, I get the following error:

" [IKEv1]Group = 10.0.1.2, IP = 10.0.1.2, Can't find a valid tunnel group, aborting...! "

Does anyone have an idea what I'm doing wrong? Or does anyone have a good example?

Thanx

raf

2 REPLIES
New Member

asa to asa dynamic vpn

Ok, I've created a little Visio file and added the configs of both ASAs. I hope this will make it clear.

site a:

---------

ASA Version 8.4(2)
!
hostname site-a
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.1.1 255.255.255.0
!
ftp mode passive
access-list inside_in extended permit ip any any
access-list outside_in extended permit ip any any
access-list acl_vpn extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list test extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group inside_in in interface inside
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address acl_vpn
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set esp-3des-sha
crypto map vpn_map 1 ipsec-isakmp dynamic outside_dyn_map
crypto map vpn_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy test internal
group-policy test attributes
 vpn-filter value test
 vpn-tunnel-protocol ikev1
tunnel-group site-b type ipsec-l2l
tunnel-group site-b general-attributes
 default-group-policy test
tunnel-group site-b ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group site-b.test type ipsec-l2l
tunnel-group site-b.test ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group test type ipsec-l2l
tunnel-group test general-attributes
 default-group-policy test
tunnel-group test ipsec-attributes
 ikev1 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9361d95ddd41d33e57cd899acaface3d
: end

site b:

---------

ASA Version 8.4(2)
!
hostname site-b
domain-name test
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.254 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.1.2 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name test
access-list inside_in extended permit ip any any
access-list outside_in extended permit ip any any
access-list acl_vpn extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group inside_in in interface inside
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
no sysopt connection permit-vpn
crypto ipsec ikev1 transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto map vpn_map 1 match address acl_vpn
crypto map vpn_map 1 set pfs
crypto map vpn_map 1 set peer 10.0.1.1
crypto map vpn_map 1 set ikev1 transform-set esp-3des-sha
crypto map vpn_map interface outside
crypto isakmp identity hostname
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 10.0.1.1 type ipsec-l2l
tunnel-group 10.0.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:3a4eef2b634bd02968a47829cacf068e
: end

New Member

Re: asa to asa dynamic vpn

And this is the debug when I try to get the VPN up and running:

site-a# Nov 21 04:25:53 [IKEv1]IP = 10.0.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) +8
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, processing SA payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, Oakley proposal is acceptable
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, processing VID payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, Received NAT-Traversal ver 02 VID
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, processing VID payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, Received NAT-Traversal ver 03 VID
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, processing VID payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, Received NAT-Traversal RFC VID
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, processing VID payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, Received Fragmentation VID
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, processing IKE SA payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, constructing ISAKMP SA payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, constructing NAT-Traversal VID ver 02 payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, constructing Fragmentation VID + extended capabilities payload
Nov 21 04:25:53 [IKEv1]IP = 10.0.1.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length 8
Nov 21 04:25:53 [IKEv1]IP = 10.0.1.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (4
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, processing ke payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, processing ISA_KE payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, processing nonce payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, processing VID payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, Received Cisco Unity client VID
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, processing VID payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, Received xauth V6 VID
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, processing VID payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, processing VID payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, processing NAT-Discovery payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, computing NAT Discovery hash
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, processing NAT-Discovery payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, computing NAT Discovery hash
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, constructing ke payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, constructing nonce payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, constructing Cisco Unity VID payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, constructing xauth V6 VID payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, Send IOS VID
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, constructing VID payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, constructing NAT-Discovery payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, computing NAT Discovery hash
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, constructing NAT-Discovery payload
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, computing NAT Discovery hash
Nov 21 04:25:53 [IKEv1]Group = 10.0.1.2, IP = 10.0.1.2, Can't find a valid tunnel group, aborting...!
Nov 21 04:25:53 [IKEv1 DEBUG]Group = 10.0.1.2, IP = 10.0.1.2, IKE MM Responder FSM error history (struct &0xcafb7d50)  , :  MM_DONE, EV_ERROR-Y
Nov 21 04:25:53 [IKEv1 DEBUG]Group = 10.0.1.2, IP = 10.0.1.2, IKE SA MM:718189f1 terminating:  flags 0x0100c002, refcnt 0, tuncnt 0
Nov 21 04:25:53 [IKEv1 DEBUG]Group = 10.0.1.2, IP = 10.0.1.2, sending delete/delete with reason message
Nov 21 04:26:01 [IKEv1]IP = 10.0.1.2, Header invalid, missing SA payload! (next payload = 4)
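The failing line in the debug above carries the diagnostic information a responder can give: "Group = 10.0.1.2" is the tunnel-group name the hub searched for, and the hub's running configuration defines only the groups site-b, site-b.test and test, with no DefaultL2LGroup pre-shared key to fall back on (DefaultL2LGroup being the catch-all the original post mentions). The following Python script is an added example, not code from the thread or from Cisco. It parses excerpts of the posted site-a configuration and debug output (constructed inline from the thread), lists the L2L tunnel-groups that carry an IKEv1 pre-shared key, extracts the name the hub actually looked up, and reports whether an exact group or the DefaultL2LGroup fallback could have satisfied that lookup. The function names, regular expressions and result layout are this example's own.

```python
"""Triage helper for the ASA IKEv1 error "Can't find a valid tunnel group".

Added example, not code from the thread or from Cisco. It reads the hub's
tunnel-group configuration and the hub's IKEv1 debug output, works out which
tunnel-group name the hub searched for (the "Group = ..." field of the failing
line) and reports whether any configured group, or the DefaultL2LGroup
fallback, could have satisfied that lookup.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the hub (site-a) configuration posted in the thread.
HUB_CONFIG = """\
hostname site-a
crypto ikev1 enable outside
tunnel-group site-b type ipsec-l2l
tunnel-group site-b general-attributes
 default-group-policy test
tunnel-group site-b ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group site-b.test type ipsec-l2l
tunnel-group site-b.test ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group test type ipsec-l2l
tunnel-group test general-attributes
 default-group-policy test
tunnel-group test ipsec-attributes
 ikev1 pre-shared-key *****
"""

# Constructed excerpt of the IKEv1 debug output posted in the thread.
HUB_DEBUG = """\
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1
Nov 21 04:25:53 [IKEv1 DEBUG]IP = 10.0.1.2, computing NAT Discovery hash
Nov 21 04:25:53 [IKEv1]Group = 10.0.1.2, IP = 10.0.1.2, Can't find a valid tunnel group, aborting...!
Nov 21 04:25:53 [IKEv1 DEBUG]Group = 10.0.1.2, IP = 10.0.1.2, IKE SA MM:718189f1 terminating:  flags 0x0100c002, refcnt 0, tuncnt 0
"""

TG_TYPE_RE = re.compile(r"^tunnel-group (\S+) type (\S+)\s*$")
TG_IPSEC_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes\s*$")
PSK_RE = re.compile(r"^\s+ikev1 pre-shared-key \S+")
NO_GROUP_RE = re.compile(
    r"\[IKEv1\]Group = (\S+), IP = (\S+), Can't find a valid tunnel group"
)


@dataclass
class TunnelGroup:
    name: str
    kind: str          # e.g. "ipsec-l2l"
    has_psk: bool = False


def parse_tunnel_groups(config: str) -> Dict[str, TunnelGroup]:
    """Collect every tunnel-group and note whether it carries an IKEv1 PSK."""
    groups: Dict[str, TunnelGroup] = {}
    current: Optional[TunnelGroup] = None
    for line in config.splitlines():
        if m := TG_TYPE_RE.match(line):
            groups[m.group(1)] = TunnelGroup(m.group(1), m.group(2))
            current = None
        elif m := TG_IPSEC_RE.match(line):
            current = groups.get(m.group(1))
        elif line.startswith(" "):
            if current is not None and PSK_RE.match(line):
                current.has_psk = True
        else:
            current = None        # any other top-level command ends the section
    return groups


def find_lookup_failures(debug: str) -> List[Tuple[str, str]]:
    """Return (group searched, peer IP) for each failing tunnel-group lookup."""
    out: List[Tuple[str, str]] = []
    for line in debug.splitlines():
        if m := NO_GROUP_RE.search(line):
            out.append((m.group(1), m.group(2)))
    return out


def is_ip_literal(name: str) -> bool:
    """True when the searched group name is an IP address rather than a hostname."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def explain(config: str, debug: str) -> List[dict]:
    """Pair each failing lookup with what the hub has configured."""
    groups = parse_tunnel_groups(config)
    l2l = sorted(g.name for g in groups.values() if g.kind == "ipsec-l2l")
    findings = []
    for searched, peer in find_lookup_failures(debug):
        exact = groups.get(searched)
        fallback = groups.get("DefaultL2LGroup")
        findings.append({
            "peer": peer,
            "searched": searched,
            "searched_is_address": is_ip_literal(searched),
            "exact_match_with_psk": bool(exact and exact.has_psk),
            "fallback_with_psk": bool(fallback and fallback.has_psk),
            "configured_l2l_groups": l2l,
        })
    return findings


if __name__ == "__main__":
    for f in explain(HUB_CONFIG, HUB_DEBUG):
        how = "peer address" if f["searched_is_address"] else "identity string"
        print(f"peer {f['peer']}: hub searched tunnel-group '{f['searched']}' ({how})")
        print(f"  exact group with PSK: {f['exact_match_with_psk']},"
              f" DefaultL2LGroup with PSK: {f['fallback_with_psk']}")
        print(f"  configured L2L groups: {', '.join(f['configured_l2l_groups'])}")
```

Run against the thread's own data it reports that the hub searched for the group "10.0.1.2" (an address, not the hostname the spoke was configured to present), that no group of that name exists, and that no DefaultL2LGroup with a pre-shared key was available as a fallback; adding such a fallback to the constructed config flips the last flag, which is the quickest way to confirm the tool distinguishes the two cases.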
