05-28-2008 05:45 AM
Hi there
I have an ASA 5510 in the head office with a static IP and an ASA 5505 at the remote site behind an ADSL router. I'm trying to establish a VPN, but it's failing in phase 1.
Config of Head Office
interface Ethernet0/0
description Link to LeaseLine Router
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
description Link to Internal LAN
nameif inside
security-level 100
ip address 172.17.1.15 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.17.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.17.1.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list vpn_to_remote extended permit ip 172.17.1.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list VPN extended permit ip 172.17.1.0 255.255.255.0 172.20.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
crypto ipsec transform-set esp-aes-256-md5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map cisco 1 match address VPN
crypto dynamic-map cisco 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 match address vpn_to_remote
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set esp-aes-256-md5
crypto map outside_map 10 set reverse-route
crypto map outside_map 30 ipsec-isakmp dynamic cisco
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
pre-shared-key *
tunnel-group parkplace type ipsec-l2l
tunnel-group parkplace ipsec-attributes
pre-shared-key *
Config of Remote Site
interface Vlan1
nameif inside
security-level 100
ip address 172.20.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
access-list ICMP extended permit icmp any any
access-list NONAT extended permit ip 172.20.1.0 255.255.255.0 172.17.1.0 255.255.255.0
access-list VPN extended permit ip 172.20.1.0 255.255.255.0 172.17.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 outside
access-group ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 83.111.252.242
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group fairmount type ipsec-l2l
tunnel-group fairmount ipsec-attributes
pre-shared-key *
Regards/Asfar
05-28-2008 06:32 AM
Hi,
Did you try replacing the 'tunnel-group' entry names with the IP address on both ends?
thank you
MS
05-28-2008 06:47 AM
On the end with the static ip, assign the pre-shared key to the DefaultL2L group.
05-28-2008 05:50 AM
I am getting this debug error. Can anybody please check and help regarding the issue?
May 28 06:03:03 [IKEv1]: IP = x.x.x.x, Information Exchange processing failed
May 28 06:03:11 [IKEv1]: IP = x.x.x.x, Information Exchange processing failed
May 28 06:03:18 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed, no match!
May 28 06:03:18 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntry
May 28 06:03:27 [IKEv1]: IP = x.x.x.x, Information Exchange processing failed
05-28-2008 06:34 AM
OK, I will try that, but on the head office side I cannot configure the tunnel name with an IP address, as the remote branch is behind ADSL and coming from a dynamic IP.
05-28-2008 06:40 AM
I have changed the tunnel-group to the IP address; now the debugs at the head office are:
LM-ASA-5510# May 28 05:28:50 [IKEv1]: Group = 217.165.160.53, IP = 217.165.160.53, Can't find a valid tunnel group, aborting...!
May 28 05:28:50 [IKEv1]: Group = 217.165.160.53, IP = 217.165.160.53, Removing peer from peer table failed, no match!
May 28 05:28:50 [IKEv1]: Group = 217.165.160.53, IP = 217.165.160.53, Error: Unable to remove PeerTblEntry
May 28 05:28:58 [IKEv1]: IP = 217.165.160.53, Header invalid, missing SA payload! (next payload = 4)
May 28 05:29:06 [IKEv1]: IP = 217.165.160.53, Header invalid, missing SA payload! (next payload = 4)
05-28-2008 06:42 AM
I have changed the remote site tunnel-group from a name to an IP address; now the debugs on the head office firewall are:
LM-ASA-5510# May 28 05:28:50 [IKEv1]: Group = 217.165.160.53, IP = 217.165.160.53, Can't find a valid tunnel group, aborting...!
May 28 05:28:50 [IKEv1]: Group = 217.165.160.53, IP = 217.165.160.53, Removing peer from peer table failed, no match!
May 28 05:28:50 [IKEv1]: Group = 217.165.160.53, IP = 217.165.160.53, Error: Unable to remove PeerTblEntry
May 28 05:28:58 [IKEv1]: IP = 217.165.160.53, Header invalid, missing SA payload! (next payload = 4)
May 28 05:29:06 [IKEv1]: IP = 217.165.160.53, Header invalid, missing SA payload! (next payload = 4)
05-29-2008 03:41 PM
Thanks Guys
09-27-2017 11:40 AM
I had the same problem, and I removed and re-added (crypto map, tunnel-group and clear crypto isakmp) and it works.
Thank you very much.