05-28-2008 05:45 AM
Hi there,
I have an ASA 5510 in the head office with a static IP and an ASA 5505 at the remote site behind an ADSL router. I am trying to establish a VPN, but it is failing in phase 1.
Config of Head Office
interface Ethernet0/0
description Link to LeaseLine Router
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
interface Ethernet0/1
description Link to Internal LAN
nameif inside
security-level 100
ip address 172.17.1.15 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.17.1.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip 172.17.1.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list vpn_to_remote extended permit ip 172.17.1.0 255.255.255.0 172.19.1.0 255.255.255.0
access-list VPN extended permit ip 172.17.1.0 255.255.255.0 172.20.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
crypto ipsec transform-set esp-aes-256-md5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map cisco 1 match address VPN
crypto dynamic-map cisco 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 match address vpn_to_remote
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 10 set transform-set esp-aes-256-md5
crypto map outside_map 10 set reverse-route
crypto map outside_map 30 ipsec-isakmp dynamic cisco
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
pre-shared-key *
tunnel-group parkplace type ipsec-l2l
tunnel-group parkplace ipsec-attributes
pre-shared-key *
Config of Remote Site
interface Vlan1
nameif inside
security-level 100
ip address 172.20.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
access-list ICMP extended permit icmp any any
access-list NONAT extended permit ip 172.20.1.0 255.255.255.0 172.17.1.0 255.255.255.0
access-list VPN extended permit ip 172.20.1.0 255.255.255.0 172.17.1.0 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0 outside
access-group ICMP in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address VPN
crypto map outside_map 1 set peer 83.111.252.242
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
tunnel-group fairmount type ipsec-l2l
tunnel-group fairmount ipsec-attributes
pre-shared-key *
Regards/Asfar
05-28-2008 05:50 AM
I am getting this debug error; can anybody please check and help regarding the issue?
May 28 06:03:03 [IKEv1]: IP = x.x.x.x, Information Exchange processing failed
May 28 06:03:11 [IKEv1]: IP = x.x.x.x, Information Exchange processing failed
May 28 06:03:18 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed, no match!
May 28 06:03:18 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntry
May 28 06:03:27 [IKEv1]: IP = x.x.x.x, Information Exchange processing failed
05-28-2008 06:32 AM
Hi,
Did you try replacing the 'tunnel-group' entry names with IP addresses on both ends?
thank you
MS
05-28-2008 06:34 AM
OK, I will try that, but on the head office side I cannot configure the tunnel-group name with an IP address, as the remote branch is behind ADSL and coming from a dynamic IP.
05-28-2008 06:40 AM
I have changed the tunnel-group to the IP address; now the debugs at the head office are:
LM-ASA-5510# May 28 05:28:50 [IKEv1]: Group = 217.165.160.53, IP = 217.165.160.53, Can't find a valid tunnel group, aborting...!
May 28 05:28:50 [IKEv1]: Group = 217.165.160.53, IP = 217.165.160.53, Removing peer from peer table failed, no match!
May 28 05:28:50 [IKEv1]: Group = 217.165.160.53, IP = 217.165.160.53, Error: Unable to remove PeerTblEntry
May 28 05:28:58 [IKEv1]: IP = 217.165.160.53, Header invalid, missing SA payload! (next payload = 4)
May 28 05:29:06 [IKEv1]: IP = 217.165.160.53, Header invalid, missing SA payload! (next payload = 4)
05-28-2008 06:42 AM
I have changed the remote site tunnel-group from a name to the IP address; now the debugs at the head office firewall are:
LM-ASA-5510# May 28 05:28:50 [IKEv1]: Group = 217.165.160.53, IP = 217.165.160.53, Can't find a valid tunnel group, aborting...!
May 28 05:28:50 [IKEv1]: Group = 217.165.160.53, IP = 217.165.160.53, Removing peer from peer table failed, no match!
May 28 05:28:50 [IKEv1]: Group = 217.165.160.53, IP = 217.165.160.53, Error: Unable to remove PeerTblEntry
May 28 05:28:58 [IKEv1]: IP = 217.165.160.53, Header invalid, missing SA payload! (next payload = 4)
May 28 05:29:06 [IKEv1]: IP = 217.165.160.53, Header invalid, missing SA payload! (next payload = 4)
05-28-2008 06:47 AM
On the end with the static IP, assign the pre-shared key to the DefaultL2L group.
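The two answers above boil down to two checks on the posted configs: each static peer needs a tunnel-group named by the peer's IP (the identity is the address), and the hub, which accepts the dynamic-IP spoke via a dynamic crypto map, needs its pre-shared key on the built-in DefaultL2LGroup. The checker below is an added example, not part of the thread or any Cisco tool; it runs over constructed, abbreviated excerpts shaped like the two configs and also confirms that a phase-1 policy matches between the sides.

```python
# Constructed excerpts shaped like the two posted configs (sub-commands un-indented as posted); added example, not Cisco tooling.
HUB = """\
crypto map outside_map 10 set peer y.y.y.y
crypto map outside_map 30 ipsec-isakmp dynamic cisco
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
tunnel-group y.y.y.y type ipsec-l2l
"""
SPOKE = """\
crypto map outside_map 1 set peer 83.111.252.242
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
tunnel-group fairmount type ipsec-l2l
"""
ATTRS = ("authentication", "encryption", "hash", "group")  # lifetime is negotiated, so not compared
def parse(cfg):
    """Collect what decides IKEv1 phase 1: static peers, dynamic-map use, tunnel-groups, policies."""
    peers, groups, policies, cur, dynamic = [], set(), {}, None, False
    for tok in (line.split() for line in cfg.splitlines() if line.strip()):
        if tok[:2] == ["crypto", "map"] and "peer" in tok:
            peers.append(tok[-1])
        elif tok[:2] == ["crypto", "map"] and "dynamic" in tok:
            dynamic = True
        elif tok[:3] == ["crypto", "isakmp", "policy"]:
            cur = policies.setdefault(tok[3], {})
        elif tok[0] in ATTRS and cur is not None:
            cur[tok[0]] = tok[1]
        elif tok[0] == "tunnel-group":
            groups.add(tok[1])
    return peers, groups, policies, dynamic

def check(local, remote):
    """Findings that explain a phase-1 failure as seen from the local ASA."""
    peers, groups, policies, dynamic = parse(local)
    remote_policies = parse(remote)[2].values()
    findings = []
    for p in peers:  # 'isakmp identity address': the tunnel-group must be named by the peer IP
        if p not in groups:
            findings.append(f"peer {p} has no tunnel-group {p}")
    if dynamic and "DefaultL2LGroup" not in groups:  # unknown peers fall back to DefaultL2LGroup
        findings.append("dynamic crypto map but no DefaultL2LGroup pre-shared key")
    if not any(p in remote_policies for p in policies.values()):
        findings.append("no isakmp policy matches the remote side")
    return findings
```

Running check(HUB, SPOKE) reports the missing DefaultL2LGroup key, and check(SPOKE, HUB) reports the tunnel-group named "fairmount" instead of the peer IP, which is exactly what the "Can't find a valid tunnel group" debug on the hub reflects.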
05-29-2008 03:41 PM
Thanks Guys
09-27-2017 11:40 AM
I had the same problem; I removed and re-added the crypto map and tunnel-group, ran clear crypto isakmp, and it works.
Thank you very much.