New Member

Configuring Site-to-Site VPN on two ASA5505

I have two ASA5505s, ver 8.4(6) and ver 9.0(2), configured for a site-to-site VPN lab, but with no success.  I could ping any outside address from both ASAs, but couldn't ping the LAN on the other end of the ASA.  Below is the error message when trying to verify if the VPN tunnel is established. For reference, the configurations are provided below.  Any help is much appreciated.

ASA1# show crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs

ASA1# show crypto ipsec sa

There are no ipsec sas

ASA1:

crypto isakmp enable outside

object network net-local

subnet 192.168.1.0 255.255.255.0

object network net-remote

subnet 192.168.2.0 255.255.255.0

!

access-list outside_1_cryptomap permit ip object net-local object net-remote

tunnel-group 200.200.200.1 type ipsec-l2l

tunnel-group 200.200.200.1 ipsec-attributes

pre-shared-key pass1234

isakmp keepalive threshold 10 retry 2

!

crypto isakmp policy 10 authentication pre-share

crypto isakmp policy 10 encrypt 3des

crypto isakmp policy 10 hash sha

crypto isakmp policy 10 group 2

crypto isakmp policy 10 lifetime 86400

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 200.200.200.1

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

!

nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote

exit

ASA2:

crypto isakmp enable outside

object network net-local

subnet 192.168.2.0 255.255.255.0

object network net-remote

subnet 192.168.1.0 255.255.255.0

!

access-list outside_1_cryptomap permit ip object net-local object net-remote

tunnel-group 100.100.100.1 type ipsec-l2l

tunnel-group 100.100.100.1 ipsec-attributes

pre-shared-key pass1234

isakmp keepalive threshold 10 retry 2

!

crypto isakmp policy 10 authentication pre-share

crypto isakmp policy 10 encrypt 3des

crypto isakmp policy 10 hash sha

crypto isakmp policy 10 group 2

crypto isakmp policy 10 lifetime 86400

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 100.100.100.1

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

!

nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote

exit

ASA1# sh run int

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

ASA1#

ASA1# ping 192.168.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

ASA1# ping google.com

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 173.194.46.71, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

ASA1#

ASA2# sh run int

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

shutdown

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.2.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

ASA2# ping 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

!

ASA2# ping google.com

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 173.194.46.64, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 10/14/20 ms

ASA2#

Accepted solution:
New Member

Re: Configuring Site-to-Site VPN on two ASA5505

If you are not seeing any debugs from the ASA, then there are no cryptographic negotiations of any kind.

The issue may be that you need to generate some interesting traffic to match the ACL.  I'm not sure if you are on a physical lab or on GNS3.  If you are using a physical lab, attach a laptop to the inside interface and configure an IP in that subnet.  You may need to do that to the other ASA.  Then initiate a ping to the other network.

New Member

Configuring Site-to-Site VPN on two ASA5505

If you ping the internal interface of the other ASA and you get nothing, check the SAs.

show crypto isa sa

If you see it as MM_Active, then the ipsec tunnel is up.

Try to ping something beyond the LAN interface.  This would prove that the tunnel is up.

As for why you don't get a response, I believe that's a default action of the ASAs to not respond to pings from outside to an internal ASA interface.  You can enable it I believe, however I don't recall the command for it.

New Member

Configuring Site-to-Site VPN on two ASA5505

sh crypto isa sa returned with the following message.  Also, I cannot ping the switch on the other end of the ASA either. Any thoughts?

ASA1# sh crypto isa sa

There are no IKEv1 SAs

There are no IKEv2 SAs

Hall of Fame Super Silver

Re: Configuring Site-to-Site VPN on two ASA5505

Both your ASAs' outside interfaces are set to get their addresses via DHCP. Your configurations above show the peer addresses as 100.100.100.1 and 200.200.200.1.

You need to use the actual address the remote end has on its outside interface in order to even attempt to establish a security association (SA).

New Member

Configuring Site-to-Site VPN on two ASA5505

Hi Marvin,

Thank you for your reply.  For security purposes, the outside addresses have been replaced with 100.100.100.1 and 200.200.200.1, but on my ASAs the real IP addresses are used.

Many thanks

New Member

Configuring Site-to-Site VPN on two ASA5505

You're missing the object name in this line:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

It should read:

crypto ipsec transform-set outside_map ESP-3DES-SHA esp-3des esp-sha-hma

Also can you ping the outside interfaces of your appliances from each other?  Are they behind any other firewalls or NAT devices?

New Member

Configuring Site-to-Site VPN on two ASA5505

Hi Simon,

Thank you for your reply.  The crypto ipsec transform-set statement you provided is invalid. See error msg below.  And yes, I can ping the outside interfaces from the ASAs, results below. There are no other firewalls before the ASAs. The ASAs are sitting just behind the ISP router.

ASA1(config)# crypto ipsec transform-set outside_map ESP-3DES-SHA esp-3des esp$

crypto ipsec transform-set outside_map ESP-3DES-SHA esp-3des esp-sha-hma

                                               ^

ERROR: % Invalid input detected at '^' marker.

ASA1(config)#

ASA1# ping 200.200.200.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 200.200.200.1, timeout is 2 seconds:

!!!!!

ASA2# ping 100.100.100.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 100.100.100.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

New Member

Configuring Site-to-Site VPN on two ASA5505

Ignore me, I'm talking rubbish.  I don't normally set my transform-set like that, so it threw me.

Let's go back to the beginning.  Are the ASAs even trying to talk?

Run the debug commands:

debug crypto isakmp 7

debug crypto ipsec 7

Hall of Fame Super Silver

Configuring Site-to-Site VPN on two ASA5505

I'm with Simon on this - your configs (to the extent you've shared them) appear to match up and should result in an IPsec VPN establishing and passing traffic.

Turn on the suggested debugs and then introduce interesting traffic. Analyze and share the resulting log output.

Bronze

Configuring Site-to-Site VPN on two ASA5505

Hi,

just one note. Being able to ping the remote ASA does not necessarily mean that there is no other device blocking IPsec traffic.

Regarding debug, you can go this way, but you should at least see Phase 1 in your logs on the local or remote ASA. You can also see some reason why the tunnel is not formed without debug. If you don't see Phase 1, probably the crypto map does not match the network you are trying to contact.

So question is:

when you try ping remote site, can you see that ASA is trying negotiate phase1 or phase2 in your logs?

Jan

Bronze

Configuring Site-to-Site VPN on two ASA5505

I tried to reproduce your problem and found that your config is missing this:

crypto ikev1 enable outside

You must enable IKE on the interface that terminates the VPN tunnel. Typically this is the outside, or public interface. To enable IKEv1 or IKEv2, use the crypto ikev1 | ikev2 enable command from global configuration mode:

crypto ikev1 | ikev2 enable interface-name

For example:

hostname(config)# crypto ikev1 enable outside


Best regards,

Jan

Please rate if you consider that this post is helpful
New Member

Re: Configuring Site-to-Site VPN on two ASA5505

Thanks for all the suggestions.  I wiped the ASAs and started from factory default again just to avoid any misconfigurations. I also tested the outside and inside interfaces of each of the ASA by connecting a workstation to the inside interface of the ASAs and was able to surf the web just fine.

I then applied the site-to-site VPN configuration and sadly ended up with the same result as before, even after applying the command #crypto ikev1 enable outside.  I'm not sure what else could be the issue here as Remote Access VPN was working just fine on one of my previous labs.  Could it be the difference in IOS version?  I have ASA1 running v8.4(6) and ASA2 running v9.0(2).

I also ran the debug commands as suggested by a poster above with no results returned. Perhaps the ASAs aren't even talking. Any other suggestions are much appreciated. Also, if there are other site-to-site VPN configurations out there that I should try, please post them here.  Many thanks for everyone's suggestions on this issue so far.

ASA1# sh crypto ipsec sa

There are no ipsec sas

ASA1# sh isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs

Hall of Fame Super Silver

Re: Configuring Site-to-Site VPN on two ASA5505

It occurs to me the examples you show above are testing from the ASAs themselves. Interesting traffic has to come into the ASA for a tunnel to form - not be sourced from it.

          

Try tracing a packet with the packet tracer. Use IP addresses not on either ASA for your source and destination. e.g.:

packet-tracer input inside icmp 192.168.1.2 0 0 192.168.2.2 detailed

Please post the results.

Bronze

Re: Configuring Site-to-Site VPN on two ASA5505

Marvin is right. Probably you are initiating or trying to ping the remote end from your ASA.

Try it from your PC.

Also, you should see at least some messages in your log. Do you have logging enabled?

logging enable

logging buffered informational

and then you should see some logs.


New Member

Re:Configuring Site-to-Site VPN on two ASA5505

The tunnel is up now. I will post the detail and the complete config later, but just want to post my status and thank everyone for all the help everyone has contributed.

Many thanks again



New Member

Configuring Site-to-Site VPN on two ASA5505

Again, I really appreciate everyone's contribution to this Site-to-Site VPN lab issue that I've been struggling with for the last couple of days. Because of everyone's help, I now have a running Site-to-Site VPN tunnel. Provided below is a minor revision to the original config from my first post. Basically, what is added to the revised config below is the command "crypto ikev1 enable outside". The rest of the config has not been changed. Although I'm not certain if the command "crypto ikev1 enable outside" did the trick, maybe someone can confirm this.

Anyhow, after the ASAs were put back to their factory-default config (#configure factory-default), I connected a workstation to the Inside Interface of each of the ASAs to verify internet access. And that was confirmed prior to applying the configs below.

And here is my mistake. I failed to realize that in order for the VPN tunnel to establish a connection, I must first issue a ping command from a host on the local LAN to a host on the remote LAN (Interesting Traffic).  Instead, I kept on issuing pings from the ASA to a host on the remote LAN, unlike routers. Yep, the ICMP deny any outside statement was removed for testing purposes. 

And finally I have an active message.

ASA1# sh crypto isakmp sa

IKEv1 SAs:

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 200.200.200.1

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs

Here is the complete Site-to-Site VPN configurations:

ASA1:

crypto ikev1 enable outside

crypto isakmp enable outside

object network net-local

subnet 192.168.1.0 255.255.255.0

object network net-remote

subnet 192.168.2.0 255.255.255.0

!

access-list outside_1_cryptomap permit ip object net-local object net-remote

tunnel-group 200.200.200.1 type ipsec-l2l

tunnel-group 200.200.200.1 ipsec-attributes

pre-shared-key pass1234

isakmp keepalive threshold 10 retry 2

!

crypto isakmp policy 10 authentication pre-share

crypto isakmp policy 10 encrypt 3des

crypto isakmp policy 10 hash sha

crypto isakmp policy 10 group 2

crypto isakmp policy 10 lifetime 86400

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 200.200.200.1

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

!

nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote

exit

ASA2:

crypto ikev1 enable outside

crypto isakmp enable outside

object network net-local

subnet 192.168.2.0 255.255.255.0

object network net-remote

subnet 192.168.1.0 255.255.255.0

!

access-list outside_1_cryptomap permit ip object net-local object net-remote

tunnel-group 100.100.100.1 type ipsec-l2l

tunnel-group 100.100.100.1 ipsec-attributes

pre-shared-key pass1234

isakmp keepalive threshold 10 retry 2

!

crypto isakmp policy 10 authentication pre-share

crypto isakmp policy 10 encrypt 3des

crypto isakmp policy 10 hash sha

crypto isakmp policy 10 group 2

crypto isakmp policy 10 lifetime 86400

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group1

crypto map outside_map 1 set peer 100.100.100.1

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

!

nat (inside,outside) 1 source static net-local net-local destination static net-remote net-remote

exit

Verification:

#show crypto isakmp sa

#show crypto ipsec sa

Hall of Fame Super Silver

Configuring Site-to-Site VPN on two ASA5505

Thanks for the update.

Bottom line - add one command and realize the ASA doesn't count self-generated traffic as interesting since it will just send it out sourced from its outside interface (based on its routing table) and never attempt to establish a VPN for that traffic.

Happy studies.
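Added example, not from the thread or from Cisco: a small Python checker for the two things this thread turned on, the revised configs in the final post and Marvin's point that only transit traffic matching the crypto ACL is "interesting". It parses a constructed excerpt of the posted ASA1 config (legacy "crypto isakmp" syntax, as the poster typed it; ASA2 is built by mirroring ASA1, which is exactly what the posted ASA2 config is), reports anything that would stop the two ends from agreeing, and classifies a packet as interesting traffic or not. The thread never confirmed that "crypto ikev1 enable outside" was the fix, so the checker only reports its absence and notes when the legacy form is present instead. The function names, the IKEV1_ENABLE and WEAK_DH constants, and the weak-parameter thresholds (3DES, 768/1024-bit DH groups, a pre-shared key shorter than 20 characters) are my own, not ASA defaults.

```python
import ipaddress

# Constructed excerpt of the ASA1 config posted above, in the legacy 'crypto isakmp'
# syntax the poster used; only the lines the checker reads are kept.
ASA1_ORIG = """\
crypto isakmp enable outside
object network net-local
 subnet 192.168.1.0 255.255.255.0
object network net-remote
 subnet 192.168.2.0 255.255.255.0
access-list outside_1_cryptomap permit ip object net-local object net-remote
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
 pre-shared-key pass1234
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 group 2
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 200.200.200.1
crypto map outside_map interface outside
"""
# ASA2 as posted is the exact mirror: local/remote subnets and the peer address swapped.
ASA2_ORIG = (ASA1_ORIG.replace("192.168.1.0", "TMP").replace("192.168.2.0", "192.168.1.0")
             .replace("TMP", "192.168.2.0").replace("200.200.200.1", "100.100.100.1"))
IKEV1_ENABLE = "crypto ikev1 enable outside\n"  # the one line the final post added to each box
WEAK_DH = {"1", "2", "group1", "group2"}  # 768/1024-bit MODP; the author's own cut-off


def parse(cfg):
    """Extract the parts of an IKEv1 L2L config that have to agree with the peer's."""
    c = {"objects": {}, "acl": {}, "ikev1_if": set(), "isakmp_if": set(),
         "tg": {}, "map": {}, "policy": {}}
    ctx = None  # the 'object network' or 'tunnel-group' block we are inside
    for line in cfg.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[:2] == ["object", "network"]:
            ctx = ("obj", t[2])
        elif t[0] == "subnet" and ctx and ctx[0] == "obj":
            c["objects"][ctx[1]] = ipaddress.ip_network(f"{t[1]}/{t[2]}")
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            c["acl"].setdefault(t[1], []).append((t[5], t[7]))  # object SRC object DST
        elif t[0] == "tunnel-group" and t[2] == "type":
            c["tg"][t[1]] = {"type": t[3]}
        elif t[0] == "tunnel-group" and t[2] == "ipsec-attributes":
            ctx = ("tg", t[1])
        elif "pre-shared-key" in t and ctx and ctx[0] == "tg":  # also 'ikev1 pre-shared-key'
            c["tg"].setdefault(ctx[1], {})["psk"] = t[t.index("pre-shared-key") + 1]
        elif t[:3] in (["crypto", "ikev1", "enable"], ["crypto", "isakmp", "enable"]):
            c[f"{t[1]}_if"].add(t[3])  # legacy 'isakmp' form tracked apart from 'ikev1'
        elif t[:3] in (["crypto", "ikev1", "policy"], ["crypto", "isakmp", "policy"]):
            c["policy"][t[4]] = t[5]  # single policy in this excerpt: encrypt/hash/group
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":
            c["map"]["interface"] = t[4]
        elif t[:2] == ["crypto", "map"] and t[4] in ("match", "set"):
            c["map"][t[5]] = t[6] if len(t) > 6 else None  # 'match address', 'set peer', 'set pfs'
    return c


def acl_networks(c):
    """(src_net, dst_net) pairs of the crypto map's ACL with the objects resolved."""
    return {(c["objects"][s], c["objects"][d])
            for s, d in c["acl"].get(c["map"].get("address"), [])}


def is_interesting(c, src, dst):
    """Does a src->dst packet match the crypto ACL, and so trigger IKE at all?"""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(src in s and dst in d for s, d in acl_networks(c))


def psk(c):
    return c["tg"].get(c["map"].get("peer"), {}).get("psk")


def cross_check(a, b):
    """Findings that stop the tunnel from forming; an empty list means the ends agree."""
    out = []
    for name, c in (("ASA1", a), ("ASA2", b)):
        ifc, peer = c["map"].get("interface"), c["map"].get("peer")
        if ifc not in c["ikev1_if"]:
            legacy = " (only legacy 'crypto isakmp enable' seen)" if ifc in c["isakmp_if"] else ""
            out.append(f"{name}: no 'crypto ikev1 enable {ifc}'{legacy}")
        if c["tg"].get(peer, {}).get("type") != "ipsec-l2l":
            out.append(f"{name}: crypto map peer {peer} has no ipsec-l2l tunnel-group")
    if acl_networks(a) != {(d, s) for s, d in acl_networks(b)}:
        out.append("crypto ACLs are not mirror images")
    if psk(a) != psk(b):
        out.append("pre-shared keys differ")
    return out


def weak_settings(c):
    """Legacy-grade parameters worth replacing once the tunnel is up (author's thresholds)."""
    w = []
    if c["policy"].get("encrypt") in ("des", "3des"):
        w.append("phase 1 encryption " + c["policy"]["encrypt"])
    if c["policy"].get("group") in WEAK_DH or c["map"].get("pfs") in WEAK_DH:
        w.append(f"DH group {c['policy'].get('group')} / PFS {c['map'].get('pfs')}")
    if psk(c) is not None and len(psk(c)) < 20:
        w.append("pre-shared key is short")
    return w
```

cross_check(parse(ASA1_ORIG), parse(ASA2_ORIG)) returns two findings, one per box, saying "crypto ikev1 enable outside" is absent and only the legacy form was seen; with IKEV1_ENABLE prepended to both configs it returns an empty list, and changing one side's key makes "pre-shared keys differ" appear. is_interesting(parse(ASA1_ORIG), "100.100.100.1", "192.168.2.1") is False, which is the ASA-sourced ping Marvin describes (the packet leaves sourced from the outside address, so it never matches the crypto ACL), while "192.168.1.2" to "192.168.2.2" is True. weak_settings on either box lists 3DES, the DH groups and the short key: note in particular that the crypto map asks for PFS group1 (768-bit), which is weaker than the group 2 the phase 1 policy itself negotiates, so the lab config's phase 2 keys are protected by less than its phase 1.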
