Cisco Support Community
Community Member

Issues with communications through the ASA VPN (site-to-site)

I've got a test setup on my desk.

It goes:

Ubuntu host (VM) ------------- Openswan on Ubuntu (VM) ----- VMware gateway ------ XP host -------------------- Cisco ASA ------ XP host

Now I had it working before, worked on some other things, came back to it and it wasn't working, so I'm not sure what or where I changed something. I could easily start over, but I'd rather find out what's wrong with it. So when I ping from, there are no replies. However, I did a capture on the inside interface of the ASA and there were replies shown there; they wouldn't come back past that. I've also tried using netcat to send a file over on port 1234. In Wireshark on the Openswan VM, I can see a few ESP packets destined for, but it doesn't receive them.

Here's my show run output:

hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
access-list inbound extended permit ip any any
access-list inbound extended permit udp any any eq isakmp
access-list inbound extended permit udp any any eq 4500
access-list inbound extended permit esp any any
access-list inbound extended deny ip any any
access-list NONAT extended permit ip 255.2
access-list inbound2 extended permit ip 25
access-list inbound2 extended permit ip host host
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool name
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1
access-group inbound in interface outside
route outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ts2 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dmap 20 set transform-set ts2
crypto map emap 10 match address inbound2
crypto map emap 10 set peer
crypto map emap 10 set transform-set ts2
crypto map emap 60000 ipsec-isakmp dynamic dmap
crypto map emap interface outside
crypto isakmp enab
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
dhcpd address inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username ryan password .MqBmFV5KQ86DWrJ encrypted
tunnel-group type ipsec-l2l
tunnel-group ipsec-att
 pre-shared-key *
tunnel-group ryan type remote-access
tunnel-group ryan general-attributes
 address-pool name
tunnel-group ryan ipsec-attributes
 pre-shared-key *
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 message-length maximum 512
policy-map global_policy
 class inspection_default
 inspect dns preset_dns_map
 inspect ftp
 inspect h323 h225
 inspect h323 ras
 inspect rsh
 inspect rtsp
 inspect esmtp
 inspect sqlnet
 inspect skinny
 inspect sunrpc
 inspect xdmcp
 inspect sip
 inspect netbios
 inspect tftp
service-policy global_policy global
prompt hostname context
: end

Help is appreciated, thanks.

Community Member

Re: Issues with communications through the ASA VPN (site-to-site)

Well, for some unknown reason, clearing out the ACLs and NAT commands, then re-entering them, made it work. I just don't understand computers sometimes.

Community Member

Re: Issues with communications through the ASA VPN (site-to-site)

Whenever I execute a reload or power cycle the ASA, the ACLs have to be cleared and re-entered. Anyone know why this may be?

Community Member

Re: Issues with communications through the ASA VPN (site-to-site)

Some more information:

So I'm trying to get the open-source VPN to talk with a Cisco ASA for a site-to-site VPN solution. I have an endpoint Ubuntu machine using a localhost adapter; the other Ubuntu has Openswan installed and is a virtual machine as well, on the same Windows XP host. This Openswan has two virtual NICs: one is localhost, to talk with the other Ubuntu. The second NIC is NAT, to connect to the Windows machine and the ASA beyond that. On the other side of the ASA is a laptop running XP.

Openswan and the ASA are set up to start an IPsec VPN and talk to one another. I can then send a file through the VPN with netcat. I sniff the traffic along the way, and everything is encrypted with ESP.

So everything is fine up to this point. However, should I need to execute a reload, or should the ASA get power cycled for whatever reason, the packets that are sent from the Ubuntu host get stopped after the outside interface of the ASA. If I clear the ACLs, re-enter them, and configure a couple of other lines that referenced the ACLs, everything is fine again. This also needs to occur if the Openswan machine is rebooted.

Community Member

Re: Issues with communications through the ASA VPN (site-to-site)

"ike initiator unable to find policy"

is what I'm getting in buffered warning messages on the ASA.

Community Member

Re: Issues with communications through the ASA VPN (site-to-site)

Some more progress in trying to fix this; I hope this can help point in the right direction. I removed the crypto dynamic-map line and the crypto map emap 60000 line referencing it. Now I get an error: no matching crypto map entry for remote proxy local proxy on interface outside.

Now I've been reading that for site-to-site ASAs you need mirrored ACLs for the crypto maps. So maybe someone can look at my iptables and see something?

# IKE (UDP 500) and NAT-T (UDP 4500), both directions
$IPTABLES -A INPUT -p udp --dport 500 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 500 -j ACCEPT
$IPTABLES -A INPUT -p udp --dport 4500 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 4500 -j ACCEPT

# outbound NAT-T packets sourced from 4500
$IPTABLES -A OUTPUT -p udp --sport 4500 -j ACCEPT

# mark ESP arriving on eth0, then forward traffic carrying that mark
$IPTABLES -t mangle -A PREROUTING -i eth0 -p esp -j MARK --set-mark 1
$IPTABLES -A FORWARD -i eth0 -m mark --mark 1 -s -d -j ACCEPT
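The "mirrored ACLs" point raised in the last post, together with the NAT-exemption check that goes with it (in the posted config, `nat (inside) 0 access-list NONAT` must exempt exactly the traffic that the crypto ACL `inbound2` selects, otherwise inside replies are PATed through `global (outside) 1 interface` and never match the crypto map), as an added example that is not part of the original thread. The script below parses a few ASA lines and an Openswan `conn` stanza and reports whether the proxy IDs mirror each other and whether NONAT covers them. All addresses, the ACL contents, the conn stanza and the assumption that Openswan is the `left` side are constructed for illustration; the poster's real addresses are not shown on the page.

```python
"""Check that an ASA site-to-site crypto ACL, its NAT-exemption (NONAT) ACL and
an Openswan conn stanza describe the same traffic selectors (proxy IDs).

Added illustration for this thread; the addresses and configs below are
constructed, not the poster's (whose addresses are not shown on the page)."""
import ipaddress
import re

# --- constructed sample input (assumed addresses) ---------------------------
ASA_OK = """
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list inbound2 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map emap 10 match address inbound2
"""
# Same crypto ACL, but NONAT only exempts one host: replies from the rest of
# 192.168.1.0/24 are PATed to the outside address, no longer match the crypto
# ACL, and are seen on the inside interface but never leave encrypted.
ASA_BAD_NONAT = """
access-list NONAT extended permit ip host 192.168.1.10 10.0.0.0 255.255.255.0
access-list inbound2 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
crypto map emap 10 match address inbound2
"""
# Openswan side; 'left' is assumed to be the Openswan host, 'right' the ASA.
OPENSWAN_OK = """
conn asa
    left=203.0.113.10
    leftsubnet=10.0.0.0/24
    right=198.51.100.1
    rightsubnet=192.168.1.0/24
    authby=secret
    auto=start
"""
# rightsubnet narrower than the ASA's crypto ACL: the proxy IDs no longer
# mirror each other, so the ASA finds no crypto map entry for the proposal.
OPENSWAN_BAD = OPENSWAN_OK.replace("rightsubnet=192.168.1.0/24",
                                   "rightsubnet=192.168.1.0/25")

ANY = ipaddress.ip_network("0.0.0.0/0")


def _asa_addr(tokens):
    """Consume one ASA address spec ('any', 'host A.B.C.D' or 'A.B.C.D MASK')
    from the front of `tokens`; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_asa_acl(config, name):
    """Return [(src_net, dst_net), ...] for the 'permit ip' entries of ACL `name`."""
    pat = re.compile(rf"^\s*access-list\s+{re.escape(name)}\s+extended\s+permit\s+ip\s+(.+)$")
    entries = []
    for line in config.splitlines():
        m = pat.match(line)
        if m:
            src, rest = _asa_addr(m.group(1).split())
            dst, _ = _asa_addr(rest)
            entries.append((src, dst))
    return entries


def parse_openswan_conn(text):
    """Return (local_net, remote_net) of a conn stanza, taking 'left' as the
    Openswan host; left/right are used as /32 when no subnet is given."""
    kv = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            k, v = line.split("=", 1)
            kv[k.strip()] = v.strip()
    local = ipaddress.ip_network(kv.get("leftsubnet", kv["left"] + "/32"))
    remote = ipaddress.ip_network(kv.get("rightsubnet", kv["right"] + "/32"))
    return local, remote


def check_selectors(asa_config, conn_text, crypto_acl="inbound2", nonat_acl="NONAT"):
    """Compare the ASA crypto ACL with the Openswan conn and the NONAT ACL.

    mirrored   - each crypto ACL entry (ASA-local src -> remote dst) is exactly
                 the reverse of Openswan's (leftsubnet -> rightsubnet)
    nat_exempt - each crypto ACL entry is covered by some NONAT entry
    problems   - what does not line up, in plain words
    """
    crypto = parse_asa_acl(asa_config, crypto_acl)
    nonat = parse_asa_acl(asa_config, nonat_acl)
    ow_local, ow_remote = parse_openswan_conn(conn_text)
    problems = []
    mirrored = nat_exempt = bool(crypto)
    if not crypto:
        problems.append(f"crypto ACL {crypto_acl} has no 'permit ip' entries")
    for src, dst in crypto:
        if (src, dst) != (ow_remote, ow_local):
            mirrored = False
            problems.append(f"{crypto_acl} {src} -> {dst} is not the mirror of "
                            f"Openswan {ow_local} -> {ow_remote}")
        if not any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in nonat):
            nat_exempt = False
            problems.append(f"{nonat_acl} does not exempt {src} -> {dst} from NAT")
    return {"mirrored": mirrored, "nat_exempt": nat_exempt, "problems": problems}


if __name__ == "__main__":
    for label, asa, conn in (("ok", ASA_OK, OPENSWAN_OK),
                             ("bad nonat", ASA_BAD_NONAT, OPENSWAN_OK),
                             ("bad proxy", ASA_OK, OPENSWAN_BAD)):
        print(label, check_selectors(asa, conn))
```

Run it as-is to see the three cases; point `ASA_OK` at a real `show run` and `OPENSWAN_OK` at the `conn` from `ipsec.conf` to check a live pair. A non-mirrored result corresponds to the "no matching crypto map entry for remote proxy ... local proxy" message quoted above, which is what the ASA logs when the selectors Openswan proposes match no entry of the crypto ACL; a failing NONAT check matches the first post's symptom of replies visible on the inside interface that never come back. Two further things worth checking in the posted configs, unrelated to the mirror test: the `inbound` ACL permits `ip any any` on its first line, so its later isakmp/4500/esp permits and the final deny never match and the outside interface is effectively open; and the iptables rules accept UDP 500/4500 on INPUT but contain no INPUT rule for `-p esp`, so if the chain's default policy is DROP, ESP addressed to the Openswan host itself is discarded before it can be decrypted.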