
New Member

L2L VPN

I want to configure the ASA IOS Version 8.0 to connect to a Juniper Netscreen with the below configuration using an L2L VPN.

Peer IP address 78.93.0.7

Host IP address 213.184.187.200

Pre-shared key: ciscoVPN

Phase 1: preg2-3des-md5

phase 2: nopfs-esp-3des-md5

Thanks in advance.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: L2L VPN

Add "crypto isakmp identity address"

And double check with the remote end on the phase 1 settings & psk

31 REPLIES
New Member

Re: L2L VPN

I tried this example but the problem is that the other party says no connection hits are coming in, and I cannot monitor the ASA to check whether the connection is up or not.

Re: L2L VPN

Which end do you have access to?

New Member

Re: L2L VPN

ASA end

Re: L2L VPN

1) Check your "interesting traffic" ACLs for hits.

2) Make sure you have the local-to-remote IP subnets in your "no-nat" ACL.

Issue the below commands:

term mon

debug crypto isakmp 20

debug crypto ipsec 20

Then try to initiate the VPN connection from your side and see what the debug tells you.

HTH>

New Member

Re: L2L VPN

That was the output:

Sep 02 14:03:39 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Sep 02 14:03:39 [IKEv1]: IP = 78.93.0.6, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, IKE_DECODE RESENDING Message (msgid=0)with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152

Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 64

Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 64

Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping

Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, Information Exchange processing failed

Sep 02 14:03:45 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Sep 02 14:03:45 [IKEv1]: IP = 78.93.0.6, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Re: L2L VPN

OK - you need to check your phase 1 IKE config with the remote end; you are not negotiating phase 1.

Phase 1: preg2-3des-md5:-

1) Authentication - PreSharedKey

2) Encryption - 3DES

3) Hash - MD5

Make sure this is the same at both ends.

HTH>
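As an added example (not from the thread), a small Python parser that classifies the IKEv1 debug lines above by peer and flags the un-encrypted NO_PROPOSAL_CHOSEN as a phase 1 proposal mismatch, which is the diagnosis given in this reply; the verdict names and the checklist wording are my own.

```python
import re

# IKEv1 debug lines copied from the post above (the thread's own output, not constructed).
DEBUG_OUTPUT = """\
Sep 02 14:03:39 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Sep 02 14:03:39 [IKEv1]: IP = 78.93.0.6, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, IKE_DECODE RESENDING Message (msgid=0)with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 64
Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Sep 02 14:03:42 [IKEv1]: IP = 78.93.0.6, Information Exchange processing failed
"""

# Timestamp, bracketed source, optional "IP = x.x.x.x, " peer, then the free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \[(?P<src>[^\]]+)\]: "
    r"(?:IP = (?P<peer>[\d.]+), )?(?P<msg>.*)$"
)

# Verdict names and checklist text are my own (assumed), not ASA output.
SEVERITY = {"phase1-pending": 0, "phase1-no-response": 1, "phase1-proposal-rejected": 2}
CHECKLIST = {
    "phase1-proposal-rejected": "Peer answered main mode with NO_PROPOSAL_CHOSEN: compare the "
                                "isakmp policy (pre-share/3des/md5/group 2), isakmp identity and PSK.",
    "phase1-no-response": "Main-mode message 1 is being retransmitted unanswered: check the "
                          "peer is reachable on UDP/500 and isakmp is enabled on outside.",
    "phase1-pending": "Interesting traffic is queued while phase 1 is still negotiating.",
}

def parse(text):
    """Split ASA IKEv1 debug output into dicts with ts, src, peer (may be None) and msg."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def classify(msg):
    """Map one debug message to a verdict, or None if it says nothing about phase 1 state."""
    if "NO_PROPOSAL_CHOSEN" in msg:
        return "phase1-proposal-rejected"      # peer rejected every isakmp policy we offered
    if "RESENDING" in msg and "SA (1)" in msg:
        return "phase1-no-response"            # our SA proposal got no reply yet
    if "Queuing KEY-ACQUIRE" in msg:
        return "phase1-pending"
    return None

def diagnose(events):
    """Return one verdict per peer, keeping the most specific verdict seen for that peer."""
    verdicts = {}
    for ev in events:
        verdict = classify(ev["msg"])
        if ev["peer"] is None or verdict is None:   # Pitcher lines carry no peer address
            continue
        if SEVERITY[verdict] >= SEVERITY.get(verdicts.get(ev["peer"]), -1):
            verdicts[ev["peer"]] = verdict
    return verdicts
```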

New Member

Re: L2L VPN

These are my configurations. The other side is accepting connections from other parties, so I think it is something in my configuration.

Maybe I am missing something.

access-list nonat permit ip 172.19.134.9 255.255.255.255 213.184.187.178 255.255.255.255

nat (inside) 0 access-list nonat

sysopt connection permit-ipsec

isakmp enable outside

Phase I.

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash md5

isakmp policy 10 group 2

isakmp key knowledge address 78.93.0.6 netmask 255.255.255.255

isakmp policy 10 lifetime 14400

Phase II.

crypto ipsec transform-set jnet_trans esp-3des esp-md5-hmac

crypto map jnet_map 10 set peer 78.93.0.6

crypto map jnet_map 10 set transform-set jnet_trans

crypto map jnet_map 10 match address nonat

crypto map jnet_map 10 ipsec-isakmp

crypto map jnet_map interface outside

Re: L2L VPN

Add "crypto isakmp identity address"

And double check with the remote end on the phase 1 settings & psk

New Member

Re: L2L VPN

Just add "Crypto isakmp identity auto"

New Member

Re: L2L VPN

Thanks Andrew, I really appreciate it.

Re: L2L VPN

np - glad to help.

New Member

Re: L2L VPN

Andrew,

I am facing another problem with the VPN. How can I make the other side ping my host, or access a service on a certain port?

Re: L2L VPN

Make the other side ping your host?? You tell them to ping your host?

You can apply an access-list to the traffic sourced from the remote end towards your local side, and apply it to the inside interface in the "outbound" direction; you can base this on src IP, dest IP, src TCP/UDP port and dst TCP/UDP port.

HTH>

New Member

Re: L2L VPN

:) Yes, I told them to ping but there was no reply.

Also, can you give me an example of the access-list and how to apply it on the inside interface on the "outbound" flow?

Many thanks.

Re: L2L VPN

When they ping - does the VPN tunnel come up? If the tunnel is already up, can you see packets being decrypted on the IPsec SA?

If I wanted to allow, say, telnet and SMTP to 2 separate servers from a remote IP subnet of 172.16.1.0/24 to my internal IP subnet of 192.168.254.0/24 I would write:-

access-list filter-out-to-the-LAN extended permit tcp 172.16.1.0 255.255.255.0 host 192.168.254.1 eq 25

access-list filter-out-to-the-LAN extended permit tcp 172.16.1.0 255.255.255.0 host 192.168.254.2 eq 23

access-list filter-out-to-the-LAN extended deny ip 172.16.1.0 255.255.255.0 192.168.254.0 255.255.255.0

access-list filter-out-to-the-LAN extended permit ip any any

access-group filter-out-to-the-LAN out interface inside

HTH>

New Member

Re: L2L VPN

When I add this configuration, all the clients cannot access the web server and the mail server stops receiving mail.

I will attach the configuration so you can tell me what is missing for the other VPN side to be able to ping and access my server on port 9816.

thanks.

Re: L2L VPN

Firstly - you have not answered the original question "When they ping - does the VPN tunnel come up? If the tunnel is already up, can you see packets being decrypted on the IPsec SA?"

And what access do you want to allow to the server 192.168.124.9 from 213.184.187.178 ??

New Member

Re: L2L VPN

Yes, the tunnel is up.

And I can see packets being decrypted:

#pkts encaps: 1123, #pkts encrypt: 1123, #pkts digest: 1123

#pkts decaps: 1268, #pkts decrypt: 1268, #pkts verify: 1268

Yes, allow access to the server 192.168.124.9 from 213.184.187.178.

Re: L2L VPN

Did you initiate the VPN or did the remote end initiate it?

Again you did not answer the question "And what access do you want to allow to the server 192.168.124.9 from 213.184.187.178 "

What type of access? ICMP, IP, or specific TCP/UDP ports?

New Member

Re: L2L VPN

I initiate the VPN.

ICMP and TCP port 9816.

Re: L2L VPN

You need to clear down the tunnel and get them to try and initiate from their side.

Try the below:-

access-list filter-out-to-the-LAN extended permit tcp host 213.184.187.178 host 192.168.124.9 eq 9816

access-list filter-out-to-the-LAN extended permit icmp host 213.184.187.178 host 192.168.124.9 echo

access-list filter-out-to-the-LAN extended deny ip host 213.184.187.178 host 192.168.124.9

access-list filter-out-to-the-LAN extended permit tcp any any

access-list filter-out-to-the-LAN extended permit udp any any

access-list filter-out-to-the-LAN extended permit icmp any any

access-group filter-out-to-the-LAN out interface inside

HTH
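To see what this filter does before applying it, here is an added Python model (not from the thread) of the ASA's first-match evaluation with the implicit deny at the end, run over the ACEs above; the tuple encoding and the use of the port field as the ICMP type are my own simplification.

```python
import ipaddress

# The access-list from the reply above, one tuple per ACE:
# (action, protocol, source, destination, dst port or ICMP type; None = any).
ACL = [
    ("permit", "tcp",  "213.184.187.178/32", "192.168.124.9/32", 9816),
    ("permit", "icmp", "213.184.187.178/32", "192.168.124.9/32", "echo"),
    ("deny",   "ip",   "213.184.187.178/32", "192.168.124.9/32", None),
    ("permit", "tcp",  "0.0.0.0/0", "0.0.0.0/0", None),   # "any any"
    ("permit", "udp",  "0.0.0.0/0", "0.0.0.0/0", None),
    ("permit", "icmp", "0.0.0.0/0", "0.0.0.0/0", None),
]

def evaluate(acl, proto, src, dst, port=None):
    """First matching ACE decides, like an ASA access-group; no match means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, dport in acl:
        if p != "ip" and p != proto:                 # "ip" ACEs match every protocol
            continue
        if s not in ipaddress.ip_network(snet) or d not in ipaddress.ip_network(dnet):
            continue
        if dport is not None and dport != port:      # port, or ICMP type for icmp ACEs
            continue
        return action
    return "deny"   # implicit deny at the end of every ASA access-list

def remote_host_summary(acl):
    """What the VPN peer host may reach on the server, per the ACL; other LAN traffic is untouched."""
    peer, server = "213.184.187.178", "192.168.124.9"
    return {
        "tcp/9816": evaluate(acl, "tcp", peer, server, 9816),
        "icmp echo": evaluate(acl, "icmp", peer, server, "echo"),
        "tcp/23": evaluate(acl, "tcp", peer, server, 23),
        "other client tcp/80": evaluate(acl, "tcp", "10.1.1.1", server, 80),
    }
```

The last entry shows why the "any any" permits matter: without them the implicit deny would also cut off every other inside host, which is the symptom reported earlier in the thread.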

New Member

Re: L2L VPN

Sorry, they left the office; I will have to wait till tomorrow to test. Anyway, I would like to offer you a job in Dubai - are you interested?

Re: L2L VPN

OK - let me know how the testing goes. That is interesting - not for the forums though, it's against the rules!!

New Member

Re: L2L VPN

It did not work; they are not able to ping or telnet to the host on port 9816. They also cannot bring the connection up.

Re: L2L VPN

Have you debugged the ipsec session when they are trying to connect?

Does the access-list applied to the inside interface have any hits?

What debugs are available from the remote end?

What errors are the remote end seeing?

They need to confirm that the source and destination IP addresses & ICMP/TCP ports are configured correctly in the bidirectional VPN policy.

The fact that you can initiate to them - but they cannot initiate to you - indicates an issue at their end.

HTH>

New Member

Re: L2L VPN

Thanks Andrew, I just want to make sure that they have a problem on their side.

Re: L2L VPN

np - glad to help.
