Problem with IPSEC tunnel with NAT

mlong0000
Level 1

Hi

I had an IPsec tunnel between an old Cisco router and a remote site. I am migrating the 887 config to an ASA. The remote site is unable to establish the tunnel. This is the only site having issues. There are a number of other remote sites connecting back without issue.

The setup is:

192.168.1.x (main site inside) - ASA - 86.x.x.x (outside) - Internet - 159.x.x.x (remote side outside) - Firewall - 10.10.10.x

The remote site will not accept the 192.168.1.x range, so I am NATing to 192.168.50.x, which is what they want to see.

The config I have is:

object network NAT_TO_Remote1
subnet 192.168.50.0 255.255.255.0
object network Remote1
subnet 10.10.10.0 255.255.252.0

nat (inside,outside) source static 192.168.1.0 NAT_TO_Remote1 destination static Remote1 Remote1

crypto ikev1 policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto ipsec ikev1 transform-set 3DES-SHA1 esp-3des esp-sha-hmac

crypto map Outside_map 10 match address Qualcom_VPN
crypto map Outside_map 10 set peer 159.x.x.x
crypto map Outside_map 10 set ikev1 transform-set 3DES-SHA1
crypto map Outside_map 10 set pfs group1
crypto map Outside_map interface outside

access-list RemoteSite_VPN extended permit ip host 192.168.50.20 10.10.10.0 255.255.252.0
access-list RemoteSite_VPN extended permit ip host 192.168.50.30 10.10.10.0 255.255.252.0
access-list RemoteSite_VPN extended permit ip host 192.168.50.40 10.10.10.0 255.255.252.0

tunnel-group 159.x.x.x type ipsec-l2l
tunnel-group 159.x.x.x general-attributes
default-group-policy RemoteSites
tunnel-group 159.x.x.x ipsec-attributes
ikev1 pre-shared-key *****


Just wondering if I am missing something obvious here.


5 Replies

Aditya Ganjoo
Cisco Employee

Hi,

Please share the output of debug cry isa 200 and debug cry ipsec 200 on the ASA.

Try generating some VPN traffic and then check if we see any debugs on the ASA.

Turn off the debugs using undebug all.

Not sure you pasted the entire config, but I do not see the following command:

crypto ikev1 enable outside

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi Aditya

Thanks for the reply. Yeah, I have the "crypto ikev1 enable outside" command in. I'll put on the debugs and get an output.

Also make sure the remote side crypto ACL (interesting traffic) is an exact mirror image of "access-list RemoteSite_VPN", i.e., source and destination are swapped on the remote side with exactly matching entries.

HTH

Abaji.

Looks like we are seeing a phase 2 issue:

Apr 15 12:07:54 [IKEv1 DEBUG]Group = 159.x.x.x, IP = 159.x.x.x processing IPSec SA payload
Apr 15 12:07:54 [IKEv1]Group = 159.x.x.x, IP = 159.x.x.x, All IPSec SA proposals found unacceptable!

I'll have to check the other end.

Hi,

You need to check the IPSEC transform set and see whether they have enabled a PFS group or not.

crypto map Outside_map 10 set pfs group1

Try using group2 or disable it.

Regards,

Aditya

Please rate helpful posts and mark correct answers.
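The two points raised in this thread (the remote crypto ACL must mirror the local one, and the PFS group must match on both ends) can be checked mechanically before touching the box. The script below is an added example, not part of the thread or any Cisco tool: it models the phase-2 parameters of both peers with a hypothetical Phase2 dataclass, reports which of them would make the peer reject the IPsec SA proposal, and recognises the "All IPSec SA proposals found unacceptable!" debug line quoted above. The remote-side values are constructed to reproduce the mismatch the accepted answer describes.

```python
# Added example (not from the thread): a phase-2 sanity checker for an ASA IKEv1
# site-to-site tunnel. It compares the quick-mode parameters the replies point at
# (transform set, PFS group, mirrored crypto ACL) and spots the debug line that
# signals a phase-2 proposal mismatch. All peer values are constructed sample data.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

PHASE2_FAIL = "All IPSec SA proposals found unacceptable"

@dataclass
class Phase2:                              # hypothetical model of one peer's phase-2 settings
    transform: str                         # e.g. "esp-3des esp-sha-hmac"
    pfs: Optional[str]                     # DH group used for PFS, or None when PFS is off
    acl: list[tuple[str, str]] = field(default_factory=list)  # crypto ACL as (src, dst) pairs

def mirror_acl(acl):
    """Swap source and destination of every crypto ACL entry: what the far end should carry."""
    return sorted((dst, src) for src, dst in acl)

def check_phase2(local, remote):
    """Return the mismatches that would make the peer reject our IPsec SA proposal."""
    problems = []
    if local.transform != remote.transform:
        problems.append(f"transform set: local '{local.transform}' vs remote '{remote.transform}'")
    if local.pfs != remote.pfs:
        problems.append(f"pfs: local {local.pfs or 'off'} vs remote {remote.pfs or 'off'}")
    if mirror_acl(local.acl) != sorted(remote.acl):
        problems.append("crypto ACL: remote entries are not the mirror image of the local ones")
    return problems

def phase2_failed(debug_lines):
    """True if 'debug crypto ikev1' output contains a phase-2 proposal rejection."""
    return any(PHASE2_FAIL in line for line in debug_lines)

# Constructed sample: local side as posted (pfs group1); remote side mirrors the ACL
# correctly but uses pfs group2, which is the mismatch the accepted answer points at.
REMOTE_NET = "10.10.10.0 255.255.252.0"
LOCAL = Phase2("esp-3des esp-sha-hmac", "group1",
               [("192.168.50.20", REMOTE_NET), ("192.168.50.30", REMOTE_NET)])
REMOTE = Phase2("esp-3des esp-sha-hmac", "group2",
                [(REMOTE_NET, "192.168.50.20"), (REMOTE_NET, "192.168.50.30")])
DEBUG = [  # constructed copy of the two debug lines quoted in the thread
    "Apr 15 12:07:54 [IKEv1 DEBUG]Group = 159.x.x.x, IP = 159.x.x.x processing IPSec SA payload",
    "Apr 15 12:07:54 [IKEv1]Group = 159.x.x.x, IP = 159.x.x.x, All IPSec SA proposals found unacceptable!",
]

if __name__ == "__main__":
    if phase2_failed(DEBUG):
        for p in check_phase2(LOCAL, REMOTE):
            print("mismatch:", p)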