04-14-2016 02:27 PM - edited 02-21-2020 08:46 PM
Hi
I had an ipsec tunnel between an old Cisco router to a remote site. I am migrating the 887 config to an ASA. The remote site is unable to establish the tunnel. This is the only site having issues. There are a number of other remote sites connecting back without issue.
The setup is
192.168.1.x (main site inside) - ASA - 86.x.x.x (outside) - Internet - 159.x.x.x (remote side outside) - Firewall - 10.10.10.x
The remote site will not accept the 192.168.1.x range, so I am NATing to 192.168.50.x, which is what they want to see.
The config I have is
object network NAT_TO_Remote1
subnet 192.168.50.0 255.255.255.0
object network Remote1
subnet 10.10.10.0 255.255.252.0
nat (inside,outside) source static 192.168.1.0 NAT_TO_Remote1 destination static Remote1 Remote1
crypto ikev1 policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ipsec ikev1 transform-set 3DES-SHA1 esp-3des esp-sha-hmac
crypto map Outside_map 10 match address Qualcom_VPN
crypto map Outside_map 10 set peer 159.x.x.x
crypto map Outside_map 10 set ikev1 transform-set 3DES-SHA1
crypto map Outside_map 10 set pfs group1
crypto map Outside_map interface outside
access-list RemoteSite_VPN extended permit ip host 192.168.50.20 10.10.10.0 255.255.252.0
access-list RemoteSite_VPN extended permit ip host 192.168.50.30 10.10.10.0 255.255.252.0
access-list RemoteSite_VPN extended permit ip host 192.168.50.40 10.10.10.0 255.255.252.0
tunnel-group 159.x.x.x type ipsec-l2l
tunnel-group 159.x.x.x general-attributes
default-group-policy RemoteSites
tunnel-group 159.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
Just wondering if I am missing something obvious here.
04-15-2016 07:43 AM
Hi,
You need to check the IPSEC transform set and see whether they have enabled a PFS group or not.
crypto map Outside_map 10 set
Try using group2 or disable it.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
04-14-2016 04:40 PM
Hi,
Please share the output of debug cry
Try generating some VPN traffic and then check if we see any debugs on the ASA.
Turn off the debugs using
Not sure you
crypto ikev1 enable outside.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
04-14-2016 05:10 PM
Hi Aditya
Thanks for the reply. Yeah, I have the "crypto ikev1 enable outside" command in. I'll put on the debugs and get an output.
04-14-2016 09:20 PM
Also make sure the remote side crypto ACL (interesting traffic) is an exact mirror image of "access-list RemoteSite_VPN", i.e., source and destination are swapped on the remote side with exactly matching entries.
HTH
Abaji.
04-15-2016 07:33 AM
Looks like we are seeing a phase 2 issue
Apr 15 12:07:54 [IKEv1 DEBUG]Group = 159.x.x.x, IP = 159.x.x.x processing IPSec SA payload
Apr 15 12:07:54 [IKEv1]Group = 159.x.x.x, IP = 159.x.x.x, All IPSec SA proposals found unacceptable!
I'll have to check the other end.
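The two phase 2 checks suggested in the replies above (matching transform set and PFS group on the crypto map, and a mirror-image crypto ACL on the remote side) as an added Python example; this is not code from the thread. The ASA side's values are taken from the posted config; the peer side's settings are constructed for illustration, with PFS group 2 to reproduce the kind of difference behind "All IPSec SA proposals found unacceptable!".

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


def cidr(addr: str, mask: str) -> str:
    """Normalise an ASA 'address mask' pair to CIDR (mask applied the way an ACL applies it)."""
    return str(ip_network(f"{addr}/{mask}", strict=False))


@dataclass(frozen=True)
class Phase2Side:
    encryption: str             # ESP cipher from the transform set, e.g. "esp-3des"
    integrity: str              # ESP auth from the transform set, e.g. "esp-sha-hmac"
    pfs_group: Optional[int]    # None when the crypto map has no 'set pfs'
    proxy_ids: frozenset        # {(local_cidr, remote_cidr)} from the crypto ACL, this side's view


def phase2_mismatches(local: Phase2Side, remote: Phase2Side) -> list:
    """List the differences that make a responder reject every IPsec SA proposal.
    Conservative: any PFS difference is reported, although some peers accept PFS
    proposed by an initiator even when none is configured locally."""
    problems = []
    if local.encryption != remote.encryption:
        problems.append(f"encryption {local.encryption} vs {remote.encryption}")
    if local.integrity != remote.integrity:
        problems.append(f"integrity {local.integrity} vs {remote.integrity}")
    if local.pfs_group != remote.pfs_group:
        problems.append(f"PFS group {local.pfs_group} vs {remote.pfs_group}")
    # The remote crypto ACL must be the exact mirror image: source/destination swapped.
    if local.proxy_ids != frozenset((dst, src) for src, dst in remote.proxy_ids):
        problems.append("crypto ACL is not a mirror image of the remote side's ACL")
    return problems


# ASA side as posted: 3DES/SHA-1, 'set pfs group1', three NATed hosts to the remote /22.
REMOTE_NET = cidr("10.10.10.0", "255.255.252.0")
ASA_SIDE = Phase2Side("esp-3des", "esp-sha-hmac", 1, frozenset(
    (cidr(h, "255.255.255.255"), REMOTE_NET)
    for h in ("192.168.50.20", "192.168.50.30", "192.168.50.40")))

# Constructed peer (not in the thread): same transform, mirrored ACL, but PFS group 2.
PEER_SIDE = Phase2Side("esp-3des", "esp-sha-hmac", 2, frozenset(
    (dst, src) for src, dst in ASA_SIDE.proxy_ids))


def check_as_posted() -> list:
    return phase2_mismatches(ASA_SIDE, PEER_SIDE)   # ['PFS group 1 vs 2']


def check_after_fix() -> list:
    """Same peer after changing the crypto map to 'set pfs group2'."""
    fixed = Phase2Side(ASA_SIDE.encryption, ASA_SIDE.integrity, 2, ASA_SIDE.proxy_ids)
    return phase2_mismatches(fixed, PEER_SIDE)      # []


if __name__ == "__main__":
    print(check_as_posted(), check_after_fix())
```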