Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

problem with vpn ipsec between ASA5510 and RVW110W router

Hello,

 

I'm trying to configure a vpn site2site between ASA5510 and RVW110 router, my architecture is like that:

On the central office: the ASA is already connected with other sites trough an ipsec tunnels:

Local network 192.168.1.0/24

The network between the ASA and the ADSL router as: 192.168.254.0/24

 

On the remote site:

The RVW110 router is connected to another router since the RVW110 is not a modem:

The local network 192.168.9.0/24

The network between the RVW110 and the provider router is 192.168.100.0/24

All traffic is permitted between all routers themselves and with the ASA5510

 

After negotiation, I got the status on the ASA:

Responder

MM_Active

 

But on the RVW110: connection not established? I can’t ping any side.

 

Can you please e help on this?

 

thanks in advance

 

 

6 REPLIES
Community Member

there is debug on the ASA

there is debug on the ASA side, after this negotiation the asa keep responder status and no connection on the router side

 

ASA-5510# May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 116
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing SA payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, Received DPD VID
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing IKE SA payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA Proposal # 1, Transform # 0 acceptable  Matches global IKE entry # 5
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ISAKMP SA payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Fragmentation VID + extended capabilities payload
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing ke payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing ISA_KE payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing nonce payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ke payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing nonce payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Cisco Unity VID payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing xauth V6 VID payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, Send IOS VID
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing VID payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Generating keys for Responder...
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing ID payload
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing hash payload
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing dpd vid payload
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 80
May 21 03:45:21 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Starting P1 rekey timer: 21600 seconds.
May 21 03:45:21 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Received encrypted Oakley Informational packet with invalid payloads, MessID = 1268841455

Hi , Your ASA Says Phase 1

Hi ,

 Your ASA Says Phase 1 tunnel is up , check the same on your remote router for Phase 1 tunnel . 

Check with your Crypto ACL at both end . 

show crypto isakmp sa  { Phase 1  status}

    show crypto ipsec sa { Phase 2 status }

 

HTH

Sandy 

Community Member

hi kumar,First I want to

hi Sandy,

First I want to thank you your answer.

on the ASA :

show crypto isakmp

3   IKE Peer: 81.192.197.30
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE


sh crypto ipsec sa 

no information about the tunnel

it shows just the status of the other tunnels.

On the RV110W router :

since he have just a web based access, i cant just enbale the logs and check the connection status page, and theyt doesn't show any helping information

 

Thanks in advance

 

Hi ,Check on Phase 2 Crypto

Hi ,

Check on Phase 2 Crypto access-list and transform set . 

HTH

Sandy

Community Member

I checked the access list it

I checked the access list it seems ok, please have a look :

I attached screen shoots of configuration on both sides.

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map mymap 1 set transform-set ESP-3DES-MD5

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0

crypto map mymap 1 match address outside_1_cryptomap
crypto map mymap 1 set peer 1.1.1.1
crypto map mymap 1 set transform-set ESP-3DES-MD5
crypto map mymap 1 set nat-t-disable

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 3600 retry 2

on the other side all traffic are permitted

Regards

Hi ,  Your statement says as

Hi , 

 Your statement says as on the other side all traffic are permitted : it should not be all it must be only remote subnet traffic . 

 Expand your VPN config , you need to specify only remote peer IP subnet 192.168.1.0 255.255.255.0 not every traffic . Crypto map access-list must be matching both side .

 


Remote Security 
Group Type
Subnet
IP Address 192.168.1.0
Subnet Mask 255.255.255.0 

 

HTH

Sandy

73
Views
0
Helpful
6
Replies
CreatePlease to create content