05-21-2014 03:38 AM - edited 02-21-2020 07:39 PM
Hello,
I'm trying to configure a site-to-site VPN between an ASA5510 and an RVW110 router; my architecture is like this:
On the central office: the ASA is already connected to other sites through IPsec tunnels:
Local network 192.168.1.0/24
The network between the ASA and the ADSL router as: 192.168.254.0/24
On the remote site:
The RVW110 router is connected to another router since the RVW110 is not a modem:
The local network 192.168.9.0/24
The network between the RVW110 and the provider router is 192.168.100.0/24
All traffic is permitted between all routers themselves and with the ASA5510
After negotiation, I got the status on the ASA:
Responder
MM_Active
But on the RVW110 the connection is not established, and I can't ping either side.
Can you please help with this?
Thanks in advance
05-21-2014 06:22 AM
Here is the debug on the ASA side; after this negotiation the ASA keeps the responder status and there is no connection on the router side.
ASA-5510# May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 116
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing SA payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing VID payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, Received DPD VID
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing IKE SA payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA Proposal # 1, Transform # 0 acceptable Matches global IKE entry # 5
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ISAKMP SA payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Fragmentation VID + extended capabilities payload
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing ke payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing ISA_KE payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, processing nonce payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing ke payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing nonce payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing Cisco Unity VID payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing xauth V6 VID payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, Send IOS VID
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, constructing VID payload
May 21 03:45:21 [IKEv1 DEBUG]: IP = 1.1.1.1, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Generating keys for Responder...
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing ID payload
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group 1.1.1.1
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing ID payload
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing hash payload
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Computing hash for ISAKMP
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, constructing dpd vid payload
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 80
May 21 03:45:21 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED
May 21 03:45:21 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD
May 21 03:45:21 [IKEv1 DEBUG]: Group = 1.1.1.1, IP = 1.1.1.1, Starting P1 rekey timer: 21600 seconds.
May 21 03:45:21 [IKEv1]: Group = 1.1.1.1, IP = 1.1.1.1, Received encrypted Oakley Informational packet with invalid payloads, MessID = 1268841455
05-21-2014 07:11 AM
Hi,
Your ASA says the Phase 1 tunnel is up; check the same on your remote router for the Phase 1 tunnel.
Check your crypto ACL at both ends.
show crypto ipsec sa (Phase 2 status)
HTH
Sandy
05-21-2014 07:34 AM
Hi Sandy,
First I want to thank you for your answer.
On the ASA:
show crypto isakmp
3 IKE Peer: 81.192.197.30
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
sh crypto ipsec sa
No information about the tunnel; it shows just the status of the other tunnels.
On the RV110W router:
Since it has only web-based access, I can just enable the logs and check the connection status page, and they don't show any helpful information.
Thanks in advance
05-21-2014 07:45 AM
Hi,
Check the Phase 2 crypto access-list and transform set.
HTH
Sandy
05-21-2014 08:15 AM
I checked the access list and it seems OK; please have a look:
I attached screenshots of the configuration on both sides.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map mymap 1 set transform-set ESP-3DES-MD5
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0
crypto map mymap 1 match address outside_1_cryptomap
crypto map mymap 1 set peer 1.1.1.1
crypto map mymap 1 set transform-set ESP-3DES-MD5
crypto map mymap 1 set nat-t-disable
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 3600 retry 2
On the other side all traffic is permitted.
Regards
05-21-2014 09:38 PM
Hi,
Your statement says that on the other side all traffic is permitted: it should not be all; it must be only the remote subnet traffic.
Expand your VPN config; you need to specify only the remote peer IP subnet 192.168.1.0 255.255.255.0, not all traffic. The crypto map access-list must match on both sides.
Remote Security Group Type: Subnet
IP Address: 192.168.1.0
Subnet Mask: 255.255.255.0
HTH
Sandy
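A small checker for the mirror condition Sandy describes, added here as an example and not part of the thread: it parses the ASA crypto ACE quoted above and compares it with the RV110W local/remote selectors, reporting every difference. The function names and the "a.b.c.d/netmask" or "any" input convention for the router side are my assumptions.

```python
import ipaddress
import re

# Constructed sample: the crypto ACE quoted from the ASA config in this thread.
ASA_ACL = ("access-list outside_1_cryptomap extended permit ip "
           "192.168.1.0 255.255.255.0 192.168.9.0 255.255.255.0")

ACE_RE = re.compile(
    r"access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)")


def selector(addr, mask=None):
    """Address + netmask (or the keyword 'any') -> IPv4Network."""
    if addr.lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_asa_ace(line):
    """(local_net, remote_net) from an ASA 'permit ip' crypto-map ACE."""
    m = ACE_RE.search(line)
    if not m:
        raise ValueError("not a 'permit ip' ACE: " + line)
    return selector(m["src"], m["smask"]), selector(m["dst"], m["dmask"])


def parse_rv(text):
    """Router-side selector, assumed written as 'a.b.c.d/netmask' or 'any'."""
    return selector(*text.split("/", 1))


def check_mirror(asa_ace, rv_local, rv_remote):
    """Findings where the Phase 2 selectors do not mirror each other.

    IKEv1 quick mode needs exact mirrors: the ASA's remote network must equal
    the router's local network and vice versa. Empty list means they match."""
    asa_local, asa_remote = parse_asa_ace(asa_ace)
    rv_l, rv_r = parse_rv(rv_local), parse_rv(rv_remote)
    findings = []
    if asa_remote != rv_l:
        findings.append(f"ASA remote {asa_remote} != RV110W local {rv_l}")
    if asa_local != rv_r:
        findings.append(f"ASA local {asa_local} != RV110W remote {rv_r}")
    return findings


if __name__ == "__main__":
    lan = "192.168.9.0/255.255.255.0"
    for label, remote in (("as posted", "any"),
                          ("after fix", "192.168.1.0/255.255.255.0")):
        print(label, check_mirror(ASA_ACL, lan, remote) or "selectors mirror")
```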