Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

setting up site to site vpn with cisco asa 5505

I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.

IP of remote office router is 71.37.178.142

IP of the main office firewall is 209.117.141.82

Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.

ciscoasa# show run

: Saved

:

ASA Version 7.2(4)

!

hostname ciscoasa

domain-name default.domain.invalid

enable password TMACBloMlcBsq1kp encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

ftp mode passive

dns server-group DefaultDNS

domain-name default.domain.invalid

access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82

access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-524.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1 0.0.0.0 0.0.0.0

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs group5

crypto map outside_map 1 set peer 209.117.141.82

crypto map outside_map 1 set transform-set ESP-AES-256-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 5

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

vpdn username macholjohannsenl@Qwest.net password ********* store-local

dhcpd auto_config outside

!

dhcpd address 192.168.1.2-192.168.1.129 inside

dhcpd enable inside

!

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c

: end

ciscoasa#

Thanks!

6 REPLIES
Silver

setting up site to site vpn with cisco asa 5505

Hello Mendy,

1. As you said your tunnel endpoint on this remote office ASA is 71.37.178.142

. It should be reflected on outside interface, whereas in your config outside interface:

interface Vlan2

nameif outside

security-level 0

ip address dhcp setroute ( Dynamic ip address assigned by your ISP), seems contradictary

2. Proxy ACl

access-list outside_1_cryptomap, must define the internal subnet/host whose traffic you want to get through ipsec tunnel.

Re: setting up site to site vpn with cisco asa 5505

Hi Mandy,

By using following access list define Peer IP as source and destination

access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82

you are not defining the interesting traffic / subnets from both ends.

Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:

access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255

access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255

access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
!.1..source subnet(called local encryption domain) at your end  192.168.200.0
!..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
!..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say

!...at your end  192.168.200.0

!..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say

!...at other end 192.168.100.0



Please use Baisc Steps as follows:

A. Configuration in your MAIN office  having IP = 209.117.141.82  (follow step 1 to 6)

Step 1.

Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)

access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255

Step 2.

Config ISAKMP Policy with minimum 4 parameters are to be config for

crypto isakmp policy 10

authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK

encryption aes-256   --->2nd parameter of ISAKMP Policy is OK

hash sha   --->  3rd parameter of ISAKMP Policy is OK

group 5  --->  4th parameter of ISAKMP Policy is OK

lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400

Step 3.

Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123

Here in your case in step 2 Authentication is using PSK, looks you have not defines Password

Use following command:

crypto isakmp key 0 CISCO123 address 71.37.178.142

or , but not both

crypto isakmp key 6 CISCO123 address71.37.178.142

step 4.

Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.

Here is yours one:

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)

crypto ipsec transform-set TSET1 esp-des esp-sha-hmac

or

crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac

Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like

ah-sha-hmac or  ah-md5-hmac

crypto ipsec transform-set TSET1 ah-sha-hmac

or

crypto ipsec transform-set TSET1 ah-md5-hmac

Step 5.

Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:

crypto map ipsec-isakmp

1. Define peer -- called WHO to set tunnel with

2. Define or call WHICH - Transform Set

3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address

Like in your case it is but ipsec-isakmp keyword missing in the ;ast

crypto map outside_map 10 ipsec-isakmp

1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step

2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called

!..In you case it is correct

!...set transform-set ESP-AES-256-SHA (also correct)

3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel

4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)

Step 6.

Now apply this one crypto MAP to your OUTSIDE interface always

interface outside

crypto map outside_map

Configure the same but just change ACL on other end in step one  by reversing source and destination

and also set the peer IP of this router in other end.

So other side config should look as follows:

B.  Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)

Step 7.

Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)

access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

Step 8.

Config ISAKMP Policy with minimum 4 parameters are to be config for

crypto isakmp policy 10

authentication pre-share  ---> Ist parameter of setting Authentication type ISAKMP Policy is OK

encryption aes-256   --->2nd parameter of ISAKMP Policy is OK

hash sha   --->  3rd parameter of ISAKMP Policy is OK

group 5  --->  4th parameter of ISAKMP Policy is OK

lifetime 86400  ------ >  this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400

Step 9.

Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123

Here in your case in step 8 Authentication is using PSK, looks you have not defines Password

Use following command:

crypto isakmp key 0 CISCO123 address 209.117.141.82

or , but not both

crypto isakmp key 6 CISCO123 address 209.117.141.82

step 10.

Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.

Here is yours one:

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)

crypto ipsec transform-set TSET1 esp-des esp-sha-hmac

or

crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac

Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like

ah-sha-hmac or  ah-md5-hmac

crypto ipsec transform-set TSET1 ah-sha-hmac

or

crypto ipsec transform-set TSET1 ah-md5-hmac

Step 11.

Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:

crypto map    ipsec-isakmp

1. Define peer -- called WHO to set tunnel with

2. Define or call WHICH - Transform Set, only one is permissible

3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address

Like in your case it is but ipsec-isakmp keyword missing in the ;ast

crypto map outside_map 10 ipsec-isakmp

1. set peer 209.117.141.82  -----> is correct as this is your other side peer called WHO in my step

2. set transform-set TSET1  -----> is correct as this is WHICH, and only one transform set can be called

!..In you case it is correct

!...set transform-set ESP-AES-256-SHA (also correct)

3.  match address outside_1_cryptomap  ---->Name of the extended ACL define as WHAT to pass through this tunnel

4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)

Step 12.

Now apply this one crypto MAP to your OUTSIDE interface always

interface outside

crypto map outside_map

Now initite a ping

Here is for your summary:

IPSec: Site to Site - Routers

Configuration Steps

    • Phase 1
    • Step 1: Configure Mirrored ACL/Crypto ACL       for Interesting Traffic
    • Step 2: Configure ISAKMP Policy
    • Step 3: Configure ISAKMP Key
    • Phase 2
    • Step 4: Configure Transform Set
    • Step 5: Configure Crypto Map
    • Step 6: Apply Crypto Map to an Interface

To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.

Router#debug crpyto isakmp
Router#debug crpyto ipsec

Router(config)# logging buffer 7
Router(config)# logging buffer 99999
Router(config)# logging console 6
Router# clear logging

Configuration



In R1:

  • (config)# access-list 101 permit ipo host 10.1.1.1 host      10.1.2.1
  • (config)# crypto isakmp policy 10
    • (config-policy)# encryption 3des
    • (config-policy)# authentication pre-share
    • (config-policy)# group 2
    • (config-policy)# hash sha1
  • (config)# crypto isakmp key 0 cisco address 2.2.2.1
  • (config)# crypto ipsec transform-set TSET esp-3des      sha-aes-hmac
  • (config)# crypto map CMAP 10 ipsec-isakmp
    • (config-crypto-map)# set peer 2.2.2.1
    • (config-crypto-map)# match address 101
    • (config-crypto-map)# set transform-set TSET
  • (config)# int f0/0
    • (config-if)# crypto map CMAP

Similarly in R2
Verification Commands

  • #show crypto isakmp SA
  • #show crypto ipsec SA

Change to Transport Mode, add the following command in Step 4:

  • (config-tranform-set)# mode transport

Even after  doing this change, the ipsec negotiation will still be done through  tunnel mode if pinged from Loopback to Loopback. To overcome this we  make changes to ACL.


Change to Aggressive Mode, replace the Step 3 command with these commands in R1:

  • (config)# crypto isakmp peer address 2.2.2.1
    • (config-peer)# set aggressive-mode password cisco
    • (config-peer)# set aggressive-mode clien-endpoint       ipv4-address 2.2.2.1

Similarly on R2.

The below process is for the negotiation using RSA-SIG (PKI) as authentication type


Debug Process:

After  we debug, we can see the negotiation between the two peers. The first  packet of the interesting traffic triggers the ISAKMP (Phase1)  negotiation. Important messages are marked in BOLD and explanation in  RED

R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2


Mar  2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) //  Router tried to find any IPSec SA matching the outgoing connection but  no valid SA has been found in Security Association Database (SADB)
Mar  2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
Mar  2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
Mar  2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
Mar  2 16:18:42.939: ISAKMP: local port 500, remote port 500
Mar  2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE    
Mar  2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
Mar  2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
Mar  2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
Mar  2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
Mar  2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar  2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Mar  2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
Mar  2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
Mar  2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar  2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
Mar  2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar  2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

Mar  2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
Mar  2 16:18:42.947:.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R2(config)# ISAKMP:(0): processing vendor id payload
Mar  2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
Mar  2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
Mar  2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
Mar  2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Mar  2 16:18:42.947: ISAKMP:      encryption 3DES-CBC
Mar  2 16:18:42.947: ISAKMP:      hash SHA
Mar  2 16:18:42.947: ISAKMP:      default group 2
Mar  2 16:18:42.947: ISAKMP:      auth RSA sig
Mar  2 16:18:42.947: ISAKMP:      life type in seconds
Mar  2 16:18:42.947: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Mar  2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
Mar  2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
Mar  2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Mar  2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
Mar  2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.

Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar  2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Mar  2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
Mar  2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar  2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
Mar  2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

Mar  2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
Mar  2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
Mar  2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar  2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar  2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

Mar  2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
Mar  2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar  2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

Mar  2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
Mar  2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
Mar  2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
Mar  2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
Mar  2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
Mar  2 16:18:43.007:  Choosing trustpoint CA_Server as issuer
Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
Mar  2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar  2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
Mar  2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar  2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
Mar  2 16:18:43.007: ISAKMP:received payload type 20
Mar  2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
Mar  2 16:18:43.007: ISAKMP:received payload type 20
Mar  2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
Mar  2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar  2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM4

Mar  2 16:18:43.011: ISAKMP:(1008):Send initial contact
Mar  2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
Mar  2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
Mar  2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
Mar  2 16:18:43.011: ISAKMP (1008): ID payload
          next-payload : 6
          type         : 2
          FQDN name    : R2
          protocol     : 17
          port         : 500
          length       : 10
Mar  2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
Mar  2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
Mar  2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
Mar  2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar  2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar  2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar  2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4  New State = IKE_I_MM5

Mar  2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH

// "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
Mar  2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
Mar  2 16:18:43.047: ISAKMP (1008): ID payload
          next-payload : 6
          type         : 2
          FQDN name    : ASA1
          protocol     : 0
          port         : 0
          length       : 12
Mar  2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
Mar  2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
Mar  2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
Mar  2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
Mar  2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
Mar  2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
Mar  2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
Mar  2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
Mar  2 16:18:43.067: ISAKMP:received payload type 17
Mar  2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
Mar  2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
Mar  2 16:18:43.067: ISAKMP:(1008):SA authentication status:
          authenticated

Mar  2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
Mar  2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/,  and inserted successfully 46519678. // SA inserted into SADB
Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5  New State = IKE_I_MM6

Mar  2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar  2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_I_MM6

Mar  2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar  2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Mar  2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
Mar  2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
Mar  2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
Mar  2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar  2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Mar  2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar  2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Mar  2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
Mar  2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
Mar  2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
Mar  2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
Mar  2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
Mar  2 16:18:43.079: ISAKMP:   attributes in transform:
Mar  2 16:18:43.079: ISAKMP:      SA life type in seconds
Mar  2 16:18:43.079: ISAKMP:      SA life duration (basic) of 3600
Mar  2 16:18:43.079: ISAKMP:      SA life type in kilobytes
Mar  2 16:18:43.079: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Mar  2 16:18:43.079: ISAKMP:      encaps is 1 (Tunnel)
Mar  2 16:18:43.079: ISAKMP:      authenticator is HMAC-SHA
Mar  2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
Mar  2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
Mar  2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
Mar  2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
Mar  2 16:18:43.083:         inbound SA from 20.1.1.10 to 40.1.1.1 (f/i)  0/ 0
          (proxy 1.1.1.1 to 2.2.2.2)
Mar  2 16:18:43.083:         has spi 0xA9A66D46 and conn_id 0
Mar  2 16:18:43.083:         lifetime of 3600 seconds
Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
Mar  2 16:18:43.083:         outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
          (proxy 2.2.2.2 to 1.1.1.1)
Mar  2 16:18:43.083:         has spi  0x2B367FB4 and conn_id 0
Mar  2 16:18:43.083:         lifetime of 3600 seconds
Mar  2 16:18:43.083:         lifetime of 4608000 kilobytes
Mar  2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE    
Mar  2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar  2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
Mar  2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Mar  2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!



Verification Commands

  • #show crypto isakmp SA
  • #show crypto ipsec SA

Kindly rate if you find the explanation useful !!

Best Regards

Sachin Garg

New Member

setting up site to site vpn with cisco asa 5505

Ok I am going to reset the asa and start the wizard over. I am not so good with the cli on this.

New Member

setting up site to site vpn with cisco asa 5505

The office that will have the ASA at has one PC with an IP address of 10.1.1.58. Is that the "inside address" I use or the IP address of the ASA? (which is a 192 IP) Or do I give the ASA a 10.1.1 Ip address? I am unsure of the inside IP address to use on both sides.

Thanks,

Silver

setting up site to site vpn with cisco asa 5505

Hello Mandy,

Please first specify what traffic you want to go through your tunnel..as per your configuration 192.168.1.1 is the inside interface ip address of your ASA. If you want the traffic from your PC to go via tunnel to other end then you have to define PROXY ACL like this :

access-list outside_1_cryptomap extended permit ip host 10.1.1.58 otherside host/subnet

or if you want your inside subnet to go via tunnel then:

access-list outside_1_cryptomap extended permit 192.168.1.0 255.255.255.0 otherside host/subnet

New Member

setting up site to site vpn with cisco asa 5505

Ok can you help me confirm setup with the vpn on the other side now?

Its a Cisco ASA5500 and the site to site vpn asks for:

Protected networks:

local network

remote network

Protected from what? I am unsure what networks to enter.

Also it has Encryption Algorithms:

IKE proposal

IPsec proposal

Then lists all of the options but doesnt let me choose jsut the one that is set up on the other end. Do I just leave all of them?

Thanks for your help.

5500VPN.JPG

633
Views
0
Helpful
6
Replies
CreatePlease login to create content