Site to Site VPN Connectivity Problem

ChristianPaz (Level 1)

Hi everybody,

I am trying to establish a site-to-site VPN between 2 branches without results. The VPN tunnel is not working; I introduce the following commands and this is the result:

bcicperu-asa5510# show crypto ipsec sa
  There are no ipsec sas
bcicperu-asa5510# show crypto isakmp sa
  There are no IKEv1 SAs
  There are no IKEv2 SAs

My inside network is called bcic and the network address is: aa.aa.aa.aa 255.255.255.128

The remote network is called Infomedia and the address is: dd.dd.dd.dd 255.255.255.0

In both sites we use:
Authentication: Pre-share
DH: group 2
Encryption: aes-256
Hash: sha
SA lifetime: 86400

Here is my running config:

ASA Version 8.4(2)
!
hostname bcicperu-asa5510
enable password TkoOhnZMamrN7o4G encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address aa.aa.aa.20 255.255.255.128
!
interface Ethernet0/1
 shutdown
 nameif future_dmz
 security-level 50
 no ip address
!
interface Ethernet0/2
 nameif outside
 security-level 0
 ip address cc.cc.cc.cc 255.255.255.224
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address xx.xx.xx.61 255.255.255.128
 management-only
!
ftp mode passive
object network Infomedia_net
 subnet bb.bb.bb.bb 255.255.255.0
object network bcic_net
 subnet aa.aa.aa.aa 255.255.255.128
access-list l2l_list extended permit ip object bcic_net object Infomedia_net
access-list inside_access_in extended permit ip any any
access-list management_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu management 1500
mtu inside 1500
mtu future_dmz 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static bcic_net bcic_net destination static Infomedia_net Infomedia_net
route outside 0.0.0.0 0.0.0.0 cc.cc.cc.33 1
route inside aa.aa.aa.aa 255.255.255.0 aa.aa.aa.1 1
route management zz.zz.zz.128 255.255.255.128 xx.xx.xx.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http xx.xx.xx.xx 255.255.255.128 management
http zz.zz.zz.zz 255.255.255.0 management
http zz.zz.zz.zz 255.255.255.128 management
http aa.aa.aa.aa 255.255.255.128 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set cisco-infomedia esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal prop1
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map l2lmap 1 match address l2l_list
crypto map l2lmap 1 set peer dd.dd.dd.dd
crypto map l2lmap 1 set ikev1 transform-set cisco-infomedia
crypto map l2lmap 1 set ikev2 ipsec-proposal prop1
crypto map l2lmap interface outside
crypto ca server
 shutdown
 cdp-url http://bcicperu-asa5510.bcicperu.com/+CSCOCA+/asa_ca.crl
 issuer-name CN=bcicperu-asa5510.bcicperu.com
 smtp from-address admin@bcicperu-asa5510.bcicperu.com
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
telnet aa.aa.aa.aa 255.255.255.128 management
telnet xx.xx.xx.xx 255.255.255.128 management
telnet zz.zz.zz.zz 255.255.255.0 management
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
 enable outside
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 webvpn
  url-list value Utilitarios
username ???? password 08S9WUsiSMr3RauN encrypted privilege 0
username ???? attributes
 vpn-group-policy DfltGrpPolicy
tunnel-group dd.dd.dd.dd type ipsec-l2l
tunnel-group dd.dd.dd.dd ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group bcic-portal type remote-access
tunnel-group bcic-portal webvpn-attributes
 group-alias bcic enable
 group-url https://cc.cc.cc.cc/bcic enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:59cf139ecc14afaa3117bee41723a5da
: end

Thanks for your help.

Christian Paz

6 Replies

ajay chauhan (Level 7)

Can you also post the other side's configuration?

Thanks

Ajay

Hi Ajay, I have no access to the other ASA. They only sent me the following lines:

crypto map Outside_map 6 match address Outside_6_cryptomap
crypto map Outside_map 6 set peer xx.xx.xx.61
crypto map Outside_map 6 set transform-set ESP-AES-256-SHA
access-list Outside_6_cryptomap extended permit ip bb.bb.bb.bb 255.255.255.0 aa.aa.aa.aa 255.255.255.0

6   IKE Peer: xx.xx.xx.61
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

It seems that the problem is on my site.

Thank you

Christian

Just enquiring, is there a typo in the crypto map? aa.aa.aa.aa seems to have a different subnet mask.

Yours

local
---------
object network Infomedia_net
 subnet bb.bb.bb.bb 255.255.255.0
object network bcic_net
 subnet aa.aa.aa.aa 255.255.255.128
access-list l2l_list extended permit ip object bcic_net object Infomedia_net

remote
-----------
access-list Outside_6_cryptomap extended permit ip bb.bb.bb.bb 255.255.255.0 aa.aa.aa.aa 255.255.255.0
===============================================================================

Is there a need to configure "crypto isakmp enable outside"?

Would you want to try "crypto isakmp nat-traversal"?

That's correct, you should verify the remote end configuration.

In general, MM_WAIT_MSG2 indicates a remote-end issue.

This message means: MM = Main Mode, WAIT = Waiting, MSG2 = Message 2

It might be that the remote host's message is being dropped before reaching your firewall, or maybe there is a firewall at the remote end blocking some TCP or UDP ports required by ISAKMP that are used by your site-to-site VPN.

As suggested by Lim, the ACL mask also does not match; both ends should use the same subnet mask, and ISAKMP should be enabled.

Thanks

Ajay
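The two checks raised in this thread (Lim's mask mismatch between the two crypto ACLs, and whether IKEv1 is enabled on the interface the crypto map is bound to) can be done mechanically from the text of both configs. The script below is an added example written for this thread, not code from Cisco or from any poster; the config text in it is constructed, with RFC 5737 documentation ranges standing in for the masked aa/bb/cc addresses, and the object, ACL and crypto map names are taken from the thread. It expands `object network` definitions, reads each `permit ip` entry of the named crypto ACL on both sides, and reports every local (src, dst) pair that the remote ACL does not mirror as an exact (dst, src) pair, which is how a /25 on one side and a /24 on the other shows up as a proxy-identity mismatch rather than as overlapping networks. It also lists interfaces that carry a crypto map without a matching `crypto ikev1 enable`, the ASA 8.4 spelling of the old `crypto isakmp enable`.

```python
"""Cross-check a site-to-site crypto ACL against the remote side's crypto ACL.

Added example for this thread, not code from the thread or from Cisco.
Addresses below are constructed RFC 5737 ranges, not the poster's real ones.
"""
import ipaddress
import re

# Constructed stand-in for the local ASA 8.4 config fragments that define the tunnel.
LOCAL_CONFIG = """\
object network Infomedia_net
 subnet 198.51.100.0 255.255.255.0
object network bcic_net
 subnet 192.0.2.0 255.255.255.128
access-list l2l_list extended permit ip object bcic_net object Infomedia_net
crypto map l2lmap 1 match address l2l_list
crypto map l2lmap interface outside
crypto ikev1 enable outside
"""

# Constructed stand-in for the single ACL line the remote admin shared (/24 on both ends).
REMOTE_ACL = ("access-list Outside_6_cryptomap extended permit ip "
              "198.51.100.0 255.255.255.0 192.0.2.0 255.255.255.0")

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (.+)")


def parse_network_objects(config):
    """Map each 'object network NAME' with a 'subnet'/'host' body to an ip_network."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"\s*object network (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*subnet (\S+) (\S+)$", line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        m = re.match(r"\s*host (\S+)$", line)
        if m and current:
            objects[current] = ipaddress.ip_network(m.group(1))
    return objects


def _endpoint(tokens, objects):
    """Consume one ACL endpoint (object NAME | host A | any | A MASK); return (network, rest)."""
    kind = tokens[0]
    if kind == "object":
        return objects[tokens[1]], tokens[2:]
    if kind == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if kind in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl_entries(config, acl_name, objects=None):
    """Return [(src_net, dst_net)] for the 'permit ip' lines of one extended ACL."""
    objects = objects or {}
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            src, rest = _endpoint(m.group(2).split(), objects)
            dst, _ = _endpoint(rest, objects)
            entries.append((src, dst))
    return entries


def mirror_mismatches(local_entries, remote_entries):
    """Local proxy identities that the remote ACL does not reflect exactly.

    IKEv1 quick mode needs the peer's entry to be the exact (dst, src) mirror of
    ours; a different mask (/25 vs /24) is a mismatch, not a harmless superset.
    """
    mirrored = {(dst, src) for src, dst in remote_entries}
    return [pair for pair in local_entries if pair not in mirrored]


def interfaces_missing_ikev1(config):
    """Interfaces carrying a crypto map but lacking 'crypto ikev1 enable' (ASA 8.4 syntax)."""
    mapped = set(re.findall(r"^crypto map \S+ interface (\S+)", config, re.M))
    enabled = set(re.findall(r"^crypto ikev1 enable (\S+)", config, re.M))
    return mapped - enabled


def check_tunnel(local_config, local_acl, remote_config, remote_acl):
    """Run both checks and return them as one report dict."""
    objects = parse_network_objects(local_config)
    local = parse_acl_entries(local_config, local_acl, objects)
    remote = parse_acl_entries(remote_config, remote_acl)
    return {
        "acl_mismatches": mirror_mismatches(local, remote),
        "missing_ikev1": interfaces_missing_ikev1(local_config),
    }


if __name__ == "__main__":
    report = check_tunnel(LOCAL_CONFIG, "l2l_list", REMOTE_ACL, "Outside_6_cryptomap")
    for src, dst in report["acl_mismatches"]:
        print(f"no mirror on remote for {src} -> {dst}")
    for iface in report["missing_ikev1"]:
        print(f"crypto map bound to {iface} but IKEv1 is not enabled there")
```

Run against the constructed configs it reports the one mismatch from this thread (local 192.0.2.0/25 to 198.51.100.0/24 with no /25 counterpart on the remote side); changing either side so both masks agree makes the report empty. The `interfaces_missing_ikev1` check is only meaningful for `show run` output, which is also why a policy that does not appear in `show run` has not been applied.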

Thanks for your comments; as Lim suggested, there was an error with the mask in the ACL.

The new acl is:

aa.aa.aa.aa 255.255.255.0

On the other hand, how can I enable ISAKMP?

I create an ISAKMP policy and then apply it to the outside interface, but a new show run doesn't show the changes I've made.

Thanks

Christian

crypto ikev1 enable outside
