Trouble establishing dynamic tunnel from ASA 5505 to Cisco 1921

JonCommins
Level 1

I'm trying to set up a site-to-site VPN tunnel between an ASA 5505 (which gets its WAN IP via DHCP) and a Cisco 1921 (which has a static WAN IP).

So since the ASA gets its IP dynamically, I'm trying to create a dynamic tunnel.


ASA 5505 config: http://pastebin.com/raw.php?i=2kf2MMQZ
Cisco 1921 config: http://pastebin.com/raw.php?i=NL4Ddcpy


Cisco 1921 Inside Subnet: 10.70.0.0/16
ASA 5505 Inside Subnet: 10.75.0.0/16


I added the following to the Cisco 1921:

crypto dynamic-map KAM_TUNNEL_DYN_MAP 1
 set transform-set ESP-3DES-SHA
 reverse-route
crypto map SDM_CMAP_1 9 ipsec-isakmp dynamic KAM_TUNNEL_DYN_MAP


I added the following to the ASA 5505:

access-list 100 extended permit ip 10.75.0.0 255.255.0.0 10.70.0.0 255.255.0.0
access-list NONAT extended permit ip 10.75.0.0 255.255.0.0 10.70.0.0 255.255.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map PG_TUNNEL_MAP 10 match address 100
crypto map PG_TUNNEL_MAP 10 set peer <ip_3eb62ab9db>
crypto map PG_TUNNEL_MAP 10 set transform-set ESP-3DES-SHA
crypto map PG_TUNNEL_MAP interface outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400


I try to bring up the tunnel from the ASA by generating interesting traffic with the command packet-tracer input inside tcp 10.75.1.1 80 10.70.1.1 80, which, according to this, is a valid way to bring up a tunnel.

However, the tunnel does not come up; it does not appear in the show crypto isakmp sa output.

With debug crypto isakmp 127 and debug crypto ipsec 127 both active, the following output surrounds the above packet-tracer command: http://pastebin.com/raw.php?i=Bu71L6wh

As you can see, no phase 1 or 2, nor even anything VPN related comes up.


Why is this tunnel not establishing, or even trying to?

3 Replies

Rudy Sanjoko
Level 4

There's an error I spot on your output that might be causing the issue. 

%ASA-2-106016: Deny IP spoof from (10.75.1.1) to 10.70.1.1 on interface inside

Here is the explanation from Cisco about that error message:

This message is generated when a packet arrives at the security appliance interface that has a destination IP address of 0.0.0.0 and a destination MAC address of the security appliance interface. In addition, this message is generated when the security appliance discarded a packet with an invalid source address, which can include one of the following or some other invalid address:

  • Loopback network (127.0.0.0)

  • Broadcast (limited, net-directed, subnet-directed, and all-subnets-directed)

  • The destination host (land.c)

In order to further enhance spoof packet detection, use the icmp command to configure the security appliance to discard packets with source addresses belonging to the internal network. This is because the access-list command has been deprecated and is no longer guaranteed to work correctly.

Recommended Action: Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.


I didn't check your configs, but looking at the output from the packet-tracer it seems that the packet is being dropped by an ACL. This is why your tunnel is not coming up: the traffic doesn't even reach the remote end. Try rechecking your ACLs, including the crypto ACL.

Have checked the ACLs and they seem pretty straight forward. I see nothing wrong, do you?

! ASA 5505:
access-list 100 extended permit ip 10.75.0.0 255.255.0.0 10.70.0.0 255.255.0.0
access-list NONAT extended permit ip 10.75.0.0 255.255.0.0 10.70.0.0 255.255.0.0

There were a few things I forgot. Here's the fix, added to the Cisco 1921:

! Key needed
crypto isakmp key <my_key> address 0.0.0.0 0.0.0.0 no-xauth

! So that traffic knows how to get to remote site
ip route 10.75.0.0 255.255.0.0 <ip_of_next_hop_outside>

! NAT Exemption...made sure to add it above the bottom 'permit' entry.
access-list 130 deny   ip 10.70.0.0 0.0.255.255 10.75.0.0 0.0.255.255

Issue is resolved.
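Two things in this thread are easy to get wrong when a tunnel is built between an ASA and an IOS router: the reply above suggests rechecking the crypto ACL, and the fix adds an IOS NAT-exemption entry that has to be the exact mirror of the ASA's crypto ACL. The ASA writes ACL masks as subnet masks (255.255.0.0), IOS writes them as wildcard masks (0.0.255.255), and the IOS side must list the two networks in the opposite order; pasting a line from one box into the other without both changes gives a proxy-identity mismatch that never shows up as an obvious error. The script below is an added example, not code from the thread or from Cisco: it parses one ACE in each syntax, normalises both to networks, checks that they mirror each other, and generates the IOS mirror of an ASA entry. The two ACL lines are constructed samples modelled on the ones quoted in the thread; the function names are mine. One caveat worth noting on the fix itself: `crypto isakmp key ... address 0.0.0.0 0.0.0.0` is what a DHCP-addressed peer requires, but it means any host on the Internet that learns the pre-shared key can negotiate a tunnel to the 1921, so that key needs to be long, random and rotated, and the resulting SAs are still only as strong as the 3DES/SHA-1/group 2 proposal in use.

```python
"""Cross-check an ASA crypto ACL against its IOS-side mirror entry.

Added example (not from the thread): converts ASA subnet-mask ACEs and IOS
wildcard-mask ACEs to IPv4Network objects and verifies that the IOS entry is
the exact mirror (src/dst swapped) of the ASA entry.
"""
import ipaddress
import re

# Constructed sample lines modelled on the entries quoted in the thread.
ASA_CRYPTO_ACL = "access-list 100 extended permit ip 10.75.0.0 255.255.0.0 10.70.0.0 255.255.0.0"
IOS_NAT_EXEMPT = "access-list 130 deny   ip 10.70.0.0 0.0.255.255 10.75.0.0 0.0.255.255"

# ASA extended ACEs carry the 'extended' keyword; IOS numbered extended ACLs do not.
_ASA_RE = re.compile(r"^access-list \S+ extended (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$")
_IOS_RE = re.compile(r"^access-list \S+ (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$")


def mask_to_prefixlen(mask: str, wildcard: bool) -> int:
    """Convert a subnet mask (255.255.0.0) or IOS wildcard mask (0.0.255.255) to a prefix length.

    A wildcard is the bitwise inverse of a subnet mask. Rejects non-contiguous masks,
    which is what you get when a subnet mask is pasted into IOS unchanged.
    """
    value = int(ipaddress.IPv4Address(mask))
    if wildcard:
        value ^= 0xFFFFFFFF
    prefixlen = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        kind = "wildcard" if wildcard else "subnet"
        raise ValueError(f"{mask} is not a contiguous {kind} mask")
    return prefixlen


def netmask_to_wildcard(netmask: str) -> str:
    """255.255.0.0 -> 0.0.255.255 (validates the netmask first)."""
    mask_to_prefixlen(netmask, wildcard=False)
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF))


def _network(addr: str, mask: str, wildcard: bool) -> ipaddress.IPv4Network:
    # strict=True (the default): a host bit set in the network field is itself a typo worth catching.
    return ipaddress.IPv4Network((addr, mask_to_prefixlen(mask, wildcard)))


def parse_asa_ace(line: str):
    """Return (action, src_network, dst_network) for an ASA 'extended ... ip' ACE."""
    m = _ASA_RE.match(" ".join(line.split()))
    if not m:
        raise ValueError(f"not an ASA extended ip ACE: {line!r}")
    action, src, smask, dst, dmask = m.groups()
    return action, _network(src, smask, False), _network(dst, dmask, False)


def parse_ios_ace(line: str):
    """Return (action, src_network, dst_network) for an IOS numbered extended ip ACE."""
    m = _IOS_RE.match(" ".join(line.split()))
    if not m:
        raise ValueError(f"not an IOS extended ip ACE: {line!r}")
    action, src, swild, dst, dwild = m.groups()
    return action, _network(src, swild, True), _network(dst, dwild, True)


def is_mirror(asa_line: str, ios_line: str) -> bool:
    """True if the IOS ACE covers exactly the reverse of the ASA ACE's src/dst pair."""
    _, asa_src, asa_dst = parse_asa_ace(asa_line)
    _, ios_src, ios_dst = parse_ios_ace(ios_line)
    return asa_src == ios_dst and asa_dst == ios_src


def ios_mirror_of(asa_line: str, acl_number: int, action: str) -> str:
    """Generate the IOS ACE that mirrors an ASA ACE (networks swapped, masks inverted)."""
    _, asa_src, asa_dst = parse_asa_ace(asa_line)
    return (f"access-list {acl_number} {action} ip "
            f"{asa_dst.network_address} {netmask_to_wildcard(str(asa_dst.netmask))} "
            f"{asa_src.network_address} {netmask_to_wildcard(str(asa_src.netmask))}")


if __name__ == "__main__":
    print("IOS NAT exemption mirrors ASA crypto ACL:", is_mirror(ASA_CRYPTO_ACL, IOS_NAT_EXEMPT))
    print("Expected IOS entry:", ios_mirror_of(ASA_CRYPTO_ACL, 130, "deny"))
```

Run it against the real lines from both configs before touching the debug output: if `is_mirror` is False, or `parse_ios_ace` raises because a 255.x mask ended up on the IOS side, the proposal will never match regardless of what ISAKMP negotiates. The same check applies to the ASA's NONAT ACL against the IOS NAT-exemption ACL.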