VPN from ASA5505 (static IP) and router with dyn IP.
I have to establish a VPN tunnel between an ASA5505 with static IP and a Zyxel router with dynamic IP. I think I've tried almost everything, but the VPN channel doesn't want to come up.
My ASA config follows; I hope one of you can find the error:
ASA Version 7.2(4)
!
hostname ASA-DYN-VPN
domain-name bbb.com
enable password **************** encrypted
passwd **************** encrypted
names
name 10.1.0.0 Cas
name 10.254.254.0 sh_5555
!
interface Vlan1
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.224
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 10.1.7.5 255.255.248.0
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
 shutdown
!
interface Ethernet0/2
 switchport access vlan 2
 shutdown
!
interface Ethernet0/3
 switchport access vlan 2
!
interface Ethernet0/4
 switchport access vlan 2
 shutdown
!
interface Ethernet0/5
 switchport access vlan 2
 shutdown
!
interface Ethernet0/6
 switchport access vlan 2
 shutdown
!
interface Ethernet0/7
 switchport access vlan 2
 shutdown
!
ftp mode passive
dns server-group DefaultDNS
 domain-name bbb.com
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip Cas 255.255.248.0 sh_5555 255.255.255.0
access-list inside_access_in extended deny ip any any
access-list 100 extended permit ip Cas 255.255.248.0 sh_5555 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxy 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set bnet esp-3des esp-md5-hmac
crypto dynamic-map bdyn 1 set transform-set bnet
crypto map bmap 10 ipsec-isakmp dynamic bdyn
crypto map bmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 3600
telnet Cas 255.255.248.0 inside
telnet timeout 5
console timeout 0
group-policy groupb internal
group-policy groupb attributes
 vpn-tunnel-protocol IPSec
 default-domain value bbb.local
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy groupb
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****************
!
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  message-length maximum client auto
policy-map global_policy
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:dcf4a2ce4afbed32ba38591448a8f8ee
: end
From the Zyxel logs I cannot see phase 1 starting. So I tried removing the VPN from the Zyxel and connecting a Netgear FVS338 in cascade behind it, NATting the public IP address to the Netgear; then I set up the VPN from the Netgear. The Netgear is giving me some more interesting logs: it says that the hash payload is missing, so phase 1 times out (but actually I don't know what it means!!!).
Running a show isa sa on the ASA, I can't see anything happening.
Re: VPN from ASA5505 (static IP) and router with dyn IP.
In this case the ASA is going to be the Responder for the tunnel negotiations. If interesting traffic on the remote router is triggering the ISAKMP exchange, you will want to verify that these UDP500 packets are being received inbound on the ASA's outside interface. Make sure that the ASA is configured with the "sysopt connection permit-vpn" command or add the necessary permit rules on your inbound ACL for UDP500, UDP4500, and ESP. You can enable an IP packet capture for the peer IPs in question on the ASA's outside interface to review the packet flow on the wire. You could also rely on ACL hit counters. If you enable ISAKMP and IPSec debugs on the ASA, do you see any output?
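As an added example (my own code, not from this thread or from Cisco), the following Python applies the checklist in the reply above to the outside ACL text from the first post: it evaluates the ACL first-match for the three flows named (UDP 500, UDP 4500, ESP) and reports whether "sysopt connection permit-vpn" is explicit in the text. The ACL lines are a constructed copy of the post's config, the function names are mine, and source/destination addresses are not evaluated (the entries on this page are all "any any").

```python
import re

# Constructed sample: the outside ACL from the original post. It permits only
# ICMP and then denies everything; no sysopt line appears in the running config.
SAMPLE_CONFIG = """\
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended deny ip any any
access-group outside_access_in in interface outside
"""

# The three flows the reply says must be allowed in on the outside interface.
# The ASA accepts both numeric and named forms, so both are listed.
REQUIRED_FLOWS = {
    "IKE udp/500": ({"udp", "17"}, {"500", "isakmp"}),
    "NAT-T udp/4500": ({"udp", "17"}, {"4500"}),
    "ESP ip/50": ({"esp", "50"}, set()),
}

ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.*)$")


def parse_aces(config_text, acl_name):
    """Return (action, protocol, port_set) for each extended ACE of acl_name, in order."""
    aces = []
    for line in config_text.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            action, proto, rest = m.group(2), m.group(3).lower(), m.group(4)
            ports = set(re.findall(r"\beq (\S+)", rest))  # 'eq 500', 'eq isakmp', ...
            aces.append((action, proto, ports))
    return aces


def _ace_matches(ace, protos, ports):
    _, aproto, aports = ace
    if aproto == "ip":          # 'ip' matches every protocol
        return True
    if aproto not in protos:
        return False
    if not aports:              # no 'eq' qualifier: all ports of that protocol
        return True
    return bool(aports & ports)


def flow_permitted(aces, protos, ports):
    """First-match evaluation: the first ACE that matches decides; no match is an implicit deny."""
    for ace in aces:
        if _ace_matches(ace, protos, ports):
            return ace[0] == "permit"
    return False


def permit_vpn_state(config_text):
    """True/False when the sysopt line is explicit in the text, None when absent.
    'show running-config' hides defaults; 'show running-config all sysopt' is definitive."""
    if re.search(r"^no sysopt connection permit-vpn$", config_text, re.M):
        return False
    if re.search(r"^sysopt connection permit-vpn$", config_text, re.M):
        return True
    return None


def audit_vpn_ingress(config_text, acl_name="outside_access_in"):
    """Return (sysopt_state, [required flows the ACL would drop])."""
    state = permit_vpn_state(config_text)
    if state is True:
        return state, []        # per the reply: sysopt makes the ACL permits unnecessary
    aces = parse_aces(config_text, acl_name)
    blocked = [name for name, (protos, ports) in REQUIRED_FLOWS.items()
               if not flow_permitted(aces, protos, ports)]
    return state, blocked


if __name__ == "__main__":
    print(audit_vpn_ingress(SAMPLE_CONFIG))
    # Appending 'permit ip any any' AFTER the existing 'deny ip any any' changes nothing:
    # the deny is matched first, which is worth knowing before adding permits at the end.
    print(audit_vpn_ingress(SAMPLE_CONFIG + "access-list outside_access_in extended permit ip any any\n"))
```

Because "show running-config" omits settings that are at their default, the absence of a sysopt line is reported as None rather than as disabled; an ACE appended after the trailing "deny ip any any" is also reported as ineffective, since the ASA evaluates the list top-down and stops at the first match.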
Re: VPN from ASA5505 (static IP) and router with dyn IP.
First of all, thanks for your suggestions.
I've put in the "access-list outside_access_in extended permit ip any any" and the "sysopt connection permit-vpn" too, but nothing changed.
Enabling the debug and packet capture can be a problem because I cannot easily access the ASA console port: the ASA is in a nearby branch office, but I cannot go there at any time. Anyway, I've run a "show crypto isakmp stats" and the result follows:
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 35204
In Packets: 142
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 11328
Out Packets: 118
Out Drop Packets: 0
Out Notifys: 118
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 118
System Capacity Fails: 0
Auth Fails: 118
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
Is there a way to try something else before physically going on site to see the debug messages and packet capture? Any ideas?
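The counters above can be read without console access, and they already narrow the problem down. As an added example (my own code, not from this thread or from Cisco), the following Python parses that "show crypto isakmp stats" output, copied here as a constructed sample, and maps it to a coarse state: packets are arriving (In Packets 142), so reachability and ACLs are not what is stopping Phase 1, and all 118 responder failures are counted as authentication failures, which points at the pre-shared key or at the dynamic peer not landing on the tunnel group that holds it (DefaultL2LGroup in the config above). The state names and advice strings are mine.

```python
import re

# Constructed sample: the 'show crypto isakmp stats' output posted above, verbatim.
SAMPLE_STATS = """\
Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 35204
In Packets: 142
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 11328
Out Packets: 118
Out Drop Packets: 0
Out Notifys: 118
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 118
System Capacity Fails: 0
Auth Fails: 118
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
"""

COUNTER_RE = re.compile(r"^\s*([A-Za-z0-9 ]+?):\s*(\d+)\s*$")


def parse_isakmp_stats(text):
    """Turn 'Name: value' lines into a dict of ints; the heading line has no colon and is skipped."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters


def diagnose(counters):
    """Map the counters to one coarse state plus the next check it calls for."""
    c = counters.get
    if c("In Packets", 0) == 0:
        return ("NO_IKE_RECEIVED",
                "No IKE packets reached the ASA: verify the path from the peer, any NAT in front "
                "of the ASA, and that UDP 500/4500 are allowed in on the outside interface.")
    if c("Active Tunnels", 0) > 0:
        return ("TUNNEL_UP", "At least one IKE SA is established.")
    if c("Auth Fails", 0) > 0:
        return ("AUTH_FAILURE",
                "IKE reaches the ASA but Phase 1 authentication fails on the ASA side: compare the "
                "pre-shared key with the peer and confirm the peer maps to the tunnel group holding it.")
    if c("Hash Valid Fails", 0) > 0 or c("Decrypt Fails", 0) > 0:
        return ("INTEGRITY_FAILURE",
                "Hash or decryption failures: the two sides disagree on Phase 1 parameters or keys.")
    if c("Responder Fails", 0) > 0 or c("Initiator Fails", 0) > 0:
        return ("PHASE1_FAILURE",
                "Phase 1 fails for a reason not attributed to authentication: compare the ISAKMP "
                "policies (encryption, hash, DH group, lifetime) on both peers.")
    return ("NO_FAILURES_RECORDED", "No failure counters incremented; collect debugs at the next attempt.")


def analyse(text):
    counters = parse_isakmp_stats(text)
    state, advice = diagnose(counters)
    return {
        "counters": len(counters),
        "in_packets": counters.get("In Packets", 0),
        "auth_fails": counters.get("Auth Fails", 0),
        # True when every packet the ASA sent back was a notification, i.e. an error reply
        "only_notifies_sent": counters.get("Out Packets", 0) > 0
        and counters.get("Out Packets", 0) == counters.get("Out Notifys", 0),
        "state": state,
        "advice": advice,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_STATS).items():
        print(f"{key}: {value}")
```

On the sample this reports AUTH_FAILURE, with every one of the 118 packets the ASA sent back being a notify, which is consistent with the ASA rejecting each Phase 1 attempt rather than never seeing it.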