Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN Setting please help

Hello,

 

I'm new to cisco and need to have these changes made to the vpn tunnel.  Can anyone help:

 

What command would one type to add these configs in.  An existing VPN config exists and I am just making some mods:

Phase 1 (Isakmp)
IKE Mode: Main (not aggressive)
Authentication: Pre-Shared
Encryption: AES-192
Hash: SHA
DH: 2
Lifetime: 43200
Pre-shared Key: *******


Phase2 (IPSec)
protocol: esp
encryption: AES-256
authentication: SHA
Lifetime: 28800
PFS: Enabled, Group 2

 

Thanks,

Derek

 

Everyone's tags (1)
18 REPLIES
Super Bronze

Hi, Phase1 configurations are

Hi,

 

Phase1 configurations are not tied to any specific VPN connection. The ISAKMP/Phase1 policy that is chosen is based on what priority the policy is configured at. So we would need to see the output of the following command from your ASA to determine what configurations are needed.

 

show run crypto

 

- Jouni

Cisco Employee

Hi Derek, Here are the

Hi Derek,

 

Here are the commands. Please use Ikev1/Isakmp according to the ASA codes.

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 43200


crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 43200

 

crypto ipsec ikev1 transform-set ESP-ASE-256-SHA esp-aes-256 esp-sha-hmac


crypto map outside_map 10 set security-association lifetime 28800
crypto map outside_map 10 set security-association transform-set ESP-ASE-256-SHA
crypto map outside_map 10 set pfs group2


tunnel-group <peer-ip> type ipsec-l2l
tunnel-group <peer-ip> ipsec-attributes
 ikev1 pre-shared-key *****

or

tunnel-group <peer-ip> type ipsec-l2l
tunnel-group <peer-ip> ipsec-attributes
 pre-shared-key *****

 

 

Regards,
Dinesh Moudgil

 

P.S. Please rate helpful posts.

New Member

ciscoasa# show run

ciscoasa# show run crypto
crypto ipsec transform-set vpn esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside 10 match address vpn
crypto map outside 10 set peer 216.117.40.14
crypto map outside 10 set transform-set vpn
crypto map outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 43200

 

Super Bronze

Hi, Seems to me that the

Hi,

 

Seems to me that the above configurations are mostly what you are looking for.

 

You would need to add this however

 

crypto map outside 10 set pfs group2

 

To match the Phase2 settings you mentioned in the original post.

 

You can naturally also add this

 

crypto map outside 10 set security-association lifetime seconds 28800

 

- Jouni

 

 

New Member

Thanks Jouni, How can this be

Thanks Jouni,

 

How can this be tested?  I am assuming I should be able to ping that remote peer in config t mode and have that be successful?  Just curious how to test this..

 

I can't seem to ping the remote peer.. see my other post below for this:

 

Maybe the static 1:1 NAT isn't configured??  I'm thinking I should be able to ping both 10.1.12.164 and 216.117.40.14.

Remote Peer IP: 216.117.40.14
Remote Network: 192.168.50.0/24, 10.10.3.0/24
Your Local Network: n/a

Interesting Traffic = your single host is trying to talk to our side.

Will need to create a static, 1:1 policy NAT of interesting traffic to host 10.1.12.164

Will need to make an IPSec ACL from host 10.1.12.164 to 192.168.50.0/24
Will need to make an IPSec ACL from host 10.1.12.164 to 10.10.3.0/24

New Member

So if the VPN settings are

So if the VPN settings are now correct is there a reboot command or clear command to ensure the old stuff is not in memory?  or a command to show this vpn tunnel is successfully up?

Super Bronze

Hi, The remote VPN device

Hi,

 

The remote VPN device does not necesarily reply to ICMP traffic. It might block such traffic from any source IP address.

 

You can try the "packet-tracer" to initiate the VPN negotiation. You have to choose the source and destination IP address into the command that are supposed to use the L2L VPN connection

 

packet-tracer input inside tcp <internal source ip> 12345 <destination remote ip> <destination port>

 

Issue this command twice and see what the VPN Phase of the output say on the second try of issuing the above command. The first "packet-tracer" commands output will always result in a VPN Phase DROP (unless some traffic has already brought up the VPN connection) while the second time you issue the command the L2L VPN connection should already be up.

 

Notice that if you are doing NAT for your internal IP address you will still use the local/real IP address in the "packet-tracer" command as the source IP.

 

If you want to easily log off VPN connections you can always log in with the ASDM to the ASA and go to the Monitor / VPN section and list the L2L VPN connections and log off the VPN connection if its listed there.

 

- Jouni

 

New Member

Yes I had issues ever getting

Yes I had issues ever getting ASDM installed.  My remote machine is a mac and the onsite machines are windows server..  but never really got that app to function.  I'll try the packet-tracer

Super Bronze

Hi, I think the command

Hi,

 

I think the command corresponding to the ASDM log off button is the following

 

vpn-sessiondb logoff ipaddress <remote peer ip>

 

- Jouni

New Member

ciscoasa# packet-tracer input

ciscoasa# packet-tracer input inside tcp 10.1.12.164 80 216.117.40.14 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4      
Type: NAT     
Subtype:      
Result: ALLOW
Config:       
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any outside any
    dynamic translation to pool 1 (99.24.60.86 [Interface PAT])
    translate_hits = 4937324, untranslate_hits = 908569
Additional Information:
Dynamic translate 10.1.12.164/80 to 99.24.60.86/42 using netmask 255.255.255.255
              
Phase: 5      
Type: NAT     
Subtype: host-limits
Result: ALLOW
Config:       
nat (inside) 1 0.0.0.0 0.0.0.0
  match ip inside any inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
Additional Information:
              
Phase: 6      
Type: HOST-LIMIT
Subtype:      
Result: ALLOW
Config:       
Additional Information:
              
Phase: 7      
Type: IP-OPTIONS
Subtype:      
Result: ALLOW
Config:       
Additional Information:
              
Phase: 8      
Type: FLOW-CREATION
Subtype:      
Result: ALLOW
Config:       
Additional Information:
New flow created with id 6868761, packet dispatched to next module
              
Result:       
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Super Bronze

Hi, You are using the wrong

Hi,

 

You are using the wrong IP addresses. You should use the actual host IP addresses that fit into the ACL used for the L2L VPN. And as I said you will use the real/local IP address as the source.

 

So it would be something like this for example

 

packet-tracer input inside tcp 192.168.1.2 12345 192.168.50.100 80

 

I think the above source IP was listed in some of your other posts. The destination IP address and port are just some that fit the remote network in the L2L VPN configuration.

 

Remember to issue the "packet-tracer" command twice.

 

- Jouni

New Member

Forgot that.  Here is the

Forgot that.  Here is the output issued back to back:

 

 

ciscoasa# packet-tracer input inside tcp 192.168.1.2 12345 192.168.50.100 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4      
Type: NAT     
Subtype:      
Result: ALLOW
Config:       
static (inside,outside) 10.1.12.164  access-list nat
  match ip inside host 192.168.1.2 outside 192.168.50.0 255.255.255.0
    static translation to 10.1.12.164
    translate_hits = 1, untranslate_hits = 0
Additional Information:
Static translate 192.168.1.2/0 to 10.1.12.164/0 using netmask 255.255.255.255
              
Phase: 5      
Type: NAT     
Subtype: host-limits
Result: ALLOW
Config:       
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
  match tcp inside host 192.168.1.2 eq 3389 outside any
    static translation to 99.24.60.86/3389
    translate_hits = 214, untranslate_hits = 216877
Additional Information:
              
Phase: 6      
Type: HOST-LIMIT
Subtype:      
Result: ALLOW
Config:       
Additional Information:
              
Phase: 7      
Type: VPN     
Subtype: encrypt
Result: DROP  
Config:       
Additional Information:
              
Result:       
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop  
Drop-reason: (acl-drop) Flow is denied by configured rule
              
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa#
ciscoasa# packet-tracer input inside tcp 192.168.1.2 12345 192.168.50.100 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4      
Type: NAT     
Subtype:      
Result: ALLOW
Config:       
static (inside,outside) 10.1.12.164  access-list nat
  match ip inside host 192.168.1.2 outside 192.168.50.0 255.255.255.0
    static translation to 10.1.12.164
    translate_hits = 2, untranslate_hits = 0
Additional Information:
Static translate 192.168.1.2/0 to 10.1.12.164/0 using netmask 255.255.255.255
              
Phase: 5      
Type: NAT     
Subtype: host-limits
Result: ALLOW
Config:       
static (inside,outside) tcp interface 3389 192.168.1.2 3389 netmask 255.255.255.255
  match tcp inside host 192.168.1.2 eq 3389 outside any
    static translation to 99.24.60.86/3389
    translate_hits = 214, untranslate_hits = 216877
Additional Information:
              
Phase: 6      
Type: HOST-LIMIT
Subtype:      
Result: ALLOW
Config:       
Additional Information:
              
Phase: 7      
Type: VPN     
Subtype: encrypt
Result: DROP  
Config:       
Additional Information:
              
Result:       
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop  
Drop-reason: (acl-drop) Flow is denied by configured rule

 

Super Bronze

Hi, Seems to me that the

Hi,

 

Seems to me that the "packet-tracer" test matches the correct Static Policy NAT rule.

 

It would seem to suggest that the VPN configurations dont match between this site and the remote site. Or perhaps the remote site has not configured their side yet.

 

If you issue the same "packet-tracer" command once or twice then issue the command "show crypto isakmp sa" it should show us if the Phase1 goes throuhg. You should see the remote VPN device IP address in the output and if the Phase1 goes through you should be seeing "MM_ACTIVE" listed.

 

If you can see that then the problem is probably in the Phase2 configurations in the Crypto Map that you can list with "show run crypto map"

 

- Jouni

 

 

New Member

ciscoasa# show crypto isakmp

ciscoasa# show crypto isakmp sa

There are no isakmp sas
ciscoasa#

 

Super Bronze

Hi, The above "packet-tracer"

Hi,

 

The above "packet-tracer" does match the L2L VPN configurations so you should be seeing something.

 

You might have to keep issuing the "packet-tracer" command and then quickly issuing the "show crypto isakmp sa" command after that. You should be seeing something atleast.

 

- Jouni

New Member

still nothing..  Any other

still nothing..  Any other ideas?  want to ssh in? 

 

 

New Member

Any other ideas?  Kind of

Any other ideas?  Kind of stuck.  Happy to pay you if you can assist in getting this configured.

 

Derek

 

New Member

I now see this: ciscoasa

I now see this:

 

ciscoasa(config)# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 216.117.40.14
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
ciscoasa(config)#

 

128
Views
0
Helpful
18
Replies
CreatePlease login to create content