04-10-2008 12:47 AM - edited 03-03-2019 09:29 PM
Hi,
Wondered if I could use your knowledge.
Currently I have all my site-to-site VPNs and Cisco Client VPNs coming into a Cisco Concentrator. But now I have these ASAs and I want to start moving all this over from the Concentrator.
I have managed to move the Cisco Client users over, but I am having a little trouble with a site-to-site. It's only a test at the moment, but I wondered if you can see what I need to add.
Here is the setup:
  |                                                               |
--|                                                               |--
  |   +-----------+      /-^-^-^-^--\      +-----------+          |
  |---|  London   |=====|  Internet  |=====|  Remote   |----------|
  | LAN+----------+Ext   \--v-v-v-v-/   Ext+-----------+LAN       |
--| 192.168.21.0   100.171.156.65   101.149.110.103   172.19.15.0 |--
  | 192.168.20.0                                                  |
The IKE Phase 1 parameters used are:
* Main mode
* AES-256
* SHA
* DH Group 5
* pre-shared secret of "123456789"
* SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying
The IKE Phase 2 parameters used are:
* AES-256
* SHA
* DH Group 5
* Perfect forward secrecy for rekeying
* SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
Trusted networks in London are 192.168.21.0/24 and 192.168.20.0/24 (known as London_VPN_Subnets), and at the remote site 172.19.15.0/24.
The firewall's outside is 100.x.x.66 and the Internet router is 100.x.x.65.
I have added the following to the config:
access-list inside_outbound_nat0_acl extended permit ip object-group London_VPN_Subnets 172.19.15.0 255.255.255.0
sysopt noproxyarp inside
service resetoutside
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-256-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 101.149.110.103
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
tunnel-group 101.149.110.103 type ipsec-l2l
tunnel-group 101.149.110.103 ipsec-attributes
 pre-shared-key 123456789
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 100.171.156.65
What am I missing? It seems I need a route to contact this remote network, plus some access lists. Any ideas?
I don't want any/many ACEs, as these create two unidirectional IPsec SAs; using host-based ACEs is not recommended as these use resources.
Many thanks if you get a chance
04-10-2008 02:47 AM
Try adding:
access-list outside_1_cryptomap extended permit ip object-group London_VPN_Subnets 172.19.15.0 255.255.255.0
04-10-2008 03:05 AM
My fault I already have that.
I seem to be getting QM FSM errors on either side too when I do debug crypto ipsec and isakmp.
Is this to do with the protected networks not matching?
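A QM FSM error is a Phase 2 (quick mode) failure, and the usual causes are proxy IDs (crypto ACLs) or Phase 2 parameters that do not match between the two peers. The check below is an added example, not part of the thread: it parses a constructed copy of the posted ASA lines and compares them against the Phase 1 / Phase 2 parameters listed in the first post, flagging the items that commonly break quick mode (the ASA default PFS group when `set pfs` is given without a group keyword is assumed to be group2).

```python
import re

# Parameters stated in the post for Phase 1 and Phase 2.
REQUIRED = {
    "p1": {"encryption": "aes-256", "hash": "sha", "group": "5"},
    "p2": {"pfs_group": "group5", "lifetime": "3600"},
}

# Constructed copy of the relevant lines from the posted configuration.
CONFIG = """\
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 101.149.110.103
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto isakmp identity hostname
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
"""

def parse_isakmp_policies(cfg):
    """Return {policy_number: {attribute: value}} from the isakmp policy blocks."""
    policies, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            current[key] = val
        else:
            current = None  # any other top-level line ends the policy block
    return policies

def check_config(cfg, req=REQUIRED):
    """Return findings that explain a Phase 2 (QM FSM) mismatch against the stated parameters."""
    findings = []
    p1 = req["p1"]
    if not any(all(p.get(k) == p1[k] for k in p1) for p in parse_isakmp_policies(cfg).values()):
        findings.append("no isakmp policy matches the Phase 1 proposal")
    # 'set pfs' with no group keyword means the platform default, assumed group2 here.
    m = re.search(r"crypto map \S+ \d+ set pfs(?: (group\d+))?", cfg)
    pfs = (m.group(1) or "group2") if m else None
    if pfs != req["p2"]["pfs_group"]:
        findings.append(f"PFS group {pfs} configured, Phase 2 spec requires {req['p2']['pfs_group']}")
    if "set security-association lifetime seconds" not in cfg:
        findings.append("Phase 2 lifetime left at the default; spec says 3600s (negotiated down, not fatal)")
    if "crypto isakmp identity hostname" in cfg:
        findings.append("isakmp identity is hostname; verify the peer accepts it for an IP-keyed tunnel-group")
    return findings
```

The PFS finding is the one to look at first: the post asks for DH group 5 with PFS, but `set pfs` with no group keyword proposes a different group, so the peer rejects the quick mode proposal.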