VPN Problem

I configured two vpns site to sites last Monday and It was working fine, we lost power and now one of the sites does not work, I tired everything that I can, so please give me an Idea, this is the configuration that I applied (I am connecting one site to two sites)

Main Site configuration (ASA 5510 Ver 7.2)

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
isakmp policy 10 hash md5
isakmp policy 10 lifetime 86400
isakmp enable outside
isakmp identity address
isakmp key abc123 address 20.20.20.1 netmask 255.255.255.255
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
isakmp key abc123 address 20.20.30.1netmask 255.255.255.255
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 900

crypto map mysites 10 ipsec-isakmp
crypto map mysites 10 match address 101
crypto map mysites 10 set transform-set strong
crypto map mysites 10 set peer 20.20.30.1 (THIS SITE IS WORKING)
crypto map mysites 11 ipsec-isakmp
crypto map mysites 11 match address 101
crypto map mysites 11 set transform-set strong
crypto map mysites 11 set peer 20.20.20.1 (THIS SITE IS NOT WORKING)
crypto map mysites interface outside
sysopt connection permit-ipsec

Site 1. Working

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
isakmp policy 10 hash md5
isakmp policy 10 lifetime 86400
isakmp enable outside
isakmp identity address
isakmp key abc123 address 70.70.70.1 netmask 255.255.255.255
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 900
crypto map irvington 10 ipsec-isakmp
crypto map irvington 10 match address 101
crypto map irvington 10 set transform-set strong
crypto map irvington 10 set peer 70.70.70.1
crypto map irvington interface outside
sysopt connection permit-ipsec

Site. 2 NOT WORKING

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
isakmp policy 10 hash md5
isakmp policy 10 lifetime 86400
isakmp enable outside
isakmp identity address
isakmp key abc123 address 70.70.70.1 netmask 255.255.255.255
access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 900
crypto map rilco 10 ipsec-isakmp
crypto map rilco 10 match address 101
crypto map rilco 10 set transform-set strong
crypto map rilco 10 set peer 70.70.70.1
crypto map rilco interface outside
sysopt connection permit-ipsec

There is not debug for the site that is not working, I re-applied the configuration, clear crypto, etc.

Any sugestion please.

Thanks.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

networker050184

Do the sites have connectivity? Can you ping between the endpoints?

impelse

Yes, the sites have connectivity, I can connect using ssh and also If I create a static configuration to go to the server inside of the network worked perfect.

networker050184

I'd debug to see where the failure is if you can on either the main or remote site. I'm not a VPN expert but the config looks right to me.

impelse

When I applied the debug crypto isakmp and debug crypto ipsec to the fail remote site there is not nothing to show.

When I applied debug in the Main Office I have information only for the working site.

APA

Don't you need a isakmp policy to match your crypto maps on your ASA???

Eg.. You have isakmp policy 10 for crypto map 10
so you should also have isakmp policy 11 for crypto map 11

and change your crpyto maps and isakmp policies on the router to match whats on your ASA..........

I've only configured a few VPN's mainly router to router but I have done some PIX 515e to router VPN's and I've always created isakmp policies for each crypto map???

impelse

Yes, I created the Policy 11 for the crypto map mysties 11 but the ASA told me that the Policy 10 will take place for policy 11 because they are identical.

I fixed the problem:

In the policy 10, I changed the default Lifetime from 24 hours to 500 seconds, this release the SA keys I tried to clear the policy by commands and restart but never worked ( I never got any debug in the fail link, like if there is not configuration for VPN)

The fail link came up but there was not any data trasfer with this link.

2. I had some errors with the ACL

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

I applied the access-list to cryto like:

crypto map mysites 10 match address 101
crypto map mysites 11 match address 101

And the working link some times had Timeout for this access-list

Also I had:

Nat (inside) 0 access-list 101

So I changed with:

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map mysites 10 match address 101

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
crypto map mysites 11 match address 101

I created another access-list 103 and did with this NAT 0

access-list 103 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 103 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list 103

So at the end the real problem was the key, when I changed the lifetime the fail link tried to connected itself. And from the beginning the access-list gave me some errors for some seconds.

Some of you told me that the configuration was right for that reason I begin to concentrate and the keys..

Thanks

Aquabat [banned]

Nat (inside) 0 access-list 101

does this mean that access-list 101 would not be nat'ed?

because it's pool 0?

<----nub

dtlokee

Aquabat wrote:

Nat (inside) 0 access-list 101

does this mean that access-list 101 would not be nat'ed?

because it's pool 0?

<----nub

Yes, when sending traffic over the VPN to a remote site you don't want the addresses to be translated.