VPN Problem

impelse Posts: 1,227 Member
I configured two site-to-site VPNs last Monday and they were working fine. We lost power and now one of the sites does not work. I have tried everything I can, so please give me an idea. This is the configuration that I applied (I am connecting one site to two sites):

Main Site configuration (ASA 5510 Ver 7.2)

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
isakmp policy 10 hash md5
isakmp policy 10 lifetime 86400
isakmp enable outside
isakmp identity address
isakmp key abc123 address 20.20.20.1 netmask 255.255.255.255
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
isakmp key abc123 address 20.20.30.1 netmask 255.255.255.255
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 900

crypto map mysites 10 ipsec-isakmp
crypto map mysites 10 match address 101
crypto map mysites 10 set transform-set strong
crypto map mysites 10 set peer 20.20.30.1 (THIS SITE IS WORKING)
crypto map mysites 11 ipsec-isakmp
crypto map mysites 11 match address 101
crypto map mysites 11 set transform-set strong
crypto map mysites 11 set peer 20.20.20.1 (THIS SITE IS NOT WORKING)
crypto map mysites interface outside
sysopt connection permit-ipsec


Site 1. Working

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
isakmp policy 10 hash md5
isakmp policy 10 lifetime 86400
isakmp enable outside
isakmp identity address
isakmp key abc123 address 70.70.70.1 netmask 255.255.255.255
access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 900
crypto map irvington 10 ipsec-isakmp
crypto map irvington 10 match address 101
crypto map irvington 10 set transform-set strong
crypto map irvington 10 set peer 70.70.70.1
crypto map irvington interface outside
sysopt connection permit-ipsec

Site. 2 NOT WORKING

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
isakmp policy 10 hash md5
isakmp policy 10 lifetime 86400
isakmp enable outside
isakmp identity address
isakmp key abc123 address 70.70.70.1 netmask 255.255.255.255
access-list 101 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 900
crypto map rilco 10 ipsec-isakmp
crypto map rilco 10 match address 101
crypto map rilco 10 set transform-set strong
crypto map rilco 10 set peer 70.70.70.1
crypto map rilco interface outside
sysopt connection permit-ipsec

There is no debug output for the site that is not working. I re-applied the configuration, cleared crypto, etc.

Any suggestion, please.

Thanks.
Blog: learn-security.net

Computer Support Houston Area: thehost1.com

Comments

  • networker050184 Posts: 11,962 Mod
    Do the sites have connectivity? Can you ping between the endpoints?
    An expert is a man who has made all the mistakes which can be made.
  • impelse Posts: 1,227 Member
    Yes, the sites have connectivity. I can connect using SSH, and also if I create a static configuration to go to the server inside the network, it works perfectly.
  • networker050184 Posts: 11,962 Mod
    I'd debug to see where the failure is if you can on either the main or remote site. I'm not a VPN expert but the config looks right to me.
  • impelse Posts: 1,227 Member
    When I applied debug crypto isakmp and debug crypto ipsec on the failing remote site, there is nothing to show.

    When I applied debug in the main office, I get information only for the working site.
  • APA Posts: 959 Member
    Don't you need an isakmp policy to match your crypto maps on your ASA???

    E.g. you have isakmp policy 10 for crypto map 10,
    so you should also have isakmp policy 11 for crypto map 11,

    and change your crypto maps and isakmp policies on the router to match what's on your ASA..........

    I've only configured a few VPNs, mainly router-to-router, but I have done some PIX 515e-to-router VPNs and I've always created isakmp policies for each crypto map???

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
  • impelse Posts: 1,227 Member
    Yes, I created policy 11 for crypto map mysites 11, but the ASA told me that policy 10 will take effect instead of policy 11 because they are identical.

    I fixed the problem:

    1. In policy 10, I changed the default lifetime from 24 hours to 500 seconds; this released the SA keys. I had tried to clear the SAs by command and by restarting, but it never worked (I never got any debug output on the failing link, as if there were no VPN configuration at all).

    The failing link came up, but there was no data transfer over it.

    2. I had some errors with the ACL

    access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

    I applied the access-list to the crypto map like this:

    crypto map mysites 10 match address 101
    crypto map mysites 11 match address 101

    And the working link sometimes timed out for this access-list.

    Also I had:

    nat (inside) 0 access-list 101

    So I changed with:

    access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    crypto map mysites 10 match address 101

    access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    crypto map mysites 11 match address 101

    I created another access-list 103 and did with this NAT 0

    access-list 103 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list 103 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
    nat (inside) 0 access-list 103

    So in the end the real problem was the key: when I changed the lifetime, the failing link tried to connect by itself. And from the beginning the access-list gave me some errors for a few seconds.

    Some of you told me that the configuration was right; for that reason I began to concentrate on the keys.


    Thanks
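The ACL problem described in this post, as an added example that is not part of the original thread: a small Python lint that reads the ASA-style lines used above (access-list, crypto map match address / set peer, nat 0) and reports crypto map entries whose interesting traffic is already matched by a lower sequence number bound to a different peer (the ASA binds a flow to the first crypto map entry whose ACL matches, so the second peer never sees it), plus any crypto ACE that lacks a NAT exemption. The "before" sample is a constructed copy of the main-site layout from the first post, with both entries sharing access-list 101; the "after" sample assumes the two per-peer ACLs are named 101 and 102, a naming the resolution post does not state.

```python
"""Lint ASA 7.x-style crypto map configs for shadowed entries and missing
NAT exemptions.  Constructed example; not the forum poster's own tool."""
import ipaddress
import re
from collections import defaultdict

ACL_RE = re.compile(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", re.I)
MATCH_RE = re.compile(r"crypto map (\S+) (\d+) match address (\S+)$", re.I)
PEER_RE = re.compile(r"crypto map (\S+) (\d+) set peer (\S+)$", re.I)
NAT0_RE = re.compile(r"nat \(\S+\) 0 access-list (\S+)$", re.I)


def parse_asa_config(text):
    """Return (acls, crypto_entries, nat0_acls).

    acls:           {acl_name: [(src_network, dst_network), ...]}
    crypto_entries: {(map_name, seq): {"acl": name, "peer": ip}}
    nat0_acls:      ACL names referenced by 'nat (...) 0 access-list'
    """
    acls, crypto, nat0 = defaultdict(list), defaultdict(dict), []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, src, smask, dst, dmask = m.groups()
            # ipaddress accepts dotted netmasks such as 192.168.1.0/255.255.255.0
            acls[name].append((ipaddress.ip_network(f"{src}/{smask}"),
                               ipaddress.ip_network(f"{dst}/{dmask}")))
            continue
        m = MATCH_RE.match(line)
        if m:
            crypto[(m.group(1), int(m.group(2)))]["acl"] = m.group(3)
            continue
        m = PEER_RE.match(line)
        if m:
            crypto[(m.group(1), int(m.group(2)))]["peer"] = m.group(3)
            continue
        m = NAT0_RE.match(line)
        if m:
            nat0.append(m.group(1))
    return acls, crypto, nat0


def lint_crypto_maps(text):
    """Return a list of findings; an empty list means no problem was found."""
    acls, crypto, nat0 = parse_asa_config(text)
    nat_exempt = [pair for name in nat0 for pair in acls.get(name, [])]
    findings = []

    by_map = defaultdict(list)
    for (name, seq), entry in crypto.items():
        by_map[name].append((seq, entry))

    for name, entries in by_map.items():
        entries.sort(key=lambda e: e[0])
        earlier = []  # (seq, peer, src, dst) already claimed by lower sequence numbers
        for seq, entry in entries:
            acl, peer = entry.get("acl"), entry.get("peer")
            if acl is None or peer is None:
                findings.append(f"{name} {seq}: needs both 'match address' and 'set peer'")
                continue
            for src, dst in acls.get(acl, []):
                # Crypto map entries are evaluated in sequence order and the first
                # matching ACE wins, so an overlapping ACE under a lower sequence
                # number with a different peer captures this flow.
                for pseq, ppeer, psrc, pdst in earlier:
                    if ppeer != peer and src.overlaps(psrc) and dst.overlaps(pdst):
                        findings.append(
                            f"{name} {seq}: {src} -> {dst} is already matched by entry "
                            f"{pseq} (peer {ppeer}); it will never be sent to {peer}")
                # Interesting traffic must be exempt from NAT, or the translated
                # source address no longer matches the crypto ACL.
                if not any(src.subnet_of(ns) and dst.subnet_of(nd) for ns, nd in nat_exempt):
                    findings.append(f"{name} {seq}: {src} -> {dst} has no 'nat 0' exemption")
                earlier.append((seq, peer, src, dst))
    return findings


# Constructed copy of the main-site layout from the first post: one shared ACL.
BEFORE = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list 101
crypto map mysites 10 match address 101
crypto map mysites 10 set peer 20.20.30.1
crypto map mysites 11 match address 101
crypto map mysites 11 set peer 20.20.20.1
"""

# Per-peer crypto ACLs plus a combined NAT-exemption ACL; the name 102 is assumed.
AFTER = """
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list 103 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 103 permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
nat (inside) 0 access-list 103
crypto map mysites 10 match address 101
crypto map mysites 10 set peer 20.20.30.1
crypto map mysites 11 match address 102
crypto map mysites 11 set peer 20.20.20.1
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {lint_crypto_maps(cfg) or 'clean'}")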
  • Aquabat [banned] Posts: 299 Inactive Imported Users
    nat (inside) 0 access-list 101

    Does this mean that access-list 101 would not be NAT'ed?

    Because it's pool 0?

    <----nub
    i herd u leik mudkips lol
  • dtlokee Posts: 2,381 Member
    Aquabat wrote:
    Nat (inside) 0 access-list 101

    does this mean that access-list 101 would not be nat'ed?

    because it's pool 0?

    <----nub

    Yes, when sending traffic over the VPN to a remote site you don't want the addresses to be translated.
    The only easy day was yesterday!