
Site-to-Site VPN Tunnel

RS_MCP Member Posts: 352
Hi All,

I am trying to configure a Site-to-Site VPN tunnel from a Cisco Router > ASA.

I have configured the Router as the following and also replicated on the ASA but still can not seem to establish the VPN Tunnel, any ideas or troubleshooting steps/help?

!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key ****** address ***.***.***.***
crypto isakmp identity hostname
!
!
crypto ipsec transform-set TEST esp-3des esp-sha-hmac
!
!
crypto map MAP 100 ipsec-isakmp
set peer ***.***.***.***
set transform-set TEST
set pfs group2
match address 101
!
!
Extended IP access list 101
10 permit ip 172.16.161.0 0.0.0.255 172.16.196.0 0.0.0.255 (10 matches)
Extended IP access list 110
10 deny ip 172.16.161.0 0.0.0.255 172.16.196.0 0.0.0.255 (10 matches)
20 permit ip 172.16.161.0 0.0.0.255 any
!
!
interface Ethernet0/0
description ***Outside Interface***
ip address ***.***.***.*** 255.255.255.0
ip nat outside
full-duplex
crypto map MAP
!
!

Your help is much appreciated.

Comments

  • pitviper Member Posts: 1,376
    First, do a “show crypto isakmp sa” and see if the tunnel status is ACTIVE.

    Looks like you are NATing on the router as well. If so, you’ll need to prevent the local subnet from being NATted across the tunnel. This can be done by adding a route-map to the NAT statement – the route-map will basically point to an access-list that denies ROUTER SUBNET -> ASA SUBNET, and allows everything else from the ROUTER SUBNET -> any.
    CCNP:Collaboration, CCNP:R&S, CCNA:S, CCNA:V, CCNA, CCENT
  • pitviper Member Posts: 1,376
    Example of the router side config - you can see the NAT statement and route-map syntax here:

    Configuring IPSec Router-to-Router with NAT Overload and Cisco Secure VPN Client - Cisco Systems
    CCNP:Collaboration, CCNP:R&S, CCNA:S, CCNA:V, CCNA, CCENT
  • I'm going to lab this up tomorrow between an ASA 5505 (8.2) and a 2611XM (12.4).

    I'll post up the configs.
    "There are 3 types of people in this world, those who can count and those who can't"
  • RS_MCP Member Posts: 352
    I'm going to lab this up tomorrow between an ASA 5505 (8.2) and a 2611XM (12.4).

    I'll post up the configs.

    Sounds good, look forward to it...
  • chrisone Member Posts: 2,278
    We really need both configs on here to match up both sides, but for kicks try this:

    Remove the pfs group, that's probably what's messing things up. Just an idea.

    crypto map MAP 100 ipsec-isakmp
    set peer ***.***.***.***
    set transform-set TEST
    set pfs group2
    match address 101
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • wastedtime Member Posts: 586
    Other than comparing your configs and verifying IP addresses, I would check to make sure it knows how to route through the VPN on both sides.
  • Here are the relevant sections of config from an ASA 5505 (8.2) and a 2611XM (12.4) with a working site-to-site VPN.

    Notes:
    "sysopt connection permit-vpn" is configured on the ASA so I don't need to create an ACL to allow the VPN traffic from the remote network.
    I didn't configure any lifetimes, left at default.
    PFS not configured.
    Had to do a bit of research for the Router config but was mostly the same as the ASA which I'm more used to. NAT exemption on the Router is a bit different.

    ASA
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.10.10.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 1.1.1.2 255.255.255.252
    !
    access-list VPN extended permit ip host 10.10.10.2 host 192.168.1.35
    !
    global (outside) 1 interface
    nat (inside) 0 access-list VPN
    nat (inside) 1 10.10.10.0 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
    !
    crypto ipsec transform-set TRANS esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map StoS 1 match address VPN
    crypto map StoS 1 set peer 2.2.2.2
    crypto map StoS 1 set transform-set TRANS
    crypto map StoS interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    !
    tunnel-group 2.2.2.2 type ipsec-l2l
    tunnel-group 2.2.2.2 ipsec-attributes
    pre-shared-key *



    Router
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key * address 1.1.1.2
    !
    crypto isakmp peer address 1.1.1.2
    !
    crypto ipsec transform-set TRANS-R esp-3des esp-sha-hmac
    !
    crypto map SITE-R 1 ipsec-isakmp
    set peer 1.1.1.2
    set transform-set TRANS-R
    match address VPN-R
    !
    interface FastEthernet0/0
    ip address 2.2.2.2 255.255.255.252
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map SITE-R
    !
    interface FastEthernet0/1
    ip address 192.168.1.2 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    ip route 0.0.0.0 0.0.0.0 2.2.2.1
    !
    ip nat inside source list NAT interface FastEthernet0/0 overload
    !
    ip access-list extended NAT
    deny ip host 192.168.1.35 host 10.10.10.2
    permit ip 192.168.1.0 0.0.0.255 any
    ip access-list extended VPN-R
    permit ip host 192.168.1.35 host 10.10.10.2
    !
    route-map nonat permit 10
    match ip address NAT
    "There are 3 types of people in this world, those who can count and those who can't"
  • RS_MCP Member Posts: 352
    I still cannot seem to establish the Tunnel between the Router and ASA. Please see configurations below:

    Router:

    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key *** address ***
    !
    crypto isakmp peer address ***
    !
    crypto ipsec transform-set TEST esp-3des esp-sha-hmac
    !
    crypto map MAP 100 ipsec-isakmp
    set peer ***
    set transform-set TEST
    set pfs group2
    match address 101
    !
    interface Ethernet0/0
    description ***Outside Interface***
    ip address *** 255.255.255.0
    ip nat outside
    full-duplex
    crypto map MAP
    !
    interface Ethernet0/1
    description ***Inside Interface***
    ip address 172.16.161.1 255.255.255.0
    ip nat inside
    full-duplex
    !
    ip nat inside source list 110 interface Ethernet0/0 overload
    no ip http server
    no ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 Ethernet0/0 100
    !
    access-list 101 permit ip 172.16.161.0 0.0.0.255 172.16.196.0 0.0.0.255
    access-list 110 deny ip 172.16.161.0 0.0.0.255 172.16.196.0 0.0.0.255
    access-list 110 permit ip 172.16.161.0 0.0.0.255 any
    !




    ASA:

    !
    interface Ethernet0/0
    nameif Outside
    security-level 0
    ip address *** 255.255.255.248
    !
    interface Ethernet0/1
    nameif Inside
    security-level 100
    ip address 172.16.196.1 255.255.255.0
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map Outside_map 1 match address Outside_1_cryptomap
    crypto map Outside_map 1 set pfs
    crypto map Outside_map 1 set peer ***
    crypto map Outside_map 1 set transform-set ESP-3DES-SHA
    crypto map Outside_map interface Outside
    crypto isakmp enable Outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    !
    tunnel-group *** type ipsec-l2l
    tunnel-group *** ipsec-attributes
    pre-shared-key *****
    !
    object network NETWORK_OBJ_172.16.196.0_24
    subnet 172.16.196.0 255.255.255.0
    access-list Outside_1_cryptomap extended permit ip 172.16.196.0 255.255.255.0 172.16.161.0 255.255.255.0
  • Netstudent Member Posts: 1,693
    Assuming you can route between peers, did you create a NAT exemption on the ASA for the interesting traffic?

    Also IOS and ASA default to different timers. Try hardcoding timer values for isakmp and ipsec on the router in the isakmp policy and the crypto map to match the ASA's 86400 phase 1 and 28800 phase 2.

    May also want to hardcode sha on the router's isakmp policy.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
  • RS_MCP Member Posts: 352
    I have my NAT Exemption in place on the ASA.

    As for the timers, this should not stop the Tunnel establishing.

    I still cannot get it to work, any debugging tips?
  • wastedtime Member Posts: 586
    Not saying this is everything, but a quick look at it shows you are using pfs group 2 on the router and group 1 on the ASA.
  • tdox Member Posts: 4
    What version of ASA are you using? 8.3 handles NAT a little differently than older versions. https://cisco-support.hosted.jivesoftware.com/docs/DOC-11639?decorator=print
  • RS_MCP Member Posts: 352
    wastedtime wrote: »
    Not saying this is everything, but a quick look at it shows you are using pfs group 2 on the router and group 1 on the ASA.

    The ASA is using pfs group 2, however this is never shown in the CLI.
  • Do you have the below in your router config?

    route-map nonat permit 10
    match ip address 110


    Use the debug commands for isakmp and ipsec. Should help you out.
    "There are 3 types of people in this world, those who can count and those who can't"
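
An added example, not part of any post in this thread: a short Python check of the two things the replies ask to compare, whether the crypto ACLs mirror each other and whether PFS is written the same way on both peers. It uses lines copied from the router and ASA configs posted above; the function names are illustrative and only `permit ip <net> <mask> <net> <mask>` entries are handled.

```python
import ipaddress
import re

# Relevant lines copied from the router and ASA configs posted in the thread.
ROUTER = """\
crypto map MAP 100 ipsec-isakmp
 set pfs group2
 match address 101
access-list 101 permit ip 172.16.161.0 0.0.0.255 172.16.196.0 0.0.0.255
"""
ASA = """\
crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set pfs
access-list Outside_1_cryptomap extended permit ip 172.16.196.0 255.255.255.0 172.16.161.0 255.255.255.0
"""
ACE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")

def net(addr, mask, wildcard):
    """Build a network from an address plus an IOS wildcard or an ASA netmask."""
    if wildcard:  # IOS ACLs use inverted masks: 0.0.0.255 -> 255.255.255.0
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}")

def crypto_acl(config, name, wildcard):
    """Return sorted (source, destination) network pairs for the named ACL."""
    pairs = []
    for line in config.splitlines():
        m = ACE.search(line)
        if m and line.startswith(f"access-list {name} "):
            s, sm, d, dm = m.groups()
            pairs.append((net(s, sm, wildcard), net(d, dm, wildcard)))
    return sorted(pairs)

def pfs(config):
    """Return PFS as written: None (absent), 'default' (no group), or the group."""
    m = re.search(r"set pfs[ \t]*(\S*)", config)
    return None if not m else (m.group(1) or "default")

def compare(router, asa):
    """List differences; a bare 'set pfs' is reported, not resolved to a group."""
    findings = []
    r_acl = crypto_acl(router, "101", wildcard=True)
    a_acl = crypto_acl(asa, "Outside_1_cryptomap", wildcard=False)
    if r_acl != sorted((d, s) for s, d in a_acl):
        findings.append("crypto ACLs are not mirror images")
    if pfs(router) != pfs(asa):
        findings.append(f"PFS differs as written: router={pfs(router)} asa={pfs(asa)}")
    return findings

print(compare(ROUTER, ASA))
```

A finding of `asa=default` means the group in use has to be confirmed on the device itself, since the config text alone does not show it.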