P2P VPN Tunnel Giving Me Nightmares

darkerz

We have 50 of these, boiler plate configs. On this ASA, I have the tunnel UP and RUNNING.

Phase 1 good, Phase 2 good.

Traffic will not cross once the tunnel is up for internet connectivity nor VPN/LAN connectivity.

See configs below;


//////////


Asa 5505 config:


crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400


crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac




access-list encrypt_acl extended permit ip 10.250.37.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 10.250.37.0 255.255.255.0 any
access-list inside_access_in extended permit ip any any




global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list inside_nat0_outbound
access-group inside_access_in in interface inside






tunnel-group xxxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxx ipsec-attributes
pre-shared-key xxxxxxx



crypto map IPSec_map 10 match address encrypt_acl
crypto map IPSec_map 10 set peer xxxx
crypto map IPSec_map 10 set transform-set myset
crypto map IPSec_map interface outside
crypto isakmp enable outside



crypto isakmp enable outside




VPN Gate relevant configuration:


VPN Gate ( 50 + working connections just like this one )

name 10.250.37.0 xxxxx
object-group network xxxx
description xxxx
network-object 10.250.37.0 255.255.255.0

access-list Outside_cryptomap_82 extended permit ip any 10.250.37.0 255.255.255.0
route Outside 10.250.37.0 255.255.255.0 x.x.x.x 1

crypto map Outside_map0 82 match address Outside_cryptomap_82
crypto map Outside_map0 82 set pfs
crypto map Outside_map0 82 set peer x.x.x.x
crypto map Outside_map0 82 set transform-set xxxxx
crypto map Outside_map0 82 set phase1-mode aggressive

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *

Since the tunnel is up I'm positive I'm destroying an ACL or NAT setting somewhere, but for the life of me I can't find it. The only thing I can think of is replacing the any statements on the ACL's and NAT to match to specific objects and object groups on both sites.

Help?

darkerz

Here is the VPN Gate ( far end ) show commands:



VPN GATE


28 IKE Peer: 777777
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 86400



VPNgate3# sh isakmp sa detail


Active SA: 29
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 29


VPNgate3# sh ipsec sa peer 777777
peer address: 777777
Crypto map tag: Outside_map0, seq num: 8, local addr: 66666666


access-list Outside_cryptomap_3 extended permit ip any 10.250.37.0 255.255.255.0
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.250.37.0/255.255.255.0/0/0)
current_peer: 777777


#pkts encaps: 226, #pkts encrypt: 226, #pkts digest: 226
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 226, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0


local crypto endpt.: 66666666, remote crypto endpt.: 777777


path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 9071E74C
current inbound spi : F5863D5C


inbound esp sas:
spi: 0xF5863D5C (4119215452)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 200077312, crypto-map: Outside_map0
sa timing: remaining key lifetime (kB/sec): (3915000/28419)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x9071E74C (2423383884)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 200077312, crypto-map: Outside_map0
sa timing: remaining key lifetime (kB/sec): (3914986/28419)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001




Here is the ASA5505 show commands

ASA 5505


sdfsdfsdfsdf# show isakmp sa


Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1


1 IKE Peer: 66666666
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
gsdgsdfsdfsdf# sh ipsec sa peer 66666666
peer address: 66666666
Crypto map tag: IPSec_map, seq num: 10, local addr: 777777


access-list encrypt_acl extended permit ip 10.250.37.0 255.255.255.0 any
local ident (addr/mask/prot/port): (10.250.37.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 66666666


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 126, #pkts decrypt: 126, #pkts verify: 126
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0


local crypto endpt.: 777777, remote crypto endpt.: 66666666


path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: F5863D5C
current inbound spi : 9071E74C


inbound esp sas:
spi: 0x9071E74C (2423383884)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12288, crypto-map: IPSec_map
sa timing: remaining key lifetime (kB/sec): (4373992/28582)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xF5863D5C (4119215452)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12288, crypto-map: IPSec_map
sa timing: remaining key lifetime (kB/sec): (4374000/28582)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001