Site 2 Site VPN (Dynamic IP on one end)

[maynarja]

I cannot get the site to come up. I do believe that I should be using a dynamic map but I also tried and it fails as well. It looks like it fails within phase 1.

Remote A - internal net - 172.16.0.0/20 and 10.0.3.0/24
Remote B - internal net - 192.168.12.0/24

I also have set both sides to aggressive mode.

Can someone show me a proper config with the informations below?

##########
Remote A
##########

isakmp enable outside
isakmp identity auto
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

access-list outside_cryptomap_20 permit ip 10.0.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.16.0.0 255.255.240.0 192.168.12.0 255.255.255.0

crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac

crypto map StaticMap 20 match address outside_cryptomap_20
crypto map StaticMap 20 set peer 0.0.0.0 [Not sure as I do not see this in the config after I enter it]
crypto map StaticMap 20 set transform-set Site2Site
isakmp key presharekey 0.0.0.0 netmask 0.0.0.0 no-xauth

crypto map StaticMap interface outside

access-list nonat extended permit ip 10.0.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.240.0 192.168.12.0 255.255.255.0
nat (inside) 0 access-list nonat

#########
REMOTE B
#########

isakmp enable outside
isakmp identity auto
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 172.16.0.0 255.255.240.0


crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac

crypto map StaticMap 20 match address outside_cryptomap_20
crypto map StaticMap 20 set peer XXX.XXX.XXX.XXX
crypto map StaticMap 20 set transform-set Site2Site
isakmp key presharekey address XXX.XXX.XXX.XXX netmask 255.255.255.255 no-xauth


crypto map StaticMap interface outside

access-list nonat extended permit ip 192.168.12.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.12.0 255.255.255.0 172.16.0.0 255.255.240.0
nat (inside) 0 access-list nonat

 

[NetworkGhost]

Make sure the following lines reference the IP addresses of the opposite site. Dont need Dynamic maps for site to site.

REMOTE A:

crypto map StaticMap 20 set peer REMOTE-B-OUTISDEINTIP
crypto map StaticMap 20 set transform-set Site2Site
isakmp key presharekey address REMOTE-B-OUTISDEINTIP netmask 255.255.255.255 no-xauth


REMOTEB:

crypto map StaticMap 20 set peer REMOTE-A-OUTISDEINTIP
crypto map StaticMap 20 set transform-set Site2Site
isakmp key presharekey address REMOTE-A-OUTISDEINTIP netmask 255.255.255.255 no-xauth

Free Firewall/Network/Systems Support-

http://firewalls.ath.cx

 

[maynarja]

Sorry --

Remote A = Static External IP

Remote B = Dynamic External IP

 

[NetworkGhost]

Ok Sorry about that. Try this Link.

http://www.cisco.com/en/US/products...s_configuration_example09186a0080094680.shtml

Free Firewall/Network/Systems Support-

http://firewalls.ath.cx

 

[maynarja]

I have tried that site as well.

It have even tried setting both as static for a bit and still cannot get past Phase 1.

Here are the configs

#########
REMOTE A
#########
isakmp enable outside
isakmp identity auto
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 192.168.12.0 255.255.255.0 172.16.0.0 255.255.240.0


crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac

crypto map StaticMap 20 match address outside_cryptomap_20
crypto map StaticMap 20 set peer REMOTEIP
crypto map StaticMap 20 set transform-set Site2Site
crypto map StaticMap 20 set pfs group2 [Tried with and without]

tunnel-group REMOTEIP type ipsec-l2l
tunnel-group REMOTEIP ipsec-attributes
pre-shared-key PRESHARE


crypto map StaticMap interface outside

access-list nonat extended permit ip 192.168.12.0 255.255.255.0 10.0.3.0 255.255.255.0
access-list nonat extended permit ip 192.168.12.0 255.255.255.0 172.16.0.0 255.255.240.0
nat (inside) 0 access-list nonat

#########
REMOTE B
#########
isakmp enable outside
isakmp identity auto
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

access-list outside_cryptomap_20 permit ip 10.0.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.16.0.0 255.255.240.0 192.168.12.0 255.255.255.0


crypto ipsec transform-set Site2Site esp-3des esp-sha-hmac

crypto map StaticMap 20 match address outside_cryptomap_20
crypto map StaticMap 20 set peer REMOTEIP
crypto map StaticMap 20 set transform-set Site2Site
crypto map StaticMap 20 set pfs group2 [Tried with and without]

tunnel-group REMOTEIP type ipsec-l2l
tunnel-group 99.REMOTEIP ipsec-attributes
pre-shared-key PRESHARE


crypto map StaticMap interface outside

access-list nonat extended permit ip 10.0.3.0 255.255.255.0 192.168.12.0 255.255.255.0
access-list nonat extended permit ip 172.16.0.0 255.255.240.0 192.168.12.0 255.255.255.0
nat (inside) 0 access-list nonat

#####################################
Here is a part of the debug: REMOTE B
#####################################
Aug 18 07:18:25 [IKEv1 DEBUG]: IP = REMOTEIP, IKE MM Responder FSM error history (struct &0x351ecd8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
Aug 18 07:18:25 [IKEv1 DEBUG]: IP = REMOTEIP, IKE SA MM:1383969c terminating: flags 0x01000002, refcnt 0, tuncnt 0
Aug 18 07:18:25 [IKEv1 DEBUG]: IP = REMOTEIP, sending delete/delete with reason message
Aug 18 07:18:25 [IKEv1]: IP = REMOTEIP, Removing peer from peer table failed, no match!
Aug 18 07:18:25 [IKEv1]: IP = REMOTEIP, Error: Unable to remove PeerTblEntry
Aug 18 07:18:26 [IKEv1 DEBUG]: IP = REMOTEIP, IKE MM Responder FSM error history (struct &0x351f478) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG3, NullEvent
Aug 18 07:18:26 [IKEv1 DEBUG]: IP = REMOTEIP, IKE SA MM:c8b7e093 terminating: flags 0x01000002, refcnt 0, tuncnt 0
Aug 18 07:18:26 [IKEv1 DEBUG]: IP = REMOTEIP, sending delete/delete with reason message
Aug 18 07:18:26 [IKEv1]: IP = REMOTEIP, Removing peer from peer table failed, no match!
Aug 18 07:18:26 [IKEv1]: IP = REMOTEIP, Error: Unable to remove PeerTblEntry

I am starting to think it has to do woth trying XAUTH but ASA does not use isa key .......... noxauth

Double check the config, second eyes is always helpfull?

 

[maynarja]

Resolved.

I missed putting in the outside default route!

I also had to use dynamic maps as one end was a dynamic IP.