Hey Everyone,
I'm having some trouble. I'm unable to get past phase 2 in the IKE authentication. It seems to me that these 2801s are a pita to get working with VPNs. I've double-checked everything I could think of to get it working and I'm still having trouble. I have posted the configs below. Thanks for the help!!
ASA Version 8.2(2)
!
hostname asa5505-3
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 10.100.0.0 Mgmt
name 172.16.1.0 CEO-subnet
name 10.10.0.0 HR
name 192.168.4.0 routerlink
!
interface Vlan1
nameif inside
security-level 100
ip address 10.41.1.254 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
ip address 100.1.3.1 255.255.0.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list inside_access_in_1 extended permit ip any any
access-list outside_1_cryptomap extended permit ip 10.41.0.0 255.255.0.0 CEO-subnet 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.41.0.0 255.255.0.0 CEO-subnet 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.41.0.0 255.255.0.0 HR 255.255.0.0
access-list outside_2_cryptomap extended permit ip 10.41.0.0 255.255.0.0 routerlink 255.255.255.252
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in_1 in interface inside control-plane
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
!
router ospf 1
network 10.41.0.0 255.255.0.0 area 0
area 0
log-adj-changes
!
route outside 0.0.0.0 0.0.0.0 100.1.1.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
http Mgmt 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 100.1.2.1
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer 100.1.4.1
crypto map outside_map 2 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 100.1.2.1 type ipsec-l2l
tunnel-group 100.1.2.1 ipsec-attributes
pre-shared-key *****
tunnel-group 100.1.4.1 type ipsec-l2l
tunnel-group 100.1.4.1 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect tftp
!
service-policy global_policy global
prompt hostname context
**********ROUTER CONFIG*********
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
ip cef
!
!
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 5
crypto isakmp key lolvpnlol address 100.1.3.1
!
!
crypto ipsec transform-set sha-aes-128 esp-aes esp-sha-hmac
!
crypto map sitetosite 1 ipsec-isakmp
set peer 100.1.3.1
set transform-set sha-aes-128
match address vpn-acl
!
crypto map vpn-policy 1 ipsec-isakmp
set peer 100.1.3.1
set transform-set sha-aes-128
match address vpn-acl
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 100.1.4.1 255.255.0.0
duplex auto
speed auto
crypto map vpn-policy
!
interface FastEthernet0/1
ip address 192.168.4.1 255.255.255.252
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 192.168.4.0 0.0.0.3 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 100.1.1.254 permanent
!
!
ip http server
no ip http secure-server
!
ip access-list extended vpn-acl
permit ip 192.168.4.0 0.0.0.3 10.41.0.0 0.0.255.255
!
!
!
!
!
!
!
control-plane
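Added by the editor, not code from the poster: a small Python checker that reads the Phase 2 pieces of the two posted configs (ASA 8.2 crypto map entry 2 and the IOS map vpn-policy) and reports the usual reasons a site-to-site Phase 2 stalls: crypto ACLs that are not exact mirror images, PFS set on one side only, and ASA traffic that is not exempted from NAT. The snippets are constructed from the lines in the post; the parser only understands the `permit ip <net> <mask> <net> <mask>` form used there. Run against the posted lines it flags two candidates worth checking: `set pfs group5` exists only on the ASA entry, and `inside_nat0_outbound` has no entry for 10.41.0.0/16 to the routerlink /30, so on 8.2 that traffic is PAT'd to the outside interface before the crypto map is consulted.

```python
"""Cross-check an ASA 8.2 crypto-map entry against an IOS crypto map for the
Phase 2 mismatches that most often stop a site-to-site tunnel.  Editor-added
example; the two snippets below are constructed from the posted configs."""
import ipaddress

ASA_SNIPPET = """\
name 192.168.4.0 routerlink
name 172.16.1.0 CEO-subnet
access-list outside_2_cryptomap extended permit ip 10.41.0.0 255.255.0.0 routerlink 255.255.255.252
access-list inside_nat0_outbound extended permit ip 10.41.0.0 255.255.0.0 CEO-subnet 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group5
crypto map outside_map 2 set peer 100.1.4.1
"""

IOS_SNIPPET = """\
crypto map vpn-policy 1 ipsec-isakmp
 set peer 100.1.3.1
 set transform-set sha-aes-128
 match address vpn-acl
ip access-list extended vpn-acl
 permit ip 192.168.4.0 0.0.0.3 10.41.0.0 0.0.255.255
"""


def asa_net(addr, mask, names):
    """Resolve an ASA 'name' alias and build a network from address + subnet mask."""
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)


def parse_asa(text):
    """Return (acls, crypto-map entries, nat0 ACL name) from ASA 8.2 config lines."""
    names, acls, maps, nat0 = {}, {}, {}, None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "name":
            names[w[2]] = w[1]
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"] and len(w) >= 9:
            acls.setdefault(w[1], []).append(
                (asa_net(w[5], w[6], names), asa_net(w[7], w[8], names)))
        elif w[:2] == ["nat", "(inside)"] and w[2:4] == ["0", "access-list"]:
            nat0 = w[4]
        elif w[:2] == ["crypto", "map"]:
            entry = maps.setdefault((w[2], w[3]), {})
            if w[4:6] == ["match", "address"]:
                entry["acl"] = w[6]
            elif w[4:6] == ["set", "pfs"]:
                entry["pfs"] = w[6]
            elif w[4:6] == ["set", "peer"]:
                entry["peer"] = w[6]
    return acls, maps, nat0


def parse_ios(text):
    """Return (acls, crypto-map entries) from IOS config lines; ACLs use wildcard masks."""
    acls, maps, cur_map, cur_acl = {}, {}, None, None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:2] == ["crypto", "map"]:
            cur_map, cur_acl = maps.setdefault((w[2], w[3]), {}), None
        elif w[:3] == ["ip", "access-list", "extended"]:
            cur_acl, cur_map = acls.setdefault(w[3], []), None
        elif cur_map is not None and w[:2] == ["set", "pfs"]:
            cur_map["pfs"] = w[2]
        elif cur_map is not None and w[:2] == ["set", "peer"]:
            cur_map["peer"] = w[2]
        elif cur_map is not None and w[:2] == ["match", "address"]:
            cur_map["acl"] = w[2]
        elif cur_acl is not None and w[:2] == ["permit", "ip"] and len(w) >= 6:
            # ipaddress accepts a wildcard (host) mask after the slash
            cur_acl.append((ipaddress.ip_network(f"{w[2]}/{w[3]}"),
                            ipaddress.ip_network(f"{w[4]}/{w[5]}")))
    return acls, maps


def check_pair(asa_text, ios_text, asa_key, ios_key):
    """List Phase 2 inconsistencies between one ASA map entry and one IOS map entry."""
    findings = []
    aacls, amaps, nat0 = parse_asa(asa_text)
    iacls, imaps = parse_ios(ios_text)
    a, i = amaps[asa_key], imaps[ios_key]
    a_pairs = set(aacls.get(a.get("acl"), []))
    i_pairs = set(iacls.get(i.get("acl"), []))
    # Proxy IDs must be exact mirror images: (src, dst) here == (dst, src) there.
    mirrored = {(d, s) for s, d in i_pairs}
    for s, d in sorted(a_pairs - mirrored, key=str):
        findings.append(f"crypto ACL line not mirrored on router: {s} -> {d}")
    for s, d in sorted(mirrored - a_pairs, key=str):
        findings.append(f"router ACL line not mirrored on ASA: {s} -> {d}")
    # PFS must be configured identically, or the proposals will not line up.
    if a.get("pfs") != i.get("pfs"):
        findings.append(f"PFS mismatch: ASA sets {a.get('pfs', 'none')}, "
                        f"router sets {i.get('pfs', 'none')}")
    # On ASA 8.2, VPN traffic must be exempted with nat 0; otherwise the dynamic
    # PAT rule rewrites the source before the crypto ACL is evaluated.
    exempt = set(aacls.get(nat0, []))
    for s, d in sorted(a_pairs - exempt, key=str):
        findings.append(f"no NAT exemption on ASA for {s} -> {d}")
    return findings


if __name__ == "__main__":
    for f in check_pair(ASA_SNIPPET, IOS_SNIPPET, ("outside_map", "2"), ("vpn-policy", "1")):
        print(f)
```

The mirror test passes for the posted lines (10.41.0.0/16 to 192.168.4.0/30 on both sides), so the report comes down to the PFS and NAT-exemption lines; add `set pfs group5` under the IOS map and a nat0 entry for the routerlink subnet on the ASA and the checker returns nothing.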