Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Why is my L2L tunnel using RA tunnel settings?

Status
Not open for further replies.
professorguy

professorguy

MIS
Jan 17, 2007
39
US
I am trying to add another L2L tunnel to the many we already have working correctly. The settings for this tunnel are identical to the settings for all our other L2L tunnels, but I get this from a 'show isakmp sa detail' during an attempted telnet:

...
6 IKE Peer: 208.x.y.33
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : MD5
Auth : preshared Lifetime : 86400
7 IKE Peer: 208.w.z.227
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime : 0
...

The first one works, the second one with the wrong type and weird encryption/hash settings doesn't. However, looking at the running configuration, THERE ARE NO SETTING DIFFERENCES BETWEEN THESE TWO TUNNELS! Here's some highlights:

-----------
crypto map vpn_map 50 match address vpnVRC
crypto map vpn_map 50 set peer 208.x.y.33
crypto map vpn_map 50 set transform-set ESP-3DES-MD5
...
crypto map vpn_map 90 match address vpnMedHost
crypto map vpn_map 90 set peer 208.w.z.227
crypto map vpn_map 90 set transform-set ESP-3DES-MD5
-----------
access-list vpnVRC extended permit ip object-group PACS-Local object-group VRC-Remote
...
access-list vpnMedHost extended permit ip object-group MedHost-Local object-group MedHost-Remote
-----------
tunnel-group 208.x.y.33 type ipsec-l2l
tunnel-group 208.x.y.33 ipsec-attributes
pre-shared-key *
...
tunnel-group 208.w.z.227 type ipsec-l2l
tunnel-group 208.w.z.227 ipsec-attributes
pre-shared-key *
-----------
access-list acl_nonat extended permit ip object-group PACS-Local object-group VRC-Remote
...
access-list acl_nonat extended permit ip object-group MedHost-Local object-group MedHost-Remote
-----------

Anyone have any ideas as to why it is trying (and failing) to establish a USER tunnel instead of an L2L tunnel? It says type ipsec-l2l right in the tunnel-group! And why is it using the aes-256/sha settings when the crypto map specifies a transform set using 3des/md5?

Thanks in advance for any insight.
 
Sort by date Sort by votes
The tunnel is being established between our Cisco ASA 5520 and their Cisco PIX 525. In the case above it is our ASA which is trying to establish the tunnel (notice the 'initiator' in the isakmp output). It tries (and fails) to come up when I try to hit their hosts from the servers here.
 
Upvote 0 Downvote
Make sure they have it configured for no-xauth



isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-xauth
 
Upvote 0 Downvote
Here's what the cisco site says:

"If a LAN-to-LAN tunnel and a Remote Access VPN tunnel are configured on the same crypto map, the LAN-to-LAN peer is prompted for XAUTH information, and the LAN-to-LAN tunnel fails.

"Note: This issue only applies to Cisco IOS and PIX 6.x. Because it uses tunnel-groups, PIX/ASA 7.x is not affected by this issue."

Obviously I'm using tunnel-groups here (see the excerpts above) so this doesn't seem it could be the problem.
 
Upvote 0 Downvote
I just assumed because they have successful L2L tunnels to many, many client sites they have a configuration that works correctly. If they are prompting for xauth, I can't see how any L2L tunnel will work for them. If it's my side incorrectly prompting, then I need to cut that out.
 
Upvote 0 Downvote
You are correct, I didn't realize both the Pix and ASA are running 7.0 code so that xuath isnt an issue. Are you sure the access-lists for the crypto map are identical on both sides? I assume you have also tried changing the key.
 
Upvote 0 Downvote
Yes, there are. They all use the same transform-set (ESP-3DES-MD5) and each have their own ACL for match addresses. Some of these are simple (one host to one host) while some are quite complicated (many hosts to many hosts in various combinations). And the peers are specific to those tunnels.

Also, the other tunnels work fine. I'm now certain this is a configuration problem on the vendor's side. I base that on the fact that the VPN Engineer I started setting this up with is now gone from the vendor's employ. So he may have been a chimp.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

2
  • Locked
  • Question
Loss of my privacy
Replies
12
Views
900
Rick998
Rick998
Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
318
Sameer258
Sameer258
Russtoleum
  • Locked
  • Question
SW GVC won't route traffic through sonicwall to offsite tunnel unless it leases an ip on the same su
Replies
1
Views
102
Russtoleum
Russtoleum
steve56k
  • Locked
  • Question
Number of connections for VPN tunnel
Replies
0
Views
56
steve56k
steve56k
steve56k
  • Locked
  • Question
VPN Tunnel will not start
Replies
0
Views
61
steve56k
steve56k

Part and Inventory Search

Sponsor

Back
Top