Cisco ASA Site-to-Site IKEv1 IPsec VPN Dynamic Peer

Hi Shraddha,

Are you still having issues?

Something you might want to check is if you have SQL inspection enabled on your ASA. I’ve had issues with this before with Oracle database servers. This is something you could see in ASDM packet tracer. In my case I noticed some unusual TCP sessions that were reset immediately.

Rene

Hi Rene
Thank you for the update. I missed this question you posted, sorry for the delay in replying.
Issue got resolved.

Thank you
Shraddha

Hi Rene,

I am using GNS3 ASAv for the above lab. The configuration is perfectly fine, however the VPN would not come up. There is a warning message I see on GNS3 as below. Not sure if that is the reason or something else. Can you assist?

Warning: ASAv platform license state is Unlicensed.
Install ASAv platform license for full functionality.

Hi Shraddha,

You can ignore this message, it shows up all the time on my ASAv devices that I run in Cisco VIRL.

Have you tried packet-tracer yet to see if it gives you any information why the VPN is not working?

Hi Rene
In this topology, must the peering IPs of IPsec be in the same network?

Hello Heng

No, the peering addresses don’t have to be the same. The only prerequisite is that the outside IP addresses of the Internet facing interfaces should be able to have network connectivity between them.

I hope this has been helpful!

Laz

After adding: crypto map Outside_map 1 set ikev1 phase1-mode aggressive
My tunnel dropped and stopped working.

Version:

HomeASA(config)# show version
Cisco Adaptive Security Appliance Software Version 9.1(7)16
Device Manager Version 7.7(1)150
Compiled on Thu 30-Mar-17 17:39 by builders
System image file is "disk0:/asa917-16-k8.bin"
Config file at boot was "startup-config"
HomeASA up 2 hours 10 mins
Hardware: ASA5520-K8, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash AT49LW080 @ 0xfff00000, 1024KB
Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNlite-MC-SSLm-PLUS-2.08
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.09
Number of accelerators: 1

Object-group:

HomeASA(config)# show run object-group network
object-group network FLL_DC_Networks
network-object 10.158.0.0 255.255.252.0
network-object 172.16.20.0 255.255.252.0
network-object 192.168.16.0 255.255.255.0
object-group network HomeNetworks
description Home LAN and WLAN
network-object 10.10.250.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0

Access-list:

HomeASA(config)# show run access-list
access-list Outside_cryptomap extended permit ip object-group HomeNetworks object-group FLL_DC_Networks
access-list Outside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list Outside_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 object REMOTE_2
access-list Outside_cryptomap_1 extended permit ip 10.10.250.0 255.255.255.0 object REMOTE_2
access-list Outside_cryptomap_1 extended permit ip 192.168.3.0 255.255.255.0 object REMOTE_2
access-list Outside_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 object REMOTE_3
access-list Outside_cryptomap_1 extended permit ip 10.10.250.0 255.255.255.0 object REMOTE_3

Crypto map:


HomeASA(config)# show run crypto map
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 199.227.242.218
crypto map Outside_map 1 set ikev1 phase1-mode aggressive
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map Outside_map interface Outside

Hi Adrian,

What do you use to identify your ASA with the dynamic IP to the remote ASA with static IP? Take a look at this example:

I use this on my dynamic peer:

crypto isakmp identity key-id ASA1_ASA2

Which matches the tunnel-group on the static IP peer:

tunnel-group ASA1_ASA2 type ipsec-l2l
tunnel-group ASA1_ASA2 ipsec-attributes
ikev1 pre-shared-key ASA1_ASA2_KEY

Hope this helps!

Rene

Hello,
I am trying to do the lab, but I get this on ASA2 and ASA3 from debug:

[IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Mar 06 12:44:34 [IKEv1]There is no valid IKE proposal available, check IPSec SA configuration!
Mar 06 12:44:34 [IKEv1]Warning: Ignoring IKE SA (dst) without VM bit set


IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.2.2, sport=64343, daddr=192.168.1.1, dport=5888
IPSEC(crypto_map_check)-3: Checking crypto map LTS_CRYPTO 10: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=6, saddr=192.168.2.2, sport=64343, daddr=192.168.1.1, dport=5888
IPSEC(crypto_map_check)-3: Checking crypto map LTS_CRYPTO 10: matched.

I see that phase 1 init,
using vASA v 9.9.(2) on GNS,
Config is the SAME as in LAB, also IPs,
Please help…
Regards,
Maciek

Hello Maciej

If you are getting the “There is no valid IKE proposal available, check IPSec SA configuration!” message then this means that there is a mismatch in the configuration of the peers. Verify that your config does indeed match on both ends.

I hope this has been helpful!

Laz

Hello,
That’s all I know, the configuration is like in the task, and the error remains…
Maybe I will have a chance to do it on real devices; on vASA, this is the one that does not work in my exercises :smile:
Regards,
Maciek

Hello Maciej

Hmm, that’s strange. There’s always the chance that GNS3 is to blame, as it does occasionally cause errors where there should be none :stuck_out_tongue:. I hope you get the chance to try it out on real devices at some point.

Laz

Hello,

There are two errors in the configuration:
One of them is access-list, as it is shown below:

ASA1(config)# access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

ASA2(config)# access-list **LAN1_LAN2** extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

ASA2 access-list name should be LAN2_LAN1.

The second mistake is shown below:

ASA2(config)# tunnel-group **10.10.10.2** type ipsec-l2l
ASA2(config)# tunnel-group **10.10.10.2** ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev1 pre-shared-key MY_SHARED_KEY

The ip address should be 10.10.10.1, as it is shown in lesson 1 regarding ipsec VPN.

Once I fixed these mistakes, my configuration started working.
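The two mistakes above (a crypto ACL that must mirror the far side's, and a tunnel-group name that must equal the `set peer` address) are easy to check mechanically. The following Python script is an added example, not part of the lesson or of any post in this thread: it parses ASA config lines, compares each side's crypto ACL against the mirror of the other side's, and flags `set peer` addresses that have no matching ipsec-l2l tunnel-group. The `set peer` lines in the sample are constructed (the post does not show them) and assume ASA1's outside address is 10.10.10.1 and ASA2's is 10.10.10.2.

```python
import ipaddress
import re

# ASA lines in the forms used in this thread (assumed fixed-format, as in "show run" output).
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
PEER_RE = re.compile(r"^crypto map\s+\S+\s+\d+\s+set peer\s+(\S+)")
TG_RE = re.compile(r"^tunnel-group\s+(\S+)\s+type ipsec-l2l")


def _net(addr, mask):
    # Normalise "192.168.1.0 255.255.255.0" to "192.168.1.0/24" so both sides compare equal.
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def crypto_acl_entries(config, acl_name):
    """Set of (src, dst) CIDR pairs for the named extended ACL in an ASA config dump."""
    entries = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            entries.add((_net(m.group(2), m.group(3)), _net(m.group(4), m.group(5))))
    return entries


def mirror_mismatches(local_cfg, local_acl, remote_cfg, remote_acl):
    """(missing, extra): entries the local ACL lacks / has beyond the mirror of the remote ACL."""
    local = crypto_acl_entries(local_cfg, local_acl)
    expected = {(dst, src) for src, dst in crypto_acl_entries(remote_cfg, remote_acl)}
    return sorted(expected - local), sorted(local - expected)


def peers_without_tunnel_group(config):
    """'set peer' addresses that have no ipsec-l2l tunnel-group of the same name (no PSK will match)."""
    peers = {m.group(1) for l in config.splitlines() if (m := PEER_RE.match(l.strip()))}
    groups = {m.group(1) for l in config.splitlines() if (m := TG_RE.match(l.strip()))}
    return sorted(peers - groups)


# Constructed sample: the ACL and tunnel-group lines from the post above, plus assumed "set peer" lines.
ASA1_CFG = """
access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
tunnel-group 10.10.10.2 type ipsec-l2l
"""
ASA2_CFG = """
access-list LAN1_LAN2 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.1
tunnel-group 10.10.10.2 type ipsec-l2l
"""

if __name__ == "__main__":
    print("ASA2 ACL vs mirror of ASA1:", mirror_mismatches(ASA2_CFG, "LAN1_LAN2", ASA1_CFG, "LAN1_LAN2"))
    print("ASA2 peers lacking a tunnel-group:", peers_without_tunnel_group(ASA2_CFG))  # ['10.10.10.1']
```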

Hello Sinasi,

You are correct, I just fixed these typos. Thanks for letting me know!

Rene

Hello Rene,
How are you?
I followed the steps for configuring site to site VPN between two sites having commercial routers provided by ISP and cannot seem to establish the connection.
When I generate interesting traffic the status goes to WAIT status and then the connection drops off after a while.
Below is the config:

Remote Site:

crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 3600

crypto isakmp identity address 
crypto ikev1 enable OUTSIDE

tunnel-group xxx.xx.xx.xx type ipsec-l2l
tunnel-group xxx.xx.xx.xx ipsec-attributes
ikev1 pre-shared-key xxxxxx


crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac


access-list REMUERA_VPN extended permit ip 192.168.60.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list REMUERA_VPN extended permit ip 192.168.61.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list REMUERA_VPN extended permit ip 192.168.62.0 255.255.255.0 192.168.100.0 255.255.255.0


crypto map MY_CRYPTO_MAP 10 match address REMUERA_VPN
crypto map MY_CRYPTO_MAP 10 set peer 219.88.70.89 
crypto map MY_CRYPTO_MAP interface outside

route OUTSIDE 192.168.60.0 255.255.255.0 219.88.70.89

Main Site:

crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 3600

crypto isakmp identity address 
crypto ikev1 enable OUTSIDE

tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key xxxxxx

crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac

access-list Ellerslie_VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.60.0 255.255.255.0
access-list Ellerslie_VPN extended permit ip 192.168.20.0 255.255.255.0 192.168.61.0 255.255.255.0
access-list Ellerslie_VPN extended permit ip 192.168.100.0 255.255.255.0 192.168.62.0 255.255.255.0

crypto dynamic-map MY_DYNA_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto dynamic-map MY_DYNA_MAP 10 match address Ellerslie_VPN
crypto dynamic-map MY_DYNA_MAP 10 set reverse-route

Any help here greatly appreciated.
Thank you

Hello Pavan

When implementing the configuration of this lesson on a real world application with commercial ISP routers, you have to keep a few things in mind. In the lesson, the two ASAs were on the same subnet (this subnet simulated the Internet or some other large network), but in the real world, there are various other mechanisms that exist between the two ASAs that can disrupt the formation of a tunnel.

Questions you should consider include:

  1. Is NAT running on the commercial routers at each site?
  2. Are the commercial routers running additional firewall features that may be blocking communication?
  3. Are the public IP addresses used on the commercial routers themselves, or are they configured on the ASAs? If they are on the commercial routers, are they static?

My suggestion would be that you first ensure that communication between the ASAs’ outside interfaces is successful before you go on. Once that’s done, make sure no other mechanisms (NAT, firewall etc.) in the commercial routers are hindering your communication.

One other alternative to test your configuration (if possible) is to bring the two ASAs together and test them by connecting them directly and see if the VPN comes up. If it does, then the problem is indeed at the commercial routers.

Hopefully this will give you some more insight and clues to help you in your troubleshooting procedures…

I hope this has been helpful!

Laz

Hi Rene,
After completing the config, will there be a connection profile created in the ASDM even if the other side is not configured yet.
thanks,

Hello Irfan

Yes, if you create a connection profile using ASDM, it is created, and you can see it, even though the other side is not yet configured.

I hope this has been helpful! Stay healthy and safe!

Laz


What am I missing? Where do we put the public IP? The examples use private IPs. How do the ASAs know where the other end is with a public IP?

Hello Daniel

Whether you use private addresses such as 10.10.10.0/24 or public addresses such as 147.52.3.0/24, it will make no difference in the actual configuration. For the purposes of this lab, a private address range was chosen, but if you like, in your GNS3 lab, or in your home lab, you can use public addresses as well.

In the real world, how you would configure this depends upon the way in which you connect to the Internet. In some cases, the E0/1 interfaces of the ASAs would be assigned a static public IP address provided to you by the ISP. In others, the ISP may provide you with some termination equipment such as a modem, a router, or a switch to which you must connect your ASA. That termination equipment may have a static or a dynamic public IP address. In such a case you may still be assigned a private address on your ASA, and may have to traverse NAT or some other translation service at your network edge.

In order to make this work, however, you will need to have a static routable IP address on at least one end of the link.

How you will end up creating the link will depend upon the topology of the edge of your network. There are various ways to deal with these scenarios, but for the purpose of this lab, the idea was to understand the configuration of the ASAs for a site to site IPsec VPN.

I hope this has been helpful!

Laz
