What do the following two commands mean for IKE phase-1 and IKE phase-2?
IKE phase-1:
ASA1(config-ikev1-policy)# lifetime 4800
IKE phase-2:
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3000
I think IKE phase-1 will be deleted after 4800 (if there is no traffic on the tunnel) and IKE phase-2 will be deleted after 3000 (if there is no traffic on the tunnel). If traffic continues to flow on the tunnel, then what will happen: will IKE phase-1 and IKE phase-2 be re-negotiated after expiration or not? Please explain.
Somehow, your ASAs have to be able to identify each other so that you use the correct tunnel-group. This command makes sure that the IP address is used for identification.
Let's say there is already a crypto map called MY_CRYPTO_MAP and we want to create a site-to-site VPN to another site.
Is it OK if I create MY_CRYPTO_MAP_2 the same as MY_CRYPTO_MAP?
Typically, there should be no NAT performed on the VPN traffic. In order to exempt that traffic, you must create an identity NAT rule. The identity NAT rule simply translates an address to the same address.
@Sims You can only apply one crypto-map to your interface. You should create one crypto-map with different statement numbers for each peer. Something like this:
ASA1(config)# crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map MY_CRYPTO_MAP 20 match address LAN1_LAN3
ASA1(config)# crypto map MY_CRYPTO_MAP 20 set peer 10.10.10.3
ASA1(config)# crypto map MY_CRYPTO_MAP 20 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 20 set security-association lifetime seconds 3600
@Ryan if you use NAT then yes, you will need to exempt your site-to-site or remote VPN traffic or it will be translated. Here's an example:
Basically, it means that whenever traffic from INSIDE destined to VPN_POOL goes from INSIDE to OUTSIDE, it will be translated to its own address. In other words, no NAT.
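The identity NAT rule the comment above describes, written out as an added example (this is not the commenter's own snippet, which is missing from the thread). The interface names INSIDE and OUTSIDE and the object name VPN_POOL come from the comment; the object name INSIDE_LAN and both subnets are assumed. The syntax is ASA 8.3+ manual (twice) NAT:

```cisco
! Added example, not the original commenter's configuration.
! Subnets are assumed; replace them with the real local LAN and VPN pool.
object network INSIDE_LAN
 subnet 172.16.1.0 255.255.255.0
object network VPN_POOL
 subnet 10.20.0.0 255.255.255.0
! Identity NAT: INSIDE_LAN is "translated" to INSIDE_LAN whenever the destination is
! VPN_POOL, so the packet reaches the crypto map ACL with its original addresses.
! no-proxy-arp and route-lookup stop the ASA from answering ARP for the VPN pool
! on the outside and make it route the reply instead of trusting the NAT table.
nat (INSIDE,OUTSIDE) source static INSIDE_LAN INSIDE_LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
! Ordinary internet PAT for the same LAN. Object NAT is evaluated after manual NAT,
! so VPN traffic is exempted before this rule is ever considered.
object network INSIDE_LAN
 nat (INSIDE,OUTSIDE) dynamic interface
```

Two checks are worth doing after adding the rule: `show nat` should list the identity rule above the dynamic PAT, and `packet-tracer input INSIDE icmp 172.16.1.10 8 0 10.20.0.10` should show the NAT phase keeping the source address and the VPN phase encrypting the packet. On pre-8.3 images (possible on an ASA 5505) the equivalent is NAT exemption, `nat (inside) 0 access-list NAT_EXEMPT`, with an ACL that permits INSIDE_LAN to VPN_POOL.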
We have a 5505 firewall where I have created a site-to-site VPN. The first time I created the crypto policy with group 2 and then changed it to the below.
Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Group = 192.168.1.1, IP = 192.168.1.1, Received non-routine Notify message: No proposal chosen (14)
I can ping the remote end peer from the firewall as well as from a host. It seems like crypto first checks for group 2 and then goes to group 5. I can ping 192.168.1.1 successfully from the firewall and the server. What is this error message and how can I get rid of it?
The device on the other end starts the proposal with group 5 while on your end it's configured for group 2. The simplest solution is probably to change your local policy: change it to group 5 and get rid of group 2.
Good explanation. I was wondering what the configuration of the crypto maps would be if you were using dynamic crypto maps instead of static. I imagine the ACL would not be needed. Do you have a code snippet for this example of what the dynamic crypto map configuration would look like?
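An added example of what the dynamic crypto map variant asked about above could look like on the side whose peers have unknown or changing addresses (this is not the lesson's own configuration; the names MY_DYN_MAP, MY_TRANSFORM_SET, MY_CRYPTO_MAP and the interface name OUTSIDE are assumed, and the pre-shared key is a placeholder). As the comment suspects, the dynamic entry carries no match address: the remote peer's crypto ACL supplies the proxy identities during phase 2 and the ASA accepts them if they satisfy the policy.

```cisco
! Added example, not from the original lesson or commenter. Names are assumed.
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
! Dynamic entry: no "match address" and no "set peer"; the initiating peer proposes
! the proxy IDs and the ASA learns the peer address when the tunnel comes up.
crypto dynamic-map MY_DYN_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
! Reverse route injection installs a route to the remote LAN once the SA is built.
crypto dynamic-map MY_DYN_MAP 10 set reverse-route
! The dynamic entry gets the highest sequence number so any static entries in
! MY_CRYPTO_MAP are evaluated first.
crypto map MY_CRYPTO_MAP 65535 ipsec-isakmp dynamic MY_DYN_MAP
crypto map MY_CRYPTO_MAP interface OUTSIDE
! Peers that match no tunnel-group by address fall into DefaultL2LGroup, so the
! key configured here is what every unknown peer has to present.
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER_PSK
```

Two properties follow from the dynamic entry and are worth keeping in mind: the ASA holding the dynamic map cannot initiate the tunnel, since it has no peer address to send to, so the remote static side must bring it up (a keepalive or interesting traffic from that side); and because every otherwise-unidentified peer lands in DefaultL2LGroup, that one key authenticates all of them, which is a weaker position than a per-peer tunnel-group keyed by address or a certificate-based identity. After a peer connects, `show crypto ikev1 sa` and `show crypto ipsec sa` show which peer and which proxy IDs were accepted.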
I tried to set up a similar tunnel config in my VIRL lab. However, I couldn't bring my tunnel up. I am attaching my VIRL lab. I would appreciate it if you could check what I am missing in my setup.
I modified the network in your example with a few more nodes on each site. The network diagram is attached.
The IPSec tunnel is up. Ping from end node 1 to end node 2 is working.
Ping and wget from End Node 1 to Web Server 1 is working and from End Node 2 to Web Server 2 is also working.
However, the ping/wget from End node in one site to the web server on the other site is not working in either direction. When checked with ASA logs, the tunnel is set up and the ping is getting delivered to the web server, but the web server is not responding to the ping request.