Cisco
Anton Antonov, 2016-09-27 15:28:07

The IPsec tunnel does not come up, what could be the problem?

Hello! I am configuring an IPsec tunnel between two ASAs. The tunnel does not come up and does not even try. Ports 500 and 4500 are available.
Tunnel between IPs 150.97 and 78.54
Here is the config:
asa 1:


interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp
!
subnet 192.168.2.0 255.255.255.0
object network CC-Local
subnet 192.168.3.0 255.255.255.0
object network K2-Lan
subnet 192.168.10.0 255.255.255.0
object network loop
subnet 0.0.0.0
0.0.0.00
255.255.255.0
object network ML
host 94.141.183.3
object network obj_0.0.0.0
subnet 0.0.0.0 0.0.0.0
object network ASA-NAUKA
host 84.47.183.210
object network ASA-Starlink
host 81.17.150.98
object network ContactCenter
host 62.141.65.170
object network Internal_IP
host 192.168.10.1
object-group network obj_any
network-object 0.0.0.0 0.0.0.0
object-group service DM_INLINE_SERVICE_1
service-object ip
service-object udp
service-object tcp
service-object icmp echo
service-object tcp destination eq echo
object-group service DM_INLINE_SERVICE_2
service-object ip
service-object udp
service-object tcp
service-object udp destination eq isakmp
service-object icmp
service-object tcp destination eq domain
service-object udp destination eq domain
object-group network DM_INLINE_NETWORK_1
network-object object ASA-NAUKA
network-object object ML
network-object object Google-DNS
network-object object ContactCenter
network-object 192.168.10.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_3
service-object ip
service-object udp
service-object tcp
service-object icmp alternate-address
service-object icmp echo
service-object icmp echo-reply
service-object icmp information-reply
service-object icmp information-request
service-object icmp traceroute
service-object udp destination eq isakmp
object-group service DM_INLINE_UDP_1 udp
port-object eq 4500
port-object eq isakmp
port-object eq sip
object-group service DM_INLINE_UDP_2 udp
port-object eq 4500
port-object eq isakmp
object-group network external_ip
network-object object ext_ip
access-list outside_access_in_1 extended permit udp any any eq isakmp
access-list outside_access_in_1 extended permit object-group DM_INLINE_SERVICE_1 any any
access-list outside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list outside_access_in_1 extended permit udp any object-group DM_INLINE_UDP_1 any
access-list outside_cryptomap_1 extended permit ip 192.168.10.0 255.255.255.0 object CC-Local
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_1 any
access-list outside_cryptomap_2 extended permit ip 10.10.10.0 255.255.255.0 object K1-local
access-list outside_cryptomap extended permit ip object K2-Lan object K74-local
access-list global_access_1 extended permit udp any any eq isakmp
access-list global_access_1 extended permit object-group DM_INLINE_SERVICE_3 any any
access-list global_access_1 extended permit udp any object-group DM_INLINE_UDP_2 any
access-list Dostup_izvne standard permit any4
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) source static any interface destination static OG OG
!
object network obj_0.0.0.0
nat (any,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in_1 in interface outside
access-group global_access_1 global
route outside 0.0.0.0 0.0.0.0 10.202.92.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
t
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association lifetime kilobytes 3600
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 81.17.150.97
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES AES192 AES256
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
!
group-policy GroupPolicy_81.17.150.97 internal
group-policy GroupPolicy_81.17.150.97 attributes
vpn-tunnel-protocol ikev1 ikev2
tunnel-group 81.17.150.97 type ipsec-l2l
tunnel-group 81.17.150.97 general-attributes
default-group-policy GroupPolicy_81.17.150.97
tunnel-group 81.17.150.97 ipsec-attributes
ikev1 pre-shared-key #key#
ikev2 remote-authentication pre-shared-key #key#
ikev2 local-authentication pre-shared-key #key#
