
vpn site-to-site issues with a cisco asa

Joined
Mar 31, 2007
Messages
1,895 (0.48/day)
Likes
162
Location
ontario canada
System Name home brew
Processor Intel Corei7 3770K OC @ 4.5Ghz
Motherboard ASUS P8Z77-V
Cooling Corsair H100
Memory 16GB DDR3 1600 GSKILL
Video Card(s) Powercolor Radeon 7970, MSI Radeon 7970
Storage Mushkin Chronos Deluxe 240gb. 2 TB Hdd.
Display(s) 3x24inch Dell Ultra IPS
Case CM storm trooper
Power Supply Antec Quattro OC ed. 1200w
Software Windows 7 Business x64
Benchmark Scores vantage: P43089
#1
This is a bit of a tougher question, but I thought I'd try asking anyway.

I've got a test setup on my desk.

It goes:


Code:
Ubuntu host(vm)-------------Openswan on ubuntu (vm)----- vmware gateway------ xp host-------------------- cisco asa ------ xp host

192.168.2.2                192.168.92.128                   192.168.92.2       200.200.200.2         200.200.200.1     192.168.1.5
                                               ========================tunnel=========================

Now I had it working before, worked on some other things, came back to it and it wasn't working, so I'm not sure what or where I changed something. I could easily start over but I'd rather find out what's wrong with it. So when I ping 192.168.1.5 from 192.168.2.2, there are no replies. However, I did a capture on the inside interface of the ASA and there were replies shown there; they wouldn't come back past that. I've also tried using netcat to send a file over on port 1234. On Wireshark on the Openswan VM, I can see a few ESP packets destined for 200.200.200.1, but 192.168.1.5 doesn't receive them.



Here's my show run output:


Code:
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 200.200.200.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list inbound extended permit ip any any
access-list inbound extended permit udp any any eq isakmp
access-list inbound extended permit udp any any eq 4500
access-list inbound extended permit esp any any
access-list inbound extended deny ip any any
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outbound_tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outbound_tunnel extended permit ip host 200.200.200.1 host 200.200.200.2
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool name 192.168.1.40-192.168.1.60
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 200.200.200.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ts2 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dmap 20 set transform-set ts2
crypto map emap 10 match address outbound_tunnel
crypto map emap 10 set peer 192.168.92.128
crypto map emap 10 set transform-set ts2
crypto map emap 60000 ipsec-isakmp dynamic dmap
crypto map emap interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ryan password .MqBmFV5KQ86DWrJ encrypted
tunnel-group 200.200.200.2 type ipsec-l2l
tunnel-group 200.200.200.2 ipsec-attributes
 pre-shared-key *
tunnel-group ryan type remote-access
tunnel-group ryan general-attributes
 address-pool name
tunnel-group ryan ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:26b17c4d709bc72a3d76158f2c9997bd
: end

Help is appreciated, thanks.
 
#2
Well, for some unknown reason, clearing out the ACLs and NAT commands, then re-entering them, made it work. I just don't understand computers sometimes.
 
#3
For some reason this happens after I reload the ASA or power cycle it. It requires me to re-enter the ACLs.
 

Easy Rhino

Linux Advocate
Joined
Nov 13, 2006
Messages
14,405 (3.56/day)
Likes
4,256
System Name VHOST01 | Desktop
Processor i7 980x | i5 7500 Kaby Lake
Motherboard Gigabyte x58 Extreme | AsRock MicroATX Z170M Exteme4
Cooling Prolimatech Megahelams | Stock
Memory 6x4 GB @ 1333 | 2x 8G Gskill Aegis DDR4 2400
Video Card(s) Nvidia GT 210 | Nvidia GTX 970 FTW+
Storage 4x2 TB Enterprise RAID5 |Corsair mForce nvme 250G
Display(s) N/A | Dell 27" 1440p 8bit GSYNC
Case Lian Li ATX Mid Tower | Corsair Carbide 400C
Audio Device(s) NA | On Board
Power Supply SeaSonic 500W Gold | Seasonic SSR-650GD Flagship Prime Series 650W Gold
Mouse N/A | Logitech G900 Chaos Spectrum
Keyboard N/A | Posiden Z RGB Cherry MX Brown
Software Centos 7 | Windows 10
#4
It may also help if you explain why in the world you are doing it that way.
 
#5
On which part specifically?
 

Easy Rhino
#6
all of it :laugh:
 
#7
Haha. OK, here goes.

So I'm trying to get the open-source VPN to talk with a Cisco ASA for a site-to-site VPN solution. I have an endpoint Ubuntu machine using a localhost adapter; the other Ubuntu has Openswan installed and is a virtual machine as well on the same Windows XP host. This Openswan has two virtual NICs: one is localhost to talk with the other Ubuntu. The second NIC is NAT to connect to the Windows machine, and the ASA beyond that. On the other side of the ASA is a laptop running XP.

Openswan and the ASA are set up to start an IPsec VPN and talk to one another. I can then send a file through the VPN with netcat. I sniff the traffic along the way, and everything is encrypted with ESP.

So everything is fine up to this point. However, should I need to execute a reload, or the ASA gets power cycled for whatever reason, the packets that are sent from the Ubuntu host get stopped after the outside interface of the ASA. If I clear the ACLs, re-enter them, and configure a couple of other lines that referenced the ACLs, everything is fine again.

If there's anything else I need to clarify, let me know.
 

Easy Rhino
#8
> So everything is fine up to this point. However, should I need to execute a reload, or the ASA gets power cycled for whatever reason, the packets that are sent from the Ubuntu host get stopped after the outside interface of the ASA. If I clear the ACLs, re-enter them, and configure a couple of other lines that referenced the ACLs, everything is fine again.
>
> If there's anything else I need to clarify, let me know.
Isn't that supposed to happen?
 
#9
Well, the configuration is saved; when it reloads it should be fine. I shouldn't have to manually clear them and re-enter them.
 

Easy Rhino
#10
> Well, the configuration is saved; when it reloads it should be fine. I shouldn't have to manually clear them and re-enter them.
File permissions issue then.
 
#11
> File permissions issue then.
:confused:

It's just network traffic, file permissions shouldn't be a problem, and they don't exist on Cisco equipment to my knowledge.

In any event, I rebooted the Ubuntu virtual machines in question and left the ASA on. It's having the same issue. So redoing the ACLs on the ASA fixes the problem, but it's not the root of it either.
 

Easy Rhino
#12
> :confused:
>
> It's just network traffic, file permissions shouldn't be a problem, and they don't exist on Cisco equipment to my knowledge.
>
> In any event, I rebooted the Ubuntu virtual machines in question and left the ASA on. It's having the same issue. So redoing the ACLs on the ASA fixes the problem, but it's not the root of it either.
That Cisco ASA has some sort of software on it that allows you to save a configuration file, right?
 
#13
> That Cisco ASA has some sort of software on it that allows you to save a configuration file, right?
You can back it up; I'm not sure if you can save a copy to the NVRAM or not.
 

Easy Rhino
#14
> You can back it up; I'm not sure if you can save a copy to the NVRAM or not.
Hrm. Well, I would have to be in front of it to really see what is going on. If you save the configuration to the ASA, it resets and it no longer uses that configuration, then it beats me.
 
#15
> Hrm. Well, I would have to be in front of it to really see what is going on. If you save the configuration to the ASA, it resets and it no longer uses that configuration, then it beats me.
Well, everything else is there; it just behaves differently until I redo the ACLs. But because the issue occurred as well when I rebooted the Openswan VM, I think it could be just that and not the router reload that causes it. I'll have to test some more tomorrow.
 
#16
Alright, so whether Ubuntu reboots or the Cisco ASA does, it doesn't work. An error I found on the ASA states: ike initiator unable to find policy. Which, from some googling, has something to do with the crypto map and the ACL. But it looks fine according to a bunch of configs and guides I've looked at, so it could be a mix of things or something.
 

Easy Rhino
#17
Right, so as soon as they stop talking to one another the configuration file or 'policy' you've set up no longer works and has to be manually re-added. Honestly, that sounds more like it is supposed to happen. Like a security feature.
 
#18
> Right, so as soon as they stop talking to one another the configuration file or 'policy' you've set up no longer works and has to be manually re-added. Honestly, that sounds more like it is supposed to happen. Like a security feature.
It kinda does, but I can't see that being the issue. I found this error when doing some debugging on the ASA:

ike initiator unable to find policy

With some googling, it has to do with the crypto map and the access list for what traffic to encrypt; in my case the outbound_tunnel access list. Unfortunately the few fixes I've seen have not worked for me. I do see a lot of configs using just static maps. I've tried removing "crypto dynamic-map dmap 20 set transform-set ts2", but then the VPN won't fully establish.
 

Easy Rhino
#19
Any chance you could switch out the Cisco with something else?
 
#20
> Any chance you could switch out the Cisco with something else?
Nah, it's a required component in this. I'm more or less testing other software and how it interacts with it.

Thanks for your help so far, Rhino.
 

Easy Rhino
#21
> Nah, it's a required component in this. I'm more or less testing other software and how it interacts with it.
>
> Thanks for your help so far, Rhino.
Well, at least for testing you could switch it out to see if the problem persists. Maybe it is this specific ASA. Who knows.
 
#22
Well, I've got the latest IOS on it that my company will use, and it's a newly purchased device. But a possibility nonetheless.
 
Joined
Sep 1, 2009
Messages
860 (0.28/day)
Likes
117
Location
Manteca, Ca
System Name Rebirth
Processor Intel i5 2500k @4.5Ghz
Motherboard Asus P8P67 Pro
Cooling Megahalem 120x25 x2 GT AP-15 Push/Pull
Memory 2x4Gb Corsair Vengeance
Video Card(s) Sapphire HD7950 Vapor-X + MSI HD7950 TF3
Storage Samsung 840 Pro 120 SSD + Seagate 7200.12 1TB + 500gig WD + 3TB Hitachi
Display(s) X-Star Glossy DP2710
Case Antec 1200
Audio Device(s) Asus Xonar STX
Power Supply Antec CP-850
Software Microsoft Windows 8 Pro x64
#23
I'm not sure it will work; crypto maps are Cisco device to Cisco device. I think it's giving you an error because it can't talk to Ubuntu.
 
#24
> I'm not sure it will work; crypto maps are Cisco device to Cisco device. I think it's giving you an error because it can't talk to Ubuntu.
I don't doubt it's not as clean as Cisco to Cisco. But there are others who have tried such a thing and have it working. Why it's just me with this, I dunno. With the dynamic map setting in there it will establish, and a dynamic map is put in to allow any connection to get in. A static map is more specific; now, people have been more successful with static maps.

When I just have the static ones in there and the dynamic removed, I'm getting an error: Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.10.10.0/255.255.255.0/0/0 local proxy 192.168.1.0/255.255.255.0/0/0 on interface outside.

Well, my crypto map does match the ACL for those networks. So I dunno :headbang:
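As an added example (not code from the thread or from Cisco), the Python below reproduces the lookup the ASA performs when an IPsec proposal arrives, using the crypto map and ACL lines from the config in post #1 and the proxy identities from the rejection message quoted above. It assumes the ASA compares the IKE peer with each static entry's `set peer` and the proxy pair with that entry's crypto ACL in sequence order, and falls through to the dynamic entry when nothing static matches; run against the posted lines it reports that 200.200.200.2 (Openswan's address once it leaves the VMware NAT) is covered by no static entry, since entry 10 names 192.168.92.128, and that a 10.10.10.0/24 remote proxy is covered by no outbound_tunnel line.

```python
"""Mimic the ASA's crypto map lookup for a proposed IPsec SA (added example, not from the thread
or from Cisco): the IKE peer must match a static entry's 'set peer', and the local/remote proxy
identities must be covered by a permit line of that entry's crypto ACL; otherwise only a dynamic
entry can accept the proposal, and then only when the remote side initiates."""
import ipaddress
import re

# Constructed sample: the crypto-relevant lines copied from the thread's show run.
ASA_CONFIG = """
access-list outbound_tunnel extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outbound_tunnel extended permit ip host 200.200.200.1 host 200.200.200.2
crypto map emap 10 match address outbound_tunnel
crypto map emap 10 set peer 192.168.92.128
crypto map emap 60000 ipsec-isakmp dynamic dmap
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|ipsec-isakmp dynamic) (\S+)$")
# Proxy identities as printed in the ASA's "no matching crypto map entry" message.
PROXY_RE = re.compile(r"remote proxy ([\d.]+)/([\d.]+)/\d+/\d+ local proxy ([\d.]+)/([\d.]+)/\d+/\d+")

def _acl_operand(tokens):
    """Consume one ACL address operand (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_config(text):
    """Return ({acl_name: [(local_net, remote_net), ...]}, {(map_name, seq): {keyword: value}})."""
    acls, maps = {}, {}
    for line in text.strip().splitlines():
        if m := ACL_RE.match(line.strip()):
            local, rest = _acl_operand(m.group(2).split())
            remote, _ = _acl_operand(rest)
            acls.setdefault(m.group(1), []).append((local, remote))
        elif m := MAP_RE.match(line.strip()):
            maps.setdefault((m.group(1), int(m.group(2))), {})[m.group(3)] = m.group(4)
    return acls, maps

def parse_proxy_error(message):
    """Extract (local_proxy, remote_proxy) networks from the ASA rejection message, or None."""
    m = PROXY_RE.search(message)
    if not m:
        return None
    return (ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}"),
            ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))

def find_static_entry(maps, acls, peer, local_proxy, remote_proxy):
    """Return (map_name, seq) of the first static entry whose peer and crypto ACL cover the
    proposal, walking entries in sequence order as the ASA does; None if only a dynamic entry could."""
    local_proxy, remote_proxy = ipaddress.ip_network(str(local_proxy)), ipaddress.ip_network(str(remote_proxy))
    for key, entry in sorted(maps.items()):
        if "ipsec-isakmp dynamic" in entry or entry.get("set peer") != peer:
            continue
        for local_net, remote_net in acls.get(entry.get("match address"), []):
            if local_proxy.subnet_of(local_net) and remote_proxy.subnet_of(remote_net):
                return key
    return None

def diagnose(maps, acls, peer, local_proxy, remote_proxy):
    """List the reasons a proposal from `peer` misses every static entry (empty list: it matched)."""
    if find_static_entry(maps, acls, peer, local_proxy, remote_proxy) is not None:
        return []
    findings = []
    static = [e for _, e in sorted(maps.items()) if "ipsec-isakmp dynamic" not in e]
    peers = sorted(p for p in (e.get("set peer") for e in static) if p)
    if peer not in peers:
        findings.append(f"no static entry has 'set peer {peer}' (configured: {', '.join(peers)})")
    lp, rp = ipaddress.ip_network(str(local_proxy)), ipaddress.ip_network(str(remote_proxy))
    if not any(lp.subnet_of(l) and rp.subnet_of(r)
               for e in static for l, r in acls.get(e.get("match address"), [])):
        findings.append(f"no crypto ACL line covers local {lp} -> remote {rp}")
    if any("ipsec-isakmp dynamic" in e for e in maps.values()):
        findings.append("falls through to the dynamic entry: the ASA can answer this peer but never initiate")
    else:
        findings.append("rejected: no matching crypto map entry")
    return findings

ACLS, MAPS = parse_config(ASA_CONFIG)

if __name__ == "__main__":
    # Openswan as the ASA sees it after the VMware NAT, proposing the thread's intended subnets.
    print(diagnose(MAPS, ACLS, "200.200.200.2", "192.168.1.0/24", "192.168.2.0/24"))
    # The proxy pair from the rejection message quoted in post #24.
    msg = ("Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
           "10.10.10.0/255.255.255.0/0/0 local proxy 192.168.1.0/255.255.255.0/0/0 on interface outside.")
    local, remote = parse_proxy_error(msg)
    print(diagnose(MAPS, ACLS, "192.168.92.128", local, remote))
```

The same check can be pointed at a `show run` dump to confirm that every static entry's peer equals the tunnel-group name the remote will actually connect from.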
 
#25
It might be getting confused by the extended ACL you are using for the crypto map. Try using a regular ACL and apply that ACL to the outbound VLAN.