Since I am actively studying for the lab now I decided to start building my rack. I set up an ASA 5510 and a 7401 ASR (IP/FW/IDS 3DES). I had quite a bit of trouble getting everything working. Nothing major, just the simple stuff like password recovery, setting up some local users, password recovery again (I forgot the passwords I set up for the user accounts within about a 10 minute time frame). Once everything was accessible from my workstation I decided to start jamming. I figured I would configure a site to site VPN tunnel first from memory.
I have been quite busy in the ASA so it was a breeze getting everything set up. The router was pretty simple also. I have a FreeBSD host behind the ASA but I didn't have any hosts connected to the router, so I decided I would configure a loopback interface to source my pings from to test the tunnel. I started pinging and there was my first no go. Nothing across the tunnel. I went back in and ran through my config. I verified the following matched on both devices:
ISAKMP: Hash: MD5
ISAKMP: Encryption: 3DES
ISAKMP: Authentication: Pre-Share
Crypto Map: Match Address
Crypto Map: Peer set
Crypto Map: Transform Set
After looking a bit more at the ASA config I realized I had the wrong map applied to the interface. Another map existed that I had used before. Instead of changing the map to the correct interface I decided to rename the interface to match what I had applied the crypto map to. This didn't work too well either. After I renamed the interface it appeared the ASA dynamically changed the old map that was applied to the old interface name to the new interface name. I ended up having to just go in and change the crypto map statement.
So after all that I was pleased that I was able to get it all done without having to crack a config example. One thing to note: the isakmp lifetime values didn't match either. The ASA was at 1000 and the router was at 86400. The default for both is 86400. Somehow old config lines must have remained in the ASA, which was weird because I created new isakmp policies. Either way it didn't make a difference, which I thought was strange. I was always under the impression that these values had to match or phase 1 would not pass. I tested a few times to verify. The values were mismatched and the tunnel still established.
ASA:
ciscoasa(config)# sh cry isa sa detail
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 192.168.0.65
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : MD5
Auth : preshared Lifetime: 1000
Lifetime Remaining: 292
Router:
RTR7401A#sh cry isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
RTR7401A#sh cry isa sa
dst src state conn-id slot status
192.168.0.5 192.168.0.65 QM_IDLE 1 0 ACTIVE
RTR7401A#sh cry isa sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1 192.168.0.65 192.168.0.5 ACTIVE 3des md5 psk 2 00:05:42
Connection-id:Engine-id = 1:1(software)
Looks like the router just agreed to go with the ASA's lifetime regardless of what was configured.
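The negotiation observed above, as an added example that is not from the original post: a small Python model of IKEv1 phase 1 policy matching loaded with the two policies shown in the outputs (the router's default suite included). It follows Cisco's documented rule that encryption, hash, authentication and DH group must match exactly while the shorter of the two lifetimes is simply adopted; the class and function names are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy' entry; lifetime in seconds."""
    priority: int
    encryption: str
    hash: str
    authentication: str
    dh_group: int
    lifetime: int

# Constructed from the show output in the post: ASA lifetime 1000, router
# priority 10 lifetime 86400, plus the IOS default suite (priority 65535).
ASA_POLICIES = [IsakmpPolicy(10, "3des", "md5", "pre-share", 2, 1000)]
ROUTER_POLICIES = [
    IsakmpPolicy(10, "3des", "md5", "pre-share", 2, 86400),
    IsakmpPolicy(65535, "des", "sha", "rsa-sig", 1, 86400),
]

def policies_match(a: IsakmpPolicy, b: IsakmpPolicy) -> bool:
    """Encryption, hash, authentication and DH group must agree exactly.
    Lifetime is left out on purpose: it is negotiated, not matched."""
    return (a.encryption, a.hash, a.authentication, a.dh_group) == (
        b.encryption, b.hash, b.authentication, b.dh_group)

def negotiate_phase1(initiator: List[IsakmpPolicy], responder: List[IsakmpPolicy]
                     ) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy, int]]:
    """Initiator proposals are tried in priority order against the responder's
    policies (also in priority order); the first match wins. Returns
    (initiator policy, responder policy, negotiated lifetime) or None.
    The negotiated lifetime is the shorter configured value, which is why
    the router ended up with the ASA's 1000 seconds."""
    for proposal in sorted(initiator, key=lambda p: p.priority):
        for policy in sorted(responder, key=lambda p: p.priority):
            if policies_match(proposal, policy):
                return proposal, policy, min(proposal.lifetime, policy.lifetime)
    return None

def lifetime_shortened_by_peer(policy: IsakmpPolicy, negotiated: int) -> bool:
    """True when the SA will rekey sooner than this device's own policy says,
    i.e. the peer's shorter lifetime won; the check the post was missing."""
    return negotiated < policy.lifetime
```

Swapping the hash on one side (for example sha on the ASA) makes negotiate_phase1 return None, which is the failure a lifetime mismatch does not cause.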