Question

Cisco ASA 5505 to Draytek Vigor 2700 tunnel: IKE failure

Asked by: j66st

I want a permanent VPN IPsec tunnel between office and home LANs. And the regular NAT-route to the Internet for both sites.
Office: Cisco ASA 5505 (v8.0), connected to a Thomson Speedtouch DSL modem (bridged)
WAN: 82.X.X.56   LAN: 192.168.1.0/24
Home: Draytek Vigor 2700G VPN-router/DSL-modem
WAN: 82.X.X.48   LAN: 192.168.2.0/24
So far I can't get the tunnel to connect. Looks to me like IKE phase 2 times out. (Getting a QM FSM error EV_TIMEOUT - QM_WAIT_MSG2). See debug log below of an attempt to open the tunnel from the Cisco LAN side by typing the remote address 192.168.2.200 address in the browser.

The Draytek has no command to dump its configuration to a terminal. It has a single VPN LAN-LAN. Direction set to both. PFS is disabled AFAIK, not sure if the Cisco uses it. Tried several lifetime values.

Some help would be much appreciated. I'm an EE-newbie, so excuse me if I did not submit this question in a proper manner.

Aug 28 2009 15:25:31: %ASA-7-609001: Built local-host outside:192.168.2.200
Aug 28 2009 15:25:31: %ASA-7-609002: Teardown local-host outside:192.168.2.200 duration 0:00:00
Aug 28 2009 15:25:31: %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
Aug 28 2009 15:25:31: %ASA-5-713041: IP = 82.X.X.56, IKE Initiator: New Phase 1, Intf inside, IKE Peer 82.X.X.56  local Proxy Address 192.168.1.0, remote Proxy Address 192.168.2.0,  Crypto map (outside_map)
Aug 28 2009 15:25:31: %ASA-7-715046: IP = 82.X.X.56, constructing ISAKMP SA payload
Aug 28 2009 15:25:31: %ASA-7-715046: IP = 82.X.X.56, constructing Fragmentation VID + extended capabilities payload
Aug 28 2009 15:25:31: %ASA-7-713236: IP = 82.X.X.56, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 96
Aug 28 2009 15:25:31: %ASA-7-609001: Built local-host NP Identity Ifc:82.X.X.48
Aug 28 2009 15:25:31: %ASA-7-609001: Built local-host outside:82.X.X.56
Aug 28 2009 15:25:31: %ASA-7-713236: IP = 82.X.X.56, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 92
Aug 28 2009 15:25:31: %ASA-7-715047: IP = 82.X.X.56, processing SA payload
Aug 28 2009 15:25:31: %ASA-7-713906: IP = 82.X.X.56, Oakley proposal is acceptable
Aug 28 2009 15:25:31: %ASA-7-715047: IP = 82.X.X.56, processing VID payload
Aug 28 2009 15:25:31: %ASA-7-715049: IP = 82.X.X.56, Received DPD VID
Aug 28 2009 15:25:31: %ASA-7-715046: IP = 82.X.X.56, constructing ke payload
Aug 28 2009 15:25:31: %ASA-7-715046: IP = 82.X.X.56, constructing nonce payload
Aug 28 2009 15:25:31: %ASA-7-715046: IP = 82.X.X.56, constructing Cisco Unity VID payload
Aug 28 2009 15:25:31: %ASA-7-715046: IP = 82.X.X.56, constructing xauth V6 VID payload
Aug 28 2009 15:25:31: %ASA-7-710005: UDP request discarded from 192.168.1.14/137 to inside:192.168.1.255/137
Aug 28 2009 15:25:31: %ASA-7-713236: IP = 82.X.X.56, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
Aug 28 2009 15:25:31: %ASA-7-715047: IP = 82.X.X.56, processing ke payload
Aug 28 2009 15:25:31: %ASA-7-715047: IP = 82.X.X.56, processing ISA_KE payload
Aug 28 2009 15:25:31: %ASA-7-715047: IP = 82.X.X.56, processing nonce payload
Aug 28 2009 15:25:31: %ASA-7-713906: IP = 82.X.X.56, Connection landed on tunnel_group 82.X.X.56
Aug 28 2009 15:25:31: %ASA-7-713906: Group = 82.X.X.56, IP = 82.X.X.56, Generating keys for Initiator...
Aug 28 2009 15:25:31: %ASA-7-715046: Group = 82.X.X.56, IP = 82.X.X.56, constructing ID payload
Aug 28 2009 15:25:31: %ASA-7-715046: Group = 82.X.X.56, IP = 82.X.X.56, constructing hash payload
Aug 28 2009 15:25:31: %ASA-7-715076: Group = 82.X.X.56, IP = 82.X.X.56, Computing hash for ISAKMP
Aug 28 2009 15:25:31: %ASA-7-713236: IP = 82.X.X.56, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NOTIFY (11) + NONE (0) total length : 92
Aug 28 2009 15:25:31: %ASA-7-715047: Group = 82.X.X.56, IP = 82.X.X.56, processing ID payload
Aug 28 2009 15:25:31: %ASA-7-714011: Group = 82.X.X.56, IP = 82.X.X.56, ID_IPV4_ADDR ID received
                                                                                                    82.X.X.56
Aug 28 2009 15:25:31: %ASA-7-715047: Group = 82.X.X.56, IP = 82.X.X.56, processing hash payload
Aug 28 2009 15:25:31: %ASA-7-715076: Group = 82.X.X.56, IP = 82.X.X.56, Computing hash for ISAKMP
Aug 28 2009 15:25:31: %ASA-7-715047: Group = 82.X.X.56, IP = 82.X.X.56, processing notify payload
Aug 28 2009 15:25:31: %ASA-7-713906: IP = 82.X.X.56, Connection landed on tunnel_group 82.X.X.56
Aug 28 2009 15:25:31: %ASA-4-713903: Group = 82.X.X.56, IP = 82.X.X.56, Freeing previously allocated memory for authorization-dn-attributes
Aug 28 2009 15:25:31: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 82.X.X.56
Aug 28 2009 15:25:31: %ASA-7-713906: Group = 82.X.X.56, IP = 82.X.X.56, Oakley begin quick mode
Aug 28 2009 15:25:31: %ASA-7-714002: Group = 82.X.X.56, IP = 82.X.X.56, IKE Initiator starting QM: msg id = 7cd21e66
Aug 28 2009 15:25:31: %ASA-3-713119: Group = 82.X.X.56, IP = 82.X.X.56, PHASE 1 COMPLETED
Aug 28 2009 15:25:31: %ASA-7-713121: IP = 82.X.X.56, Keep-alive type for this connection: DPD
Aug 28 2009 15:25:31: %ASA-7-715006: Group = 82.X.X.56, IP = 82.X.X.56, IKE got SPI from key engine: SPI = 0xeb7f9659
Aug 28 2009 15:25:31: %ASA-7-715006: Group = 82.X.X.56, IP = 82.X.X.56, IKE got SPI from key engine: SPI = 0x1dff14a6
Aug 28 2009 15:25:31: %ASA-7-715006: Group = 82.X.X.56, IP = 82.X.X.56, IKE got SPI from key engine: SPI = 0xb80677fa
Aug 28 2009 15:25:31: %ASA-7-715006: Group = 82.X.X.56, IP = 82.X.X.56, IKE got SPI from key engine: SPI = 0x013a27ca
Aug 28 2009 15:25:31: %ASA-7-715006: Group = 82.X.X.56, IP = 82.X.X.56, IKE got SPI from key engine: SPI = 0xf1afd6e9
Aug 28 2009 15:25:31: %ASA-7-715006: Group = 82.X.X.56, IP = 82.X.X.56, IKE got SPI from key engine: SPI = 0xa77233a3
Aug 28 2009 15:25:31: %ASA-7-715006: Group = 82.X.X.56, IP = 82.X.X.56, IKE got SPI from key engine: SPI = 0x13fd9936
Aug 28 2009 15:25:31: %ASA-7-715006: Group = 82.X.X.56, IP = 82.X.X.56, IKE got SPI from key engine: SPI = 0xf61bd0d2
Aug 28 2009 15:25:31: %ASA-7-715006: Group = 82.X.X.56, IP = 82.X.X.56, IKE got SPI from key engine: SPI = 0xf4cf9c91
Aug 28 2009 15:25:31: %ASA-7-715006: Group = 82.X.X.56, IP = 82.X.X.56, IKE got SPI from key engine: SPI = 0x5e3604e1
Aug 28 2009 15:25:31: %ASA-7-713906: Group = 82.X.X.56, IP = 82.X.X.56, oakley constucting quick mode
Aug 28 2009 15:25:31: %ASA-7-715046: Group = 82.X.X.56, IP = 82.X.X.56, constructing blank hash payload
Aug 28 2009 15:25:31: %ASA-7-715046: Group = 82.X.X.56, IP = 82.X.X.56, constructing IPSec SA payload
Aug 28 2009 15:25:31: %ASA-7-715046: Group = 82.X.X.56, IP = 82.X.X.56, constructing IPSec nonce payload
Aug 28 2009 15:25:31: %ASA-7-715001: Group = 82.X.X.56, IP = 82.X.X.56, constructing proxy ID
Aug 28 2009 15:25:31: %ASA-7-713906: Group = 82.X.X.56, IP = 82.X.X.56, Transmitting Proxy Id:
                                            Local subnet:  192.168.1.0  mask 255.255.255.0 Protocol 0  Port 0
                                            Remote subnet: 192.168.2.0  Mask 255.255.255.0 Protocol 0  Port 0
Aug 28 2009 15:25:31: %ASA-7-714007: Group = 82.X.X.56, IP = 82.X.X.56, IKE Initiator sending Initial Contact
Aug 28 2009 15:26:01: %ASA-7-715036: Group = 82.X.X.56, IP = 82.X.X.56, Sending keep-alive of type DPD R-U-THERE (seq number 0xc24fa5f)
Aug 28 2009 15:26:01: %ASA-7-715046: Group = 82.X.X.56, IP = 82.X.X.56, constructing blank hash payload
Aug 28 2009 15:26:01: %ASA-7-715046: Group = 82.X.X.56, IP = 82.X.X.56, constructing qm hash payload
Aug 28 2009 15:26:01: %ASA-7-713236: IP = 82.X.X.56, IKE_DECODE SENDING Message (msgid=732b2f98) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Aug 28 2009 15:26:03: %ASA-3-713902: Group = 82.X.X.56, IP = 82.X.X.56, QM FSM error (P2 struct &0xd4b00b60, mess id 0x7cd21e66)!
Aug 28 2009 15:26:03: %ASA-7-715065: Group = 82.X.X.56, IP = 82.X.X.56, IKE QM Initiator FSM error history (struct &0xd4b00b60)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Aug 28 2009 15:26:03: %ASA-7-713906: Group = 82.X.X.56, IP = 82.X.X.56, sending delete/delete with reason message
Aug 28 2009 15:26:03: %ASA-7-715046: Group = 82.X.X.56, IP = 82.X.X.56, constructing blank hash payload
Aug 28 2009 15:26:03: %ASA-1-713900: Group = 82.X.X.56, IP = 82.X.X.56, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Aug 28 2009 15:26:03: %ASA-7-715009: Group = 82.X.X.56, IP = 82.X.X.56, IKE Deleting SA: Remote Proxy 192.168.2.0, Local Proxy 192.168.1.0
Aug 28 2009 15:26:03: %ASA-7-715009: Group = 82.X.X.56, IP = 82.X.X.56, IKE Deleting SA: Remote Proxy 192.168.2.0, Local Proxy 192.168.1.0
Aug 28 2009 15:26:03: %ASA-7-715009: Group = 82.X.X.56, IP = 82.X.X.56, IKE Deleting SA: Remote Proxy 192.168.2.0, Local Proxy 192.168.1.0
Aug 28 2009 15:26:03: %ASA-7-715009: Group = 82.X.X.56, IP = 82.X.X.56, IKE Deleting SA: Remote Proxy 192.168.2.0, Local Proxy 192.168.1.0
Aug 28 2009 15:26:03: %ASA-7-715077: Pitcher: received key delete msg, spi 0x5e3604e1
Aug 28 2009 15:26:03: %ASA-7-715077: Pitcher: received key delete msg, spi 0x5e3604e1
Aug 28 2009 15:26:03: %ASA-7-715077: Pitcher: received key delete msg, spi 0x5e3604e1
 
=== packet trace for port 500 ===
11 packets captured
   1: 15:28:26.281067 802.1Q vlan#2 P0 82.X.X.48.500 > 82.X.X.56.500:  udp 96
      ISAKMP Header
        Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
        Responder COOKIE: 00 00 00 00 00 00 00 00
        Next Payload: Security Association
        Version: 1.0
        Exchange Type: Identity Protection (Main Mode)
        Flags: (none)
        MessageID: 00000000
        Length: 96
        Payload Security Association
          Next Payload: Vendor ID
          Reserved: 00
          Payload Length: 44
          DOI: IPsec
          Situation:(SIT_IDENTITY_ONLY)
          Payload Proposal
            Next Payload: None
            Reserved: 00
            Payload Length: 32
            Proposal #: 1
            Protocol-Id: PROTO_ISAKMP
            SPI Size: 0
            # of transforms: 1
            Payload Transform
              Next Payload: None
              Reserved: 00
              Payload Length: 24
              Transform #: 1
              Transform-Id: KEY_IKE
              Reserved2: 0000
              Group Description: Group 2
              Encryption Algorithm: 3DES-CBC
              Hash Algorithm: SHA1
              Authentication Method: Preshared key
        Payload Vendor ID
          Next Payload: None
          Reserved: 00
          Payload Length: 24
          Data (In Hex): ...
 
   2: 15:28:26.311064 802.1Q vlan#2 P0 82.X.X.56.500 > 82.X.X.48.500:  udp 92
      ISAKMP Header
        Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
        Responder COOKIE: ff ac 06 b5 6e c4 89 23
        Next Payload: Security Association
        Version: 1.0
        Exchange Type: Identity Protection (Main Mode)
        Flags: (none)
        MessageID: 00000000
        Length: 92
        Payload Security Association
          Next Payload: Vendor ID
          Reserved: 00
          Payload Length: 44
          DOI: IPsec
          Situation:(SIT_IDENTITY_ONLY)
          Payload Proposal
            Next Payload: None
            Reserved: 00
            Payload Length: 32
            Proposal #: 1
            Protocol-Id: PROTO_ISAKMP
            SPI Size: 0
            # of transforms: 1
            Payload Transform
              Next Payload: None
              Reserved: 00
              Payload Length: 24
              Transform #: 1
              Transform-Id: KEY_IKE
              Reserved2: 0000
              Group Description: Group 2
              Encryption Algorithm: 3DES-CBC
              Hash Algorithm: SHA1
              Authentication Method: Preshared key
        Payload Vendor ID
          Next Payload: None
          Reserved: 00
          Payload Length: 20
          Data (In Hex): ...
 
   3: 15:28:26.311064 802.1Q vlan#2 P0 82.X.X.48.500 > 82.X.X.56.500:  udp 256
      ISAKMP Header
        Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
        Responder COOKIE: ff ac 06 b5 6e c4 89 23
        Next Payload: Key Exchange
        Version: 1.0
        Exchange Type: Identity Protection (Main Mode)
        Flags: (none)
        MessageID: 00000000
        Length: 256
        Payload Key Exchange
          Next Payload: Nonce
          Reserved: 00
          Payload Length: 132
          Data: ...
        Payload Nonce
          Next Payload: Vendor ID
          Reserved: 00
          Payload Length: 24
          Data: ...
         Payload Vendor ID
          Next Payload: Vendor ID
          Reserved: 00
          Payload Length: 20
          Data (In Hex): ...
         Payload Vendor ID
          Next Payload: Vendor ID
          Reserved: 00
          Payload Length: 12
          Data (In Hex): ...
        Payload Vendor ID
          Next Payload: Vendor ID
          Reserved: 00
          Payload Length: 20
          Data (In Hex):
            ...
        Payload Vendor ID
          Next Payload: None
          Reserved: 00
          Payload Length: 20
          Data (In Hex):
            ...
 
   4: 15:28:26.971141 802.1Q vlan#2 P0 82.X.X.56.500 > 82.X.X.48.500:  udp 180
      ISAKMP Header
        Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
        Responder COOKIE: ff ac 06 b5 6e c4 89 23
        Next Payload: Key Exchange
        Version: 1.0
        Exchange Type: Identity Protection (Main Mode)
        Flags: (none)
        MessageID: 00000000
        Length: 180
        Payload Key Exchange
          Next Payload: Nonce
          Reserved: 00
          Payload Length: 132
          Data:
            ...
        Payload Nonce
          Next Payload: None
          Reserved: 00
          Payload Length: 20
          Data:
           ...
 
   5: 15:28:26.971141 802.1Q vlan#2 P0 82.X.X.48.500 > 82.X.X.56.500:  udp 84
      ISAKMP Header
        Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
        Responder COOKIE: ff ac 06 b5 6e c4 89 23
        Next Payload: Identification
        Version: 1.0
        Exchange Type: Identity Protection (Main Mode)
        Flags: (Encryption)
        MessageID: 00000000
        Length: 84
 
   6: 15:28:27.001190 802.1Q vlan#2 P0 82.X.X.56.500 > 82.X.X.48.500:  udp 92
      ISAKMP Header
        Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
        Responder COOKIE: ff ac 06 b5 6e c4 89 23
        Next Payload: Identification
        Version: 1.0
        Exchange Type: Identity Protection (Main Mode)
        Flags: (Encryption)
        MessageID: 00000000
        Length: 92
 
   7: 15:28:27.022002 802.1Q vlan#2 P0 82.X.X.48.500 > 82.X.X.56.500:  udp 652
      ISAKMP Header
        Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
        Responder COOKIE: ff ac 06 b5 6e c4 89 23
        Next Payload: Hash
        Version: 1.0
        Exchange Type: Quick Mode
        Flags: (Encryption)
        MessageID: 72C4EA2C
        Length: 652
 
   8: 15:28:35.022414 802.1Q vlan#2 P0 82.X.X.48.500 > 82.X.X.56.500:  udp 652
      ISAKMP Header
        Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
        Responder COOKIE: ff ac 06 b5 6e c4 89 23
        Next Payload: Hash
        Version: 1.0
        Exchange Type: Quick Mode
        Flags: (Encryption)
        MessageID: 72C4EA2C
        Length: 652
 
   9: 15:28:43.023634 802.1Q vlan#2 P0 82.X.X.48.500 > 82.X.X.56.500:  udp 652
      ISAKMP Header
        Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
        Responder COOKIE: ff ac 06 b5 6e c4 89 23
        Next Payload: Hash
        Version: 1.0
        Exchange Type: Quick Mode
        Flags: (Encryption)
        MessageID: 72C4EA2C
        Length: 652
 
  10: 15:28:51.040479 802.1Q vlan#2 P0 82.X.X.48.500 > 82.X.X.56.500:  udp 652
      ISAKMP Header
        Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
        Responder COOKIE: ff ac 06 b5 6e c4 89 23
        Next Payload: Hash
        Version: 1.0
        Exchange Type: Quick Mode
        Flags: (Encryption)
        MessageID: 72C4EA2C
        Length: 652
 
  11: 15:28:59.041700 802.1Q vlan#2 P0 82.X.X.48.500 > 82.X.X.56.500:  udp 84
      ISAKMP Header
        Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
        Responder COOKIE: ff ac 06 b5 6e c4 89 23
        Next Payload: Hash
        Version: 1.0
        Exchange Type: Informational
        Flags: (Encryption)
        MessageID: D8B67129
        Length: 84
 
11 packets shown
 
=== running-config ===
: Saved
:
ASA Version 8.0(2)
!
hostname ciscoasa
enable password xxxxxxxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.96 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxxxx encrypted
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone GMT 0
access-list inside_nat0_outbound extended permit ip any 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool RApool1 192.168.1.80-192.168.1.89 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 192.168.2.0 255.255.255.0 82.X.X.56 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 82.X.X.56 255.255.255.255 outside
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 82.X.X.56
crypto map outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime none
no crypto isakmp nat-traversal
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 30
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.2.0 255.255.255.0 outside
ssh 82.X.X.56 255.255.255.255 outside
ssh timeout 30
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.97-192.168.1.128 inside
!
 
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
ntp server 213.10.47.241 source outside prefer
webvpn
 enable outside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.1.7
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value hq.example.org
group-policy DfltGrpPolicy attributes
 webvpn
  url-list value bookmark1
username vpncl1 password xxxxxxxxx encrypted privilege 0
username vpncl1 attributes
 vpn-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 30 retry 2
tunnel-group DefaultRAGroup general-attributes
 address-pool RApool1
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group muhq type remote-access
tunnel-group 82.X.X.56 type ipsec-l2l
tunnel-group 82.X.X.56 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 30 retry 2
prompt hostname context
Cryptochecksum:4219a112d25dbbe9ebd1789ff29ce459
: end

                                  
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:
99:
100:
101:
102:
103:
104:
105:
106:
107:
108:
109:
110:
111:
112:
113:
114:
115:
116:
117:
118:
119:
120:
121:
122:
123:
124:
125:
126:
127:
128:
129:
130:
131:
132:
133:
134:
135:
136:
137:
138:
139:
140:
141:
142:
143:
144:
145:
146:
147:
148:
149:
150:
151:
152:
153:
154:
155:
156:
157:
158:
159:
160:
161:
162:
163:
164:
165:
166:
167:
168:
169:
170:
171:
172:
173:
174:
175:
176:
177:
178:
179:
180:
181:
182:
183:
184:
185:
186:
187:
188:
189:
190:
191:
192:
193:
194:
195:
196:
197:
198:
199:
200:
201:
202:
203:
204:
205:
206:
207:
208:
209:
210:
211:
212:
213:
214:
215:
216:
217:
218:
219:
220:
221:
222:
223:
224:
225:
226:
227:
228:
229:
230:
231:
232:
233:
234:
235:
236:
237:
238:
239:
240:
241:
242:
243:
244:
245:
246:
247:
248:
249:
250:
251:
252:
253:
254:
255:
256:
257:
258:
259:
260:
261:
262:
263:
264:
265:
266:
267:
268:
269:
270:
271:
272:
273:
274:
275:
276:
277:
278:
279:
280:
281:
282:
283:
284:
285:
286:
287:
288:
289:
290:
291:
292:
293:
294:
295:
296:
297:
298:
299:
300:
301:
302:
303:
304:
305:
306:
307:
308:
309:
310:
311:
312:
313:
314:
315:
316:
317:
318:
319:
320:
321:
322:
323:
324:
325:
326:
327:
328:
329:
330:
331:
332:
333:
334:
335:
336:
337:
338:
339:
340:
341:
342:
343:
344:
345:
346:
347:
348:
349:
350:
351:
352:
353:
354:
355:
356:
357:
358:
359:
360:
361:
362:
363:
364:
365:
366:
367:
368:
369:
370:
371:
372:
373:
374:
375:
376:
377:
378:
379:
380:
381:
382:
383:
384:
385:
386:
387:
388:
389:
390:
391:
392:
393:
394:
395:
396:
397:
398:
399:
400:
401:
402:
403:
404:
405:
406:
407:
408:
409:
410:
411:
412:
413:
414:
415:
416:
417:
418:
419:
420:
421:
422:
423:
424:
425:
426:
427:
428:
429:
430:
431:
432:
433:
434:
435:
436:
437:
438:
439:
440:
441:
442:
443:
444:
445:
446:
447:
448:
449:
450:
451:
452:
453:
454:
455:
456:
457:
458:
459:
460:
461:
462:
463:
464:
465:
466:
467:
468:
469:

Select allOpen in new window

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2009-08-28 at 16:31:43ID24691398
Tags

Cisco ASA Draytek VPN tunnel

Topics

Virtual Private Networking (VPN)

,

IPSec Security Protocol

,

Cisco PIX Firewall

Participating Experts
2
Points
400
Comments
19

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. IPSEC, GRE TUNNEL, VPN
    I have a question regarding the difference, overall benefit of VPN, IPSEC, and/or GRE TUNNEL. While watching our senior network engineer try and build a GRE TUNNEL to another router via cable access, he decided to try IPSEC instead. The GRE TUNNEL was not "working"...
  2. ASA to 1812 IPSEC Tunnel
    I am trying to set up an IPSEC tunnel between a site with an ASA 5510 and another site that has a Cisco 1812. The configs are attached. what am I missing to make this work? I need traffic to flow unobstructed from the 192.168.75.x subnet to the 50.x subnet and vis versa. T...
  3. ASA VPN Tunnels
    here is my situation. I have a static lan to lan tunnel between my corporate office in Ohio and an office in Chicago. My corporate office is using an ASA 5520 and the remote side is using a 5505. I also have a dynamic lan to lan tunnel between my corporate office and another ...
  4. VPN Tunnels
    I have 3 sites that are connected by site to site vpn's using cisco appliances (asa or pix). One of the sites has had an IP change from the ISP. I need to ensure tunnels come back up. Should I only have to change the peer address on the other two pix's? Nothing else has c...
  5. ASA  5510 Dynamic IPSec VPN - No traffic over the tun…
    Hi. I have a Cisco ASA 5510 that I am trying to set up an IPSEC client VPN on. The tunnel comes up, user is authenticated, the client PC gets an address via dhcp, but I can't access the server behind the ASA, it's like the return traffic is getting lost. I've set up any n...
  6. Cisco ASA IPSec tunnel to tunnel routing.
    We've got two site to site IPSec tunnels setup to connect to our ASA 5520 Site1 and Site2 Site2 needs access to network resources on site1. Is this possible? Because I haven't been able to make it work. I can access both sites from the 5520 they're tunneled into but I ca...

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: mutahirPosted on 2009-08-28 at 17:19:21ID: 25212517

whats the firmware version on your draytek ?

2700 is a dialout only ; it should initiate the connection (i am sure you would already knew that but just in-case)

check your country specific draytek website for the latest firmware upgrade.

have you got a slow link at your home ? some times IKE timeouts relate to that as well

you can run draytek syslog utility found in router tools and capture the vpn transaction on draytek side as well.

 

by: geergonPosted on 2009-08-28 at 18:33:15ID: 25212676

Hello Sir!

According to the configuration I assume that this side has a dynamic IP, and it means that you are implementing a dynamic to static connection, right? In this topology only the ASA side could trigger the traffic for the tunnel negotiation. And the Draytek Vigor 2700 should support this kind of tunnels....

1. Which is the IP address of the OUTSIDE IP of the ASA?
2. It is passing through a NAT?

I noticed a couples of details in the LOGS information.

Aug 28 2009 15:25:31: %ASA-3-713119: Group = 82.X.X.56, IP = 82.X.X.56, PHASE 1 COMPLETED
--> ISAKMP/IKE pahse is OK

Aug 28 2009 15:26:03: %ASA-1-713900: Group = 82.X.X.56, IP = 82.X.X.56, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
--> VPn traffic is not matching


Anyway the problems seems to be related to phase 2, please double check that all the parameters are matching.

-Usage of PFS
-Vpn traffic (interesting traffic)
- Same encryption and hash for phase 2.

 

by: mutahirPosted on 2009-08-29 at 00:48:04ID: 25213283

As geergon have pointed out about the dynamic ip address at vigor 2700 side, you can use dyndns to map a hostname to your dynamic ip ; vigor allows that to do ; if you look around in your vigor settings there shud be an option to use dyndns or some other dynamic dns services ; it should be under Applications on your vigor management page.

www.dyndns.com

 

by: j66stPosted on 2009-08-29 at 01:37:01ID: 25213356

@ mutahir:
Thanks for your comment!
The Draytek is a model 2700V (Annex B), module 2S1L
(NOTa 2700G as I said in the question, sorry)
Firmware Version  : 2.6.2_131812
Build Date/Time  : Jun 14 2006 14:34:33

2.6.2 is the latest version according to their website. Although the build date doesn't match with the relnotes on the site. Not quite clear, there are several 2700 models with different hardware. At least it has got some firmware revisions. A little risky to flash other firmware if the version nr is the same.

The ADSL link is fast enough (1.5Mbps down, 256kbps up), at the office it's 2M/512k.
I did capture the Draytek syslog on a Linux server at home. See the code snippet below with the syslog of Local3 category.  It's suspect that it gives the PAP Login OK (PPPoA) with the timestamp reset to Jan 1. Looks as if it resets itself! The PAP Login must be the DSL reconnect, right? Or is it a bug that they don't put the right timestamp in the PAP message.

Don't know whether it is possible to get detailed logging of the IKE protocol from the Draytek.

I don't believe the 2700V is dial-out only. In the LAN-to-LAN profile it lets me choose beween Dial in, Dial out or Both. I chose Both. No keepalive set. No Always On flag set.
I would like each end to be able to reestablish the tunnel if it gets disconnected.

I will post the Draytek screenshots of the VPN settings later.






Jan  1 00:00:48 my.router Vigor: PAP Login OK (PPPoA)
Aug 28 15:20:46 my.router Vigor: Responding to Main Mode from 82.X.X.48
Aug 28 15:20:46 my.router Vigor: sent MR3, ISAKMP SA established with 82.X.X.48
Jan  1 00:00:48 my.router Vigor: PAP Login OK (PPPoA)
Aug 28 15:25:31 my.router Vigor: Responding to Main Mode from 82.X.X.48
Aug 28 15:25:31 my.router Vigor: sent MR3, ISAKMP SA established with 82.X.X.48
Jan  1 00:00:48 my.router Vigor: PAP Login OK (PPPoA)
Aug 28 15:28:25 my.router Vigor: Responding to Main Mode from 82.X.X.48
Aug 28 15:28:25 my.router Vigor: sent MR3, ISAKMP SA established with 82.161.98.48
Jan  1 00:00:48 my.router Vigor: PAP Login OK (PPPoA)
Aug 28 15:39:53 my.router Vigor: Responding to Main Mode from 82.X.X.48
Aug 28 15:39:53 my.router Vigor: sent MR3, ISAKMP SA established with 82.161.98.48
Jan  1 00:00:48 my.router Vigor: PAP Login OK (PPPoA)
Jan  1 00:00:48 my.router Vigor: PAP Login OK (PPPoA)
Jan  1 00:00:48 my.router Vigor: PAP Login OK (PPPoA)
                                              
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:

Select allOpen in new window

 

by: j66stPosted on 2009-08-29 at 02:02:01ID: 25213414

The screenshots with the Draytek config

 

by: j66stPosted on 2009-08-29 at 02:07:03ID: 25213427

The ISP guarantees a fixed public IP addresses at both sites. It's just that I left the Cisco at the default setting getting it's outside IP from the ISP's DHCP. It's an *Adaptive* Security Appliance, you know! :-)

OK I will fix the outside address, but that's not the problem here.

 

by: mutahirPosted on 2009-08-29 at 02:12:24ID: 25213439


in draytek config 2 screen shot : Under My WAN IP you need to specify your wan public static ip address at the 2700 side!

under remote gateway specify the public static from where the request is coming

Set the Always ON value to 0 seconds in draytek config 1 screenshot

then run SYSLOG from draytek router tools utility and enable syslog on your router and initiate the vpn transaction

 

by: j66stPosted on 2009-08-29 at 02:17:01ID: 25213447

@geergon:
Thanks for replying.
The outside address of the Cisco is 82.X.X.56 as said in the original post. There is no NAT or other router  in between; the ASA is connected to the modem, which is in bridged mode, with a permanent DSL connection. The ASA gets its outside IP and gateway from the ISP's DHCP service.

IKE Phase 1 completes OK, Phase 2 does not!
The Quick Mode negotiation fails IMO. See the FSM error. It looks like a timeout. I'm not familiar with the ASA details. I thought that PFS might be the problem. I turned it off in the Draytek. And I thought it is also off in the Cisco (can you check this please in the config listing, I'm not that familiar with the layering and the defaults of the Cisco settings).

 

by: j66stPosted on 2009-08-29 at 02:29:32ID: 25213470

In the packet capture the following packet is sent by the Cisco to the Draytek.

   7: 15:28:27.022002 802.1Q vlan#2 P0 82.X.X.48.500 > 82.X.X.56.500:  udp 652
      ISAKMP Header
        Initiator COOKIE: 94 64 f1 46 ed c3 d7 ae
        Responder COOKIE: ff ac 06 b5 6e c4 89 23
        Next Payload: Hash
        Version: 1.0
        Exchange Type: Quick Mode
        Flags: (Encryption)
        MessageID: 72C4EA2C
        Length: 652

It apparently gets no response. After repeating the message 3 times with 8-second intervals, the Cisco finally gives up. Thats how I see it.
Some expert with thorough knowledge of the protocol might be able to indicate whats wrong.

Also it would be interesting if someone else with the same equipment has an IPsec/ESP tunnel working reliably and could post me the settings.

 

by: mutahirPosted on 2009-08-29 at 02:38:50ID: 25213494

in draytek config 2 screen shot : Under My WAN IP you need to specify your wan public static ip address at the 2700 side!
under remote gateway specify the public static from where the request is coming
Set the Always ON value to 0 seconds in draytek config 1 screenshot
then run SYSLOG from draytek router tools utility and enable syslog on your router and initiate the vpn transaction

have you checked / changed the above settings ?

 

by: j66stPosted on 2009-08-29 at 02:56:45ID: 25213538

@mutahir:
>> in draytek config 2 screen shot : Under My WAN IP you need to specify your wan public static ip address at the 2700 side! <<
>> under remote gateway specify the public static from where the request is coming <<

No, these fields are only for PPTP and L2TP links. Explanation from the Vigor manual:

My WAN IP:  This field is only applicable when you select PPTP or L2TP
with or without IPSec policy above. The default value is 0.0.0.0,
which means the Vigor router will get a PPP IP address from
the remote router during the IPCP negotiation phase. If the PPP
IP address is fixed by remote side, specify the fixed IP address
here.
Remote Gateway IP: This field is only applicable when you select PPTP or L2TP
with or without IPSec policy above. The default value is 0.0.0.0,
which means the Vigor router will get a remote Gateway PPP
IP address from the remote router during the IPCP negotiation
phase. If the PPP IP address is fixed by remote side, specify the
fixed IP address here.

But entering these addresses won't harm, I will try it.

>> Set the Always ON value to 0 seconds in draytek config 1 screenshot <<
Why? Do you assume 0 seconds will mean infinite? (If I check the Always On flag, the value changes to
 -1!  A value of 0 might imply an immediate timeout.
But I'll try.

>> then run SYSLOG from draytek router tools utility and enable syslog on your router and initiate the vpn transaction <<

Ok, thanks for your thoughts, I'll try them out and report back.

 

by: mutahirPosted on 2009-08-29 at 02:58:22ID: 25213545

Always ON means , as soon as the tunnel drops , it will initiate in 0 seconds

 

by: j66stPosted on 2009-08-29 at 03:52:41ID: 25213680

Agreed.
But the idle timeout value T indicates that if the Always On checkbox is NOT checked, the connection will be dropped after T seconds of no traffic. A value of 0 would theoretically mean that the connection is dropped immediately. If 0 is interpreted as infinite, that would be fine, but that could be set by the Always On flag.

However, Always On implies that the dial direction is Outbound. (it will set the radiobutton Dial Out automatically. I tried that, the Draytek is then continuously calling the Cisco.

 

by: j66stPosted on 2009-08-29 at 03:54:36ID: 25213682

... So for the first tests, a 3600 second idle timeout is. We'll first have to see the tunnel kept up for an hour.

 

by: j66stPosted on 2009-08-29 at 05:03:28ID: 25213790

@mutahir
Followed your tips. I am pleasantly surprised by the Draytek syslog tool!

However, your advice >> under remote gateway specify the public static from where the request is coming << turned out not to be a good idea.
Although the manual says this setting is only used for PPTP and L2TP, it has the effect that I can't ping anymore from the home LAN to the Cisco at the office. Instead, when I ping the public office address 82.X.X.48, I see the Draytek trying to open a tunnel. This is wrong. The tunnel should only be built when pinging to the 192.168.1.x LAN !

 

by: j66stPosted on 2009-08-29 at 05:35:39ID: 25213835

WIth the Remote Gateway again set to 0.0.0.0, the behavior is better:
ping the office WAN address will echo back (no tunneling).
ping a office LAN address, and the DrayTek attempts building the tunnel
The Draytek syslog says:
  Dialing Node2 (mu6b_ipsec) : 82.X.X.48
  >>> Dial-up triggered by user : 192.168.2.101 ; proto=icmp, to 192.168.1.7
  Initiating IKE Main Mode to 82.X.X.48

So it is trying properly, but does not succeed to finish the tunnel to the Cisco.

 

by: j66stPosted on 2009-08-29 at 08:30:23ID: 25214341

After several hours of experimenting I've got FINALLY at least SOMETHING that works!!!

I changed the isakmp lifetime back to 86400 and the hash type to MD5 for both phase 1 and phase 2.
Now when calling from the Draytek  to the Cisco, also phase 2 completes.
The resulting SAs are:
ciscoasa(config)# show crypto isakmp sa detail

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 82.X.X.56
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 86060
ciscoasa(config)# show crypto ipsec sa detail
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 82.X.X.48

      access-list outside_cryptomap permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 82.X.X.56

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 21, #pkts decrypt: 21, #pkts verify: 21
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 5, #pkts invalid len (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 82.X.X.48, remote crypto endpt.: 82.X.X.56

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: EC76BB5F

    inbound esp sas:
      spi: 0x95386386 (2503500678)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 118784, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 28423
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xEC76BB5F (3967204191)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 118784, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 28423
         IV size: 8 bytes
         replay detection support: Y

ciscoasa(config)#

Now I can start to explore the boundaries between what works and what doesn't...

 

by: geergonPosted on 2009-08-29 at 11:52:43ID: 25214929

Great to know!

Also I recommend you to have just one transform-set per tunnel
Example:
crypto map outside_map 1 set transform-set ESP-3DES-MD5

Other details that maybe could help:

- The ASA does not support any kind of DDNS.

- Also CISCO always recommends to match the lifetimes of both phases in order to avoid future problems and disabled keepalives in the 3rd party side.
(problems related to vpn flapping can occur, I have seen a lot problematic tunnels getting fixed with this...)

 

by: j66stPosted on 2009-09-26 at 13:15:37ID: 25431355

Wished I had a document showing the detailed state machine of the Cisco ASA and the error's, so that I could determine what's causing the timeout.
Well, it works fine now with the Draytek as the originator of the tunnel, with the Always On setting. I did never succeed to have the Cisco ASA call the Draytek. Oh, well.
 

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...