alexandrainvestment

Cannot establish a VPN Tunnel between Cisco ASA 5520 and Cisco 2621 router

Scenario: ASA as a VPN hub, Cisco 2621 as a spoke. ASA allows incoming peers to dynamically negotiate IPSEC SAs.

ASA is running 7.2, 2621 is running 12.2(40). ASA works fine with many remote devices (Cisco, Fortinet, etc.) using dynamically negotiated SAs. Cisco 2621 is a new installation.

ASA configuration:

crypto ipsec transform-set ih_set esp-aes-256 esp-sha-hmac
crypto dynamic-map ih_dynmap 50 set transform-set ih_set
crypto map ih_map 20 ipsec-isakmp dynamic ih_dynmap
crypto map ih_map interface outside
!
crypto isakmp identity address
crypto isakmp enable outside
!
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto isakmp nat-traversal  30
crypto isakmp disconnect-notify
!
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *

2621 config:



ip dhcp pool ih_office_pool
 import all
 network 192.168.140.0 255.255.255.0
 default-router 192.168.140.1
 domain-name <removed>
 dns-server 216.150.150.70 216.150.150.71
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <removed> address <address of the ASA>
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
crypto map ih 10 ipsec-isakmp
 set peer <address of the ASA>
 set transform-set vpn1
 match address ih_sitetosite
interface FastEthernet0/0
 ip address 192.168.140.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 description T1
 ip address 67.151.90.170 255.255.255.252
 ip nat outside
 encapsulation ppp
 crypto map ih
!
ip nat inside source list nat_outside interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip http server
ip http authentication local
!
ip access-list extended ih_sitetosite
 permit ip 192.168.140.0 0.0.0.255 216.150.150.0 0.0.0.255
!
ip access-list extended nat_outside
 deny   ip 192.168.140.0 0.0.0.255 216.150.150.0 0.0.0.255
 permit ip 192.168.140.0 0.0.0.255 any


When I initiate interesting traffic from the segment connected to the 2621, I see the following in the router log:

Nov  1 22:25:54: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 67.151.90.170, remote= 216.150.140.42,
    local_proxy= 192.168.140.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 216.150.150.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 86400s and 4608000kb,
    spi= 0x70024E8C(1879199372), conn_id= 0, keysize= 0, flags= 0x400C
Nov  1 22:25:54: ISAKMP: received ke message (1/1)
Nov  1 22:25:54: ISAKMP: local port 500, remote port 500
Nov  1 22:25:54: ISAKMP (0:1): beginning Main Mode exchange
Nov  1 22:25:54: ISAKMP (0:1): sending packet to 216.150.140.42 (I) MM_NO_STATE
Nov  1 22:25:54: ISAKMP (0:1): received packet from 216.150.140.42 (I) MM_NO_STATE
Nov  1 22:25:54: ISAKMP (0:1): processing SA payload. message ID = 0
Nov  1 22:25:54: ISAKMP (0:1): found peer pre-shared key matching 216.150.140.42
Nov  1 22:25:54: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
Nov  1 22:25:54: ISAKMP:      encryption 3DES-CBC
Nov  1 22:25:54: ISAKMP:      hash SHA
Nov  1 22:25:54: ISAKMP:      default group 2
Nov  1 22:25:54: ISAKMP:      auth pre-share
Nov  1 22:25:54: ISAKMP:      life type in seconds
Nov  1 22:25:54: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Nov  1 22:25:54: ISAKMP (0:1): atts are acceptable. Next payload is 0
Nov  1 22:25:54: CryptoEngine0: generate alg parameter
Nov  1 22:25:54: CRYPTO_ENGINE: Dh phase 1 status: 0
Nov  1 22:25:54: CRYPTO_ENGINE: Dh phase 1 status: 0
Nov  1 22:25:54: ISAKMP (0:1): processing vendor id payload
Nov  1 22:25:54: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Nov  1 22:25:54: ISAKMP (0:1): sending packet to 216.150.140.42 (I) MM_SA_SETUP
Nov  1 22:25:54: ISAKMP (0:1): received packet from 216.150.140.42 (I) MM_SA_SETUP
Nov  1 22:25:54: ISAKMP (0:1): processing KE payload. message ID = 0
Nov  1 22:25:54: CryptoEngine0: generate alg parameter
Nov  1 22:25:54: ISAKMP (0:1): processing NONCE payload. message ID = 0
Nov  1 22:25:54: ISAKMP (0:1): found peer pre-shared key matching 216.150.140.42
Nov  1 22:25:54: CryptoEngine0: create ISAKMP SKEYID for conn id 1
Nov  1 22:25:54: ISAKMP (0:1): SKEYID state generated
Nov  1 22:25:54: ISAKMP (0:1): processing vendor id payload
Nov  1 22:25:54: ISAKMP (0:1): processing vendor id payload
Nov  1 22:25:54: ISAKMP (0:1): processing vendor id payload
Nov  1 22:25:54: ISAKMP (0:1): speaking to another IOS box!
Nov  1 22:25:54: ISAKMP (0:1): processing vendor id payload
Nov  1 22:25:54: ISAKMP (1): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
Nov  1 22:25:54: ISAKMP (1): Total payload length: 12
Nov  1 22:25:54: CryptoEngine0: generate hmac context for conn id 1
Nov  1 22:25:54: ISAKMP (0:1): sending packet to 216.150.140.42 (I) MM_KEY_EXCH
Nov  1 22:25:54: ISAKMP (0:1): received packet from 216.150.140.42 (I) MM_KEY_EXCH
Nov  1 22:25:54: ISAKMP (0:1): processing ID payload. message ID = 0
Nov  1 22:25:54: ISAKMP (0:1): processing HASH payload. message ID = 0
Nov  1 22:25:54: CryptoEngine0: generate hmac context for conn id 1
Nov  1 22:25:54: ISAKMP:received payload type 14
Nov  1 22:25:54: ISAKMP (0:1): processing vendor id payload
Nov  1 22:25:54: ISAKMP (0:1): SA has been authenticated with 216.150.140.42
Nov  1 22:25:54: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 1468844170
Nov  1 22:25:54: CryptoEngine0: generate hmac context for conn id 1
Nov  1 22:25:54: ISAKMP (0:1): sending packet to 216.150.140.42 (I) QM_IDLE      
Nov  1 22:25:54: CryptoEngine0: clear dh number for conn id 1
Nov  1 22:25:54: ISAKMP (0:1): received packet from 216.150.140.42 (I) QM_IDLE      
Nov  1 22:25:54: CryptoEngine0: generate hmac context for conn id 1
Nov  1 22:25:54: ISAKMP (0:1): processing HASH payload. message ID = -513313949
Nov  1 22:25:54: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 0, message ID = -513313949, sa = 82361EC8
Nov  1 22:25:54: ISAKMP (0:1): deleting node -513313949 error FALSE reason "informational (in) state 1"
Nov  1 22:25:54: ISAKMP (0:1): received packet from 216.150.140.42 (I) QM_IDLE      
Nov  1 22:25:54: CryptoEngine0: generate hmac context for conn id 1
Nov  1 22:25:54: ISAKMP (0:1): processing HASH payload. message ID = -1473369187
Nov  1 22:25:54: ISAKMP:received payload type 15
Nov  1 22:25:54: ISAKMP (0:1): processing DELETE_WITH_REASON payload, message ID = -1473369187, reason: Unknown delete reason!
Nov  1 22:25:54: ISAKMP (0:1): peer does not do paranoid keepalives.
Nov  1 22:25:54: ISAKMP (0:1): deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE       (peer 216.150.140.42) input queue 0
Nov  1 22:25:54: ISAKMP (0:1): deleting node 1468844170 error FALSE reason "P1 delete notify (in)"
Nov  1 22:25:54: ISAKMP (0:1): deleting node -1473369187 error FALSE reason "P1 delete notify (in)"
Nov  1 22:26:24: IPSEC(key_engine): request timer fired: count = 1,


On the ASA, I see the following:


Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 84
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, processing SA payload
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, Oakley proposal is acceptable
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, processing IKE SA payload
oNov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 4
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, constructing ISAKMP SA payload
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, constructing Fragmentation VID + extended capabilities payload
Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
 Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NONE (0) total length : 204
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, processing ke payload
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, processing ISA_KE payload
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, processing nonce payload
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, processing VID payload
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 0000000f)
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, constructing ke payload
dNov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, constructing nonce payload
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, constructing Cisco Unity VID payload
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, constructing xauth V6 VID payload
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, Send IOS VID
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000409)
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, constructing VID payload
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, Connection landed on tunnel_group DefaultL2LGroup
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, Generating keys for Responder...
Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
ebNov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, processing ID payload
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, processing hash payload
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, Computing hash for ISAKMP
Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, Connection landed on tunnel_group DefaultL2LGroup
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, Freeing previously allocated memory for authorization-dn-attributes
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, constructing ID payload
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, constructing hash payload
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, Computing hash for ISAKMP
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, constructing dpd vid payload
Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, Delete with reason code capability is negotiated
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, PHASE 1 COMPLETED
Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, Keep-alive type for this connection: IOS
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, Starting P1 rekey timer: 64800 seconds.
Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, IKE_DECODE RECEIVED Message (msgid=b491bd3d) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, processing hash payload
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, processing SA payload
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, processing nonce payload
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, processing ID payload
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, Received remote IP Proxy Subnet data in ID Payload:   Address 192.168.140.0, Mask 255.255.255.0, Protocol 0, Port 0
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, processing ID payload
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, Received local IP Proxy Subnet data in ID Payload:   Address 216.150.150.0, Mask 255.255.255.0, Protocol 0, Port 0
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, QM IsRekeyed old sa not found by addr
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, IKE Remote Peer configured for crypto map: infohedge_dynmap
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, processing IPSec SA payload
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, All IPSec SA proposals found unacceptable!
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, sending notify message
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, constructing blank hash payload
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, constructing ipsec notify payload for msg id b491bd3d
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, constructing qm hash payload
Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, IKE_DECODE SENDING Message (msgid=6a598c80) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, QM FSM error (P2 struct &0xdf56938, mess id 0xb491bd3d)!
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, IKE QM Responder FSM error history (struct &0xdf56938)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, sending delete/delete with reason message
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, Removing peer from correlator table failed, no match!
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, Could not delete route for L2L peer that came in on a dynamic map. address: 192.168.140.0, mask: 255.0.0.0
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, IKE SA MM:ee2c189c rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, IKE SA MM:ee2c189c terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, sending delete/delete with reason message
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, constructing blank hash payload
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, constructing IKE delete with reason payload
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, Sending IKE Delete With Reason message: Phase-2 Proposal Mismatch.
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, constructing qm hash payload
Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, IKE_DECODE SENDING Message (msgid=a8342544) with payloads : HDR + HASH (8) + DWR (129) + NONE (0) total length : 84

It _SEEMS_ like ASA does not like the IPSEC SAs that 2621 is providing. I am not sure why.


Please help.
ex-engineer

When you do a "sho isakmp sa" on the 2621, what do you get?

And what about when you do a "sho ipsec sa"?
Let me rephrase: sh crypto isakmp sa AND sh crypto ipsec sa.

ASKER

While I am continuously generating interesting traffic, the following ISAKMP SAs are present:

IHRTR01#sho crypto isakmp sa  
dst             src             state           conn-id    slot
216.150.140.42  67.151.90.170   MM_NO_STATE           2       0   (deleted)
216.150.140.42  67.151.90.170   MM_NO_STATE           4       0   (deleted)
216.150.140.42  67.151.90.170   MM_NO_STATE           3       0   (deleted)

As soon as I stop generating interesting traffic, they eventually get deleted within approx. 1 minute.

Here are the IPSEC SAs:

IHRTR01#show crypto ipsec sa

interface: Serial0/0
    Crypto map tag: ih_map, local addr. 67.151.90.170

   local  ident (addr/mask/prot/port): (192.168.140.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (216.150.150.0/255.255.255.0/0/0)
   current_peer: 216.150.140.42
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 18, #recv errors 0

     local crypto endpt.: 67.151.90.170, remote crypto endpt.: 216.150.140.42
     path mtu 1500, ip mtu 1500, ip mtu interface Serial0/0
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:
         
     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


On your ASA you have the below transform set.

crypto ipsec transform-set ih_set esp-aes-256 esp-sha-hmac

On your 2621 you have the below transform set.

crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac

If your 2621 router supports aes-256, then modify your 2621 transform set as below.

crypto ipsec transform-set vpn1 esp-aes-256 esp-sha-hmac

Also make below changes on 2621.

crypto isakmp policy 10
encr aes-256
authentication pre-share
group 2
crypto isakmp key <removed> address <address of the ASA>


If your router doesn't support aes-256 encryption, then add 3des to your ASA transform set as well.

I added the 3DES transport set and now my ASA config contains the following:

crypto ipsec transform-set ih_set esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ih_3des_set esp-3des esp-sha-hmac
crypto dynamic-map ih_dynmap 50 set transform-set ih_set
crypto dynamic-map ih_dynmap 60 set transform-set ih_3des_set
crypto map ih_map 20 ipsec-isakmp dynamic ih_dynmap
crypto map ih_map interface outside

However, the tunnel still does not come up and error messages in the logs are EXACTLY the same as before (on both 2621 and the ASA).

I think this is something related to DPD. Place this command in the router 2621

crypto isakmp keepalive 30 20 periodic

ref:http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_7/gtdpmo.htm

renill

The router did not accept the "periodic" command, so I just added it as "crypto isakmp keepalive 30 20". Besides, I do not think the issue has to do with DPD because the tunnel never gets established in the first place.

In any event, the command did not make any difference. The tunnel still does not come up and the error messages are exactly the same.

For this option you need to have at least 12.3(T) IOS in the router.

renill

renill - unfortunately I can't run 12.3 as the 2621 only has 48MB of RAM and the 12.3 crypto image needs 64MB.
tang - thank you for pointing me to the "ASA 5500 Series Quick Start guide". Please note that my ASA is already rack mounted, cables are connected to it, IP addresses are assigned, etc. I think we are well beyond the quick start. I have read many documents on the Cisco web site and everything seems to be configured according to them. There is a particular issue I am having, and I am looking for particular advice on how to solve it.

Alex:

It seems that your phase 1 isakmp negotiation never yields a successful SA. So, perhaps you should start there. Troubleshoot the isakmp phase 1 part first.

Are the isakmp keys the same on both sides? No typos?

Checked and retyped everything (including the isakmp key) many times. No luck. Can you tell me how to further troubleshoot phase 1 given the configuration I posted above?

Alex:

I am going to take back what I said. I should have had my first cup of coffee before opening my mouth. :-)

It seems that the phase 1 negotiation IS successful AT FIRST. It does go into QM_Idle mode on both sides. But something goes wrong right after that.

I did see that you added a new IPSec transform set to your dynamic map and it does seem like you applied it correctly. Although, I would double check that.

But honestly, if you have a support contract with Cisco, just open a TAC case and be done with it. I don't want to waste your time irresponsibly. Their VPN engineers see this stuff all day, every day. That's all they do. So, let them take a crack at it. I think you have troubleshot this intelligently and logically. Obviously, there is something we're missing.
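
Added example (not part of the thread and not Cisco code): a small triage script that reads ASA IKEv1 debug lines in the format posted above and reports, per peer, whether the failure is in phase 1 or phase 2. The first four sample lines are copied from the ASA log in this thread; the 192.0.2.10 and 198.51.100.7 lines and the stage labels are constructed for illustration.

```python
import re

# First four lines: copied from the ASA debug output in this thread.
# Last two lines: constructed peers for contrast (documentation addresses).
SAMPLE_ASA_LOG = """\
Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, Connection landed on tunnel_group DefaultL2LGroup
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, PHASE 1 COMPLETED
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, All IPSec SA proposals found unacceptable!
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, Sending IKE Delete With Reason message: Phase-2 Proposal Mismatch.
Nov 01 17:28:03 [IKEv1]: IP = 192.0.2.10, Connection landed on tunnel_group DefaultL2LGroup
Nov 01 17:28:09 [IKEv1]: Group = DefaultL2LGroup, IP = 198.51.100.7, PHASE 1 COMPLETED
"""

# Peer address and the message text that follows it on the same line.
PEER_RE = re.compile(r"IP = (\d{1,3}(?:\.\d{1,3}){3}), (.*)$")
# Reason carried in the ASA's "delete with reason" notification.
DWR_RE = re.compile(r"Sending IKE Delete With Reason message: (.+?)\.?$")


def classify(st):
    """Map the per-peer flags to a (stage, reason) pair."""
    if not st["phase1"]:
        return ("phase1_incomplete", None)
    if st["p2_rejected"] or st["reason"]:
        return ("phase2_rejected", st["reason"])
    return ("no_failure_logged", None)


def triage(log_text):
    """Return {peer_ip: (stage, reason)} for every peer seen in the log."""
    state = {}
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if not m:
            continue
        ip, msg = m.groups()
        st = state.setdefault(
            ip, {"phase1": False, "p2_rejected": False, "reason": None}
        )
        if "PHASE 1 COMPLETED" in msg:
            st["phase1"] = True
        elif "All IPSec SA proposals found unacceptable" in msg:
            st["p2_rejected"] = True
        else:
            dwr = DWR_RE.search(msg)
            if dwr:
                st["reason"] = dwr.group(1)
    return {ip: classify(st) for ip, st in state.items()}


if __name__ == "__main__":
    for ip, (stage, reason) in triage(SAMPLE_ASA_LOG).items():
        print(f"{ip:15} {stage:20} {reason or ''}")
```
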
After much pain and suffering, I was able to resolve the issue myself with the help of a TAC engineer. The problem was that all Cisco VPN devices (such as PIX, ASA, IOS routers, etc.) ignore multiple transform set statements unless they are located on the same line. Example:

Incorrect configuration:

crypto ipsec transform-set ih_set esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ih_3des_set esp-3des esp-sha-hmac
!
crypto dynamic-map ih_dynmap 50 set transform-set ih_set
crypto dynamic-map ih_dynmap 60 set transform-set ih_3des_set
!
crypto map ih_map 20 ipsec-isakmp dynamic ih_dynmap
crypto map ih_map interface outside


Correct configuration:

crypto ipsec transform-set ih_set esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ih_3des_set esp-3des esp-sha-hmac
!
crypto dynamic-map ih_dynmap 50 set transform-set ih_set ih_3des_set
!
crypto map ih_map 20 ipsec-isakmp dynamic ih_dynmap
crypto map ih_map interface outside

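Added example (not part of the thread and not Cisco code): a pre-change check that parses a hub configuration and reports whether a spoke's ESP transform pair would be accepted, plus any transform sets that sit on a later dynamic-map sequence. It assumes the behaviour reported in the resolution above, namely that only the transform sets listed on the lowest-sequence `set transform-set` line of the dynamic map are offered; the function names are hypothetical.

```python
import re

# The two hub configurations quoted in the resolution above.
INCORRECT = """\
crypto ipsec transform-set ih_set esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ih_3des_set esp-3des esp-sha-hmac
crypto dynamic-map ih_dynmap 50 set transform-set ih_set
crypto dynamic-map ih_dynmap 60 set transform-set ih_3des_set
"""
CORRECT = """\
crypto ipsec transform-set ih_set esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ih_3des_set esp-3des esp-sha-hmac
crypto dynamic-map ih_dynmap 50 set transform-set ih_set ih_3des_set
"""


def parse_transform_sets(cfg):
    """Return {set_name: sorted tuple of transforms}."""
    sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M):
        sets[m.group(1)] = tuple(sorted(m.group(2).split()))
    return sets


def parse_dynamic_map(cfg, name):
    """Return {sequence: [transform-set names]} for one dynamic map."""
    pat = rf"^crypto dynamic-map {re.escape(name)} (\d+) set transform-set (.+)$"
    return {int(m.group(1)): m.group(2).split()
            for m in re.finditer(pat, cfg, re.M)}


def responder_accepts(hub_cfg, dynmap, offered):
    """Return (accepted, unreachable_sets) for the spoke's offered transforms.

    Assumption (from this thread's resolution): only the lowest-sequence
    entry of the dynamic map is consulted for an incoming peer.
    """
    sets = parse_transform_sets(hub_cfg)
    entries = parse_dynamic_map(hub_cfg, dynmap)
    if not entries:
        return False, []
    first = min(entries)
    acceptable = [sets[n] for n in entries[first] if n in sets]
    unreachable = [n for seq in sorted(entries) if seq != first
                   for n in entries[seq]]
    return tuple(sorted(offered)) in acceptable, unreachable


if __name__ == "__main__":
    spoke = ["esp-3des", "esp-sha-hmac"]  # the 2621's transform set vpn1
    for label, cfg in (("incorrect", INCORRECT), ("correct", CORRECT)):
        ok, unused = responder_accepts(cfg, "ih_dynmap", spoke)
        print(f"{label}: accepted={ok} unreachable_sets={unused}")
```
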
Great work, Alex! I was suspicious about the way you applied the second transform set, which is why I suggested that you "double check" the manner in which you applied them.

"I did see that you added a new IPSec transform set to your dynamic map and it does seem like you applied it correctly. Although, I would double check that."

Alex, sorry I was unable to come on site after my first post, and it's good to see that your problem is resolved.
You can define multiple transform sets, but you can't define multiple crypto maps.
 
cheers !!!!!!!!!!