Solved

Cannot establish a VPN Tunnel between Cisco ASA 5520 and Cisco 2621 router -

Posted on 2006-11-01
20
8,584 Views
Last Modified: 2008-11-27
Scenario: ASA as a VPN hub, Cisco 2621 as a spoke. ASA allows incoming peers to dynamically negotiate IPSEC SA’s:

ASA is running 7.2, 2621 is running 12.2(40). ASA works fine with many remote devices (Cisco, Fortinet, etc) using dynamically negotiated SAs. Cisco 2621 is a new installation

ASA configuration:

crypto ipsec transform-set ih_set esp-aes-256 esp-sha-hmac
crypto dynamic-map ih_dynmap 50 set transform-set ih_set
crypto map ih_map 20 ipsec-isakmp dynamic ih_dynmap
crypto map ih_map interface outside
!
crypto isakmp identity address
crypto isakmp enable outside
!
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto isakmp nat-traversal  30
crypto isakmp disconnect-notify
!
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *

2621 config:



ip dhcp pool ih_office_pool
import all
network 192.168.140.0 255.255.255.0
default-router 192.168.140.1
domain-name <removed>
dns-server 216.150.150.70 216.150.150.71
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key <removed> address <address of the ASA>
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
crypto map ih 10 ipsec-isakmp  
set peer <addres of the ASA>
set transform-set vpn1
match address ih_sitetosite
interface FastEthernet0/0
ip address 192.168.140.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
description T1
ip address 67.151.90.170 255.255.255.252
ip nat outside
encapsulation ppp
crypto map ih
!
ip nat inside source list nat_outside interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip http server
ip http authentication local

!

!
ip access-list extended ih_sitetosite
permit ip 192.168.140.0 0.0.0.255 216.150.150.0 0.0.0.255
!
ip access-list extended nat_outside
deny   ip 192.168.140.0 0.0.0.255 216.150.150.0 0.0.0.255
permit ip 192.168.140.0 0.0.0.255 any


When I initiate interesting traffic from the segment connected to the 2621, I see the following in the router log:

Nov  1 22:25:54: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 67.151.90.170, remote= 216.150.140.42,
    local_proxy= 192.168.140.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 216.150.150.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac ,
    lifedur= 86400s and 4608000kb,
    spi= 0x70024E8C(1879199372), conn_id= 0, keysize= 0, flags= 0x400C
Nov  1 22:25:54: ISAKMP: received ke message (1/1)
Nov  1 22:25:54: ISAKMP: local port 500, remote port 500
Nov  1 22:25:54: ISAKMP (0:1): beginning Main Mode exchange
Nov  1 22:25:54: ISAKMP (0:1): sending packet to 216.150.140.42 (I) MM_NO_STATE
Nov  1 22:25:54: ISAKMP (0:1): received packet from 216.150.140.42 (I) MM_NO_STATE
Nov  1 22:25:54: ISAKMP (0:1): processing SA payload. message ID = 0
Nov  1 22:25:54: ISAKMP (0:1): found peer pre-shared key matching 216.150.140.42
Nov  1 22:25:54: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
Nov  1 22:25:54: ISAKMP:      encryption 3DES-CBC
Nov  1 22:25:54: ISAKMP:      hash SHA
Nov  1 22:25:54: ISAKMP:      default group 2
Nov  1 22:25:54: ISAKMP:      auth pre-share
Nov  1 22:25:54: ISAKMP:      life type in seconds
Nov  1 22:25:54: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Nov  1 22:25:54: ISAKMP (0:1): atts are acceptable. Next payload is 0
Nov  1 22:25:54: CryptoEngine0: generate alg parameter
Nov  1 22:25:54: CRYPTO_ENGINE: Dh phase 1 status: 0
Nov  1 22:25:54: CRYPTO_ENGINE: Dh phase 1 status: 0
Nov  1 22:25:54: ISAKMP (0:1): processing vendor id payload
Nov  1 22:25:54: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Nov  1 22:25:54: ISAKMP (0:1): sending packet to 216.150.140.42 (I) MM_SA_SETUP
Nov  1 22:25:54: ISAKMP (0:1): received packet from 216.150.140.42 (I) MM_SA_SETUP
Nov  1 22:25:54: ISAKMP (0:1): processing KE payload. message ID = 0
Nov  1 22:25:54: CryptoEngine0: generate alg parameter
Nov  1 22:25:54: ISAKMP (0:1): processing NONCE payload. message ID = 0
Nov  1 22:25:54: ISAKMP (0:1): found peer pre-shared key matching 216.150.140.42
Nov  1 22:25:54: CryptoEngine0: create ISAKMP SKEYID for conn id 1
Nov  1 22:25:54: ISAKMP (0:1): SKEYID state generated
Nov  1 22:25:54: ISAKMP (0:1): processing vendor id payload
Nov  1 22:25:54: ISAKMP (0:1): processing vendor id payload
Nov  1 22:25:54: ISAKMP (0:1): processing vendor id payload
Nov  1 22:25:54: ISAKMP (0:1): speaking to another IOS box!
Nov  1 22:25:54: ISAKMP (0:1): processing vendor id payload
Nov  1 22:25:54: ISAKMP (1): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
Nov  1 22:25:54: ISAKMP (1): Total payload length: 12
Nov  1 22:25:54: CryptoEngine0: generate hmac context for conn id 1
Nov  1 22:25:54: ISAKMP (0:1): sending packet to 216.150.140.42 (I) MM_KEY_EXCH
Nov  1 22:25:54: ISAKMP (0:1): received packet from 216.150.140.42 (I) MM_KEY_EXCH
Nov  1 22:25:54: ISAKMP (0:1): processing ID payload. message ID = 0
Nov  1 22:25:54: ISAKMP (0:1): processing HASH payload. message ID = 0
Nov  1 22:25:54: CryptoEngine0: generate hmac context for conn id 1
Nov  1 22:25:54: ISAKMP:received payload type 14
Nov  1 22:25:54: ISAKMP (0:1): processing vendor id payload
Nov  1 22:25:54: ISAKMP (0:1): SA has been authenticated with 216.150.140.42
Nov  1 22:25:54: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 1468844170
Nov  1 22:25:54: CryptoEngine0: generate hmac context for conn id 1
Nov  1 22:25:54: ISAKMP (0:1): sending packet to 216.150.140.42 (I) QM_IDLE      
Nov  1 22:25:54: CryptoEngine0: clear dh number for conn id 1
Nov  1 22:25:54: ISAKMP (0:1): received packet from 216.150.140.42 (I) QM_IDLE      
Nov  1 22:25:54: CryptoEngine0: generate hmac context for conn id 1
Nov  1 22:25:54: ISAKMP (0:1): processing HASH payload. message ID = -513313949
Nov  1 22:25:54: ISAKMP (0:1): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 0, message ID = -513313949, sa = 82361EC8
Nov  1 22:25:54: ISAKMP (0:1): deleting node -513313949 error FALSE reason "informational (in) state 1"
Nov  1 22:25:54: ISAKMP (0:1): received packet from 216.150.140.42 (I) QM_IDLE      
Nov  1 22:25:54: CryptoEngine0: generate hmac context for conn id 1
Nov  1 22:25:54: ISAKMP (0:1): processing HASH payload. message ID = -1473369187
Nov  1 22:25:54: ISAKMP:received payload type 15
Nov  1 22:25:54: ISAKMP (0:1): processing DELETE_WITH_REASON payload, message ID = -1473369187, reason: Unknown delete reason!
Nov  1 22:25:54: ISAKMP (0:1): peer does not do paranoid keepalives.
Nov  1 22:25:54: ISAKMP (0:1): deleting SA reason "P1 delete notify (in)" state (I) QM_IDLE       (peer 216.150.140.42) input queue 0
Nov  1 22:25:54: ISAKMP (0:1): deleting node 1468844170 error FALSE reason "P1 delete notify (in)"
Nov  1 22:25:54: ISAKMP (0:1): deleting node -1473369187 error FALSE reason "P1 delete notify (in)"
Nov  1 22:26:24: IPSEC(key_engine): request timer fired: count = 1,


On the ASA, I see the following:


Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 84
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, processing SA payload
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, Oakley proposal is acceptable
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, processing IKE SA payload
oNov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 4
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, constructing ISAKMP SA payload
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, constructing Fragmentation VID + extended capabilities payload
Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
 Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + NONE (0) total length : 204
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, processing ke payload
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, processing ISA_KE payload
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, processing nonce payload
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, processing VID payload
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 0000000f)
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, constructing ke payload
dNov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, constructing nonce payload
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, constructing Cisco Unity VID payload
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, constructing xauth V6 VID payload
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, Send IOS VID
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000409)
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, constructing VID payload
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, Connection landed on tunnel_group DefaultL2LGroup
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, Generating keys for Responder...
Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
ebNov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, processing ID payload
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, processing hash payload
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, Computing hash for ISAKMP
Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, Connection landed on tunnel_group DefaultL2LGroup
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, Freeing previously allocated memory for authorization-dn-attributes
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, constructing ID payload
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, constructing hash payload
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, Computing hash for ISAKMP
Nov 01 17:27:57 [IKEv1 DEBUG]: IP = 67.151.90.170, Constructing IOS keep alive payload: proposal=32767/32767 sec.
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, constructing dpd vid payload
Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, Delete with reason code capability is negotiated
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, PHASE 1 COMPLETED
Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, Keep-alive type for this connection: IOS
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, Starting P1 rekey timer: 64800 seconds.
Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, IKE_DECODE RECEIVED Message (msgid=b491bd3d) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 172
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, processing hash payload
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, processing SA payload
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, processing nonce payload
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, processing ID payload
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, Received remote IP Proxy Subnet data in ID Payload:   Address 192.168.140.0, Mask 255.255.255.0, Protocol 0, Port 0
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, processing ID payload
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, Received local IP Proxy Subnet data in ID Payload:   Address 216.150.150.0, Mask 255.255.255.0, Protocol 0, Port 0
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, QM IsRekeyed old sa not found by addr
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, IKE Remote Peer configured for crypto map: infohedge_dynmap
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, processing IPSec SA payload
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, All IPSec SA proposals found unacceptable!
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, sending notify message
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, constructing blank hash payload
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, constructing ipsec notify payload for msg id b491bd3d
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, constructing qm hash payload
Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, IKE_DECODE SENDING Message (msgid=6a598c80) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, QM FSM error (P2 struct &0xdf56938, mess id 0xb491bd3d)!
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, IKE QM Responder FSM error history (struct &0xdf56938)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, sending delete/delete with reason message
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, Removing peer from correlator table failed, no match!
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, Could not delete route for L2L peer that came in on a dynamic map. address: 192.168.140.0, mask: 255.0.0.0
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, IKE SA MM:ee2c189c rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, IKE SA MM:ee2c189c terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, sending delete/delete with reason message
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, constructing blank hash payload
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, constructing IKE delete with reason payload
Nov 01 17:27:57 [IKEv1]: Group = DefaultL2LGroup, IP = 67.151.90.170, Sending IKE Delete With Reason message: Phase-2 Proposal Mismatch.
Nov 01 17:27:57 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = 67.151.90.170, constructing qm hash payload
Nov 01 17:27:57 [IKEv1]: IP = 67.151.90.170, IKE_DECODE SENDING Message (msgid=a8342544) with payloads : HDR + HASH (8) + DWR (129) + NONE (0) total length : 84

It _SEEMS_ like ASA does not like the IPSEC SAs that 2621 is providing. I am not sure why.


Please help.
0
Comment
Question by:alexandrainvestment
  • 7
  • 5
  • 3
  • +3
20 Comments
 
LVL 1

Expert Comment

by:ex-engineer
Comment Utility
When you do a "sho isakmp sa" on the 2621, what do you get?

And what about when you do a "sho ipsec sa"?
0
 
LVL 1

Expert Comment

by:ex-engineer
Comment Utility
Let me rephrase: sh crypto isakmp sa AND sh crypto ipsec sa.
0
 

Author Comment

by:alexandrainvestment
Comment Utility
While I am continuously generating interesting traffic, the following ISAKMP SAs are present:

IHRTR01#sho crypto isakmp sa  
dst             src             state           conn-id    slot
216.150.140.42  67.151.90.170   MM_NO_STATE           2       0   (deleted)
216.150.140.42  67.151.90.170   MM_NO_STATE           4       0   (deleted)
216.150.140.42  67.151.90.170   MM_NO_STATE           3       0   (deleted)

As soon as I stop generating interesting traffic, they eventually get deleted within approx. 1 minute

Here are the IPSEC SAs:

IHRTR01#show crypto ipsec sa

interface: Serial0/0
    Crypto map tag: ih_map, local addr. 67.151.90.170

   local  ident (addr/mask/prot/port): (192.168.140.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (216.150.150.0/255.255.255.0/0/0)
   current_peer: 216.150.140.42
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 18, #recv errors 0

     local crypto endpt.: 67.151.90.170, remote crypto endpt.: 216.150.140.42
     path mtu 1500, ip mtu 1500, ip mtu interface Serial0/0
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:
         
     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
0
 
LVL 10

Expert Comment

by:srgilani
Comment Utility

On Your ASA you have below transform set.

crypto ipsec transform-set ih_set esp-aes-256 esp-sha-hmac

On you 2621 you have below transform set.

crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac

If you 2621 router support aes-256 then modify your 2621 transform as below

crypto ipsec transform-set vpn1 esp-aes-256 esp-sha-hmac

Also make below changes on 2621.

crypto isakmp policy 10
encr aes-256
authentication pre-share
group 2
crypto isakmp key <removed> address <address of the ASA>


If you router doesn't support aes-256 encryption then on your ASA transform set add 3des as well.

0
 

Author Comment

by:alexandrainvestment
Comment Utility
I added the 3DES transport set and now my ASA config contains the following:

crypto ipsec transform-set ih_set esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ih_3des_set esp-3des esp-sha-hmac
crypto dynamic-map ih_dynmap 50 set transform-set ih_set
crypto dynamic-map ih_dynmap 60 set transform-set ih_3des_set
crypto map ih_map 20 ipsec-isakmp dynamic ih_dynmap
crypto map ih_map interface outside

However, the tunnel still does not come up and error messages in the logs are EXACTLY the same as before (on both 2621 and the ASA)
0
 
LVL 5

Expert Comment

by:renill
Comment Utility
I think this is something related to DPD. Place this command in the router 2621

crypto isakmp keepalive 30 20 periodic

ref:http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_7/gtdpmo.htm

renill

0
 

Author Comment

by:alexandrainvestment
Comment Utility
The router did not accept the "periodic" command, so I just added it as "crypto isakmp keepalive 30 20". Besides, I do not think the issue has to do with DPD because the tunnel never gets established in the first place.

In any event, the command did not make any difference. The tunnel still does not come up and the error messages are exactly the same.
0
 
LVL 5

Expert Comment

by:renill
Comment Utility
for this option you need to havr atleast 12.3(T) ios in the router..

renill
0
 
LVL 3

Expert Comment

by:tang_tzuchi
Comment Utility
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 

Author Comment

by:alexandrainvestment
Comment Utility
renilll - unfortunately I cant run 12.3 as the 2621 only has 48MB of RAM and 12.3 crypto image needs 64MB
0
 

Author Comment

by:alexandrainvestment
Comment Utility
tang - thank you for pointing me to the "ASA 5500 Series Quick Start guide". Please note that my ASA is already rack mounted, cables are connected to it, IP addresses are assigned, etc. I think we are well beyond the quick start. I have read many documents on Cisco web site and everything seems to be configured according to them. There is a particular issue and I am having and I am looking for a particular advice on how to solve it.
0
 
LVL 1

Expert Comment

by:ex-engineer
Comment Utility
Alex:

It seems that your phase 1 isakmp negotiation never yields a successful SA. So, perhaps you should start there. Troubleshoot the isakmp phase 1 part first.

Are the isakmp keys the same on both sides? No typos?

0
 

Author Comment

by:alexandrainvestment
Comment Utility
Checked and retyped everything (including the iksakmp key) many times. No luck. Can you tell me how to further troubleshoot phase 1 given the configuration I posted above?
0
 
LVL 1

Expert Comment

by:ex-engineer
Comment Utility
Alex:

I am going to take back what I said. I should have had my first cup of coffee before opening my mouth. :-)

It seems that the phase 1 negotiation IS successful AT FIRST. It does go into QM_Idle mode on both sides. But something goes wrong right after that.

I did see that you added a new IPSec transform set to your dynamic map and it does seem like you applied it correctly. Although, i would double check that.

But honestly, if you have a support contract with Cisco, just open a TAC case and be done with it. I don't want to waste your time irresponsibly. Their VPN engineers see this stuff all day, everyday. That's all they do. So, let them take a crack at it. I think you have troubleshot this intelligently and logically. Obviously, there is something we're missing.
0
 

Author Comment

by:alexandrainvestment
Comment Utility
After much pain and suffering, I was able to resolve the issue myself with a help of a TAC engineer. The problem was that all Cisco VPN devices (such as PIX, ASA, IOS routers, etc) ignore multiple transform set statements unless they are located on the same line. Example:

Incorrect configuration:

crypto ipsec transform-set ih_set esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ih_3des_set esp-3des esp-sha-hmac
!
crypto dynamic-map ih_dynmap 50 set transform-set ih_set
crypto dynamic-map ih_dynmap 60 set transform-set ih_3des_set
!
crypto map ih_map 20 ipsec-isakmp dynamic ih_dynmap
crypto map ih_map interface outside


Correct configuration:

crypto ipsec transform-set ih_set esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ih_3des_set esp-3des esp-sha-hmac
!
crypto dynamic-map ih_dynmap 50 set transform-set ih_set ih_3des_set
!
crypto map ih_map 20 ipsec-isakmp dynamic ih_dynmap
crypto map ih_map interface outside

0
 
LVL 1

Expert Comment

by:ex-engineer
Comment Utility
Great work, Alex! I was suspicious about the way you applied the second transform set, which is why I suggested that you "double check" the manner in which you applied them.

"I did see that you added a new IPSec transform set to your dynamic map and it does seem like you applied it correctly. Although, i would double check that."
0
 
LVL 10

Expert Comment

by:srgilani
Comment Utility
alex, sorry i was unable to come on site after my first post and its good to see that your problem resolve.
You can define multiple transform set, but you can't define multiple crypto maps.
 
0
 
LVL 5

Expert Comment

by:renill
Comment Utility
cheers !!!!!!!!!!
0
 
LVL 1

Accepted Solution

by:
Computer101 earned 0 total points
Comment Utility
PAQed with no points refunded (of 500)

Computer101
EE Admin
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Join & Write a Comment

Suggested Solutions

This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now