Solved

No IKE (ISAKMP) Message Exchange Between Huawei Eudemon 200 and Cisco ASA 5520

Posted on 2010-08-13
4
2,589 Views
Last Modified: 2013-11-05
The requirement to secure the traffic is to establish L2L (Site-to-Site) IPSec VPN between Huawei Eudemon 200 and Cisco ASA 5520. Both outside interfaces of these 2 firewalls are reachable and the configuration is done on both ends with the mirrored ACLs on the firewalls. I turn on the debug on both firewalls but there is no any negotiation message for phase 1 between them, neither on Huawei Eudemon 200 nor on Cisco ASA 5522.

Debugging commands On Huawei Eudemon 200:
info-center enable
debugging ike all
terminal debugging
terminal monitor


Debugging commands On Cisco ASA 5520:
debug crypto isakmp 127

I am wonder what are the main reasons behind the fact that there is any single phase I negotiation message exchanged between both firewalls. I appreciate your suggestions to have these 2 firewalls negotiate successfully for Phase I. Why I cannot see any message related to Phase I negotiation between Huawei firewall and Cisco ASA?

Note: I have tried to reset/clear SA but there is no hope to see the negotiation message among them neither from Eudemon 200 nor from Cisco ASA 5520.
0
Comment
Question by:tballah
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 33439921
Can you post configs?  My guess is there's a mismatch in the default ISAKMP parameters, such as the DH group.
0
 
LVL 9

Expert Comment

by:gavving
ID: 33442170
Have you attempted to create interesting traffic which would trigger the tunnels to come up?  On the Cisco ASA it will not bring the tunnel up until it sees traffic that requires the tunnel.  

Assuming that the inside interface of the ASA is in the netblock you've got configured in the VPN ACL you should be able to do this by doing:

management-access inside
ping inside 10.x.x.x

Where 10.x.x.x is an IP number on the other side of the tunnel.  If you've got the crypto map applied correctly then you should see some debug output.

0
 
LVL 1

Author Comment

by:tballah
ID: 33464181
@jmeggers: DH group 2 is used
@gavving: I tried to trigger the traffic to let the tunnel up. What I observed is that there is no hit on my ACL.

I'm sorry for being late to respond as I check my email and access to EE not quite often. Please refer to the attachment for the configuration on Eudemon 200. Do you still need to see also configuration from Cisco ASA 5520? If so I will need to ask the guy in charge to share me his configuration. I do debugging on ISAKMP but there is any message complaining about any error related to Phase I negotiation. The traffic that I simulate is from Trust to Trust. From Eudemon 200 it can reach 10.30.105.20 normally.
IPSec-Erbil20100809.TXT
0
 
LVL 1

Accepted Solution

by:
tballah earned 0 total points
ID: 33589081
The problem is resolved, and the tunnel can be up after simulating ICMP traffic. The correct configuration on outgoing interface should look like to disable fast-forwarding on both incoming and outgoing interface:

interface Ethernet0/0/1
 ip address 10.30.30.12 255.255.255.224
 undo ip fast-forwarding qff
 undo ip fast-forwarding output
 vrrp vrid 3 virtual-ip 10.30.30.18
 ipsec policy poltbibank

Please close this question
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Trouble with VPN DENY rules on sonicwall 1 55
unable to create the folder new folder too many files opened for sharing 3 386
VPN problems 4 90
SSL-VPN Solution 8 36
I've had to do a bit of research to setup my VPN connection so that Clients can access Windows Server 2008 network shares.  I have a Cisco ASA 5510 firewall.  I found an article which was extremely useful: It had a solution if you use ASDM to config…
Using Windows 2008 RRAS, I was able to successfully VPN into the network, but I was having problems restricting my test user from accessing certain things on the network.  I used Google in order to try to find out how to stop people from accessing c…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question