Solved

Dynamic IPsec tunnel failing between ASA5505 and Westell 9100EM (Verizon FiOs)

Posted on 2013-01-18
9
877 Views
Last Modified: 2013-01-21
ASA 5505 has a static IP - scrubbed config uploaded. Westell 9100EM has a dynamic IP. Not sure what I'm missing.
asa-static-scrubbed.txt
asa-ipsec-debug.txt
westell-dyn.ip.png
0
Question by:mhdcommunications
9 Comments
 
LVL 15

Expert Comment

by:max_the_king
Hi,
try and deselect "USE Perfect Forward Secrecy (PFS)" from westell

hope this helps
max
0
 
LVL 18

Expert Comment

by:fgasimzade
You are missing an outside access list to permit traffic from the 20.0 subnet to 10.0.

I would suggest adding

sysopt connection permit-vpn

or configure access list

access-list inbound extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

Also disable perfect forward secrecy as was suggested earlier
0
 
LVL 1

Author Comment

by:mhdcommunications
I did that (disabled PFS + added sysopt connection permit-vpn + access-list), and it's getting further, but I'm still having an issue:

Jan 18 16:13:01 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 200
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing SA payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Oakley proposal is acceptable
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Received DPD VID
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Received NAT-Traversal RFC VID
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Received NAT-Traversal ver 03 VID
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Received NAT-Traversal ver 02 VID
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing IKE SA payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, IKE SA Proposal # 1, Transform # 0 acceptable  Matches global IKE entry # 2
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing ISAKMP SA payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing NAT-Traversal VID ver 02 payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing Fragmentation VID + extended capabilities payload
Jan 18 16:13:01 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 220
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing ke payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing ISA_KE payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing nonce payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing NAT-Discovery payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, computing NAT Discovery hash
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing NAT-Discovery payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, computing NAT Discovery hash
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing ke payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing nonce payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing Cisco Unity VID payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing xauth V6 VID payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Send IOS VID
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing VID payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing NAT-Discovery payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, computing NAT Discovery hash
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing NAT-Discovery payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, computing NAT Discovery hash
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, Connection landed on tunnel_group DefaultL2LGroup
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Generating keys for Responder...
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing ID payload
Jan 18 16:13:02 [IKEv1 DECODE]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, ID_IPV4_ADDR ID received
westell.dynamic.ip.xx
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing hash payload
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Computing hash for ISAKMP
Jan 18 16:13:02 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, Connection landed on tunnel_group DefaultL2LGroup
Jan 18 16:13:02 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Freeing previously allocated memory for authorization-dn-attributes
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing ID payload
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing hash payload
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Computing hash for ISAKMP
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing dpd vid payload
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 80
Jan 18 16:13:02 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, PHASE 1 COMPLETED
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, Keep-alive type for this connection: DPD
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Starting P1 rekey timer: 21600 seconds.
Jan 18 16:13:03 [IKEv1 DECODE]: IP = westell.dynamic.ip.xx, IKE Responder starting QM: msg id = 8f1dec92
Jan 18 16:13:03 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE RECEIVED Message (msgid=8f1dec92) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 148
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing hash payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing SA payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing nonce payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing ID payload
Jan 18 16:13:03 [IKEv1 DECODE]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, ID_IPV4_ADDR_SUBNET ID received--192.168.20.0--255.255.255.0
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Received remote IP Proxy Subnet data in ID Payload:   Address 192.168.20.0, Mask 255.255.255.0, Protocol 0, Port 0
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing ID payload
Jan 18 16:13:03 [IKEv1 DECODE]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, ID_IPV4_ADDR_SUBNET ID received--192.168.10.0--255.255.255.0
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Received local IP Proxy Subnet data in ID Payload:   Address 192.168.10.0, Mask 255.255.255.0, Protocol 0, Port 0
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, QM IsRekeyed old sa not found by addr
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.20.0/255.255.255.0/0/0 local proxy 192.168.10.0/255.255.255.0/0/0 on interface outside
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, sending notify message
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing blank hash payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing qm hash payload
Jan 18 16:13:03 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE SENDING Message (msgid=e07cb57d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 196
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, QM FSM error (P2 struct &0x3a1bcc0, mess id 0x8f1dec92)!
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, IKE QM Responder FSM error history (struct &0x3a1bcc0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, sending delete/delete with reason message
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Removing peer from correlator table failed, no match!
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, IKE SA MM:e1444b7b rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, IKE SA MM:e1444b7b terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, sending delete/delete with reason message
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing blank hash payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing IKE delete payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing qm hash payload
Jan 18 16:13:03 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE SENDING Message (msgid=a044cf87) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Jan 18 16:13:03 [IKEv1]: IP = westell.dynamic.ip.xx, Received encrypted packet with no matching SA, dropping
0
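The debug above can be read mechanically. What follows is an added example, not code from this thread or from Cisco: a small Python triage script run over constructed IKEv1 debug lines of the same shape as those posted (the peer address 203.0.113.10 is a documentation-range placeholder; the proxy subnets are the ones from the thread). It records how far the negotiation got (phase 1, NAT detection, the quick-mode proxy IDs) and pulls out the rejection reason, which in this log points at the crypto map on the outside interface rather than at the ACLs or the NAT exemption. The mapping in next_check from a rejection reason to a configuration area is this example's own reading of the thread, not ASA output.

```python
import re

# Constructed sample modelled on the "debug crypto isakmp" lines posted above.
# 203.0.113.10 is a documentation-range placeholder for the peer address.
SAMPLE_DEBUG = """\
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = 203.0.113.10, IKE SA Proposal # 1, Transform # 0 acceptable  Matches global IKE entry # 2
Jan 18 16:13:02 [IKEv1]: IP = 203.0.113.10, Connection landed on tunnel_group DefaultL2LGroup
Jan 18 16:13:02 [IKEv1]: Group = DefaultL2LGroup, IP = 203.0.113.10, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Jan 18 16:13:02 [IKEv1]: Group = DefaultL2LGroup, IP = 203.0.113.10, PHASE 1 COMPLETED
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = 203.0.113.10, Received remote IP Proxy Subnet data in ID Payload:   Address 192.168.20.0, Mask 255.255.255.0, Protocol 0, Port 0
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = 203.0.113.10, Received local IP Proxy Subnet data in ID Payload:   Address 192.168.10.0, Mask 255.255.255.0, Protocol 0, Port 0
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = 203.0.113.10, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.20.0/255.255.255.0/0/0 local proxy 192.168.10.0/255.255.255.0/0/0 on interface outside
Jan 18 16:13:03 [IKEv1]: IP = 203.0.113.10, Received encrypted packet with no matching SA, dropping
"""

PEER_RE = re.compile(r"IP = ([\d.]+),")
GROUP_RE = re.compile(r"landed on tunnel_group (\S+)")
PROXY_RE = re.compile(
    r"Received (remote|local) IP Proxy Subnet data in ID Payload:\s+"
    r"Address ([\d.]+), Mask ([\d.]+)")
REJECT_RE = re.compile(r"Rejecting IPSec tunnel: (.+?) on interface (\S+)")


def triage_ikev1(debug_text):
    """Walk ASA IKEv1 debug output and report how far the L2L negotiation got."""
    r = {"peer": None, "tunnel_group": None, "nat_detected": None,
         "phase1": False, "remote_proxy": None, "local_proxy": None,
         "reject_reason": None, "stage": "no IKE exchange seen"}
    for line in debug_text.splitlines():
        m = PEER_RE.search(line)
        if m and r["peer"] is None:
            r["peer"] = m.group(1)
        m = GROUP_RE.search(line)
        if m:
            r["tunnel_group"] = m.group(1)
        if "Automatic NAT Detection Status" in line:
            # The ASA prints "is NOT behind" for each end; "is behind" appears
            # only when a NAT device was detected and NAT-T will be used.
            r["nat_detected"] = "is behind a NAT device" in line
        if "PHASE 1 COMPLETED" in line:
            r["phase1"] = True
            r["stage"] = "phase 1 complete; waiting for quick mode"
        m = PROXY_RE.search(line)
        if m:
            side, addr, mask = m.groups()
            r[side + "_proxy"] = addr + "/" + mask
            r["stage"] = "quick mode proposal received"
        m = REJECT_RE.search(line)
        if m:
            r["reject_reason"] = m.group(1)
            r["stage"] = "phase 2 rejected on interface " + m.group(2)
    return r


def next_check(r):
    """Map the triage result to the configuration area to look at first."""
    if not r["phase1"]:
        return "phase 1: pre-shared key, IKE policy (including PFS/DH group) and tunnel-group"
    if r["reject_reason"] and "no matching crypto map entry" in r["reject_reason"]:
        return ("phase 2: no crypto map entry on the interface covers "
                f"{r['local_proxy']} <-> {r['remote_proxy']}; a peer with a dynamic "
                "address needs a dynamic crypto map bound to the static map")
    if r["reject_reason"]:
        return "phase 2: " + r["reject_reason"]
    return "phase 2 not rejected; check NAT exemption and the outside access list"


if __name__ == "__main__":
    summary = triage_ikev1(SAMPLE_DEBUG)
    for key, value in summary.items():
        print(f"{key:14} {value}")
    print("next check:", next_check(summary))
```

Run it against a saved "debug crypto isakmp 127" capture instead of SAMPLE_DEBUG; the "Received encrypted packet with no matching SA" line at the end is a consequence of the rejection, not the cause, which is why the script keys on the Rejecting line.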
 
LVL 15

Expert Comment

by:max_the_king
hi,

you need to exempt nat from tunnel:

access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

nat (inside) 0 access-list nonat

max
0
 
LVL 1

Author Comment

by:mhdcommunications
I exempted NAT from tunnel, still failing with same error:
Jan 18 17:25:39 [IKEv1]: IP = westell.dynamic.ip.xx, Received encrypted packet with no matching SA, dropping
Is the dynamic part of the tunnel configured incorrectly? Running 'show crypto ipsec sa' gives me 'There are no ipsec sas'.
0
 
LVL 15

Accepted Solution

by:max_the_king (earned 500 total points)
hi,
you need to add the following:

no crypto dynamic-map mymap 1 set reverse-route
crypto dynamic-map dynmap 30 set transform-set dyn-map
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

hope this helps
max
0
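As an added example (not the thread's own configuration and not a Cisco tool), the following Python check pulls apart a constructed ASA 8.2-style configuration fragment containing the pieces discussed in this thread, using the object names from the accepted answer (mymap, dynmap, dyn-map, nonat; the transform-set contents and the "inbound" ACL are assumptions), and reports which pieces are missing for a peer whose address is not known in advance: a crypto map applied to the outside interface, an ipsec-isakmp dynamic entry in that map, a transform-set on the dynamic map, sysopt connection permit-vpn, and the NAT exemption. The BEFORE fragment reproduces the failing state earlier in the thread, where everything except the dynamic crypto map entry was in place.

```python
import re

# Constructed ASA configuration fragments (not the poster's scrubbed config).
# Object names follow the accepted answer: mymap, dynmap, dyn-map, nonat.
LOCAL = "192.168.10.0 255.255.255.0"
REMOTE = "192.168.20.0 255.255.255.0"

# State from earlier in the thread: ACLs, NAT exemption and sysopt are in
# place, but the crypto map on "outside" has no dynamic entry.
BEFORE = f"""\
access-list inbound extended permit ip {REMOTE} {LOCAL}
access-list nonat extended permit ip {LOCAL} {REMOTE}
nat (inside) 0 access-list nonat
sysopt connection permit-vpn
crypto ipsec transform-set dyn-map esp-aes-256 esp-sha-hmac
crypto map mymap interface outside
"""

# State after the accepted answer: a dynamic map with a transform-set, bound
# to the static map at the highest sequence number so static entries win.
AFTER = BEFORE + """\
crypto dynamic-map dynmap 30 set transform-set dyn-map
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
"""


def _line_re(pattern):
    """Compile a pattern that must match one whole configuration line."""
    return re.compile("^" + pattern + r"\s*$", re.M)


def _acl_permits_ip(config, acl, src, dst):
    pat = _line_re(rf"access-list {re.escape(acl)} extended permit ip "
                   rf"{re.escape(src)} {re.escape(dst)}")
    return pat.search(config) is not None


def dynamic_l2l_gaps(config, local, remote, interface="outside"):
    """Return the configuration pieces missing for a dynamic-IP L2L peer."""
    gaps = []
    m = _line_re(rf"crypto map (\S+) interface {re.escape(interface)}").search(config)
    if m is None:
        return [f"no crypto map applied to interface {interface}"]
    cmap = m.group(1)
    dyn_maps = _line_re(
        rf"crypto map {re.escape(cmap)} \d+ ipsec-isakmp dynamic (\S+)").findall(config)
    if not dyn_maps:
        gaps.append(f"crypto map {cmap} has no 'ipsec-isakmp dynamic' entry, so a peer "
                    "whose address is not in a static entry matches nothing")
    for d in dyn_maps:
        if _line_re(rf"crypto dynamic-map {re.escape(d)} \d+ set transform-set \S+").search(config) is None:
            gaps.append(f"dynamic-map {d} has no transform-set")
    if "sysopt connection permit-vpn" not in config.splitlines():
        gaps.append("decrypted traffic not exempt from the outside ACL: "
                    "add sysopt connection permit-vpn or permit it explicitly")
    m = _line_re(r"nat \(inside\) 0 access-list (\S+)").search(config)
    if m is None or not _acl_permits_ip(config, m.group(1), local, remote):
        gaps.append(f"no NAT exemption for {local} -> {remote}")
    return gaps


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, dynamic_l2l_gaps(cfg, LOCAL, REMOTE) or ["nothing missing"])
```

The check only looks at the pieces this thread touched; a real review would also compare the transform-set and IKE policy against what the Westell side offers, and remember that a dynamic crypto map entry lets the ASA act only as responder, so the remote end must initiate.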
 
LVL 1

Author Closing Comment

by:mhdcommunications
copy + paste --- tunnel immediately came up. Genius. Thanks.
0
