Solved

Dynamic IPsec tunnel failing between ASA5505 and Westell 9100EM (Verizon FiOs)

Posted on 2013-01-18
Last Modified: 2013-01-21
ASA 5505 has a static IP - scrubbed config uploaded. Westell 9100EM has a dynamic IP. Not sure what I'm missing.
asa-static-scrubbed.txt
asa-ipsec-debug.txt
westell-dyn.ip.png
Question by:mhdcommunications
9 Comments
 
LVL 16

Expert Comment

by:max_the_king
ID: 38793694
Hi,
try and deselect "USE Perfect Forward Secrecy (PFS)" from westell

hope this helps
max
 
LVL 18

Expert Comment

by:fgasimzade
ID: 38793795
You are missing an outside access list to permit traffic from the 20.0 subnet to 10.0

I would suggest adding

sysopt connection permit-vpn

or configure access list

access-list inbound extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

Also disable perfect forward secrecy as was suggested earlier
 
LVL 1

Author Comment

by:mhdcommunications
ID: 38794105
I did that (disabled PFS + added sysopt connection permit-vpn + access-list), and it's getting further, but I'm still having an issue:

Jan 18 16:13:01 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 200
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing SA payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Oakley proposal is acceptable
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Received DPD VID
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Received NAT-Traversal RFC VID
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Received NAT-Traversal ver 03 VID
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Received NAT-Traversal ver 02 VID
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing IKE SA payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, IKE SA Proposal # 1, Transform # 0 acceptable  Matches global IKE entry # 2
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing ISAKMP SA payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing NAT-Traversal VID ver 02 payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing Fragmentation VID + extended capabilities payload
Jan 18 16:13:01 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 220
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing ke payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing ISA_KE payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing nonce payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing NAT-Discovery payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, computing NAT Discovery hash
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing NAT-Discovery payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, computing NAT Discovery hash
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing ke payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing nonce payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing Cisco Unity VID payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing xauth V6 VID payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Send IOS VID
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing VID payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing NAT-Discovery payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, computing NAT Discovery hash
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing NAT-Discovery payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, computing NAT Discovery hash
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, Connection landed on tunnel_group DefaultL2LGroup
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Generating keys for Responder...
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing ID payload
Jan 18 16:13:02 [IKEv1 DECODE]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, ID_IPV4_ADDR ID received
westell.dynamic.ip.xx
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing hash payload
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Computing hash for ISAKMP
Jan 18 16:13:02 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, Connection landed on tunnel_group DefaultL2LGroup
Jan 18 16:13:02 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Freeing previously allocated memory for authorization-dn-attributes
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing ID payload
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing hash payload
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Computing hash for ISAKMP
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing dpd vid payload
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 80
Jan 18 16:13:02 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, PHASE 1 COMPLETED
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, Keep-alive type for this connection: DPD
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Starting P1 rekey timer: 21600 seconds.
Jan 18 16:13:03 [IKEv1 DECODE]: IP = westell.dynamic.ip.xx, IKE Responder starting QM: msg id = 8f1dec92
Jan 18 16:13:03 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE RECEIVED Message (msgid=8f1dec92) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 148
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing hash payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing SA payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing nonce payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing ID payload
Jan 18 16:13:03 [IKEv1 DECODE]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, ID_IPV4_ADDR_SUBNET ID received--192.168.20.0--255.255.255.0
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Received remote IP Proxy Subnet data in ID Payload:   Address 192.168.20.0, Mask 255.255.255.0, Protocol 0, Port 0
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing ID payload
Jan 18 16:13:03 [IKEv1 DECODE]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, ID_IPV4_ADDR_SUBNET ID received--192.168.10.0--255.255.255.0
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Received local IP Proxy Subnet data in ID Payload:   Address 192.168.10.0, Mask 255.255.255.0, Protocol 0, Port 0
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, QM IsRekeyed old sa not found by addr
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.20.0/255.255.255.0/0/0 local proxy 192.168.10.0/255.255.255.0/0/0 on interface outside
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, sending notify message
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing blank hash payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing qm hash payload
Jan 18 16:13:03 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE SENDING Message (msgid=e07cb57d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 196
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, QM FSM error (P2 struct &0x3a1bcc0, mess id 0x8f1dec92)!
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, IKE QM Responder FSM error history (struct &0x3a1bcc0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, sending delete/delete with reason message
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Removing peer from correlator table failed, no match!
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, IKE SA MM:e1444b7b rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, IKE SA MM:e1444b7b terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, sending delete/delete with reason message
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing blank hash payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing IKE delete payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing qm hash payload
Jan 18 16:13:03 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE SENDING Message (msgid=a044cf87) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Jan 18 16:13:03 [IKEv1]: IP = westell.dynamic.ip.xx, Received encrypted packet with no matching SA, dropping
 
LVL 16

Expert Comment

by:max_the_king
ID: 38794159
hi,

you need to exempt nat from tunnel:

access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

nat (inside) 0 access-list nonat

max
 
LVL 1

Author Comment

by:mhdcommunications
ID: 38794393
I exempted NAT from tunnel, still failing with same error:
Jan 18 17:25:39 [IKEv1]: IP = westell.dynamic.ip.xx, Received encrypted packet with no matching SA, dropping
Is the dynamic part of the tunnel configured incorrectly? Running 'show crypto ipsec sa' gives me 'There are no ipsec sas'.
 
LVL 16

Accepted Solution

by:max_the_king (earned 500 total points)
ID: 38801686
hi,
you need to add the following:

no crypto dynamic-map mymap 1 set reverse-route
crypto dynamic-map dynmap 30 set transform-set dyn-map
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

hope this helps
max
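The accepted answer works because a peer whose address is unknown cannot match a static crypto map entry; it has to fall through to a dynamic crypto map bound to the outside interface, with NAT exemption and a permit for the decrypted traffic in place as well. As an added example (not the thread's own code), this Python check walks an ASA config and reports which link of that chain is missing. The config fragment is constructed from the commands posted in this thread (pre-8.3 NAT syntax, as used here); the transform-set ciphers are an assumption, since the thread never shows them.

```python
import re

# Constructed ASA config fragment assembled from the commands posted in this thread
# (mymap, dynmap, dyn-map and nonat are the thread's names; the transform-set
# ciphers are an assumption, the thread never shows them).
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-vpn
crypto ipsec transform-set dyn-map esp-aes esp-sha-hmac
crypto dynamic-map dynmap 30 set transform-set dyn-map
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
"""

def check_dynamic_peer_config(config, interface, local_net, remote_net):
    """Return the list of gaps that would make the ASA log 'no matching crypto map
    entry' for a dynamic-IP peer; an empty list means the chain is complete."""
    lines = config.splitlines()
    findings = []
    # 1. a crypto map must be bound to the interface the peer arrives on
    bound = [m.group(1) for ln in lines
             if (m := re.match(rf"crypto map (\S+) interface {interface}$", ln))]
    if not bound:
        findings.append(f"no crypto map bound to interface {interface}")
    # 2. that map needs a dynamic entry: a static entry names a peer IP, which is unknown here
    dyn = [m.group(1) for ln in lines for name in bound
           if (m := re.match(rf"crypto map {name} \d+ ipsec-isakmp dynamic (\S+)", ln))]
    if bound and not dyn:
        findings.append(f"crypto map {bound[0]} has no dynamic entry")
    # 3. the dynamic map must set a transform-set that is actually defined
    for d in dyn:
        sets = [m.group(1) for ln in lines
                if (m := re.match(rf"crypto dynamic-map {d} \d+ set transform-set (\S+)", ln))]
        if not sets:
            findings.append(f"dynamic map {d} sets no transform-set")
        for t in sets:
            if not any(ln.startswith(f"crypto ipsec transform-set {t} ") for ln in lines):
                findings.append(f"transform-set {t} is referenced but not defined")
    # 4. tunnel traffic must be exempted from NAT or the proxies will never match
    nonat = re.search(r"^nat \(inside\) 0 access-list (\S+)", config, re.M)
    rule = f"access-list {nonat.group(1)} extended permit ip {local_net} {remote_net}" if nonat else None
    if rule is None or rule not in lines:
        findings.append(f"no NAT exemption for {local_net} -> {remote_net}")
    # 5. decrypted traffic must be allowed past the outside interface ACL
    if "sysopt connection permit-vpn" not in lines:
        findings.append("sysopt connection permit-vpn absent; the outside ACL must permit the tunnel traffic")
    return findings
```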
 
LVL 1

Author Closing Comment

by:mhdcommunications
ID: 38804236
Copy + paste --- tunnel immediately came up. Genius. Thanks.