Dynamic IPsec tunnel failing between ASA5505 and Westell 9100EM (Verizon FiOs)

Posted on 2013-01-18
Medium Priority
890 Views
Last Modified: 2013-01-21
ASA 5505 has a static IP; scrubbed config uploaded. Westell 9100EM has a dynamic IP. Not sure what I'm missing.
asa-static-scrubbed.txt
asa-ipsec-debug.txt
westell-dyn.ip.png
Question by:mhdcommunications
9 Comments
 
LVL 17

Expert Comment

by:max_the_king
ID: 38793694
Hi,
try and deselect "USE Perfect Forward Secrecy (PFS)" from westell

hope this helps
max
 
LVL 18

Expert Comment

by:fgasimzade
ID: 38793795
You're missing an outside access list to permit traffic from the 20.0 subnet to 10.0.

I would suggest adding

sysopt connection permit-vpn

or configure access list

access-list inbound extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

Also disable perfect forward secrecy as was suggested earlier
 
LVL 1

Author Comment

by:mhdcommunications
ID: 38794105
I did that (disabled PFS, added sysopt connection permit-vpn and the access-list), and it's getting further, but I'm still having an issue:

Jan 18 16:13:01 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 200
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing SA payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Oakley proposal is acceptable
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Received DPD VID
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Received NAT-Traversal RFC VID
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Received NAT-Traversal ver 03 VID
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Received NAT-Traversal ver 02 VID
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing IKE SA payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, IKE SA Proposal # 1, Transform # 0 acceptable  Matches global IKE entry # 2
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing ISAKMP SA payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing NAT-Traversal VID ver 02 payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing Fragmentation VID + extended capabilities payload
Jan 18 16:13:01 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 220
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing ke payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing ISA_KE payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing nonce payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing NAT-Discovery payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, computing NAT Discovery hash
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing NAT-Discovery payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, computing NAT Discovery hash
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing ke payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing nonce payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing Cisco Unity VID payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing xauth V6 VID payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Send IOS VID
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing VID payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing NAT-Discovery payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, computing NAT Discovery hash
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing NAT-Discovery payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, computing NAT Discovery hash
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, Connection landed on tunnel_group DefaultL2LGroup
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Generating keys for Responder...
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing ID payload
Jan 18 16:13:02 [IKEv1 DECODE]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, ID_IPV4_ADDR ID received
westell.dynamic.ip.xx
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing hash payload
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Computing hash for ISAKMP
Jan 18 16:13:02 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, Connection landed on tunnel_group DefaultL2LGroup
Jan 18 16:13:02 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Freeing previously allocated memory for authorization-dn-attributes
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing ID payload
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing hash payload
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Computing hash for ISAKMP
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing dpd vid payload
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 80
Jan 18 16:13:02 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, PHASE 1 COMPLETED
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, Keep-alive type for this connection: DPD
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Starting P1 rekey timer: 21600 seconds.
Jan 18 16:13:03 [IKEv1 DECODE]: IP = westell.dynamic.ip.xx, IKE Responder starting QM: msg id = 8f1dec92
Jan 18 16:13:03 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE RECEIVED Message (msgid=8f1dec92) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 148
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing hash payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing SA payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing nonce payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing ID payload
Jan 18 16:13:03 [IKEv1 DECODE]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, ID_IPV4_ADDR_SUBNET ID received--192.168.20.0--255.255.255.0
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Received remote IP Proxy Subnet data in ID Payload:   Address 192.168.20.0, Mask 255.255.255.0, Protocol 0, Port 0
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing ID payload
Jan 18 16:13:03 [IKEv1 DECODE]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, ID_IPV4_ADDR_SUBNET ID received--192.168.10.0--255.255.255.0
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Received local IP Proxy Subnet data in ID Payload:   Address 192.168.10.0, Mask 255.255.255.0, Protocol 0, Port 0
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, QM IsRekeyed old sa not found by addr
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.20.0/255.255.255.0/0/0 local proxy 192.168.10.0/255.255.255.0/0/0 on interface outside
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, sending notify message
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing blank hash payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing qm hash payload
Jan 18 16:13:03 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE SENDING Message (msgid=e07cb57d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 196
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, QM FSM error (P2 struct &0x3a1bcc0, mess id 0x8f1dec92)!
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, IKE QM Responder FSM error history (struct &0x3a1bcc0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, sending delete/delete with reason message
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Removing peer from correlator table failed, no match!
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, IKE SA MM:e1444b7b rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, IKE SA MM:e1444b7b terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, sending delete/delete with reason message
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing blank hash payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing IKE delete payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing qm hash payload
Jan 18 16:13:03 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE SENDING Message (msgid=a044cf87) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Jan 18 16:13:03 [IKEv1]: IP = westell.dynamic.ip.xx, Received encrypted packet with no matching SA, dropping
 
LVL 17

Expert Comment

by:max_the_king
ID: 38794159
hi,

you need to exempt nat from tunnel:

access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

nat (inside) 0 access-list nonat

max
 
LVL 1

Author Comment

by:mhdcommunications
ID: 38794393
I exempted NAT from the tunnel; still failing with the same error:
Jan 18 17:25:39 [IKEv1]: IP = westell.dynamic.ip.xx, Received encrypted packet with no matching SA, dropping
Is the dynamic part of the tunnel configured incorrectly? Running 'show crypto ipsec sa' gives me 'There are no ipsec sas'.
 
LVL 17

Accepted Solution

by: max_the_king (earned 2000 total points)
ID: 38801686
hi,
you need to add the following:

no crypto dynamic-map mymap 1 set reverse-route
crypto dynamic-map dynmap 30 set transform-set dyn-map
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

hope this helps
max
 
LVL 1

Author Closing Comment

by:mhdcommunications
ID: 38804236
copy + paste --- tunnel immediately came up. Genius. Thanks.
