Solved

Dynamic IPsec tunnel failing between ASA5505 and Westell 9100EM (Verizon FiOS)

Posted on 2013-01-18
Last Modified: 2013-01-21
ASA 5505 has a static IP - scrubbed config uploaded. Westell 9100EM has a dynamic IP. Not sure what I'm missing.
asa-static-scrubbed.txt
asa-ipsec-debug.txt
westell-dyn.ip.png
Question by:mhdcommunications

Expert Comment

by:max_the_king
ID: 38793694
Hi,
try and deselect "USE Perfect Forward Secrecy (PFS)" from westell

hope this helps
max

Expert Comment

by:fgasimzade
ID: 38793795
You are missing an outside access list to permit traffic from the 20.0 subnet to 10.0.

I would suggest adding

sysopt connection permit-vpn

or configure access list

access-list inbound extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0

Also disable perfect forward secrecy as was suggested earlier

Author Comment

by:mhdcommunications
ID: 38794105
I did that (disable PFS + added sysopt connection permit-vpn + access-list), and it's getting further, but I'm still having an issue:

Jan 18 16:13:01 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 200
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing SA payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Oakley proposal is acceptable
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Received DPD VID
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Received NAT-Traversal RFC VID
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Received NAT-Traversal ver 03 VID
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Received NAT-Traversal ver 02 VID
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing VID payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing IKE SA payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, IKE SA Proposal # 1, Transform # 0 acceptable  Matches global IKE entry # 2
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing ISAKMP SA payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing NAT-Traversal VID ver 02 payload
Jan 18 16:13:01 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing Fragmentation VID + extended capabilities payload
Jan 18 16:13:01 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 220
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing ke payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing ISA_KE payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing nonce payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing NAT-Discovery payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, computing NAT Discovery hash
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, processing NAT-Discovery payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, computing NAT Discovery hash
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing ke payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing nonce payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing Cisco Unity VID payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing xauth V6 VID payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Send IOS VID
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing VID payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing NAT-Discovery payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, computing NAT Discovery hash
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, constructing NAT-Discovery payload
Jan 18 16:13:02 [IKEv1 DEBUG]: IP = westell.dynamic.ip.xx, computing NAT Discovery hash
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, Connection landed on tunnel_group DefaultL2LGroup
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Generating keys for Responder...
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing ID payload
Jan 18 16:13:02 [IKEv1 DECODE]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, ID_IPV4_ADDR ID received
westell.dynamic.ip.xx
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing hash payload
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Computing hash for ISAKMP
Jan 18 16:13:02 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, Connection landed on tunnel_group DefaultL2LGroup
Jan 18 16:13:02 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Freeing previously allocated memory for authorization-dn-attributes
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing ID payload
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing hash payload
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Computing hash for ISAKMP
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing dpd vid payload
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 80
Jan 18 16:13:02 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, PHASE 1 COMPLETED
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, Keep-alive type for this connection: DPD
Jan 18 16:13:02 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Starting P1 rekey timer: 21600 seconds.
Jan 18 16:13:03 [IKEv1 DECODE]: IP = westell.dynamic.ip.xx, IKE Responder starting QM: msg id = 8f1dec92
Jan 18 16:13:03 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE RECEIVED Message (msgid=8f1dec92) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 148
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing hash payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing SA payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing nonce payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing ID payload
Jan 18 16:13:03 [IKEv1 DECODE]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, ID_IPV4_ADDR_SUBNET ID received--192.168.20.0--255.255.255.0
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Received remote IP Proxy Subnet data in ID Payload:   Address 192.168.20.0, Mask 255.255.255.0, Protocol 0, Port 0
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, processing ID payload
Jan 18 16:13:03 [IKEv1 DECODE]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, ID_IPV4_ADDR_SUBNET ID received--192.168.10.0--255.255.255.0
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Received local IP Proxy Subnet data in ID Payload:   Address 192.168.10.0, Mask 255.255.255.0, Protocol 0, Port 0
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, QM IsRekeyed old sa not found by addr
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.20.0/255.255.255.0/0/0 local proxy 192.168.10.0/255.255.255.0/0/0 on interface outside
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, sending notify message
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing blank hash payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing qm hash payload
Jan 18 16:13:03 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE SENDING Message (msgid=e07cb57d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 196
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, QM FSM error (P2 struct &0x3a1bcc0, mess id 0x8f1dec92)!
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, IKE QM Responder FSM error history (struct &0x3a1bcc0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, sending delete/delete with reason message
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Removing peer from correlator table failed, no match!
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, IKE SA MM:e1444b7b rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, IKE SA MM:e1444b7b terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, sending delete/delete with reason message
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing blank hash payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing IKE delete payload
Jan 18 16:13:03 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, constructing qm hash payload
Jan 18 16:13:03 [IKEv1]: IP = westell.dynamic.ip.xx, IKE_DECODE SENDING Message (msgid=a044cf87) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Jan 18 16:13:03 [IKEv1]: IP = westell.dynamic.ip.xx, Received encrypted packet with no matching SA, dropping
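The debug above shows phase 1 completing and phase 2 being refused because the proxy identities the Westell offers match no crypto map entry on the outside interface, which is what the later fix (a dynamic map with a transform-set bound to the crypto map on outside) addresses. The following triage helper is an added example, not part of the original thread or of Cisco's tooling; it parses a constructed excerpt in the same shape as the poster's `debug crypto isakmp` output and reports how far the negotiation got.

```python
import re

# Constructed excerpt of ASA "debug crypto isakmp" output, in the same shape
# as the lines the poster shared (peer address scrubbed as in the original).
SAMPLE_DEBUG = """\
Jan 18 16:13:02 [IKEv1]: IP = westell.dynamic.ip.xx, Connection landed on tunnel_group DefaultL2LGroup
Jan 18 16:13:02 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, PHASE 1 COMPLETED
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Received remote IP Proxy Subnet data in ID Payload:   Address 192.168.20.0, Mask 255.255.255.0, Protocol 0, Port 0
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Received local IP Proxy Subnet data in ID Payload:   Address 192.168.10.0, Mask 255.255.255.0, Protocol 0, Port 0
Jan 18 16:13:03 [IKEv1]: Group = DefaultL2LGroup, IP = westell.dynamic.ip.xx, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.20.0/255.255.255.0/0/0 local proxy 192.168.10.0/255.255.255.0/0/0 on interface outside
Jan 18 16:13:03 [IKEv1]: IP = westell.dynamic.ip.xx, Received encrypted packet with no matching SA, dropping
"""

GROUP_RE = re.compile(r"Connection landed on tunnel_group (\S+)")
PROXY_RE = re.compile(r"Received (remote|local) IP Proxy Subnet data in ID Payload:\s+Address ([\d.]+), Mask ([\d.]+)")
REJECT_RE = re.compile(r"Rejecting IPSec tunnel: (.+?) for remote proxy (\S+) local proxy (\S+) on interface (\S+)")


def triage_ikev1_debug(text):
    """Walk the debug output in order and record how far the L2L negotiation got."""
    r = {"tunnel_group": None, "phase1": False, "proxies": {},
         "rejection": None, "stage": "no_phase1"}
    for line in text.splitlines():
        if m := GROUP_RE.search(line):
            # DefaultL2LGroup means a dynamic-IP peer that matched no named tunnel-group
            r["tunnel_group"] = m.group(1)
        elif "PHASE 1 COMPLETED" in line:
            r["phase1"] = True
            r["stage"] = "phase1_done"
        elif m := PROXY_RE.search(line):
            r["proxies"][m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        elif m := REJECT_RE.search(line):
            r["rejection"] = {"reason": m.group(1), "remote_proxy": m.group(2),
                              "local_proxy": m.group(3), "interface": m.group(4)}
            r["stage"] = "phase2_rejected"
    return r


def diagnose(r):
    """Turn the triage record into a one-line pointer at the layer to look at."""
    if not r["phase1"]:
        return "Phase 1 never completed: check the pre-shared key, IKE policy and that UDP/500 (and 4500 for NAT-T) reach the ASA."
    rej = r["rejection"]
    if rej and rej["reason"].startswith("no matching crypto map entry"):
        return (f"Phase 1 OK, phase 2 refused on {rej['interface']}: proxies "
                f"{rej['local_proxy']} <-> {rej['remote_proxy']} match no crypto map entry. "
                "For a dynamic-IP peer the dynamic map needs a transform-set and must be "
                "bound to the crypto map applied on that interface.")
    return "Phase 1 OK and no phase 2 rejection seen: check NAT exemption and the crypto ACL."
```

The "Received encrypted packet with no matching SA" line that the poster kept seeing is a consequence of the rejection, not a separate fault: the peer sends on an SA the ASA never installed.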

Expert Comment

by:max_the_king
ID: 38794159
Hi,

You need to exempt the tunnel traffic from NAT:

access-list nonat extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

nat (inside) 0 access-list nonat

max

Author Comment

by:mhdcommunications
ID: 38794393
I exempted NAT from tunnel, still failing with same error:
Jan 18 17:25:39 [IKEv1]: IP = westell.dynamic.ip.xx, Received encrypted packet with no matching SA, dropping
Is the dynamic part of the tunnel configured incorrectly? Running 'show crypto ipsec sa' gives me 'There are no ipsec sas'.

Accepted Solution

by:max_the_king (earned 500 total points)
ID: 38801686
Hi,
You need to add the following:

no crypto dynamic-map mymap 1 set reverse-route
crypto dynamic-map dynmap 30 set transform-set dyn-map
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

hope this helps
max

Author Closing Comment

by:mhdcommunications
ID: 38804236
Copy + paste --- tunnel immediately came up. Genius. Thanks.