Cannot establish site-to-site tunnel on ASA5505

Noureddine Djema
I am trying to establish a site-to-site VPN tunnel between an ASA 5505 and a FortiGate 300D, but the tunnel does not come up.
I have attached the config of the ASA.

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.251
!
interface GigabitEthernet0/2
 nameif E1(outside)
 security-level 0
 ip address 192.168.1.2



access-list ooredoo-Tunnel extended permit ip host aspen1 10.71.100.0 255.255.255.0
access-list ooredoo-Tunnel extended permit ip 10.71.100.0 255.255.255.0 host aspen1

access-list E1_access_in extended permit icmp 10.71.100.0 255.255.255.0 host 192.168.0.205 echo-reply
access-list E1_access_in extended permit icmp 10.71.100.0 255.255.255.0 host 192.168.0.205 echo
access-list E1_access_in extended permit icmp any host 10.150.1.4 echo
access-list E1_access_in extended permit icmp any host 10.150.1.4 echo-reply
access-list E1_access_in extended permit icmp host 10.150.1.4 any echo
access-list E1_access_in extended permit icmp host 10.150.1.4 any echo-reply
access-list E1_access_in extended permit ip any any log
access-list E1_access_in extended permit ip any host 192.168.0.205
access-list E1_access_in extended permit tcp any host 192.168.0.205 eq www
access-list E1_access_in extended permit ip host 192.168.2.100 any
access-list E1_access_in extended permit ip any host 192.168.2.100
access-list E1_access_in extended permit tcp host 192.168.2.100 any eq https
access-list E1_access_in extended permit tcp any any eq ssh
access-list E1_access_in extended permit tcp any any eq https
access-list E1_access_in extended permit tcp any any eq 8080
access-list E1_access_in extended permit tcp any any eq www
access-list E1_access_in extended permit esp any any
access-list E1_access_in extended permit udp any any eq isakmp

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map E1_map 1 match address ooredoo-Tunnel
crypto map E1_map 1 set peer ooredoo
crypto map E1_map 1 set transform-set ESP-AES-128-SHA
crypto map E1_map 1 set security-association lifetime seconds 3600
crypto map E1_map 1 set security-association lifetime kilobytes 4608000
crypto map E1_map interface E1
crypto isakmp identity address
crypto isakmp enable E1
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group 80.88.12.10 type ipsec-l2l
tunnel-group 80.88.12.10 ipsec-attributes
 pre-shared-key cisco123

sh isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: ooredoo
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2



Debug:

Aug 18 10:48:27 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 18 10:48:27 [IKEv1]: IP = 80.88.12.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 18 10:48:28 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 18 10:48:28 [IKEv1]: IP = 80.88.12.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 18 10:48:29 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 18 10:48:29 [IKEv1]: IP = 80.88.12.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 18 10:48:30 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 18 10:48:30 [IKEv1]: IP = 80.88.12.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 18 10:48:30 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 18 10:48:30 [IKEv1]: IP = 80.88.12.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 18 10:48:31 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 18 10:48:31 [IKEv1]: IP = 80.88.12.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 18 10:48:32 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 18 10:48:32 [IKEv1]: IP = 80.88.12.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 18 10:48:33 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 18 10:48:33 [IKEv1]: IP = 80.88.12.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 18 10:48:33 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 18 10:48:33 [IKEv1]: IP = 80.88.12.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 18 10:48:33 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 18 10:48:33 [IKEv1]: IP = 80.88.12.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 18 10:48:34 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 18 10:48:34 [IKEv1]: IP = 80.88.12.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 18 10:48:34 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 18 10:48:34 [IKEv1]: IP = 80.88.12.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 18 10:48:35 [IKEv1 DEBUG]: IP = 80.88.12.10, IKE MM Initiator FSM error history (struct &0xd7c8c8b8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Aug 18 10:48:35 [IKEv1 DEBUG]: IP = 80.88.12.10, IKE SA MM:ce3cacf9 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Aug 18 10:48:35 [IKEv1 DEBUG]: IP = 80.88.12.10, sending delete/delete with reason message
Aug 18 10:48:35 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 18 10:48:35 [IKEv1]: IP = 80.88.12.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 80.88.12.10  local Proxy Address 192.168.0.210, remote Proxy Address 10.71.100.0,  Crypto map (E1_map)
Aug 18 10:48:35 [IKEv1 DEBUG]: IP = 80.88.12.10, constructing ISAKMP SA payload
Aug 18 10:48:35 [IKEv1 DEBUG]: IP = 80.88.12.10, constructing NAT-Traversal VID ver 02 payload
Aug 18 10:48:35 [IKEv1 DEBUG]: IP = 80.88.12.10, constructing NAT-Traversal VID ver 03 payload
Aug 18 10:48:35 [IKEv1 DEBUG]: IP = 80.88.12.10, constructing NAT-Traversal VID ver RFC payload
Aug 18 10:48:35 [IKEv1 DEBUG]: IP = 80.88.12.10, constructing Fragmentation VID + extended capabilities payload
Aug 18 10:48:35 [IKEv1]: IP = 80.88.12.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172

 

 

SENDING PACKET to ooredoo

ISAKMP Header
  Initiator COOKIE: 3e 26 a0 47 88 61 c6 34
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 172
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 60
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 48
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 40
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: AES-CBC
        Key Length: 128
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00
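The packet dump above is the first Main Mode message (MM1): the ASA's ISAKMP SA proposal (policy 1: AES-128, SHA1, pre-shared key, group 2, 86400 s) followed by four vendor-ID payloads, with the responder cookie still all zeros because, as the MM_WAIT_MSG2 state says, nothing has come back from the peer. The following script is an added example, not part of the original post and not a Cisco tool: it rebuilds that 172-byte message from the policy values, then parses it back so the payload lengths (SA 60, proposal 48, transform 40, vendor IDs 20/20/20/24) can be checked against the dump. The initiator cookie and vendor-ID bytes are copied from the dump; the payload-type and attribute numbers are the standard ISAKMP/IKEv1 (RFC 2407/2408/2409) values.

```python
"""Build and decode the IKEv1 Main Mode message 1 the ASA dumped.

Added example (not from the original post or any Cisco tool). Cookie and
vendor-ID bytes are copied from the dump; everything else is derived from
'crypto isakmp policy 1'.
"""
import struct

# ISAKMP payload types, exchange type and IPsec DOI values (RFC 2407/2408/2409)
NP_NONE, NP_SA, NP_VID = 0, 1, 13
EXCH_MAIN_MODE, DOI_IPSEC, SIT_IDENTITY_ONLY, PROTO_ISAKMP, KEY_IKE = 2, 1, 1, 1, 1
# Phase-1 transform attribute types and the values used by policy 1
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP, ATTR_LIFE_TYPE, ATTR_LIFE_DUR, ATTR_KEY_LEN = 1, 2, 3, 4, 11, 12, 14
ENC_AES_CBC, HASH_SHA1, AUTH_PSK, GROUP2, LIFE_SECONDS = 7, 2, 1, 2, 1

INITIATOR_COOKIE = bytes.fromhex("3e26a0478861c634")  # from the dump
# Vendor IDs in dump order: NAT-T draft-02, NAT-T draft-03, NAT-T RFC, Cisco fragmentation
VENDOR_IDS = [
    bytes.fromhex("90cb80913ebb696e086381b5ec427b1f"),
    bytes.fromhex("7d9419a65310ca6f2c179d9215529d56"),
    bytes.fromhex("4a131c81070358455c5728f20e95452f"),
    bytes.fromhex("4048b7d56ebce88525e7de7f00d6c2d3c0000000"),
]


def attr_tv(atype, value):
    """Basic attribute: AF bit set, 2-byte value (4 bytes total)."""
    return struct.pack("!HH", 0x8000 | atype, value)


def attr_tlv(atype, value_bytes):
    """Variable-length attribute: AF bit clear, 2-byte length, then the value."""
    return struct.pack("!HH", atype, len(value_bytes)) + value_bytes


def generic(next_payload, body):
    """Generic payload header: next payload, reserved, total length."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def build_transform(lifetime_seconds=86400):
    attrs = (attr_tv(ATTR_GROUP, GROUP2) + attr_tv(ATTR_ENC, ENC_AES_CBC)
             + attr_tv(ATTR_KEY_LEN, 128) + attr_tv(ATTR_HASH, HASH_SHA1)
             + attr_tv(ATTR_AUTH, AUTH_PSK) + attr_tv(ATTR_LIFE_TYPE, LIFE_SECONDS)
             + attr_tlv(ATTR_LIFE_DUR, struct.pack("!I", lifetime_seconds)))
    # transform #1, Transform-Id KEY_IKE, Reserved2 = 0000
    return generic(NP_NONE, struct.pack("!BBH", 1, KEY_IKE, 0) + attrs)


def build_proposal():
    # proposal #1, PROTO_ISAKMP, SPI size 0, one transform
    return generic(NP_NONE, struct.pack("!BBBB", 1, PROTO_ISAKMP, 0, 1) + build_transform())


def build_sa():
    return generic(NP_VID, struct.pack("!II", DOI_IPSEC, SIT_IDENTITY_ONLY) + build_proposal())


def build_mm1():
    """Whole MM1: 28-byte ISAKMP header + SA payload + chained vendor-ID payloads."""
    body = build_sa()
    for i, vid in enumerate(VENDOR_IDS):
        body += generic(NP_VID if i < len(VENDOR_IDS) - 1 else NP_NONE, vid)
    # responder cookie is zero until the peer answers; version 0x10 = 1.0; flags 0; msgid 0
    hdr = INITIATOR_COOKIE + bytes(8) + struct.pack("!BBBBII", NP_SA, 0x10, EXCH_MAIN_MODE, 0, 0, 28 + len(body))
    return hdr + body


def parse_payloads(pkt):
    """Decode the header and walk the payload chain; returns header fields and [(type, len, body)]."""
    if len(pkt) < 28:
        raise ValueError("short ISAKMP header")
    np, ver, exch, flags, msgid, length = struct.unpack("!BBBBII", pkt[16:28])
    if length != len(pkt):
        raise ValueError("header length does not match packet size")
    payloads, off = [], 28
    while np != NP_NONE:
        if off + 4 > len(pkt):
            raise ValueError("truncated payload header")
        nxt, _, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")
        payloads.append((np, plen, pkt[off + 4:off + plen]))
        np, off = nxt, off + plen
    return {"icookie": pkt[:8], "rcookie": pkt[8:16], "exchange": exch, "length": length, "payloads": payloads}


def decode_sa(body):
    """Decode an SA payload body (DOI, situation, one proposal with one transform)."""
    if len(body) < 24:
        raise ValueError("SA payload too short")
    doi, sit = struct.unpack("!II", body[:8])
    _, _, plen = struct.unpack("!BBH", body[8:12])
    _, proto, spi_size, _ = struct.unpack("!BBBB", body[12:16])
    toff = 16 + spi_size
    _, _, tlen = struct.unpack("!BBH", body[toff:toff + 4])
    _, tid, _ = struct.unpack("!BBH", body[toff + 4:toff + 8])
    attrs, aoff = {}, toff + 8
    while aoff < toff + tlen:
        t, v = struct.unpack("!HH", body[aoff:aoff + 4])
        if t & 0x8000:                      # TV form: value is v itself
            attrs[t & 0x7fff], aoff = v, aoff + 4
        else:                               # TLV form: v is the value length
            attrs[t], aoff = int.from_bytes(body[aoff + 4:aoff + 4 + v], "big"), aoff + 4 + v
    return {"doi": doi, "situation": sit, "proposal_len": plen, "protocol": proto,
            "transform_len": tlen, "transform_id": tid, "attrs": attrs}


if __name__ == "__main__":
    pkt = build_mm1()
    info = parse_payloads(pkt)
    print(len(pkt), [(t, l) for t, l, _ in info["payloads"]])
    print(decode_sa(info["payloads"][0][2]))
```

Running it reproduces the dump's numbers (total 172, payload chain 60/20/20/20/24) and shows the attribute encoding the dump only names: six 4-byte TV attributes plus one 8-byte TLV for the lifetime (00 01 51 80 = 86400). The same parser can be pointed at a captured UDP/500 payload to confirm what actually left the outside interface, which is the question when a peer never answers MM1.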
John (Business Consultant, Owner; Most Valuable Expert 2012, Expert of the Year 2018) commented:
Please clear the logs on both ends, try to connect, and then see what the log says. Post the relevant parts of the log here so we can see whether we may assist.
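The relevant part of an IKEv1 debug is usually small: whether any IKE_DECODE RECEIVED line ever appears, which wait state the initiator died in, and what the FSM error history says (the ASA prints it most recent transition first, so the line in the question reads right-to-left as MSG1 resent, timer started, timeout, retry, error). The script below is an added example, not part of the thread and not a Cisco tool; it pulls those facts out of a debug capture and pairs them with the `show isakmp sa` state. The sample log text is constructed to mirror the lines in the question, and the state table covers the initiator-side Main Mode wait states.

```python
"""Triage an ASA IKEv1 Main Mode failure from 'show isakmp sa' and debug output.

Added example, not part of the original thread and not a Cisco tool. The
sample debug text is constructed to mirror the lines in the question.
"""
import re

# Constructed sample: a trimmed copy of the shape of the debug in the question.
SAMPLE_DEBUG = """\
Aug 18 10:48:27 [IKEv1]: IP = 80.88.12.10, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Aug 18 10:48:35 [IKEv1 DEBUG]: IP = 80.88.12.10, IKE MM Initiator FSM error history (struct &0xd7c8c8b8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Aug 18 10:48:35 [IKEv1 DEBUG]: IP = 80.88.12.10, IKE SA MM:ce3cacf9 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Aug 18 10:48:35 [IKEv1]: IP = 80.88.12.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 80.88.12.10  local Proxy Address 192.168.0.210, remote Proxy Address 10.71.100.0,  Crypto map (E1_map)
Aug 18 10:48:35 [IKEv1]: IP = 80.88.12.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
"""

# Initiator-side Main Mode wait states: what we have sent, what we wait for,
# and the usual reason the reply never arrives.
WAIT_STATES = {
    "MM_WAIT_MSG2": ("sent MM1 (SA proposal)", "the peer's SA reply (MM2)",
                     "peer unreachable, UDP/500 filtered on the path, peer has no tunnel/peer "
                     "entry for our source address, or ISAKMP not enabled on the egress interface"),
    "MM_WAIT_MSG4": ("sent MM3 (KE + nonce)", "the peer's KE + nonce (MM4)",
                     "the peer accepted the phase 1 policy; check that its reply is not dropped on the way back"),
    "MM_WAIT_MSG6": ("sent MM5 (ID + hash)", "the peer's ID + hash (MM6)",
                     "commonly a pre-shared key mismatch (peer cannot decrypt MM5) or an identity mismatch"),
}

FSM_RE = re.compile(r"<state>, <event>:\s*(.+)$")
PEER_RE = re.compile(r"IP = (\d+\.\d+\.\d+\.\d+)")


def parse_fsm_history(line):
    """Return [(state, event), ...] from an FSM error history line, most recent first."""
    m = FSM_RE.search(line)
    if not m:
        return []
    pairs = []
    for chunk in m.group(1).split("-->"):
        state, _, event = chunk.strip().partition(", ")
        pairs.append((state, event))
    return pairs


def triage(debug_text, isakmp_state):
    """Summarise one initiator attempt and name the most likely failure class."""
    lines = debug_text.splitlines()
    peers = {m.group(1) for m in map(PEER_RE.search, lines) if m}
    sent = sum("IKE_DECODE SENDING Message" in ln for ln in lines)
    received = sum("IKE_DECODE RECEIVED Message" in ln for ln in lines)
    fsm = []
    for ln in lines:
        if "FSM error history" in ln:
            fsm = parse_fsm_history(ln)      # keep the last history printed
    events = [e for _, e in fsm]
    result = {
        "peer": ",".join(sorted(peers)), "state": isakmp_state,
        "sent": sent, "received": received, "fsm": fsm,
        "retries": events.count("EV_RETRY"), "timeouts": events.count("EV_TIMEOUT"),
    }
    if isakmp_state in WAIT_STATES and received == 0:
        done, waiting, cause = WAIT_STATES[isakmp_state]
        result["verdict"] = "NO_REPLY"
        result["detail"] = f"{done}; never received {waiting}. Likely: {cause}."
    elif isakmp_state in WAIT_STATES:
        result["verdict"] = "REPLY_SEEN_BUT_STALLED"
        result["detail"] = (f"peer did answer, yet we are stuck waiting for {WAIT_STATES[isakmp_state][1]}; "
                            "inspect the RECEIVED lines for a NOTIFY (e.g. a proposal rejection)")
    else:
        result["verdict"] = "OTHER"
        result["detail"] = f"state {isakmp_state} is not an initiator wait state handled here"
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_DEBUG, "MM_WAIT_MSG2")
    print(r["verdict"], "-", r["detail"])
    print("peer", r["peer"], "sent", r["sent"], "received", r["received"],
          "retries", r["retries"], "timeouts", r["timeouts"])
```

For the question's capture the verdict is NO_REPLY: one MM1 sent, nothing received, one timeout and two retries before EV_ERROR. That points the troubleshooting at reachability and the peer's configuration (is 80.88.12.10 really listening on UDP/500 for this ASA's public address?) rather than at the phase 1 policy, which the peer never had a chance to evaluate.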
