site to site tunnel between IOS router and ASA

Answered Question
Feb 12th, 2007

I've combed through the configs on both sides of this tunnel 4x now and the policies look like they match. I followd the note http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

My crypto access lsits are good and my nat on the IOS side are bundled with a route map and look good. On the ASA side traffic from the ASA side to the remote tunnel is exempt from NAT. Each side already has a site to site tunnel setup, so i've added the appropriate lines to the existing crypto maps that include peer, transform set, and match address "access-list". The crypto isakmp polcies on both ends are compatible. I've attached some configs and debugs(from IOS router), but essentially the log on the ASA starts out with phase 1 completed, and then reads received non routing notify message, no proposal chosen and then it goes to IKE lost connection to remote peer, deleting connection, removing peer from correlator table failed, no match, and finally session disconnected, reason lost service.

Connection is good, their other tunnel stays up along with the remote access vpn config.

I found a note that recommends checking any security access-list, so I removed them, but no luck, and one from cisco related to a concentrator, but had some sound logic to it,

Normally appears with the

corresponding Cisco VPN 3000

concentrator message: No proposal

chosen(14). This is a result of the

connections being host-to-host.

The router configuration had the

IPSec proposals ordered so that the

proposal chosen for the router

matched the access-list, but not the

peer. The access-list had a larger

network that included the host that

was intersecting traffic.

Make the router proposal for this

concentrator-to-router connection

first in line, so that it matches the

specific host first.

however it didn't work either.

thank you,

Bill

I have this problem too.
0 votes
Correct Answer by ggilbert about 9 years 7 months ago

Bill,

Take a look at this

000610: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039):Need XAUTH

000611: *Sep 27 10:42:15.094 PCTime: ISAKMP: set new node 920927400 to CONF_XAUTH

000612: *Sep 27 10:42:15.094 PCTime: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2

000613: *Sep 27 10:42:15.094 PCTime: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2

000614: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039): initiating peer config to 74.92.97.166. ID = 920927400

000615: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039): sending packet to 74.92.97.166 my_port 4500 peer_port 4500 (R) CONF_XAUTH

--More-- 000616: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

000617: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT

It should not be going for Extended Authentication. Since you have the client and the L2L on the same router and the clients are configured for Extended authentication, the router will ask for XAUTH unless you configure the command "no-xauth" after the pre-shared key

Please implement the command:

crypto isakmp key cleartext address 74.92.97.166 no-xauth

Thanks

Gilbert

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
ggilbert Mon, 02/12/2007 - 14:27

Bill,

I looked at the PIX config and seems like there is a mismatch on the peer statements.

Please take a look at the tunnel-group IP address and the IP address on the set peer commands on the crypto map section.

Which one is correct?

Cheers

Gilbert

WILLIAM STEGMAN Mon, 02/12/2007 - 14:47

sorry, I was trying to remove the real IP addresses but missed them in the group attribute statements. The remote peer from the pix is 71.33.245.25 (the tunnel I'm trying to create now) and another tunnel 65.202.177.130 (already established). It looks like I attached the IOS debug twice instead of the running config. I don't have access to that file right now, but will again in a few hours.

ggilbert Tue, 02/13/2007 - 07:01

The config of ASA looks good.

The policies on the ASA and the router should match.

Can you please enable debugs on the router

deb cry isa

deb cry ipsec

Enable debugs on the ASA

deb cry isa 129

deb cry ipsec 129

Do "cle cry isa" and "cle cry sa" on the router and then initiate the tunnel.

Capture the debugs on the router and the ASA - Send them to me.

Let me take a look.

Cheers

Gilbert

ggilbert Tue, 02/13/2007 - 09:38

Looking at the config on the IOS router, I do see that you are doing NAT. Please implement the following commands

conf t

ip access-list ext 102

1 deny ip 192.168.100.0 0.0.0.255 10.4.1.0 0.0.0.255

On the ASA, look at the statement

crypto map outside_map 15 set transform-set CO ESP-3DES-SHA

Can you please make sure that you have only

crypto map outside_map 15 set transform-set CO

Let me know if this fixes the problem.

Thanks

Gilbert

Rate it, if this helps.

WILLIAM STEGMAN Tue, 02/13/2007 - 10:10

ok, added the deny ip line to the access-list 102 with a log on the end. When pinging though nothing shows up for 10.4.1.100, however the logs do reflect a test ping to the working tunnel. Not sure if they should be showing up regardless of the tunnel's condition. I mean should a failed attempt still show up if deny ip 192.168.100.0 0.0.0.255 10.4.1.0 0.0.0.255 log exists?

I've also removed the 2nd transform-set ESP-3DES-SHA, but still get the same behaviour and errors. "received non-routine notify message. No proposal chosen"

ggilbert Tue, 02/13/2007 - 12:30

Bill,

According to the logs

001262: *Sep 26 11:00:21.467 PCTime: ISAKMP (0:2009): NAT found, the node outside NAT

001263: *Sep 26 11:00:21.467 PCTime: ISAKMP:(2009):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

It stops after NAT detection.

Send me the full logs by clearing the tunnel and initiating from the router side.

Thanks

Gilbert

Correct Answer
ggilbert Tue, 02/13/2007 - 12:34

Bill,

Take a look at this

000610: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039):Need XAUTH

000611: *Sep 27 10:42:15.094 PCTime: ISAKMP: set new node 920927400 to CONF_XAUTH

000612: *Sep 27 10:42:15.094 PCTime: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2

000613: *Sep 27 10:42:15.094 PCTime: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2

000614: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039): initiating peer config to 74.92.97.166. ID = 920927400

000615: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039): sending packet to 74.92.97.166 my_port 4500 peer_port 4500 (R) CONF_XAUTH

--More-- 000616: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE

000617: *Sep 27 10:42:15.094 PCTime: ISAKMP:(2039):Old State = IKE_P1_COMPLETE New State = IKE_XAUTH_REQ_SENT

It should not be going for Extended Authentication. Since you have the client and the L2L on the same router and the clients are configured for Extended authentication, the router will ask for XAUTH unless you configure the command "no-xauth" after the pre-shared key

Please implement the command:

crypto isakmp key cleartext address 74.92.97.166 no-xauth

Thanks

Gilbert

ggilbert Tue, 02/13/2007 - 12:37

Bill,

Let me know if that works.

Take care

Gilbert

Rate it, if this helps.

Actions

This Discussion