Using same transform-set on multiple VPN site-to-site tunnels

Answered Question
Dec 21st, 2007

Hi all. I have a rather strange situation regarding a site-to-site VPN tunnel.

On one end I have a PIX 501 and on the other end an ASA 5505, with a tunnel set up between them.

The problem is that from the PIX side I cannot establish a tunnel, but when the traffic starts from the ASA's side the tunnel establishes as normal.

I have checked the configurations on both ends, and the keys, passwords and mirrored ACLs seem OK. The only thing that springs to attention is that I have the same transform set used for two different tunnels on the PIX side.

Can I use the same transform set on multiple tunnels or should I define a different transform set for every tunnel? Could this be the source of the problem?

Correct Answer by kaachary about 9 years 3 months ago

Use this on the PIX (map name and sequence number taken from the config posted in the thread):

crypto map vpn 20 set pfs group2

Or on the ASA, use:

crypto map vpn 20 set pfs group1

Jon Marshall Fri, 12/21/2007 - 08:25
Hi


No that won't be an issue. I have used the same transform set on a pix for over 60 site-to-site VPN tunnels.


What does the debugging show?


Jon

IgorHamzic Mon, 12/24/2007 - 02:22

Here are the results of the debugging on both sides of the tunnel. I was out of action for a couple of days, so sorry for the late reply.


ASA side:


Dec 20 12:24:27 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x3a81b50, mess id 0x4bf27953)!
Dec 20 12:24:27 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!


PIX side:


ISAKMP (0): beginning Main Mode exchange
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 1
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 7200
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a VPN3000 concentrator
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -245075964:f1647004
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 14 protocol 3
spi 0, message ID = 1293387221
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3694378254, spi size = 16
ISAKMP (0): deleting SA: src y.y.y.y, dst x.x.x.x
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xad3ac4, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for x.x.x.x/500 not found - peers:2
ISADB: reaper checking SA 0xaec8dc, conn_id = 0
ISADB: reaper checking SA 0xaebd5c, conn_id = 0
ISADB: reaper checking SA 0xae6f2c, conn_id = 0



I can also post the related parts of configs from both sides.
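The PIX debug above gets through Main Mode ("SA has been authenticated"), starts Quick Mode, and then receives "processing NOTIFY payload 14 protocol 3". In RFC 2408 terms notify type 14 is NO-PROPOSAL-CHOSEN and protocol ID 3 is ESP, so Phase 1 succeeded and the peer rejected the Phase 2 (IPsec) proposal. As an added worked example, not part of the thread and not Cisco tooling, the following Python script reads "debug crypto isakmp" output and reports which stage failed and what to check next. The sample lines are constructed from the post above; the state names, verdict strings and function names are this example's own.

```python
import re

# ISAKMP Notify Message Types from RFC 2408, section 3.14.1, and the ISAKMP DOI
# protocol IDs. Only the codes that matter for site-to-site triage are listed.
NOTIFY_TYPES = {
    14: "NO-PROPOSAL-CHOSEN",
    16: "PAYLOAD-MALFORMED",
    18: "INVALID-ID-INFORMATION",
    24: "AUTHENTICATION-FAILED",
}
PROTO_IDS = {1: "ISAKMP", 2: "AH", 3: "ESP"}

# Sample input constructed from the PIX "debug crypto isakmp" lines in the thread.
SAMPLE_DEBUG = """
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -245075964:f1647004
ISAKMP (0): processing NOTIFY payload 14 protocol 3
spi 0, message ID = 1293387221
ISAKMP (0): processing DELETE payload. message ID = 3694378254, spi size = 16
ISAKMP (0): deleting SA: src y.y.y.y, dst x.x.x.x
"""

NOTIFY_RE = re.compile(r"processing NOTIFY payload (\d+) protocol (\d+)")


def triage(debug_text):
    """Walk the debug output and record how far the IKEv1 exchange got."""
    state = {
        "phase1_policy_matched": False,   # "atts are acceptable"
        "phase1_authenticated": False,    # "SA has been authenticated"
        "phase2_started": False,          # "beginning Quick Mode exchange"
        "notifies": [],                   # (notify name, protocol name) pairs
        "sa_deleted": False,              # peer sent a DELETE payload
    }
    for line in debug_text.splitlines():
        if "atts are acceptable" in line:
            state["phase1_policy_matched"] = True
        elif "SA has been authenticated" in line:
            state["phase1_authenticated"] = True
        elif "beginning Quick Mode exchange" in line:
            state["phase2_started"] = True
        elif "processing DELETE payload" in line:
            state["sa_deleted"] = True
        m = NOTIFY_RE.search(line)
        if m:
            code, proto = int(m.group(1)), int(m.group(2))
            state["notifies"].append((NOTIFY_TYPES.get(code, "type-%d" % code),
                                      PROTO_IDS.get(proto, "proto-%d" % proto)))
    return state


def verdict(state):
    """Turn the recorded state into the next thing to check."""
    if not state["phase1_policy_matched"]:
        return "phase1-policy"      # no ISAKMP policy matched: encryption/hash/group/lifetime
    if not state["phase1_authenticated"]:
        return "phase1-auth"        # policy matched but never authenticated: pre-shared key/identity
    if ("NO-PROPOSAL-CHOSEN", "ESP") in state["notifies"]:
        return "phase2-proposal"    # peer rejected the IPsec proposal: transform-set, PFS group, proxy IDs
    if state["phase2_started"] and state["sa_deleted"]:
        return "phase2-torn-down"   # peer deleted the SA for some other reason
    return "ok" if state["phase2_started"] else "phase1-only"


if __name__ == "__main__":
    s = triage(SAMPLE_DEBUG)
    print(s["notifies"], "->", verdict(s))   # [('NO-PROPOSAL-CHOSEN', 'ESP')] -> phase2-proposal
```

Run it against a full debug capture rather than the excerpt: the point of separating `triage` from `verdict` is that a Phase 1 failure (no "atts are acceptable" line at all) and a Phase 2 rejection look alike to someone who only sees the tunnel not coming up, but they send you to completely different parts of the configuration.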

kaachary Tue, 12/25/2007 - 15:36

Can you please post the relevant part of the config and the debugs for IPsec as well?


deb cry ipsec

IgorHamzic Thu, 12/27/2007 - 08:13

Here are the relevant parts of the configs from both devices.


ASA side:


crypto ipsec transform-set cp esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600

crypto map vpn 20 match address 120
crypto map vpn 20 set pfs
crypto map vpn 20 set peer x.x.x.x
crypto map vpn 20 set transform-set cp
crypto map vpn interface outside

isakmp identity address
isakmp enable outside
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption aes-256
isakmp policy 2 hash sha
isakmp policy 2 group 5
isakmp policy 2 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 7200

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key xxxxxxxxxxxxxxxxx

access-list 120 extended permit ip 172.20.8.0 255.255.255.0 172.20.9.0 255.255.255.0
access-list 120 extended permit ip 10.100.8.0 255.255.255.0 172.20.9.0 255.255.255.0
access-list 120 extended permit ip 10.100.16.0 255.255.255.0 172.20.9.0 255.255.255.0



PIX side:


crypto ipsec transform-set cp esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600

crypto map vpn 20 ipsec-isakmp
crypto map vpn 20 match address 120
crypto map vpn 20 set pfs
crypto map vpn 20 set peer x.x.x.x
crypto map vpn 20 set transform-set cp
crypto map vpn interface outside

isakmp enable outside
isakmp key xxxxxxxxxxxx address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 7200
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400

access-list 120 permit ip 172.20.9.0 255.255.255.0 172.20.8.0 255.255.255.0
access-list 120 permit ip 172.20.9.0 255.255.255.0 10.100.8.0 255.255.255.0
access-list 120 permit ip 172.20.9.0 255.255.255.0 10.100.16.0 255.255.255.0


IgorHamzic Thu, 12/27/2007 - 08:15

I forgot the IPsec debug.


IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x9b7d0784(2608662404) for SA
from y.y.y.y to x.x.x.x for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with y.y.y.y
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= x.x.x.x, remote= y.y.y.y,
local_proxy= 172.20.9.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.20.8.0/255.255.255.0/0/0 (type=4)
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0x79d3f3bf(2043933631) for SA
from y.y.y.y to x.x.x.x for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with y.y.y.y
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= x.x.x.x, remote= y.y.y.y,
local_proxy= 172.20.9.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.20.8.0/255.255.255.0/0/0 (type=4)
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xaa3f5dbd(2856279485) for SA
from y.y.y.y to x.x.x.x for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with y.y.y.y
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= x.x.x.x, remote= y.y.y.y,
local_proxy= 172.20.9.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.20.8.0/255.255.255.0/0/0 (type=4)
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xa22a0c10(2720664592) for SA
from y.y.y.y to x.x.x.x for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with y.y.y.y
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= x.x.x.x, remote= y.y.y.y,
local_proxy= 172.20.9.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.20.8.0/255.255.255.0/0/0 (type=4)
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xef2ba5c0(4012615104) for SA
from y.y.y.y to x.x.x.x for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with y.y.y.y
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= x.x.x.x, remote= y.y.y.y,
local_proxy= 172.20.9.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.20.8.0/255.255.255.0/0/0 (type=4)
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xe9030f5b(3909291867) for SA
from y.y.y.y to x.x.x.x for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xf86c4794(4167845780) for SA
from y.y.y.y to x.x.x.x for prot 3
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with y.y.y.y
IPSEC(key_engine): request timer fired: count = 2,
(identity) local= x.x.x.x, remote= y.y.y.y,
local_proxy= 172.20.9.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.20.8.0/255.255.255.0/0/0 (type=4)
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= x.x.x.x, remote= y.y.y.y,
local_proxy= 172.20.9.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.100.8.0/255.255.255.0/0/0 (type=4)
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xdc627d36(3697442102) for SA
from y.y.y.y to x.x.x.x for prot 3

kaachary Thu, 12/27/2007 - 11:51

The ASA, by default, uses PFS group 2 if no group is specified, whereas PIX 6.x uses PFS group 1 if no group is specified.


So you need to change the PFS group on one of the devices to match the other.


Hope that helps.

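The mismatch is invisible when you eyeball the two configs, because both sides show the same bare "set pfs" line; it only appears once the platform default is filled in. As an added worked example (not from the thread and not a Cisco tool), the following Python script parses the two config fragments posted above, applies the default group for a bare "set pfs" (group2 on the ASA, group1 on PIX 6.x, as stated in the answer above), and reports the Phase 2 mismatches that make a peer answer NO-PROPOSAL-CHOSEN: transform-set, PFS group, and a crypto ACL that is not the mirror image of the peer's. The `PFS_DEFAULT` table, platform keys and function names are this example's own; only the two platforms in the thread are covered.

```python
import re
from collections import defaultdict

# DH group used when "set pfs" is configured with no explicit group, as stated
# in the thread: ASA -> group2, PIX 6.x -> group1. (Table is this example's own.)
PFS_DEFAULT = {"asa": "group2", "pix6": "group1"}

# Config fragments as posted in the thread (peer addresses anonymised as x.x.x.x).
ASA_CFG = """
crypto ipsec transform-set cp esp-des esp-sha-hmac
crypto map vpn 20 match address 120
crypto map vpn 20 set pfs
crypto map vpn 20 set peer x.x.x.x
crypto map vpn 20 set transform-set cp
access-list 120 extended permit ip 172.20.8.0 255.255.255.0 172.20.9.0 255.255.255.0
access-list 120 extended permit ip 10.100.8.0 255.255.255.0 172.20.9.0 255.255.255.0
access-list 120 extended permit ip 10.100.16.0 255.255.255.0 172.20.9.0 255.255.255.0
"""

PIX_CFG = """
crypto ipsec transform-set cp esp-des esp-sha-hmac
crypto map vpn 20 ipsec-isakmp
crypto map vpn 20 match address 120
crypto map vpn 20 set pfs
crypto map vpn 20 set peer x.x.x.x
crypto map vpn 20 set transform-set cp
access-list 120 permit ip 172.20.9.0 255.255.255.0 172.20.8.0 255.255.255.0
access-list 120 permit ip 172.20.9.0 255.255.255.0 10.100.8.0 255.255.255.0
access-list 120 permit ip 172.20.9.0 255.255.255.0 10.100.16.0 255.255.255.0
"""

TSET_RE = re.compile(r"crypto ipsec transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) (match address|set pfs|set peer|set transform-set)\s*(.*)$")
ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")


def parse(cfg, platform):
    """Return crypto-map entries keyed by (map name, seq), transform-sets and crypto ACLs."""
    tsets, maps, acls = {}, defaultdict(dict), defaultdict(set)
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := TSET_RE.match(line):
            tsets[m.group(1)] = frozenset(m.group(2).split())
        elif m := MAP_RE.match(line):
            entry, key, val = maps[(m.group(1), m.group(2))], m.group(3), m.group(4)
            if key == "set pfs":
                entry["pfs"] = val or PFS_DEFAULT[platform]   # bare "set pfs": platform default applies
            elif key == "set transform-set":
                entry["transform"] = val
            elif key == "match address":
                entry["acl"] = val
            else:
                entry["peer"] = val
        elif m := ACL_RE.match(line):
            acls[m.group(1)].add(m.groups()[1:])   # (src, src mask, dst, dst mask)
    return maps, tsets, acls


def entry_view(cfg, platform, name, seq):
    """Resolve one crypto-map entry into the three things Phase 2 is negotiated on."""
    maps, tsets, acls = parse(cfg, platform)
    e = maps.get((name, seq), {})
    return {
        "pfs": e.get("pfs", "off"),
        "transform": tsets.get(e.get("transform"), frozenset()),
        "acl": set(acls.get(e.get("acl"), set())),
    }


def compare_sites(local_cfg, local_platform, remote_cfg, remote_platform,
                  local_entry=("vpn", "20"), remote_entry=("vpn", "20")):
    """List the Phase 2 mismatches that would make the peer reject our proposal."""
    local = entry_view(local_cfg, local_platform, *local_entry)
    remote = entry_view(remote_cfg, remote_platform, *remote_entry)
    findings = []
    if local["transform"] != remote["transform"]:
        findings.append("transform-set mismatch: %s vs %s"
                        % (sorted(local["transform"]), sorted(remote["transform"])))
    if local["pfs"] != remote["pfs"]:
        findings.append("PFS mismatch: local %s vs remote %s" % (local["pfs"], remote["pfs"]))
    # The peer's crypto ACL must be ours with source and destination swapped.
    mirrored = {(dst, dmask, src, smask) for (src, smask, dst, dmask) in remote["acl"]}
    if local["acl"] != mirrored:
        findings.append("crypto ACL is not the mirror image of the peer's ACL")
    return findings


if __name__ == "__main__":
    for finding in compare_sites(PIX_CFG, "pix6", ASA_CFG, "asa"):
        print(finding)   # PFS mismatch: local group1 vs remote group2
```

On the thread's configs the transform-sets and ACLs pass and the only finding is the PFS group, which is exactly what the peer's NO-PROPOSAL-CHOSEN was complaining about; making the group explicit on either side ("set pfs group1" on the ASA or "set pfs group2" on the PIX) empties the findings list. Writing the group explicitly on both ends is the safer habit, since it stops the result depending on which platform a given end happens to be.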


IgorHamzic Thu, 12/27/2007 - 14:42

I didn't know that ASA uses PFS group 2 as default. I guess you learn something new every day. I'll change that and let you know how it went and if the problem persists.

IgorHamzic Fri, 01/11/2008 - 00:47

Changing the PFS value on the ASA solved the problem. There are no more dropped tunnels.

Thanks for all your help.
