Net 2 Net fails on phase 2

Unanswered Question

Tried so many things I'm completely lost now and need fresh eyes on the problem. I can post the ASA config and debug log. The other end device can't print out a config (custom Unix box) so ask questions if needed.


Here is the relevant info.


access-list Outside_access_in remark NET2NET VPN
access-list Outside_access_in extended permit ip host 24.247.165.41 any inactive

access-list nat0 remark NET2NET INSIDE TO VPN
access-list nat0 extended permit ip 10.0.0.0 255.0.0.0 host 69.128.83.236

access-list BW-VPN_TUNNEL remark VPN TUNNEL TRAFFIC
access-list BW-VPN_TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list BW-VPN_TUNNEL standard permit 192.168.1.0 255.255.255.0

access-list Outside_30_cryptomap remark NET2NET VPN IPSEC
access-list Outside_30_cryptomap extended permit ip host 192.168.5.0 10.0.0.0 255.0.0.0

ip local pool BW-VPN 10.125.1.97-10.125.1.126 mask 255.255.255.224

global (Outside) 1 63.11.111.1 netmask 255.255.255.255
global (DMZ) 1 interface
nat (Inside) 0 access-list nat0
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list nonat_dmz
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (management) 0 access-list management_nat0_outbound

access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group DMZ_access_in in interface DMZ

route Outside 0.0.0.0 0.0.0.0 63.11.111.1 1
route Inside 10.0.0.0 255.0.0.0 10.1.7.50 1

group-policy Cyberoam internal
group-policy Cyberoam attributes
 wins-server value 10.90.6.10 10.90.6.20
 dns-server value 10.90.6.10 10.90.6.20
 vpn-tunnel-protocol IPSec
 group-lock value 69.128.83.236
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value BW-VPN_TUNNEL
 default-domain value our-domain.com

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto dynamic-map Inside_dyn_map 20 set transform-set ESP-AES-256-SHA ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 200 set transform-set ESP-AES-256-MD5
crypto dynamic-map Outside_dyn_map 400 set transform-set ESP-3DES-SHA

crypto map Inside_map 20 ipsec-isakmp dynamic Inside_dyn_map
crypto map Inside_map interface Inside
crypto map Outside_map 30 match address Outside_30_cryptomap
crypto map Outside_map 30 set peer 69.128.83.236
crypto map Outside_map 30 set transform-set ESP-3DES-MD5 ESP-AES-256-SHA
crypto map Outside_map 200 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside

crypto isakmp enable Outside
crypto isakmp enable Inside

crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash md5
 group 5
 lifetime 86400

tunnel-group 69.128.83.236 type ipsec-l2l
tunnel-group 69.128.83.236 general-attributes
 default-group-policy Cyberoam
tunnel-group 69.128.83.236 ipsec-attributes
 pre-shared-key **********


Here is the debug log to go along with that.


Group = 69.128.83.236 , IP = 69.128.83.236 , PHASE 1 COMPLETED
Group = 69.128.83.236 , IP = 69.128.83.236 , processing SA payload
Group = 69.128.83.236 , IP = 69.128.83.236 , processing ID payload
Group = 69.128.83.236 , IP = 69.128.83.236 , ID_IPV4_ADDR_SUBNET ID received--192.168.5.0 (unresolved) --255.255.255.0
Group = 69.128.83.236 , IP = 69.128.83.236 , Received remote IP Proxy Subnet data in ID Payload: Address 192.168.5.0 (unresolved) , Mask 255.255.255.0, Protocol 0, Port 0
Group = 69.128.83.236 , IP = 69.128.83.236 , processing ID payload
Group = 69.128.83.236 , IP = 69.128.83.236 , ID_IPV4_ADDR_SUBNET ID received--10.0.0.0 (unresolved) --255.0.0.0
Group = 69.128.83.236 , IP = 69.128.83.236 , Received local IP Proxy Subnet data in ID Payload: Address 10.0.0.0 (unresolved) , Mask 255.0.0.0, Protocol 0, Port 0
Group = 69.128.83.236 , IP = 69.128.83.236 , QM IsRekeyed old sa not found by addr
Group = 69.128.83.236 , IP = 69.128.83.236 , Static Crypto Map check, checking map = Outside_map, seq = 20...
Group = 69.128.83.236 , IP = 69.128.83.236 , Static Crypto Map check, map = Outside_map, seq = 20, no ACL configured
Group = 69.128.83.236 , IP = 69.128.83.236 , Static Crypto Map check, checking map = Outside_map, seq = 30...
Group = 69.128.83.236 , IP = 69.128.83.236 , Static Crypto Map check, map = Outside_map, seq = 30, ACL does not match proxy IDs src:192.168.5.0 (unresolved) dst:10.0.0.0 (unresolved)
Group = 69.128.83.236 , IP = 69.128.83.236 , IKE Remote Peer configured for crypto map: Outside_dyn_map
Group = 69.128.83.236 , IP = 69.128.83.236 , processing IPSec SA payload
Group = 69.128.83.236 , IP = 69.128.83.236 , All IPSec SA proposals found unacceptable!
Group = 69.128.83.236 , IP = 69.128.83.236 , sending notify message
Group = 69.128.83.236 , IP = 69.128.83.236 , constructing ipsec notify payload for msg id 2b78aaf7
IP = 69.128.83.236 , IKE_DECODE SENDING Message (msgid=931bde05) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Group = 69.128.83.236 , IP = 69.128.83.236 , QM FSM error (P2 struct &0x4d83228, mess id 0x2b78aaf7)!
Group = 69.128.83.236 , IP = 69.128.83.236 , IKE QM Responder FSM error history (struct &0x4d83228) , : QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Group = 69.128.83.236 , IP = 69.128.83.236 , sending delete/delete with reason message
Group = 69.128.83.236 , IP = 69.128.83.236 , sending delete/delete with reason message
Group = 69.128.83.236 , Username = 69.128.83.236 , IP = 69.128.83.236 , Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
IP = 69.128.83.236 , Received encrypted packet with no matching SA, dropping






ajagadee Thu, 01/17/2008 - 11:55

What are your local LAN and remote LAN subnets? I think the crypto ACLs are configured incorrectly. The source and destination are reversed.


access-list Outside_30_cryptomap extended permit ip host 192.168.5.0 10.0.0.0 255.0.0.0


Also, check the mask on 192.168.5.0. Is this a host IP address?


Make sure to make the changes to the NAT 0 command as well and try bringing up the tunnel.


I hope it helps.


Regards,

Arul

dradhika Fri, 01/18/2008 - 06:17

Also, can you check if the IPsec transform sets are the same on both devices?
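As an added example (not from this thread or either reply), the Python below models the two checks the debug log reports and the replies point at: Arul's source/destination ordering and mask on the crypto ACL, and dradhika's transform-set comparison. It assumes a simplified covering-match rule for the ACL, and the peer's proposal is constructed because the thread never shows what the Unix box actually offers.

```python
from ipaddress import IPv4Network
# Assumption: an ACE matches when its source covers the ASA's local proxy ID and
# its destination covers the remote proxy ID (a simplified matching rule).

def _parse_addr(tokens):
    """Consume one ACL address spec ('any', 'host A' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    return IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_crypto_ace(line):
    """Parse 'permit ip <src> <dst>' from an ASA extended crypto ACL into (src, dst) networks."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = _parse_addr(tokens[2:])
    dst, _ = _parse_addr(rest)
    return src, dst

def acl_matches_proxy_ids(ace_line, local_id, remote_id):
    """Mirror the 'Static Crypto Map check' from the debug log for one ACE."""
    src, dst = parse_crypto_ace(ace_line)
    return IPv4Network(local_id).subnet_of(src) and IPv4Network(remote_id).subnet_of(dst)

def acceptable_transform_set(configured, peer_proposals):
    """Return the name of the first configured transform set equal to a peer proposal, else None."""
    for proposal in peer_proposals:
        for name, algs in configured.items():
            if algs == proposal:
                return name
    return None

# Proxy IDs as the debug log reports them: local 10.0.0.0/8, remote 192.168.5.0/24.
LOCAL_ID, REMOTE_ID = "10.0.0.0/255.0.0.0", "192.168.5.0/255.255.255.0"
ORIGINAL_ACE = "permit ip host 192.168.5.0 10.0.0.0 255.0.0.0"           # posted config
CORRECTED_ACE = "permit ip 10.0.0.0 255.0.0.0 192.168.5.0 255.255.255.0"  # src/dst swapped, /24 mask
# Transform sets from the posted config: static map seq 30 vs. the dynamic map it falls through to.
STATIC_MAP_30 = {"ESP-3DES-MD5": ("esp-3des", "esp-md5-hmac"),
                 "ESP-AES-256-SHA": ("esp-aes-256", "esp-sha-hmac")}
OUTSIDE_DYN_MAP = {"ESP-AES-256-MD5": ("esp-aes-256", "esp-md5-hmac"),
                   "ESP-3DES-SHA": ("esp-3des", "esp-sha-hmac")}
PEER_PROPOSALS = [("esp-3des", "esp-md5-hmac")]  # constructed; the peer's real offer is not in the thread

if __name__ == "__main__":
    print(acl_matches_proxy_ids(ORIGINAL_ACE, LOCAL_ID, REMOTE_ID))    # False -> falls to Outside_dyn_map
    print(acl_matches_proxy_ids(CORRECTED_ACE, LOCAL_ID, REMOTE_ID))   # True
    print(acceptable_transform_set(OUTSIDE_DYN_MAP, PEER_PROPOSALS))  # None -> "proposals unacceptable"
    print(acceptable_transform_set(STATIC_MAP_30, PEER_PROPOSALS))    # ESP-3DES-MD5
```

With the original ACE the static entry is skipped and only the dynamic map's transform sets are offered, which is why a proposal that would have matched seq 30 can still be rejected.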
