01-16-2008 07:07 AM - edited 03-09-2019 07:53 PM
Tried so many things I'm completely lost now and need fresh eyes on the problem. I can post the ASA config and debug log. The other end device can't print out a config (custom Unix box) so ask questions if needed.
Here is the relevant info.
access-list Outside_access_in remark NET2NET VPN
access-list Outside_access_in extended permit ip host 24.247.165.41 any inactive
access-list nat0 remark NET2NET INSIDE TO VPN
access-list nat0 extended permit ip 10.0.0.0 255.0.0.0 host 69.128.83.236
access-list BW-VPN_TUNNEL remark VPN TUNNEL TRAFFIC
access-list BW-VPN_TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list BW-VPN_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list Outside_30_cryptomap remark NET2NET VPN IPSEC
access-list Outside_30_cryptomap extended permit ip host 192.168.5.0 10.0.0.0 255.0.0.0
ip local pool BW-VPN 10.125.1.97-10.125.1.126 mask 255.255.255.224
global (Outside) 1 63.11.111.1 netmask 255.255.255.255
global (DMZ) 1 interface
nat (Inside) 0 access-list nat0
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list nonat_dmz
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (management) 0 access-list management_nat0_outbound
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group DMZ_access_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 63.11.111.1 1
route Inside 10.0.0.0 255.0.0.0 10.1.7.50 1
group-policy Cyberoam internal
group-policy Cyberoam attributes
wins-server value 10.90.6.10 10.90.6.20
dns-server value 10.90.6.10 10.90.6.20
vpn-tunnel-protocol IPSec
group-lock value 69.128.83.236
split-tunnel-policy tunnelspecified
split-tunnel-network-list value BW-VPN_TUNNEL
default-domain value our-domain.com
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map Inside_dyn_map 20 set transform-set ESP-AES-256-SHA ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 200 set transform-set ESP-AES-256-MD5
crypto dynamic-map Outside_dyn_map 400 set transform-set ESP-3DES-SHA
crypto map Inside_map 20 ipsec-isakmp dynamic Inside_dyn_map
crypto map Inside_map interface Inside
crypto map Outside_map 30 match address Outside_30_cryptomap
crypto map Outside_map 30 set peer 69.128.83.236
crypto map Outside_map 30 set transform-set ESP-3DES-MD5 ESP-AES-256-SHA
crypto map Outside_map 200 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400
tunnel-group 69.128.83.236 type ipsec-l2l
tunnel-group 69.128.83.236 general-attributes
default-group-policy Cyberoam
tunnel-group 69.128.83.236 ipsec-attributes
pre-shared-key **********
01-16-2008 07:11 AM
Here is the debug log to go along with that.
Group = 69.128.83.236 , IP = 69.128.83.236 , PHASE 1 COMPLETED
Group = 69.128.83.236 , IP = 69.128.83.236 , processing SA payload
Group = 69.128.83.236 , IP = 69.128.83.236 , processing ID payload
Group = 69.128.83.236 , IP = 69.128.83.236 , ID_IPV4_ADDR_SUBNET ID received--192.168.5.0 (unresolved) --255.255.255.0
Group = 69.128.83.236 , IP = 69.128.83.236 , Received remote IP Proxy Subnet data in ID Payload: Address 192.168.5.0 (unresolved) , Mask 255.255.255.0, Protocol 0, Port 0
Group = 69.128.83.236 , IP = 69.128.83.236 , processing ID payload
Group = 69.128.83.236 , IP = 69.128.83.236 , ID_IPV4_ADDR_SUBNET ID received--10.0.0.0 (unresolved) --255.0.0.0
Group = 69.128.83.236 , IP = 69.128.83.236 , Received local IP Proxy Subnet data in ID Payload: Address 10.0.0.0 (unresolved) , Mask 255.0.0.0, Protocol 0, Port 0
Group = 69.128.83.236 , IP = 69.128.83.236 , QM IsRekeyed old sa not found by addr
Group = 69.128.83.236 , IP = 69.128.83.236 , Static Crypto Map check, checking map = Outside_map, seq = 20...
Group = 69.128.83.236 , IP = 69.128.83.236 , Static Crypto Map check, map = Outside_map, seq = 20, no ACL configured
Group = 69.128.83.236 , IP = 69.128.83.236 , Static Crypto Map check, checking map = Outside_map, seq = 30...
Group = 69.128.83.236 , IP = 69.128.83.236 , Static Crypto Map check, map = Outside_map, seq = 30, ACL does not match proxy IDs src:192.168.5.0 (unresolved) dst:10.0.0.0 (unresolved)
Group = 69.128.83.236 , IP = 69.128.83.236 , IKE Remote Peer configured for crypto map: Outside_dyn_map
Group = 69.128.83.236 , IP = 69.128.83.236 , processing IPSec SA payload
Group = 69.128.83.236 , IP = 69.128.83.236 , All IPSec SA proposals found unacceptable!
Group = 69.128.83.236 , IP = 69.128.83.236 , sending notify message
Group = 69.128.83.236 , IP = 69.128.83.236 , constructing ipsec notify payload for msg id 2b78aaf7
IP = 69.128.83.236 , IKE_DECODE SENDING Message (msgid=931bde05) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Group = 69.128.83.236 , IP = 69.128.83.236 , QM FSM error (P2 struct &0x4d83228, mess id 0x2b78aaf7)!
Group = 69.128.83.236 , IP = 69.128.83.236 , IKE QM Responder FSM error history (struct &0x4d83228) , : QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Group = 69.128.83.236 , IP = 69.128.83.236 , sending delete/delete with reason message
Group = 69.128.83.236 , IP = 69.128.83.236 , sending delete/delete with reason message
Group = 69.128.83.236 , Username = 69.128.83.236 , IP = 69.128.83.236 , Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
IP = 69.128.83.236 , Received encrypted packet with no matching SA, dropping
01-17-2008 11:47 AM
No help here?
01-17-2008 11:55 AM
What are your local LAN and remote LAN subnets? I think the crypto ACLs are configured incorrectly. The source and destination are reversed.
access-list Outside_30_cryptomap extended permit ip host 192.168.5.0 10.0.0.0 255.0.0.0
Also, check the mask on the 192.168.5.0. Is this a host IP Address?
Make sure to make the changes to the NAT 0 command as well and try bringing up the tunnel.
I hope it helps.
Regards,
Arul
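To make the check in the reply above mechanical, here is a small Python script, added as an example for this thread and not the poster's or Cisco's code. It parses the two "Received ... IP Proxy Subnet" lines of the posted `debug crypto isakmp` output and an ASA `access-list ... extended permit ip` entry, then reports whether the crypto-map ACL is the mirror image of what the peer proposed (ACL source = the ASA's "local" proxy ID, ACL destination = the peer's "remote" proxy ID, masks included) and whether the `nat 0` ACL covers the same local-to-remote pair. The debug lines and the "as posted" ACLs are taken from the thread; the "fixed" entries are an assumed correction consistent with the reply, not something the original poster confirmed.

```python
"""Check an ASA crypto-map ACL and nat 0 ACL against the Phase 2 proxy IDs
a peer sent, as seen in `debug crypto isakmp` output.

Added example for this thread; not the poster's or Cisco's code. Rule
applied: the ASA's crypto ACL must mirror the peer's proposal exactly:
ACL source == "local" proxy ID, ACL destination == "remote" proxy ID.
"""
import ipaddress
import re

PROXY_RE = re.compile(
    r"Received (?P<side>remote|local) IP Proxy Subnet data in ID Payload: "
    r"Address (?P<addr>[\d.]+) \(unresolved\) , Mask (?P<mask>[\d.]+)"
)


def _take_addr(tokens, i):
    """Consume one ASA address spec (host X | any | addr mask) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(line):
    """Return (src, dst) networks of an 'access-list NAME extended permit ip ...' entry."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2:5] != ["extended", "permit", "ip"]:
        raise ValueError(f"unsupported ACL entry: {line}")
    src, i = _take_addr(tokens, 5)
    dst, _ = _take_addr(tokens, i)
    return src, dst


def parse_proxy_ids(debug_text):
    """Return (local, remote) networks from the two proxy-ID debug lines."""
    ids = {}
    for m in PROXY_RE.finditer(debug_text):
        ids[m.group("side")] = ipaddress.ip_network(
            f"{m.group('addr')}/{m.group('mask')}", strict=False)
    if set(ids) != {"remote", "local"}:
        raise ValueError("debug output does not contain both proxy ID lines")
    return ids["local"], ids["remote"]


def check_crypto_acl(acl_line, debug_text):
    """Findings for a crypto-map ACL; an empty list means it mirrors the peer."""
    local, remote = parse_proxy_ids(debug_text)
    src, dst = parse_acl(acl_line)
    if src == remote and dst == local:
        return ["source and destination are reversed"]
    findings = []
    if src != local:
        findings.append(f"ACL source {src} != local proxy ID {local}")
    if dst != remote:
        findings.append(f"ACL destination {dst} != remote proxy ID {remote}")
    return findings


def check_nat_exempt(nat0_line, debug_text):
    """Findings for the nat 0 ACL: it must cover local -> remote, otherwise
    'nat (Inside) 1 0.0.0.0 0.0.0.0' translates the tunnel traffic."""
    local, remote = parse_proxy_ids(debug_text)
    src, dst = parse_acl(nat0_line)
    findings = []
    if not local.subnet_of(src):
        findings.append(f"nat0 source {src} does not cover {local}")
    if not remote.subnet_of(dst):
        findings.append(f"nat0 destination {dst} does not cover {remote}")
    return findings


# Constructed from the debug output quoted in the thread.
DEBUG = """\
Group = 69.128.83.236 , IP = 69.128.83.236 , Received remote IP Proxy Subnet data in ID Payload: Address 192.168.5.0 (unresolved) , Mask 255.255.255.0, Protocol 0, Port 0
Group = 69.128.83.236 , IP = 69.128.83.236 , Received local IP Proxy Subnet data in ID Payload: Address 10.0.0.0 (unresolved) , Mask 255.0.0.0, Protocol 0, Port 0
"""

# As posted: 'host' on a network address, and src/dst the wrong way round.
ACL_AS_POSTED = "access-list Outside_30_cryptomap extended permit ip host 192.168.5.0 10.0.0.0 255.0.0.0"
NAT0_AS_POSTED = "access-list nat0 extended permit ip 10.0.0.0 255.0.0.0 host 69.128.83.236"

# Assumed fix: exact mirror of the peer's proposal (not confirmed in the thread).
ACL_FIXED = "access-list Outside_30_cryptomap extended permit ip 10.0.0.0 255.0.0.0 192.168.5.0 255.255.255.0"
NAT0_FIXED = "access-list nat0 extended permit ip 10.0.0.0 255.0.0.0 192.168.5.0 255.255.255.0"

if __name__ == "__main__":
    for label, acl, nat0 in (("as posted", ACL_AS_POSTED, NAT0_AS_POSTED),
                             ("fixed", ACL_FIXED, NAT0_FIXED)):
        print(label, check_crypto_acl(acl, DEBUG) + check_nat_exempt(nat0, DEBUG) or "OK")
```

Run against the posted entries it reports a source and a destination mismatch for the crypto ACL (the `host 192.168.5.0` entry is a /32, so it is neither the local nor the remote proxy ID) and a `nat0` destination that points at the peer's public address instead of its LAN; the mirrored entries produce no findings. The script only decides whether the proxy IDs will match a static crypto-map entry; after that is fixed, the transform sets and PFS settings still have to agree with the peer.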
01-18-2008 06:17 AM
Also, can you check whether the IPsec transform sets are the same on both devices?