Remote Access VPN with Racoon to Cisco ASA

Unanswered Question
Jul 16th, 2008

Hi there,


I would like to implement a remote access VPN with Racoon to a Cisco ASA using certificates.

It works fine now, so the following steps have already been implemented successfully:

- Phase 1 is completed with success
- Phase 2 is completed with success

but

When I try to send packets from the Linux client using racoon I get the following errors on the Cisco ASA:

Jul 15 16:31:22 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Jul 15 16:31:22 [IKEv1]: IKE Initiator unable to find policy: Intf inside, Src: INTERNAL_DEST, Dst: LINUX_SRC

So the incoming traffic should be OK from racoon to the ASA because it matched my crypto map configuration on the ASA (I could see it at DEBUG level on the ASA), but for some reason the answer packets are denied by the ASA.

I could debug the VPN process on the ASA and I can see all the automatically and temporarily generated VPN access lists. So it seems everything is fine, but I have this problem with the answer packets.

I haven't found any documentation for this solution, but I don't think I'm the only person who wanted to implement this.

Any idea?


Regards

Farrukh Haroon Thu, 07/17/2008 - 01:47

Does your Linux box have multiple interfaces?

Also, can you post a more detailed debug?

Perhaps:

debug crypto isakmp 127
debug crypto ipsec 127


Regards


Farrukh

norbertmurzsa Thu, 07/17/2008 - 03:21

I have no information about the other site because the Racoon and the ASA are in two different geographic locations, but I'm going to get it tomorrow.

I only have debug 255 output for these commands, so I cut and pasted all lines starting with a date because debug 255 is too much.

Racoon uses certificate-based authentication + XAUTH. Both processes are OK.

If you need a specific part of the debug 255 output, please let me know.

I had a problem with the ASDM dynamic crypto map and the automatically generated access-list because it didn't match somehow, so I created an access-list "55" using the CLI to match the traffic, which works fine as you can see.


Regards


Norbert

Farrukh Haroon Thu, 07/17/2008 - 03:39

What does the 'auto-generated' ACL look like?


How is it different from the one you created?


Regards


Farrukh

norbertmurzsa Thu, 07/17/2008 - 06:44

Nothing special. I think the ASA used a string.65535.number and I used just a number to identify the referenced ACL for the dynamic crypto map.

When I started to modify the original (not working) configuration using the CLI, the ASA said that the original, automatically created dynamic crypto map configuration was inactive.

It wasn't me who created the initial (original) dynamic crypto map, but it wasn't tested with racoon before.

The strangest thing was that the original crypto map was fine; it was totally the same as mine, it just didn't match somehow.

I have the original config and my own one as well. I will copy both of them for you to see.

Q: How does the ASA use the configuration? Does it generate a binary from the clear text version? Or can it be that the binary version didn't match the clear text, or whatever?



Regards


Norbert

norbertmurzsa Thu, 07/17/2008 - 16:10

Automatically generated:
------------------------
access-list Internet_IPSec_cryptomap_65535.55 extended permit ip RA_VPN_POOL RA_VPN_POOL_MASK host INTERNAL_IP
crypto dynamic-map Internet_IPSec_dyn_map 55 match address Internet_IPSec_cryptomap_65535.55
crypto dynamic-map Internet_IPSec_dyn_map 55 set pfs
crypto dynamic-map Internet_IPSec_dyn_map 55 set transform-set ESP-AES-192-SHA ESP-3DES-SHA ESP-AES-128-SHA
crypto map Internet_IPSec_map 65535 ipsec-isakmp dynamic Internet_IPSec_dyn_map
crypto map Internet_IPSec_map interface Internet_IPSec

Manually generated:
-------------------
access-list 55 extended permit ip RA_VPN_POOL RA_VPN_POOL_MASK host INTERNAL_IP log
crypto dynamic-map Internet_IPSec_dyn_map 55 match address 55
crypto dynamic-map Internet_IPSec_dyn_map 55 set pfs
crypto dynamic-map Internet_IPSec_dyn_map 55 set transform-set ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-192-SHA
crypto map Internet_IPSec_map 65535 ipsec-isakmp dynamic Internet_IPSec_dyn_map
crypto map Internet_IPSec_map interface Internet_IPSec

I tried to generate the dynamic crypto map automatically several times, but it didn't match the required traffic somehow.

We have other automatically generated crypto maps as well without any problem.

However this is the first dynamic crypto map on that interface.


Regards


Norbert

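As an added example (not from the thread or either poster), the following Python script tokenises the two snippets above and lists their semantic differences, resolving each dynamic-map entry's match address to the ACL entries it names so that the different ACL names drop out; what remains is the log keyword and the transform-set order.

```python
# Added example (not from the thread): diff the two ASA dynamic crypto-map snippets posted above.
AUTO_CFG = """
access-list Internet_IPSec_cryptomap_65535.55 extended permit ip RA_VPN_POOL RA_VPN_POOL_MASK host INTERNAL_IP
crypto dynamic-map Internet_IPSec_dyn_map 55 match address Internet_IPSec_cryptomap_65535.55
crypto dynamic-map Internet_IPSec_dyn_map 55 set pfs
crypto dynamic-map Internet_IPSec_dyn_map 55 set transform-set ESP-AES-192-SHA ESP-3DES-SHA ESP-AES-128-SHA
"""
MANUAL_CFG = """
access-list 55 extended permit ip RA_VPN_POOL RA_VPN_POOL_MASK host INTERNAL_IP log
crypto dynamic-map Internet_IPSec_dyn_map 55 match address 55
crypto dynamic-map Internet_IPSec_dyn_map 55 set pfs
crypto dynamic-map Internet_IPSec_dyn_map 55 set transform-set ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-192-SHA
"""
ACE_FIELDS = ("action", "proto", "src", "dst", "log")

def parse(cfg):
    # ACL entries keyed by ACL name, dynamic-map settings keyed by (map, seq); other lines are ignored.
    acls, dyn = {}, {}
    for line in cfg.strip().splitlines():
        t = line.split()
        if t[0] == "access-list" and t[2] == "extended":
            i, addrs = 5, []
            while len(addrs) < 2:  # src then dst: 'any' is one token, 'host X' / 'NET MASK' are two
                n = 1 if t[i] == "any" else 2
                addrs.append(tuple(t[i:i + n]))
                i += n
            acls.setdefault(t[1], []).append((t[3], t[4], *addrs, "log" in t[i:]))
        elif t[:2] == ["crypto", "dynamic-map"]:
            e = dyn.setdefault((t[2], int(t[3])), {"acl": None, "pfs": False, "transform-set": []})
            if t[4:6] == ["match", "address"]:
                e["acl"] = t[6]
            elif t[4:6] == ["set", "pfs"]:
                e["pfs"] = True
            elif t[4:6] == ["set", "transform-set"]:
                e["transform-set"] = t[6:]  # kept as a list: the ASA treats this order as its preference
    return acls, dyn

def diff_dynmaps(cfg_a, cfg_b):
    # ACLs are compared by the entries 'match address' resolves to, so a renamed but identical ACL is not reported.
    (acl_a, dyn_a), (acl_b, dyn_b) = parse(cfg_a), parse(cfg_b)
    out = []
    for key in sorted(set(dyn_a) & set(dyn_b)):
        tag, ea, eb = f"{key[0]} {key[1]}", dyn_a[key], dyn_b[key]
        for n, (xa, xb) in enumerate(zip(acl_a.get(ea["acl"], []), acl_b.get(eb["acl"], []))):
            out += [f"{tag}: ACL entry {n} {f}: {va} vs {vb}" for f, va, vb in zip(ACE_FIELDS, xa, xb) if va != vb]
        for k in ("pfs", "transform-set"):
            if ea[k] != eb[k]:
                out.append(f"{tag}: {k} {ea[k]} vs {eb[k]}")
    return out
```

Calling diff_dynmaps(AUTO_CFG, MANUAL_CFG) reports two lines: the log flag on ACL entry 0 and the transform-set order.
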
Farrukh Haroon Fri, 07/18/2008 - 04:39

Well, the ACLs seem identical to me?


regards


Farrukh

norbertmurzsa Fri, 07/18/2008 - 17:02

Can I somehow debug the ACLs the ASA tested as well, to see which ACLs were tested by the ASA for the connection?


Farrukh Haroon Fri, 07/18/2008 - 17:14

You could use the 'log' keyword at the end of the ACL.


Regards


Farrukh

norbertmurzsa Sat, 07/19/2008 - 05:20

Yes, I know, and thank you for your help.

I really appreciate your time, but I meant something similar to what the ASA has for debugging VPN traffic.


Regards


Norbert

norbertmurzsa Thu, 07/24/2008 - 19:44

Hi,


The problem is still the same.

I attached the SA information.

I can see the incoming and outgoing tunnel traffic (ICMP and TCP) on the internal LAN and on the ASA's inside interface as well, using its packet capture capability (ICMP requests/replies for example).

Unfortunately the remote racoon client cannot see my outgoing packets for some reason.

How can I debug where the tunneled packets are going from the inside interface back to racoon?

Should I see any captured tunnel traffic on the Internet_IPSec interface (external)?


Thank you for help.


Regards


Norbert

Farrukh Haroon Sat, 07/26/2008 - 00:49

Double check your routing and crypto ACLs.


Regards


Farrukh
