Problem with IPSEC tunnel between Cisco PIX and Cisco ASA

AgressoAB, Level 1

Hi All!

Have a strange problem with one of our IPsec tunnels to one of our customers: we can initiate the tunnel from the customer site but not from our site. Don't understand what's wrong; if it were a configuration issue it should not be possible to get the tunnel up at all.

On our side as an initiator:

Jan 14 13:53:26 172.27.1.254 %PIX-7-702208: ISAKMP Phase 1 exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254 %PIX-7-702210: ISAKMP Phase 1 exchange completed (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254 %PIX-6-602202: ISAKMP session connected (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254 %PIX-6-602201: ISAKMP Phase 1 SA created (local 1.1.1.1/500 (initiator), remote 2.2.2.2/500, authentication=pre-share, encryption=3DES-CBC, hash=SHA, group=2, lifetime=86400s)
Jan 14 13:53:26 172.27.1.254 %PIX-7-702209: ISAKMP Phase 2 exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254 %PIX-7-702201: ISAKMP Phase 1 delete received (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254 %PIX-6-602203: ISAKMP session disconnected (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:56 172.27.1.254 %PIX-7-702303: sa_request, (key eng. msg.) src= 1.1.1.1, dest= 2.2.2.2, src_proxy= 172.27.1.10/255.255.255.255/0/0 (type=1), dest_proxy= 192.168.100.18/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-3des esp-sha-hmac , lifedur= 28800s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004

From the customer site as a responder:

Jan 14 11:58:23 172.27.1.254 %PIX-7-702208: ISAKMP Phase 1 exchange started (local 1.1.1.1 (responder), remote 2.2.2.2)
Jan 14 11:58:23 172.27.1.254 %PIX-7-702210: ISAKMP Phase 1 exchange completed (local 1.1.1.1 (responder), remote 2.2.2.2)
Jan 14 11:58:23 172.27.1.254 %PIX-6-602202: ISAKMP session connected (local 1.1.1.1 (responder), remote 2.2.2.2)
Jan 14 11:58:23 172.27.1.254 %PIX-6-602201: ISAKMP Phase 1 SA created (local 1.1.1.1/500 (responder), remote 2.2.2.2/500, authentication=pre-share, encryption=3DES-CBC, hash=MD5, group=1, lifetime=86400s)
Jan 14 11:58:23 172.27.1.254 %PIX-7-702209: ISAKMP Phase 2 exchange started (local 1.1.1.1 (responder), remote 2.2.2.2)
Jan 14 11:58:23 172.27.1.254 %PIX-6-602301: sa created, (sa) sa_dest= 2.2.2.2, sa_prot= 50, sa_spi= 0x9de820bd(2649235645), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 116
Jan 14 11:58:23 172.27.1.254 %PIX-7-702211: ISAKMP Phase 2 exchange completed (local 1.1.1.1 (responder), remote 2.2.2.2)
Jan 14 12:28:54 172.27.1.254 %PIX-6-602302: deleting SA, (sa) sa_dest= 2.2.2.2, sa_prot= 50, sa_spi= 0x9de820bd(2649235645), sa_trans= esp-3desesp-sha-hmac , sa_conn_id= 116

Kind Regards,

Johan

Accepted Solution

Ivan Martinon, Level 7

In my experience, when a tunnel can be initiated from one side but not from the other, the problem is a mismatch of the ISAKMP or IPsec policies, mainly the IPsec policies such as transform sets and match address. With the ASA platform, when a tunnel does not match a statically defined crypto map it sometimes uses the dynamic tag to allocate this VPN connection. To check if this is the case, go ahead and do a "show crypto ipsec sa" when the tunnel is active on both sides and see on the ASA whether the matching tunnel is the static crypto map defined or whether it shows the dynamic crypto map.

I would advise you to go over the settings on both sides and make sure they are mirrored.
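The syslog excerpts in the question already carry the diagnosis Ivan describes: on our side Phase 1 completes, Phase 2 starts, and the peer immediately sends a Phase 1 delete, while on the customer's side Phase 2 completes and an IPsec SA is built. The following script is an added example and not code from the thread; it embeds the two log excerpts as constructed sample input, classifies what happened after Phase 2 started, and compares the negotiated Phase 1 attributes (the SHA/group 2 versus MD5/group 1 difference Johan later notices). The function names and the outcome labels are my own.

```python
import re

# Constructed sample input: the PIX syslog lines quoted in the thread, one
# string per direction (our side as initiator, customer side as responder).
INITIATOR_LOG = """\
Jan 14 13:53:26 172.27.1.254 %PIX-7-702208: ISAKMP Phase 1 exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254 %PIX-7-702210: ISAKMP Phase 1 exchange completed (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254 %PIX-6-602201: ISAKMP Phase 1 SA created (local 1.1.1.1/500 (initiator), remote 2.2.2.2/500, authentication=pre-share, encryption=3DES-CBC, hash=SHA, group=2, lifetime=86400s)
Jan 14 13:53:26 172.27.1.254 %PIX-7-702209: ISAKMP Phase 2 exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254 %PIX-7-702201: ISAKMP Phase 1 delete received (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254 %PIX-6-602203: ISAKMP session disconnected (local 1.1.1.1 (initiator), remote 2.2.2.2)
"""

RESPONDER_LOG = """\
Jan 14 11:58:23 172.27.1.254 %PIX-6-602201: ISAKMP Phase 1 SA created (local 1.1.1.1/500 (responder), remote 2.2.2.2/500, authentication=pre-share, encryption=3DES-CBC, hash=MD5, group=1, lifetime=86400s)
Jan 14 11:58:23 172.27.1.254 %PIX-7-702209: ISAKMP Phase 2 exchange started (local 1.1.1.1 (responder), remote 2.2.2.2)
Jan 14 11:58:23 172.27.1.254 %PIX-6-602301: sa created, (sa) sa_dest= 2.2.2.2, sa_prot= 50, sa_spi= 0x9de820bd(2649235645), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 116
Jan 14 11:58:23 172.27.1.254 %PIX-7-702211: ISAKMP Phase 2 exchange completed (local 1.1.1.1 (responder), remote 2.2.2.2)
"""

# %PIX-<severity>-<message id>: <text>
MSG_RE = re.compile(r"%PIX-\d-(\d{6}): (.*)$")
# key=value pairs as printed in the 602201 "Phase 1 SA created" message
KV_RE = re.compile(r"(\w+)=([\w\-]+)")


def messages(log):
    """Return [(message_id, text), ...] for every PIX syslog line in the string."""
    out = []
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def phase1_params(log):
    """Negotiated Phase 1 attributes taken from the 602201 'Phase 1 SA created' message."""
    for msg_id, text in messages(log):
        if msg_id == "602201":
            return dict(KV_RE.findall(text))
    return {}


def phase2_outcome(log):
    """Classify what happened once Phase 2 (quick mode) started.

    'completed'  - 702211 or 602301 followed the Phase 2 start: an IPsec SA was built.
    'torn_down'  - the peer deleted the Phase 1 SA (702201) right after Phase 2
                   started and no IPsec SA appeared: typical of a rejected IPsec
                   proposal (transform set, proxy identities, PFS, lifetimes).
    'no_phase2'  - Phase 2 never started.
    'incomplete' - Phase 2 started but the log ends without a verdict.
    """
    ids = [msg_id for msg_id, _ in messages(log)]
    if "702209" not in ids:
        return "no_phase2"
    for msg_id in ids[ids.index("702209") + 1:]:
        if msg_id in ("702211", "602301"):
            return "completed"
        if msg_id == "702201":
            return "torn_down"
    return "incomplete"


def phase1_differences(a, b):
    """Phase 1 attributes whose negotiated value differs between two parameter dicts."""
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}


if __name__ == "__main__":
    print("initiator side:", phase2_outcome(INITIATOR_LOG))
    print("responder side:", phase2_outcome(RESPONDER_LOG))
    print("phase 1 differences:",
          phase1_differences(phase1_params(INITIATOR_LOG), phase1_params(RESPONDER_LOG)))
```

A `torn_down` verdict on the initiating side with `completed` on the other is the one-directional symptom of this thread: Phase 1 is fine in both directions, so the pre-shared key and ISAKMP policy match, and the problem lies in what the responder is offered for the IPsec SA. Which attribute is wrong has to come from `show crypto ipsec sa` on the responder, as Ivan suggests.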


6 Replies


Hi!

Thanks for your reply. I don't have access to the ASA unit, but I will try to get their technician on the customer side to check this!

/Johan

This is our config on the PIX:

access-list acl_nonat permit ip host 172.27.1.10 host 192.168.100.18
access-list acl_customer permit ip host 172.27.1.10 host 192.168.100.18
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map map_outside 66 ipsec-isakmp
crypto map map_outside 66 match address acl_customer
crypto map map_outside 66 set peer 2.2.2.2
crypto map map_outside 66 set transform-set ESP-3DES-SHA
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption 3des
isakmp policy 3 hash sha
isakmp policy 3 group 2
isakmp policy 3 lifetime 86400

And the ASA:

access-list CRYPTO-TO-PROVIDER extended permit ip 192.168.100.18 255.255.255.255 172.27.1.10 255.255.255.255
crypto map OUTSIDE-CM 104 set peer 2.2.2.2
crypto map OUTSIDE-CM 104 set transform-set CONSTRUCTIONSET-3DES-SHA
crypto map OUTSIDE-CM 104 set security-association lifetime seconds 28800
crypto map OUTSIDE-CM 104 set security-association lifetime kilobytes 4608000
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

One thing I do see is that when their side is initiating it uses 3des/md5/group1/86400 for phase 1 and 3des/sha for phase 2, but not when I'm initiating, and I have 3des/md5/group1/86400 as isakmp policy 2.

Haven't checked what you suggested yet; I have parts of their config after we did some troubleshooting.

Turns out that the customer has PFS group 2 configured, but it wasn't in the config they sent to me.

But thanks for your reply; when I got the "show crypto ipsec sa" from the customer I saw the error.

Is PFS the default on the ASA, or is it a value on the crypto map that the customer forgot to send me?

Crypto map tag: OUTSIDE-CM, seq num: 104, local addr: 2.2.2.2

      access-list CRYPTO-TO-PROVIDER permit ip host 192.168.100.18 host 172.27.1.10
      local ident (addr/mask/prot/port): (192.168.100.18/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.27.1.10/255.255.255.255/0/0)
      current_peer: 1.1.1.1

      #pkts encaps: 859, #pkts encrypt: 859, #pkts digest: 859
      #pkts decaps: 955, #pkts decrypt: 955, #pkts verify: 955
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 859, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: BE0E1052

    inbound esp sas:
      spi: 0x8B48F3EF (2336814063)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 143360, crypto-map: OUTSIDE-CM
         sa timing: remaining key lifetime (kB/sec): (4373848/26017)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xBE0E1052 (3188592722)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 143360, crypto-map: OUTSIDE-CM
         sa timing: remaining key lifetime (kB/sec): (4373864/26015)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
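Ivan's advice was to put the live `show crypto ipsec sa` output next to the static crypto map and check that the two sides mirror each other. The script below is an added example, not code from the thread or from Cisco; it embeds the PIX crypto map lines and the ASA output Johan posted as constructed sample input, pulls out the transform set, the proxy identities and the PFS setting from each side, and reports what is not mirrored. The function names and the `group2` normalisation of the ASA's `PFS Group 2` text are my own.

```python
import re

# Constructed sample: the PIX crypto map entry from the thread.
PIX_CONFIG = """\
access-list acl_customer permit ip host 172.27.1.10 host 192.168.100.18
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map map_outside 66 ipsec-isakmp
crypto map map_outside 66 match address acl_customer
crypto map map_outside 66 set peer 2.2.2.2
crypto map map_outside 66 set transform-set ESP-3DES-SHA
"""

# Constructed sample: the relevant part of the customer's 'show crypto ipsec sa'.
ASA_SHOW = """\
Crypto map tag: OUTSIDE-CM, seq num: 104, local addr: 2.2.2.2
      local ident (addr/mask/prot/port): (192.168.100.18/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.27.1.10/255.255.255.255/0/0)
      current_peer: 1.1.1.1
    inbound esp sas:
      spi: 0x8B48F3EF (2336814063)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
"""


def parse_pix_crypto_map(config, seq):
    """Transform set, proxy hosts and PFS of one PIX crypto map entry (by sequence number)."""
    entry = {"transform": None, "pfs": None, "local": None, "remote": None}
    tsets, acls = {}, {}
    for line in config.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            tsets[m.group(1)] = frozenset(m.group(2).split())
        m = re.match(r"access-list (\S+) permit ip host (\S+) host (\S+)", line)
        if m:
            acls[m.group(1)] = (m.group(2), m.group(3))
        m = re.match(rf"crypto map \S+ {seq} (.+)", line)
        if not m:
            continue
        cmd = m.group(1)
        if cmd.startswith("set transform-set "):
            entry["transform"] = tsets.get(cmd.split()[-1])
        elif cmd.startswith("set pfs"):
            parts = cmd.split()
            # 'set pfs' with no group keyword: record that PFS is on, group unknown
            entry["pfs"] = parts[2] if len(parts) > 2 else "default"
        elif cmd.startswith("match address "):
            entry["local"], entry["remote"] = acls.get(cmd.split()[-1], (None, None))
    return entry


def parse_asa_sa(show):
    """Proxy identities, transform and PFS from an ASA 'show crypto ipsec sa' block."""
    sa = {"transform": None, "pfs": None, "local": None, "remote": None}
    m = re.search(r"local ident .*?: \((\S+?)/", show)
    if m:
        sa["local"] = m.group(1)
    m = re.search(r"remote ident .*?: \((\S+?)/", show)
    if m:
        sa["remote"] = m.group(1)
    m = re.search(r"transform: (.+?)(?: no compression)?$", show, re.M)
    if m:
        sa["transform"] = frozenset(m.group(1).split())
    m = re.search(r"in use settings =\{(.*)\}", show)
    if m:
        flags = [f.strip() for f in m.group(1).split(",")]
        pfs = [f for f in flags if f.startswith("PFS")]
        # "PFS Group 2" -> "group2", the keyword the crypto map command uses
        sa["pfs"] = pfs[0].replace("PFS Group ", "group") if pfs else None
    return sa


def check_mirror(pix, asa):
    """Human-readable list of attributes that are not mirrored between the two sides."""
    problems = []
    if pix["transform"] != asa["transform"]:
        problems.append("transform set differs: %s vs %s"
                        % (sorted(pix["transform"] or []), sorted(asa["transform"] or [])))
    # our local/remote must equal their remote/local
    if (pix["local"], pix["remote"]) != (asa["remote"], asa["local"]):
        problems.append("proxy identities are not mirrored")
    if pix["pfs"] != asa["pfs"]:
        problems.append("PFS differs: PIX=%s ASA=%s" % (pix["pfs"], asa["pfs"]))
    return problems


if __name__ == "__main__":
    for p in check_mirror(parse_pix_crypto_map(PIX_CONFIG, 66), parse_asa_sa(ASA_SHOW)):
        print("MISMATCH:", p)
```

On the thread's data the proxy identities are mirrored and the transform sets match, and the only report is the PFS difference, which is exactly what Johan found. Whichever side is changed, the setting has to be the same on both: either add `set pfs group2` to the PIX crypto map entry or remove it from the ASA entry.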

I don't think it is a default setting, unless (not quite sure) it was configured by the GUI. I think they just missed sending you that part of the config.

OK, I think he uses the GUI.

Thanks!

Case closed.. :D