01-14-2009 07:04 AM - edited 02-21-2020 04:07 PM
Hi All!
I have a strange problem with one of our IPsec tunnels to one of our customers: we can initiate the tunnel from the customer site but not from our site. I don't understand what's wrong; if it were a configuration issue, it should not be possible to get the tunnel up at all.
On our side, as the initiator:
Jan 14 13:53:26 172.27.1.254 %PIX-7-702208: ISAKMP Phase 1 exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254 %PIX-7-702210: ISAKMP Phase 1 exchange completed (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254 %PIX-6-602202: ISAKMP session connected (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254 %PIX-6-602201: ISAKMP Phase 1 SA created (local 1.1.1.1/500 (initiator), remote 2.2.2.2/500, authentication=pre-share, encryption=3DES-CBC, hash=SHA, group=2, lifetime=86400s)
Jan 14 13:53:26 172.27.1.254 %PIX-7-702209: ISAKMP Phase 2 exchange started (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254 %PIX-7-702201: ISAKMP Phase 1 delete received (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:26 172.27.1.254 %PIX-6-602203: ISAKMP session disconnected (local 1.1.1.1 (initiator), remote 2.2.2.2)
Jan 14 13:53:56 172.27.1.254 %PIX-7-702303: sa_request, (key eng. msg.) src= 1.1.1.1, dest= 2.2.2.2, src_proxy= 172.27.1.10/255.255.255.255/0/0 (type=1), dest_proxy= 192.168.100.18/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-3des esp-sha-hmac , lifedur= 28800s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4004
From the customer site, as the responder:
Jan 14 11:58:23 172.27.1.254 %PIX-7-702208: ISAKMP Phase 1 exchange started (local 1.1.1.1 (responder), remote 2.2.2.2)
Jan 14 11:58:23 172.27.1.254 %PIX-7-702210: ISAKMP Phase 1 exchange completed (local 1.1.1.1 (responder), remote 2.2.2.2)
Jan 14 11:58:23 172.27.1.254 %PIX-6-602202: ISAKMP session connected (local 1.1.1.1 (responder), remote 2.2.2.2)
Jan 14 11:58:23 172.27.1.254 %PIX-6-602201: ISAKMP Phase 1 SA created (local 1.1.1.1/500 (responder), remote 2.2.2.2/500, authentication=pre-share, encryption=3DES-CBC, hash=MD5, group=1, lifetime=86400s)
Jan 14 11:58:23 172.27.1.254 %PIX-7-702209: ISAKMP Phase 2 exchange started (local 1.1.1.1 (responder), remote 2.2.2.2)
Jan 14 11:58:23 172.27.1.254 %PIX-6-602301: sa created, (sa) sa_dest= 2.2.2.2, sa_prot= 50, sa_spi= 0x9de820bd(2649235645), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 116
Jan 14 11:58:23 172.27.1.254 %PIX-7-702211: ISAKMP Phase 2 exchange completed (local 1.1.1.1 (responder), remote 2.2.2.2)
Jan 14 12:28:54 172.27.1.254 %PIX-6-602302: deleting SA, (sa) sa_dest= 2.2.2.2, sa_prot= 50, sa_spi= 0x9de820bd(2649235645), sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 116
Kind Regards,
Johan
01-14-2009 09:16 AM
In my experience, when a tunnel can be initiated from one side but not from the other, the problem is a mismatch of the ISAKMP or IPsec policies, mainly the IPsec policies such as transform sets and match address. On the ASA platform, when a tunnel does not match a statically defined crypto map, it sometimes uses the dynamic tag to allocate this VPN connection. To check if this is the case, do a "show crypto ipsec sa" when the tunnel is active on both sides and see on the ASA whether the matching tunnel is the statically defined crypto map or whether it shows the dynamic crypto map.
I would advise you to go over the settings on both sides and make sure they are mirrored.
01-14-2009 12:05 PM
Hi!
Thanks for your reply. I don't have access to the ASA unit, but I will try to get their technician on the customer side to check this!
/Johan
01-14-2009 12:48 PM
This is our config on the PIX:
access-list acl_nonat permit ip host 172.27.1.10 host 192.168.100.18
access-list acl_customer permit ip host 172.27.1.10 host 192.168.100.18
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map map_outside 66 ipsec-isakmp
crypto map map_outside 66 match address acl_customer
crypto map map_outside 66 set peer 2.2.2.2
crypto map map_outside 66 set transform-set ESP-3DES-SHA
isakmp key ******** address 2.2.2.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 3 authentication pre-share
isakmp policy 3 encryption 3des
isakmp policy 3 hash sha
isakmp policy 3 group 2
isakmp policy 3 lifetime 86400
And the ASA:
access-list CRYPTO-TO-PROVIDER extended permit ip 192.168.100.18 255.255.255.255 172.27.1.10 255.255.255.255
crypto map OUTSIDE-CM 104 set peer 2.2.2.2
crypto map OUTSIDE-CM 104 set transform-set CONSTRUCTIONSET-3DES-SHA
crypto map OUTSIDE-CM 104 set security-association lifetime seconds 28800
crypto map OUTSIDE-CM 104 set security-association lifetime kilobytes 4608000
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
crypto isakmp policy 40
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
One thing I do see is that when their side is initiating, it uses 3des/md5/group1/86400 for phase 1 and 3des/sha for phase 2, but not when I'm initiating, and I have 3des/md5/group1/86400 as isakmp policy 2.
I haven't checked what you suggested yet; I have parts of their config after we did some troubleshooting.
01-16-2009 04:54 AM
It turns out that the customer has PFS group 2 configured, but it wasn't in the config they sent to me.
Thanks for your reply; when I got the "show crypto ipsec sa" output from the customer, I saw the error.
Is PFS the default on the ASA, or is it a value on the crypto map that the customer forgot to send me?
Crypto map tag: OUTSIDE-CM, seq num: 104, local addr: 2.2.2.2
access-list CRYPTO-TO-PROVIDER permit ip host 192.168.100.18 host 172.27.1.10
local ident (addr/mask/prot/port): (192.168.100.18/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.27.1.10/255.255.255.255/0/0)
current_peer: 1.1.1.1
#pkts encaps: 859, #pkts encrypt: 859, #pkts digest: 859
#pkts decaps: 955, #pkts decrypt: 955, #pkts verify: 955
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 859, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: BE0E1052
inbound esp sas:
spi: 0x8B48F3EF (2336814063)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 143360, crypto-map: OUTSIDE-CM
sa timing: remaining key lifetime (kB/sec): (4373848/26017)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xBE0E1052 (3188592722)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 143360, crypto-map: OUTSIDE-CM
sa timing: remaining key lifetime (kB/sec): (4373864/26015)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
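The mismatch found above is the kind of thing the "mirror both sides" check in the accepted answer is meant to catch, and it also explains the one-way behaviour: Cisco's `crypto map ... set pfs` reference states that a peer with PFS configured requires a PFS exchange when it responds, while a peer without PFS configured accepts any PFS offered by the initiator, so the ASA (with PFS) initiating towards the PIX succeeds and the PIX initiating without PFS is rejected by the ASA. The script below is an added example, not code from the thread or from Cisco: it parses the crypto-map entry, transform set and crypto ACL from each side's configuration, reports phase-2 mismatches (PFS, transform proposal, and proxy identities that do not mirror), and extracts the PFS group from the `in use settings` line of `show crypto ipsec sa`. The two config fragments are constructed for the example; the ASA fragment includes the `set pfs group2` line that was missing from the customer's export, plus an assumed `match address` line and transform-set definition that the posted ASA snippet also lacked.

```python
import re

# Constructed config fragments for this example, modelled on the thread's two
# sides: the PIX entry as posted, and the ASA entry with the "set pfs group2"
# line that was missing from the export the customer sent (the ASA's
# transform-set definition and match-address line are assumed as well).
PIX_CONFIG = """\
access-list acl_customer permit ip host 172.27.1.10 host 192.168.100.18
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map map_outside 66 ipsec-isakmp
crypto map map_outside 66 match address acl_customer
crypto map map_outside 66 set peer 2.2.2.2
crypto map map_outside 66 set transform-set ESP-3DES-SHA
"""

ASA_CONFIG = """\
access-list CRYPTO-TO-PROVIDER extended permit ip 192.168.100.18 255.255.255.255 172.27.1.10 255.255.255.255
crypto ipsec transform-set CONSTRUCTIONSET-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE-CM 104 match address CRYPTO-TO-PROVIDER
crypto map OUTSIDE-CM 104 set pfs group2
crypto map OUTSIDE-CM 104 set peer 1.1.1.1
crypto map OUTSIDE-CM 104 set transform-set CONSTRUCTIONSET-3DES-SHA
crypto map OUTSIDE-CM 104 set security-association lifetime seconds 28800
"""

# One "in use settings" line as it appears in the show crypto ipsec sa output
# quoted in the thread; constructed here as a stand-alone sample.
SHOW_SA_SAMPLE = "      in use settings ={L2L, Tunnel, PFS Group 2, }\n"

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit (\S+) (.+)$")
CM_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
SETTINGS_RE = re.compile(r"in use settings\s*=\s*\{([^}]*)\}")


def _endpoint(tokens, i):
    """Normalise one ACL address spec to 'addr/mask' ('any' stays 'any')."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1] + "/255.255.255.255", i + 2
    return tokens[i] + "/" + tokens[i + 1], i + 2


def parse_ace(rest):
    """'host A host B' or 'A mask B mask' -> (src, dst) in addr/mask form."""
    tokens = rest.split()
    src, i = _endpoint(tokens, 0)
    dst, _ = _endpoint(tokens, i)
    return src, dst


def parse_config(text):
    """Return {(map_name, seq): entry} with PFS, transforms and proxy IDs resolved."""
    transform_sets, acls, entries = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := TS_RE.match(line):
            transform_sets[m.group(1)] = tuple(m.group(2).split())
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(parse_ace(m.group(3)))
        elif m := CM_RE.match(line):
            entry = entries.setdefault((m.group(1), int(m.group(2))),
                                       {"pfs": None, "peers": [], "ts_names": [], "acl": None})
            words = m.group(3).split()
            if words[:2] == ["set", "pfs"]:
                # Cisco documents group2 as the ASA default when no group is given
                entry["pfs"] = words[2] if len(words) > 2 else "group2"
            elif words[:2] == ["set", "peer"]:
                entry["peers"] += words[2:]
            elif words[:2] == ["set", "transform-set"]:
                entry["ts_names"] += words[2:]
            elif words[:2] == ["match", "address"]:
                entry["acl"] = words[2]
    for entry in entries.values():
        entry["transforms"] = {transform_sets.get(n, (n,)) for n in entry["ts_names"]}
        entry["proxy"] = set(acls.get(entry["acl"], []))
    return entries


def compare_crypto_maps(local_cfg, local_key, remote_cfg, remote_key):
    """List the phase-2 mismatches between two peers' crypto map entries."""
    a = parse_config(local_cfg)[local_key]
    b = parse_config(remote_cfg)[remote_key]
    problems = []
    if a["pfs"] != b["pfs"]:
        problems.append(f"pfs: local={a['pfs']} remote={b['pfs']}")
    if not a["transforms"] & b["transforms"]:
        problems.append("transform-set: no proposal in common")
    # The remote side's src/dst must be our dst/src, i.e. the proxy identities mirror.
    if a["proxy"] != {(dst, src) for src, dst in b["proxy"]}:
        problems.append("match address: proxy identities do not mirror")
    return problems


def pfs_from_show_sa(text):
    """Collect the 'PFS Group N' tokens from show crypto ipsec sa output."""
    return {item.strip() for m in SETTINGS_RE.finditer(text)
            for item in m.group(1).split(",") if item.strip().startswith("PFS")}


if __name__ == "__main__":
    print(compare_crypto_maps(PIX_CONFIG, ("map_outside", 66), ASA_CONFIG, ("OUTSIDE-CM", 104)))
    print(pfs_from_show_sa(SHOW_SA_SAMPLE))
```

Run as-is it reports only the PFS difference; appending `crypto map map_outside 66 set pfs group2` to the PIX fragment makes the report empty, which is the fix the thread arrived at. The check deliberately leaves peer addresses alone, since the sanitised addresses in the thread are not consistent between the two sides' logs and configs.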
01-16-2009 07:01 AM
I don't think it is a default setting, unless (I'm not quite sure) it was configured through the GUI. I think they just forgot to send you that part of the config.
01-16-2009 07:07 AM
OK, I think he uses the GUI.
Thanks!
Case closed.. :D