cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1816
Views
0
Helpful
12
Replies

L2L ASA vs C3745 Unable to bring up Phase II

mathieu.ploton
Level 1
Level 1

Hi,

I'm unable to bring up the tunnel between this two devices. The remote is an ASA, the local a cisco 3745 (c3745-ik9o3s-mz.122-13.T4.bin).

The configuration in the 3745 is the following :

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600


crypto isakmp key password address asa_external_ip


crypto ipsec transform-set TEST esp-3des esp-sha-hmac


crypto map map1 73 ipsec-isakmp
set peer
asa_external_ip
set transform-set TEST
set pfs group2
match address ACL_NAT

ip access-list extended ACL_NAT
permit ip host 10.40.0.1 host 10.50.0.1
permit ip host
10.50.0.1 host 10.40.0.1

ip nat inside source static 172.16.1.1 10.40.0.1
ip nat outside source static 10.50.0.1 192.168.1.1

and the log message :

1418028: Nov 20 10:13:12: ISAKMP (0:2615): Old State = IKE_READY  New State = IKE_R_MM1

1418029: Nov 20 10:13:12: ISAKMP (0:2615): processing SA payload. message ID = 0
1418030: Nov 20 10:13:12: ISAKMP (0:2615): processing vendor id payload
1418031: Nov 20 10:13:12: ISAKMP (0:2615): vendor ID seems Unity/DPD but bad major
1418032: Nov 20 10:13:12: ISAKMP (0:2615): vendor ID is NAT-T
1418033: Nov 20 10:13:12: ISAKMP (0:2615): processing vendor id payload
1418034: Nov 20 10:13:12: ISAKMP (0:2615): vendor ID seems Unity/DPD but bad major
1418035: Nov 20 10:13:12: ISAKMP (0:2615): vendor ID is NAT-T
1418036: Nov 20 10:13:12: ISAKMP (0:2615): processing vendor id payload
1418037: Nov 20 10:13:12: ISAKMP (0:2615): vendor ID seems Unity/DPD but bad major
1418038: Nov 20 10:13:12: ISAKMP (0:2615): found peer pre-shared key matching asa_external_ip
1418039: Nov 20 10:13:12: ISAKMP (0:2615) local preshared key found
1418040: Nov 20 10:13:12: ISAKMP (0:2615): Checking ISAKMP transform 1 against priority 1 policy
1418041: Nov 20 10:13:12: ISAKMP:      default group 2
1418042: Nov 20 10:13:12: ISAKMP:      encryption 3DES-CBC
1418043: Nov 20 10:13:12: ISAKMP:      hash SHA
1418044: Nov 20 10:13:12: ISAKMP:      auth pre-share
1418045: Nov 20 10:13:12: ISAKMP:      life type in seconds
1418046: Nov 20 10:13:12: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
1418047: Nov 20 10:13:12: ISAKMP (0:2615): atts are acceptable. Next payload is 3
1418048: Nov 20 10:13:12: ISAKMP (0:2615): processing vendor id payload
1418049: Nov 20 10:13:12: ISAKMP (0:2615): vendor ID seems Unity/DPD but bad major
1418050: Nov 20 10:13:12: ISAKMP (0:2615): vendor ID is NAT-T
1418051: Nov 20 10:13:12: ISAKMP (0:2615): processing vendor id payload
1418052: Nov 20 10:13:12: ISAKMP (0:2615): vendor ID seems Unity/DPD but bad major
1418053: Nov 20 10:13:12: ISAKMP (0:2615): vendor ID is NAT-T
1418054: Nov 20 10:13:12: ISAKMP (0:2615): processing vendor id payload
1418055: Nov 20 10:13:12: ISAKMP (0:2615): vendor ID seems Unity/DPD but bad major
1418056: Nov 20 10:13:12: ISAKMP (0:2615): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
1418057: Nov 20 10:13:12: ISAKMP (0:2615): Old State = IKE_R_MM1  New State = IKE_R_MM1

1418058: Nov 20 10:13:12: ISAKMP (0:2609): retransmitting phase 1 MM_SA_SETUP...
1418059: Nov 20 10:13:12: ISAKMP (0:2609): incrementing error counter on sa: retransmit phase 1
1418060: Nov 20 10:13:12: ISAKMP (0:2609): retransmitting phase 1 MM_SA_SETUP
1418061: Nov 20 10:13:12: ISAKMP (0:2609): sending packet to asa_external_ip my_port 500 peer_port 500 (R) MM_SA_SETUP
1418062: Nov 20 10:13:12: ISAKMP (0:2615): constructed NAT-T vendor-03 ID
1418063: Nov 20 10:13:12: ISAKMP (0:2615): sending packet to asa_external_ip my_port 500 peer_port 500 (R) MM_SA_SETUP
1418064: Nov 20 10:13:12: ISAKMP (0:2615): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
1418065: Nov 20 10:13:12: ISAKMP (0:2615): Old State = IKE_R_MM1  New State = IKE_R_MM2

1418066: Nov 20 10:13:12: ISAKMP: received ke message (1/1)
1418067: Nov 20 10:13:12: ISAKMP: local port 500, remote port 500
1418068: Nov 20 10:13:12: ISAKMP: set new node 0 to QM_IDLE
1418069: Nov 20 10:13:12: ISAKMP (0:2616): constructed NAT-T vendor-03 ID
1418070: Nov 20 10:13:12: ISAKMP (0:2616): constructed NAT-T vendor-02 ID
1418071: Nov 20 10:13:12: ISAKMP (0:2616): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
1418072: Nov 20 10:13:12: ISAKMP (0:2616): Old State = IKE_READY  New State = IKE_I_MM1

1418073: Nov 20 10:13:12: ISAKMP (0:2616): beginning Main Mode exchange
1418074: Nov 20 10:13:12: ISAKMP (0:2616): sending packet to asa_external_ip my_port 500 peer_port 500 (I) MM_NO_STATE
1418075: Nov 20 10:13:14: ISAKMP (0:2608): retransmitting phase 1 MM_SA_SETUP...
1418076: Nov 20 10:13:14: ISAKMP (0:2608): incrementing error counter on sa: retransmit phase 1
1418077: Nov 20 10:13:14: ISAKMP (0:2608): retransmitting phase 1 MM_SA_SETUP
1418078: Nov 20 10:13:14: ISAKMP (0:2608): sending packet to asa_external_ip my_port 500 peer_port 500 (R) MM_SA_SETUP
1418079: Nov 20 10:13:14: ISAKMP (0:2614): retransmitting phase 1 MM_SA_SETUP...
1418080: Nov 20 10:13:14: ISAKMP (0:2614): incrementing error counter on sa: retransmit phase 1
1418081: Nov 20 10:13:14: ISAKMP (0:2614): retransmitting phase 1 MM_SA_SETUP
1418082: Nov 20 10:13:14: ISAKMP (0:2614): sending packet to asa_external_ip my_port 500 peer_port 500 (R) MM_SA_SETUP
1418083: Nov 20 10:13:16: ISAKMP (0:2607): retransmitting phase 1 MM_SA_SETUP...
1418084: Nov 20 10:13:16: ISAKMP (0:2607): peer does not do paranoid keepalives.

1418085: Nov 20 10:13:16: ISAKMP (0:2607): deleting SA reason "death by retransmission P1" state (R) MM_SA_SETUP (peer asa_external_ip) input queue 0
1418086: Nov 20 10:13:16: ISAKMP (0:2612): retransmitting phase 1 MM_SA_SETUP...
1418087: Nov 20 10:13:16: ISAKMP (0:2612): incrementing error counter on sa: retransmit phase 1
1418088: Nov 20 10:13:16: ISAKMP (0:2612): retransmitting phase 1 MM_SA_SETUP
1418089: Nov 20 10:13:16: ISAKMP (0:2612): sending packet to asa_external_ip my_port 500 peer_port 500 (R) MM_SA_SETUP
1418090: Nov 20 10:13:16: ISAKMP (0:2607): deleting SA reason "death by retransmission P1" state (R) MM_SA_SETUP (peer asa_external_ip) input queue 0
1418091: Nov 20 10:13:16: ISAKMP (0:2607): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
1418092: Nov 20 10:13:16: ISAKMP (0:2607): Old State = IKE_R_MM2  New State = IKE_DEST_SA

1418093: Nov 20 10:13:18: ISAKMP (0:2611): retransmitting phase 1 MM_SA_SETUP...
1418094: Nov 20 10:13:18: ISAKMP (0:2611): incrementing error counter on sa: retransmit phase 1

In the other side :

crypto isakmp enable OUTSIDE
crypto isakmp policy  10
authentication pre-share
encryption  3des
hash sha
group 2
lifetime  86400
crypto isakmp policy 30
authentication  pre-share
encryption des
hash md5
group  2
lifetime 86400
crypto isakmp policy  50
authentication pre-share
encryption  3des
hash sha
group 1
lifetime  86400
crypto isakmp policy 70
authentication  pre-share
encryption 3des
hash md5
group  2
lifetime 86400
crypto isakmp policy  90
authentication pre-share
encryption  des
hash sha
group 2
lifetime  86400
crypto isakmp policy 110
authentication  pre-share
encryption aes-256
hash sha
group  2
lifetime 86400
crypto isakmp nat-traversal   20
crypto isakmp ipsec-over-tcp port 10000

object-group network TEST_prod_local
description Network list TEST Prod Local
network-object host
10.50.0.1
object-group network  TEST_prod_remote
description Network list TEST Prod  Remote
network-object host
10.40.0.1
access-list  INSIDE_nat0_outbound extended permit ip object-group TEST_prod_local  object-group test_prod_remote
access-list OUTSIDE_57_cryptomap  extended permit ip object-group TEST_prod_local object-group test_prod_remote
tunnel-group ip_cisco3745 type  ipsec-l2l
tunnel-group ip_cisco3745  ipsec-attributes
pre-shared-key password
crypto map OUTSIDE_map interface  OUTSIDE
crypto map OUTSIDE_map 57 match address  OUTSIDE_57_cryptomap
crypto map OUTSIDE_map 57 set  pfs
crypto map OUTSIDE_map 57 set peer
ip_cisco3745
crypto map OUTSIDE_map 57 set transform-set 
ESP-3DES-SHA1

And the asa keep repeating :

6|Nov 19 2009|18:02:30|713219|||IP = ip_cisco3745, Queuing KEY-ACQUIRE  messages to be processed when P1 SA is complete.
6|Nov 19  2009|18:02:29|713219|||IP = ip_cisco3745, Queuing KEY-ACQUIRE messages to be  processed when P1 SA is complete.
6|Nov 19 2009|18:02:28|713219|||IP  = ip_cisco3745, Queuing KEY-ACQUIRE messages to be processed when P1 SA is  complete.
6|Nov 19 2009|18:02:27|713219|||IP = ip_cisco3745, Queuing  KEY-ACQUIRE messages to be processed when P1 SA is complete.

Why can I bring up Phase 2 ?

Thank you for your help !

1 Accepted Solution

Accepted Solutions

Jon Marshall
Hall of Fame
Hall of Fame

Youre transform set on the 3745 for Phase 2 is 3des sha-hmac

On the ASA your transform set is 3des md5-hmac.

You need to change one of these so they match.

Also on Phase 2 on the 3745 you have PFS group 1. On the ASA it's not clear what group you have set this to ?

Jon

View solution in original post

12 Replies 12

Jon Marshall
Hall of Fame
Hall of Fame

Youre transform set on the 3745 for Phase 2 is 3des sha-hmac

On the ASA your transform set is 3des md5-hmac.

You need to change one of these so they match.

Also on Phase 2 on the 3745 you have PFS group 1. On the ASA it's not clear what group you have set this to ?

Jon

Sorry, It was not the last configuration,

The transform set in the ASA is ESP-3DES-SHA1

and pfs group2 on Phase 2 on the 3745

I will edit my first post sorry for that.

mopaul
Cisco Employee
Cisco Employee

Hi ,




I have reviewed the configs both on router and ASA. Besides ACL rest is good so far.

With the following NAT statements made on router, i understand you are doing Dual NAT for VPN.

ip nat inside source static 172.16.1.1 10.40.0.1
ip nat outside source static 10.50.0.1 192.168.1.1

With the ACL on ASA, i have an understanding that the internal host behind ASA is 10.50.0.1, and you want to NAT it to 192.168.1.1 on router, PLease correct me if am wrong.

If this is correct, then try the following configuration.

#########ip nat outside source static 192.168.1.1 10.50.0.1#############

As an additional information on above NAT statement, following is the option on router.

cisco(config)#ip nat outside source static ?
  A.B.C.D  Outside global IP address <<<<<<<< NAT'd ip 192.168.1.1
  network  Subnet translation
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol

cisco(config)#ip nat outside source static 1.1.1.1     ?
  A.B.C.D  Outside local IP address <<<<<<< LocaL ip i.e 10.50.0.1


Also, you need to remove the seond entry in the crypto ACL on router, which is :-

########permit ip host 10.50.0.1 host 10.40.0.1 ####### REMOVE THIS.


On ASA
-----

The  object group that defines the host behind router is this:-
object-group network ipsos_prod_remote
description Network list TEST Prod  Remote
network-object host 10.40.0.1

But the one used as destination in the crypto ACL is object-group test_prod_remote ...
Please do make sure you bind the correct group to in the ACL below....

access-list INSIDE_nat0_outbound extended permit ip object-group TEST_prod_local object-group test_prod_remote << should use  ipsos_prod_remote
access-list OUTSIDE_57_cryptomap extended permit ip object-group TEST_prod_local object-group test_prod_remote << should use  ipsos_prod_remote

***PFS on both router and ASA is set to group 2 which is correct***


Hope this helps.


Regards
M

P.S : In case you still, face any issues please post the "deb cry isa 127" and "deb cry ipse 127" from ASA.

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries

What we want to have in the crypto is 10.50.0.1 and 10.40.0.1.

Unfortunately I'm just the local manager (router) and remotely (ASA), I should see 10.40.0.1 coming from them.

So we should have :


192.168.1.1 -- ROUTER -- 10.50.0.1 --- 10.40.0.1 -- ASA -- 10.40.0.1

As I don't want to see those two addresses in my network (10.50.0.1 and 10.40.0.1), I configured a NAT :

ip nat inside source static 172.16.1.1 10.40.0.1
ip nat outside source static 10.50.0.1 192.168.1.1

10.50.0.1 is global and 192.168.1.1 should be local. I think my access list :

ip nat outside source static 10.50.0.1 192.168.1.1

is in the good way and I don't have to change that.

On ASA
-----

I just forgot to anonymise everything, you gat me but I bind the correct group to in the ACL for sure.

The debug crypto in the ASA is in my first post.

Thank you very much for your help !

I would suggest to remove this staements.

crypto isakmp policy  50
authentication pre-share
encryption  3des
hash sha
group 1
lifetime  86400

Since you are using group 2 only.

Could you also reload the ISP device and the firewall if possible.

HTH

pravin

I cannot remove it because it's the remote client configuration. And by the way, as you can see in the log, it's not used :

1418040: Nov 20 10:13:12: ISAKMP (0:2615): Checking ISAKMP transform 1 against priority 1 policy
1418041: Nov 20 10:13:12: ISAKMP:      default group 2
1418042: Nov 20 10:13:12: ISAKMP:      encryption 3DES-CBC
1418043: Nov 20 10:13:12: ISAKMP:      hash SHA
1418044: Nov 20 10:13:12: ISAKMP:      auth pre-share
1418045: Nov 20 10:13:12: ISAKMP:      life type in seconds
1418046: Nov 20 10:13:12: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

fine by default the pfs is in group 2.

can you check with adding the below command

crypto map OUTSIDE_map 57 set  pfs group2

do clear crypto ipsec sa peer

What I see is :

In one side :

1418082: Nov 20 10:13:14: ISAKMP (0:2614): sending packet to asa_external_ip my_port 500 peer_port 500 (R) MM_SA_SETUP
1418083: Nov 20 10:13:16: ISAKMP (0:2607): retransmitting phase 1 MM_SA_SETUP...


sh crypto isakmp sa  | i asa_external_ip
router_external_ip    asa_external_ip  MM_SA_SETUP        2145       0

In the other side :


26  IKE Peer: router_external_ip
Type    : user            Role    :  initiator
Rekey   : no              State   :  MM_WAIT_MSG2

IP = router_external_ip, Queuing KEY-ACQUIRE messages to be processed when P1 SA is  complete.

Does it look like a packet drop or something like that ?

mopaul
Cisco Employee
Cisco Employee

######################################################

@pravin : Need not to remove the group2 to group 1 as Tunnel is negotaiting fine with the first best match on ASA as pointed out by mathieu.ploton.

@mathieu.ploton :


I had posted my understanding as per the information available in your first post. Now with your reply to it, things appears to be other way around.
The host with ip addr 192.168.1.1 needs to be NAT'd to 10.50.0.1 to go through the tunnel. The remote host 10.40.0.1 should appear as it is when it is decrypted on router's public interface. But should undergo the translation to 172.16.1.1 after decryption so that internal host see it as 172.16.1.1 .

Your statement "ip nat outside source static 10.50.0.1 192.168.1.1" is incorrect.

In that case the configuration should be this...

ip nat inside source static 192.168.1.1 10.50.0.1

ip nat outside source static 172.16.1.1 10.40.0.1

From crypto ACL REMOVE the following entry from router.
permit ip host 10.40.0.1 host 10.50.0.1

On ASA
-------
They need to change their ACL

**From**


access-list  INSIDE_nat0_outbound extended permit ip object-group TEST_prod_local  object-group test_prod_remote
10.50.0.1 >>> 10.40.0.1

access-list OUTSIDE_57_cryptomap  extended permit ip object-group TEST_prod_local object-group test_prod_remote
10.50.0.1 >>> 10.40.0.1

**TO**

Real ip address of host behind the ASA 10.40.0.1 >>>  10.50.0.1  NAT'd ip of host behind the router.

You might need to go through the following documents.

http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

####################


Guidelines for posters (esp new one) , please make your first post clear for quicker resolution otherwise it can take 5-10 posts just to find out the exact nature of the problem. Post the configuration and debugs correct in first time along with the topology.

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries

I'm maybe not clear but that's not what I want to do.

Let's sum up :

My internal host :

Real IP : 172.16.1.1

Address in the tunnel : 10.40.0.1

The remote host :

Real ip : don't care

Address in the tunnel : 10.40.0.1

Adresse nated in my internal area : 192.168.1.1

So what should be the nat commands in my router in this case ?

mopaul
Cisco Employee
Cisco Employee

This shows that ASA is sending the MSG1 as an intiator, in the debugs you sent i see router is retransmitting 500 packet to ASA. but ASA is still waiting for the MSG2 from router.


Make sure your ISP is not blocking udp500 / 4500 .

Though by default NAT-t is enabled on router , still go for the command below , just in case...

cry ipsec nat-transparency udp-encapsulation


get the captures from ASA's outside interface . Command syntax for same


access-l test per ip host "external ip of asa" host " external ip of router"

access-l test per ip host  " external ip of router" host   "external ip of asa"

capture capout access-l test interface  " name of the outside interface'


Execute the command " show cap capout" to see the packet on outside interface for udp 500 ... post the output here.


On router you can use the same acl as mentioned above and then run ;

deb ip packet detail " name of acl"


post both the outputs here.



Regards

M

Mohit Paul CCIE-Security 35496 P.S Please do rate this post if you find it helpful to make it easier for others seeking answers to similar queries

I have no access to the command cry ipsec nat-transparency udp-encapsulation

I think the problem is that c3745-ik9o3s-mz.122-13.T4.bin does not support IPSec NAT Transparency !!

Sorry it's mathieu.ploton using another account...

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: