Dynamic to Static IPSec with Certificate Authentication

garyshanes

I'm trying to set up a dynamic-to-static LAN2LAN VPN from an ASA 5505 (with a dynamic IP) to an ASA 5520 (with a static IP).
I'd like to have a small (/30) network on the Dynamic side that I can connect to a larger (/24) network on the Static side.
I'm also trying to use Identity Certificates for the Authentication.

I generated a root CA, and intermediate CA, signed the intermediate CA with the root CA, and then created identity CAs for
the ASAs, and signed them with the intermediate CA using OpenSSL, and imported them to a trustpoint

I tried using the instructions at:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml
to set up the certificates (replacing MS with OpenSSL) and using the instructions at:

I then tried to use the ASDM to set the appropriate identity cert on the outside interface
[ Configuration->Device Management->Advanced->SSL Settings ]

and set up a Connection Profile [ Configuration->Device Management->Connection Profiles ] on both devices,
setting the side that gets its IP via DHCP to static and the side that has the permanent IP to accept from dynamic.

I apply settings and nothing happens.

show crypto isakmp just returns "There are no isakmp sas".

I'm not sure where to begin debugging this. How do I force the DHCP side to initiate a connection?

Accepted Solution:

Are we sure both peers are using the same isakmp settings? It seems the policy that uses rsa-sig on one end uses a different DH group.


Ivan Martinon


Gary,

Since this is an IPsec connection, SSL is not where you need to bind the certificate. You need to bind it to the tunnel group for authentication: in your case, to your DefaultL2LGroup on the static ASA, and to the tunnel group for the server on the dynamic side. Once you have done that and you have all the isakmp/ipsec settings, you need to start some kind of traffic through the tunnel to make it come up; then you can debug if it does not work.

Advised debugs are:

debug crypto isakmp 15

debug crypto ca messages

The two above are for the case where the tunnel is not established; try to run them on the 5520.

debug crypto ipsec 15

As well try to make sure that your 5505 inside traffic starts the vpn.

When I go to [ Configuration -> Site-to-Site VPN -> Tunnel groups ], select the DefaultL2LGroup and click
"Edit", it allows me to "Edit IPsec Site-to-Site Tunnel Group: DefaultL2LGroup".

But when I set the "Identity Certificate" to the trustpoint I put under
[ Configuration -> Site-to-Site VPN -> Certificate Management -> Identity Certificates ]
the Tunnel Groups Summary Pane updates to:

   "DefaultL2LGroup| -- None -- | True | DfltGrpPolicy",

and if I set it to "-- None --" in the pop-up Dialog, the Summary Pane reads:

   "DefaultL2LGroup|                  | True | DfltGrpPolicy".

I'm assuming it should read something like:

   "DefaultL2LGroup| ASDM_TrustPoint3 | True | DfltGrpPolicy"

Is this a bug or something? How do I associate an Identity Certificate from the command-line to work around this?

I'm using:
boot system disk0:/asa821-k8.bin
asdm image disk0:/asdm-621.bin

I re-added the certs using the command line and the certificate shows up now like one would expect.

Would pinging something from the ASA itself bring up the tunnel or does it have to be something entering the ASA's "inside" interface?

Go ahead and enable management-access inside on both firewalls and ping the inside interface of the static one from the remote one using

ping inside X.X.X.X

Excellent. They're trying to bring up the tunnel but I'm getting "Information Exchange processing failed", so I need to re-check my IPsec settings...

Actually, that is phase 1; check your isakmp and cert settings: debug crypto isakmp 15 and debug crypto ca messages 15 too.

When I refresh the ASDM with the running config of the device, the CA Certificate field in the tunnel group gets set to "::null" and the static ASA complains "Can't find a valid tunnel group, aborting...!" If I set it in the ASDM, apply, save, and then reload from the device, it goes back to ::null.

garyshanes

################################################################################
# I want to create a Dynamic-to-Static L2L VPN using certificate authentication.
#
# Certificates:
# The static side will be known as sys-asa01.example.com, so I create a Root CA (root_ca), an
# Intermediate CA (mid_ca) and an identity certificate for sys-asa01.example.com.
#
# The network behind sys-ii-asa00 is 10.254.254.0/255.255.255.248
# The network behind sys-asa01 is 192.168.7.0/255.255.255.0
#
# Installed the root_ca and mid_ca public keys into both ASAs, and install the
# Generate a CSR, sign it with the mid_ca and import it back into the respective
# ASA...
################################################################################
SYS-ASA01# show crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 08
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    ea=certificate.authority@example.com
    cn=mid-ca.example.com
    ou=Intermediate Certificate Authority
    o=Company Name
    st=StateName
    c=US
  Subject Name:
    ea=sysadmin@example.com
    cn=sys-asa01.example.com
    ou=Information Technology
    o=Company Name
    l=CityName
    st=StateName
    c=US
  Validity Date:
    start date: 10:46:12 CST Dec 3 2009
    end   date: 10:46:12 CST Dec 2 2012
  Associated Trustpoints: sys-asa01

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: General Purpose
  Public Key Type: RSA (4096 bits)
  Issuer Name:
    ea=certificate.authority@example.com
    cn=root-ca.example.com
    ou=Root Certificate Authority
    o=Company Name
    l=CityName
    st=StateName
    c=US
  Subject Name:
    ea=certificate.authority@example.com
    cn=mid-ca.example.com
    ou=Intermediate Certificate Authority
    o=Company Name
    st=StateName
    c=US
  Validity Date:
    start date: 12:31:16 CST Dec 24 2008
    end   date: 12:31:16 CST Dec 24 2011
  Associated Trustpoints: sys-asa01 example.com-mid_ca

CA Certificate
  Status: Available
  Certificate Serial Number: 009f7176cfd4d4a69b
  Certificate Usage: General Purpose
  Public Key Type: RSA (512 bits)
  Issuer Name:
    ea=certificate.authority@example.com
    cn=root-ca.example.com
    ou=Root Certificate Authority
    o=Company Name
    l=CityName
    st=StateName
    c=US
  Subject Name:
    ea=certificate.authority@example.com
    cn=root-ca.example.com
    ou=Root Certificate Authority
    o=Company Name
    l=CityName
    st=StateName
    c=US
  Validity Date:
    start date: 12:31:10 CST Dec 24 2008
    end   date: 12:31:10 CST Dec 23 2013
  Associated Trustpoints: example.com-root_ca
             
SYS-ASA01#
################################################################################
sys-ii-asa00# show crypto ca certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 009f7176cfd4d4a69b
  Certificate Usage: General Purpose
  Public Key Type: RSA (512 bits)
  Issuer Name:
    ea=certificate.authority@example.com
    cn=root-ca.example.com
    ou=Root Certificate Authority
    o=Company Name
    l=CityName
    st=StateName
    c=US
  Subject Name:
    ea=certificate.authority@example.com
    cn=root-ca.example.com
    ou=Root Certificate Authority
    o=Company Name
    l=CityName
    st=StateName
    c=US
  Validity Date:
    start date: 12:31:10 CST Dec 24 2008
    end   date: 12:31:10 CST Dec 23 2013
  Associated Trustpoints: example.com-root_ca

Certificate  
  Status: Available
  Certificate Serial Number: 06
  Certificate Usage: General Purpose
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    ea=certificate.authority@example.com
    cn=mid-ca.example.com
    ou=Intermediate Certificate Authority
    o=Company Name
    st=StateName
    c=US
  Subject Name:
    ea=sysadmin@example.com
    cn=sys-ii-asa00.example.com
    ou=Information Technology
    o=Company Name
    l=CityName
    st=Tennesee
    c=US
  Validity Date:
    start date: 13:42:41 CST Nov 27 2009
    end   date: 13:42:41 CST Nov 26 2012
  Associated Trustpoints: sys-ii-asa00

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: General Purpose
  Public Key Type: RSA (4096 bits)
  Issuer Name:
    ea=certificate.authority@example.com
    cn=root-ca.example.com
    ou=Root Certificate Authority
    o=Company Name
    l=CityName
    st=StateName
    c=US
  Subject Name:
    ea=certificate.authority@example.com
    cn=mid-ca.example.com
    ou=Intermediate Certificate Authority
    o=Company Name
    st=StateName
    c=US
  Validity Date:
    start date: 12:31:16 CST Dec 24 2008
    end   date: 12:31:16 CST Dec 24 2011
  Associated Trustpoints: sys-ii-asa00 example.com-mid_ca
             
sys-ii-asa00#

################################################################################
# Set up the isakmp policies (the same on both ASAs; some of this is more than I
# need, but there are remote-access VPNs on the static ASA as well). Since
# "isakmp policy 150" is the only one that uses rsa-sig, that is the one we'll be
# using for certificates.
################################################################################
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 5
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp policy 110
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 130
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 150
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal

################################################################################
# configure the trust points
################################################################################
# sys-ii-asa00#
crypto ca trustpoint example.com-root_ca
enrollment terminal
crl configure
crypto ca trustpoint example.com-mid_ca
enrollment terminal
crl configure
crypto ca trustpoint sys-ii-asa00
revocation-check crl none
enrollment terminal
email sysadmin@example.com
subject-name CN=sys-ii-asa00.example.com,OU=Information Technology,O=Company Name,C=US,St=Tennesee,L=CityName,EA=sysadmin@example.com
no client-types
crl configure

################################################################################
# SYS-ASA01#
crypto ca trustpoint example.com-root_ca
enrollment terminal
crl configure
crypto ca trustpoint example.com-mid_ca
enrollment terminal
crl configure
crypto ca trustpoint sys-asa01
revocation-check crl none
enrollment terminal
email sysadmin@example.com
subject-name CN=sys-asa01.example.com,OU=Information Technology,O=Company Name,C=US,St=Tennesee,L=CityName,EA=sysadmin@example.com
keypair sys-asa01.example.com
no client-types
crl configure

################################################################################
# I have static-to-static VPNs, remote-access VPNs, and want certificate-authenticated
# dynamic-to-static as well, so I'll need to set identity auto.
################################################################################

SYS-ASA01# conf t                    
SYS-ASA01(config)# crypto isakmp identity auto
SYS-ASA01(config)# end
SYS-ASA01#

sys-ii-asa00# conf t
sys-ii-asa00(config)# crypto isakmp identity auto
sys-ii-asa00(config)# end
sys-ii-asa00#

################################################################################
# Since we'll be using certificate authentication, we'll need to create a tunnel
# group named after the remote site's certificate CN (we could do this by OU as
# well, which is the default)
################################################################################

################################################################################
# SYS-ASA01#
conf t
group-policy instant-issue-group-policy internal
group-policy instant-issue-group-policy attributes
vpn-tunnel-protocol IPSec
dns-server value 192.168.7.58
quit
tunnel-group sys-ii-asa00.example.com type ipsec-l2l
tunnel-group sys-ii-asa00.example.com general-attributes
default-group-policy instant-issue-group-policy
quit
tunnel-group sys-ii-asa00.example.com ipsec-attributes
peer-id-validate cert
notrust-point example.com-mid_ca
quit
tunnel-group-map enable rules
crypto ca certificate map 1
subject-name attr cn eq sys-ii-asa00.example.com
quit
tunnel-group-map 1 sys-ii-asa00.example.com
end

################################################################################
# sys-ii-asa00#
conf t
group-policy instant-issue-group-policy internal
group-policy instant-issue-group-policy attributes
vpn-tunnel-protocol IPSec
quit
! tunnel-group sys-asa01.example.com type ipsec-l2l
tunnel-group sys-asa01.example.com general-attributes
default-group-policy instant-issue-group-policy
quit
tunnel-group sys-asa01.example.com ipsec-attributes
peer-id-validate cert
trust-point example.com-mid_ca
quit
tunnel-group-map enable rules
crypto ca certificate map 1
subject-name attr cn eq sys-asa01.example.com
quit
tunnel-group-map 1 sys-asa01.example.com
end

################################################################################
#
################################################################################
# sys-ii-asa00
access-list inside_nat0_outbound extended permit ip 10.254.254.0 255.255.255.248 192.168.7.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.254.254.0 255.255.255.248 192.168.7.0 255.255.255.0
nat (inside) 0 access-list nonat_inside
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set peer 74.255.131.2
crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 interface outside

# SYS-ASA01
access-list nonat_inside extended permit ip 192.168.7.0 255.255.255.0 10.254.254.0 255.255.255.248
access-list outside_cryptomap_2 extended permit ip 192.168.7.0 255.255.255.0 10.254.254.0 255.255.255.248
nat (inside) 0 access-list inside_nat0_outbound

################################################################################
# results
################################################################################
SYS-ASA01#
debug crypto isakmp
debug crypto ca messages
Dec 07 09:37:44 [IKEv1]: Group = 96.24.196.33, IP = 96.24.196.33, Can't find a valid tunnel group, aborting...!
Dec 07 09:37:44 [IKEv1]: Group = 96.24.196.33, IP = 96.24.196.33, Removing peer from peer table failed, no match!
Dec 07 09:37:44 [IKEv1]: Group = 96.24.196.33, IP = 96.24.196.33, Error: Unable to remove PeerTblEntry
Dec 07 09:37:52 [IKEv1]: IP = 96.24.196.33, Header invalid, missing SA payload! (next payload = 4)

sys-ii-asa00#
Dec 07 09:38:30 [IKEv1]: IP = 74.255.131.2, Information Exchange processing failed

Any idea why my IKE keeps failing to find the tunnel group? What did I miss?

Gary,

Under your tunnel group, I can't see you matching the trustpoint on the box:

# SYS-ASA01#
tunnel-group sys-ii-asa00.example.com ipsec-attributes
no trust-point example.com-mid_ca
quit

You should use here the following

# SYS-ASA01#
tunnel-group sys-ii-asa00.example.com ipsec-attributes
trust-point sys-asa01
quit

# sys-ii-asa00#
tunnel-group sys-asa01.example.com ipsec-attributes
trust-point sys-ii-asa00

That is because on both ASAs this trustpoint is the one that has both the CA and the ID certificate. As well, on your certificate map, try using the operator co for contains.

Add the level 15 or 25 to both debugs you used for higher detail

debug crypto isakmp 25

debug crypto ca messages 25

Ivan
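The tunnel-group lookup that fails above with "Can't find a valid tunnel group", together with the trust-point and `co` points Ivan raises, modelled as an added example. This is editor-written Python, not code from the thread or from Cisco: it parses the `crypto ca certificate map`, `tunnel-group-map` and `tunnel-group` blocks from an ASA config fragment, selects the tunnel group for a given peer certificate DN the way `tunnel-group-map enable rules` does, and then reports whether that group has a trust-point to sign with. The config fragments and the peer DN are constructed from what Gary posted; the case-insensitive comparison, the AND of clauses within one map entry, and the assumption that DefaultL2LGroup always exists are the example's own simplifications.

```python
"""Tunnel-group selection from a peer certificate (added example, not from the thread)."""
import re

DEFAULT_L2L_GROUP = "DefaultL2LGroup"   # assumed always present on an ASA

# ASA certificate-map operators: eq/ne are exact, co/nc are substring tests.
# Case-insensitive comparison is an assumption of this example.
OPERATORS = {
    "eq": lambda have, want: have.lower() == want.lower(),
    "ne": lambda have, want: have.lower() != want.lower(),
    "co": lambda have, want: want.lower() in have.lower(),
    "nc": lambda have, want: want.lower() not in have.lower(),
}

def parse_dn(dn):
    """'CN=a,OU=b,...' -> {'cn': ['a'], 'ou': ['b'], ...} (multi-valued attrs kept)."""
    attrs = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
    return attrs

def parse_cert_maps(config):
    """`crypto ca certificate map N` blocks -> [(N, [(field, attr, op, value), ...])]."""
    maps, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"crypto ca certificate map (\d+)$", line)
        if m:
            current = int(m.group(1))
            maps[current] = []
            continue
        m = re.match(r"(subject-name|issuer-name) attr (\S+) (eq|ne|co|nc) (.+)$", line)
        if m and current is not None:
            field, attr, op, value = m.groups()
            maps[current].append((field, attr.lower(), op, value.strip()))
        elif line:
            current = None          # any other command closes the block
    return sorted(maps.items())

def parse_tunnel_groups(config):
    """tunnel-group blocks -> {name: {'trust-point': tp} or {}}."""
    groups, current = {DEFAULT_L2L_GROUP: {}}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"tunnel-group (\S+) (type|general-attributes|ipsec-attributes)", line)
        if m:
            current = m.group(1)
            groups.setdefault(current, {})
        # re.match anchors at the start, so 'notrust-point X' and 'no trust-point X'
        # (both seen in the thread) correctly do NOT count as a configured trust-point.
        elif current is not None and (m := re.match(r"trust-point (\S+)$", line)):
            groups[current]["trust-point"] = m.group(1)
        elif line in ("quit", "exit", "end"):
            current = None
    return groups

def select_tunnel_group(subject_dn, config, issuer_dn=""):
    """First matching certificate map wins (via tunnel-group-map N); else the default L2L group."""
    dn = {"subject-name": parse_dn(subject_dn), "issuer-name": parse_dn(issuer_dn)}
    tg_map = {int(n): g for n, g in re.findall(r"^\s*tunnel-group-map (\d+) (\S+)", config, re.M)}
    for seq, clauses in parse_cert_maps(config):
        hit = clauses and all(any(OPERATORS[op](v, want) for v in dn[field].get(attr, []))
                              for field, attr, op, want in clauses)
        if hit:
            return tg_map.get(seq, DEFAULT_L2L_GROUP), f"certificate map {seq} matched"
    return DEFAULT_L2L_GROUP, "no certificate map matched"

def cert_auth_problems(config, group):
    """What would stop `group` from completing certificate authentication."""
    groups = parse_tunnel_groups(config)
    if group not in groups:
        return [f"tunnel-group {group} is not configured"]
    if "trust-point" not in groups[group]:
        return [f"tunnel-group {group} has no trust-point, so no identity certificate to sign with"]
    return []

# Constructed from the subject shown in Gary's `show crypto ca certificates` output.
PEER_SUBJECT = ("CN=sys-ii-asa00.example.com,OU=Information Technology,O=Company Name,"
                "L=CityName,ST=Tennesee,C=US,EA=sysadmin@example.com")
RENEWED_SUBJECT = PEER_SUBJECT.replace("CN=sys-ii-asa00.example.com", "CN=sys-ii-asa00")

# Constructed from the static-side config Gary posted, including the 'notrust-point' line.
STATIC_ASA_BEFORE = """\
tunnel-group sys-ii-asa00.example.com type ipsec-l2l
tunnel-group sys-ii-asa00.example.com ipsec-attributes
peer-id-validate cert
notrust-point example.com-mid_ca
quit
tunnel-group-map enable rules
crypto ca certificate map 1
subject-name attr cn eq sys-ii-asa00.example.com
quit
tunnel-group-map 1 sys-ii-asa00.example.com
"""
# Ivan's fix: point the tunnel group at the trustpoint holding this ASA's own identity cert.
STATIC_ASA_AFTER = STATIC_ASA_BEFORE.replace("notrust-point example.com-mid_ca", "trust-point sys-asa01")
# Ivan's other suggestion: 'co' (contains) instead of 'eq'.
STATIC_ASA_CO = STATIC_ASA_AFTER.replace("cn eq sys-ii-asa00.example.com", "cn co sys-ii-asa00")
```

With the posted config the map matches and the named tunnel group is selected, but `cert_auth_problems` reports the missing trust-point; after Ivan's change it reports nothing. The `RENEWED_SUBJECT` case shows what `co` buys: a certificate reissued with the bare hostname as CN still maps to the right group, whereas with `eq` it falls through to DefaultL2LGroup. One thing this lookup does not check, and the posted `show crypto ca certificates` output does show, is key size: the root CA there is a 512-bit RSA key, which is factorable with modest resources today and should not anchor a production trust chain.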

More information:

################################################################################
# crypto maps
################################################################################

# SYS-ASA01
crypto map vpn 8 ipsec-isakmp dynamic instant-issue-00
crypto map vpn 8 match address outside_cryptomap_2
crypto map vpn 8 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map vpn interface outside


# sys-ii-asa00
crypto map outside_map1 1 match address outside_cryptomap
crypto map outside_map1 1 set peer 74.255.131.2
crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 interface outside

################################################################################
#  Static side debug 15 (isakmp & crypto ca)
################################################################################

SYS-ASA01# Dec 07 10:17:14 [IKEv1]: IP = 96.24.196.33, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 408
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, processing SA payload
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, Oakley proposal is acceptable
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, processing VID payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, Received Fragmentation VID
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, processing IKE SA payload
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 5
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 11
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing ISAKMP SA payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing Fragmentation VID + extended capabilities payload
Dec 07 10:17:14 [IKEv1]: IP = 96.24.196.33, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Dec 07 10:17:14 [IKEv1]: IP = 96.24.196.33, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, processing ke payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, processing ISA_KE payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, processing nonce payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, processing VID payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, Received Cisco Unity client VID
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, processing VID payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, Received xauth V6 VID
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, processing VID payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, processing VID payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing ke payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing nonce payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing Cisco Unity VID payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing xauth V6 VID payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, Send IOS VID
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, constructing VID payload
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 07 10:17:14 [IKEv1]: Group = 96.24.196.33, IP = 96.24.196.33, Can't find a valid tunnel group, aborting...!
Dec 07 10:17:14 [IKEv1 DEBUG]: Group = 96.24.196.33, IP = 96.24.196.33, IKE MM Responder FSM error history (struct &0xd0feeaf8)  , :  MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_TEST_CRACK-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY
Dec 07 10:17:14 [IKEv1 DEBUG]: Group = 96.24.196.33, IP = 96.24.196.33, IKE SA MM:15f59e3e terminating:  flags 0x0100c002, refcnt 0, tuncnt 0
Dec 07 10:17:14 [IKEv1 DEBUG]: Group = 96.24.196.33, IP = 96.24.196.33, sending delete/delete with reason message
Dec 07 10:17:14 [IKEv1]: Group = 96.24.196.33, IP = 96.24.196.33, Removing peer from peer table failed, no match!
Dec 07 10:17:14 [IKEv1]: Group = 96.24.196.33, IP = 96.24.196.33, Error: Unable to remove PeerTblEntry
Dec 07 10:17:22 [IKEv1]: IP = 96.24.196.33, Header invalid, missing SA payload! (next payload = 4)
Dec 07 10:17:22 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Dec 07 10:17:30 [IKEv1]: IP = 96.24.196.33, Header invalid, missing SA payload! (next payload = 4)
Dec 07 10:17:30 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
no debug crypto isakmp
SYS-ASA01# no debug crypto ca messages
SYS-ASA01#

...

It still doesn't know which tunnel group to use....
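The debug output above mixes three separate things: DH-group mismatches against policies that were tried and rejected, one policy (entry 11) that accepted the proposal, and the tunnel-group lookup that then failed. As an added example (not part of the original post and not Cisco code), the following Python triages a "debug crypto isakmp" capture into those facts. The sample lines are a constructed, trimmed copy of the posted output; the regexes are written against the message formats shown in the post and nothing else.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed subset of the "debug crypto isakmp" output
# posted above (same peer IP and messages; most repeated lines dropped).
SAMPLE_DEBUG = """\
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
Dec 07 10:17:14 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Dec 07 10:17:14 [IKEv1 DEBUG]: IP = 96.24.196.33, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 11
Dec 07 10:17:14 [IKEv1]: Group = 96.24.196.33, IP = 96.24.196.33, Can't find a valid tunnel group, aborting...!
Dec 07 10:17:22 [IKEv1]: IP = 96.24.196.33, Header invalid, missing SA payload! (next payload = 4)
Dec 07 10:17:30 [IKEv1]: IP = 96.24.196.33, Header invalid, missing SA payload! (next payload = 4)
"""

MISMATCH_RE = re.compile(
    r"Phase 1 failure:\s+Mismatched attribute types for class (?P<cls>[^:]+):"
    r"\s+Rcv'd: (?P<rcvd>.+?)\s+Cfg'd: (?P<cfgd>.+?)\s*$")
ACCEPT_RE = re.compile(
    r"IP = (?P<ip>[\d.]+), IKE SA Proposal # \d+, Transform # \d+ acceptable"
    r"\s+Matches global IKE entry # (?P<policy>\d+)")
NO_TG_RE = re.compile(r"IP = (?P<ip>[\d.]+), Can't find a valid tunnel group")
NO_SA_RE = re.compile(r"IP = (?P<ip>[\d.]+), Header invalid, missing SA payload")


def parse_isakmp_debug(text):
    """Collapse a debug crypto isakmp capture into the facts that matter
    for a Phase 1 failure."""
    summary = {
        "peer": None,
        "mismatches": defaultdict(set),  # (attribute class, received) -> configured values tried
        "accepted_policy": None,          # isakmp policy number that accepted the proposal
        "tunnel_group_missing": False,
        "missing_sa_retries": 0,          # peer resent its KE/nonce message after the SA was deleted
    }
    for line in text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            summary["mismatches"][(m["cls"], m["rcvd"])].add(m["cfgd"])
            continue
        for pattern, key in ((ACCEPT_RE, "accepted_policy"),
                             (NO_TG_RE, "tunnel_group_missing"),
                             (NO_SA_RE, "missing_sa_retries")):
            m = pattern.search(line)
            if not m:
                continue
            summary["peer"] = summary["peer"] or m["ip"]
            if key == "accepted_policy":
                summary[key] = int(m["policy"])
            elif key == "tunnel_group_missing":
                summary[key] = True
            else:
                summary[key] += 1
            break
    return summary


def diagnose(summary):
    """Turn the summary into the checks a practitioner would run next."""
    findings = []
    for (cls, rcvd), cfgd in summary["mismatches"].items():
        findings.append("peer offered %s %s; configured values tried: %s"
                        % (cls, rcvd, ", ".join(sorted(cfgd))))
    if summary["accepted_policy"] is not None:
        findings.append("Phase 1 proposal accepted by isakmp policy %d; the "
                        "mismatches above were against other policies and are "
                        "not the blocker" % summary["accepted_policy"])
    elif summary["mismatches"]:
        findings.append("no isakmp policy accepted the proposal: align the DH "
                        "group (and hash/encryption/auth) on both peers")
    if summary["tunnel_group_missing"]:
        findings.append("no tunnel group matched peer %s: check the certificate "
                        "map rules (subject-name attr cn eq/co ...) against the "
                        "peer's actual subject and the tunnel-group binding"
                        % summary["peer"])
    if summary["missing_sa_retries"]:
        findings.append("peer retransmitted its KE/nonce message (next payload = 4) "
                        "%d time(s) after the SA was deleted; this is fallout from "
                        "the earlier abort, not a separate fault"
                        % summary["missing_sa_retries"])
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_isakmp_debug(SAMPLE_DEBUG)):
        print("-", finding)
```

Run against the posted capture this reports that policy 11 did accept the Group 5 proposal, so the DH-group lines are noise at this point and the tunnel-group lookup is what has to be fixed first.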

Are we sure both peers are using the same isakmp settings? It seems the policy that uses rsa-sig on one end uses a different DH group.

As well, the reason it does not find the tunnel group is that the certificate map is not matching the attribute; has it been changed to use co rather than eq?

This is how it looks now. Is this not right?

sys-ii-asa00#
crypto ca certificate map DefaultCertificateMap 1
subject-name attr cn eq sys-asa01.example.com
crypto ca certificate map DefaultCertificateMap 10

SYS-ASA01#
crypto ca certificate map DefaultCertificateMap 1
subject-name attr cn eq sys-ii-asa00.example.com
crypto ca certificate map DefaultCertificateMap 10
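To make the eq versus co suggestion concrete, here is an added example (not part of the thread and not ASA code) that models how a certificate map sequence is evaluated: every rule in a sequence must match, sequences are tried in order, and the first match selects the tunnel group. The rules are the ones posted above for the static side; the binding to DefaultL2LGroup, the case-insensitive comparison, and the peer subjects are assumptions marked in the code, and the empty sequence 10 from the post is not modelled.

```python
# Operators accepted by "subject-name attr <field> <op> <value>".
# Strings are compared case-insensitively here (assumption).
OPS = {
    "eq": lambda actual, want: actual.lower() == want.lower(),
    "ne": lambda actual, want: actual.lower() != want.lower(),
    "co": lambda actual, want: want.lower() in actual.lower(),
    "nc": lambda actual, want: want.lower() not in actual.lower(),
}

# Rules from the post (static side, sys-ii-asa00); sequence 10 has no
# rules on the page and is left out here.
CERT_MAP_EQ = {1: [("cn", "eq", "sys-asa01.example.com")]}
# The same map rewritten to use "co", as suggested in the reply above.
CERT_MAP_CO = {1: [("cn", "co", "sys-asa01")]}

# Hypothetical tunnel-group-map binding; the post does not show this line.
TUNNEL_GROUP_MAP = {1: "DefaultL2LGroup"}

# Constructed peer certificate subjects (not taken from the page).
PEER_EXACT = "CN=sys-asa01.example.com,OU=VPN,O=Example"
PEER_DIFFERENT = "CN=sys-asa01.branch.example.com,OU=VPN,O=Example"


def parse_dn(dn):
    """Split 'CN=a,OU=b,O=c' into a dict keyed by lower-cased attribute name."""
    subject = {}
    for part in dn.split(","):
        key, _, value = part.partition("=")
        subject[key.strip().lower()] = value.strip()
    return subject


def rule_matches(rule, subject):
    """Evaluate one (field, operator, value) rule against a parsed subject."""
    field, op, want = rule
    return OPS[op](subject.get(field, ""), want)


def cert_map_lookup(cert_map, tunnel_group_map, subject_dn):
    """Return (sequence, tunnel group) for the first sequence whose rules all
    match, or None, which is the case the ASA logs as
    "Can't find a valid tunnel group"."""
    subject = parse_dn(subject_dn)
    for seq in sorted(cert_map):
        rules = cert_map[seq]
        if rules and all(rule_matches(r, subject) for r in rules):
            return seq, tunnel_group_map.get(seq)
    return None


if __name__ == "__main__":
    for name, cert_map in (("eq", CERT_MAP_EQ), ("co", CERT_MAP_CO)):
        for peer in (PEER_EXACT, PEER_DIFFERENT):
            print(name, peer, "->", cert_map_lookup(cert_map, TUNNEL_GROUP_MAP, peer))
```

The point of the model is the failure mode: an eq rule silently matches nothing when the CN in the peer's identity certificate differs from the configured string by even one character, and the only symptom is the tunnel-group error. Compare the rule against the CN shown by show crypto ca certificates on the peer before loosening it to co, since co also admits any other certificate whose CN contains that substring.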
