
ipSec VPN between 3825 and ASA

Clifford McGlamry
Spotlight

I’ve followed the configuration guidelines, but I’m getting some rather strange behavior.  I’m not sure why.

Network looks like this:

10.16.1.1/24 (Loopback 0) = Cisco 3825 = 2.2.2.1 (Gig 0/0) <-> 2.2.2.2 WAN ROUTER 1.1.1.2 <-> 1.1.1.1 (outside) ASA 5520 10.17.1.2 (inside) <-> 10.17.1.1 Cisco 3725

NAT is configured on ASA. 

The 3725 can ping each device on the public network. 

NAT is not configured on the 3825 (yet).

I am attempting to get the ipSec tunnel up using the outside interfaces on the 3825 and the ASA as the tunnel endpoints.  I followed the configuration guidelines here (http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml#CLI ).  It isn’t working…and I’m not sure why.

I’ve noticed the following when I debug on the router.  The router is complaining about not having a matching pre-shared key for 10.17.1.2…but that’s the INSIDE interface on the ASA.  If I add that in, it gets past that, but still won’t come up.  See highlighted below.  I’m attaching the configs, and if any of you guys could help shed some light on this, I’d REALLY be appreciative. 

I'm really not understanding why it's trying to negotiate against the inside interface instead of the outside interface. 

*Mar  8 22:59:56.131: ISAKMP (0:0): received packet from 10.17.1.2 dport 500 sport 1024 Global (N) NEW SA
*Mar  8 22:59:56.131: ISAKMP: Created a peer struct for 10.17.1.2, peer port 1024
*Mar  8 22:59:56.131: ISAKMP: New peer created peer = 0x65310D30 peer_handle = 0x80000016
*Mar  8 22:59:56.131: ISAKMP: Locking peer struct 0x65310D30, refcount 1 for crypto_isakmp_process_block
*Mar  8 22:59:56.131: ISAKMP: local port 500, remote port 1024
*Mar  8 22:59:56.131: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 646B48D0
*Mar  8 22:59:56.131: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  8 22:59:56.131: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
*Mar  8 22:59:56.135: ISAKMP:(0): processing SA payload. message ID = 0
*Mar  8 22:59:56.135: ISAKMP:(0): processing vendor id payload
*Mar  8 22:59:56.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  8 22:59:56.135: ISAKMP:(0): vendor ID is NAT-T v2
*Mar  8 22:59:56.135: ISAKMP:(0): processing vendor id payload
*Mar  8 22:59:56.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Mar  8 22:59:56.135: ISAKMP:(0): vendor ID is NAT-T v3
*Mar  8 22:59:56.135: ISAKMP:(0): processing vendor id payload
*Mar  8 22:59:56.135: ISAKMP:(0): processing IKE frag vendor id payload
*Mar  8 22:59:56.135: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar  8 22:59:56.135: ISAKMP:(0):found peer pre-shared key matching 10.17.1.2   (this seems WRONG to me)
*Mar  8 22:59:56.135: ISAKMP:(0): local preshared key found
*Mar  8 22:59:56.135: ISAKMP : Scanning profiles for xauth ...
*Mar  8 22:59:56.135: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Mar  8 22:59:56.135: ISAKMP:      default group 2
*Mar  8 22:59:56.135: ISAKMP:      encryption 3DES-CBC
*Mar  8 22:59:56.135: ISAKMP:      hash MD5
*Mar  8 22:59:56.135: ISAKMP:      auth pre-share
*Mar  8 22:59:56.135: ISAKMP:      life type in seconds
*Mar  8 22:59:56.135: ISAKMP:      life duration (VPI) of  0x0 0x0 0xA8 0xC0
*Mar  8 22:59:56.135: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar  8 22:59:56.135: ISAKMP:(0):Acceptable atts:actual life: 0
*Mar  8 22:59:56.135: ISAKMP:(0):Acceptable atts:life: 0
*Mar  8 22:59:56.135: ISAKMP:(0):Fill atts in sa vpi_length:4
*Mar  8 22:59:56.135: ISAKMP:(0):Fill atts in sa life_in_seconds:43200
*Mar  8 22:59:56.135: ISAKMP:(0):Returning Actual lifetime: 43200
*Mar  8 22:59:56.135: ISAKMP:(0)::Started lifetime timer: 43200.
*Mar  8 22:59:56.135: ISAKMP:(0): processing vendor id payload
*Mar  8 22:59:56.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch   (not sure what this is)
*Mar  8 22:59:56.135: ISAKMP:(0): vendor ID is NAT-T v2
*Mar  8 22:59:56.135: ISAKMP:(0): processing vendor id payload
*Mar  8 22:59:56.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch   (not sure what this is)
*Mar  8 22:59:56.135: ISAKMP:(0): vendor ID is NAT-T v3
*Mar  8 22:59:56.135: ISAKMP:(0): processing vendor id payload
*Mar  8 22:59:56.135: ISAKMP:(0): processing IKE frag vendor id payload
*Mar  8 22:59:56.135: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar  8 22:59:56.135: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  8 22:59:56.135: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
*Mar  8 22:59:56.135: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar  8 22:59:56.135: ISAKMP:(0): sending packet to 10.17.1.2 my_port 500 peer_port 1024 (R) MM_SA_SETUP
*Mar  8 22:59:56.135: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  8 22:59:56.135: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  8 22:59:56.135: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2
*Mar  8 23:00:04.131: ISAKMP (0:0): received packet from 10.17.1.2 dport 500 sport 1024 Global (R) MM_SA_SETUP
*Mar  8 23:00:04.131: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Mar  8 23:00:04.131: ISAKMP:(0): retransmitting due to retransmit phase 1
*Mar  8 23:00:04.631: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Mar  8 23:00:04.631: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  8 23:00:04.631: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Mar  8 23:00:04.631: ISAKMP:(0): sending packet to 10.17.1.2 my_port 500 peer_port 1024 (R) MM_SA_SETUP
*Mar  8 23:00:04.631: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  8 23:00:12.131: ISAKMP (0:0): received packet from 10.17.1.2 dport 500 sport 1024 Global (R) MM_SA_SETUP
*Mar  8 23:00:12.131: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Mar  8 23:00:12.131: ISAKMP:(0): retransmitting due to retransmit phase 1
*Mar  8 23:00:12.631: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

Accepted Solution

slmansfield
Level 4

I don't see the statement on the ASA:  crypto isakmp enable outside
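For readers landing here with the same symptom, the following is an added example and not the configs attached to the original post or anything from the Cisco document the poster linked. It shows a minimal site-to-site configuration for both ends using the addresses from the poster's diagram and the Phase 1 parameters the 3825 debug shows being offered and accepted (3DES, MD5, group 2, pre-share, 43200 s lifetime, IOS "priority 1 policy"), with the line the accepted answer identified in place on the ASA. Object names (L2L-TRAFFIC, NONAT, OUTSIDE_MAP, ESP-3DES-MD5), the crypto map sequence numbers and the pre-shared-key placeholder are assumptions; the ASA syntax is the 8.2-era "crypto isakmp" form, and on ASA 8.4 and later the equivalent keywords are "crypto ikev1 enable outside", "crypto ikev1 policy", "ikev1 pre-shared-key" and "ikev1 transform-set". What the debug above shows is the 3825 acting as responder (IKE_R_MM1 to IKE_R_MM2), sending its MM_SA_SETUP reply towards 10.17.1.2, and the peer re-sending its first message ("phase 1 packet is a duplicate of a previous packet") until the retransmit counter runs out, i.e. the first exchange never completes; an ASA will not negotiate IKE on an interface where ISAKMP has not been enabled.

```cisco
! ===== ASA 5520 (8.2-style syntax) =====
! The statement the thread found missing. Without it the ASA does not
! process IKE on the outside interface at all.
crypto isakmp enable outside
!
! Phase 1 policy mirroring what the 3825 debug shows being offered
! (3DES / MD5 / DH group 2 / pre-share / 43200 s = 0xA8C0)
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 43200
!
! Peer is the 3825's Gig0/0 address. Key value is a placeholder (assumption).
tunnel-group 2.2.2.1 type ipsec-l2l
tunnel-group 2.2.2.1 ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-PSK
!
! Interesting traffic: ASA inside LAN <-> 3825 Loopback0 LAN
access-list L2L-TRAFFIC extended permit ip 10.17.1.0 255.255.255.0 10.16.1.0 255.255.255.0
!
! NAT exemption so tunnel traffic is not PAT'd to 1.1.1.1 (8.2 "nat 0" form)
access-list NONAT extended permit ip 10.17.1.0 255.255.255.0 10.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map OUTSIDE_MAP 10 match address L2L-TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 2.2.2.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-MD5
crypto map OUTSIDE_MAP interface outside

! ===== Cisco 3825 (IOS) =====
! "priority 1 policy" in the debug corresponds to crypto isakmp policy 1
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 43200
!
! Key bound to the ASA's OUTSIDE address only. A key for 10.17.1.2 (the
! ASA inside address) should never be needed for this tunnel.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 1.1.1.1
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
ip access-list extended L2L-TRAFFIC
 permit ip 10.16.1.0 0.0.0.255 10.17.1.0 0.0.0.255
!
crypto map OUTSIDE_MAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set ESP-3DES-MD5
 match address L2L-TRAFFIC
!
! Existing interface config kept; only the crypto map is added here
interface GigabitEthernet0/0
 crypto map OUTSIDE_MAP

! ===== Checks =====
! ASA:  show run crypto isakmp   -> must list "crypto isakmp enable outside"
! both: show crypto isakmp sa    -> QM_IDLE (IOS) / MM_ACTIVE (ASA) with
!                                   peer 1.1.1.1 / 2.2.2.1, not 10.17.1.2
! both: show crypto ipsec sa     -> #pkts encaps/decaps increment while
!                                   10.16.1.1 pings 10.17.1.1
```

Two things worth checking once the tunnel is up. First, the ISAKMP SA on the 3825 should show peer 1.1.1.1, the ASA outside address; if it still shows 10.17.1.2, IKE is being sourced or NAT'd from the wrong interface and the pre-shared-key line for 10.17.1.2 the poster added as a workaround should be removed. Second, the 3DES/MD5/DH group 2 parameters are simply what this debug shows and are no longer recommended; on current code use AES-256 with SHA-256 and DH group 14 or higher (and IKEv2 where both ends support it), and generate the pre-shared key randomly rather than using a dictionary word.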

2 Replies


Dude....you rock!!!

6 of us have been looking at this for 12 hours, and no one caught that!  Dropped that command in and it came up immediately!!!    
