IPSEC tunnel is not coming up (Site to site)

Unanswered Question
Apr 25th, 2010

Hi

My site-to-site IPsec tunnel is not coming up.

R2>R0>FW>R3

Connectivity is OK.

Please find the configuration of R2 and the firewall.

R2
============================================================
crypto isakmp policy 10
hash md5
authentication pre-share
group 5
encryption des
crypto isakmp key cisco123 address 192.168.3.3 255.255.255.0
crypto ipsec transform-set To-FW0 esp-des esp-md5-hmac

crypto map To-FW0 10 ipsec-isakmp
set peer 192.168.3.3
set transform-set To-FW0
match address IPSEC

ip access-list extended IPSEC
permit ip 172.16.1.0 0.0.0.63 10.1.3.0 0.0.0.31 log


===========================================================

ASA
===========================================================

crypto isakmp policy 10 encryption des
crypto isakmp policy 10 hash md5
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 group 5

sysopt connection permit-ipsec

crypto isakmp policy 10 lifetime 86400

crypto isakmp enable outside
crypto isakmp key cisco123 address 192.168.1.2 netmask 255.255.255.0

crypto ipsec transform-set To-R2 esp-des

crypto map To-R2 10 match address IPSEC
crypto map To-R2 10 set peer 192.168.1.2
crypto map To-R2 10 set transform-set To-R2
crypto map To-R2 10 set security-association lifetime seconds 3600

crypto map To-R2 interface outside

ip access-list extended IPSEC
permit ip 10.1.3.0 255.255.255.224 172.16.1.0 255.255.255.192 log

====================================================================

I am attaching the debug logs :

R2:

*Apr 25 11:25:30.095: ISAKMP:(1031):purging node -1057690575
*Apr 25 11:25:30.099: ISAKMP:(1031):purging node 1410283793
*Apr 25 11:25:30.103: ISAKMP:(1031):purging node 215542685
*Apr 25 11:25:40.091: ISAKMP:(1031):purging SA., sa=674D7128, delme=674D7128
*Apr 25 11:25:40.215: ISAKMP:(0): SA request profile is (NULL)
*Apr 25 11:25:40.219: ISAKMP: Created a peer struct for 192.168.3.3, peer port 500
*Apr 25 11:25:40.219: ISAKMP: New peer created peer = 0x65CCCA78 peer_handle = 0x80000022
*Apr 25 11:25:40.223: ISAKMP: Locking peer struct 0x65CCCA78, refcount 1 for isakmp_initiator
*Apr 25 11:25:40.223: ISAKMP: local port 500, remote port 500
*Apr 25 11:25:40.223: ISAKMP: set new node 0 to QM_IDLE     
*Apr 25 11:25:40.223: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 674D3F7C
*Apr 25 11:25:40.223: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Apr 25 11:25:40.223: ISAKMP:(0):found peer pre-shared key matching 192.168.3.3
*Apr 25 11:25:40.223: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Apr 25 11:25:40.223: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Apr 25 11:25:40.223: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Apr 25 11:25:40.223: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Apr 25 11:25:40.223: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Apr 25 11:25:40.223: ISAKMP:(0): beginning Main Mode exchange
*Apr 25 11:25:40.223: ISAKMP:(0): sending packet to 192.168.3.3 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 25 11:25:40.251: ISAKMP (0:0): received packet from 192.168.3.3 dport 500 sport 500 Global (I) MM_NO_STATE
*Apr 25 11:25:40.251: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 25 11:25:40.251: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Apr 25 11:25:40.255: ISAKMP:(0): processing SA payload. message ID = 0
*Apr 25 11:25:40.255: ISAKMP:(0): processing vendor id payload
*Apr 25 11:25:40.255: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Apr 25 11:25:40.255: ISAKMP:(0):found peer pre-shared key matching 192.168.3.3
*Apr 25 11:25:40.255: ISAKMP:(0): local preshared key found
*Apr 25 11:25:40.255: ISAKMP : Scanning profiles for xauth ...
*Apr 25 11:25:40.255: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Apr 25 11:25:40.255: ISAKMP:      encryption DES-CBC
*Apr 25 11:25:40.255: ISAKMP:      hash MD5
*Apr 25 11:25:40.255: ISAKMP:      default group 5
*Apr 25 11:25:40.255: ISAKMP:      auth pre-share
*Apr 25 11:25:40.255: ISAKMP:      life type in seconds
*Apr 25 11:25:40.255: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Apr 25 11:25:40.255: ISAKMP:(0):atts are acceptable. Next payload is 0
*Apr 25 11:25:40.255: ISAKMP:(0): processing vendor id payload
*Apr 25 11:25:40.255: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Apr 25 11:25:40.255: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 25 11:25:40.255: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Apr 25 11:25:40.255: ISAKMP:(0): sending packet to 192.168.3.3 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Apr 25 11:25:40.255: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 25 11:25:40.255: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Apr 25 11:25:40.471: ISAKMP (0:0): received packet from 192.168.3.3 dport 500 sport 500 Global (I) MM_SA_SETUP
*Apr 25 11:25:40.471: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 25 11:25:40.471: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Apr 25 11:25:40.471: ISAKMP:(0): processing KE payload. message ID = 0
*Apr 25 11:25:40.551: ISAKMP:(0): processing NONCE payload. message ID = 0
*Apr 25 11:25:40.551: ISAKMP:(0):found peer pre-shared key matching 192.168.3.3
*Apr 25 11:25:40.551: ISAKMP:(1033): processing vendor id payload
*Apr 25 11:25:40.551: ISAKMP:(1033): vendor ID is Unity
*Apr 25 11:25:40.551: ISAKMP:(1033): processing vendor id payload
*Apr 25 11:25:40.551: ISAKMP:(1033): vendor ID seems Unity/DPD but major 74 mismatch
*Apr 25 11:25:40.551: ISAKMP:(1033): vendor ID is XAUTH
*Apr 25 11:25:40.551: ISAKMP:(1033): processing vendor id payload
*Apr 25 11:25:40.551: ISAKMP:(1033): speaking to another IOS box!
*Apr 25 11:25:40.551: ISAKMP:(1033): processing vendor id payload
*Apr 25 11:25:40.551: ISAKMP:(1033):vendor ID seems Unity/DPD but hash mismatch
*Apr 25 11:25:40.551: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 25 11:25:40.551: ISAKMP:(1033):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Apr 25 11:25:40.555: ISAKMP:(1033):Send initial contact
*Apr 25 11:25:40.555: ISAKMP:(1033):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Apr 25 11:25:40.555: ISAKMP (0:1033): ID payload
    next-payload : 8
    type         : 1
    address      : 192.168.1.2
    protocol     : 17
    port         : 500
    length       : 12
*Apr 25 11:25:40.555: ISAKMP:(1033):Total payload length: 12
*Apr 25 11:25:40.555: ISAKMP:(1033): sending packet to 192.168.3.3 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Apr 25 11:25:40.555: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 25 11:25:40.555: ISAKMP:(1033):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Apr 25 11:25:40.567: ISAKMP (0:1033): received packet from 192.168.3.3 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 25 11:25:40.567: ISAKMP:(1033): processing ID payload. message ID = 0
*Apr 25 11:25:40.567: ISAKMP (0:1033): ID payload
    next-payload : 8
    type         : 2
    FQDN name    : pixfirewall
    protocol     : 0
    port         : 0
    length       : 19
*Apr 25 11:25:40.567: ISAKMP:(0):: peer matches *none* of the profiles
*Apr 25 11:25:40.567: ISAKMP:(1033): processing HASH payload. message ID = 0
*Apr 25 11:25:40.567: ISAKMP:received payload type 17
*Apr 25 11:25:40.567: ISAKMP:(1033): processing vendor id payload
*Apr 25 11:25:40.567: ISAKMP:(1033): vendor ID is DPD
*Apr 25 11:25:40.567: ISAKMP:(1033):SA authentication status:
    authenticated
*Apr 25 11:25:40.567: ISAKMP:(1033):SA has been authenticated with 192.168.3.3
*Apr 25 11:25:40.567: ISAKMP: Trying to insert a peer 192.168.1.2/192.168.3.3/500/,  and inserted successfully 65CCCA78.
*Apr 25 11:25:40.567: ISAKMP:(1033):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 25 11:25:40.567: ISAKMP:(1033):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Apr 25 11:25:40.567: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 25 11:25:40.567: ISAKMP:(1033):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Apr 25 11:25:40.567: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 25 11:25:40.567: ISAKMP:(1033):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Apr 25 11:25:40.567: ISAKMP:(1033):beginning Quick Mode exchange, M-ID of -117702153
*Apr 25 11:25:40.567: ISAKMP:(1033):QM Initiator gets spi
*Apr 25 11:25:40.571: ISAKMP:(1033): sending packet to 192.168.3.3 my_port 500 peer_port 500 (I) QM_IDLE     
*Apr 25 11:25:40.571: ISAKMP:(1033):Node -117702153, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Apr 25 11:25:40.571: ISAKMP:(1033):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Apr 25 11:25:40.571: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Apr 25 11:25:40.571: ISAKMP:(1033):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Apr 25 11:25:40.587: ISAKMP (0:1033): received packet from 192.168.3.3 dport 500 sport 500 Global (I) QM_IDLE     
*Apr 25 11:25:40.587: ISAKMP: set new node -85370112 to QM_IDLE     
*Apr 25 11:25:40.587: ISAKMP:(1033): processing HASH payload. message ID = -85370112
*Apr 25 11:25:40.587: ISAKMP:(1033): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 0, message ID = -85370112, sa = 674D3F7C
*Apr 25 11:25:40.587: ISAKMP:(1033):deleting node -85370112 error FALSE reason "Informational (in) state 1"
*Apr 25 11:25:40.587: ISAKMP:(1033):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Apr 25 11:25:40.587: ISAKMP:(1033):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Apr 25 11:25:40.607: ISAKMP (0:1033): received packet from 192.168.3.3 dport 500 sport 500 Global (I) QM_IDLE     
*Apr 25 11:25:40.611: ISAKMP: set new node -894937366 to QM_IDLE     
*Apr 25 11:25:40.619: ISAKMP:(1033): processing HASH payload. message ID = -894937366
*Apr 25 11:25:40.623: ISAKMP:(1033): processing DELETE payload. message ID = -894937366
*Apr 25 11:25:40.623: ISAKMP:(1033):peer does not do paranoid keepalives.

*Apr 25 11:25:40.623: ISAKMP:(1033):deleting SA reason "No reason" state (I) QM_IDLE       (peer 192.168.3.3)
*Apr 25 11:25:40.623: ISAKMP:(1033):deleting node -894937366 error FALSE reason "Informational (in) state 1"
*Apr 25 11:25:40.623: ISAKMP: set new node -1375397005 to QM_IDLE     
*Apr 25 11:25:40.623: ISAKMP:(1033): sending packet to 192.168.3.3 my_port 500 peer_port 500 (I) QM_IDLE     
*Apr 25 11:25:40.623: ISAKMP:(1033):purging node -1375397005
*Apr 25 11:25:40.623: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Apr 25 11:25:40.623: ISAKMP:(1033):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Apr 25 11:25:40.623: ISAKMP:(1033):deleting SA reason "No reason" state (I) QM_IDLE       (peer 192.168.3.3)
*Apr 25 11:25:40.623: ISAKMP: Unlocking peer struct 0x65CCCA78 for isadb_mark_sa_deleted(), count 0
*Apr 25 11:25:40.623: ISAKMP: Deleting peer node by peer_reap for 192.168.3.3: 65CCCA78
*Apr 25 11:25:40.627: ISAKMP:(1033):deleting node -117702153 error FALSE reason "IKE deleted"
*Apr 25 11:25:40.627: ISAKMP:(1033):deleting node -85370112 error FALSE reason "IKE deleted"
*Apr 25 11:25:40.627: ISAKMP:(1033):deleting node -894937366 error FALSE reason "IKE deleted"
*Apr 25 11:25:40.627: ISAKMP:(1033):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 25 11:25:40.627: ISAKMP:(1033):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

===================================

Firewall debug ( isakmp) :


pixfirewall#     Apr 25 05:52:37 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, QM FSM error (P2 struct &0x244de78, mess id 0x208599d0)!
Apr 25 05:52:37 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, Removing peer from correlator table failed, no match!
Apr 25 05:53:07 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, QM FSM error (P2 struct &0x244eb88, mess id 0x865dc7e0)!
Apr 25 05:53:07 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, Removing peer from correlator table failed, no match!
Apr 25 05:53:37 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, QM FSM error (P2 struct &0x244dc10, mess id 0x90fd705a)!
Apr 25 05:53:37 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, Removing peer from correlator table failed, no match!
Apr 25 05:54:07 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, QM FSM error (P2 struct &0x244dc28, mess id 0x7186b2e5)!
Apr 25 05:54:07 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, Removing peer from correlator table failed, no match!
Apr 25 05:54:37 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, QM FSM error (P2 struct &0x244db10, mess id 0xc0f4ec31)!
Apr 25 05:54:37 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, Removing peer from correlator table failed, no match!
Apr 25 05:55:07 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, QM FSM error (P2 struct &0x244eb88, mess id 0x107bce05)!
Apr 25 05:55:07 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, Removing peer from correlator table failed, no match!

Appreciate your

Jennifer Halim Sun, 04/25/2010 - 00:31

Phase 2 proposal does not match between the router and ASA.

Router: crypto ipsec transform-set To-FW0 esp-des esp-md5-hmac

ASA : crypto ipsec transform-set To-R2 esp-des

Add "esp-md5-hmac" to the ASA transform set: crypto ipsec transform-set To-R2 esp-des esp-md5-hmac

Hope that resolves the issue.

rupam_chakra1983 Sun, 04/25/2010 - 02:38

Hi

Thanks for your reply.

I have a doubt: ideally, in the transform set it should choose the protocol that is common to both transform sets, "esp-des".

However, I have done the configuration on the router for only "esp-des", and now I can see my phase 1 on the router as QM_IDLE, meaning up, but on the ASA I only see MM_ACTIVE:

Firewall:

pixfirewall#  sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.1.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

However, in the show ipsec status on the firewall I can see the packet decryption count is increasing when I ping from the router side.

When I ping from the ASA side I am getting no hit on the interesting ACL on the firewall; however, in the capture on the inside interface I can see that the packets are coming.

The version is 7.1(2).

I am attaching the config for reference.

skint Sun, 04/25/2010 - 03:13

MM_ACTIVE on the ASA is a fully negotiated phase 1 that has brought up phase 2 tunnels. Are you sure you have the necessary routing towards the remote end pointed to your ASA?

show ipsec sa peer 192.168.1.2

packet-tracer input inside icmp 10.1.3.1 8 0 172.16.1.1 det     ---- run this twice

show ipsec sa peer 192.168.1.2

If you have incrementing encaps, it sounds like a routing issue.

-skint

Jennifer Halim Sun, 04/25/2010 - 05:53

MM_ACTIVE and QM_IDLE means the same thing. It means that Phase 1 is up and running.

Transform set needs to match between the 2 sites. On one site you only have DES, and the other site you have DES and MD5. It does not just choose the same for transform set. It is a set just like the isakmp policy (it matches the whole policy suite, not just some matching ones). That is why you are getting the following error in the debug output:

*Apr 25 11:25:40.587: ISAKMP:(1033): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 0, message ID = -85370112, sa = 674D3F7C

The latest config, you have the following:

Router: crypto ipsec transform-set To-FW0 esp-des

ASA: crypto ipsec transform-set To-R2 esp-des esp-none  <---- remove the esp-none, it needs to exactly match the router.

On the ASA, you would also need to configure NAT exemption:

access-list nonat extended permit ip 10.1.3.0 255.255.255.224 172.16.1.0 255.255.255.192

nat (inside) 0 access-list nonat

Also, change the security level of the outside interface of the ASA to 0, currently it's set to 100.
