IPSEC tunnel is not coming up (Site to site)

Hi

My site-to-site IPsec tunnel is not coming up.

R2>R0>FW>R3

Connectivity is OK.

Please find the configuration of R2 and the firewall.

R2
============================================================
crypto isakmp policy 10
hash md5
authentication pre-share
group 5
encryption des
crypto isakmp key cisco123 address 192.168.3.3 255.255.255.0
crypto ipsec transform-set To-FW0 esp-des esp-md5-hmac

crypto map To-FW0 10 ipsec-isakmp
set peer 192.168.3.3
set transform-set To-FW0
match address IPSEC

ip access-list extended IPSEC
permit ip 172.16.1.0 0.0.0.63 10.1.3.0 0.0.0.31 log


===========================================================

ASA
===========================================================

crypto isakmp policy 10 encryption des
crypto isakmp policy 10 hash md5
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 group 5

sysopt connection permit-ipsec

crypto isakmp policy 10 lifetime 86400

crypto isakmp enable outside
crypto isakmp key cisco123 address 192.168.1.2 netmask 255.255.255.0

crypto ipsec transform-set To-R2 esp-des

crypto map To-R2 10 match address IPSEC
crypto map To-R2 10 set peer 192.168.1.2
crypto map To-R2 10 set transform-set To-R2
crypto map To-R2 10 set security-association lifetime seconds 3600

crypto map To-R2 interface outside

ip access-list extended IPSEC
permit ip 10.1.3.0 255.255.255.224 172.16.1.0 255.255.255.192 log

====================================================================

I am attaching the debug logs :

R2:

*Apr 25 11:25:30.095: ISAKMP:(1031):purging node -1057690575
*Apr 25 11:25:30.099: ISAKMP:(1031):purging node 1410283793
*Apr 25 11:25:30.103: ISAKMP:(1031):purging node 215542685
*Apr 25 11:25:40.091: ISAKMP:(1031):purging SA., sa=674D7128, delme=674D7128
*Apr 25 11:25:40.215: ISAKMP:(0): SA request profile is (NULL)
*Apr 25 11:25:40.219: ISAKMP: Created a peer struct for 192.168.3.3, peer port 500
*Apr 25 11:25:40.219: ISAKMP: New peer created peer = 0x65CCCA78 peer_handle = 0x80000022
*Apr 25 11:25:40.223: ISAKMP: Locking peer struct 0x65CCCA78, refcount 1 for isakmp_initiator
*Apr 25 11:25:40.223: ISAKMP: local port 500, remote port 500
*Apr 25 11:25:40.223: ISAKMP: set new node 0 to QM_IDLE     
*Apr 25 11:25:40.223: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 674D3F7C
*Apr 25 11:25:40.223: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Apr 25 11:25:40.223: ISAKMP:(0):found peer pre-shared key matching 192.168.3.3
*Apr 25 11:25:40.223: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Apr 25 11:25:40.223: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Apr 25 11:25:40.223: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Apr 25 11:25:40.223: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Apr 25 11:25:40.223: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Apr 25 11:25:40.223: ISAKMP:(0): beginning Main Mode exchange
*Apr 25 11:25:40.223: ISAKMP:(0): sending packet to 192.168.3.3 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 25 11:25:40.251: ISAKMP (0:0): received packet from 192.168.3.3 dport 500 sport 500 Global (I) MM_NO_STATE
*Apr 25 11:25:40.251: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 25 11:25:40.251: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Apr 25 11:25:40.255: ISAKMP:(0): processing SA payload. message ID = 0
*Apr 25 11:25:40.255: ISAKMP:(0): processing vendor id payload
*Apr 25 11:25:40.255: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Apr 25 11:25:40.255: ISAKMP:(0):found peer pre-shared key matching 192.168.3.3
*Apr 25 11:25:40.255: ISAKMP:(0): local preshared key found
*Apr 25 11:25:40.255: ISAKMP : Scanning profiles for xauth ...
*Apr 25 11:25:40.255: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Apr 25 11:25:40.255: ISAKMP:      encryption DES-CBC
*Apr 25 11:25:40.255: ISAKMP:      hash MD5
*Apr 25 11:25:40.255: ISAKMP:      default group 5
*Apr 25 11:25:40.255: ISAKMP:      auth pre-share
*Apr 25 11:25:40.255: ISAKMP:      life type in seconds
*Apr 25 11:25:40.255: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Apr 25 11:25:40.255: ISAKMP:(0):atts are acceptable. Next payload is 0
*Apr 25 11:25:40.255: ISAKMP:(0): processing vendor id payload
*Apr 25 11:25:40.255: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Apr 25 11:25:40.255: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 25 11:25:40.255: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Apr 25 11:25:40.255: ISAKMP:(0): sending packet to 192.168.3.3 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Apr 25 11:25:40.255: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 25 11:25:40.255: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Apr 25 11:25:40.471: ISAKMP (0:0): received packet from 192.168.3.3 dport 500 sport 500 Global (I) MM_SA_SETUP
*Apr 25 11:25:40.471: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 25 11:25:40.471: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Apr 25 11:25:40.471: ISAKMP:(0): processing KE payload. message ID = 0
*Apr 25 11:25:40.551: ISAKMP:(0): processing NONCE payload. message ID = 0
*Apr 25 11:25:40.551: ISAKMP:(0):found peer pre-shared key matching 192.168.3.3
*Apr 25 11:25:40.551: ISAKMP:(1033): processing vendor id payload
*Apr 25 11:25:40.551: ISAKMP:(1033): vendor ID is Unity
*Apr 25 11:25:40.551: ISAKMP:(1033): processing vendor id payload
*Apr 25 11:25:40.551: ISAKMP:(1033): vendor ID seems Unity/DPD but major 74 mismatch
*Apr 25 11:25:40.551: ISAKMP:(1033): vendor ID is XAUTH
*Apr 25 11:25:40.551: ISAKMP:(1033): processing vendor id payload
*Apr 25 11:25:40.551: ISAKMP:(1033): speaking to another IOS box!
*Apr 25 11:25:40.551: ISAKMP:(1033): processing vendor id payload
*Apr 25 11:25:40.551: ISAKMP:(1033):vendor ID seems Unity/DPD but hash mismatch
*Apr 25 11:25:40.551: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 25 11:25:40.551: ISAKMP:(1033):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Apr 25 11:25:40.555: ISAKMP:(1033):Send initial contact
*Apr 25 11:25:40.555: ISAKMP:(1033):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Apr 25 11:25:40.555: ISAKMP (0:1033): ID payload
    next-payload : 8
    type         : 1
    address      : 192.168.1.2
    protocol     : 17
    port         : 500
    length       : 12
*Apr 25 11:25:40.555: ISAKMP:(1033):Total payload length: 12
*Apr 25 11:25:40.555: ISAKMP:(1033): sending packet to 192.168.3.3 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Apr 25 11:25:40.555: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 25 11:25:40.555: ISAKMP:(1033):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Apr 25 11:25:40.567: ISAKMP (0:1033): received packet from 192.168.3.3 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Apr 25 11:25:40.567: ISAKMP:(1033): processing ID payload. message ID = 0
*Apr 25 11:25:40.567: ISAKMP (0:1033): ID payload
    next-payload : 8
    type         : 2
    FQDN name    : pixfirewall
    protocol     : 0
    port         : 0
    length       : 19
*Apr 25 11:25:40.567: ISAKMP:(0):: peer matches *none* of the profiles
*Apr 25 11:25:40.567: ISAKMP:(1033): processing HASH payload. message ID = 0
*Apr 25 11:25:40.567: ISAKMP:received payload type 17
*Apr 25 11:25:40.567: ISAKMP:(1033): processing vendor id payload
*Apr 25 11:25:40.567: ISAKMP:(1033): vendor ID is DPD
*Apr 25 11:25:40.567: ISAKMP:(1033):SA authentication status:
    authenticated
*Apr 25 11:25:40.567: ISAKMP:(1033):SA has been authenticated with 192.168.3.3
*Apr 25 11:25:40.567: ISAKMP: Trying to insert a peer 192.168.1.2/192.168.3.3/500/,  and inserted successfully 65CCCA78.
*Apr 25 11:25:40.567: ISAKMP:(1033):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 25 11:25:40.567: ISAKMP:(1033):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Apr 25 11:25:40.567: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Apr 25 11:25:40.567: ISAKMP:(1033):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Apr 25 11:25:40.567: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Apr 25 11:25:40.567: ISAKMP:(1033):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Apr 25 11:25:40.567: ISAKMP:(1033):beginning Quick Mode exchange, M-ID of -117702153
*Apr 25 11:25:40.567: ISAKMP:(1033):QM Initiator gets spi
*Apr 25 11:25:40.571: ISAKMP:(1033): sending packet to 192.168.3.3 my_port 500 peer_port 500 (I) QM_IDLE     
*Apr 25 11:25:40.571: ISAKMP:(1033):Node -117702153, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Apr 25 11:25:40.571: ISAKMP:(1033):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Apr 25 11:25:40.571: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Apr 25 11:25:40.571: ISAKMP:(1033):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Apr 25 11:25:40.587: ISAKMP (0:1033): received packet from 192.168.3.3 dport 500 sport 500 Global (I) QM_IDLE     
*Apr 25 11:25:40.587: ISAKMP: set new node -85370112 to QM_IDLE     
*Apr 25 11:25:40.587: ISAKMP:(1033): processing HASH payload. message ID = -85370112
*Apr 25 11:25:40.587: ISAKMP:(1033): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 0, message ID = -85370112, sa = 674D3F7C
*Apr 25 11:25:40.587: ISAKMP:(1033):deleting node -85370112 error FALSE reason "Informational (in) state 1"
*Apr 25 11:25:40.587: ISAKMP:(1033):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Apr 25 11:25:40.587: ISAKMP:(1033):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Apr 25 11:25:40.607: ISAKMP (0:1033): received packet from 192.168.3.3 dport 500 sport 500 Global (I) QM_IDLE     
*Apr 25 11:25:40.611: ISAKMP: set new node -894937366 to QM_IDLE     
*Apr 25 11:25:40.619: ISAKMP:(1033): processing HASH payload. message ID = -894937366
*Apr 25 11:25:40.623: ISAKMP:(1033): processing DELETE payload. message ID = -894937366
*Apr 25 11:25:40.623: ISAKMP:(1033):peer does not do paranoid keepalives.

*Apr 25 11:25:40.623: ISAKMP:(1033):deleting SA reason "No reason" state (I) QM_IDLE       (peer 192.168.3.3)
*Apr 25 11:25:40.623: ISAKMP:(1033):deleting node -894937366 error FALSE reason "Informational (in) state 1"
*Apr 25 11:25:40.623: ISAKMP: set new node -1375397005 to QM_IDLE     
*Apr 25 11:25:40.623: ISAKMP:(1033): sending packet to 192.168.3.3 my_port 500 peer_port 500 (I) QM_IDLE     
*Apr 25 11:25:40.623: ISAKMP:(1033):purging node -1375397005
*Apr 25 11:25:40.623: ISAKMP:(1033):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Apr 25 11:25:40.623: ISAKMP:(1033):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Apr 25 11:25:40.623: ISAKMP:(1033):deleting SA reason "No reason" state (I) QM_IDLE       (peer 192.168.3.3)
*Apr 25 11:25:40.623: ISAKMP: Unlocking peer struct 0x65CCCA78 for isadb_mark_sa_deleted(), count 0
*Apr 25 11:25:40.623: ISAKMP: Deleting peer node by peer_reap for 192.168.3.3: 65CCCA78
*Apr 25 11:25:40.627: ISAKMP:(1033):deleting node -117702153 error FALSE reason "IKE deleted"
*Apr 25 11:25:40.627: ISAKMP:(1033):deleting node -85370112 error FALSE reason "IKE deleted"
*Apr 25 11:25:40.627: ISAKMP:(1033):deleting node -894937366 error FALSE reason "IKE deleted"
*Apr 25 11:25:40.627: ISAKMP:(1033):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Apr 25 11:25:40.627: ISAKMP:(1033):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

===================================

Firewall debug (isakmp):

pixfirewall#     Apr 25 05:52:37 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, QM FSM error (P2 struct &0x244de78, mess id 0x208599d0)!
Apr 25 05:52:37 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, Removing peer from correlator table failed, no match!
Apr 25 05:53:07 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, QM FSM error (P2 struct &0x244eb88, mess id 0x865dc7e0)!
Apr 25 05:53:07 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, Removing peer from correlator table failed, no match!
Apr 25 05:53:37 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, QM FSM error (P2 struct &0x244dc10, mess id 0x90fd705a)!
Apr 25 05:53:37 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, Removing peer from correlator table failed, no match!
Apr 25 05:54:07 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, QM FSM error (P2 struct &0x244dc28, mess id 0x7186b2e5)!
Apr 25 05:54:07 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, Removing peer from correlator table failed, no match!
Apr 25 05:54:37 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, QM FSM error (P2 struct &0x244db10, mess id 0xc0f4ec31)!
Apr 25 05:54:37 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, Removing peer from correlator table failed, no match!
Apr 25 05:55:07 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, QM FSM error (P2 struct &0x244eb88, mess id 0x107bce05)!
Apr 25 05:55:07 [IKEv1]: Group = 192.168.1.2, IP = 192.168.1.2, Removing peer from correlator table failed, no match!

Appreciate your

4 Replies

Jennifer Halim
Cisco Employee

Phase 2 proposal does not match between the router and ASA.

Router: crypto ipsec transform-set To-FW0 esp-des esp-md5-hmac

ASA : crypto ipsec transform-set To-R2 esp-des

Add "esp-md5-hmac" to the ASA transform set: crypto ipsec transform-set To-R2 esp-des esp-md5-hmac

Hope that resolves the issue.

Hi

Thanks for your reply.

I have a doubt: ideally, in the transform set it should choose the protocol that is common to both transform sets, "esp-des".

However, I have done the configuration on the router for only "esp-des", and now I can see my Phase 1 in my router as QM_IDLE, which means up, but in the ASA I only see MM_ACTIVE:

Firewall:

pixfirewall#  sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.1.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

However, in the show ipsec status on the firewall I can see the packet decryption count is increasing when I ping from the router side.

However, when I ping from the ASA side I am getting no hit in the interesting ACL on the firewall, although in the capture on the inside interface I can see that the packets are coming.

The version is 7.1(2)

I am attaching the config for reference.

MM_ACTIVE on the ASA is a fully negotiated phase 1 that has brought up phase 2 tunnels.  Are you sure you have the necessary routing towards the remote end pointed to your ASA?

show ipsec sa peer 192.168.1.2

packet-tracer input inside icmp 10.1.3.1 8 0 172.16.1.1 det     ---- run this twice

show ipsec sa peer 192.168.1.2

If you have incrementing encaps, it sounds like a routing issue.

-skint

MM_ACTIVE and QM_IDLE means the same thing. It means that Phase 1 is up and running.

Transform set needs to match between the 2 sites. On one site you only have DES, and the other site you have DES and MD5. It does not just choose the same for transform set. It is a set just like the isakmp policy (it matches the whole policy suite, not just some matching ones). That is why you are getting the following error in the debug output:

*Apr 25 11:25:40.587: ISAKMP:(1033): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 0, message ID = -85370112, sa = 674D3F7C

The latest config, you have the following:

Router: crypto ipsec transform-set To-FW0 esp-des

ASA: crypto ipsec transform-set To-R2 esp-des esp-none  <---- remove the esp-none, it needs to exactly match the router.

On the ASA, you would also need to configure NAT exemption:

access-list nonat extended permit ip 10.1.3.0 255.255.255.224 172.16.1.0 255.255.255.192

nat (inside) 0 access-list nonat

Also, change the security level of the outside interface of the ASA to 0, currently it's set to 100.
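As an added illustration (not code from the thread or from either device), a small Python check that models the two Phase 2 conditions discussed in this reply: the transform set must match as a whole set, not just share one transform, and the crypto ACLs must mirror each other (IOS wildcard on the router, netmask on the ASA). The config excerpts are constructed from the lines posted above; the ASA ACL is written in ASA `access-list` form.

```python
import ipaddress
import re

# Constructed excerpts based on the thread's posted configs (not the full device configs).
ROUTER_CFG = """
crypto ipsec transform-set To-FW0 esp-des esp-md5-hmac
ip access-list extended IPSEC
 permit ip 172.16.1.0 0.0.0.63 10.1.3.0 0.0.0.31 log
"""
ASA_CFG = """
crypto ipsec transform-set To-R2 esp-des
access-list IPSEC extended permit ip 10.1.3.0 255.255.255.224 172.16.1.0 255.255.255.192
"""
# The ASA transform set after the fix suggested in the thread.
ASA_FIXED_CFG = ASA_CFG.replace("esp-des\n", "esp-des esp-md5-hmac\n")


def transform_set(cfg):
    """Transforms named in the device's transform set, compared as a whole set."""
    m = re.search(r"crypto ipsec transform-set \S+ (.+)", cfg)
    return frozenset(m.group(1).split())


def _net(addr, mask, wildcard):
    """Build a network from an IOS wildcard (inverted to a netmask) or an ASA netmask."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def crypto_acl(cfg, wildcard):
    """(source, destination) networks from the first 'permit ip' line of the crypto ACL."""
    src, smask, dst, dmask = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg).groups()
    return _net(src, smask, wildcard), _net(dst, dmask, wildcard)


def phase2_check(router_cfg, asa_cfg):
    """Mimic the two Phase 2 checks the responder performs; return a list of mismatches."""
    problems = []
    r_ts, a_ts = transform_set(router_cfg), transform_set(asa_cfg)
    if r_ts != a_ts:  # the whole set must match, not just one common transform
        problems.append(f"PROPOSAL_NOT_CHOSEN: router {sorted(r_ts)} vs ASA {sorted(a_ts)}")
    r_src, r_dst = crypto_acl(router_cfg, wildcard=True)
    a_src, a_dst = crypto_acl(asa_cfg, wildcard=False)
    if (r_src, r_dst) != (a_dst, a_src):  # proxy IDs must mirror each other
        problems.append(f"crypto ACLs not mirrored: router {r_src}->{r_dst}, ASA {a_src}->{a_dst}")
    return problems


if __name__ == "__main__":
    print(phase2_check(ROUTER_CFG, ASA_CFG))        # one PROPOSAL_NOT_CHOSEN entry
    print(phase2_check(ROUTER_CFG, ASA_FIXED_CFG))  # []
```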
