ASA disconnects client due to XAUTH failure even though XAUTH disabled

Peter Paluch
Cisco Employee

Dear friends,

I am trying to create an IPsec tunnel between a ZyXEL ZyWALL P1 hardware firewall and an ASA 5510, OS version 8.0(2). Both parties should authenticate themselves using only PKI X.509 certificates without any XAUTH authentication.
The current configuration of the ASA permits software Cisco VPN Clients to connect without any problems. However, when I try to connect the ZyWALL, the ASA complains about the "peer is not authenticated by xauth - drop connection" and it indeed drops the connection. This puzzles me, as both the hardware ZyWALL and software clients are handled by the same tunnel group in which the XAUTH is deactivated using the command "isakmp ikev1-user-authentication none". My goal, obviously, is to configure the ASA in such a way that it will be possible to create an IPsec tunnel between the ZyWALL and the ASA authenticated using the certificates only, without the XAUTH.

The ZyWALL does not seem to support the MODE configuration. I do not know if this is a noteworthy fact but I am including it for the sake of completeness.

I am enclosing the relevant snippets of the configuration and the output of the debug crypto isakmp 127 command. A short explanation of the various addresses seen in the debug output:

  • 158.193.139.0/24 is the public segment in the lab where the ZyWALL appliance is being tested
  • 192.168.167.0/24 is the private segment behind the ZyWALL appliance (its "LAN" interface)
  • 172.27.137.0/24 is the private segment behind ASA to which clients gain access via IPsec

I am most grateful for all guidance you can give me!

Best regards,

Peter


15 Replies

Marcin Latosiewicz
Cisco Employee

Peter,

Jun 21 13:46:11 [IKEv1]: IP = 158.193.139.173, Trying to find group via cert rules...
Jun 21 13:46:11 [IKEv1]: IP = 158.193.139.173, Connection landed on tunnel_group TG-RAIS
Jun 21 13:46:11 [IKEv1]: Group = TG-RAIS, IP = 158.193.139.173, No valid authentication type found for the tunnel group

Would you kindly add crypto map entry with:

- set peer (if known and not dynamic)

- trustpoint

- match of access-lists

and retry - with ASA being the initiator.

Hello Marcin,

Thank you very much for your reply. I will try to modify the ASA's config and get back to you.

In the meantime, the debug snippet you have quoted appears also when the software Cisco VPN Client is connecting. It's kind of logical because I have deactivated all authentication options for the tunnel group (the only one remaining is the RSA signature during the IKE Phase 1).

What also bugs me is that, basically, the IKE Phase 1 is actually reported as completed by the ASA. It is during the transition through Phase 1.5 (the XAUTH), which should not be there at all, that the ASA reports a problem.

Thank you very much for replying!

Best regards,

Peter

Peter,

It appears to be the zyxel box:

Jun 21 13:46:11 [IKEv1 DECODE]: IP = 158.193.139.173, ID_FQDN ID received, len 17
0000: 7A797831 2E76706E 2E656365 72742E73     zyx1.vpn.ecert.s
0010: 6B                                      k

Marcin

Marcin,

Thank you very much for your answer. Can you please elaborate in more detail why you believe this is a problem? I have noticed that the ZyWALL is sending its ID as the FQDN, as opposed to the Cisco VPN Client, which sends the client's ID as the DER_ASN1_DN (Distinguished Name).

Thank you!

Best regards,

Peter
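As an added example (not from this thread, Cisco or ZyXEL), a small Python parser that pulls the tunnel-group match, the peer's decoded IKE identity and any drop reason out of debug crypto isakmp output, so the ZyWALL and Cisco VPN Client captures can be compared field by field; the sample input is constructed from the debug lines quoted in this thread.

```python
import re

# Constructed sample: the debug crypto isakmp lines quoted in this thread, stitched together
SAMPLE_DEBUG = """\
Jun 21 13:46:11 [IKEv1]: IP = 158.193.139.173, Trying to find group via cert rules...
Jun 21 13:46:11 [IKEv1]: IP = 158.193.139.173, Connection landed on tunnel_group TG-RAIS
Jun 21 13:46:11 [IKEv1 DECODE]: IP = 158.193.139.173, ID_FQDN ID received, len 17
0000: 7A797831 2E76706E 2E656365 72742E73     zyx1.vpn.ecert.s
0010: 6B                                      k
Jun 21 13:46:11 [IKEv1]: Group = TG-RAIS, IP = 158.193.139.173, No valid authentication type found for the tunnel group
"""

ID_RE = re.compile(r"(ID_[A-Z0-9_]+) ID received, len (\d+)")
GROUP_RE = re.compile(r"Connection landed on tunnel_group (\S+)")
HEXROW_RE = re.compile(r"^[0-9A-Fa-f]{4}:\s+(.*)$")
# drop reasons seen in this thread
ERRORS = ("No valid authentication type found", "not authenticated by xauth")

def hexdump_bytes(row):
    """Bytes encoded in one ASA hex-dump row (at most 4 hex words); None if not a dump row.
    The ASCII column after the hex words is ignored."""
    m = HEXROW_RE.match(row)
    if not m:
        return None
    out = bytearray()
    for tok in m.group(1).split()[:4]:
        if not re.fullmatch(r"(?:[0-9A-Fa-f]{2}){1,4}", tok):
            break
        out += bytes.fromhex(tok)
    return bytes(out)

def summarize_ike_debug(text):
    """Extract tunnel-group selection, the peer's IKE identity and drop reasons."""
    s = {"tunnel_group": None, "id_type": None, "id_value": None, "id_len_ok": None, "errors": []}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if m := GROUP_RE.search(line):
            s["tunnel_group"] = m.group(1)
        if m := ID_RE.search(line):
            s["id_type"], declared, raw = m.group(1), int(m.group(2)), b""
            # hex-dump rows directly follow the "ID received" line
            while i + 1 < len(lines) and (chunk := hexdump_bytes(lines[i + 1])) is not None:
                raw += chunk
                i += 1
            s["id_value"] = raw.decode("ascii", "replace") if s["id_type"] == "ID_FQDN" else raw.hex()
            s["id_len_ok"] = len(raw) == declared  # declared length vs. bytes actually dumped
        s["errors"] += [line.split(", ")[-1] for err in ERRORS if err in line]
        i += 1
    return s
```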

Peter,

I believe at the base of the problem lies the fact that you're falling under dynamic crypto and not statically assigned, thus you're not able to specify which trustpoint you will use to send for authentication.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c5.html#wp2239653

If in doubt, debug isakmp at 100 + debug crypto ca ... debugs.

Marcin

Hello Marcin,

I believe at the base of the problem lies the fact that you're falling under dynamic crypto and not statically assigned, thus you're not able to specify which trustpoint you will use to send for authentication.

This statement is true but I am afraid that it does not apply here. In the deployment I am troubleshooting, the ASA is and always will be a responder, never an initiator of an IPsec tunnel. The URL that you have referenced about the crypto map set trustpoint command states specifically:

This crypto map command is valid only for initiating a connection. For information on the responder side, see the tunnel-group commands.

Thus, for my ASA in the responder role, this command does not apply. The configuration file I have attached in my first reply contains the following stanza:

tunnel-group TG-RAIS ipsec-attributes
trust-point CA-ECert
isakmp ikev1-user-authentication none

So the trustpoint for this connection can obviously be determined clearly. Actually, the IKE Phase 1 is shown in the debug to be completed successfully, which would not be the case if the actual trustpoint and the related certificate exchange were not successful in the first place. I also have to stress that the same configuration using a Cisco VPN Client works just fine. I am attaching the output of the debug crypto isakmp 127 using the Cisco VPN Client software to compare the results.

There is something fishy going on... something is different and I cannot find out what it is.

Best regards,

Peter

Peter,

OK this was the information I missed.

To avoid further back and forth, please attach.

Full debug from ASA when zyxel is connecting (where peer is the IP address of zyxel device at time of testing)

-------

deb crypto cond peer ....

deb cry isa 100

deb crypto ipsec 100

deb cry ca mess 100

deb cry ca trans 100

--------

and following sections from config;
---------

show run crypto

show run tunnel-group

show run group-policy

---------

Hello Marcin,

Please find attached the information you have requested. Also please check the attachments in my original post - they also contain selected snippets of the relevant configuration.

Thank you for your ongoing support!

Best regards,

Peter

Marcin,

Perhaps there can be an issue with the certificate data itself. I am enclosing the certificate information in the attachment. Please note that the Subject Name identifies me as a person while the Subject Alternative Name refers to the DNS FQDN of the ZyWALL appliance. Do you believe that these two fields should correspond to each other? Also, the name "zyx1.vpn.ecert.sk" is not currently present in DNS. Is that perhaps required?

Thank you!

Best regards,

Peter

Peter,

Well I needed to re-read a big part of your email.

I understand that you essentially want your zyxel firewall to act as an EzVPN client (note that it DOES NOT send unity tag in MM1) and not an L2L tunnel.

Group = TG-RAIS, Username = Peter Paluch VPN, IP = 158.193.139.173, processing hash payload

Is that username configured anywhere on the zyxel firewall?

Marcin

Marcin,

Thank you for asking me about the EzVPN and/or L2L tunnels. Actually I wanted to create a L2L tunnel but I was trying to terminate it on a remote access tunnel group and that was the problem! Man, am I stupid...

Nevertheless, thank you! After creating a separate tunnel group with the type ipsec-l2l and mapping the ZyWALL into it, I am now able to successfully establish the IPsec connection.

I still do have a problem, though. It seems to be related to routing. The ZyWALL now nicely creates an IPsec tunnel and the ASA accepts it. It also recognizes the network behind the ZyWALL, according to the debug output. However, no route is added to the ASA's routing table pointing towards the network behind the ZyWALL. The traffic sourced on the internal network behind the ASA destined for the network behind the ZyWALL leaves the ASA unencrypted via the default route and never reaches the ZyWALL. What am I missing here?

The relevant portions of the configuration now look as follows:

group-policy GP-RAIS-PeterP-ZyX internal
group-policy GP-RAIS-PeterP-ZyX attributes
vpn-tunnel-protocol IPSec

tunnel-group TG-PeterP-ZyX type ipsec-l2l
tunnel-group TG-PeterP-ZyX general-attributes
default-group-policy GP-RAIS-PeterP-ZyX
tunnel-group TG-PeterP-ZyX ipsec-attributes
trust-point CA-ECert

After the IPsec connection is closed, the debug contains the following line:

Jun 22 13:11:03 [IKEv1]: Group = TG-PeterP-ZyX, IP = 158.193.139.173, Deleting static route for L2L peer that came in on a dynamic map. address: 192.168.167.0, mask: 255.255.255.0

However, there was no such "static" route present in the routing table at all during the entire duration of the IPsec connection.

Thank you so much for your patience with me, Marcin!

Best regards,

Peter

Peter,

Re routing stuff:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2189584

Can you give it a try?

Marcin

Edit.

P.S.

8.0.2 is ANCIENT consider 8.0.5 if above does not work.

Hello Marcin,

That command did it. Thank you!

I would like to thank you very much for all your patience and help. You have been a great support and I appreciate it very much. I owe you one should you ever travel to Slovakia.

Best regards,

Peter

Peter,

Have a Zlaty Bazant for me ;-)

Marcin
