Cisco ASA to Openswan Error: no matching crypto map entry for remote proxy

Unanswered Question
Jul 16th, 2010
User Badges:

I've been playing around with configs in both openswan and the ASA to try and get it working properly. I did have them talking with a dynamic crypto map set, but there would be issues after a powercycle on either device. Now im having trouble getting them to talk with static crypto maps. The full error is:

no matching crypto map entry for remote proxy 10.10.10.0/255.255.255.0/0/0 local proxy 192.168.1.0/255.255.255.0/0/0   on interface outside.


My asa config:


!
hostname ciscoasa                
enable password  8Ry2YjIyt7RRXU24 encrypted                                         
passwd  2KFQnbNIdI.2KYOU encrypted                                
names     
!
interface Vlan1              
nameif inside              
security-level 100                  
ip address 192.168.1.1  255.255.255.0                                    
!
interface  Vlan2              
nameif outside              
security-level 0                
ip address 200.200.200.1  255.255.255.0                                      
!
interface  Ethernet0/0                    
switchport access vlan  2                        
!
interface  Ethernet0/1                    
!
interface  Ethernet0/2                    
!
interface  Ethernet0/3                    
!
interface  Ethernet0/4                    
!
interface  Ethernet0/5                    
!
interface  Ethernet0/6                    
!
interface  Ethernet0/7                    
!
ftp mode  passive                                                          
access-list inbound  extended permit udp any any eq  isakmp                                                        
access-list  inbound extended permit udp any any eq  4500                                                      
access-list  inbound extended permit esp any  any                                                                                     
access-list NONAT  extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0  255.2                                                                                
55.255.0       
access-list outbound_tunnel extended permit ip  192.168.1.0 255.255.255.0 192.168.2.0  25                                                                                
5.255.255.0          
pager lines 24             
logging enable             
logging  timestamp                
logging buffered  debugging                         
logging asdm  informational                         
mtu inside 1500               
mtu outside 1500               
ip local pool name  192.168.1.40-192.168.1.60                                           
icmp  unreachable rate-limit 1 burst-size  1                                         
no asdm history  enable                     
arp timeout 14400                
global  (outside) 1 interface                           
nat (inside) 0  access-list NONAT                               
nat (inside) 1  0.0.0.0 0.0.0.0                             
access-group inbound in  interface outside                                        
route  outside 0.0.0.0 0.0.0.0  200.200.200.0                                         
timeout xlate  3:00:00                    
timeout conn 1:00:00 half-closed  0:10:00 udp 0:02:00 icmp  0:00:02                                                                
timeout  sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat  0:05:00                                                                              
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00  sip-disconnect  0:02:00                                                                               
timeout sip-provisional-media 0:02:00 uauth 0:05:00  absolute                                                           
timeout  tcp-proxy-reassembly 0:01:00                                   
dynamic-access-policy-record  DfltAccessPolicy                                            
http  server enable                 
http 192.168.1.0 255.255.255.0  inside                                    
no snmp-server  location                      
no snmp-server  contact                     
snmp-server enable traps snmp  authentication linkup linkdown  coldstart                                                                      
crypto ipsec transform-set ts2 esp-3des  esp-md5-hmac                                                   
crypto  ipsec security-association lifetime seconds  28800                                                       
crypto  ipsec security-association lifetime kilobytes  4608000                                                                                                  
crypto map emap  10 match address inbound2                                        
crypto  map emap 10 set peer  192.168.92.128                                         
crypto map  emap 10 set transform-set ts2                                                                                    
crypto map emap  interface outside                                
crypto isakmp  enab                
crypto isakmp policy 10                      
authentication pre-share                        
encryption  3des               
hash md5        
group 2       
lifetime 86400              
telnet timeout 5               
ssh  timeout 5            
console timeout 0                
management-access  inside                       
dhcpd auto_config  outside                        
!
dhcpd address  192.168.1.5-192.168.1.36  inside                                            
dhcpd enable  inside                  
!


threat-detection  basic-threat                            
threat-detection statistics  access-list                                      
no  threat-detection statistics  tcp-intercept                                           
webvpn      
username ryan password .MqBmFV5KQ86DWrJ  encrypted                                                
tunnel-group  200.200.200.2 type ipsec-l2l                                        
tunnel-group  200.200.200.2 ipsec-att                                  
pre-shared-key *                              
!
class-map  inspection_default                           
match  default-inspection-traffic                                
!
!
policy-map  type inspect dns preset_dns_map                                     
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect  ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
   inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
   inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
   inspect tftp
!
service-policy global_policy global
prompt  hostname context
Cryptochecksum:26b17c4d709bc72a3d76158f2c9997bd
:  end


My openswan config:


conn tunnelipsec

    type=tunnel

    authby=secret

    left=192.168.92.128

    leftnexthop=192.168.92.2

    leftsubnet=10.10.10.0/24

    right=200.200.200.1

    rightnexthop=200.200.200.2

    rightsubnet=192.168.1.0/24

    esp=3des-md5

    keyexchange=ike

    pfs=no

    auto=start


iptables:


$IPTABLES -A INPUT -p udp  --dport 500 -j ACCEPT
$IPTABLES -A  OUTPUT -p udp  --dport 500 -j ACCEPT
$IPTABLES -A INPUT -p udp   --dport 4500 -j ACCEPT
$IPTABLES -A OUTPUT -p udp  --dport 4500 -j  ACCEPT

$IPTABLES -A OUTPUT -p udp  --sport 4500 -j ACCEPT

$IPTABLES -t mangle -A PREROUTING -i eth0 -p esp -j MARK --set-mark 1
$IPTABLES -A FORWARD -i eth0 -m mark --mark 1 -s 10.10.10.0 -d 192.168.1.0/24 -j ACCEPT
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Hybrid461 Fri, 07/16/2010 - 06:14
User Badges:

FINALLY figured it out. I changed the outbound_tunnel ACL to a number instead of a name. IMO that's a pretty dumb fix. So everything worked. But then i rebooted to test if it would work after reboot(which it didnt with a dynamic map). But i forgot to save my config changes. So i changed it to a numbered ACL. But i just get repeated: Received encrypted packet with no matching SA, dropping. Only other change ive tried from posted config is setting crypto map emap 10 set peer 200.200.200.2


Edit: Clearing out the SAs worked. Commands:


asa# clear crypto isakmp

asa# clear crypto ipsec sa

Actions

This Discussion