Tunnel working in one direction - All IPSec SA proposals found unacceptable!

Aug 19th, 2010

Hello

If I match traffic on the ASA towards the 877 the tunnel comes up 100%

If I match traffic on the 877 towards the ASA the tunnel is not coming up. I get the following from a debug:

…(lines removed)…
Aug 19 12:48:12 [IKEv1]: Group = 1.1.1.136, IP = 1.1.1.136, PHASE 1 COMPLETED
…(lines removed)…
Aug 19 12:48:12 [IKEv1]: Group = 1.1.1.136, IP = 1.1.1.136, Static Crypto Map check, map outside_map, seq = 5 is a successful match
Aug 19 12:48:12 [IKEv1]: Group = 1.1.1.136, IP = 1.1.1.136, IKE Remote Peer configured for crypto map: outside_map
Aug 19 12:48:12 [IKEv1 DEBUG]: Group = 1.1.1.136, IP = 1.1.1.136, processing IPSec SA payload
Aug 19 12:48:12 [IKEv1]: Group = 1.1.1.136, IP = 1.1.1.136, All IPSec SA proposals found unacceptable!
Aug 19 12:48:12 [IKEv1 DEBUG]: Group = 1.1.1.136, IP = 1.1.1.136, sending notify message
Aug 19 12:48:12 [IKEv1 DEBUG]: Group = 1.1.1.136, IP = 1.1.1.136, constructing blank hash payload
Aug 19 12:48:12 [IKEv1 DEBUG]: Group = 1.1.1.136, IP = 1.1.1.136, constructing ipsec notify payload for msg id 3e05497d
Aug 19 12:48:12 [IKEv1 DEBUG]: Group = 1.1.1.136, IP = 1.1.1.136, constructing qm hash payload
Aug 19 12:48:12 [IKEv1]: IP = 1.1.1.136, IKE_DECODE SENDING Message (msgid=fc4879ef) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Aug 19 12:48:12 [IKEv1]: Group = 1.1.1.136, IP = 1.1.1.136, QM FSM error (P2 struct &0xd8c6e6b0, mess id 0x3e05497d)!
Aug 19 12:48:12 [IKEv1 DEBUG]: Group = 1.1.1.136, IP = 1.1.1.136, IKE QM Responder FSM error history (struct &0xd8c6e6b0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Aug 19 12:48:12 [IKEv1 DEBUG]: Group = 1.1.1.136, IP = 1.1.1.136, sending delete/delete with reason message
Aug 19 12:48:12 [IKEv1]: Group = 1.1.1.136, IP = 1.1.1.136, Removing peer from correlator table failed, no match!

See relevant configuration below

877

crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key abc123 address 2.2.2.220
!
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
!
crypto map TUNNEL_2_64 10 ipsec-isakmp
 set peer 2.2.2.220
 set transform-set TRANS
 match address TUNNEL
!
interface Dialer1
 crypto map TUNNEL_2_64
!
ip nat inside source list NAT interface Dialer1 overload
!
ip access-list extended NAT
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended TUNNEL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip host 1.1.1.136 host 2.2.2.220
 permit ip host 2.2.2.220 host 1.1.1.136

ASA

name 192.168.2.0 sitex
name 192.168.1.0 sitey
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 2.2.2.28.220 255.255.255.248
!
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 sitex 255.255.255.0
access-list outside_1_cryptomap extended permit ip sitex 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit icmp host 2.2.2.220 host 1.1.1.136
access-list outside_1_cryptomap extended permit icmp host 1.1.1.136 host 2.2.2.220
access-list outside_1_cryptomap extended permit ip host 2.2.2.220 host 1.1.1.136
access-list outside_1_cryptomap extended permit ip host 1.1.1.136 host 2.2.2.220
!
crypto ipsec transform-set TEST_TRANS esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 1.1.1.136
crypto map outside_map 1 set transform-set TEST_TRANS
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
tunnel-group 1.1.1.136 type ipsec-l2l
tunnel-group 1.1.1.136 ipsec-attributes
 pre-shared-key *

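An added example, not part of the original post: a small Python triage routine run over a constructed copy of the ASA debug lines above. It groups lines by peer IP and records how far IKEv1 got, so that "PHASE 1 COMPLETED" followed by "All IPSec SA proposals found unacceptable!" is read as a Phase 2 (quick mode) mismatch, not a Phase 1 problem. The message-to-milestone mapping and the next-step wording are this example's own; the elided lines are not reconstructed.

```python
import re

# Constructed excerpt of the ASA debug output posted above (elided lines stay elided).
DEBUG = """\
Aug 19 12:48:12 [IKEv1]: Group = 1.1.1.136, IP = 1.1.1.136, PHASE 1 COMPLETED
Aug 19 12:48:12 [IKEv1]: Group = 1.1.1.136, IP = 1.1.1.136, Static Crypto Map check, map outside_map, seq = 5 is a successful match
Aug 19 12:48:12 [IKEv1 DEBUG]: Group = 1.1.1.136, IP = 1.1.1.136, processing IPSec SA payload
Aug 19 12:48:12 [IKEv1]: Group = 1.1.1.136, IP = 1.1.1.136, All IPSec SA proposals found unacceptable!
Aug 19 12:48:12 [IKEv1]: Group = 1.1.1.136, IP = 1.1.1.136, QM FSM error (P2 struct &0xd8c6e6b0, mess id 0x3e05497d)!
Aug 19 12:48:12 [IKEv1]: Group = 1.1.1.136, IP = 1.1.1.136, Removing peer from correlator table failed, no match!
"""

# One debug line: timestamp, [IKEv1] or [IKEv1 DEBUG], optional "Group = X, ", "IP = X, ", message.
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ [\d:]+) \[IKEv1(?: DEBUG)?\]: "
    r"(?:Group = (?P<group>\S+), )?IP = (?P<ip>\S+), (?P<msg>.*)$"
)
MAP_MATCH = re.compile(r"Static Crypto Map check, map (\S+), seq = (\d+) is a successful match")


def triage_ikev1_debug(text: str) -> dict:
    """Per peer IP: which IKEv1 milestones were reached and what to check next."""
    peers: dict = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                                    # not an IKEv1 line (or an elided marker)
        p = peers.setdefault(m["ip"], {"phase1": False, "crypto_map": None,
                                       "p2_rejected": False, "errors": []})
        msg = m["msg"]
        cm = MAP_MATCH.search(msg)
        if msg == "PHASE 1 COMPLETED":
            p["phase1"] = True                          # ISAKMP SA is up: policy and PSK agree
        elif cm:
            p["crypto_map"] = (cm[1], int(cm[2]))       # crypto map entry the ASA selected
        elif msg.startswith("All IPSec SA proposals found unacceptable"):
            p["p2_rejected"] = True                     # quick mode proposal did not match
        elif "error" in msg.lower() or "failed" in msg.lower():
            p["errors"].append(msg)                     # keep the raw text for the report
    for p in peers.values():
        p["verdict"] = verdict(p)
    return peers


def verdict(p: dict) -> str:
    """Turn the parsed milestones into a next step for the operator."""
    if not p["phase1"]:
        return "Phase 1 never completed: check ISAKMP policy, pre-shared key and peer address"
    if p["p2_rejected"]:
        where = (f"crypto map {p['crypto_map'][0]} seq {p['crypto_map'][1]}"
                 if p["crypto_map"] else "crypto map")
        return (f"Phase 1 OK but Phase 2 proposal rejected under {where}: compare the crypto ACL "
                "(must be a mirror image), transform-set and PFS setting on both peers")
    return "no IKEv1 failure recorded"


if __name__ == "__main__":
    for ip, result in triage_ikev1_debug(DEBUG).items():
        print(ip, result["verdict"])
```

Anything that fails before "PHASE 1 COMPLETED" is an ISAKMP problem (policy, key, reachability); anything after it is a Phase 2 problem, which is where the crypto ACL, transform-set and PFS live.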
Jennifer Halim (Cisco Employee) Thu, 08/19/2010 - 05:29

The crypto ACL is incorrect.


Assuming that ASA LAN is 192.168.2.0/24 and router LAN is 192.168.1.0/24, the following ACL should be configured:


On the router:

ip access-list extended TUNNEL

permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255


On the ASA:

access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0


The rest of the ACL lines that have been configured should be removed. Most importantly, the number of ACL lines on the router should match the number on the ASA, with mirror-image ACLs for the subnets.


You also need to remove the following on the ASA as the router is not configured to use PFS:

crypto map outside_map 1 set pfs group1


Hope that helps.
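The mirror-image rule and the PFS point above, as an added example that is not part of the original thread and not Cisco tooling. The script parses a constructed subset of the two crypto configurations (the host-to-host lines are left out), resolves ASA `name` objects, normalises IOS wildcard masks and ASA netmasks to CIDR, and lists every ACL entry that has no (protocol, destination, source) mirror on the other peer, next to the PFS group and transform list each side's crypto map references. Against the posted configs it flags the `sitex` lines and the PFS mismatch; against the corrected configs from the answer it comes back clean. It understands only the syntax that appears on this page, and the protocol field is compared literally.

```python
import ipaddress

# Constructed subset of the crypto config posted above (host-to-host lines left out).
# The ASA copy keeps the bug the answer points at: 'sitex' is 192.168.2.0, so its first
# two ACL lines map the ASA LAN onto itself instead of onto 192.168.1.0/24.
ROUTER_CONFIG = """\
ip access-list extended TUNNEL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto map TUNNEL_2_64 10 ipsec-isakmp
 set transform-set TRANS
 match address TUNNEL
"""
ASA_CONFIG = """\
name 192.168.2.0 sitex
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 sitex 255.255.255.0
access-list outside_1_cryptomap extended permit ip sitex 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit icmp host 2.2.2.220 host 1.1.1.136
access-list outside_1_cryptomap extended permit icmp host 1.1.1.136 host 2.2.2.220
crypto ipsec transform-set TEST_TRANS esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set transform-set TEST_TRANS
"""
# The answer's fix: one mirror-image ACL line per side and no PFS on the ASA.
FIXED_ROUTER_CONFIG = """\
ip access-list extended TUNNEL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
crypto map TUNNEL_2_64 10 ipsec-isakmp
 set transform-set TRANS
 match address TUNNEL
"""
FIXED_ASA_CONFIG = """\
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set TEST_TRANS esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set transform-set TEST_TRANS
"""

def _endpoint(t: list, i: int, wildcard: bool, names: dict) -> tuple:
    """Consume 'host X', 'any' or 'ADDR MASK' at t[i]; return (CIDR, next index). IOS ACLs carry wildcard masks, ASA ACLs netmasks."""
    if t[i] == "any":
        return "0.0.0.0/0", i + 1
    if t[i] == "host":
        return str(ipaddress.IPv4Network(names.get(t[i + 1], t[i + 1]))), i + 2
    addr, mask = names.get(t[i], t[i]), t[i + 1]
    if wildcard:                                           # 0.0.0.255 -> 255.255.255.0
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return str(ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)), i + 2

def parse_acl(config: str, acl_name: str) -> set:
    """Permit entries (proto, src, dst) of one extended ACL, IOS block style or ASA one-line style."""
    names, entries, in_block = {}, set(), False
    for line in config.splitlines():
        t = line.split()
        if t[:1] == ["name"]:                              # ASA object: name ADDR LABEL
            names[t[2]] = t[1]
        elif t[:4] == ["ip", "access-list", "extended", acl_name]:
            in_block = True                                # IOS: indented entries follow
        elif t[:3] == ["access-list", acl_name, "extended"] or (in_block and t and line.startswith(" ")):
            rule, wildcard = (t[3:], False) if t[0] == "access-list" else (t, True)
            if rule[0] == "permit":
                src, i = _endpoint(rule, 2, wildcard, names)
                dst, _ = _endpoint(rule, i, wildcard, names)
                entries.add((rule[1], src, dst))
        else:
            in_block = False                               # any other top-level line ends the block
    return entries

def phase2_settings(config: str, map_name: str) -> dict:
    """ACL name, PFS group and transform list that a crypto map references (IOS or ASA syntax)."""
    sets, out, in_map = {}, {"acl": None, "pfs": None, "transforms": None}, False
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["crypto", "map", map_name]:
            in_map, t = True, t[4:]                        # ASA keeps the sub-command on the same line
        elif not line.startswith(" "):
            in_map = False
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            sets[t[3]] = " ".join(sorted(t[4:]))           # order-insensitive transform list
        elif in_map and t[:2] == ["match", "address"]:
            out["acl"] = t[2]
        elif in_map and t[:2] == ["set", "pfs"]:
            out["pfs"] = t[2]
        elif in_map and t[:2] == ["set", "transform-set"]:
            out["transforms"] = sets.get(t[2])
    return out

def check_peers(router_cfg: str, router_map: str, asa_cfg: str, asa_map: str) -> dict:
    """ACL entries with no (proto, dst, src) mirror on the other peer, plus PFS and transforms per side."""
    r, a = phase2_settings(router_cfg, router_map), phase2_settings(asa_cfg, asa_map)
    router_acl, asa_acl = parse_acl(router_cfg, r["acl"]), parse_acl(asa_cfg, a["acl"])
    return {
        "unmirrored_on_router": sorted(e for e in router_acl if (e[0], e[2], e[1]) not in asa_acl),
        "unmirrored_on_asa": sorted(e for e in asa_acl if (e[0], e[2], e[1]) not in router_acl),
        "pfs": (r["pfs"], a["pfs"]),
        "transforms": (r["transforms"], a["transforms"]),
    }
```

Calling `check_peers(ROUTER_CONFIG, "TUNNEL_2_64", ASA_CONFIG, "outside_map")` reports both router subnet lines as unmirrored (the ASA has nothing pointing at 192.168.1.0/24), the ASA's 192.168.2.0/24-to-itself line and its two icmp lines as unmirrored, and PFS as (None, "group1"); the same call on the FIXED_ configs returns empty lists and (None, None). Host lines in the real ASA ACL that do have an ip mirror on the router would pass this check, so the "remove the rest" advice still has to be applied by hand.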
