We are trying to establish an IPsec VPN between two locations, from an ASA 5510 to a Cisco 3845, and the setup is as follows:
The ASA receives a PPPoE dynamic public address from Service Provider A through a Cisco 1941 router set up as a bridge. All standard IPsec VPN policies, i.e. interesting traffic, crypto maps etc., are implemented on the ASA, and the software version is 8.4(1). Existing users on the LAN also access a cloud-based service on the Internet by means of dynamic NAT to the cloud service. The IPsec session is set up to peer with the remote site's public IP, which is provided by Service Provider B.
The Cisco router is connected to the Service Provider B firewall through a local gateway. Service Provider B provides a static IP address, which is used as the peer IP address from the ASA. All IPsec policies are implemented on the Cisco 3845 router, which is in the private network. The Cisco 3845 is configured with a default route to the provider firewall using a private IP as the next hop. Service Provider B also implements 1:1 NAT to translate incoming session requests to the public IP, and also NAT Traversal.
The scenario is depicted as follows:
Customer LAN/WLAN -> ASA -> Bridge -> PPPoE (SP A) --------------------------(SP B) Firewall -> Default Gateway -> Cisco IOS 3845
(SP A: public IP; SP B firewall: public IP + NAT + NAT traversal; Cisco 3845: VPN policies)
If a VPN tunnel is initiated by a ping from the Cisco 3845 end, the crypto isakmp sa output shows MM_NO_STATE.
If a VPN tunnel is initiated by a ping from the ASA end, the crypto ikev1 sa output shows MM_WAIT_MSG2.
The states above indicate that both devices have sent their IKE requests and, as there is no response from the remote end, the state information is set to either MSG2 at the ASA end or NO_STATE on the 3845.
An extract of the log capture on the ASA is as follows:
[IKEv1 DEBUG]IP = 126.96.36.199, IKE MM Initiator FSM error history (struct &0xade91ce0) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jun 08 12:01:32 [IKEv1 DEBUG]IP = 188.8.131.52, IKE SA MM:98976544 terminating: flags 0x01000022, refcnt 0, tuncnt 0
and IKE fails to establish. Sometimes we can see "Duplicate packets" in the log messages.
Suspected problems may be due to:
1) Routing related: from the ASA we can ping the public IP of SP B, but from the Cisco 3845 we cannot ping the public IP of the ASA.
2) ASA users are connected to a cloud-based service on the Internet, and advice is needed on whether some kind of split tunneling is required for IPsec traffic, and on any NAT or ACLs required to ensure that IPsec traffic is pushed out through the tunnel.
Currently, interesting traffic is configured to permit IP traffic from LAN A to LAN B, with the mirror image on the other end.
NAT and ACLs allow ICMP inbound to the LAN/WLAN devices, and management access is allowed in the ASA for this subnet.
3) The ASA version is 8.4(1) and is implemented with IKEv1 policies.
Let me know if you need detailed configs and I can send them through.
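As an added example (not part of the original post), a small Python parser for the ASA "FSM error history" line quoted above: it orders the state/event transitions oldest to newest and reports how far main mode got, so a stall at MM_WAIT_MSG2 (MSG1 sent, no MSG2 received, which matches the post's description) is distinguished from a failure later in the exchange. The peer address is replaced with a documentation placeholder, and the assumption that the ASA lists transitions newest first rests on MM_DONE, EV_ERROR appearing at the head of the line.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the ASA "FSM error history" debug line quoted in the
# post, with the peer address replaced by an RFC 5737 documentation address.
SAMPLE_LOG = (
    "[IKEv1 DEBUG]IP = 192.0.2.10, IKE MM Initiator FSM error history "
    "(struct &0xade91ce0) <state>, <event>: MM_DONE, EV_ERROR-->"
    "MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, "
    "NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->"
    "MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY"
)

HISTORY_RE = re.compile(r"FSM error history .*?<state>, <event>: (.*)$")
PEER_RE = re.compile(r"IP = (\d{1,3}(?:\.\d{1,3}){3})")
# Initiator wait states in main-mode order: the further along the SA stalled,
# the more of the responder's messages actually arrived.
WAIT_STATES = ("MM_WAIT_MSG2", "MM_WAIT_MSG4", "MM_WAIT_MSG6")
RETRANSMIT_EVENTS = {"EV_TIMEOUT", "EV_RETRY", "EV_RESEND_MSG"}


def parse_fsm_history(line: str) -> List[Tuple[str, str]]:
    """Return (state, event) pairs, oldest first. Assumption: the ASA prints
    the newest transition first (MM_DONE, EV_ERROR is terminal), so reverse."""
    m = HISTORY_RE.search(line)
    if not m:
        return []
    pairs = []
    for chunk in m.group(1).split("-->"):
        state, _, event = chunk.partition(",")
        pairs.append((state.strip(), event.strip()))
    return pairs[::-1]


def diagnose(line: str) -> Dict[str, object]:
    """Summarise how far main mode got before the initiator gave up."""
    hist = parse_fsm_history(line)
    if not hist:
        return {"recognised": False}
    waits = [s for s, _ in hist if s in WAIT_STATES]
    stalled_at = max(waits, key=WAIT_STATES.index) if waits else None
    peer = PEER_RE.search(line)
    return {
        "recognised": True,
        "peer": peer.group(1) if peer else None,
        "stalled_at": stalled_at,
        # Stuck at MM_WAIT_MSG2 with a terminal error: MSG1 went out, MSG2
        # never came back, so check the path to the peer before the policies.
        "no_reply_to_msg1": stalled_at == "MM_WAIT_MSG2"
        and hist[-1] == ("MM_DONE", "EV_ERROR"),
        "retransmit_events": sum(e in RETRANSMIT_EVENTS for _, e in hist),
    }
```

Run `diagnose()` over each FSM error-history line in the debug capture; a consistent stall at MM_WAIT_MSG2 on the ASA side matches the routing suspicion in point 1 above, whereas a stall at a later wait state would mean the peer is reachable and replying.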