Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9493
Views
0
Helpful
3
Replies

Site-to-Site VPN ASA 5510 <-> RV220W

stownsend
Level 2
Level 2

‎01-09-2012 04:29 PM

I'm looking to get a remote office RV220W connected to my ASA5510.  I have several PIX 501 and ASA5505's connected to the ASA5510.

I've setup everthing similar that I can think of though I'm still not connecting.

IKE Policy:

Direction: Initiator

Exchange mode: Aggressive  (for using FQDN Ident)

Remotes are all DHCP, so setup Local Identifier on RV220W as FQDN and typed in a FQDN for the remote RV220W. That is the same name I used for the Tunnel-Group on the ASA.  Remote is IP, ASA is setup to send IP for Ident.

IKE SA: 

3DES, SHA, DH2, 28800

VPN Policy:

Auto Policy, Remote Endpoint IP

SA-Lifetime: 86400, 3DES, SHA-1, PFS Enabled, DH2

Below is the Log from the RV220W.  The line that stuck out to me was: 

2012-01-10 04:11:44: [rv220w][IKE] WARNING:  Remote address mismatched. Local=<PubIP>[4500], Peer=<PubIP>[500]

Why is Local= and Peer= the same IP?

10.220.1.0/24 = LAN behind RV220W

10.220.255.254 WAN IP of RV220W

10.1.0.0/16 = LAN behind ASA 5510

<PubIP> = Public IP of ASA 5510

2012-01-10 04:11:28: [rv220w][IKE] INFO:  Using IPsec SA configuration: 10.220.1.0/24<->10.1.0.0/16
2012-01-10 04:11:28: [rv220w][IKE] INFO:  Configuration found for <PubIP>.
2012-01-10 04:11:28: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: 10.220.255.254[500]<=><PubIP>[500]
2012-01-10 04:11:28: [rv220w][IKE] INFO:  Beginning Aggressive mode.
2012-01-10 04:11:28: [rv220w][IKE] INFO:  NAT-Traversal is Enabled
2012-01-10 04:11:28: [rv220w][IKE] INFO:   [agg_i1send:256]: XXX: NUMNATTVENDORIDS: 3
2012-01-10 04:11:28: [rv220w][IKE] INFO:   [agg_i1send:260]: XXX: setting vendorid: 4
2012-01-10 04:11:28: [rv220w][IKE] INFO:   [agg_i1send:260]: XXX: setting vendorid: 8
2012-01-10 04:11:28: [rv220w][IKE] INFO:   [agg_i1send:260]: XXX: setting vendorid: 9
2012-01-10 04:11:28: [rv220w][IKE] INFO:  Received Vendor ID: CISCO-UNITY
2012-01-10 04:11:28: [rv220w][IKE] INFO:  Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2012-01-10 04:11:28: [rv220w][IKE] INFO:  Received Vendor ID: DPD
2012-01-10 04:11:28: [rv220w][IKE] INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-01-10 04:11:28: [rv220w][IKE] INFO:  Received unknown Vendor ID
2012-01-10 04:11:28: [rv220w][IKE] INFO:  Received unknown Vendor ID
2012-01-10 04:11:28: [rv220w][IKE] INFO:  NAT-D payload does not match for 10.220.255.254[500]
2012-01-10 04:11:28: [rv220w][IKE] INFO:  NAT-D payload matches for <PubIP>[500]
2012-01-10 04:11:28: [rv220w][IKE] INFO:  For <PubIP>[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2012-01-10 04:11:28: [rv220w][IKE] INFO:  NAT detected: ME 
2012-01-10 04:11:28: [rv220w][IKE] INFO:  for debugging :: changing ports2012-01-10 04:11:28: [rv220w][IKE] INFO:  port changed !!
2012-01-10 04:11:28: [rv220w][IKE] ERROR:  HASH mismatched
2012-01-10 04:11:28: [rv220w][IKE] INFO:  Sending Informational Exchange: notify payload[INVALID-HASH-INFORMATION]
2012-01-10 04:11:36: [rv220w][IKE] WARNING:  Remote address mismatched. Local=<PubIP>[4500], Peer=<PubIP>[500]
2012-01-10 04:11:36: [rv220w][IKE] INFO:  Received Vendor ID: CISCO-UNITY
2012-01-10 04:11:36: [rv220w][IKE] INFO:  Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2012-01-10 04:11:36: [rv220w][IKE] INFO:  Received Vendor ID: DPD
2012-01-10 04:11:36: [rv220w][IKE] INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-01-10 04:11:36: [rv220w][IKE] INFO:  Received unknown Vendor ID
2012-01-10 04:11:36: [rv220w][IKE] INFO:  Received unknown Vendor ID
2012-01-10 04:11:36: [rv220w][IKE] INFO:  NAT-D payload does not match for 10.220.255.254[4500]
2012-01-10 04:11:36: [rv220w][IKE] INFO:  NAT-D payload does not match for<PubIP>[4500]
2012-01-10 04:11:36: [rv220w][IKE] INFO:  For<PubIP>[4500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2012-01-10 04:11:36: [rv220w][IKE] INFO:  NAT detected: ME PEER
2012-01-10 04:11:36: [rv220w][IKE] INFO:  for debugging :: changing ports2012-01-10 04:11:36: [rv220w][IKE] INFO:  port changed !!
2012-01-10 04:11:36: [rv220w][IKE] ERROR:  HASH mismatched
2012-01-10 04:11:36: [rv220w][IKE] INFO:  Sending Informational Exchange: notify payload[INVALID-HASH-INFORMATION]
2012-01-10 04:11:44: [rv220w][IKE] WARNING:  Remote address mismatched. Local=<PubIP>[4500], Peer=<PubIP>[500]
2012-01-10 04:11:44: [rv220w][IKE] INFO:  Received Vendor ID: CISCO-UNITY
2012-01-10 04:11:44: [rv220w][IKE] INFO:  Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2012-01-10 04:11:44: [rv220w][IKE] INFO:  Received Vendor ID: DPD
2012-01-10 04:11:44: [rv220w][IKE] INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-01-10 04:11:44: [rv220w][IKE] INFO:  Received unknown Vendor ID
2012-01-10 04:11:44: [rv220w][IKE] INFO:  Received unknown Vendor ID
2012-01-10 04:11:44: [rv220w][IKE] INFO:  NAT-D payload does not match for 10.220.255.254[4500]
2012-01-10 04:11:44: [rv220w][IKE] INFO:  NAT-D payload does not match for<PubIP>[4500]
2012-01-10 04:11:44: [rv220w][IKE] INFO:  For<PubIP>[4500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2012-01-10 04:11:44: [rv220w][IKE] INFO:  NAT detected: ME PEER
2012-01-10 04:11:44: [rv220w][IKE] INFO:  for debugging :: changing ports2012-01-10 04:11:44: [rv220w][IKE] INFO:  port changed !!
2012-01-10 04:11:44: [rv220w][IKE] ERROR:  HASH mismatched
2012-01-10 04:11:44: [rv220w][IKE] INFO:  Sending Informational Exchange: notify payload[INVALID-HASH-INFORMATION]

ASA 5510 Configuration

object network NETWORK-SCHOLEY
 subnet 10.220.225.0 255.255.255.0

access-list scholey_split_tunnel extended permit ip object-group LOCAL_NETWORK_REMOTE_VPN object NETWORK-SCHOLEY
access-list scholey_split_tunnel extended permit ip object NETWORK-HBG object NETWORK-SCHOLEY
access-list scholey_split_tunnel extended permit ip object NETWORK-SF object NETWORK-SCHOLEY
access-list scholey_split_tunnel extended permit ip object NETWORK-TRAINING object NETWORK-SCHOLEY

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto dynamic-map dynamic-remote-office 65534 set transform-set ESP-3DES-SHA 
crypto map hbg-outside-198_map 65534 ipsec-isakmp dynamic dynamic-remote-office
crypto map hbg-outside-198_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto isakmp identity address
crypto isakmp enable hbg-outside-198
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

group-policy scholey internal
group-policy scholey attributes
 vpn-tunnel-protocol IPSec
 ipsec-udp disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value scholey_split_tunnel 

tunnel-group scholey type ipsec-l2l
tunnel-group scholey general-attributes
 default-group-policy scholey.vpn.haydon-mill.com 
tunnel-group scholey ipsec-attributes
 pre-shared-key scholeykey

ASA 5510 syslog messages

%ASA-7-713236: IP = 10.220.255.254, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 436
%ASA-7-715048: Group = scholey, IP = 10.220.255.254, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing VID payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713906: Group = scholey, IP = 10.220.255.254, computing NAT Discovery hash
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing NAT-Discovery payload
%ASA-7-713906: Group = scholey, IP = 10.220.255.254, computing NAT Discovery hash
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing NAT-Discovery payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing NAT-Traversal VID ver 02 payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing dpd vid payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing xauth V6 VID payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing Cisco Unity VID payload
%ASA-7-715076: Group = scholey, IP = 10.220.255.254, Computing hash for ISAKMP
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing hash payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing ID payload
%ASA-7-713906: Group = scholey, IP = 10.220.255.254, Generating keys for Responder...
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing nonce payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing ke payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing ISAKMP SA payload
%ASA-7-715028: Group = scholey, IP = 10.220.255.254, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
%ASA-7-715047: Group = scholey, IP = 10.220.255.254, processing IKE SA payload
%ASA-7-713906: IP = 10.220.255.254, Connection landed on tunnel_group scholey
%ASA-7-715049: IP = 10.220.255.254, Received DPD VID
%ASA-7-715047: IP = 10.220.255.254, processing VID payload
%ASA-7-715049: IP = 10.220.255.254, Received NAT-Traversal RFC VID
%ASA-7-715047: IP = 10.220.255.254, processing VID payload
%ASA-7-715049: IP = 10.220.255.254, Received NAT-Traversal ver 02 VID
%ASA-7-715047: IP = 10.220.255.254, processing VID payload
%ASA-7-715047: IP = 10.220.255.254, processing VID payload
%ASA-7-713906: IP = 10.220.255.254, ID_FQDN ID received, len 27#%cLt#%010>0000: 7363686F 6C65792E 76706E2E 68617964 scholey.vpn.hayd#%cLt#%010>0010: 6F6E2D6D 696C6C2E 636F6D on-mill.com
%ASA-7-715047: IP = 10.220.255.254, processing ID payload
%ASA-7-715047: IP = 10.220.255.254, processing nonce payload
%ASA-7-715047: IP = 10.220.255.254, processing ISA_KE payload
%ASA-7-715047: IP = 10.220.255.254, processing ke payload
%ASA-7-715047: IP = 10.220.255.254, processing SA payload
%ASA-7-713236: IP = 10.220.255.254, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 347
Labels:
0 Helpful
3 Replies 3

stownsend
Level 2
Level 2

‎01-10-2012 12:49 PM

So It looks like I had a few things against me.

The SA-Lifetimes were reversed. I had the 28800 swapped with the 86400 lifetime.

PFS was Ticked, it should have been unchecked.

Though the most crutial mistake was using GMT-8 Pacific Standard Time for the Timezone setting.   I'm running software version 1.0.3.5 and the timezone GMT-8 Pacific Standard Time seems to really be -16, not -8.  Switching to GMT -8 Pitcairn Island Time Lead me to the finding the SA Lifetime issues.

Scott<-

0 Helpful

jasbryan
Level 6
Level 6
In response to stownsend

‎01-10-2012 02:12 PM

Scott,

Thanks for re-posting - so do you have the tunnels successful connected now? 

Jasbryan

0 Helpful

stownsend
Level 2
Level 2
In response to jasbryan

‎01-10-2012 02:29 PM

Yes, the Tunnels are up.  I just wish it was not so Difficult to get everything all sync'd up.

Managing many subnets and exterior gateways makes for changes on several devices when I add a new remote Subnet.

Though the Timezone bug was the real show stopper!  that needs to be looked into. Having a clock that is 8 hours off does not play nice with IPSec!

Now if I could find a way to connect to a remote Subnet from a remote subnet via the Head End ASA, that would be Super!

Thanks!

0 Helpful
Customers Also Viewed These Support Documents