01-09-2012 04:29 PM
I'm looking to get a remote office RV220W connected to my ASA5510. I have several PIX 501 and ASA5505's connected to the ASA5510.
I've set up everything as similar as I can think of, though I'm still not connecting.
IKE Policy:
Direction: Initiator
Exchange mode: Aggressive (for using FQDN Ident)
Remotes are all DHCP, so setup Local Identifier on RV220W as FQDN and typed in a FQDN for the remote RV220W. That is the same name I used for the Tunnel-Group on the ASA. Remote is IP, ASA is setup to send IP for Ident.
IKE SA:
3DES, SHA, DH2, 28800
VPN Policy:
Auto Policy, Remote Endpoint IP
SA-Lifetime: 86400, 3DES, SHA-1, PFS Enabled, DH2
Below is the Log from the RV220W. The line that stuck out to me was:
2012-01-10 04:11:44: [rv220w][IKE] WARNING: Remote address mismatched. Local=<PubIP>[4500], Peer=<PubIP>[500]
Why is Local= and Peer= the same IP?
10.220.1.0/24 = LAN behind RV220W
10.220.255.254 WAN IP of RV220W
10.1.0.0/16 = LAN behind ASA 5510
<PubIP> = Public IP of ASA 5510
2012-01-10 04:11:28: [rv220w][IKE] INFO: Using IPsec SA configuration: 10.220.1.0/24<->10.1.0.0/16
2012-01-10 04:11:28: [rv220w][IKE] INFO: Configuration found for <PubIP>.
2012-01-10 04:11:28: [rv220w][IKE] INFO: Initiating new phase 1 negotiation: 10.220.255.254[500]<=><PubIP>[500]
2012-01-10 04:11:28: [rv220w][IKE] INFO: Beginning Aggressive mode.
2012-01-10 04:11:28: [rv220w][IKE] INFO: NAT-Traversal is Enabled
2012-01-10 04:11:28: [rv220w][IKE] INFO: [agg_i1send:256]: XXX: NUMNATTVENDORIDS: 3
2012-01-10 04:11:28: [rv220w][IKE] INFO: [agg_i1send:260]: XXX: setting vendorid: 4
2012-01-10 04:11:28: [rv220w][IKE] INFO: [agg_i1send:260]: XXX: setting vendorid: 8
2012-01-10 04:11:28: [rv220w][IKE] INFO: [agg_i1send:260]: XXX: setting vendorid: 9
2012-01-10 04:11:28: [rv220w][IKE] INFO: Received Vendor ID: CISCO-UNITY
2012-01-10 04:11:28: [rv220w][IKE] INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2012-01-10 04:11:28: [rv220w][IKE] INFO: Received Vendor ID: DPD
2012-01-10 04:11:28: [rv220w][IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-01-10 04:11:28: [rv220w][IKE] INFO: Received unknown Vendor ID
2012-01-10 04:11:28: [rv220w][IKE] INFO: Received unknown Vendor ID
2012-01-10 04:11:28: [rv220w][IKE] INFO: NAT-D payload does not match for 10.220.255.254[500]
2012-01-10 04:11:28: [rv220w][IKE] INFO: NAT-D payload matches for <PubIP>[500]
2012-01-10 04:11:28: [rv220w][IKE] INFO: For <PubIP>[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2012-01-10 04:11:28: [rv220w][IKE] INFO: NAT detected: ME
2012-01-10 04:11:28: [rv220w][IKE] INFO: for debugging :: changing ports
2012-01-10 04:11:28: [rv220w][IKE] INFO: port changed !!
2012-01-10 04:11:28: [rv220w][IKE] ERROR: HASH mismatched
2012-01-10 04:11:28: [rv220w][IKE] INFO: Sending Informational Exchange: notify payload[INVALID-HASH-INFORMATION]
2012-01-10 04:11:36: [rv220w][IKE] WARNING: Remote address mismatched. Local=<PubIP>[4500], Peer=<PubIP>[500]
2012-01-10 04:11:36: [rv220w][IKE] INFO: Received Vendor ID: CISCO-UNITY
2012-01-10 04:11:36: [rv220w][IKE] INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2012-01-10 04:11:36: [rv220w][IKE] INFO: Received Vendor ID: DPD
2012-01-10 04:11:36: [rv220w][IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-01-10 04:11:36: [rv220w][IKE] INFO: Received unknown Vendor ID
2012-01-10 04:11:36: [rv220w][IKE] INFO: Received unknown Vendor ID
2012-01-10 04:11:36: [rv220w][IKE] INFO: NAT-D payload does not match for 10.220.255.254[4500]
2012-01-10 04:11:36: [rv220w][IKE] INFO: NAT-D payload does not match for <PubIP>[4500]
2012-01-10 04:11:36: [rv220w][IKE] INFO: For <PubIP>[4500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2012-01-10 04:11:36: [rv220w][IKE] INFO: NAT detected: ME PEER
2012-01-10 04:11:36: [rv220w][IKE] INFO: for debugging :: changing ports
2012-01-10 04:11:36: [rv220w][IKE] INFO: port changed !!
2012-01-10 04:11:36: [rv220w][IKE] ERROR: HASH mismatched
2012-01-10 04:11:36: [rv220w][IKE] INFO: Sending Informational Exchange: notify payload[INVALID-HASH-INFORMATION]
2012-01-10 04:11:44: [rv220w][IKE] WARNING: Remote address mismatched. Local=<PubIP>[4500], Peer=<PubIP>[500]
2012-01-10 04:11:44: [rv220w][IKE] INFO: Received Vendor ID: CISCO-UNITY
2012-01-10 04:11:44: [rv220w][IKE] INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2012-01-10 04:11:44: [rv220w][IKE] INFO: Received Vendor ID: DPD
2012-01-10 04:11:44: [rv220w][IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-01-10 04:11:44: [rv220w][IKE] INFO: Received unknown Vendor ID
2012-01-10 04:11:44: [rv220w][IKE] INFO: Received unknown Vendor ID
2012-01-10 04:11:44: [rv220w][IKE] INFO: NAT-D payload does not match for 10.220.255.254[4500]
2012-01-10 04:11:44: [rv220w][IKE] INFO: NAT-D payload does not match for <PubIP>[4500]
2012-01-10 04:11:44: [rv220w][IKE] INFO: For <PubIP>[4500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2012-01-10 04:11:44: [rv220w][IKE] INFO: NAT detected: ME PEER
2012-01-10 04:11:44: [rv220w][IKE] INFO: for debugging :: changing ports
2012-01-10 04:11:44: [rv220w][IKE] INFO: port changed !!
2012-01-10 04:11:44: [rv220w][IKE] ERROR: HASH mismatched
2012-01-10 04:11:44: [rv220w][IKE] INFO: Sending Informational Exchange: notify payload[INVALID-HASH-INFORMATION]
ASA 5510 Configuration
object network NETWORK-SCHOLEY
subnet 10.220.225.0 255.255.255.0
access-list scholey_split_tunnel extended permit ip object-group LOCAL_NETWORK_REMOTE_VPN object NETWORK-SCHOLEY
access-list scholey_split_tunnel extended permit ip object NETWORK-HBG object NETWORK-SCHOLEY
access-list scholey_split_tunnel extended permit ip object NETWORK-SF object NETWORK-SCHOLEY
access-list scholey_split_tunnel extended permit ip object NETWORK-TRAINING object NETWORK-SCHOLEY
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto dynamic-map dynamic-remote-office 65534 set transform-set ESP-3DES-SHA
crypto map hbg-outside-198_map 65534 ipsec-isakmp dynamic dynamic-remote-office
crypto map hbg-outside-198_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto isakmp identity address
crypto isakmp enable hbg-outside-198
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
group-policy scholey internal
group-policy scholey attributes
vpn-tunnel-protocol IPSec
ipsec-udp disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value scholey_split_tunnel
tunnel-group scholey type ipsec-l2l
tunnel-group scholey general-attributes
default-group-policy scholey.vpn.haydon-mill.com
tunnel-group scholey ipsec-attributes
pre-shared-key scholeykey
ASA 5510 syslog messages
%ASA-7-713236: IP = 10.220.255.254, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 436
%ASA-7-715048: Group = scholey, IP = 10.220.255.254, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing VID payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713906: Group = scholey, IP = 10.220.255.254, computing NAT Discovery hash
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing NAT-Discovery payload
%ASA-7-713906: Group = scholey, IP = 10.220.255.254, computing NAT Discovery hash
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing NAT-Discovery payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing NAT-Traversal VID ver 02 payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing dpd vid payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing xauth V6 VID payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing Cisco Unity VID payload
%ASA-7-715076: Group = scholey, IP = 10.220.255.254, Computing hash for ISAKMP
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing hash payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing ID payload
%ASA-7-713906: Group = scholey, IP = 10.220.255.254, Generating keys for Responder...
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing nonce payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing ke payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing ISAKMP SA payload
%ASA-7-715028: Group = scholey, IP = 10.220.255.254, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
%ASA-7-715047: Group = scholey, IP = 10.220.255.254, processing IKE SA payload
%ASA-7-713906: IP = 10.220.255.254, Connection landed on tunnel_group scholey
%ASA-7-715049: IP = 10.220.255.254, Received DPD VID
%ASA-7-715047: IP = 10.220.255.254, processing VID payload
%ASA-7-715049: IP = 10.220.255.254, Received NAT-Traversal RFC VID
%ASA-7-715047: IP = 10.220.255.254, processing VID payload
%ASA-7-715049: IP = 10.220.255.254, Received NAT-Traversal ver 02 VID
%ASA-7-715047: IP = 10.220.255.254, processing VID payload
%ASA-7-715047: IP = 10.220.255.254, processing VID payload
%ASA-7-713906: IP = 10.220.255.254, ID_FQDN ID received, len 27
0000: 7363686F 6C65792E 76706E2E 68617964    scholey.vpn.hayd
0010: 6F6E2D6D 696C6C2E 636F6D                on-mill.com
%ASA-7-715047: IP = 10.220.255.254, processing ID payload
%ASA-7-715047: IP = 10.220.255.254, processing nonce payload
%ASA-7-715047: IP = 10.220.255.254, processing ISA_KE payload
%ASA-7-715047: IP = 10.220.255.254, processing ke payload
%ASA-7-715047: IP = 10.220.255.254, processing SA payload
%ASA-7-713236: IP = 10.220.255.254, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 347
01-10-2012 12:49 PM
So it looks like I had a few things against me.
The SA lifetimes were reversed. I had the 28800 swapped with the 86400 lifetime.
PFS was ticked; it should have been unchecked.
Though the most crucial mistake was using GMT-8 Pacific Standard Time for the Timezone setting. I'm running software version 1.0.3.5 and the timezone GMT-8 Pacific Standard Time seems to really be -16, not -8. Switching to GMT-8 Pitcairn Island Time led me to finding the SA lifetime issues.
Scott
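As an added example (not from the thread, and not RV220W or ASA code), a small Python check that puts the two peers' IKE phase 1 and IPsec phase 2 parameters side by side and flags the mismatches Scott found: the swapped SA lifetimes and PFS enabled only on the RV220W. The `Peer` class, its field names and `compare_peers()` are my own; the values are transcribed from the RV220W settings and ASA config in the first post.

```python
# Added example, not from the thread: compare the IKEv1 phase 1 / phase 2 settings
# of two peers and list every mismatch. Peer, its fields and compare_peers() are
# this example's own names, not an RV220W or ASA API.
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    name: str
    ike_encr: str        # phase 1 encryption
    ike_hash: str        # phase 1 hash
    ike_dh: int          # phase 1 DH group
    ike_lifetime: int    # phase 1 SA lifetime, seconds
    ipsec_encr: str      # phase 2 ESP encryption
    ipsec_hash: str      # phase 2 ESP integrity
    ipsec_lifetime: int  # phase 2 SA lifetime, seconds
    pfs_dh: int          # phase 2 PFS group, 0 = PFS disabled


def compare_peers(a: Peer, b: Peer) -> list:
    """Return human-readable mismatches between two peers (empty list = consistent)."""
    problems = []
    checks = [("ike_encr", "IKE encryption"), ("ike_hash", "IKE hash"),
              ("ike_dh", "IKE DH group"), ("ike_lifetime", "IKE SA lifetime"),
              ("ipsec_encr", "ESP encryption"), ("ipsec_hash", "ESP integrity"),
              ("ipsec_lifetime", "IPsec SA lifetime"), ("pfs_dh", "PFS group")]
    for field, label in checks:
        va, vb = getattr(a, field), getattr(b, field)
        if va != vb:
            problems.append(f"{label}: {a.name}={va}, {b.name}={vb}")
    # The tell-tale pattern from the thread: phase 1 and phase 2 lifetimes typed
    # into each other's boxes on one side, so each of a's lifetimes equals b's
    # lifetime for the *other* phase.
    if (a.ike_lifetime != a.ipsec_lifetime
            and a.ike_lifetime == b.ipsec_lifetime
            and a.ipsec_lifetime == b.ike_lifetime):
        problems.append("SA lifetimes look swapped between phase 1 and phase 2")
    return problems


# As originally configured (RV220W: IKE SA 28800, VPN policy 86400, PFS DH2;
# ASA: isakmp lifetime 86400, ipsec lifetime 28800, no 'set pfs' on the dynamic map).
RV220W_BEFORE = Peer("RV220W", "3des", "sha", 2, 28800, "3des", "sha", 86400, 2)
ASA5510 = Peer("ASA5510", "3des", "sha", 2, 86400, "3des", "sha", 28800, 0)
# RV220W after the poster's fix: lifetimes swapped back, PFS unticked.
RV220W_AFTER = Peer("RV220W", "3des", "sha", 2, 86400, "3des", "sha", 28800, 0)

if __name__ == "__main__":
    for line in compare_peers(RV220W_BEFORE, ASA5510) or ["no mismatches"]:
        print(line)
```

IKEv1 responders often tolerate a shorter lifetime from the initiator, so treat a lifetime difference as a lead to verify against both peers' logs rather than as proof of the failure.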
01-10-2012 02:12 PM
Scott,
Thanks for re-posting - so do you have the tunnels successful connected now?
Jasbryan
01-10-2012 02:29 PM
Yes, the tunnels are up. I just wish it was not so difficult to get everything all sync'd up.
Managing many subnets and exterior gateways makes for changes on several devices when I add a new remote Subnet.
Though the timezone bug was the real show stopper! That needs to be looked into. Having a clock that is 8 hours off does not play nice with IPsec!
Now if I could find a way to connect to a remote Subnet from a remote subnet via the Head End ASA, that would be Super!
Thanks!