cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
919
Views
0
Helpful
1
Replies

Cisco ASA 8.4 IKEv1 mismatch

anthonykahwati
Level 1
Level 1

Hi                  

I am trying to ensure that I match the Amazon Web Services config I have been given for a VPN, but I always get the "duplicate first packet" error and it never makes the IKE SA.

In looking further into the config, when I see the

Configuration>site-to-site vpn>advanced>IKE Policies

page, I have priority 201, which is defined as

aes-128 - sha - 2 - pre-share - 28800

BUT

When I edit the item, it always has encryption as des and this  item does not get chosen. I think that this may be why we are not able to build phase 1.

I have attached a picture for evidence of what I am seeing. This is non edited since opening the edit box for this policy.

Any suggestions on the phase1 not forming would be handy too.... AWS are strict in their config and have given me this...... I am thinking I have followed it.

Configure the IKE SA as follows
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : AZxyiirs0IFXGIPwLG9l3ncDVkcz4rpc
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#2: IPSec Configuration

Configure the IPSec SA as follows:
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
  - DPD Interval             : 10
  - DPD Retries              : 3

Thanks in advance

Anthonyikev1_error.jpg

1 Reply 1

Itzcoatl Espinosa
Cisco Employee
Cisco Employee

Hi Anthony,

The messages you are getting could be caused by UDP500 or UPD4500 ports being blocked in the middle or not being sent by the remote site.

The best way to determine the root cause is to run captures on the outside interfaces of both devices, to verify if they are sending and receiving traffic on these ports.

regards,

Itzcoatl

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: