Site to Site VPN between two ASA 5505 not working

Answered Question
Jun 5th, 2014
User Badges:

Good afternoon gents,

I am trying to use the VPN Wizard to setup a site to site VPN tunnel between two identical ASA 5505 firewalls but having different IOS versions (8.2 and 8.4). Although I managed to created  VPN connections on both ends, they do not seem to communicate and the Real Time Log Viewer is display these error messages (i modified IP's for security reasons):

4|Jun 05 2014|13:34:49|113019|||||Group = 2.2.2.2, Username = 2.2.2.2, IP = SiteB-FW, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
5|Jun 05 2014|13:34:49|713259|||||Group = 2.2.2.2, IP = 2.2.2.2, Session is being torn down. Reason: User Requested
7|Jun 05 2014|13:34:49|713906|||||Group = 2.2.2.2, IP = 2.2.2.2, IKE SA MM:299483b5 terminating:  flags 0x0100c822, refcnt 0, tuncnt 0
3|Jun 05 2014|13:34:49|713902|||||Group = 2.2.2.2, IP = 2.2.2.2, Removing peer from correlator table failed, no match!
7|Jun 05 2014|13:34:49|715009|||||Group = 2.2.2.2, IP = 2.2.2.2, IKE Deleting SA: Remote Proxy 192.168.200.0, Local Proxy 192.168.100.0
7|Jun 05 2014|13:34:49|713236|||||IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=eacc21a4) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
7|Jun 05 2014|13:34:49|715046|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
7|Jun 05 2014|13:34:49|715046|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing IPSec delete payload
7|Jun 05 2014|13:34:49|715046|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
7|Jun 05 2014|13:34:49|713906|||||Group = 2.2.2.2, IP = 2.2.2.2, sending delete/delete with reason message
5|Jun 05 2014|13:34:49|713050|||||Group = 2.2.2.2, IP = 2.2.2.2, Connection terminated for peer 2.2.2.2.  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
7|Jun 05 2014|13:34:49|713906|||||Group = 2.2.2.2, IP = 2.2.2.2, processing delete
7|Jun 05 2014|13:34:49|715047|||||Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
7|Jun 05 2014|13:34:49|713236|||||IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=70148cdb) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
5|Jun 05 2014|13:34:49|713068|||||Group = 2.2.2.2, IP = 2.2.2.2, Received non-routine Notify message: No proposal chosen (14)
7|Jun 05 2014|13:34:49|715047|||||Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
7|Jun 05 2014|13:34:49|715047|||||Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
7|Jun 05 2014|13:34:49|713236|||||IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=423f193d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7|Jun 05 2014|13:34:49|713236|||||IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=feaa0acd) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 400
7|Jun 05 2014|13:34:49|714004|||||Group = 2.2.2.2, IP = 2.2.2.2, IKE Initiator sending 1st QM pkt: msg id = feaa0acd
7|Jun 05 2014|13:34:49|715046|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
7|Jun 05 2014|13:34:49|714007|||||Group = 2.2.2.2, IP = 2.2.2.2, IKE Initiator sending Initial Contact
7|Jun 05 2014|13:34:49|713906|||||Group = 2.2.2.2, IP = 2.2.2.2, Transmitting Proxy Id:
7|Jun 05 2014|13:34:49|715001|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing proxy ID
7|Jun 05 2014|13:34:49|715046|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing pfs ke payload
7|Jun 05 2014|13:34:49|715046|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing IPSec nonce payload
7|Jun 05 2014|13:34:49|715046|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing IPSec SA payload
7|Jun 05 2014|13:34:49|715046|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
7|Jun 05 2014|13:34:49|713906|||||Group = 2.2.2.2, IP = 2.2.2.2, oakley constucting quick mode
7|Jun 05 2014|13:34:49|715006|||||Group = 2.2.2.2, IP = 2.2.2.2, IKE got SPI from key engine: SPI = 0xfddfaa1f
6|Jun 05 2014|13:34:49|713220|||||Group = 2.2.2.2, IP = 2.2.2.2, De-queuing KEY-ACQUIRE messages that were left pending.
7|Jun 05 2014|13:34:49|715080|||||Group = 2.2.2.2, IP = 2.2.2.2, Starting P1 rekey timer: 82080 seconds.
7|Jun 05 2014|13:34:49|713121|||||IP = 2.2.2.2, Keep-alive type for this connection: DPD
5|Jun 05 2014|13:34:49|713119|||||Group = 2.2.2.2, IP = 2.2.2.2, PHASE 1 COMPLETED
7|Jun 05 2014|13:34:49|714002|||||Group = 2.2.2.2, IP = 2.2.2.2, IKE Initiator starting QM: msg id = feaa0acd
7|Jun 05 2014|13:34:49|713906|||||Group = 2.2.2.2, IP = 2.2.2.2, Oakley begin quick mode
6|Jun 05 2014|13:34:49|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = 2.2.2.2
7|Jun 05 2014|13:34:49|713906|||||IP = 2.2.2.2, Connection landed on tunnel_group 2.2.2.2
7|Jun 05 2014|13:34:49|715049|||||Group = 2.2.2.2, IP = 2.2.2.2, Received DPD VID
7|Jun 05 2014|13:34:49|715047|||||Group = 2.2.2.2, IP = 2.2.2.2, processing VID payload
7|Jun 05 2014|13:34:49|715034|||||IP = 2.2.2.2, Processing IOS keep alive payload: proposal=32767/32767 sec.
7|Jun 05 2014|13:34:49|715076|||||Group = 2.2.2.2, IP = 2.2.2.2, Computing hash for ISAKMP
7|Jun 05 2014|13:34:49|715047|||||Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
7|Jun 05 2014|13:34:49|714011|||||Group = 2.2.2.2, IP = 2.2.2.2, ID_IPV4_ADDR ID received
7|Jun 05 2014|13:34:49|715047|||||Group = 2.2.2.2, IP = 2.2.2.2, processing ID payload
7|Jun 05 2014|13:34:49|713236|||||IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
6|Jun 05 2014|13:34:49|713172|||||Group = 2.2.2.2, IP = 2.2.2.2, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
7|Jun 05 2014|13:34:49|713236|||||IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
7|Jun 05 2014|13:34:49|715046|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing dpd vid payload
7|Jun 05 2014|13:34:49|715034|||||IP = 2.2.2.2, Constructing IOS keep alive payload: proposal=32767/32767 sec.
7|Jun 05 2014|13:34:49|715076|||||Group = 2.2.2.2, IP = 2.2.2.2, Computing hash for ISAKMP
7|Jun 05 2014|13:34:49|715046|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing hash payload
7|Jun 05 2014|13:34:49|715046|||||Group = 2.2.2.2, IP = 2.2.2.2, constructing ID payload
7|Jun 05 2014|13:34:49|713906|||||Group = 2.2.2.2, IP = 2.2.2.2, Generating keys for Initiator...
7|Jun 05 2014|13:34:49|713906|||||IP = 2.2.2.2, Connection landed on tunnel_group 2.2.2.2
7|Jun 05 2014|13:34:49|713906|||||IP = 2.2.2.2, computing NAT Discovery hash
7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing NAT-Discovery payload
7|Jun 05 2014|13:34:49|713906|||||IP = 2.2.2.2, computing NAT Discovery hash
7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing NAT-Discovery payload
7|Jun 05 2014|13:34:49|715049|||||IP = 2.2.2.2, Received Altiga/Cisco VPN3000/Cisco ASA GW VID
7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing VID payload
7|Jun 05 2014|13:34:49|715038|||||IP = 2.2.2.2, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing VID payload
7|Jun 05 2014|13:34:49|715049|||||IP = 2.2.2.2, Received xauth V6 VID
7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing VID payload
7|Jun 05 2014|13:34:49|715049|||||IP = 2.2.2.2, Received Cisco Unity client VID
7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing VID payload
7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing nonce payload
7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing ISA_KE payload
7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing ke payload
7|Jun 05 2014|13:34:49|713236|||||IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 368
7|Jun 05 2014|13:34:49|713236|||||IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (20) + NAT-D (20) + NONE (0) total length : 368
7|Jun 05 2014|13:34:49|713906|||||IP = 2.2.2.2, computing NAT Discovery hash
7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing NAT-Discovery payload
7|Jun 05 2014|13:34:49|713906|||||IP = 2.2.2.2, computing NAT Discovery hash
7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing NAT-Discovery payload
7|Jun 05 2014|13:34:49|715048|||||IP = 2.2.2.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing VID payload
7|Jun 05 2014|13:34:49|715038|||||IP = 2.2.2.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
7|Jun 05 2014|13:34:49|715048|||||IP = 2.2.2.2, Send IOS VID
7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing xauth V6 VID payload
7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing Cisco Unity VID payload
7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing nonce payload
7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing ke payload
7|Jun 05 2014|13:34:49|715064|||||IP = 2.2.2.2, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
7|Jun 05 2014|13:34:49|715049|||||IP = 2.2.2.2, Received Fragmentation VID
7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing VID payload
7|Jun 05 2014|13:34:49|715049|||||IP = 2.2.2.2, Received NAT-Traversal RFC VID
7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing VID payload
7|Jun 05 2014|13:34:49|713906|||||IP = 2.2.2.2, Oakley proposal is acceptable
7|Jun 05 2014|13:34:49|715047|||||IP = 2.2.2.2, processing SA payload
7|Jun 05 2014|13:34:49|713236|||||IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 132
7|Jun 05 2014|13:34:49|713236|||||IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 248
7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing Fragmentation VID + extended capabilities payload
7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing NAT-Traversal VID ver RFC payload
7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing NAT-Traversal VID ver 03 payload
7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing NAT-Traversal VID ver 02 payload
7|Jun 05 2014|13:34:49|715046|||||IP = 2.2.2.2, constructing ISAKMP SA payload
6|Jun 05 2014|13:34:49|713219|||||IP = 2.2.2.2, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
5|Jun 05 2014|13:34:49|713041|||||IP = 2.2.2.2, IKE Initiator: New Phase 1, Intf LAN, IKE Peer 2.2.2.2  local Proxy Address 192.168.100.0, remote Proxy Address 192.168.200.0,  Crypto map (Internet_map)

SiteA IP is 1.1.1.1 with internet network 192.168.100.0/24....SiteB IP is 2.2.2.2 with internal network 192.168.200.0/24. I am also pasting the conf of both firewalls.

SITE A:

Result of the command: "show conf"

!
ASA Version 8.2(5)
!
hostname ciscositeA
enable password xxx encrypted
passwd xxx encrypted
names
name 2.2.2.2 SiteB-FW
name 192.168.200.0 SiteB-network
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 12
!
interface Ethernet0/2
switchport access vlan 12
!
interface Ethernet0/3
switchport access vlan 12
!
interface Ethernet0/4
switchport access vlan 12
!
interface Ethernet0/5
switchport access vlan 12
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif mgmt
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
nameif Internet
security-level 0
ip address 1.1.1.1 255.255.255.240
!
interface Vlan12
no forward interface Vlan1
nameif LAN
security-level 100
ip address 192.168.100.254 255.255.255.0
!
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup mgmt
dns domain-lookup Internet
dns server-group DefaultDNS
name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DM_INLINE_NETWORK_1
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_0 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_6 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_7 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_8 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_9 tcp
port-object eq www
port-object eq https
access-list outside_access_in extended permit tcp host 2.2.2.2 host 1.1.1.1 eq www
access-list dmz_access_in extended permit ip any any
access-list LAN-nat0 extended permit ip 192.168.100.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list LAN-nat0 extended permit ip 10.250.0.0 255.255.0.0 any
access-list LAN-nat0 extended permit ip 192.168.100.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list LAN-nat0 extended permit ip any 192.168.100.0 255.255.255.0
access-list LAN-nat0 extended permit ip 192.168.100.0 255.255.255.0 SiteB-network 255.255.255.0
access-list mgmt-nat0 extended permit ip 192.168.2.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list mgmt-nat0 extended permit ip 10.250.0.0 255.255.0.0 any
access-list Internet_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 SiteB-network 255.255.255.0
pager lines 24
logging enable
logging asdm errors
mtu mgmt 1500
mtu Internet 1500
mtu LAN 1500
ipv6 access-list dmz_access_ipv6_in permit ip any any
ipv6 access-list Atlassian_ipv6 deny ip any any
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Internet) 1 interface
nat (mgmt) 0 access-list mgmt-nat0
nat (mgmt) 1 0.0.0.0 0.0.0.0
nat (LAN) 0 access-list LAN-nat0
nat (LAN) 1 0.0.0.0 0.0.0.0

access-group outside_access_in in interface Internet
route Internet 0.0.0.0 0.0.0.0 1.1.1.1 1
route mgmt 192.168.100.0 255.255.255.0 192.168.100.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.2.0 255.255.255.0 mgmt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Internet_map 1 match address Internet_1_cryptomap
crypto map Internet_map 1 set pfs group5
crypto map Internet_map 1 set peer SiteB-FW
crypto map Internet_map 1 set transform-set ESP-AES-256-SHA
crypto map Internet_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Internet_map interface Internet
crypto isakmp enable Internet
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 mgmt
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 8.8.8.8 192.168.100.11
dhcpd lease 1048575
dhcpd update dns both override
!
dhcpd address 192.168.2.50-192.168.2.136 mgmt
dhcpd dns 192.168.100.11 8.8.8.8 interface mgmt
dhcpd lease 6000 interface mgmt
dhcpd update dns both override interface mgmt
dhcpd enable mgmt
!
dhcpd update dns both override interface LAN
!

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 85.254.216.1 source Internet
webvpn
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect icmp
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
!
service-policy global_policy global
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxx

 

Site B:

Result of the command: "show conf"

!
ASA Version 8.4(5) 
!
hostname ciscositeB
enable password xxx encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
multicast-routing
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
!
interface Vlan1
 nameif mgmt
 security-level 100
 ip address 192.168.3.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group pp_group
 ip address pppoe setroute 
!
interface Vlan12
 no forward interface Vlan1
 nameif LAN
 security-level 100
 ip address 192.168.200.1 255.255.255.0 
!
ftp mode passive
clock timezone GMT 2
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Poland-LAN-Network
 subnet 192.168.200.0 255.255.255.0
object network SiteA-FW
 host 2.2.2.2
object network SiteA-Network
 subnet 192.168.100.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.3.0 255.255.255.0 any 
access-list outside_access_in extended permit tcp any any eq ssh 
access-list outside_cryptomap extended permit ip object SiteB-Network object SiteA-Network 
pager lines 24
logging enable
logging asdm informational
mtu mgmt 1500
mtu outside 1500
mtu LAN 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (mgmt,outside) source static SiteB-Network SiteB-Network destination static SiteA-Network SiteA-Network no-proxy-arp route-lookup
nat (LAN,outside) source static SiteB-Network SiteB-Network destination static SiteA-Network SiteA-Network no-proxy-arp route-lookup
!
object network obj_any
 nat (mgmt,outside) dynamic interface
!
nat (mgmt,outside) after-auto source dynamic any interface
access-group inside_access_in in interface mgmt
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no user-identity enable
user-identity default-domain LOCAL
http server enable
http 192.168.3.0 255.255.255.0 mgmt
http 1.1.1.1 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer 2.2.2.2 
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES AES192 AES256
crypto map outside_map interface outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh 192.168.3.103 255.255.255.255 mgmt
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd dns 87.204.204.204 62.233.233.233
dhcpd auto_config outside
dhcpd update dns 
!
dhcpd address 192.168.3.101-192.168.3.132 mgmt
dhcpd dns 8.8.8.8 interface mgmt
dhcpd update dns both interface mgmt
dhcpd enable mgmt
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 85.254.216.1 source outside prefer
webvpn
group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
 vpn-tunnel-protocol ikev1 
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy GroupPolicy_2.2.2.2
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:abc
Correct Answer by Robert Mogan about 3 years 2 months ago

Hi James

 

In the real time output it shows Phase 1 completed. That means your 2 ends are talking so the tunnel groups good and the isakmp policies found a match.  To get to Phase 2 completed (which is missing) you need the ipsec sections to match.  It looks like you have a mismatch in the pfs value as you state 5 in site A but leave it blank in site B which will default to 2.

Site A: crypto map Internet_map 1 set pfs group5

Site B: crypto map outside_map 1 set pfs

so either redo the wizard or at the command line on B change it to: crypto map outside_map 1 set pfs group5

 

Hope it helps (:
 

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
nkarthikeyan Thu, 06/05/2014 - 23:50
User Badges:
  • Gold, 750 points or more

Hi James,

 

I wonder why do you have both l2l and ipsec have the diff tg IP addresses in Site A??

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
!

Regards

Karthik
 

Correct Answer
Robert Mogan Wed, 06/11/2014 - 08:02
User Badges:

Hi James

 

In the real time output it shows Phase 1 completed. That means your 2 ends are talking so the tunnel groups good and the isakmp policies found a match.  To get to Phase 2 completed (which is missing) you need the ipsec sections to match.  It looks like you have a mismatch in the pfs value as you state 5 in site A but leave it blank in site B which will default to 2.

Site A: crypto map Internet_map 1 set pfs group5

Site B: crypto map outside_map 1 set pfs

so either redo the wizard or at the command line on B change it to: crypto map outside_map 1 set pfs group5

 

Hope it helps (:
 

james00010 Wed, 06/11/2014 - 08:32
User Badges:

Hi RobertMogan_2, that was exactly the issue. It just slipped through the cracks! Thanks for your feedback.

Actions

This Discussion