01-16-2008 07:07 AM - edited 03-09-2019 07:53 PM
I've tried so many things that I'm completely lost now and need fresh eyes on the problem. I can post the ASA config and debug log. The other end device can't print out a config (custom Unix box), so ask questions if needed.
Here is the relevant info.
access-list Outside_access_in remark NET2NET VPN
access-list Outside_access_in extended permit ip host 24.247.165.41 any inactive
access-list nat0 remark NET2NET INSIDE TO VPN
access-list nat0 extended permit ip 10.0.0.0 255.0.0.0 host 69.128.83.236
access-list BW-VPN_TUNNEL remark VPN TUNNEL TRAFFIC
access-list BW-VPN_TUNNEL standard permit 10.0.0.0 255.0.0.0
access-list BW-VPN_TUNNEL standard permit 192.168.1.0 255.255.255.0
access-list Outside_30_cryptomap remark NET2NET VPN IPSEC
access-list Outside_30_cryptomap extended permit ip host 192.168.5.0 10.0.0.0 255.0.0.0
ip local pool BW-VPN 10.125.1.97-10.125.1.126 mask 255.255.255.224
global (Outside) 1 63.11.111.1 netmask 255.255.255.255
global (DMZ) 1 interface
nat (Inside) 0 access-list nat0
nat (Inside) 1 0.0.0.0 0.0.0.0
nat (DMZ) 0 access-list nonat_dmz
nat (DMZ) 1 0.0.0.0 0.0.0.0
nat (management) 0 access-list management_nat0_outbound
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group DMZ_access_in in interface DMZ
route Outside 0.0.0.0 0.0.0.0 63.11.111.1 1
route Inside 10.0.0.0 255.0.0.0 10.1.7.50 1
group-policy Cyberoam internal
group-policy Cyberoam attributes
wins-server value 10.90.6.10 10.90.6.20
dns-server value 10.90.6.10 10.90.6.20
vpn-tunnel-protocol IPSec
group-lock value 69.128.83.236
split-tunnel-policy tunnelspecified
split-tunnel-network-list value BW-VPN_TUNNEL
default-domain value our-domain.com
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map Inside_dyn_map 20 set transform-set ESP-AES-256-SHA ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 200 set transform-set ESP-AES-256-MD5
crypto dynamic-map Outside_dyn_map 400 set transform-set ESP-3DES-SHA
crypto map Inside_map 20 ipsec-isakmp dynamic Inside_dyn_map
crypto map Inside_map interface Inside
crypto map Outside_map 30 match address Outside_30_cryptomap
crypto map Outside_map 30 set peer 69.128.83.236
crypto map Outside_map 30 set transform-set ESP-3DES-MD5 ESP-AES-256-SHA
crypto map Outside_map 200 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400
tunnel-group 69.128.83.236 type ipsec-l2l
tunnel-group 69.128.83.236 general-attributes
default-group-policy Cyberoam
tunnel-group 69.128.83.236 ipsec-attributes
pre-shared-key **********
01-16-2008 07:11 AM
Here is the debug log to go along with that.
Group = 69.128.83.236 , IP = 69.128.83.236 , PHASE 1 COMPLETED
Group = 69.128.83.236 , IP = 69.128.83.236 , processing SA payload
Group = 69.128.83.236 , IP = 69.128.83.236 , processing ID payload
Group = 69.128.83.236 , IP = 69.128.83.236 , ID_IPV4_ADDR_SUBNET ID received--192.168.5.0 (unresolved) --255.255.255.0
Group = 69.128.83.236 , IP = 69.128.83.236 , Received remote IP Proxy Subnet data in ID Payload: Address 192.168.5.0 (unresolved) , Mask 255.255.255.0, Protocol 0, Port 0
Group = 69.128.83.236 , IP = 69.128.83.236 , processing ID payload
Group = 69.128.83.236 , IP = 69.128.83.236 , ID_IPV4_ADDR_SUBNET ID received--10.0.0.0 (unresolved) --255.0.0.0
Group = 69.128.83.236 , IP = 69.128.83.236 , Received local IP Proxy Subnet data in ID Payload: Address 10.0.0.0 (unresolved) , Mask 255.0.0.0, Protocol 0, Port 0
Group = 69.128.83.236 , IP = 69.128.83.236 , QM IsRekeyed old sa not found by addr
Group = 69.128.83.236 , IP = 69.128.83.236 , Static Crypto Map check, checking map = Outside_map, seq = 20...
Group = 69.128.83.236 , IP = 69.128.83.236 , Static Crypto Map check, map = Outside_map, seq = 20, no ACL configured
Group = 69.128.83.236 , IP = 69.128.83.236 , Static Crypto Map check, checking map = Outside_map, seq = 30...
Group = 69.128.83.236 , IP = 69.128.83.236 , Static Crypto Map check, map = Outside_map, seq = 30, ACL does not match proxy IDs src:192.168.5.0 (unresolved) dst:10.0.0.0 (unresolved)
Group = 69.128.83.236 , IP = 69.128.83.236 , IKE Remote Peer configured for crypto map: Outside_dyn_map
Group = 69.128.83.236 , IP = 69.128.83.236 , processing IPSec SA payload
Group = 69.128.83.236 , IP = 69.128.83.236 , All IPSec SA proposals found unacceptable!
Group = 69.128.83.236 , IP = 69.128.83.236 , sending notify message
Group = 69.128.83.236 , IP = 69.128.83.236 , constructing ipsec notify payload for msg id 2b78aaf7
IP = 69.128.83.236 , IKE_DECODE SENDING Message (msgid=931bde05) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Group = 69.128.83.236 , IP = 69.128.83.236 , QM FSM error (P2 struct &0x4d83228, mess id 0x2b78aaf7)!
Group = 69.128.83.236 , IP = 69.128.83.236 , IKE QM Responder FSM error history (struct &0x4d83228) , : QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Group = 69.128.83.236 , IP = 69.128.83.236 , sending delete/delete with reason message
Group = 69.128.83.236 , IP = 69.128.83.236 , sending delete/delete with reason message
Group = 69.128.83.236 , Username = 69.128.83.236 , IP = 69.128.83.236 , Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
IP = 69.128.83.236 , Received encrypted packet with no matching SA, dropping
01-17-2008 11:47 AM
No help here?
01-17-2008 11:55 AM
What are your local LAN and remote LAN subnets? I think the crypto ACLs are configured incorrectly. The source and destination are reversed.
access-list Outside_30_cryptomap extended permit ip host 192.168.5.0 10.0.0.0 255.0.0.0
Also, check the mask on the 192.168.5.0. Is this a host IP Address?
Make sure to make the changes to the NAT 0 command as well and try bringing up the tunnel.
I hope it helps.
Regards,
Arul
01-18-2008 06:17 AM
Also, can you check if the IPsec transform sets are the same on both devices?
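The two replies above point at the two checks the debug log actually exercises: whether the static crypto-map ACL mirrors the proxy IDs the peer sends in Quick Mode ("ACL does not match proxy IDs"), and whether the peer's ESP proposal is one the map entry offers ("All IPSec SA proposals found unacceptable!"). The script below is an added example for this thread, not code from the original posts or from Cisco. It parses the posted ACL and transform-set lines, applies the mirror-image rule to the proxy IDs as the debug reports them (remote 192.168.5.0/24, local 10.0.0.0/8), prints the ACE the ASA would need, and runs the same test against the nat 0 ACL, which currently exempts traffic to the peer's public address rather than to its LAN. The peer's ESP proposal is constructed, since the remote Unix box's configuration is not shown; the ACL match is modelled as coverage (ACE covers the proxy ID), and an exact mirror of the peer's selectors is the safe configuration.

```python
"""Check an ASA static crypto-map ACL against IKE Quick Mode proxy IDs, and a
peer's ESP proposal against the transform sets a map entry offers.

Added example for this thread, not code from the original posts or from Cisco.
ACL, proxy-ID and transform-set strings are taken from the config and debug
posted above; the peer's ESP proposal is constructed (not from the thread).
"""
import ipaddress

CRYPTO_ACE = ("access-list Outside_30_cryptomap extended permit ip "
              "host 192.168.5.0 10.0.0.0 255.0.0.0")
NAT0_ACE = "access-list nat0 extended permit ip 10.0.0.0 255.0.0.0 host 69.128.83.236"

# Proxy IDs as the ASA debug reports them: the peer's side is the "remote"
# proxy, the ASA's own side is the "local" proxy.
REMOTE_PROXY = ipaddress.ip_network("192.168.5.0/255.255.255.0")
LOCAL_PROXY = ipaddress.ip_network("10.0.0.0/255.0.0.0")

TRANSFORM_SETS = {  # from the posted "crypto ipsec transform-set" lines
    "ESP-AES-256-SHA": ("esp-aes-256", "esp-sha-hmac"),
    "ESP-AES-256-MD5": ("esp-aes-256", "esp-md5-hmac"),
    "ESP-3DES-SHA": ("esp-3des", "esp-sha-hmac"),
    "ESP-3DES-MD5": ("esp-3des", "esp-md5-hmac"),
}
STATIC_MAP_OFFERS = ["ESP-3DES-MD5", "ESP-AES-256-SHA"]  # crypto map Outside_map 30


def _addr(tokens, i):
    """Parse one ASA ACL address spec at tokens[i]: 'host A', 'any', or 'A MASK'."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Split 'access-list NAME extended permit ip SRC DST' into (name, src, dst)."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError("only 'access-list NAME extended ...' lines are handled")
    src, i = _addr(t, 5)
    dst, _ = _addr(t, i)
    return t[1], src, dst


def ace_matches_proxies(line, local_proxy, remote_proxy):
    """Mirror-image rule: the ACE source must cover the ASA's local proxy ID and
    the ACE destination must cover the peer's (remote) proxy ID.  A reversed ACE,
    or 'host' in front of a subnet address, fails exactly where the debug prints
    "ACL does not match proxy IDs".  Modelled as coverage; an exact mirror of the
    peer's selectors is the safe configuration."""
    _, src, dst = parse_ace(line)
    return local_proxy.subnet_of(src) and remote_proxy.subnet_of(dst)


def mirrored_ace(name, local_proxy, remote_proxy):
    """The ACE the ASA needs for these proxy IDs, in ASA 'addr mask' notation."""
    return (f"access-list {name} extended permit ip "
            f"{local_proxy.network_address} {local_proxy.netmask} "
            f"{remote_proxy.network_address} {remote_proxy.netmask}")


def nat0_covers_tunnel(line, local_proxy, remote_proxy):
    """nat (Inside) 0 must exempt LAN-to-remote-LAN traffic; otherwise
    'nat (Inside) 1' translates it before the crypto ACL can match it."""
    return ace_matches_proxies(line, local_proxy, remote_proxy)


def acceptable_transform(peer_proposals, offered, transform_sets=TRANSFORM_SETS):
    """First offered transform-set name whose (encryption, integrity) pair is in
    the peer's proposal list, or None: the check behind
    'All IPSec SA proposals found unacceptable!'."""
    peer = set(peer_proposals)
    for name in offered:
        if transform_sets[name] in peer:
            return name
    return None


if __name__ == "__main__":
    print("posted crypto ACE matches proxy IDs:",
          ace_matches_proxies(CRYPTO_ACE, LOCAL_PROXY, REMOTE_PROXY))
    print("needed:", mirrored_ace("Outside_30_cryptomap", LOCAL_PROXY, REMOTE_PROXY))
    print("posted nat0 ACE exempts tunnel traffic:",
          nat0_covers_tunnel(NAT0_ACE, LOCAL_PROXY, REMOTE_PROXY))
    print("needed:", mirrored_ace("nat0", LOCAL_PROXY, REMOTE_PROXY))
    # Constructed peer proposal (not from the thread): 3DES with SHA-1 only.
    print("static map accepts peer proposal:",
          acceptable_transform([("esp-3des", "esp-sha-hmac")], STATIC_MAP_OFFERS))
```

Run it as-is and both posted ACEs come back False, with the mirrored lines printed as the replacement; the constructed 3DES/SHA proposal is rejected by map entry 30 because that entry offers only ESP-3DES-MD5 and ESP-AES-256-SHA, which is the same reason the debug ends in a Phase 2 mismatch once the request falls through to the dynamic map. After changing the ACLs on the ASA, `show crypto ipsec sa` should show the local and remote identities as 10.0.0.0/8 and 192.168.5.0/24.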