Using same transform-set on multiple VPN site-to-site tunnels

IgorHamzic
Level 1

Hi all. I have a rather strange situation regarding a site-to-site VPN tunnel.

On one end I have a PIX 501 and on the other end an ASA5505 and a tunnel set up between them.

The problem is that from the side of the PIX I cannot establish a tunnel, but when the traffic starts from the ASA's side the tunnel establishes as normal.

I have checked the configurations on both ends and keys, passwords, mirror ACLs seem OK. The only thing that springs to attention is that I have the same transform set used for 2 different tunnels on the PIX side.

Can I use the same transform set on multiple tunnels or should I define a different transform set for every tunnel? Could this be the source of the problem?


Jon Marshall
Hall of Fame

Hi

No, that won't be an issue. I have used the same transform set on a PIX for over 60 site-to-site VPN tunnels.

What does the debugging show?

Jon

Here are the results of the debugging on both sides of the tunnel. I was out of action for a couple of days so sorry for the late reply.

ASA side:

Dec 20 12:24:27 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, QM FSM error (P2 struct &0x3a81b50, mess id 0x4bf27953)!

Dec 20 12:24:27 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Removing peer from correlator table failed, no match!

PIX side:

ISAKMP (0): beginning Main Mode exchange

crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 1

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (basic) of 7200

ISAKMP (0): atts are acceptable. Next payload is 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a VPN3000 concentrator

ISAKMP (0): ID payload

next-payload : 8

type : 1

protocol : 17

port : 500

length : 8

ISAKMP (0): Total payload length: 12

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of -245075964:f1647004

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500

ISAKMP (0): processing NOTIFY payload 14 protocol 3

spi 0, message ID = 1293387221

return status is IKMP_NO_ERR_NO_TRANS

crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500

ISAKMP (0): processing DELETE payload. message ID = 3694378254, spi size = 16

ISAKMP (0): deleting SA: src y.y.y.y, dst x.x.x.x

return status is IKMP_NO_ERR_NO_TRANS

ISADB: reaper checking SA 0xad3ac4, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for x.x.x.x/500 not found - peers:2

ISADB: reaper checking SA 0xaec8dc, conn_id = 0

ISADB: reaper checking SA 0xaebd5c, conn_id = 0

ISADB: reaper checking SA 0xae6f2c, conn_id = 0

I can also post the related parts of configs from both sides.

Can you please post the relevant part of the config and the debugs for ipsec as well?

deb cry ipsec

Here are the relevant parts of the configs from both devices.

ASA side:

crypto ipsec transform-set cp esp-des esp-sha-hmac

crypto ipsec security-association lifetime seconds 3600

crypto map vpn 20 match address 120

crypto map vpn 20 set pfs

crypto map vpn 20 set peer x.x.x.x

crypto map vpn 20 set transform-set cp

crypto map vpn interface outside

isakmp identity address

isakmp enable outside

isakmp policy 2 authentication pre-share

isakmp policy 2 encryption aes-256

isakmp policy 2 hash sha

isakmp policy 2 group 5

isakmp policy 2 lifetime 86400

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 7200

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

pre-shared-key xxxxxxxxxxxxxxxxx

access-list 120 extended permit ip 172.20.8.0 255.255.255.0 172.20.9.0 255.255.255.0

access-list 120 extended permit ip 10.100.8.0 255.255.255.0 172.20.9.0 255.255.255.0

access-list 120 extended permit ip 10.100.16.0 255.255.255.0 172.20.9.0 255.255.255.0

PIX side:

crypto ipsec transform-set cp esp-des esp-sha-hmac

crypto ipsec security-association lifetime seconds 3600

crypto map vpn 20 ipsec-isakmp

crypto map vpn 20 match address 120

crypto map vpn 20 set pfs

crypto map vpn 20 set peer x.x.x.x

crypto map vpn 20 set transform-set cp

crypto map vpn interface outside

isakmp enable outside

isakmp key xxxxxxxxxxxx address x.x.x.x netmask 255.255.255.255

isakmp identity address

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 7200

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash sha

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

access-list 120 permit ip 172.20.9.0 255.255.255.0 172.20.8.0 255.255.255.0

access-list 120 permit ip 172.20.9.0 255.255.255.0 10.100.8.0 255.255.255.0

access-list 120 permit ip 172.20.9.0 255.255.255.0 10.100.16.0 255.255.255.0

Forgot the debug of ipsec.

IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x9b7d0784(2608662404) for SA

from y.y.y.y to x.x.x.x for prot 3

IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with y.y.y.y

IPSEC(key_engine): request timer fired: count = 1,

(identity) local= x.x.x.x, remote= y.y.y.y,

local_proxy= 172.20.9.0/255.255.255.0/0/0 (type=4),

remote_proxy= 172.20.8.0/255.255.255.0/0/0 (type=4)

IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0x79d3f3bf(2043933631) for SA

from y.y.y.y to x.x.x.x for prot 3

IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with y.y.y.y

IPSEC(key_engine): request timer fired: count = 2,

(identity) local= x.x.x.x, remote= y.y.y.y,

local_proxy= 172.20.9.0/255.255.255.0/0/0 (type=4),

remote_proxy= 172.20.8.0/255.255.255.0/0/0 (type=4)

IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0xaa3f5dbd(2856279485) for SA

from y.y.y.y to x.x.x.x for prot 3

IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with y.y.y.y

IPSEC(key_engine): request timer fired: count = 1,

(identity) local= x.x.x.x, remote= y.y.y.y,

local_proxy= 172.20.9.0/255.255.255.0/0/0 (type=4),

remote_proxy= 172.20.8.0/255.255.255.0/0/0 (type=4)

IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0xa22a0c10(2720664592) for SA

from y.y.y.y to x.x.x.x for prot 3

IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with y.y.y.y

IPSEC(key_engine): request timer fired: count = 2,

(identity) local= x.x.x.x, remote= y.y.y.y,

local_proxy= 172.20.9.0/255.255.255.0/0/0 (type=4),

remote_proxy= 172.20.8.0/255.255.255.0/0/0 (type=4)

IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0xef2ba5c0(4012615104) for SA

from y.y.y.y to x.x.x.x for prot 3

IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with y.y.y.y

IPSEC(key_engine): request timer fired: count = 1,

(identity) local= x.x.x.x, remote= y.y.y.y,

local_proxy= 172.20.9.0/255.255.255.0/0/0 (type=4),

remote_proxy= 172.20.8.0/255.255.255.0/0/0 (type=4)

IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0xe9030f5b(3909291867) for SA

from y.y.y.y to x.x.x.x for prot 3

IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0xf86c4794(4167845780) for SA

from y.y.y.y to x.x.x.x for prot 3

IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with y.y.y.y

IPSEC(key_engine): request timer fired: count = 2,

(identity) local= x.x.x.x, remote= y.y.y.y,

local_proxy= 172.20.9.0/255.255.255.0/0/0 (type=4),

remote_proxy= 172.20.8.0/255.255.255.0/0/0 (type=4)

IPSEC(key_engine): request timer fired: count = 1,

(identity) local= x.x.x.x, remote= y.y.y.y,

local_proxy= 172.20.9.0/255.255.255.0/0/0 (type=4),

remote_proxy= 10.100.8.0/255.255.255.0/0/0 (type=4)

IPSEC(key_engine): got a queue event...

IPSEC(spi_response): getting spi 0xdc627d36(3697442102) for SA

from y.y.y.y to x.x.x.x for prot 3

ASA, by default, uses PFS group 2 if a group is not specified, whereas PIX 6.x uses PFS group 1 if a group is not specified.

So, you need to change the PFS group on any of the devices to match the other.

Hope that helps.

Use this on PIX

crypto map set pfs group2

Or on ASA, use:

crypto map set pfs group1
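As an added illustration of the default-PFS explanation above and the fix that follows (this is not code from the thread): a small Python checker that reads the two posted crypto-map excerpts, fills in each platform's implicit PFS group, and reports the phase-2 mismatches a peer would reject. The config strings and the "asa"/"pix6" platform labels are constructed from the snippets in this thread.

```python
import re

# Constructed excerpts of the two ends' crypto configs as posted in the thread.
# Both sides say "set pfs" with no group, so each platform's default applies.
ASA_CFG = """\
crypto ipsec transform-set cp esp-des esp-sha-hmac
crypto map vpn 20 set pfs
crypto map vpn 20 set transform-set cp
access-list 120 extended permit ip 172.20.8.0 255.255.255.0 172.20.9.0 255.255.255.0
access-list 120 extended permit ip 10.100.8.0 255.255.255.0 172.20.9.0 255.255.255.0
"""
PIX_CFG = """\
crypto ipsec transform-set cp esp-des esp-sha-hmac
crypto map vpn 20 set pfs
crypto map vpn 20 set transform-set cp
access-list 120 permit ip 172.20.9.0 255.255.255.0 172.20.8.0 255.255.255.0
access-list 120 permit ip 172.20.9.0 255.255.255.0 10.100.8.0 255.255.255.0
"""

# Implicit PFS group when "set pfs" carries no argument (as stated in the thread).
DEFAULT_PFS = {"asa": "group2", "pix6": "group1"}

def parse_side(cfg, platform):
    """Pull out the phase-2 parameters that must agree between the two peers."""
    transform_sets, pfs, used, acl = {}, None, None, set()
    for line in cfg.splitlines():
        if m := re.match(r"crypto ipsec transform-set (\S+) (.*)", line):
            transform_sets[m.group(1)] = tuple(m.group(2).split())
        elif m := re.match(r"crypto map \S+ \d+ set pfs\s*(\S*)", line):
            pfs = m.group(1) or DEFAULT_PFS[platform]   # fill in the implicit default
        elif m := re.match(r"crypto map \S+ \d+ set transform-set (\S+)", line):
            used = transform_sets[m.group(1)]
        elif m := re.match(r"access-list \d+ (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acl.add(m.groups())   # (src, src_mask, dst, dst_mask)
    return {"pfs": pfs, "transform": used, "acl": acl}

def compare_peers(a, b):
    """Return the mismatches that would make Quick Mode (IPsec phase 2) fail."""
    issues = []
    if a["pfs"] != b["pfs"]:
        issues.append(f"pfs mismatch: {a['pfs']} vs {b['pfs']}")
    if a["transform"] != b["transform"]:
        issues.append("transform-set mismatch")
    # The remote crypto ACL must be the exact mirror of the local one.
    mirrored = {(d, dm, s, sm) for s, sm, d, dm in b["acl"]}
    if a["acl"] != mirrored:
        issues.append("crypto ACLs are not mirror images")
    return issues

if __name__ == "__main__":
    print(compare_peers(parse_side(ASA_CFG, "asa"), parse_side(PIX_CFG, "pix6")))
```

Run as-is it reports only the PFS mismatch (group2 vs group1); adding an explicit `group1` to the ASA's `set pfs` line, as the accepted answer suggests, makes the report empty.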

I didn't know that ASA uses PFS group 2 as default. I guess you learn something new every day. I'll change that and let you know how it went and if the problem persists.

The changing of PFS values on ASA solved the problem. There are no more dropped tunnels.

Thanks for all your help.