03-20-2014 10:01 AM
Hi,
We are configuring a Cisco ASA to connect a VPN tunnel over IPsec.
On both sides, we can see the initiation frame,
but then nothing happens.
The Vyatta is already connected to other sites using IPsec.
The Cisco ASA is only trying to connect to this Vyatta; no other connection exists.
Both peers, XXX.XXX.XX (Vyatta) and YYY.YYY.YY. (ASA), can ping each other.
Could you please help us find out what is wrong in the Cisco ASA config? We think the Vyatta one is correct, as it works with many other sites.
We have tried changing the PSK on both sides, with no improvement; we have tried changing the encryption and authentication rules from 3DES to AES128, but still the same behaviour.
We have changed multiple settings on the Vyatta side, but nothing changed (initiate or respond mode, PFS enable/disable, changed lifetime, compression enable/disable...), because we know Vyatta better than the Cisco config.
We want to connect 192.168.20.150/32 to 172.19.1.0/24.
192 is on the Vyatta side and is NATed to another internal IP using Vyatta NAT, like all other IPs in this network, and this usually works perfectly with other IPsec VPNs.
Cisco log sample: what does it mean? We guess a timeout waiting for key exchange/validation from the Vyatta.
Mar 18 01:39:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 18 01:39:16 [IKEv1]: IP = XX.XXX.XX.XXX, IKE Initiator: New Phase 1, Intf inside, IKE Peer XX.XXX.XX.XXX local Proxy Address 172.19.1.0, remote Proxy Address 192.168.20.150, Crypto map (outside-map)
Mar 18 01:39:16 [IKEv1 DEBUG]: IP = XX.XXX.XX.XXX, constructing ISAKMP SA payload
Mar 18 01:39:16 [IKEv1 DEBUG]: IP = XX.XXX.XX.XXX, constructing Fragmentation VID + extended capabilities payload
Mar 18 01:39:16 [IKEv1]: IP = XX.XXX.XX.XXX, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 18 01:39:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 18 01:39:20 [IKEv1]: IP = XX.XXX.XX.XXX, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Mar 18 01:39:24 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 18 01:39:24 [IKEv1]: IP = XX.XXX.XX.XXX, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Mar 18 01:39:24 [IKEv1]: IP = XX.XXX.XX.XXX, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 18 01:39:28 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 18 01:39:28 [IKEv1]: IP = XX.XXX.XX.XXX, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Mar 18 01:39:32 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 18 01:39:32 [IKEv1]: IP = XX.XXX.XX.XXX, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Mar 18 01:39:32 [IKEv1]: IP = XX.XXX.XX.XXX, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 18 01:39:36 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 18 01:39:36 [IKEv1]: IP = XX.XXX.XX.XXX, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Mar 18 01:39:40 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 18 01:39:40 [IKEv1]: IP = XX.XXX.XX.XXX, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Mar 18 01:39:40 [IKEv1]: IP = XX.XXX.XX.XXX, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 18 01:39:44 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 18 01:39:44 [IKEv1]: IP = XX.XXX.XX.XXX, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Mar 18 01:39:48 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 18 01:39:48 [IKEv1]: IP = XX.XXX.XX.XXX, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Mar 18 01:39:48 [IKEv1 DEBUG]: IP = XX.XXX.XX.XXX, IKE MM Initiator FSM error history (struct &0x392d8c0) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Mar 18 01:39:48 [IKEv1 DEBUG]: IP = XX.XXX.XX.XXX, IKE SA MM:5a074820 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Mar 18 01:39:48 [IKEv1 DEBUG]: IP = XX.XXX.XX.XXX, sending delete/delete with reason message
Mar 18 01:39:48 [IKEv1]: IP = XX.XXX.XX.XXX, Removing peer from peer table failed, no match!
Mar 18 01:39:48 [IKEv1]: IP = XX.XXX.XX.XXX, Error: Unable to remove PeerTblEntry
Mar 18 01:39:52 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 18 01:39:52 [IKEv1]: IP = XX.XXX.XX.XXX, IKE Initiator: New Phase 1, Intf inside, IKE Peer XX.XXX.XX.XXX local Proxy Address 172.19.1.0, remote Proxy Address 192.168.20.150, Crypto map (outside-map)
Mar 18 01:39:52 [IKEv1 DEBUG]: IP = XX.XXX.XX.XXX, constructing ISAKMP SA payload
Mar 18 01:39:52 [IKEv1 DEBUG]: IP = XX.XXX.XX.XXX, constructing Fragmentation VID + extended capabilities payload
Mar 18 01:39:52 [IKEv1]: IP = XX.XXX.XX.XXX, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 18 01:40:00 [IKEv1]: IP = XX.XXX.XX.XXX, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 18 01:40:08 [IKEv1]: IP = XX.XXX.XX.XXX, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
hostname ciscoasa
enable password 8Ry2Yjxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
description connexion vers Rter Internet
nameif outside
security-level 0
ip address YYY.YYY.YYY.110 255.255.255.252
!
interface Ethernet0/1
description Connexion LAN
nameif inside
security-level 100
ip address 172.19.1.251 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
passwd 6Iby0Jaxxxxxxx encrypted
ftp mode passive
access-list nonat extended permit ip 172.19.1.0 255.255.255.0 host 192.168.20.10
access-list encrypt extended permit ip 172.19.1.0 255.255.255.0 host 192.168.20.150
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 YYY.YYY.YYY.109 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set passwordset esp-3des esp-sha-hmac
crypto map outside-map 10 match address encrypt
crypto map outside-map 10 set peer 46.105.37.153
crypto map outside-map 10 set transform-set passwordset
crypto map outside-map interface outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 46.105.37.153 type ipsec-l2l
tunnel-group 46.105.37.153 ipsec-attributes
pre-shared-key *
telnet 172.19.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:d039f8b71fexxx
: end
peer YYY.YYY.YY.YY
    authentication {
        mode pre-shared-secret
        pre-shared-secret password123
    }
    connection-type initiate
    description "VPN "
    ike-group IKE_3DES_SHA1
    local-address XX.XXX.XXX.XXX.XXX
    tunnel 1 {
        allow-nat-networks disable
        allow-public-networks disable
        esp-group ESP_3DES_SHA1_28800
        local {
            prefix 192.168.20.150/32
        }
        remote {
            prefix 172.19.1.0/24
        }
    }
esp-group ESP_3DES_SHA1_28800 {
    compression disable
    lifetime 28800
    mode tunnel
    pfs disable
    proposal 1 {
        encryption 3des
        hash sha1
    }
}
ike-group IKE_3DES_SHA1 {
    dead-peer-detection {
        action restart
        interval 30
        timeout 60
    }
    lifetime 86400
    proposal 1 {
        dh-group 2
        encryption 3des
        hash sha1
    }
}
When checking the Vyatta logs, we can see:
Mar 20 16:54:50 vyatta pluto[15187]: loaded PSK secret for XXX.XXX.XXX.XXX. YYY.YYY.YY.YYY
Mar 20 16:54:50 vyatta pluto[15187]: added connection description "peer-YYY.YYY.YYY.YY-tunnel-1"
Mar 20 16:54:50 vyatta pluto[15187]: "peer-YYY.YYY.YYY.YY-tunnel-1" #243442: initiating Main Mode
then:
#243442: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
Sometimes we could get:
Mar 18 11:38:34 vyatta pluto[15187]: packet from YYY.YYY.YYY.YYY:1645: initial Main Mode message received on XX.XXX.XXX.XXX:500 but no connection has been authorized with policy=PSK
Do we miss something important?
Thanks,
Vincent
03-21-2014 09:33 AM
Vincent
I am looking in your Cisco config for something like this:
crypto isakmp enable outside
and I am not seeing it. Please add it to your config and let us know if the behavior changes.
HTH
Rick
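A small script that checks for the omission Rick points out and for the log signature Vincent posted, added here as an example (not code from either poster). It assumes only the config and log formats shown above; the config excerpt and log lines embedded in it are constructed from the thread, and it accepts both the older `isakmp enable <if>` and the newer `crypto isakmp enable <if>` spelling of the command.

```python
import re

# Constructed excerpt of the ASA config posted in the thread (not the full file).
ASA_CONFIG = """\
interface Ethernet0/0
 nameif outside
crypto ipsec transform-set passwordset esp-3des esp-sha-hmac
crypto map outside-map 10 match address encrypt
crypto map outside-map 10 set peer 46.105.37.153
crypto map outside-map interface outside
isakmp policy 10 authentication pre-share
tunnel-group 46.105.37.153 type ipsec-l2l
"""

# Constructed ASA IKEv1 debug lines in the same format as the thread's sample.
ASA_LOG = """\
Mar 18 01:39:16 [IKEv1]: IP = XX.XXX.XX.XXX, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 18 01:39:24 [IKEv1]: IP = XX.XXX.XX.XXX, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 18 01:39:48 [IKEv1 DEBUG]: IP = XX.XXX.XX.XXX, IKE MM Initiator FSM error history (struct &0x392d8c0) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1
"""

def crypto_map_interfaces(config):
    """Map interface -> crypto map name from 'crypto map <name> interface <if>' lines."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"^crypto map (\S+) interface (\S+)\s*$", config, re.M)}

def isakmp_enabled_interfaces(config):
    """Interfaces with ISAKMP enabled; matches both 'isakmp enable <if>' (ASA 7.x
    syntax, which this config otherwise uses) and 'crypto isakmp enable <if>'."""
    return set(re.findall(r"^(?:crypto )?isakmp enable (\S+)\s*$", config, re.M))

def missing_isakmp_enable(config):
    """Interfaces that carry a crypto map but have no ISAKMP enable line at all."""
    return sorted(set(crypto_map_interfaces(config)) - isakmp_enabled_interfaces(config))

def main_mode_unanswered(log):
    """True when Main Mode message 1 (msgid=0) was resent and the initiator FSM
    gave up in MM_WAIT_MSG2 without any 'IKE_DECODE RECEIVED' line for msgid=0,
    i.e. the peer never answered: the exact pattern in the thread's ASA log."""
    resent = len(re.findall(r"IKE_DECODE RESENDING Message \(msgid=0\)", log))
    received = "IKE_DECODE RECEIVED Message (msgid=0)" in log
    gave_up = "EV_TIMEOUT-->MM_WAIT_MSG2" in log
    return resent > 0 and gave_up and not received

if __name__ == "__main__":
    print("crypto-map interfaces without ISAKMP:", missing_isakmp_enable(ASA_CONFIG))
    print("Main Mode MSG1 unanswered:", main_mode_unanswered(ASA_LOG))
```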