Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Site-to-Site VPN ASA 5510 <-> RV220W

I'm looking to get a remote office RV220W connected to my ASA5510.  I have several PIX 501 and ASA5505's connected to the ASA5510.

I've setup everthing similar that I can think of though I'm still not connecting.

IKE Policy:

Direction: Initiator

Exchange mode: Aggressive  (for using FQDN Ident)

Remotes are all DHCP, so setup Local Identifier on RV220W as FQDN and typed in a FQDN for the remote RV220W. That is the same name I used for the Tunnel-Group on the ASA.  Remote is IP, ASA is setup to send IP for Ident.

IKE SA: 

3DES, SHA, DH2, 28800

VPN Policy:

Auto Policy, Remote Endpoint IP

SA-Lifetime: 86400, 3DES, SHA-1, PFS Enabled, DH2

Below is the Log from the RV220W.  The line that stuck out to me was:

2012-01-10 04:11:44: [rv220w][IKE] WARNING:  Remote address mismatched. Local=<PubIP>[4500], Peer=<PubIP>[500]

Why is Local= and Peer= the same IP?

10.220.1.0/24 = LAN behind RV220W

10.220.255.254 WAN IP of RV220W

10.1.0.0/16 = LAN behind ASA 5510

<PubIP> = Public IP of ASA 5510

2012-01-10 04:11:28: [rv220w][IKE] INFO:  Using IPsec SA configuration: 10.220.1.0/24<->10.1.0.0/16

2012-01-10 04:11:28: [rv220w][IKE] INFO:  Configuration found for <PubIP>.

2012-01-10 04:11:28: [rv220w][IKE] INFO:  Initiating new phase 1 negotiation: 10.220.255.254[500]<=><PubIP>[500]

2012-01-10 04:11:28: [rv220w][IKE] INFO:  Beginning Aggressive mode.

2012-01-10 04:11:28: [rv220w][IKE] INFO:  NAT-Traversal is Enabled

2012-01-10 04:11:28: [rv220w][IKE] INFO:   [agg_i1send:256]: XXX: NUMNATTVENDORIDS: 3

2012-01-10 04:11:28: [rv220w][IKE] INFO:   [agg_i1send:260]: XXX: setting vendorid: 4

2012-01-10 04:11:28: [rv220w][IKE] INFO:   [agg_i1send:260]: XXX: setting vendorid: 8

2012-01-10 04:11:28: [rv220w][IKE] INFO:   [agg_i1send:260]: XXX: setting vendorid: 9

2012-01-10 04:11:28: [rv220w][IKE] INFO:  Received Vendor ID: CISCO-UNITY

2012-01-10 04:11:28: [rv220w][IKE] INFO:  Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt

2012-01-10 04:11:28: [rv220w][IKE] INFO:  Received Vendor ID: DPD

2012-01-10 04:11:28: [rv220w][IKE] INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2012-01-10 04:11:28: [rv220w][IKE] INFO:  Received unknown Vendor ID

2012-01-10 04:11:28: [rv220w][IKE] INFO:  Received unknown Vendor ID

2012-01-10 04:11:28: [rv220w][IKE] INFO:  NAT-D payload does not match for 10.220.255.254[500]

2012-01-10 04:11:28: [rv220w][IKE] INFO:  NAT-D payload matches for <PubIP>[500]

2012-01-10 04:11:28: [rv220w][IKE] INFO:  For <PubIP>[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02

2012-01-10 04:11:28: [rv220w][IKE] INFO:  NAT detected: ME

2012-01-10 04:11:28: [rv220w][IKE] INFO:  for debugging :: changing ports2012-01-10 04:11:28: [rv220w][IKE] INFO:  port changed !!

2012-01-10 04:11:28: [rv220w][IKE] ERROR:  HASH mismatched

2012-01-10 04:11:28: [rv220w][IKE] INFO:  Sending Informational Exchange: notify payload[INVALID-HASH-INFORMATION]

2012-01-10 04:11:36: [rv220w][IKE] WARNING:  Remote address mismatched. Local=<PubIP>[4500], Peer=<PubIP>[500]

2012-01-10 04:11:36: [rv220w][IKE] INFO:  Received Vendor ID: CISCO-UNITY

2012-01-10 04:11:36: [rv220w][IKE] INFO:  Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt

2012-01-10 04:11:36: [rv220w][IKE] INFO:  Received Vendor ID: DPD

2012-01-10 04:11:36: [rv220w][IKE] INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2012-01-10 04:11:36: [rv220w][IKE] INFO:  Received unknown Vendor ID

2012-01-10 04:11:36: [rv220w][IKE] INFO:  Received unknown Vendor ID

2012-01-10 04:11:36: [rv220w][IKE] INFO:  NAT-D payload does not match for 10.220.255.254[4500]

2012-01-10 04:11:36: [rv220w][IKE] INFO:  NAT-D payload does not match for<PubIP>[4500]

2012-01-10 04:11:36: [rv220w][IKE] INFO:  For<PubIP>[4500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02

2012-01-10 04:11:36: [rv220w][IKE] INFO:  NAT detected: ME PEER

2012-01-10 04:11:36: [rv220w][IKE] INFO:  for debugging :: changing ports2012-01-10 04:11:36: [rv220w][IKE] INFO:  port changed !!

2012-01-10 04:11:36: [rv220w][IKE] ERROR:  HASH mismatched

2012-01-10 04:11:36: [rv220w][IKE] INFO:  Sending Informational Exchange: notify payload[INVALID-HASH-INFORMATION]

2012-01-10 04:11:44: [rv220w][IKE] WARNING:  Remote address mismatched. Local=<PubIP>[4500], Peer=<PubIP>[500]

2012-01-10 04:11:44: [rv220w][IKE] INFO:  Received Vendor ID: CISCO-UNITY

2012-01-10 04:11:44: [rv220w][IKE] INFO:  Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt

2012-01-10 04:11:44: [rv220w][IKE] INFO:  Received Vendor ID: DPD

2012-01-10 04:11:44: [rv220w][IKE] INFO:  Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2012-01-10 04:11:44: [rv220w][IKE] INFO:  Received unknown Vendor ID

2012-01-10 04:11:44: [rv220w][IKE] INFO:  Received unknown Vendor ID

2012-01-10 04:11:44: [rv220w][IKE] INFO:  NAT-D payload does not match for 10.220.255.254[4500]

2012-01-10 04:11:44: [rv220w][IKE] INFO:  NAT-D payload does not match for<PubIP>[4500]

2012-01-10 04:11:44: [rv220w][IKE] INFO:  For<PubIP>[4500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02

2012-01-10 04:11:44: [rv220w][IKE] INFO:  NAT detected: ME PEER

2012-01-10 04:11:44: [rv220w][IKE] INFO:  for debugging :: changing ports2012-01-10 04:11:44: [rv220w][IKE] INFO:  port changed !!

2012-01-10 04:11:44: [rv220w][IKE] ERROR:  HASH mismatched

2012-01-10 04:11:44: [rv220w][IKE] INFO:  Sending Informational Exchange: notify payload[INVALID-HASH-INFORMATION]

ASA 5510 Configuration

object network NETWORK-SCHOLEY
subnet 10.220.225.0 255.255.255.0


access-list scholey_split_tunnel extended permit ip object-group LOCAL_NETWORK_REMOTE_VPN object NETWORK-SCHOLEY
access-list scholey_split_tunnel extended permit ip object NETWORK-HBG object NETWORK-SCHOLEY
access-list scholey_split_tunnel extended permit ip object NETWORK-SF object NETWORK-SCHOLEY
access-list scholey_split_tunnel extended permit ip object NETWORK-TRAINING object NETWORK-SCHOLEY


crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto dynamic-map dynamic-remote-office 65534 set transform-set ESP-3DES-SHA
crypto map hbg-outside-198_map 65534 ipsec-isakmp dynamic dynamic-remote-office
crypto map hbg-outside-198_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto isakmp identity address
crypto isakmp enable hbg-outside-198
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


group-policy scholey internal
group-policy scholey attributes
vpn-tunnel-protocol IPSec
ipsec-udp disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value scholey_split_tunnel


tunnel-group scholey type ipsec-l2l
tunnel-group scholey general-attributes
default-group-policy scholey.vpn.haydon-mill.com
tunnel-group scholey ipsec-attributes
pre-shared-key scholeykey

ASA 5510 syslog messages

%ASA-7-713236: IP = 10.220.255.254, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 436

%ASA-7-715048: Group = scholey, IP = 10.220.255.254, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing VID payload

%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing Fragmentation VID + extended capabilities payload

%ASA-7-713906: Group = scholey, IP = 10.220.255.254, computing NAT Discovery hash

%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing NAT-Discovery payload

%ASA-7-713906: Group = scholey, IP = 10.220.255.254, computing NAT Discovery hash

%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing NAT-Discovery payload

%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing NAT-Traversal VID ver 02 payload

%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing dpd vid payload

%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing xauth V6 VID payload

%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing Cisco Unity VID payload

%ASA-7-715076: Group = scholey, IP = 10.220.255.254, Computing hash for ISAKMP

%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing hash payload

%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing ID payload

%ASA-7-713906: Group = scholey, IP = 10.220.255.254, Generating keys for Responder...

%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing nonce payload

%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing ke payload

%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing ISAKMP SA payload

%ASA-7-715028: Group = scholey, IP = 10.220.255.254, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2

%ASA-7-715047: Group = scholey, IP = 10.220.255.254, processing IKE SA payload

%ASA-7-713906: IP = 10.220.255.254, Connection landed on tunnel_group scholey

%ASA-7-715049: IP = 10.220.255.254, Received DPD VID

%ASA-7-715047: IP = 10.220.255.254, processing VID payload

%ASA-7-715049: IP = 10.220.255.254, Received NAT-Traversal RFC VID

%ASA-7-715047: IP = 10.220.255.254, processing VID payload

%ASA-7-715049: IP = 10.220.255.254, Received NAT-Traversal ver 02 VID

%ASA-7-715047: IP = 10.220.255.254, processing VID payload

%ASA-7-715047: IP = 10.220.255.254, processing VID payload

%ASA-7-713906: IP = 10.220.255.254, ID_FQDN ID received, len 27#%cLt#%010>0000: 7363686F 6C65792E 76706E2E 68617964 scholey.vpn.hayd#%cLt#%010>0010: 6F6E2D6D 696C6C2E 636F6D on-mill.com

%ASA-7-715047: IP = 10.220.255.254, processing ID payload

%ASA-7-715047: IP = 10.220.255.254, processing nonce payload

%ASA-7-715047: IP = 10.220.255.254, processing ISA_KE payload

%ASA-7-715047: IP = 10.220.255.254, processing ke payload

%ASA-7-715047: IP = 10.220.255.254, processing SA payload

%ASA-7-713236: IP = 10.220.255.254, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 347

Everyone's tags (4)
3 REPLIES
New Member

Site-to-Site VPN ASA 5510 <-> RV220W

So It looks like I had a few things against me.

The SA-Lifetimes were reversed. I had the 28800 swapped with the 86400 lifetime.

PFS was Ticked, it should have been unchecked.

Though the most crutial mistake was using GMT-8 Pacific Standard Time for the Timezone setting.   I'm running software version 1.0.3.5 and the timezone GMT-8 Pacific Standard Time seems to really be -16, not -8.  Switching to GMT -8 Pitcairn Island Time Lead me to the finding the SA Lifetime issues.

Scott<-

Silver

Site-to-Site VPN ASA 5510 <-> RV220W

Scott,

Thanks for re-posting - so do you have the tunnels successful connected now? 

Jasbryan

New Member

Site-to-Site VPN ASA 5510 <-> RV220W

Yes, the Tunnels are up.  I just wish it was not so Difficult to get everything all sync'd up.

Managing many subnets and exterior gateways makes for changes on several devices when I add a new remote Subnet.

Though the Timezone bug was the real show stopper!  that needs to be looked into. Having a clock that is 8 hours off does not play nice with IPSec!

Now if I could find a way to connect to a remote Subnet from a remote subnet via the Head End ASA, that would be Super!

Thanks!

8591
Views
0
Helpful
3
Replies