All proposals found unacceptable with ESP-AES-128-SHA on ASA 8.3
I want to configure a L2L VPN using X.509 certificates between an ASA 5505 8.3(1) and an OpenBSD 4.9 peer. The ASA has a static IP the OpenBSD peer has a dynamic public IP and is NATed.
I have configured the tunnel successfully using PSK aggressive mode, but as OpenBSD seems to have a problem with NAT-T detection using agressive mode, I have to use main mode. As I cannot use main mode using dynamic IPs with PSK (as far as I know) I want to use X.509 certificates. I simply have changed the "pre-shared-key" ipsec-attribute of the tunnel-group to the "trust-point" and added a certificate map and a tunnel-group-mapping. Since this I get following error message:
Nov 27 16:50:13 [IKEv1]: Group = brno, IP = 220.127.116.11, Mismatch: P1 Authentication algorithm in the crypto map entry different from negotiated algorithm for the L2L connection
Nov 27 16:50:13 [IKEv1]: Group = brno, IP = 18.104.22.168, All IPSec SA proposals found unacceptable!
I have not changed any IPSec nor ISAKMP proposals since the tunnel worked with PSK. I have changed the dynamic map to a static crypto map, but this did not resolve the problem.
I have configured my ASA to accept "ESP-AES-128-SHA" (beyond others) and this is the proposal my OpenBSD sends and the ASA receives (according to debug isakmp 254), but the ASA reports, that it cannot accept the proposal. I have also tried to use other combinations like 3DES-MD5.
Here is the configuration of my ASA:
tunnel-group brno type ipsec-l2l
tunnel-group brno general-attributes
tunnel-group brno ipsec-attributes
crypto map outside_map 2 match address vpn_brno
crypto map outside_map 2 set peer 22.214.171.124
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-3DES-SHA ESP-3DES-MD5
tunnel-group-map enable rules
tunnel-group-map brno 10 brno
crypto ca certificate map brno 10
subject-name attr cn eq brno.private.lan
crypto isakmp enable outside
crypto isakmp policy 80
And here is the configuration of my OpenBSD peer:
ike esp from 10.1.0.0/16 to 10.4.0.0/22 peer 126.96.36.199 \
main auth hmac-sha enc aes group modp1024 \
quick auth hmac-sha enc aes group none \
srcid brno.private.lan dstid vienna.private.lan
With this configuration both gateways support at least the proposal "ESP-AES-128-SHA" in both phases. But the ASA does not accept the proposal from the OpenBSD peer (see debug messages above). The group selection is being done correctly (as can be seen in the debug messages).
I cannot imagin any misconfiguration, but I also have no more idea to resolve this problem.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
[toc:faq]Introduction:This document describes details on how NAT-T
works.Background:ESP encrypts all critical information, encapsulating
the entire inner TCP/UDP datagram within an ESP header. ESP is an IP
protocol in the same sense that TCP and UDP are I...