12-20-2013 10:49 AM
Hi all
Am trying to get an IPsec remote access VPN working between an Android 4.3 device and Cisco ASA 5505. I have the following phase 1 proposals:
PRM-ASA3(config)# sh run crypto isakm
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
Not sure what the Android VPN defaults to, as it doesn't have any settings that granular.
The ASA is logging this:
PRM-ASA3(config)# Dec 20 18:38:20 [IKEv1]: IP = 2.2.2.123, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 649
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing SA payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing ke payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing ISA_KE payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing nonce payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing ID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received Fragmentation VID
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received NAT-Traversal RFC VID
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received NAT-Traversal ver 02 VID
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received xauth V6 VID
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received Cisco Unity client VID
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received DPD VID
Dec 20 18:38:20 [IKEv1]: IP = 2.2.2.123, Connection landed on tunnel_group PRM-IT-access
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, processing IKE SA payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 1
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing ISAKMP SA payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing ke payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing nonce payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, Generating keys for Responder...
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing ID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing hash payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, Computing hash for ISAKMP
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing Cisco Unity VID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing xauth V6 VID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing dpd vid payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing NAT-Traversal VID ver 02 payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing NAT-Discovery payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, computing NAT Discovery hash
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing NAT-Discovery payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, computing NAT Discovery hash
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing Fragmentation VID + extended capabilities payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing VID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 20 18:38:23 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, Duplicate Phase 1 packet detected. Retransmitting last packet.
Dec 20 18:38:23 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, P1 Retransmit msg dispatched to AM FSM
Dec 20 18:38:26 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, Duplicate Phase 1 packet detected. Retransmitting last packet.
Dec 20 18:38:26 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, P1 Retransmit msg dispatched to AM FSM
Dec 20 18:38:30 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, Duplicate Phase 1 packet detected. Retransmitting last packet.
Dec 20 18:38:30 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, P1 Retransmit msg dispatched to AM FSM
Dec 20 18:38:33 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, Duplicate Phase 1 packet detected. Retransmitting last packet.
Dec 20 18:38:33 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, P1 Retransmit msg dispatched to AM FSM
Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, IKE AM Responder FSM error history (struct &0xca280dc8) <state>, <event>: AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_RESEND_MSG-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_SND_MSG2, EV_RESEND_MSG-->AM_WAIT_MSG3, EV_RESEND_MSG
Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, IKE SA AM:e6f1e3d8 terminating: flags 0x0100c001, refcnt 0, tuncnt 0
Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, sending delete/delete with reason message
Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing blank hash payload
Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing IKE delete payload
Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing qm hash payload
Totally stuck at this point! Please help me save what's left of my hair....
Thanks
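An added example, not part of the original post: a small Python triage script that reads IKEv1 debug lines in the format shown above and reports, per peer, the tunnel group, the exchange mode, whether a Phase 1 proposal matched, how many duplicate Phase 1 packets arrived, and the WAIT state named in the FSM error history. The function names and the `min_duplicates` threshold are assumptions of this example; the sample lines are excerpted from the post, with the FSM history line shortened.

```python
import re

# Excerpt of the ASA debug output from the post above (FSM history line shortened).
SAMPLE = """\
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 1
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing hash payload
Dec 20 18:38:23 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, Duplicate Phase 1 packet detected. Retransmitting last packet.
Dec 20 18:38:23 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, P1 Retransmit msg dispatched to AM FSM
Dec 20 18:38:26 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, Duplicate Phase 1 packet detected. Retransmitting last packet.
Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, IKE AM Responder FSM error history (struct &0xca280dc8) <state>, <event>: AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_RESEND_MSG-->AM_WAIT_MSG3, NullEvent
"""

BODY = re.compile(r"\[IKEv1(?: DEBUG)?\]: (.*)$")  # tolerates a CLI prompt before the timestamp
PEER = re.compile(r"IP = ([\d.]+), (.*)$")
GROUP = re.compile(r"Group = ([^,]+),")
MODE = re.compile(r"\b(AM|MM) (?:Responder |Initiator )?FSM")
HISTORY = re.compile(r"<state>, <event>: (.*)$")

def summarize(log_text):
    """Return {peer_ip: facts}, using only what the debug lines state."""
    peers = {}
    for line in log_text.splitlines():
        body = BODY.search(line)
        peer = PEER.search(body.group(1)) if body else None
        if not peer:
            continue
        ip, msg = peer.groups()
        s = peers.setdefault(ip, {"group": None, "mode": None, "proposal_accepted": False,
                                  "duplicate_p1": 0, "waiting_in": None})
        if (g := GROUP.search(body.group(1))):
            s["group"] = g.group(1)
        if (m := MODE.search(msg)):
            s["mode"] = {"AM": "aggressive", "MM": "main"}[m.group(1)]
        if "IKE SA Proposal" in msg and "acceptable" in msg:
            s["proposal_accepted"] = True
        if msg.startswith("Duplicate Phase 1 packet detected"):
            s["duplicate_p1"] += 1
        if (h := HISTORY.search(msg)):
            # First *_WAIT_* state named in the error history, if any.
            states = [pair.split(",")[0].strip() for pair in h.group(1).split("-->")]
            s["waiting_in"] = next((st for st in states if "_WAIT_" in st), None)
    return peers

def stalled_after_proposal(facts, min_duplicates=2):
    """True when a proposal matched but the peer kept resending and a WAIT state was logged."""
    return (facts["proposal_accepted"] and facts["duplicate_p1"] >= min_duplicates
            and facts["waiting_in"] is not None)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Run over the full debug capture, this separates a Phase 1 proposal mismatch (no "acceptable" line) from an exchange that matched a policy and then stopped progressing.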