It has been several years since I last set up a site-to-site tunnel. I have been trying to set one up today and I must be missing something.
Here is the config for the site-to-site tunnel on the remote ASA -
! NAT exemption: traffic between the local LAN and the data center subnets must enter the tunnel untranslated
access-list nonat extended permit ip 172.16.1.0 255.255.255.0 10.34.155.0 255.255.255.0
access-list nonat extended permit ip 172.16.1.0 255.255.255.0 10.34.150.0 255.255.255.0
! Crypto ACL ("interesting traffic"); the data center side needs the mirror image of these entries
access-list 100 extended permit ip 172.16.1.0 255.255.255.0 10.34.155.0 255.255.255.0
access-list 100 extended permit ip 172.16.1.0 255.255.255.0 10.34.150.0 255.255.255.0
! PAT everything else to the outside interface address; nat 0 exempts the VPN subnets from translation
global (outside) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 0.0.0.0 0.0.0.0
! Static crypto map entry pointing at the data center peer
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
! IKEv1 phase 1; the policy 10 parameters (encryption, hash, authentication pre-share, group, lifetime) must match the peer
crypto isakmp enable outside
crypto isakmp policy 10
! L2L tunnel group keyed by the peer address; the pre-shared-key under ipsec-attributes must match the data center
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
When I do a debug crypto isakmp 7 and debug crypto ipsec 7, I am seeing this in the debug output -
Mar 05 14:09:04 [IKEv1]: IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping
Mar 05 14:09:04 [IKEv1]: IP = x.x.x.x, Information Exchange processing failed
Mar 05 14:09:12 [IKEv1 DEBUG]: IP = x.x.x.x, IKE MM Initiator FSM error history (struct &0xc960fce8) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent-->MM_SND_MSG3, EV_SND_MSG-->MM_SND_MSG3, EV_START_TMR-->MM_SND_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent
I have re-entered the pre-shared key and still get this message. I think I am missing something else but am not having much luck in identifying the problem. I looked at my notes and am not having a lot of luck in this area.
The problem may be at the datacenter end. I am trying to set this up where the remote site this config is for will be DHCP assigned and the datacenter will be static. It is probably something simple.
Based on the configuration attached, everything seems to be properly configured on this site. The most common issue could be related to the pre-shared key, as you mentioned. First of all, we need to make sure that both pre-shared keys match exactly. Please verify whether you have the crypto isakmp identity set to hostname, auto or ip address; you can see that information with the command show run all isakmp. Please try to get the configuration and debugs from the remote site simultaneously.

Do you know if the peer is passing through a NAT device, or is it directly connected to the Internet? If the remote site is passing through a NAT device, this ASA should have NAT traversal enabled (crypto isakmp nat-traversal); you can check that with the command show run all isakmp. Also, it would be good to set up some captures on the outside interface from peer to peer and see what ports they are using for phase 1 negotiation. Remember that, with or without NAT Traversal, the first 4 packets (MM1 - MM4) will always use UDP 500. However, if there is a NAT device in between, NAT-T will be negotiated and the rest of the negotiation will use UDP 4500 (the remaining phase 1 messages MM5/MM6 (PSK) and also phase 2, in order to encapsulate ESP packets in UDP 4500).
Note: NAT-T lets IPsec peers establish a connection through a NAT device. It does this by encapsulating IPsec traffic in UDP datagrams, using port 4500, thereby providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPsec traffic when necessary.
Please get as much information as you can in order to help you further with this issue.
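The verification and capture steps suggested in the reply above, written out as an added example (this is not part of the original reply). The interface name outside and the capture names ike, natt and esp are assumptions; x.x.x.x stands for the peer address as elsewhere in the thread:

```cisco
! Effective ISAKMP settings, including defaults that "show run" hides (identity, nat-traversal)
show run all isakmp
! IKE main mode on UDP 500 between this ASA and the peer
capture ike interface outside match udp any host x.x.x.x eq 500
! NAT-T: MM5/MM6, quick mode and UDP-encapsulated ESP once a NAT device is detected
capture natt interface outside match udp any host x.x.x.x eq 4500
! Raw ESP, in case NAT-T is not negotiated
capture esp interface outside match esp any host x.x.x.x
! Trigger the tunnel (send interesting traffic), then inspect what went out and what came back
show capture ike
show capture natt
show capture esp
! Phase 1 and phase 2 state for this peer
show crypto isakmp sa
show crypto ipsec sa peer x.x.x.x
! Remove the captures when done; they stay active until cleared
no capture ike
no capture natt
no capture esp
```

In the debug above the initiator timed out in MM_WAIT_MSG4, i.e. after sending MM3 on UDP 500, so the ike capture shows whether MM4 ever arrived from the peer or whether the only reply was the unencrypted INVALID_COOKIE notify.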
The ASA I am connected to at the Datacenter is already handling AnyConnect client connections and I am adding the site-to-site tunnel configuration. I have included some of the configuration that is required for the AnyConnect connections since there might be some overlap with that.
Here are all the config lines that I am currently using to establish the connections on the Datacenter ASA -
On the configuration attached for the Data Center I can see that you are trying to use the DefaultL2LGroup tunnel group, which means that the remote site of the VPN tunnel will have a dynamic IP address. If that's the case, we do not need to specify any peer on the crypto map, since we do not know the IP address where the client will be coming from. Phase 1 and 2 parameters will be offered by the remote site and then we will match those parameters with the ones configured on the DataCenter ASA. Also, you are missing the dynamic crypto map.
Below you will find an example to configure the dynamic crypto map:
crypto dynamic-map dynmap 655 set transform-set esp-3des
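A fuller version of that dynamic-peer configuration for the data center ASA, added here as an example and not taken from the thread. The names outside_map, dynmap, the transform set esp-3des, the ACL name nonat_l2l, the sequence numbers and the interface name outside are assumptions; the pre-shared key is a placeholder and must be the same string configured under tunnel-group x.x.x.x ipsec-attributes on the remote site. The subnets are the ones from the remote site's ACLs above, mirrored:

```cisco
! Phase 1: the policy the remote site offers must match one of these exactly
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! Needed if the DHCP-assigned remote site sits behind a NAT device (verify with show run all isakmp)
crypto isakmp nat-traversal 20
! Phase 2 proposal; must match the remote side's transform set "myset"
crypto ipsec transform-set esp-3des esp-3des esp-sha-hmac
! Dynamic crypto map: no "set peer", because the remote address is not known in advance
crypto dynamic-map dynmap 655 set transform-set esp-3des
! Attach the dynamic map to the interface crypto map with the highest sequence number,
! so entries with a known peer are evaluated first; only one crypto map can be bound per interface
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
! Peers that match no address-based tunnel group land in DefaultL2LGroup
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <SAME-KEY-AS-REMOTE-SITE>
! NAT exemption for the data center subnets toward the remote LAN (same pre-8.3 syntax as the remote site)
access-list nonat_l2l extended permit ip 10.34.155.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat_l2l extended permit ip 10.34.150.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list nonat_l2l
```

If a crypto map is already applied to outside for the AnyConnect clients, add the dynamic entry to that existing map rather than creating a second one, since an interface takes a single crypto map. With a dynamic peer only the remote site can bring the tunnel up; the data center has no address to initiate to, so interesting traffic must first be generated from the 172.16.1.0/24 side.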