Can't get remote tunnel to establish

ronald.nutter
Level 1

It has been several years since I last set up a site-to-site tunnel. I have been trying to set one up today and I must be missing something.

Here is the config for the site to site tunnel on the remote ASA -

access-list nonat extended permit ip 172.16.1.0 255.255.255.0 10.34.155.0 255.255.255.0
access-list nonat extended permit ip 172.16.1.0 255.255.255.0 10.34.150.0 255.255.255.0
access-list 100 extended permit ip 172.16.1.0 255.255.255.0 10.34.155.0 255.255.255.0
access-list 100 extended permit ip 172.16.1.0 255.255.255.0 10.34.150.0 255.255.255.0
!
global (outside) 1 interface
nat (Inside) 0 access-list nonat
nat (Inside) 1 0.0.0.0 0.0.0.0
!
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer x.x.x.x
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****
!

When I run debug crypto isakmp 7 and debug crypto ipsec 7, I am seeing this in the debug output -

Mar 05 14:09:04 [IKEv1]: IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping
Mar 05 14:09:04 [IKEv1]: IP = x.x.x.x, Information Exchange processing failed
Mar 05 14:09:12 [IKEv1 DEBUG]: IP = x.x.x.x, IKE MM Initiator FSM error history (struct &0xc960fce8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent-->MM_SND_MSG3, EV_SND_MSG-->MM_SND_MSG3, EV_START_TMR-->MM_SND_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent

I have re-entered the pre-shared key and still get this message. I think I am missing something else, but I am not having much luck identifying the problem. I looked at my notes and am not having a lot of luck in this area either.

The problem may be at the datacenter end. I am trying to set this up so that the remote site this config is for will be DHCP assigned and the datacenter will be static. It is probably something simple.

Would appreciate any suggestions.
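The "FSM error history" line in the debug output above is the most useful thing in it, but it is printed newest-first and on one line, which makes it hard to read. The following is an added example, not code from the original post: a small Python parser that takes the three debug lines quoted above (embedded here as constructed sample input, with the same x.x.x.x placeholder) and reports which main-mode message the ASA was waiting for when it gave up. The newest-first ordering is inferred from the quoted line itself (the sequence only makes sense read backwards); the mapping of MM1/MM2 to policy negotiation, MM3/MM4 to the key exchange, and MM5/MM6 to identities and authentication is standard IKEv1 main mode.

```python
import re
from collections import Counter

# Constructed sample: the three "debug crypto isakmp 7" lines from the post above.
SAMPLE_DEBUG = """\
Mar 05 14:09:04 [IKEv1]: IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping
Mar 05 14:09:04 [IKEv1]: IP = x.x.x.x, Information Exchange processing failed
Mar 05 14:09:12 [IKEv1 DEBUG]: IP = x.x.x.x, IKE MM Initiator FSM error history (struct &0xc960fce8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent-->MM_SND_MSG3, EV_SND_MSG-->MM_SND_MSG3, EV_START_TMR-->MM_SND_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent
"""

HISTORY_RE = re.compile(
    r"IKE (?P<mode>\w+) (?P<role>\w+) FSM error history.*?<state>, <event>:\s*(?P<hist>.+)$")
WAIT_RE = re.compile(r"^MM_WAIT_MSG(\d)$")


def parse_fsm_history(line):
    """Return (mode, role, [(state, event), ...]) for one FSM error history line.

    The ASA prints the history newest-first (assumption drawn from the quoted
    line); the list is reversed so it reads in the order events happened."""
    m = HISTORY_RE.search(line)
    if not m:
        return None
    steps = []
    for chunk in m.group("hist").split("-->"):
        state, _, event = chunk.strip().partition(", ")
        steps.append((state, event))
    steps.reverse()
    return m.group("mode"), m.group("role"), steps


def summarize_ike_debug(text):
    """Walk the debug output and record where phase 1 stalled."""
    summary = {"invalid_cookie_notifies": 0, "transitions": [], "role": None,
               "stalled_in": None, "waiting_for_message": None,
               "timeouts": 0, "resends": 0}
    for line in text.splitlines():
        if "INVALID_COOKIE" in line:
            summary["invalid_cookie_notifies"] += 1
        parsed = parse_fsm_history(line)
        if parsed is None:
            continue
        _, role, steps = parsed
        summary["role"] = role
        summary["transitions"] = steps
        events = Counter(ev for _, ev in steps)
        summary["timeouts"] = events["EV_TIMEOUT"]
        summary["resends"] = events["EV_RESEND_MSG"]
        # The last MM_WAIT_MSGn state before EV_ERROR is the message that never arrived.
        for state, _ in reversed(steps):
            w = WAIT_RE.match(state)
            if w:
                summary["stalled_in"] = state
                summary["waiting_for_message"] = int(w.group(1))
                break
    return summary


def explain(summary):
    """One-line reading of the summary in main-mode terms."""
    n = summary["waiting_for_message"]
    if n is None:
        return "No main-mode FSM error history found."
    # MM1/MM2: policy negotiation; MM3/MM4: nonce + DH key exchange;
    # MM5/MM6: identities and authentication (where the PSK is actually checked).
    stage = ("policy negotiation" if n <= 2 else
             "key exchange" if n <= 4 else "identity/authentication")
    return (f"{summary['role']} sent main-mode message {n - 1} and never received "
            f"message {n} ({stage}); {summary['timeouts']} timeouts, "
            f"{summary['resends']} resends, "
            f"{summary['invalid_cookie_notifies']} INVALID_COOKIE notifies.")


if __name__ == "__main__":
    s = summarize_ike_debug(SAMPLE_DEBUG)
    for state, event in s["transitions"]:
        print(f"{state:14s} {event}")
    print(explain(s))
```

On the sample above the stall is in MM_WAIT_MSG4, i.e. the initiator sent message 3 and the key-exchange reply never came back, which tells you the negotiation died before the peers ever reached the authenticated messages (MM5/MM6).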

5 Replies

laramire2
Level 1

Hello Ronald,

Based on the configuration attached, everything seems to be properly configured on this site. The most common issue could be related to the pre-shared key, as you mentioned. First of all, we need to make sure that both pre-shared keys match exactly. Please verify whether you have the crypto isakmp identity enabled using hostname, auto or ip address; you can see that information with the command show run all isakmp. Please try to get the configuration and debugs from the remote site simultaneously. Do you know if the peer is passing through a NAT device or is it directly connected to the Internet? If the remote site is passing through a NAT device, this ASA should have NAT traversal enabled (crypto isakmp nat-traversal); you can check that with the command show run all isakmp. Also, it would be good to set up some captures on the outside from peer to peer and see what ports they are using for phase 1 negotiation. Remember that, with or without NAT Traversal, the first 4 packets (MM1 - MM4) will always use UDP 500. However, if there is a NAT device in between, NAT-T will be negotiated and the rest of the negotiation will use UDP 4500 (the remaining phase 1 MM5\MM6 (PSK) and also phase 2, in order to encapsulate ESP packets into UDP 4500).

Note: NAT-T lets IPsec peers establish a connection through a NAT device. It does this by encapsulating IPsec traffic in UDP datagrams, using port 4500, thereby providing NAT devices with port information. NAT-T auto-detects any NAT devices, and only encapsulates IPsec traffic when necessary.

Please get as much information as you can so we can help you further with this issue.

Luis.

Based especially on this message

IP = x.x.x.x, Received an un-encrypted INVALID_COOKIE notify message, dropping

I am wondering if the problem is something on the other end. Can you give us some detail about what is configured on the other end?

HTH

Rick

Luis:

The ASA I am connected to at the datacenter is already handling AnyConnect client connections and I am adding the site-to-site tunnel configuration on top of it. I have included some of the configuration that is required for the AnyConnect connections since there might be some overlap with that.

Here are all the config lines that I am currently using to establish the connections on the Datacenter ASA -

crypto isakmp identity address
crypto isakmp enable Outside1
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
!
crypto ipsec transform-set esp-3des esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set transform-set esp-3des
crypto map outside_map interface Outside1
!
access-list 100 extended permit ip 10.34.150.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 100 extended permit ip 10.34.155.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 10.34.150.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat extended permit ip 10.34.155.0 255.255.255.0 172.16.1.0 255.255.255.0
!
webvpn
 enable Outside1
 anyconnect-essentials
 svc image disk0:/anyconnect-win-3.1.04059-k9.pkg 1
 svc image disk0:/anyconnect-macosx-i386-3.1.04059-k9.pkg 2
 svc enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

Here is the sh run all isakmp from the ASA (5510) at the datacenter -

crypto isakmp identity address
crypto isakmp enable Outside1
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

Here is the same command from the remote ASA (5505) -

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

Both ASAs are directly attached to the Internet. I have re-entered the pre-shared key.

After I entered the identity address command, I am now getting phase 1 to complete but it never establishes phase 2 and then the whole connection is torn down.

Ron

Hello Ronald,

Thanks for the information!

On the configuration attached for the Data Center I can see that you are trying to use the DefaultL2LGroup tunnel group, which means that the remote site of the VPN tunnel will have a dynamic IP address. If that's the case, we do not need to specify any peer on the crypto map, since we do not know the IP address the client will be coming from. Phase 1 and 2 parameters will be offered by the remote site and then we will match those parameters with the ones configured on the DataCenter ASA. Also, you are missing the dynamic crypto map.

Below you will find an example to configure the dynamic crypto map:

crypto dynamic-map dynmap 655 set transform-set esp-3des
crypto map outside_map 655 ipsec-isakmp dynamic dynmap

You should be able to remove the commands applied previously:

no crypto map outside_map 20 match address 100
no crypto map outside_map 20 set transform-set esp-3des

Now, if both peers have static IP addresses, you would need the following configuration on the DataCenter:

crypto map outside_map 20 match address 100
crypto map outside_map 20 set transform-set esp-3des
crypto map outside_map 20 set peer x.x.x.x (remote peer IP address)
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *****

AnyConnect should not cause any problems.

Hope this helps you out,

Luis.
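The two things Luis's reply turns on (a static crypto map entry with no peer on a box that is expecting a dynamic peer via DefaultL2LGroup, and phase 1 parameters on both sides that have to agree) are both checkable from the text of the configs, as are the mirror-image crypto ACLs Ron posted earlier. The following is an added example, not code from the thread or from Cisco: a Python linter that parses the relevant lines of an ASA config and runs those three checks. The sample configs are constructed from the two ASAs in this thread; the datacenter address 203.0.113.10 (a documentation-range address standing in for x.x.x.x) and the "as posted" versus "as corrected" split are assumptions of this example.

```python
# Constructed from the remote 5505 and datacenter 5510 configs in this thread.
# 203.0.113.10 is an assumed placeholder for the datacenter's public address.
REMOTE_ASA = """\
access-list 100 extended permit ip 172.16.1.0 255.255.255.0 10.34.155.0 255.255.255.0
access-list 100 extended permit ip 172.16.1.0 255.255.255.0 10.34.150.0 255.255.255.0
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer 203.0.113.10
crypto map outside_map 20 set transform-set myset
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key *****
"""
DC_AS_POSTED = """\
access-list 100 extended permit ip 10.34.150.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list 100 extended permit ip 10.34.155.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *****
crypto map outside_map 20 match address 100
crypto map outside_map 20 set transform-set esp-3des
"""
# The same box after Luis's fix: static entry 20 removed, a dynamic map bound instead.
DC_CORRECTED = DC_AS_POSTED.replace(
    "crypto map outside_map 20 match address 100\n"
    "crypto map outside_map 20 set transform-set esp-3des\n",
    "crypto dynamic-map dynmap 655 set transform-set esp-3des\n"
    "crypto map outside_map 655 ipsec-isakmp dynamic dynmap\n")


def parse_config(text):
    """Pull out the pieces that decide whether an L2L tunnel can come up."""
    cfg = {"acls": {}, "maps": {}, "dynamic_maps": set(),
           "tunnel_groups": set(), "default_l2l": False, "policies": {}}
    policy = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if line.startswith(" ") and policy is not None:  # isakmp policy sub-command
            cfg["policies"][policy][t[0]] = t[1]
            continue
        policy = None
        if t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            cfg["acls"].setdefault(t[1], set()).add(tuple(t[5:9]))  # src mask dst mask
        elif t[:3] == ["crypto", "isakmp", "policy"]:
            policy = t[3]
            cfg["policies"][policy] = {}
        elif t[:2] == ["crypto", "map"] and len(t) >= 7 and t[3].isdigit():
            entry = cfg["maps"].setdefault((t[2], t[3]), {})
            if t[4] == "match":
                entry["acl"] = t[6]
            elif t[4] == "set":
                entry[t[5]] = t[6]  # peer, transform-set, ...
            elif t[4:6] == ["ipsec-isakmp", "dynamic"]:
                entry["dynamic"] = t[6]
        elif t[:2] == ["crypto", "dynamic-map"]:
            cfg["dynamic_maps"].add(t[2])
        elif t[0] == "tunnel-group":
            if t[1] == "DefaultL2LGroup":
                cfg["default_l2l"] = True
            elif t[2:4] == ["type", "ipsec-l2l"]:
                cfg["tunnel_groups"].add(t[1])
    return cfg


def check_crypto_maps(cfg):
    """Static entries need 'set peer' plus an ipsec-l2l tunnel-group for that peer;
    a box expecting dynamic peers (DefaultL2LGroup) needs a bound dynamic map."""
    out = []
    for (name, seq), e in sorted(cfg["maps"].items()):
        if "dynamic" in e:
            if e["dynamic"] not in cfg["dynamic_maps"]:
                out.append(f"crypto map {name} {seq}: dynamic map {e['dynamic']} is not defined")
        elif "peer" not in e:
            out.append(f"crypto map {name} {seq}: static entry with no 'set peer'")
        elif e["peer"] not in cfg["tunnel_groups"]:
            out.append(f"crypto map {name} {seq}: no 'tunnel-group {e['peer']} type ipsec-l2l'")
    if cfg["default_l2l"] and not any("dynamic" in e for e in cfg["maps"].values()):
        out.append("DefaultL2LGroup present but no crypto map entry binds a dynamic map")
    return out


def matching_isakmp_policies(a, b):
    """Phase 1 needs one policy on each side agreeing on these four values."""
    keys = ("authentication", "encryption", "hash", "group")
    sig = lambda p: tuple(p.get(k) for k in keys)
    return sorted({sig(p) for p in a["policies"].values()} &
                  {sig(p) for p in b["policies"].values()})


def check_acl_mirror(a, acl_a, b, acl_b):
    """Crypto ACLs must mirror each other: A's src->dst must be B's dst->src."""
    flip = lambda acl: {(d, dm, s, sm) for (s, sm, d, dm) in acl}
    la, lb = a["acls"].get(acl_a, set()), b["acls"].get(acl_b, set())
    return ([f"{acl_b} lacks mirror of {x}" for x in sorted(flip(la) - lb)] +
            [f"{acl_a} lacks mirror of {x}" for x in sorted(flip(lb) - la)])


if __name__ == "__main__":
    remote, posted, fixed = map(parse_config, (REMOTE_ASA, DC_AS_POSTED, DC_CORRECTED))
    print("DC as posted :", check_crypto_maps(posted) or "ok")
    print("DC corrected :", check_crypto_maps(fixed) or "ok")
    print("remote       :", check_crypto_maps(remote) or "ok")
    print("phase 1 match:", matching_isakmp_policies(remote, posted))
    print("crypto ACLs  :", check_acl_mirror(remote, "100", posted, "100") or "mirrored")
```

Run against the datacenter config as posted, the linter reports exactly the two gaps Luis describes (a static entry 20 with no peer, and DefaultL2LGroup with no dynamic map bound); after the suggested change it reports nothing, the single isakmp policy on each side matches on pre-share/3des/sha/group 2, and ACL 100 on the two boxes mirrors correctly, which narrows the remaining phase 2 failure Ron saw to something outside these lines (for instance the transform set or the NAT exemption).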
