08-11-2009 02:01 AM
Hi, I'm trying to configure a site-to-site VPN between a Cisco ASA 5505 and Openswan. It seems that the configurations are OK, but after phase 2 succeeds the tunnel goes down... Here is the debug log. Any suggestions will be appreciated!
Aug 11 11:58:26 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, PHASE 1 COMPLETED
Aug 11 11:58:26 [IKEv1]: IP = 192.168.0.67, Keep-alive type for this connection: DPD
Aug 11 11:58:26 [IKEv1 DEBUG]: Group = 192.168.0.67, IP = 192.168.0.67, Starting P1 rekey timer: 2700 seconds.
Aug 11 11:58:32 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.132.0, Mask 255.255.255.0, Protocol 0, Port 0
Aug 11 11:58:32 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, Received local IP Proxy Subnet data in ID Payload: Address 192.168.70.0, Mask 255.255.255.0, Protocol 0, Port 0
Aug 11 11:58:32 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, QM IsRekeyed old sa not found by addr
Aug 11 11:58:32 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, Static Crypto Map check, checking map = IPsec_map, seq = 1...
Aug 11 11:58:32 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, Static Crypto Map check, map IPsec_map, seq = 1 is a successful match
Aug 11 11:58:32 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, IKE Remote Peer configured for crypto map: IPsec_map
Aug 11 11:58:32 [IKEv1 DEBUG]: Group = 192.168.0.67, IP = 192.168.0.67, processing IPSec SA payload
Aug 11 11:58:32 [IKEv1 DEBUG]: Group = 192.168.0.67, IP = 192.168.0.67, IPSec SA Proposal # 0, Transform # 0 acceptable Matches global IPSec SA entry # 1
Aug 11 11:58:32 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, IKE: requesting SPI!
Aug 11 11:58:32 [IKEv1 DEBUG]: Group = 192.168.0.67, IP = 192.168.0.67, Transmitting Proxy Id:
Remote subnet: 192.168.132.0 Mask 255.255.255.0 Protocol 0 Port 0
Local subnet: 192.168.70.0 mask 255.255.255.0 Protocol 0 Port 0
Aug 11 11:58:37 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, Security negotiation complete for LAN-to-LAN Group (192.168.0.67) Responder, Inbound SPI = 0xa4313201, Outbound SPI = 0x71309508
Aug 11 11:58:37 [IKEv1 DEBUG]: Group = 192.168.0.67, IP = 192.168.0.67, Starting P2 rekey timer: 27355 seconds.
Aug 11 11:58:37 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, PHASE 2 COMPLETED (msgid=f63e5a21)
Aug 11 11:58:43 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Aug 11 11:58:43 [IKEv1 DEBUG]: Group = 192.168.0.67, IP = 192.168.0.67, IKE Deleting SA: Remote Proxy 192.168.132.0, Local Proxy 192.168.70.0
Aug 11 11:58:43 [IKEv1]: Ignoring msg to mark SA with dsID 208896 dead because SA deleted
Aug 11 11:58:45 [IKEv1]: IP = 192.168.0.67, Received encrypted packet with no matching SA, dropping
Aug 11 11:58:50 [IKEv1]: IP = 192.168.0.67, Received encrypted packet with no matching SA, dropping
08-11-2009 08:04 AM
It looks like the ASA is dropping the connection because it is not getting a "Dead Peer Detection" (DPD) response from the Linux box. My feeling is that the Linux box simply does not use DPD.
I would try disabling DPD on the ASA. The following URL has been very helpful to me in diagnosing VPN problems. I hope it is of help to you.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
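A small triage script for the pattern diagnosed above, added here as an example (it is not from the thread or from Cisco): it parses ASA IKEv1 log lines and flags a DPD teardown that happens seconds after Phase 2 while the peer is still sending encrypted packets, which is the "peer alive but not answering DPD" signature. The sample log is constructed after the posted output, and the line format the regex assumes is taken from it.

```python
import re
from datetime import datetime

# Constructed sample modelled on the ASA IKEv1 debug in the thread; not a real capture.
SAMPLE_LOG = """\
Aug 11 11:58:26 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, PHASE 1 COMPLETED
Aug 11 11:58:26 [IKEv1]: IP = 192.168.0.67, Keep-alive type for this connection: DPD
Aug 11 11:58:37 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, PHASE 2 COMPLETED (msgid=f63e5a21)
Aug 11 11:58:43 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Aug 11 11:58:45 [IKEv1]: IP = 192.168.0.67, Received encrypted packet with no matching SA, dropping
Aug 11 11:58:50 [IKEv1]: IP = 192.168.0.67, Received encrypted packet with no matching SA, dropping
"""

# Assumed line shape (from the posted log): timestamp, [IKEv1] or [IKEv1 DEBUG],
# an optional "Group = x, " prefix, the peer IP, then the message text.
LINE_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \[IKEv1(?: DEBUG)?\]: "
    r"(?:Group = [^,]+, )?IP = ([^,]+), (.*)$"
)

def analyze(log_text):
    """Per peer: keepalive type, seconds from PHASE 2 COMPLETED to the DPD
    teardown, and how many encrypted packets arrived after the SA was deleted."""
    peers = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or continuation line (e.g. Proxy Id detail)
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        peer, msg = m.group(2), m.group(3)
        st = peers.setdefault(peer, {"keepalive": None, "phase2_at": None,
                                     "dpd_teardown_after": None, "orphan_esp": 0})
        if msg.startswith("Keep-alive type for this connection:"):
            st["keepalive"] = msg.rsplit(":", 1)[1].strip()
        elif msg.startswith("PHASE 2 COMPLETED"):
            st["phase2_at"], st["orphan_esp"] = ts, 0
        elif msg.startswith("IKE lost contact with remote peer") and st["phase2_at"]:
            st["dpd_teardown_after"] = (ts - st["phase2_at"]).total_seconds()
        elif msg.startswith("Received encrypted packet with no matching SA"):
            st["orphan_esp"] += 1  # peer still thinks the tunnel is up
    return peers

def verdict(st):
    """'dpd_mismatch' when DPD tore the SA down within a minute of Phase 2 and the
    peer kept sending traffic: the crypto settings matched, DPD did not."""
    if (st["keepalive"] == "DPD" and st["dpd_teardown_after"] is not None
            and st["dpd_teardown_after"] < 60 and st["orphan_esp"] > 0):
        return "dpd_mismatch"
    return "ok"
```

Run it over `SAMPLE_LOG` and the peer 192.168.0.67 comes back as `dpd_mismatch` with a 6-second teardown, which points at the DPD setting rather than the crypto map or transform sets.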
08-12-2009 02:02 AM
Thanks a lot for the useful link, I'll try that way.