IKE Trouble with Peer to Peer VPN

t-andrews
Level 1

Got an interesting one here.  We have three flavors of Cradlepoint router.  The early 1200, the 1200b and the 1400.  I am setting up peer to peer VPNs.  The Cradlepoints sit in a school bus and connect to the ASA in our district office.

The ASA 5510 is running ASA version 7.2(1) and ASDM version 5.2(1).

The following is the relevant config on the ASA:
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.2.0.37 255.255.0.0
!
interface Management0/0
 shutdown
 nameif Management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map vpnterm_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map vpnterm_map 20 ipsec-isakmp dynamic vpnterm_dyn_map
crypto map vpnterm_map interface inside
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
no vpn-addr-assign aaa

We have a global address on our main ASA and a static translation to the 10.2.0.37 address. 

This configuration works perfectly with both the 1200b and the 1400.

However, on the older 1200 I see the following on the ASA when the Cradlepoint tries to establish a connection (repeated several times over):

4 Aug 22 2013 14:59:32 713903    Group = DefaultL2LGroup, IP = 75.234.224.136, Freeing previously allocated memory for authorization-dn-attributes
5 Aug 22 2013 14:59:30 713092    Group = DefaultL2LGroup, IP = 75.234.224.136, Failure during phase 1 rekeying attempt due to collision
3 Aug 22 2013 14:59:32 713902    Group = DefaultL2LGroup, IP = 75.234.224.136, Removing peer from peer table failed, no match!
4 Aug 22 2013 14:59:32 713903    Group = DefaultL2LGroup, IP = 75.234.224.136, Error: Unable to remove PeerTblEntry
4 Aug 22 2013 14:59:24 713903    Group = DefaultL2LGroup, IP = 75.234.224.136, Information Exchange processing failed

At the Cradlepoint end I see a couple of related errors:

[INFO] Tue Jan 10 11:29:00 2012 IKE: Sending ISAKMP delete notification to peer 209.191.213.135.
[INFO] Tue Jan 10 11:29:00 2012 IKE: Initiating INFO exchange with peer 209.191.213.135.
[INFO] Tue Jan 10 11:29:00 2012 IKE: Sending INVALID_ID_INFORMATION notification to peer 209.191.213.135.
[INFO] Tue Jan 10 11:29:00 2012 IKE: peer 209.191.213.135 - exchange receive error INVALID_ID_INFORMATION.
[INFO] Tue Jan 10 11:29:00 2012 IKE: Phase 1 negotiation complete with peer 209.191.213.135 (84): fail.
[INFO] Tue Jan 10 11:28:59 2012 IKE: Initiating ID_PROTECT exchange with peer 209.191.213.135.
[INFO] Tue Jan 10 11:28:59 2012 IPSEC: Initiating new session to peer 209.191.213.135 for tunnel ISD31VPN.


It seems that the Cradlepoint isn't getting a response that it likes from the ASA... just can't quite figure out what that response is or how to correct it.  The DH group, the key lifetime, etc. all match the other two models.  The pre-shared key is right.  There is a setting on the Cradlepoint ipsec policy setup to provide a "Remote Identity".  This is blank (as it is on the other two models that work fine).  I'm not sure if this is where the problem is or some other setting.

Baffled.  
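An added triage helper (my own example, not code from this post, Cisco or Cradlepoint) that parses the two log formats quoted above, counts ASA message IDs and ISAKMP notifications per peer, and flags each peer whose phase 1 ended in failure. The sample lines are the ones quoted in the post; the hint text for INVALID_ID_INFORMATION is an assumption about that notification's general ISAKMP meaning, not a diagnosis of this case.

```python
import re
from collections import Counter, defaultdict
# Sample input: log lines quoted in the post (ASA syslog first, then the Cradlepoint IKE log).
ASA_SAMPLE = """\
3 Aug 22 2013 14:59:32 713902    Group = DefaultL2LGroup, IP = 75.234.224.136, Removing peer from peer table failed, no match!
4 Aug 22 2013 14:59:32 713903    Group = DefaultL2LGroup, IP = 75.234.224.136, Error: Unable to remove PeerTblEntry
4 Aug 22 2013 14:59:24 713903    Group = DefaultL2LGroup, IP = 75.234.224.136, Information Exchange processing failed
"""
CP_SAMPLE = """\
[INFO] Tue Jan 10 11:29:00 2012 IKE: Sending ISAKMP delete notification to peer 209.191.213.135.
[INFO] Tue Jan 10 11:29:00 2012 IKE: Sending INVALID_ID_INFORMATION notification to peer 209.191.213.135.
[INFO] Tue Jan 10 11:29:00 2012 IKE: peer 209.191.213.135 - exchange receive error INVALID_ID_INFORMATION.
[INFO] Tue Jan 10 11:29:00 2012 IKE: Phase 1 negotiation complete with peer 209.191.213.135 (84): fail.
"""
IP = r"\d+(?:\.\d+){3}"
ASA_RE = re.compile(r"^\d\s+\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d\s+(?P<msgid>\d{6})\s+"
                    r"Group = [^,]+, IP = (?P<ip>" + IP + r"), (?P<text>.*)$")
CP_RE = re.compile(r"^\[\w+\] .+? \d{4} IKE: (?P<text>.*peer (?P<ip>" + IP + r").*)$")
NOTIFY_RE = re.compile(r"Sending ([A-Z_]+) notification|receive error ([A-Z_]+)")
# Hint text is an assumption about the notification's general ISAKMP meaning, not a diagnosis.
HINTS = {"INVALID_ID_INFORMATION": "peer rejected the identification payload; compare the identity "
         "each side sends/expects (ASA 'crypto isakmp identity', Cradlepoint 'Remote Identity')"}
def parse_asa(lines):
    """Count ASA syslog message IDs per remote peer address."""
    per_peer = defaultdict(Counter)
    for line in lines:
        m = ASA_RE.match(line.strip())
        if m:
            per_peer[m["ip"]][m["msgid"]] += 1
    return dict(per_peer)

def parse_cradlepoint(lines):
    """Per peer: notifications sent/received and whether phase 1 was logged as failed."""
    per_peer = defaultdict(lambda: {"notifies": Counter(), "phase1_failed": False})
    for line in lines:
        m = CP_RE.match(line.strip())
        if not m:
            continue
        entry = per_peer[m["ip"]]
        for sent, received in NOTIFY_RE.findall(m["text"]):
            entry["notifies"]["sent:" + sent if sent else "recv:" + received] += 1
        if "Phase 1 negotiation complete" in m["text"] and m["text"].rstrip(".").endswith("fail"):
            entry["phase1_failed"] = True
    return dict(per_peer)

def triage(cp_report):
    """One hint per notification name for each peer whose phase 1 failed."""
    return {ip: [HINTS.get(n, "unhandled notification " + n) for n in sorted({k.split(":", 1)[1] for k in e["notifies"]})]
            for ip, e in cp_report.items() if e["phase1_failed"]}
```

Run `parse_asa(ASA_SAMPLE.splitlines())` and `triage(parse_cradlepoint(CP_SAMPLE.splitlines()))` against your own exported logs to see which notification each side is exchanging before the phase 1 failure.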

1 Reply

t-andrews
Level 1

Just to add a bit more, here is the setup on the Cradlepoint:
