Got an interesting one here. We have three flavors of Cradlepoint router: the early 1200, the 1200b and the 1400. I am setting up peer to peer VPNs. The Cradlepoints sit in a school bus and connect to the ASA in our district office.
The ASA 5510 is running ASA version 7.2(1) and ASDM version 5.2(1).
The following is the relevant config on the ASA:

!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.2.0.37 255.255.0.0
!
interface Management0/0
 shutdown
 nameif Management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
We have a global address on our main ASA and a static translation to the 10.2.0.37 address.
This configuration works perfectly with both the 1200b and the 1400.
However, on the older 1200 I see the following on the ASA when the Cradlepoint tries to establish a connection (repeated several times over):
4 Aug 22 2013 14:59:32 713903 Group = DefaultL2LGroup, IP = 18.104.22.168, Freeing previously allocated memory for authorization-dn-attributes
5 Aug 22 2013 14:59:30 713092 Group = DefaultL2LGroup, IP = 22.214.171.124, Failure during phase 1 rekeying attempt due to collision
3 Aug 22 2013 14:59:32 713902 Group = DefaultL2LGroup, IP = 126.96.36.199, Removing peer from peer table failed, no match!
4 Aug 22 2013 14:59:32 713903 Group = DefaultL2LGroup, IP = 188.8.131.52, Error: Unable to remove PeerTblEntry
4 Aug 22 2013 14:59:24 713903 Group = DefaultL2LGroup, IP = 184.108.40.206, Information Exchange processing failed
At the Cradlepoint end I see a couple of related errors:
[INFO] Tue Jan 10 11:29:00 2012 IKE: Sending ISAKMP delete notification to peer 220.127.116.11.
[INFO] Tue Jan 10 11:29:00 2012 IKE: Initiating INFO exchange with peer 18.104.22.168.
[INFO] Tue Jan 10 11:29:00 2012 IKE: Sending INVALID_ID_INFORMATION notification to peer 22.214.171.124.
[INFO] Tue Jan 10 11:29:00 2012 IKE: peer 126.96.36.199 - exchange receive error INVALID_ID_INFORMATION.
[INFO] Tue Jan 10 11:29:00 2012 IKE: Phase 1 negotiation complete with peer 188.8.131.52 (84): fail.
[INFO] Tue Jan 10 11:28:59 2012 IKE: Initiating ID_PROTECT exchange with peer 184.108.40.206.
[INFO] Tue Jan 10 11:28:59 2012 IPSEC: Initiating new session to peer 220.127.116.11 for tunnel ISD31VPN.
It seems that the Cradlepoint isn't getting a response that it likes from the ASA... just can't quite figure out what that response is or how to correct it. The DH group, the key lifetime, etc. all match the other two models. The pre-shared key is right. There is a setting on the Cradlepoint IPsec policy setup to provide a "Remote Identity". This is blank (as it is on the other two models that work fine). I'm not sure if this is where the problem is or some other setting.
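As an added triage example (not the poster's, Cisco's or Cradlepoint's code): a small Python helper that parses the two log formats quoted above, groups the ASA message ids per peer, and reports which peers the Cradlepoint side saw fail Phase 1 along with the ISAKMP notify it received. The sample lines and peer addresses below are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the two formats quoted in the post; addresses are
# RFC 5737 documentation placeholders, not the poster's real peers.
ASA_LOG = """\
4 Aug 22 2013 14:59:24 713903 Group = DefaultL2LGroup, IP = 203.0.113.10, Information Exchange processing failed
5 Aug 22 2013 14:59:30 713092 Group = DefaultL2LGroup, IP = 203.0.113.10, Failure during phase 1 rekeying attempt due to collision
3 Aug 22 2013 14:59:32 713902 Group = DefaultL2LGroup, IP = 203.0.113.10, Removing peer from peer table failed, no match!
"""
CP_LOG = """\
[INFO] Tue Jan 10 11:28:59 2012 IPSEC: Initiating new session to peer 198.51.100.1 for tunnel ISD31VPN.
[INFO] Tue Jan 10 11:28:59 2012 IKE: Initiating ID_PROTECT exchange with peer 198.51.100.1.
[INFO] Tue Jan 10 11:29:00 2012 IKE: Phase 1 negotiation complete with peer 198.51.100.1 (84): fail.
[INFO] Tue Jan 10 11:29:00 2012 IKE: peer 198.51.100.1 - exchange receive error INVALID_ID_INFORMATION.
"""

# ASA syslog line: <severity> <timestamp> <6-digit message id> Group = ..., IP = ..., <text>
ASA_RE = re.compile(r"^(?P<sev>\d) (?P<ts>\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d) (?P<msgid>\d{6}) "
                    r"Group = (?P<group>[^,]+), IP = (?P<ip>\d+(?:\.\d+){3}), (?P<text>.*)$")
# Cradlepoint line: [LEVEL] <timestamp> <subsystem>: <text>, with the peer named inside the text
CP_RE = re.compile(r"^\[(?P<level>\w+)\] (?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
                   r"(?P<subsys>\w+): (?P<text>.*?peer (?P<ip>\d+(?:\.\d+){3}).*)$")

def parse(log, pattern):
    """Return one dict per line that matches pattern; lines that do not match are skipped."""
    return [m.groupdict() for m in map(pattern.match, log.splitlines()) if m]

def asa_msgids_by_peer(events):
    """Map each peer IP to the sorted list of distinct ASA message ids it produced."""
    by_peer = defaultdict(set)
    for e in events:
        by_peer[e["ip"]].add(e["msgid"])
    return {ip: sorted(ids) for ip, ids in by_peer.items()}

def phase1_failures(events):
    """Peers whose IKE Phase 1 failed, mapped to the ISAKMP notify (if any) received in the run.
    INVALID_ID_INFORMATION (RFC 2408 notify type 18) means the responder rejected the identity
    payload, so the ID-related settings are the first thing to compare between the peers."""
    failed, notify = set(), {}
    for e in events:
        if e["subsys"] != "IKE":
            continue
        if "Phase 1 negotiation complete" in e["text"] and e["text"].rstrip(".").endswith("fail"):
            failed.add(e["ip"])
        m = re.search(r"exchange receive error (\w+)", e["text"])
        if m:
            notify[e["ip"]] = m.group(1)
    return {ip: notify.get(ip) for ip in failed}
```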