Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

IPSec ASA-1841

Hi all,

I am trying to create a site-to-site IPSec tunnel between ASA 5510 and 1841. The ASA has already one with another remote site that it works. Below is the relevant configuration

1841
====
crypto isakmp policy 13
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key <KEY> address <ASA TRUE IP>
!
!
crypto ipsec transform-set TEST_SET esp-3des esp-md5-hmac
!
crypto map TEST_MAP 13 ipsec-isakmp
set peer <ASA TRUE IP>
set transform-set TEST_SET
match address 113
!
interface FastEthernet0/0
ip address 10.3.3.100 255.255.255.0
ip nat inside
!
interface Dialer1
ip nat outside
crypto map TEST_MAP
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.0.0 255.0.0.0 <ASA TRUE IP>
!
access-list 110 deny   ip 10.3.3.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 110 permit ip 10.3.3.0 0.0.0.255 any
access-list 113 permit ip 10.3.3.0 0.0.0.255 10.0.0.0 0.255.255.255
!
route-map nonat permit 10
match ip address 110

ASA

====

access-list IPSec_LIST extended permit <WORKING TUNNEL> <WORKING TUNNEL>

access-list IPSec_LIST extended permit ip 10.0.0.0 255.0.0.0 10.3.3.0 255.255.255.0

!

nat (inside,outside) source static <INTERNAL NETWORKS> <INTERNAL NETWORKS> destination static <1841 LAN> <1841 LAN>

!

crypto ipsec ikev1 transform-set IPSec_SET esp-3des esp-md5-hmac

!

crypto map IPSec_MAP 11 match address IPSec_LIST

crypto map IPSec_MAP 11 set peer <WORKING TUNNEL>

crypto map IPSec_MAP 11 set ikev1 transform-set IPSec_SET

crypto map IPSec_MAP 13 match address IPSec_LIST

crypto map IPSec_MAP 13 set peer <1841 TRUE IP>

crypto map IPSec_MAP 13 set ikev1 transform-set IPSec_SET

crypto map IPSec_MAP interface outside

!

crypto isakmp identity address

crypto ikev1 enable outside

!

crypto ikev1 policy 11

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

!

tunnel-group <1841 TRUE IP> type ipsec-l2l

tunnel-group <1841 TRUE IP> ipsec-attributes

ikev1 pre-shared-key <KEY>

On the 1841 I have the following output:

show crypto isakm sa

dst             src             state          conn-id slot status

<ASA TRUE IP>   <1841 TRUE IP>   MM_NO_STATE          4    0 ACTIVE (deleted)

<ASA TRUE IP>   <1841 TRUE IP>   MM_NO_STATE          3    0 ACTIVE (deleted)

I am attaching the output of the debug crypto isakmp and ipsec of the 1841.

Do you have any idea what is wrong with the configuration?

Everyone's tags (5)
12 REPLIES
Hall of Fame Super Silver

Re: IPSec ASA-1841

The problem is in the crypto access list on the ASA. You have entries for both peers in the same access list. For crypto to work correctly on ASA each peer needs its own unique access list.

HTH

Rick

Sent from Cisco Technical Support iPad App

New Member

IPSec ASA-1841

Thank you for your suggestion, I made the change and the tunnel is up. But, it looks like that traffic should be initiated from the site that ASA resides. If I ping from the LAN of 1841 there is no reply. When a ping is made from ASA everything then works. Should I make any other change?

IPSec ASA-1841

Your NAT rule misses one 255. Perhaps you're trying to ping from a natted host:

access-list 110 deny   ip 10.3.3.0 0.0.0.255 10.0.0.0 0.0.255.255

access-list 110 permit ip 10.3.3.0 0.0.0.255 any

Michael

Please rate all helpful posts

Michael Please rate all helpful posts
New Member

IPSec ASA-1841

I believe you are reffering to the first line of my statement of access-list 110. The network that I tried to  ping was on the 10.0.X.X subnet, but I made the change you suggested anyway and it does the same. The traffic should initiate from ASA

Moreover, I did the following changes since I have a couple of issues:

1. The internet should be provided from the HQ, not from the local ADSL.

For this reason I did the following on the 1841:

- remove the nat statements

- change the routing to

      ip route 0.0.0.0 0.0.0.0

      ip route 255.255.255.255 Dialer1

- change the crypto acl to

       access-list 113 permit ip 10.3.3.0 0.0.0.255 any

On the ASA:

- add to the crypto acl the statement

      access-list TEST_LIST extended permit ip any object-group <1841 LAN>

- inserted to a PAT the 1841 LAN

After doing these I have no internet access on tha 1841 LAN and on the ASA I do not see any xlate for that network

2. The LAN of the 1841 should have access to a client that connects to the ASA with AnyConnect with IP 192.168.99.X. Having done the previous changes from (1) and giving now access not only to 10.X.X.X, the client can ping the 1841 LAN, but the host from 1841 cannot ping the AnyConnect client. On the no nat statements of the ASA the client IP is on the of the

nat (inside,outside) source static destination static <1841 LAN> <1841 LAN>

Could anyone provide any hint on these issues as well?

Hall of Fame Super Silver

IPSec ASA-1841

Perhaps if you post current config from both devices we might better identify the issue.

Also can you confirm that the 1841 and the ASA can ping each others peer address?

HTH

Rick

New Member

IPSec ASA-1841

My last config is as follows:

1841
====
crypto isakmp policy 13
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key address
!
crypto ipsec transform-set TEST_SET esp-3des esp-md5-hmac
!
crypto map TEST_MAP 13 ipsec-isakmp
set peer
set transform-set TEST_SET
match address 113
!
interface FastEthernet0/0
ip address 10.3.3.100 255.255.255.0
!
interface Dialer1
crypto map TEST_MAP
!
ip route 0.0.0.0 0.0.0.0
ip route 255.255.255.255 Dialer1
!
access-list 113 permit ip 10.3.3.0 0.0.0.255 any


ASA
===
access-list ATCOM_LIST extended permit
access-list TEST_LIST extended permit ip object-group object-group <1841 LAN>
access-list TEST_LIST extended permit ip any object-group <1841 LAN>
!
nat (inside,outside) source static destination static <1841 LAN> <1841 LAN>
!
crypto ipsec ikev1 transform-set IPSec_SET esp-3des esp-md5-hmac
!
crypto map IPSec_MAP 11 match address ATCOM_LIST
crypto map IPSec_MAP 11 set peer
crypto map IPSec_MAP 11 set ikev1 transform-set IPSec_SET
crypto map IPSec_MAP 13 match address TEST_LIST
crypto map IPSec_MAP 13 set peer <1841 TRUE IP>
crypto map IPSec_MAP 13 set ikev1 transform-set IPSec_SET
crypto map IPSec_MAP interface outside
!
crypto isakmp identity address
crypto ikev1 enable outside
!
crypto ikev1 policy 11
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!
tunnel-group <1841 TRUE IP> type ipsec-l2l
tunnel-group <1841 TRUE IP> ipsec-attributes
ikev1 pre-shared-key

!

!
object-group network obj-PAT-8
network-object 10.3.3.0 255.255.255.0
!
object network obj-
host
!
nat (inside,outside) source dynamic obj-PAT-8 obj-

The devices can ping each peer address. The tunnel is up and working but the traffic should initiate from ASA's side first.

The changes that I made were to have internet access not from the local ADSL of 1841, but from HQ. It does not work and I see no xlates on the ASA for this network.

Moreover, the 1841 LAN should have access to a client that connects to the ASA with AnyConnect. It's IP 192.168.99.X is on the group. Although the remote client can ping the 1841 LAN, the 1841 cannot ping the AnyConnect client

Hall of Fame Super Silver

IPSec ASA-1841

I am slightly confused. You tell us "but the traffic should initiate from ASA's side first." and I am not clear whether this really is a problem or not.

You also tell us "I see no xlates on the ASA for this network" and my response is to ask you whether there are translations configured on the ASA for the traffic from the 1841? You have shown us a static translation to handle not translating LAN to LAN traffic, but what about traffic originating from the 1841 that is going to the Internet? Is there a translation configured for it?

Also I am guessing that for the 1841 traffic to get to the Internet it will require the same-priority permit intra-interface to be configured. Is it configured on the ASA? This would also probably be involved in the issue of accessing the VPN client.

HTH

Rick

New Member

IPSec ASA-1841

Regarding your remarks:

1. The tunnel should be up no matter who initiates the traffic, it should be permited the remote site to make a request

2. For the internet traffic I created to the ASA the PAT-8 that I attached. Moreover, I put the any to the crypto acl and the ip route to the 1841. Do I need to do something else?

3. Could you please explain how to fix the priority? Is it similar with the security-level on the inside/outside interface?

Thank you very much for your time . . .

IPSec ASA-1841

For me the discussion goes in too many directions.

First:

interface Dialer1

crypto map TEST_MAP

!

ip route 0.0.0.0 0.0.0.0

ip route 255.255.255.255 Dialer1

!

access-list 113 permit ip 10.3.3.0 0.0.0.255 any

This is not a normal configuration. Default route should always be the dialer (or learned from ipcp). Since your crypto ACL matches any, it will put any traffic through vpn, thats enough. I have a similiar setup with 80 locations and defalt gateways through tunnel.

Second:

You say ASA won't initiate VPN to 1841, but is there interesting traffc to initiate the vpn? Can you clear the vpn und ping behind the ASA, turn on crypto debugging and post the errors?

Michael

Please rate all helpful posts

Michael Please rate all helpful posts
New Member

IPSec ASA-1841

Regarding the internet traffic, do you refer that the default route should be to the dialer? I changed it to ASA when I removed the nat of 1841 in order to have access from the HQ. I did put again the dialer but there is no access.

Below is the debug crypto isakm/ipsec from1841 when I made a ping from 1841 LAN to ASA LAN. Although the status is

sh crypto isakmp  sa

dst             src             state          conn-id slot status

   <1841 TRUE IP>   QM_IDLE              1    0 ACTIVE

the pc from 1841 cannot ping behind ASA. When from ASA LAN a ping is initiated, the 1841 can ping as well

*Oct 25 08:18:18.852 UTC: IPSEC(recalculate_mtu): reset sadb_root 632FF8C8 mtu to 1492
*Oct 25 08:18:19.252 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= <1841 TRUE IP>, remote= ,
    local_proxy= 10.3.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x57369D4B(1463197003), conn_id= 0, keysize= 0, flags= 0x400A
*Oct 25 08:18:19.252 UTC: ISAKMP: received ke message (1/1)
*Oct 25 08:18:19.252 UTC: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Oct 25 08:18:19.252 UTC: ISAKMP: Created a peer struct for , peer port 500
*Oct 25 08:18:19.252 UTC: ISAKMP: New peer created peer = 0x62A60420 peer_handle = 0x8000013A
*Oct 25 08:18:19.252 UTC: ISAKMP: Locking peer struct 0x62A60420, IKE refcount 1 for isakmp_initiator
*Oct 25 08:18:19.252 UTC: ISAKMP: local port 500, remote port 500
*Oct 25 08:18:19.252 UTC: ISAKMP: set new node 0 to QM_IDLE     
*Oct 25 08:18:19.256 UTC: insert sa successfully sa = 63908C3C
*Oct 25 08:18:19.256 UTC: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Oct 25 08:18:19.256 UTC: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching
*Oct 25 08:18:19.256 UTC: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Oct 25 08:18:19.256 UTC: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Oct 25 08:18:19.256 UTC: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Oct 25 08:18:19.256 UTC: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Oct 25 08:18:19.256 UTC: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

*Oct 25 08:18:19.256 UTC: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Oct 25 08:18:19.256 UTC: ISAKMP:(0:0:N/A:0): sending packet to my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 25 08:18:19.272 UTC: ISAKMP (0:0): received packet from dport 500 sport 500 Global (I) MM_NO_STATE
*Oct 25 08:18:19.272 UTC: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 25 08:18:19.272 UTC: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Oct 25 08:18:19.272 UTC: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Oct 25 08:18:19.272 UTC: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Oct 25 08:18:19.272 UTC: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 157 mismatch
*Oct 25 08:18:19.272 UTC: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v3
*Oct 25 08:18:19.272 UTC: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Oct 25 08:18:19.276 UTC: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
*Oct 25 08:18:19.276 UTC: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching
*Oct 25 08:18:19.276 UTC: ISAKMP:(0:0:N/A:0): local preshared key found
*Oct 25 08:18:19.276 UTC: ISAKMP : Scanning profiles for xauth ...
*Oct 25 08:18:19.276 UTC: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 13 policy
*Oct 25 08:18:19.276 UTC: ISAKMP:      encryption 3DES-CBC
*Oct 25 08:18:19.276 UTC: ISAKMP:      hash MD5
*Oct 25 08:18:19.276 UTC: ISAKMP:      default group 2
*Oct 25 08:18:19.276 UTC: ISAKMP:      auth pre-share
*Oct 25 08:18:19.276 UTC: ISAKMP:      life type in seconds
*Oct 25 08:18:19.276 UTC: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Oct 25 08:18:19.276 UTC: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Oct 25 08:18:19.328 UTC: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 25 08:18:19.328 UTC: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 157 mismatch
*Oct 25 08:18:19.328 UTC: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v3
*Oct 25 08:18:19.328 UTC: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 25 08:18:19.328 UTC: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 194 mismatch
*Oct 25 08:18:19.328 UTC: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 25 08:18:19.328 UTC: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Oct 25 08:18:19.332 UTC: ISAKMP:(0:1:SW:1): sending packet to my_port 500 peer_port 500 (I) MM_SA_SETUP
*Oct 25 08:18:19.332 UTC: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 25 08:18:19.332 UTC: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Oct 25 08:18:19.352 UTC: ISAKMP (0:134217729): received packet from dport 500 sport 500 Global (I) MM_SA_SETUP
*Oct 25 08:18:19.352 UTC: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 25 08:18:19.356 UTC: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Oct 25 08:18:19.356 UTC: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
*Oct 25 08:18:19.420 UTC: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
*Oct 25 08:18:19.420 UTC: ISAKMP:(0:1:SW:1):found peer pre-shared key matching
*Oct 25 08:18:19.420 UTC: ISAKMP:(0:1:SW:1):SKEYID state generated
*Oct 25 08:18:19.424 UTC: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 25 08:18:19.424 UTC: ISAKMP:(0:1:SW:1): vendor ID is Unity
*Oct 25 08:18:19.424 UTC: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 25 08:18:19.424 UTC: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 52 mismatch
*Oct 25 08:18:19.424 UTC: ISAKMP:(0:1:SW:1): vendor ID is XAUTH
*Oct 25 08:18:19.424 UTC: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 25 08:18:19.424 UTC: ISAKMP:(0:1:SW:1): speaking to another IOS box!
*Oct 25 08:18:19.424 UTC: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 25 08:18:19.424 UTC: ISAKMP:(0:1:SW:1):vendor ID seems Unity/DPD but hash mismatch
*Oct 25 08:18:19.424 UTC: ISAKMP:received payload type 20
*Oct 25 08:18:19.424 UTC: ISAKMP:received payload type 20
*Oct 25 08:18:19.424 UTC: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 25 08:18:19.424 UTC: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Oct 25 08:18:19.424 UTC: ISAKMP:(0:1:SW:1):Send initial contact
*Oct 25 08:18:19.424 UTC: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Oct 25 08:18:19.424 UTC: ISAKMP (0:134217729): ID payload
next-payload : 8
type         : 1
address      : <1841 TRUE IP>
protocol     : 17
port         : 500
length       : 12
*Oct 25 08:18:19.424 UTC: ISAKMP:(0:1:SW:1):Total payload length: 12
*Oct 25 08:18:19.428 UTC: ISAKMP:(0:1:SW:1): sending packet to my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Oct 25 08:18:19.428 UTC: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 25 08:18:19.428 UTC: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Oct 25 08:18:19.444 UTC: ISAKMP (0:134217729): received packet from dport 500 sport 500 Global (I) MM_KEY_EXCH
*Oct 25 08:18:19.444 UTC: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
*Oct 25 08:18:19.444 UTC: ISAKMP (0:134217729): ID payload
next-payload : 8
type         : 1
address      :
protocol     : 17
port         : 0
length       : 12
*Oct 25 08:18:19.444 UTC: ISAKMP:(0:1:SW:1):: peer matches *none* of the profiles
*Oct 25 08:18:19.444 UTC: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0
*Oct 25 08:18:19.444 UTC: ISAKMP:received payload type 17
*Oct 25 08:18:19.444 UTC: ISAKMP:(0:1:SW:1): processing vendor id payload
*Oct 25 08:18:19.444 UTC: ISAKMP:(0:1:SW:1): vendor ID is DPD
*Oct 25 08:18:19.444 UTC: ISAKMP:(0:1:SW:1):SA authentication status:
authenticated
*Oct 25 08:18:19.444 UTC: ISAKMP:(0:1:SW:1):SA has been authenticated with
*Oct 25 08:18:19.444 UTC: ISAKMP: Trying to insert a peer <1841 TRUE IP>//500/,  and inserted successfully 62A60420.
*Oct 25 08:18:19.444 UTC: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Oct 25 08:18:19.444 UTC: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Oct 25 08:18:19.444 UTC: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Oct 25 08:18:19.444 UTC: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Oct 25 08:18:19.448 UTC: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Oct 25 08:18:19.448 UTC: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Oct 25 08:18:19.448 UTC: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of 324544372
*Oct 25 08:18:19.448 UTC: ISAKMP:(0:1:SW:1): sending packet to my_port 500 peer_port 500 (I) QM_IDLE     
*Oct 25 08:18:19.448 UTC: ISAKMP:(0:1:SW:1):Node 324544372, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Oct 25 08:18:19.452 UTC: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Oct 25 08:18:19.452 UTC: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Oct 25 08:18:19.452 UTC: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Oct 25 08:18:19.468 UTC: ISAKMP (0:134217729): received packet from dport 500 sport 500 Global (I) QM_IDLE     
*Oct 25 08:18:19.468 UTC: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 324544372
*Oct 25 08:18:19.472 UTC: ISAKMP:(0:1:SW:1): processing SA payload. message ID = 324544372
*Oct 25 08:18:19.472 UTC: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
*Oct 25 08:18:19.472 UTC: ISAKMP: transform 1, ESP_3DES
*Oct 25 08:18:19.472 UTC: ISAKMP:   attributes in transform:
*Oct 25 08:18:19.472 UTC: ISAKMP:      SA life type in seconds
*Oct 25 08:18:19.472 UTC: ISAKMP:      SA life duration (basic) of 3600
*Oct 25 08:18:19.472 UTC: ISAKMP:      SA life type in kilobytes
*Oct 25 08:18:19.472 UTC: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Oct 25 08:18:19.472 UTC: ISAKMP:      encaps is 1 (Tunnel)
*Oct 25 08:18:19.472 UTC: ISAKMP:      authenticator is HMAC-MD5
*Oct 25 08:18:19.472 UTC: ISAKMP:(0:1:SW:1):atts are acceptable.
*Oct 25 08:18:19.472 UTC: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= <1841 TRUE IP>, remote= ,
    local_proxy= 10.3.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Oct 25 08:18:19.472 UTC: Crypto mapdb : proxy_match
src addr     : 10.3.3.0
dst addr     : 0.0.0.0
protocol     : 0
src port     : 0
dst port     : 0
*Oct 25 08:18:19.472 UTC: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 324544372
*Oct 25 08:18:19.472 UTC: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 324544372
*Oct 25 08:18:19.472 UTC: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 324544372
*Oct 25 08:18:19.472 UTC: ISAKMP: Locking peer struct 0x62A60420, IPSEC refcount 1 for for stuff_ke
*Oct 25 08:18:19.472 UTC: ISAKMP:(0:1:SW:1): Creating IPSec SAs
*Oct 25 08:18:19.472 UTC:         inbound SA from to <1841 TRUE IP> (f/i)  0/ 0
        (proxy 0.0.0.0 to 10.3.3.0)
*Oct 25 08:18:19.476 UTC:         has spi 0x57369D4B and conn_id 0 and flags 2
*Oct 25 08:18:19.476 UTC:         lifetime of 3600 seconds
*Oct 25 08:18:19.476 UTC:         lifetime of 4608000 kilobytes
*Oct 25 08:18:19.476 UTC:         has client flags 0x0
*Oct 25 08:18:19.476 UTC:         outbound SA from <1841 TRUE IP> to (f/i) 0/0
        (proxy 10.3.3.0 to 0.0.0.0)
*Oct 25 08:18:19.476 UTC:         has spi 634331303 and conn_id 0 and flags A
*Oct 25 08:18:19.476 UTC:         lifetime of 3600 seconds
*Oct 25 08:18:19.476 UTC:         lifetime of 4608000 kilobytes
*Oct 25 08:18:19.476 UTC:         has client flags 0x0
*Oct 25 08:18:19.476 UTC: ISAKMP:(0:1:SW:1): sending packet to my_port 500 peer_port 500 (I) QM_IDLE     
*Oct 25 08:18:19.476 UTC: ISAKMP:(0:1:SW:1):deleting node 324544372 error FALSE reason "No Error"
*Oct 25 08:18:19.476 UTC: ISAKMP:(0:1:SW:1):Node 324544372, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Oct 25 08:18:19.476 UTC: ISAKMP:(0:1:SW:1):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Oct 25 08:18:19.476 UTC: IPSEC(key_engine): got a queue event with 2 kei messages
*Oct 25 08:18:19.476 UTC: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= <1841 TRUE IP>, remote= ,
    local_proxy= 10.3.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x57369D4B(1463197003), conn_id= 0, keysize= 0, flags= 0x2
*Oct 25 08:18:19.476 UTC: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= <1841 TRUE IP>, remote= ,
    local_proxy= 10.3.3.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-md5-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x25CF20A7(634331303), conn_id= 0, keysize= 0, flags= 0xA
*Oct 25 08:18:19.476 UTC: Crypto mapdb : proxy_match
src addr     : 10.3.3.0
dst addr     : 0.0.0.0
protocol     : 0
src port     : 0
dst port     : 0
*Oct 25 08:18:19.476 UTC: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and
*Oct 25 08:18:19.480 UTC: IPSec: Flow_switching Allocated flow for sibling 8000006D
*Oct 25 08:18:19.480 UTC: IPSEC(policy_db_add_ident): src 10.3.3.0, dest 0.0.0.0, dest_port 0

*Oct 25 08:18:19.480 UTC: ISAKMP: Locking peer struct 0x62A60420, IPSEC refcount 2 for from create_transforms
*Oct 25 08:18:19.480 UTC: IPSEC(create_sa): sa created,
  (sa) sa_dest= <1841 TRUE IP>, sa_proto= 50,
    sa_spi= 0x57369D4B(1463197003),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 3005
*Oct 25 08:18:19.480 UTC: IPSEC(create_sa): sa created,
  (sa) sa_dest= , sa_proto= 50,
    sa_spi= 0x25CF20A7(634331303),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 3001
*Oct 25 08:18:19.480 UTC: ISAKMP: Unlocking IPSEC struct 0x62A60420 from create_transforms, count 1
*Oct 25 08:18:19.836 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
*Oct 25 08:19:09.188 UTC: ISAKMP (0:134217729): received packet from dport 500 sport 500 Global (I) QM_IDLE     
*Oct 25 08:19:09.188 UTC: ISAKMP: set new node -1350296869 to QM_IDLE     
*Oct 25 08:19:09.188 UTC: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = -1350296869
*Oct 25 08:19:09.188 UTC: ISAKMP:(0:1:SW:1): processing SA payload. message ID = -1350296869
*Oct 25 08:19:09.188 UTC: ISAKMP:(0:1:SW:1):Checking IPSec proposal 1
*Oct 25 08:19:09.188 UTC: ISAKMP: transform 1, ESP_3DES
*Oct 25 08:19:09.188 UTC: ISAKMP:   attributes in transform:
*Oct 25 08:19:09.188 UTC: ISAKMP:      SA life type in seconds
*Oct 25 08:19:09.188 UTC: ISAKMP:      SA life duration (basic) of 28800
*Oct 25 08:19:09.188 UTC: ISAKMP:      SA life type in kilobytes
*Oct 25 08:19:09.188 UTC: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Oct 25 08:19:09.188 UTC: ISAKMP:      encaps is 1 (Tunnel)
*Oct 25 08:19:09.188 UTC: ISAKMP:      authenticator is HMAC-MD5
*Oct 25 08:19:09.188 UTC: ISAKMP:(0:1:SW:1):atts are acceptable.

Hall of Fame Super Silver

IPSec ASA-1841

This is the command that I was talking about

same-security-traffic permit intra-interface

depending on your configuration you might also want to try this related command

same-security-traffic permit inter-interface

HTH

Rick

New Member

IPSec ASA-1841

Both commands already exist in the configuration

540
Views
0
Helpful
12
Replies
CreatePlease login to create content