Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

ipSec VPN between 3825 and ASA

I’ve followed the configuration guidelines, but I’m getting some rather strange behavior.  I’m not sure why.

Network looks like this:

10.16.1.1/24 (Loopback 0) = Cisco 3825 =  2.2.2.1 (Gig 0/0) çè2.2.2.2 WAN ROUTER 1.1.1.2çè  1.1.1.1 (outside) ASA 5520  10.17.1.2 (inside)çè 10.17.1.1  Cisco 3725

NAT is configured on ASA. 

The 3725 can ping each device on the public network. 

NAT is not configured on the 3825 (yet).

I am attempting to get the ipSec tunnel up using the outside interfaces on the 3825 and the ASA as the tunnel endpoints.  I followed the configuration guidelines here (http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml#CLI ).  It isn’t working…and I’m not sure why.

I’ve noticed the following when I debug on the router.  The router is complaining about not having a matching pre shared key for 10.17.1.2…but that’s the INSIDE interface on the ASA.  If I add that in, it gets past that, but still won’t come up.  See highlighted below.  I’m attaching the configs, and if any of you guys could help shed some light on this, I’d REALLY be appreciative. 

I'm really not understanding why it's trying to negotiate against the inside interface instead of the outside interface. 

*Mar  8 22:59:56.131: ISAKMP (0:0): received packet from 10.17.1.2 dport 500 sport 1024 Global (N) NEW SA

*Mar  8 22:59:56.131: ISAKMP: Created a peer struct for 10.17.1.2, peer port 1024

*Mar  8 22:59:56.131: ISAKMP: New peer created peer = 0x65310D30 peer_handle = 0x80000016

*Mar  8 22:59:56.131: ISAKMP: Locking peer struct 0x65310D30, refcount 1 for crypto_isakmp_process_block

*Mar  8 22:59:56.131: ISAKMP: local port 500, remote port 1024

*Mar  8 22:59:56.131: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 646B48D0

*Mar  8 22:59:56.131: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

*Mar  8 22:59:56.131: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

*Mar  8 22:59:56.135: ISAKMP:(0): processing SA payload. message ID = 0

*Mar  8 22:59:56.135: ISAKMP:(0): processing vendor id payload

*Mar  8 22:59:56.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

*Mar  8 22:59:56.135: ISAKMP:(0): vendor ID is NAT-T v2

*Mar  8 22:59:56.135: ISAKMP:(0): processing vendor id payload

*Mar  8 22:59:56.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

*Mar  8 22:59:56.135: ISAKMP:(0): vendor ID is NAT-T v3

*Mar  8 22:59:56.135: ISAKMP:(0): processing vendor id payload

*Mar  8 22:59:56.135: ISAKMP:(0): processing IKE frag vendor id payload

*Mar  8 22:59:56.135: ISAKMP:(0):Support for IKE Fragmentation not enabled

*Mar  8 22:59:56.135: ISAKMP:(0):found peer pre-shared key matching 10.17.1.2   (this seems WRONG to me)

*Mar  8 22:59:56.135: ISAKMP:(0): local preshared key found

*Mar  8 22:59:56.135: ISAKMP : Scanning profiles for xauth ...

*Mar  8 22:59:56.135: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy

*Mar  8 22:59:56.135: ISAKMP:      default group 2

*Mar  8 22:59:56.135: ISAKMP:      encryption 3DES-CBC

*Mar  8 22:59:56.135: ISAKMP:      hash MD5

*Mar  8 22:59:56.135: ISAKMP:      auth pre-share

*Mar  8 22:59:56.135: ISAKMP:      life type in seconds

*Mar  8 22:59:56.135: ISAKMP:      life duration (VPI) of  0x0 0x0 0xA8 0xC0

*Mar  8 22:59:56.135: ISAKMP:(0):atts are acceptable. Next payload is 0

*Mar  8 22:59:56.135: ISAKMP:(0):Acceptable atts:actual life: 0

*Mar  8 22:59:56.135: ISAKMP:(0):Acceptable atts:life: 0

*Mar  8 22:59:56.135: ISAKMP:(0):Fill atts in sa vpi_length:4

*Mar  8 22:59:56.135: ISAKMP:(0):Fill atts in sa life_in_seconds:43200

*Mar  8 22:59:56.135: ISAKMP:(0):Returning Actual lifetime: 43200

*Mar  8 22:59:56.135: ISAKMP:(0)::Started lifetime timer: 43200.

*Mar  8 22:59:56.135: ISAKMP:(0): processing vendor id payload

*Mar  8 22:59:56.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch   (not sure what this is)

*Mar  8 22:59:56.135: ISAKMP:(0): vendor ID is NAT-T v2

*Mar  8 22:59:56.135: ISAKMP:(0): processing vendor id payload

*Mar  8 22:59:56.135: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch   (not sure what this is)

*Mar  8 22:59:56.135: ISAKMP:(0): vendor ID is NAT-T v3

*Mar  8 22:59:56.135: ISAKMP:(0): processing vendor id payload

*Mar  8 22:59:56.135: ISAKMP:(0): processing IKE frag vendor id payload

*Mar  8 22:59:56.135: ISAKMP:(0):Support for IKE Fragmentation not enabled

*Mar  8 22:59:56.135: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

*Mar  8 22:59:56.135: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

*Mar  8 22:59:56.135: ISAKMP:(0): constructed NAT-T vendor-03 ID

*Mar  8 22:59:56.135: ISAKMP:(0): sending packet to 10.17.1.2 my_port 500 peer_port 1024 (R) MM_SA_SETUP

*Mar  8 22:59:56.135: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar  8 22:59:56.135: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

*Mar  8 22:59:56.135: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

*Mar  8 23:00:04.131: ISAKMP (0:0): received packet from 10.17.1.2 dport 500 sport 1024 Global (R) MM_SA_SETUP

*Mar  8 23:00:04.131: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

*Mar  8 23:00:04.131: ISAKMP:(0): retransmitting due to retransmit phase 1

*Mar  8 23:00:04.631: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

*Mar  8 23:00:04.631: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

*Mar  8 23:00:04.631: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP

*Mar  8 23:00:04.631: ISAKMP:(0): sending packet to 10.17.1.2 my_port 500 peer_port 1024 (R) MM_SA_SETUP

*Mar  8 23:00:04.631: ISAKMP:(0):Sending an IKE IPv4 Packet.

*Mar  8 23:00:12.131: ISAKMP (0:0): received packet from 10.17.1.2 dport 500 sport 1024 Global (R) MM_SA_SETUP

*Mar  8 23:00:12.131: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.

*Mar  8 23:00:12.131: ISAKMP:(0): retransmitting due to retransmit phase 1

*Mar  8 23:00:12.631: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: ipSec VPN between 3825 and ASA

I don't see the statement on the ASA:  crypto isakmp enable outside

2 REPLIES
Silver

Re: ipSec VPN between 3825 and ASA

I don't see the statement on the ASA:  crypto isakmp enable outside

Re: ipSec VPN between 3825 and ASA

Dude....you rock!!!

6 of us have been looking at this for 12 hours, and no one caught that!  Dropped that command in and it came up immediately!!!    

2915
Views
10
Helpful
2
Replies
CreatePlease to create content