Site to site VPN ASA to Router

Tormod Macleod
Level 1

Hello,

 

I'm trying to learn site to site VPNs. I've got them running between two routers in GNS3 and it works perfectly. The router types are 3745s and the IOS version is c3745-adventerprisek9-mz124-25.bin.

 

When I replace RouterA with an ASA running 8.4(2) I try to configure the VPN as best I can but simply cannot get it to work. I've attached my configs and debug output from the ASA and RouterB is pasted below.

 

I'd be grateful for any assistance with this. Like I say I'm new to site to site VPNs and am having difficulty debugging it.

 

ciscoasa# debug crypto ikev1
ciscoasa# Jul 30 18:02:27 [IKEv1]Group = 1.1.1.2, IP = 1.1.1.2, QM FSM error (P2 struct &0xbc8dfe20, mess id 0x58a70632)!
Jul 30 18:02:27 [IKEv1]Group = 1.1.1.2, IP = 1.1.1.2, Removing peer from correlator table failed, no match!
Jul 30 18:02:27 [IKEv1]Group = 1.1.1.2, IP = 1.1.1.2, Session is being torn down. Reason: crypto map policy not found

 

RouterB#debug crypto isakmp
Crypto ISAKMP debugging is on
RouterB#
*Mar  1 00:00:56.511: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 00:00:56.515: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar  1 00:00:56.515: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar  1 00:00:56.519: ISAKMP:(0:0:N/A:0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
RouterB#
*Mar  1 00:01:06.231: ISAKMP: received ke message (3/1)
*Mar  1 00:01:06.235: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.

*Mar  1 00:01:06.239: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 1.1.1.1)
*Mar  1 00:01:06.259: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 1.1.1.1)
*Mar  1 00:01:06.263: ISAKMP: Unlocking IKE struct 0x65DF15A4 for isadb_mark_sa_deleted(), count 0
*Mar  1 00:01:06.267: ISAKMP: Deleting peer node by peer_reap for 1.1.1.1: 65DF15A4
*Mar  1 00:01:06.271: ISAKMP:(0:0:N/A:0):deleting node 430995755 error FALSE reason "IKE deleted"
RouterB#
*Mar  1 00:01:06.275: ISAKMP:(0:0:N/A:0):deleting node -447824933 error FALSE reason "IKE deleted"
*Mar  1 00:01:06.275: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 00:01:06.279: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

RouterB#ping 1.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
RouterB#ping 1.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
..
*Mar  1 00:01:56.295: ISAKMP:(0:0:N/A:0):purging node 430995755
*Mar  1 00:01:56.299: ISAKMP:(0:0:N/A:0):purging node -447824933...
Success rate is 0 percent (0/5)
RouterB#
*Mar  1 00:02:03.635: ISAKMP: received ke message (1/1)
*Mar  1 00:02:03.639: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Mar  1 00:02:03.639: ISAKMP: Created a peer struct for 1.1.1.1, peer port 500
*Mar  1 00:02:03.643: ISAKMP: New peer created peer = 0x65DF15A4 peer_handle = 0x80000003
*Mar  1 00:02:03.643: ISAKMP: Locking peer struct 0x65DF15A4, IKE refcount 1 for isakmp_initiator
*Mar  1 00:02:03.647: ISAKMP: local port 500, remote port 500
*Mar  1 00:02:03.647: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 00:02:03.651: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 65D35280
*Mar  1 00:02:03.655: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Mar  1 00:02:03.659: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 1.1.1.1
*Mar  1 00:02:03.663: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar  1 00:02:03.667: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar  1 00:02:03.667: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar  1 00:02:03.667: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 00:02:03.667: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

*Mar  1 00:02:03.667: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Mar  1 00:02:03.667: ISAKMP:(0:0:N/A:0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
RouterB#
RouterB#
*Mar  1 00:02:06.275: ISAKMP:(0:0:N/A:0):purging SA., sa=65854E0C, delme=65854E0C
RouterB#
*Mar  1 00:02:13.671: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 00:02:13.675: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  1 00:02:13.675: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar  1 00:02:13.679: ISAKMP:(0:0:N/A:0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:02:13.771: ISAKMP (0:0): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar  1 00:02:13.779: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:02:13.779: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Mar  1 00:02:13.787: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Mar  1 00:02:13.787: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 00:02:13.787: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 00:02:13.791: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Mar  1 00:02:13.791: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 00:02:13.791: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
*Mar  1 00:02:13.791: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 1.1.1.1
*Mar  1 00:02:13.791: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar  1 00:02:13.791: ISAKMP : Scanning profiles for xauth ... test-isakmp-profile
*Mar  1 00:02:13.791: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 200 policy
*Mar  1 00:02:13.791: ISAKMP:      encryption AES-CBC
*Mar  1 00:02:13.791: ISAKMP:      keylength of 128
*Mar  1 00:02:13.791: ISAKMP:      hash SHA
*Mar  1 00:02:13.791: ISAKMP:      default group 2
*Mar  1 00:02:13.791: ISAKMP:      auth pre-share
*Mar  1 00:02:13.791: ISAKMP:      life type in seconds
*Mar  1 00:02:13.791: ISAKMP:      life duration (basic) of 28800
*Mar  1 00:02:13.791: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Mar  1 00:02:13.807: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 00:02:13.807: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 00:02:13.807: ISAKMP:(0:1:SW:1): vendor ID is NAT-T v2
*Mar  1 00:02:13.807: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 00:02:13.807: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 194 mismatch
*Mar  1 00:02:13.807: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:02:13.807: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Mar  1 00:02:13.807: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar  1 00:02:13.811: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:02:13.815: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Mar  1 00:02:13.871: ISAKMP (0:134217729): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar  1 00:02:13.875: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:02:13.879: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Mar  1 00:02:13.887: ISAKMP:(0:1:SW:1): processing KE payload. message ID = 0
*Mar  1 00:02:13.931: ISAKMP:(0:1:SW:1): processing NONCE payload. message ID = 0
*Mar  1 00:02:13.931: ISAKMP:(0:1:SW:1):found peer pre-shared key matching 1.1.1.1
*Mar  1 00:02:13.931: ISAKMP:(0:1:SW:1):SKEYID state generated
*Mar  1 00:02:13.931: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 00:02:13.931: ISAKMP:(0:1:SW:1): vendor ID is Unity
*Mar  1 00:02:13.931: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 00:02:13.931: ISAKMP:(0:1:SW:1): vendor ID seems Unity/DPD but major 95 mismatch
*Mar  1 00:02:13.931: ISAKMP:(0:1:SW:1): vendor ID is XAUTH
*Mar  1 00:02:13.931: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 00:02:13.931: ISAKMP:(0:1:SW:1): speaking to another IOS box!
*Mar  1 00:02:13.931: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 00:02:13.931: ISAKMP:(0:1:SW:1):vendor ID seems Unity/DPD but hash mismatch
*Mar  1 00:02:13.931: ISAKMP:received payload type 20
*Mar  1 00:02:13.931: ISAKMP:received payload type 20
*Mar  1 00:02:13.931: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:02:13.931: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Mar  1 00:02:13.935: ISAKMP:(0:1:SW:1):Send initial contact
*Mar  1 00:02:13.939: ISAKMP:(0:1:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  1 00:02:13.939: ISAKMP (0:134217729): ID payload
        next-payload : 8
        type         : 1
        address      : 1.1.1.2
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 00:02:13.939: ISAKMP:(0:1:SW:1):Total payload length: 12
*Mar  1 00:02:13.939: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 00:02:13.939: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:02:13.939: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Mar  1 00:02:13.963: ISAKMP (0:134217729): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar  1 00:02:13.971: ISAKMP:(0:1:SW:1): processing ID payload. message ID = 0
*Mar  1 00:02:13.971: ISAKMP (0:134217729): ID payload
        next-payload : 8
        type         : 1
        address      : 1.1.1.1
        protocol     : 17
        port         : 0
        length       : 12
*Mar  1 00:02:13.979: ISAKMP:(0:1:SW:1):: peer matches test-isakmp-profile profile
*Mar  1 00:02:13.979: ISAKMP:(0:1:SW:1):Found ADDRESS key in keyring test-keyring
*Mar  1 00:02:13.979: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 0
*Mar  1 00:02:13.979: ISAKMP:received payload type 17
*Mar  1 00:02:13.979: ISAKMP:(0:1:SW:1): processing keep alive: proposal=32767/32767 sec., actual=10/10 sec.
*Mar  1 00:02:13.979: ISAKMP:(0:1:SW:1): processing vendor id payload
*Mar  1 00:02:13.979: ISAKMP:(0:1:SW:1): vendor ID is DPD
*Mar  1 00:02:13.983: ISAKMP:(0:1:SW:1):SA authentication status:
        authenticated
*Mar  1 00:02:13.983: ISAKMP:(0:1:SW:1):SA has been authenticated with 1.1.1.1
*Mar  1 00:02:13.983: ISAKMP:(0:1:SW:1):IKE_DPD is enabled, initializing timers
*Mar  1 00:02:13.983: ISAKMP: Trying to insert a peer 1.1.1.2/1.1.1.1/500/,  and inserted successfully 65DF15A4.
*Mar  1 00:02:13.983: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:02:13.987: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Mar  1 00:02:13.999: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:02:13.999: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Mar  1 00:02:13.999: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:02:14.003: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Mar  1 00:02:14.003: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of -803037057
*Mar  1 00:02:14.023: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 00:02:14.023: ISAKMP:(0:1:SW:1):Node -803037057, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  1 00:02:14.027: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 00:02:14.027: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  1 00:02:14.027: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  1 00:02:14.043: ISAKMP (0:134217729): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
*Mar  1 00:02:14.047: ISAKMP: set new node 353123304 to QM_IDLE
*Mar  1 00:02:14.059: ISAKMP:(0:1:SW:1): processing HASH payload. message ID = 353123304
*Mar  1 00:02:14.063: ISAKMP:(0:1:SW:1): processing NOTIFY INVALID_ID_INFO protocol 1
        spi 0, message ID = 353123304, sa = 65D35280
*Mar  1 00:02:14.063: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.

*Mar  1 00:02:14.063: ISAKMP:(0:1:SW:1):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 1.1.1.1)
*Mar  1 00:02:14.063: ISAKMP:(0:1:SW:1):deleting node 353123304 error FALSE reason "Informational (in) state 1"
*Mar  1 00:02:14.063: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  1 00:02:14.063: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  1 00:02:14.063: ISAKMP (0:134217729): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
*Mar  1 00:02:14.063: ISAKMP: set new node -481166658 to QM_IDLE
*Mar  1 00:02:14.063: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 00:02:14.067: ISAKMP:(0:1:SW:1):purging node -481166658
*Mar  1 00:02:14.071: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 00:02:14.071: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Mar  1 00:02:14.083: ISAKMP:(0:1:SW:1):deleting SA reason "No reason" state (I) QM_IDLE       (peer 1.1.1.1)
*Mar  1 00:02:14.083: ISAKMP:(0:0:N/A:0):Can't decrement IKE Call Admisstion Control stat outgoing_active since it's already 0.
*Mar  1 00:02:14.083: ISAKMP: Unlocking IKE struct 0x65DF15A4 for isadb_mark_sa_deleted(), count 0
*Mar  1 00:02:14.087: ISAKMP: Deleting peer node by peer_reap for 1.1.1.1: 65DF15A4
*Mar  1 00:02:14.087: ISAKMP:(0:1:SW:1):deleting node -803037057 error FALSE reason "IKE deleted"
*Mar  1 00:02:14.087: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:02:14.087: ISAKMP:(0:1:SW:1):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

RouterB#
RouterB#
*Mar  1 00:02:33.631: ISAKMP: received ke message (1/1)
*Mar  1 00:02:33.635: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Mar  1 00:02:33.639: ISAKMP: Created a peer struct for 1.1.1.1, peer port 500
*Mar  1 00:02:33.639: ISAKMP: New peer created peer = 0x65DF15A4 peer_handle = 0x80000004
*Mar  1 00:02:33.643: ISAKMP: Locking peer struct 0x65DF15A4, IKE refcount 1 for isakmp_initiator
*Mar  1 00:02:33.643: ISAKMP: local port 500, remote port 500
*Mar  1 00:02:33.643: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 00:02:33.647: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6506709C
*Mar  1 00:02:33.647: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Mar  1 00:02:33.651: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 1.1.1.1
*Mar  1 00:02:33.651: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar  1 00:02:33.651: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar  1 00:02:33.651: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar  1 00:02:33.651: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 00:02:33.651: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1

*Mar  1 00:02:33.651: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Mar  1 00:02:33.651: ISAKMP:(0:0:N/A:0): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 00:02:33.671: ISAKMP (0:0): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar  1 00:02:33.679: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:02:33.679: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Mar  1 00:02:33.687: ISAKMP:(0:0:N/A:0): processing SA payload. message ID = 0
*Mar  1 00:02:33.691: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 00:02:33.691: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 00:02:33.695: ISAKMP:(0:0:N/A:0): vendor ID is NAT-T v2
*Mar  1 00:02:33.695: ISAKMP:(0:0:N/A:0): processing vendor id payload
*Mar  1 00:02:33.695: ISAKMP:(0:0:N/A:0): vendor ID seems Unity/DPD but major 194 mismatch
*Mar  1 00:02:33.695: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 1.1.1.1
*Mar  1 00:02:33.699: ISAKMP:(0:0:N/A:0): local preshared key found
*Mar  1 00:02:33.699: ISAKMP : Scanning profiles for xauth ... test-isakmp-profile
*Mar  1 00:02:33.699: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 200 policy
*Mar  1 00:02:33.699: ISAKMP:      encryption AES-CBC
*Mar  1 00:02:33.699: ISAKMP:      keylength of 128
*Mar  1 00:02:33.699: ISAKMP:      hash SHA
*Mar  1 00:02:33.699: ISAKMP:      default group 2
*Mar  1 00:02:33.699: ISAKMP:      auth pre-share
*Mar  1 00:02:33.699: ISAKMP:      life type in seconds
*Mar  1 00:02:33.699: ISAKMP:      life duration (basic) of 28800
*Mar  1 00:02:33.699: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
*Mar  1 00:02:33.711: ISAKMP:(0:2:SW:1): processing vendor id payload
*Mar  1 00:02:33.711: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  1 00:02:33.711: ISAKMP:(0:2:SW:1): vendor ID is NAT-T v2
*Mar  1 00:02:33.711: ISAKMP:(0:2:SW:1): processing vendor id payload
*Mar  1 00:02:33.711: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 194 mismatch
*Mar  1 00:02:33.711: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:02:33.715: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Mar  1 00:02:33.715: ISAKMP:(0:2:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar  1 00:02:33.715: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:02:33.719: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Mar  1 00:02:33.775: ISAKMP (0:134217730): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar  1 00:02:33.779: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:02:33.783: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Mar  1 00:02:33.791: ISAKMP:(0:2:SW:1): processing KE payload. message ID = 0
*Mar  1 00:02:33.811: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID = 0
*Mar  1 00:02:33.811: ISAKMP:(0:2:SW:1):found peer pre-shared key matching 1.1.1.1
*Mar  1 00:02:33.811: ISAKMP:(0:2:SW:1):SKEYID state generated
*Mar  1 00:02:33.811: ISAKMP:(0:2:SW:1): processing vendor id payload
*Mar  1 00:02:33.811: ISAKMP:(0:2:SW:1): vendor ID is Unity
*Mar  1 00:02:33.811: ISAKMP:(0:2:SW:1): processing vendor id payload
*Mar  1 00:02:33.811: ISAKMP:(0:2:SW:1): vendor ID seems Unity/DPD but major 119 mismatch
*Mar  1 00:02:33.811: ISAKMP:(0:2:SW:1): vendor ID is XAUTH
*Mar  1 00:02:33.811: ISAKMP:(0:2:SW:1): processing vendor id payload
*Mar  1 00:02:33.811: ISAKMP:(0:2:SW:1): speaking to another IOS box!
*Mar  1 00:02:33.811: ISAKMP:(0:2:SW:1): processing vendor id payload
*Mar  1 00:02:33.811: ISAKMP:(0:2:SW:1):vendor ID seems Unity/DPD but hash mismatch
*Mar  1 00:02:33.811: ISAKMP:received payload type 20
*Mar  1 00:02:33.811: ISAKMP:received payload type 20
*Mar  1 00:02:33.811: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:02:33.811: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Mar  1 00:02:33.815: ISAKMP:(0:2:SW:1):Send initial contact
*Mar  1 00:02:33.815: ISAKMP:(0:2:SW:1):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  1 00:02:33.819: ISAKMP (0:134217730): ID payload
        next-payload : 8
        type         : 1
        address      : 1.1.1.2
        protocol     : 17
        port         : 500
        length       : 12
*Mar  1 00:02:33.819: ISAKMP:(0:2:SW:1):Total payload length: 12
*Mar  1 00:02:33.827: ISAKMP:(0:2:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  1 00:02:33.831: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:02:33.831: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Mar  1 00:02:33.843: ISAKMP (0:134217730): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar  1 00:02:33.851: ISAKMP:(0:2:SW:1): processing ID payload. message ID = 0
*Mar  1 00:02:33.855: ISAKMP (0:134217730): ID payload
        next-payload : 8
        type         : 1
        address      : 1.1.1.1
        protocol     : 17
        port         : 0
        length       : 12
*Mar  1 00:02:33.855: ISAKMP:(0:2:SW:1):: peer matches test-isakmp-profile profile
*Mar  1 00:02:33.855: ISAKMP:(0:2:SW:1):Found ADDRESS key in keyring test-keyring
*Mar  1 00:02:33.855: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 0
*Mar  1 00:02:33.859: ISAKMP:received payload type 17
*Mar  1 00:02:33.859: ISAKMP:(0:2:SW:1): processing keep alive: proposal=32767/32767 sec., actual=10/10 sec.
*Mar  1 00:02:33.859: ISAKMP:(0:2:SW:1): processing vendor id payload
*Mar  1 00:02:33.859: ISAKMP:(0:2:SW:1): vendor ID is DPD
*Mar  1 00:02:33.859: ISAKMP:(0:2:SW:1):SA authentication status:
        authenticated
*Mar  1 00:02:33.859: ISAKMP:(0:2:SW:1):SA has been authenticated with 1.1.1.1
*Mar  1 00:02:33.859: ISAKMP:(0:2:SW:1):IKE_DPD is enabled, initializing timers
*Mar  1 00:02:33.859: ISAKMP: Trying to insert a peer 1.1.1.2/1.1.1.1/500/,  and inserted successfully 65DF15A4.
*Mar  1 00:02:33.859: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:02:33.859: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Mar  1 00:02:33.863: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  1 00:02:33.863: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Mar  1 00:02:33.863: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  1 00:02:33.863: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Mar  1 00:02:33.867: ISAKMP:(0:2:SW:1):beginning Quick Mode exchange, M-ID of 1487341106
*Mar  1 00:02:33.879: ISAKMP:(0:2:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 00:02:33.883: ISAKMP:(0:2:SW:1):Node 1487341106, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  1 00:02:33.883: ISAKMP:(0:2:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 00:02:33.887: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  1 00:02:33.887: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  1 00:02:33.907: ISAKMP (0:134217730): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
*Mar  1 00:02:33.911: ISAKMP: set new node 887174867 to QM_IDLE
*Mar  1 00:02:33.919: ISAKMP:(0:2:SW:1): processing HASH payload. message ID = 887174867
*Mar  1 00:02:33.923: ISAKMP:(0:2:SW:1): processing NOTIFY INVALID_ID_INFO protocol 1
        spi 0, message ID = 887174867, sa = 6506709C
*Mar  1 00:02:33.927: ISAKMP:(0:2:SW:1):peer does not do paranoid keepalives.

*Mar  1 00:02:33.927: ISAKMP:(0:2:SW:1):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 1.1.1.1)
*Mar  1 00:02:33.927: ISAKMP:(0:2:SW:1):deleting node 887174867 error FALSE reason "Informational (in) state 1"
*Mar  1 00:02:33.927: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar  1 00:02:33.927: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  1 00:02:33.927: ISAKMP (0:134217730): received packet from 1.1.1.1 dport 500 sport 500 Global (I) QM_IDLE
*Mar  1 00:02:33.927: ISAKMP: set new node -1034921962 to QM_IDLE
*Mar  1 00:02:33.931: ISAKMP:(0:2:SW:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) QM_IDLE
*Mar  1 00:02:33.931: ISAKMP:(0:2:SW:1):purging node -1034921962
*Mar  1 00:02:33.935: ISAKMP:(0:2:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 00:02:33.939: ISAKMP:(0:2:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Mar  1 00:02:33.947: ISAKMP:(0:2:SW:1):deleting SA reason "No reason" state (I) QM_IDLE       (peer 1.1.1.1)
*Mar  1 00:02:33.947: ISAKMP:(0:0:N/A:0):Can't decrement IKE Call Admisstion Control stat outgoing_active since it's already 0.
*Mar  1 00:02:33.947: ISAKMP: Unlocking IKE struct 0x65DF15A4 for isadb_mark_sa_deleted(), count 0
*Mar  1 00:02:33.947: ISAKMP: Deleting peer node by peer_reap for 1.1.1.1: 65DF15A4
*Mar  1 00:02:33.951: ISAKMP:(0:2:SW:1):deleting node 1487341106 error FALSE reason "IKE deleted"
*Mar  1 00:02:33.951: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:02:33.951: ISAKMP:(0:2:SW:1):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

RouterB#
RouterB#

 

1 Reply 1

Jouni Forss
VIP Alumni

Hi,

 

Can't say I have configured VPNs with Cisco Routers that often. We mostly use ASAs even for L2L VPN Connections. I do configure some VPNs on Cisco ASR routers.

 

It seems to me that you have configured a Tunnel interface on the Router that is forming the connection with the ASA. I would presume that this is a GRE/IPsec connection between the routers. The thing is though that the ASA does not support configuring GRE Tunnel interfaces.

 

Also just taking into account the ASA L2L VPN configuration it seems to lack the "crypto map <map name> <seq> match address <acl name>" configuration which would tell it what traffic to tunnel. It needs to know the local and remote networks between which the traffic is tunneled.

 

You could refer to this document to configure an L2L VPN between a Cisco Router and Cisco ASA:

http://www.cisco.com/c/en/us/support/docs/routers/3800-series-integrated-services-routers/110198-sdm-vpn-asa-router-config.html

 

Hope this helps

 

- Jouni
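
An added example, not part of the original thread and not Cisco tooling: a small Python triage script run over debug lines quoted in the question. It shows that Phase 1 (Main Mode) completes and the negotiation stalls in Quick Mode with INVALID_ID_INFO, while the ASA tears the session down with "crypto map policy not found". The function names and the `IKE_QM_PHASE2_COMPLETE` success state are assumptions that do not appear in the post.

```python
import re

# Constructed sample input: a few lines taken from the RouterB and ASA debugs in the post.
ROUTER_DEBUG = """\
*Mar  1 00:02:13.779: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Mar  1 00:02:13.983: ISAKMP:(0:1:SW:1):SA has been authenticated with 1.1.1.1
*Mar  1 00:02:14.003: ISAKMP:(0:1:SW:1):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
*Mar  1 00:02:14.003: ISAKMP:(0:1:SW:1):beginning Quick Mode exchange, M-ID of -803037057
*Mar  1 00:02:14.027: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  1 00:02:14.063: ISAKMP:(0:1:SW:1): processing NOTIFY INVALID_ID_INFO protocol 1
*Mar  1 00:02:14.063: ISAKMP:(0:1:SW:1):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE       (peer 1.1.1.1)
*Mar  1 00:02:14.071: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""
ASA_DEBUG = """\
Jul 30 18:02:27 [IKEv1]Group = 1.1.1.2, IP = 1.1.1.2, QM FSM error (P2 struct &0xbc8dfe20, mess id 0x58a70632)!
Jul 30 18:02:27 [IKEv1]Group = 1.1.1.2, IP = 1.1.1.2, Session is being torn down. Reason: crypto map policy not found
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\S+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')
ASA_REASON_RE = re.compile(r"IP = ([\d.]+), Session is being torn down\. Reason: (.+)")


def triage_ios(debug_text):
    """Walk IOS 'debug crypto isakmp' output and report how far IKEv1 got."""
    r = {"phase1_complete": False, "quick_mode_started": False,
         "phase2_complete": False, "notifies": [], "delete_reasons": []}
    for line in debug_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            new_state = m.group(2)
            if new_state == "IKE_P1_COMPLETE":
                r["phase1_complete"] = True
            elif new_state == "IKE_QM_PHASE2_COMPLETE":
                # Assumed success state; it never appears in the failing debug above.
                r["phase2_complete"] = True
            elif new_state.startswith("IKE_QM_"):
                r["quick_mode_started"] = True
        m = NOTIFY_RE.search(line)
        if m and m.group(1) not in r["notifies"]:
            r["notifies"].append(m.group(1))
        m = DELETE_RE.search(line)
        if m and m.group(1) not in r["delete_reasons"]:
            r["delete_reasons"].append(m.group(1))
    # Where the negotiation stopped: None means the IPsec SA came up.
    if r["phase2_complete"]:
        r["stalled_at"] = None
    elif r["phase1_complete"]:
        r["stalled_at"] = "phase2"
    else:
        r["stalled_at"] = "phase1"
    return r


def asa_teardown_reasons(debug_text):
    """Map peer IP -> teardown reason from ASA 'debug crypto ikev1' output."""
    return {m.group(1): m.group(2).strip()
            for m in ASA_REASON_RE.finditer(debug_text)}


if __name__ == "__main__":
    ios = triage_ios(ROUTER_DEBUG)
    print("stalled at:", ios["stalled_at"])
    print("peer notifies:", ios["notifies"])
    print("ASA reasons:", asa_teardown_reasons(ASA_DEBUG))
```

A stall at Phase 2 after a successful Phase 1 rules out the pre-shared key and ISAKMP policy, which leaves the Phase 2 settings, including the missing crypto map `match address` line that the reply points out.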
