I'm trying to set up a Site-to-Site VPN between an ASA and a 1941 router. The VPN configuration on the ASA seems to be ok because it works without problems with a 1841 router with IOS 12.4 at the other site. The same VPN configuration on the new 1941 router with IOS 15.0(1)M1 doesn't work. It seems that the access-list for the crypto map is the problem. The router never starts the VPN connection. When the ASA tries to establish the VPN, the debug log of the router shows:
*May 5 14:37:52.263: ISAKMP:(1007):Checking IPSec proposal 1
*May 5 14:37:52.263: ISAKMP: transform 1, ESP_3DES
*May 5 14:37:52.263: ISAKMP: attributes in transform:
*May 5 14:37:52.263: ISAKMP: SA life type in seconds
*May 5 14:37:52.263: ISAKMP: SA life duration (basic) of 28800
*May 5 14:37:52.263: ISAKMP: SA life type in kilobytes
*May 5 14:37:52.263: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*May 5 14:37:52.263: ISAKMP: encaps is 1 (Tunnel)
*May 5 14:37:52.263: ISAKMP: authenticator is HMAC-SHA
*May 5 14:37:52.263: ISAKMP: group is 2
*May 5 14:37:52.263: ISAKMP:(1007):atts are acceptable.
*May 5 14:37:52.263: ISAKMP:(1007): IPSec policy invalidated proposal with error 32
*May 5 14:37:52.263: ISAKMP:(1007): phase 2 SA policy not acceptable! (local ... remote ...)
The configuration of the router:
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco1941
!
no aaa new-model
!
no ipv6 cef
no ip source-route
ip cef
!
ip domain name xyz.de
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-....
!
crypto pki certificate chain TP-self-signed-....
 quit
license udi pid CISCO1941/K9 sn ....
!
username xyz privilege 15 secret 5 $1$....
!
redundancy
!
crypto logging session
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ...... address 126.96.36.199
crypto isakmp invalid-spi-recovery
!
crypto ipsec transform-set tsAsa esp-3des esp-sha-hmac
!
crypto map asa 10 ipsec-isakmp
 set peer 188.8.131.52
 set transform-set tsAsa
 set pfs group2
 match address 100
!
interface GigabitEthernet0/0
 description *** inside ***
 ip address 10.100.100.1 255.255.255.0
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/1
 ip address 184.108.40.206 255.255.255.240
 ip access-group 111 in
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 crypto map asa
!
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
!
ip forward-protocol nd
!
ip route 0.0.0.0 0.0.0.0 220.127.116.11
!
access-list 100 permit ip 10.100.100.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 permit esp host 18.104.22.168 host 22.214.171.124
access-list 111 permit udp host 126.96.36.199 host 188.8.131.52 eq isakmp
access-list 111 permit ahp host 184.108.40.206 host 220.127.116.11
access-list 111 deny ip any any log
The route to the ASA is the default route (sorry, mistake in the masking of the real IP addresses). The router can ping the ASA and the router can answer the VPN initiated from the ASA, but cannot finish phase 2.
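The debug above says the proposal's attributes were accepted ("atts are acceptable") before the phase 2 policy was rejected, which is why the crypto ACL is the natural next thing to check: a crypto map expects the two peers' crypto ACLs to be exact mirror images (source and destination swapped). The following Python script is an added example, not code from the post or from Cisco; it parses the ISAKMP debug lines into a proposal summary and then checks two crypto ACLs for mirroring. The router ACL is the one on the page; the ASA-side ACLs are constructed here because the ASA configuration is not shown in the post.

```python
"""Two checks for a failed IPsec phase 2 between Cisco peers (added example).

1. summarize_phase2(): pull the offered IPsec proposal and the router's
   verdict out of 'debug crypto isakmp' style output.
2. mirror_mismatches(): confirm the local crypto ACL is the exact mirror of
   the remote one, which is what the crypto map's 'match address' expects.
"""
import ipaddress
import re

# Constructed sample: the debug output from the post, one message per line.
DEBUG_LOG = """\
*May 5 14:37:52.263: ISAKMP:(1007):Checking IPSec proposal 1
*May 5 14:37:52.263: ISAKMP: transform 1, ESP_3DES
*May 5 14:37:52.263: ISAKMP: attributes in transform:
*May 5 14:37:52.263: ISAKMP: SA life type in seconds
*May 5 14:37:52.263: ISAKMP: SA life duration (basic) of 28800
*May 5 14:37:52.263: ISAKMP: encaps is 1 (Tunnel)
*May 5 14:37:52.263: ISAKMP: authenticator is HMAC-SHA
*May 5 14:37:52.263: ISAKMP: group is 2
*May 5 14:37:52.263: ISAKMP:(1007):atts are acceptable.
*May 5 14:37:52.263: ISAKMP:(1007): IPSec policy invalidated proposal with error 32
*May 5 14:37:52.263: ISAKMP:(1007): phase 2 SA policy not acceptable! (local ... remote ...)
"""

# The router's crypto ACL as shown in the post.
ROUTER_ACL = "access-list 100 permit ip 10.100.100.0 0.0.0.255 10.10.10.0 0.0.0.255"
# Hypothetical ASA-side ACLs (constructed; the ASA config is not on the page).
ASA_ACL_MIRRORED = "access-list 100 permit ip 10.10.10.0 0.0.0.255 10.100.100.0 0.0.0.255"
ASA_ACL_WRONG = "access-list 100 permit ip 10.10.10.0 0.0.0.255 10.100.0.0 0.0.255.255"


def summarize_phase2(debug_text):
    """Return the proposal attributes the peer offered plus accept/reject flags."""
    summary = {"attributes_accepted": False, "policy_rejected": False}
    patterns = {
        "encryption": r"transform \d+, (\S+)",
        "encapsulation": r"encaps is \d+ \((\w+)\)",
        "authenticator": r"authenticator is (\S+)",
        "pfs_group": r"group is (\d+)",
        "lifetime_seconds": r"SA life duration \(basic\) of (\d+)",
    }
    for line in debug_text.splitlines():
        for key, pattern in patterns.items():
            match = re.search(pattern, line)
            if match:
                summary[key] = match.group(1)
        if "atts are acceptable" in line:
            summary["attributes_accepted"] = True
        if "SA policy not acceptable" in line:
            summary["policy_rejected"] = True
    return summary


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco address/wildcard pair (0.0.0.255 == /24) to a network.

    A non-contiguous wildcard cannot be expressed as a prefix; ipaddress raises
    NetmaskValueError in that case, which is the right outcome for a crypto ACL.
    """
    wildcard_bits = int(ipaddress.IPv4Address(wildcard))
    netmask = str(ipaddress.IPv4Address((~wildcard_bits) & 0xFFFFFFFF))
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def _take_spec(tokens):
    """Consume one ACE address spec ('any', 'host X', or 'X wildcard')."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N permit ip <src> <dst>' lines into (src, dst) networks."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[2] != "permit" or tokens[3] != "ip":
            continue  # only 'permit ip' entries are meaningful for a crypto ACL
        src, rest = _take_spec(tokens[4:])
        dst, _ = _take_spec(rest)
        aces.append((src, dst))
    return aces


def mirror_mismatches(local_acl, remote_acl):
    """Return local ACEs that have no exact mirror (dst, src) on the remote side."""
    remote = set(parse_acl(remote_acl))
    return [(src, dst) for (src, dst) in parse_acl(local_acl) if (dst, src) not in remote]


if __name__ == "__main__":
    print(summarize_phase2(DEBUG_LOG))
    print("mirrored ASA ACL mismatches:", mirror_mismatches(ROUTER_ACL, ASA_ACL_MIRRORED))
    print("wrong ASA ACL mismatches:   ", mirror_mismatches(ROUTER_ACL, ASA_ACL_WRONG))
```

For the debug on the page the summary comes out as ESP_3DES with HMAC-SHA, tunnel mode and PFS group 2, which matches the router's `tsAsa esp-3des esp-sha-hmac` transform set and `set pfs group2`; with the attributes agreed, a crypto ACL that is not the exact mirror of the peer's (the second ASA sample, a /16 instead of the router's /24) is the kind of mismatch this check reports.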