08-19-2010 04:31 AM - edited 02-21-2020 04:48 PM
Hello
If I match traffic on the ASA towards the 877 the tunnel comes up 100%
If I match traffic on the 877 towards the ASA the tunnel is not coming up - I get the following from a debug
…(lines removed)…
Aug 19 12:48:12 [IKEv1]: Group = 1.1.1.136, IP = 1.1.1.136, PHASE 1 COMPLETED
…(lines removed)…
Aug 19 12:48:12 [IKEv1]: Group = 1.1.1.136, IP = 1.1.1.136, Static Crypto Map check, map outside_map, seq = 5 is a successful match
Aug 19 12:48:12 [IKEv1]: Group = 1.1.1.136, IP = 1.1.1.136, IKE Remote Peer configured for crypto map: outside_map
Aug 19 12:48:12 [IKEv1 DEBUG]: Group = 1.1.1.136, IP = 1.1.1.136, processing IPSec SA payload
Aug 19 12:48:12 [IKEv1]: Group = 1.1.1.136, IP = 1.1.1.136, All IPSec SA proposals found unacceptable!
Aug 19 12:48:12 [IKEv1 DEBUG]: Group = 1.1.1.136, IP = 1.1.1.136, sending notify message
Aug 19 12:48:12 [IKEv1 DEBUG]: Group = 1.1.1.136, IP = 1.1.1.136, constructing blank hash payload
Aug 19 12:48:12 [IKEv1 DEBUG]: Group = 1.1.1.136, IP = 1.1.1.136, constructing ipsec notify payload for msg id 3e05497d
Aug 19 12:48:12 [IKEv1 DEBUG]: Group = 1.1.1.136, IP = 1.1.1.136, constructing qm hash payload
Aug 19 12:48:12 [IKEv1]: IP = 1.1.1.136, IKE_DECODE SENDING Message (msgid=fc4879ef) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Aug 19 12:48:12 [IKEv1]: Group = 1.1.1.136, IP = 1.1.1.136, QM FSM error (P2 struct &0xd8c6e6b0, mess id 0x3e05497d)!
Aug 19 12:48:12 [IKEv1 DEBUG]: Group = 1.1.1.136, IP = 1.1.1.136, IKE QM Responder FSM error history (struct &0xd8c6e6b0) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Aug 19 12:48:12 [IKEv1 DEBUG]: Group = 1.1.1.136, IP = 1.1.1.136, sending delete/delete with reason message
Aug 19 12:48:12 [IKEv1]: Group = 1.1.1.136, IP = 1.1.1.136, Removing peer from correlator table failed, no match!
See the relevant configuration below
877
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key abc123 address 2.2.2.220
!
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
!
crypto map TUNNEL_2_64 10 ipsec-isakmp
set peer 2.2.2.220
set transform-set TRANS
match address TUNNEL
!
interface Dialer1
crypto map TUNNEL_2_64
!
ip nat inside source list NAT interface Dialer1 overload
!
ip access-list extended NAT
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!
ip access-list extended TUNNEL
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip host 1.1.1.136 host 2.2.2.220
permit ip host 2.2.2.220 host 1.1.1.136
ASA
name 192.168.2.0 sitex
name 192.168.1.0 sitey
!
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.28.220 255.255.255.248
!
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 sitex 255.255.255.0
access-list outside_1_cryptomap extended permit ip sitex 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_1_cryptomap extended permit icmp host 2.2.2.220 host 1.1.1.136
access-list outside_1_cryptomap extended permit icmp host 1.1.1.136 host 2.2.2.220
access-list outside_1_cryptomap extended permit ip host 2.2.2.220 host 1.1.1.136
access-list outside_1_cryptomap extended permit ip host 1.1.1.136 host 2.2.2.220
!
crypto ipsec transform-set TEST_TRANS esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 1.1.1.136
crypto map outside_map 1 set transform-set TEST_TRANS
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
!
tunnel-group 1.1.1.136 type ipsec-l2l
tunnel-group 1.1.1.136 ipsec-attributes
pre-shared-key *
08-19-2010 05:29 AM
The crypto ACL is incorrect.
Assuming that ASA LAN is 192.168.2.0/24 and router LAN is 192.168.1.0/24, the following ACL should be configured:
On the router:
ip access-list extended TUNNEL
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
On the ASA:
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
The rest of the other ACL lines that have been configured should be removed. Most importantly, the number of ACL lines on the router should match the number on the ASA, with mirror-image ACLs for the subnets.
You also need to remove the following on the ASA as the router is not configured to use PFS:
crypto map outside_map 1 set pfs group1
Hope that helps.
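As an added illustration of the mirror-image rule above (example code, not anything from the thread or from Cisco): a small Python checker that normalizes the router's wildcard-mask crypto ACL and the ASA's netmask crypto ACL (resolving the ASA's name objects) into (proto, src, dst) triples, reports the lines each side fails to mirror, and flags a one-sided PFS setting. The sample lines are the ones posted in the thread; the function names are my own.

```python
import ipaddress

# Constructed sample input, copied from the thread: the ASA "name" lines map sitex to
# 192.168.2.0, so the ASA's first two crypto ACL lines describe 192.168.2.0 <-> 192.168.2.0.
ASA_NAMES = {"sitex": "192.168.2.0", "sitey": "192.168.1.0"}
ROUTER_ACL = """permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"""
ASA_ACL_BEFORE = """access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 sitex 255.255.255.0
access-list outside_1_cryptomap extended permit ip sitex 255.255.255.0 192.168.2.0 255.255.255.0"""
ROUTER_ACL_FIXED = "permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"
ASA_ACL_FIXED = "access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0"

def _endpoint(tok, i, names, wildcard):
    """Parse one endpoint ('any', 'host A', or 'A MASK') at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(names.get(tok[i + 1], tok[i + 1]) + "/32"), i + 2
    addr, mask = names.get(tok[i], tok[i]), tok[i + 1]
    if wildcard:  # IOS wildcard mask: invert the bits to get a netmask
        mask = str(ipaddress.ip_address(~int(ipaddress.ip_address(mask)) & 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2

def parse_crypto_acl(text, wildcard, names=None):
    """Return the set of (proto, src, dst) triples from the permit lines of a crypto ACL.
    wildcard=True for IOS (wildcard masks), False for ASA (netmasks); names resolves ASA 'name' objects."""
    names, entries = names or {}, set()
    for line in text.strip().splitlines():
        tok = line.split()
        if "permit" not in tok:
            continue
        i = tok.index("permit")
        src, j = _endpoint(tok, i + 2, names, wildcard)
        dst, _ = _endpoint(tok, j, names, wildcard)
        entries.add((tok[i + 1], src, dst))
    return entries

def mirror_mismatches(router_entries, asa_entries):
    """Each side's entries that the peer does not mirror (same proto, src/dst swapped).
    Both sets must be empty for every router line to be a proxy ID the ASA will accept."""
    flipped_router = {(p, d, s) for (p, s, d) in router_entries}
    flipped_asa = {(p, d, s) for (p, s, d) in asa_entries}
    return {"missing_on_asa": flipped_router - asa_entries,
            "missing_on_router": flipped_asa - router_entries}

def pfs_mismatch(router_crypto_map, asa_crypto_map):
    """True when only one side's crypto map text sets PFS, the thread's second Phase 2 failure cause."""
    return ("set pfs" in router_crypto_map) != ("set pfs" in asa_crypto_map)
```

Run against the posted ACLs, every line on both sides shows up as unmirrored; after the correction in the answer above, both mismatch sets are empty.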
08-19-2010 06:06 AM
It is alive... Thanks Halijenn