03-29-2012 01:13 AM
Dear all,
we're setting up two L2L connections, with the first being against an old 803 running 12.2(8)T8, the second against a modern 876W.
The VPN base functionality on the ASA is OK, meaning that a buncha VPN Clients connect just fine.
The ASA has a fixed public address, the Routers are both dynamic via ISP.
I can't seem to get the tunnel up for the old 803 and keep failing there in Phase 1 with:
Mar 29 09:17:06.181: ISAKMP: received ke message (1/1)
Mar 29 09:17:06.181: ISAKMP: local port 500, remote port 500
Mar 29 09:17:06.189: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Old State = IKE_READY New State = IKE_I_MM1
Mar 29 09:17:06.189: ISAKMP (0:1): beginning Main Mode exchange
Mar 29 09:17:06.193: ISAKMP (0:1): sending packet to ASA (I) MM_NO_STATE
Mar 29 09:17:06.225: ISAKMP (0:1): received packet from ASA (I) MM_NO_STATE
Mar 29 09:17:06.225: ISAKMP (0:1): Notify has no hash. Rejected.
The ASA is configured as follows:
access-list L2l extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2l extended permit ip 172.16.0.0 255.255.0.0 192.168.2.0 255.255.255.0
nat (inside,outside) source static inside_net inside_net destination static jt_net jt_net
nat (inside,outside) source static dmz_net dmz_net destination static jt_net jt_net
crypto ipsec transform-set CHFFM_0 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set CHFFM_1 esp-3des esp-sha-hmac
crypto ipsec transform-set CHFFM_2 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set CHFFM_3 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map CHFFM_MAP 65535 set pfs
crypto dynamic-map CHFFM_MAP 65535 set transform-set CHFFM_0 CHFFM_1 CHFFM_2 CHFFM_3
crypto dynamic-map CHFFM_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic CHFFM_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 192.168.2.0 ipsec-attributes
pre-shared-key *****
Here's the 803 config:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
Note: Its hash isn't displayed, but it is there:
#sho crypto isakmp policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
crypto ipsec transform-set office esp-3des esp-sha-hmac
!
crypto map itax 10 ipsec-isakmp
description CHFFM
set peer [ip address ASA]
set transform-set office
set pfs group2
match address 199
reverse-route
Can s/o point me in the right direction?
03-29-2012 01:17 AM
EDIT: Think you edited the original post just as I replied
Hi,
I'm pretty rusty with router VPN configurations but....
Do you have the corresponding crypto isakmp policy also configured for Phase1 in the router?
I mean this one
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
03-29-2012 01:22 AM
Hi,
I found some bug related to the Phase1 failing but it shouldn't affect your device anymore I think.
Have you tried configuring a different type of Phase1 policy on both ends just to test if it changes anything?
03-29-2012 01:35 AM
Hi,
yes, I did alter the post just after I noticed I forgot to post that part.
Now, I changed the hash to MD5 on both sides with the same result. I have read about that CSCO bug, too, so to verify, here's a sho ver: IOS (tm) C800 Software (C800-K9OSY6-MW), Version 12.2(8)T8, RELEASE SOFTWARE (fc1).
I cannot change the 803 ISA enc cipher to DES (company policy violation) and to AES (803 can't do that)...
03-29-2012 02:06 AM
OK I think this is it - the ASA says something w/ the DH is wrong... looks like the 803 proposes its default set which gets rejected.
2012-03-29 10:50:03 Local4.Notice 172.16.1.111 %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
2012-03-29 10:50:03 Local4.Notice 172.16.1.111 %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
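A small correlator for the two kinds of evidence seen in this thread: the ASA's %ASA-5-713257 Phase 1 mismatch syslog (which names the attribute class and the received vs. configured values) and the router's "Notify has no hash. Rejected." debug line. This is added example code, not from the thread or from Cisco; the sample lines are constructed from the ones pasted above, and the classification labels are my own.

```python
import re

# Constructed sample lines, modelled on the ASA syslog and IOS debug output in the thread.
SAMPLE_LOGS = [
    "2012-03-29 10:50:03 Local4.Notice 172.16.1.111 %ASA-5-713257: Phase 1 failure: "
    "Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2",
    "2012-03-29 10:50:03 Local4.Notice 172.16.1.111 %ASA-5-713257: Phase 1 failure: "
    "Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2",
    "Mar 29 09:17:06.225: ISAKMP (0:1): Notify has no hash. Rejected.",
    # Unrelated line, should be ignored by the correlator.
    "2012-03-29 10:50:04 Local4.Info 172.16.1.111 %ASA-6-302013: Built inbound TCP connection",
]

# ASA message 713257: "class" is the ISAKMP attribute (e.g. Group Description = DH group),
# followed by what the peer proposed and what the ASA policy is configured with.
ASA_MISMATCH = re.compile(
    r"%ASA-5-713257: Phase 1 failure: Mismatched attribute types for class "
    r"(?P<cls>[^:]+): Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+)$"
)
# IOS initiator side: the peer answered MM_NO_STATE with an unauthenticated Notify.
IOS_NOTIFY_NO_HASH = re.compile(r"ISAKMP \(\d+:\d+\): Notify has no hash\. Rejected\.")


def classify(line):
    """Return a dict describing a Phase 1 failure event, or None for other lines."""
    m = ASA_MISMATCH.search(line)
    if m:
        return {"source": "asa", "kind": "phase1-attr-mismatch",
                "class": m["cls"].strip(), "received": m["rcvd"].strip(),
                "configured": m["cfgd"].strip()}
    if IOS_NOTIFY_NO_HASH.search(line):
        return {"source": "ios", "kind": "phase1-notify-rejected"}
    return None


def summarize(lines):
    """Count mismatches per (class, received, configured) and IOS notify rejections."""
    mismatches, notify_rejects = {}, 0
    for line in lines:
        ev = classify(line)
        if ev is None:
            continue
        if ev["kind"] == "phase1-attr-mismatch":
            key = (ev["class"], ev["received"], ev["configured"])
            mismatches[key] = mismatches.get(key, 0) + 1
        else:
            notify_rejects += 1
    return {"mismatches": mismatches, "notify_rejects": notify_rejects}


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOGS)["mismatches"].items():
        print(f"{n}x Phase 1 {key[0]} mismatch: peer sent {key[1]}, ASA configured {key[2]}")
```

Run against a syslog export, the summary tells you which ISAKMP attribute to reconcile before touching anything else; in the thread's case it is the DH group.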