656 Views, 0 Helpful, 4 Replies

VPN on ASA 8.3 against IOS 12

Dan Jay
Level 1

Dear all,

we're setting up two L2L connections, the first against an old 803 running 12.2(8)T8, the second against a modern 876W.

The VPN base functionality on the ASA is OK, meaning that a bunch of VPN Clients connect just fine.

The ASA has a fixed public address; the Routers are both dynamic via ISP.

I can't seem to get the tunnel up for the old 803 and keep failing there in Phase 1 with:

Mar 29 09:17:06.181: ISAKMP: received ke message (1/1)
Mar 29 09:17:06.181: ISAKMP: local port 500, remote port 500
Mar 29 09:17:06.189: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Old State = IKE_READY  New State = IKE_I_MM1
Mar 29 09:17:06.189: ISAKMP (0:1): beginning Main Mode exchange
Mar 29 09:17:06.193: ISAKMP (0:1): sending packet to ASA (I) MM_NO_STATE
Mar 29 09:17:06.225: ISAKMP (0:1): received packet from ASA (I) MM_NO_STATE
Mar 29 09:17:06.225: ISAKMP (0:1): Notify has no hash. Rejected.

The ASA is configured as follows:

access-list L2l extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2l extended permit ip 172.16.0.0 255.255.0.0 192.168.2.0 255.255.255.0
nat (inside,outside) source static inside_net inside_net destination static jt_net jt_net
nat (inside,outside) source static dmz_net dmz_net destination static jt_net jt_net
crypto ipsec transform-set CHFFM_0 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set CHFFM_1 esp-3des esp-sha-hmac
crypto ipsec transform-set CHFFM_2 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set CHFFM_3 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map CHFFM_MAP 65535 set pfs
crypto dynamic-map CHFFM_MAP 65535 set transform-set CHFFM_0 CHFFM_1 CHFFM_2 CHFFM_3
crypto dynamic-map CHFFM_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic CHFFM_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 192.168.2.0 ipsec-attributes
 pre-shared-key *****

Here's the 803 config:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

Note: Its hash isn't displayed, but it is there:

#sho crypto isakmp policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit

crypto ipsec transform-set office esp-3des esp-sha-hmac
!
crypto map itax 10 ipsec-isakmp
 description CHFFM
 set peer [ip adress ASA]
 set transform-set office
 set pfs group2
 match address 199
 reverse-route

Can someone point me in the right direction?

4 Replies

Jouni Forss
VIP Alumni

EDIT: Think you edited the original post just as I replied

Hi,

I'm pretty rusty with router VPN configurations but....

Do you have the corresponding crypto isakmp policy also configured for Phase 1 in the router?

I mean this one

crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Hi,

I found some bug related to the Phase 1 failing, but it shouldn't affect your device anymore, I think.

Have you tried configuring a different type of Phase1 policy on both ends just to test if it changes anything?

Hi,

yes, I did alter the post just after I noticed I forgot to post that part.

Now, I changed the hash to MD5 on both sides with the same result. I have read about that CSCO bug, too, so to verify, here's a sho ver: IOS (tm) C800 Software (C800-K9OSY6-MW), Version 12.2(8)T8, RELEASE SOFTWARE (fc1).

I cannot change the 803 ISAKMP encryption cipher to DES (company policy violation) or to AES (the 803 can't do that).

OK, I think this is it: the ASA says something with the DH is wrong. Looks like the 803 proposes its default set, which gets rejected.

2012-03-29 10:50:03    Local4.Notice    172.16.1.111    %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
2012-03-29 10:50:03    Local4.Notice    172.16.1.111    %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
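The Phase 1 matching the thread ends on, as an added example that is not part of the original thread or of any Cisco code: a small Python model of how a responder (the ASA here) walks the initiator's ISAKMP proposals against its configured policies and reports the first differing attribute in the wording of the %ASA-5-713257 message, plus a parser for that message so a syslog feed can be checked the same way. The ASA policy 5 and the 803's policy 1 are taken from the posts; the group-1 proposal is constructed only to reproduce the logged mismatch, and exact matching on encryption, hash, authentication method and DH group with the lifetime left uncompared is an assumption about the negotiation, not a statement of how either platform is implemented.

```python
"""Simulated IKEv1 Phase 1 policy matching (added example, not thread code).

Assumption: a proposal matches a policy only when encryption, hash,
authentication method and DH group are all equal; the lifetime is carried
but not compared, since the peers settle on the shorter value.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Wording the ASA uses for each attribute class in the 713257 message.
ATTRIBUTE_CLASS = {
    "encryption": "Encryption Alg",
    "hash": "Hash Alg",
    "auth": "Authentication Method",
    "group": "Group Description",
}


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encryption: str  # e.g. "des", "3des", "aes"
    hash: str        # "sha" or "md5"
    auth: str        # "pre-share" or "rsa-sig"
    group: int       # Diffie-Hellman group number
    lifetime: int = 86400


def attribute_mismatches(proposal: IsakmpPolicy, policy: IsakmpPolicy) -> List[Tuple[str, str, str]]:
    """Return (class, received, configured) for every attribute that differs."""
    out = []
    for attr, label in ATTRIBUTE_CLASS.items():
        rcvd, cfgd = getattr(proposal, attr), getattr(policy, attr)
        if rcvd != cfgd:
            if attr == "group":
                rcvd, cfgd = f"Group {rcvd}", f"Group {cfgd}"
            out.append((label, str(rcvd), str(cfgd)))
    return out


def negotiate(proposals, policies) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy]]:
    """Responder view: try each received proposal against each local policy,
    both in ascending priority order; the first pair with no mismatch wins."""
    for proposal in sorted(proposals, key=lambda p: p.priority):
        for policy in sorted(policies, key=lambda p: p.priority):
            if not attribute_mismatches(proposal, policy):
                return proposal, policy
    return None


def mismatch_messages(proposals, policies) -> List[str]:
    """Render the first differing attribute of every failing pair the way the
    ASA reports it, so the output can be compared with a real syslog feed."""
    lines = []
    for proposal in sorted(proposals, key=lambda p: p.priority):
        for policy in sorted(policies, key=lambda p: p.priority):
            diffs = attribute_mismatches(proposal, policy)
            if diffs:
                label, rcvd, cfgd = diffs[0]
                lines.append(
                    f"Phase 1 failure:  Mismatched attribute types for class "
                    f"{label}:  Rcv'd: {rcvd}  Cfg'd: {cfgd}"
                )
    return lines


# Shape of the mismatch message as it appears in the thread's syslog export;
# the message-ID prefix is optional so locally rendered lines parse too.
_MISMATCH_RE = re.compile(
    r"(?:%ASA-5-713257: )?Phase 1 failure:\s+Mismatched attribute types for class "
    r"(?P<cls>[^:]+):\s+Rcv'd: (?P<rcvd>.+?)\s+Cfg'd: (?P<cfgd>.+?)\s*$"
)


def parse_mismatch(line: str) -> Optional[dict]:
    """Extract class / received / configured from one 713257 line, else None."""
    m = _MISMATCH_RE.search(line)
    return m.groupdict() if m else None


# Responder policy: the ASA's "crypto isakmp policy 5" from the thread.
ASA_POLICIES = [IsakmpPolicy(5, "3des", "sha", "pre-share", 2, 86400)]

# Initiator proposals. ROUTER_AS_POSTED is the 803's "crypto isakmp policy 1"
# as shown in the thread; ROUTER_GROUP1_ONLY is a CONSTRUCTED low-priority
# proposal with DH group 1, used only to reproduce the logged mismatch.
ROUTER_AS_POSTED = [IsakmpPolicy(1, "3des", "sha", "pre-share", 2, 86400)]
ROUTER_GROUP1_ONLY = [IsakmpPolicy(65535, "3des", "sha", "pre-share", 1, 86400)]

# Syslog line copied from the thread.
SAMPLE_LOG = ("2012-03-29 10:50:03    Local4.Notice    172.16.1.111    "
              "%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for "
              "class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2")


if __name__ == "__main__":
    print("as posted matches:", negotiate(ROUTER_AS_POSTED, ASA_POLICIES) is not None)
    for msg in mismatch_messages(ROUTER_GROUP1_ONLY, ASA_POLICIES):
        print(msg)
    print(parse_mismatch(SAMPLE_LOG))
```

Run stand-alone, the script shows that the two policies as posted do match under these assumptions, and that a received group-1 proposal against a configured group-2 policy yields exactly the class/received/configured triple the ASA logged; feeding real 713257 lines through parse_mismatch gives the attribute to correct on whichever side sent the unexpected value.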