
New Member

VPN on ASA 8.3 against IOS 12

Dear all,

we're setting up two L2L connections, with the first being against an old 803 running 12.2(8)T8, the second against a modern 876W.

The VPN base functionality on the ASA is OK, meaning that a buncha VPN Clients connect just fine.

The ASA has a fixed public address, the Routers are both dynamic via ISP.

I can't seem to get the tunnel up for the old 803 and keep failing there in Phase 1 with:

Mar 29 09:17:06.181: ISAKMP: received ke message (1/1)
Mar 29 09:17:06.181: ISAKMP: local port 500, remote port 500
Mar 29 09:17:06.189: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Old State = IKE_READY  New State = IKE_I_MM1
Mar 29 09:17:06.189: ISAKMP (0:1): beginning Main Mode exchange
Mar 29 09:17:06.193: ISAKMP (0:1): sending packet to ASA (I) MM_NO_STATE
Mar 29 09:17:06.225: ISAKMP (0:1): received packet from ASA (I) MM_NO_STATE
Mar 29 09:17:06.225: ISAKMP (0:1): Notify has no hash. Rejected.

The ASA is configured as follows:

access-list L2l extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2l extended permit ip 172.16.0.0 255.255.0.0 192.168.2.0 255.255.255.0
nat (inside,outside) source static inside_net inside_net destination static jt_net jt_net
nat (inside,outside) source static dmz_net dmz_net destination static jt_net jt_net
crypto ipsec transform-set CHFFM_0 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set CHFFM_1 esp-3des esp-sha-hmac
crypto ipsec transform-set CHFFM_2 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set CHFFM_3 esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map CHFFM_MAP 65535 set pfs
crypto dynamic-map CHFFM_MAP 65535 set transform-set CHFFM_0 CHFFM_1 CHFFM_2 CHFFM_3
crypto dynamic-map CHFFM_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic CHFFM_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 192.168.2.0 ipsec-attributes
 pre-shared-key *****

Here's the 803 config:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

Note: Its hash isn't displayed, but it is there:

#sho crypto isakmp policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit

crypto ipsec transform-set office esp-3des esp-sha-hmac
!
crypto map itax 10 ipsec-isakmp
 description CHFFM
 set peer [ip adress ASA]
 set transform-set office
 set pfs group2
 match address 199
 reverse-route

Can s/o point me in the right direction?
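
Added example (my own code, not from the thread or from Cisco): a small Python model of how an IKEv1 Phase 1 (ISAKMP) proposal is matched against a responder's configured policies. Encryption, hash, authentication method and Diffie-Hellman group must be identical; the lifetime check below follows the rule documented for IOS (a proposal matches when its lifetime is less than or equal to the configured one), which is the one assumption here. The policy values are copied from the ASA and 803 configs above; the group-1 proposal is a constructed illustration of the kind of mismatch the ASA reports later in the thread.

```python
"""Model IKEv1 Phase 1 policy matching (added example, not from the thread)."""
from dataclasses import dataclass

# Attributes that must be identical on both sides for an ISAKMP SA to form.
NEGOTIATED = ("encryption", "hash_alg", "authentication", "group")


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # lower value is tried first on the responder
    encryption: str        # e.g. "3des", "aes-256"
    hash_alg: str          # e.g. "sha", "md5"
    authentication: str    # e.g. "pre-share"
    group: int             # Diffie-Hellman group number
    lifetime: int = 86400  # seconds


def mismatches(proposal, policy):
    """Return the attribute names on which a proposal fails against a policy.

    Lifetime rule (assumption, taken from IOS documentation): the proposal
    passes when its lifetime is <= the configured lifetime; the shorter
    value is then used for the SA.
    """
    bad = [a for a in NEGOTIATED if getattr(proposal, a) != getattr(policy, a)]
    if proposal.lifetime > policy.lifetime:
        bad.append("lifetime")
    return bad


def first_match(proposals, configured):
    """Return (proposal, policy) for the first proposal some configured policy
    accepts, checking policies in priority order; None if Phase 1 would fail."""
    for proposal in proposals:
        for policy in sorted(configured, key=lambda p: p.priority):
            if not mismatches(proposal, policy):
                return proposal, policy
    return None


def explain_failure(proposals, configured):
    """Report each mismatching attribute in the style of the ASA's
    %ASA-5-713257 message, so the offending attribute is obvious."""
    reports = []
    for proposal in proposals:
        for policy in sorted(configured, key=lambda p: p.priority):
            for attr in mismatches(proposal, policy):
                reports.append(
                    f"Mismatched {attr}: Rcv'd {getattr(proposal, attr)} "
                    f"Cfg'd {getattr(policy, attr)}"
                )
    return reports


# ASA side, as posted: crypto isakmp policy 5
ASA_POLICIES = [IsakmpPolicy(5, "3des", "sha", "pre-share", 2, 86400)]

# 803 policy 1 as 'sho crypto isakmp policy' displays it (hash sha is implicit)
ROUTER_POLICY_1 = IsakmpPolicy(1, "3des", "sha", "pre-share", 2, 86400)

# Constructed proposal with DH group 1: differs from the ASA only in the group
GROUP1_PROPOSAL = IsakmpPolicy(65535, "3des", "sha", "pre-share", 1, 86400)

if __name__ == "__main__":
    print("configured policy 1 vs ASA:", first_match([ROUTER_POLICY_1], ASA_POLICIES))
    print("group-1 proposal vs ASA:", first_match([GROUP1_PROPOSAL], ASA_POLICIES))
    for line in explain_failure([GROUP1_PROPOSAL], ASA_POLICIES):
        print(line)
```

The point the model makes is that the configured policy 1 on the 803 does line up with ASA policy 5 attribute for attribute, so a Phase 1 failure must come from a proposal other than that policy; comparing what was actually received against what is configured is the quickest way to find which attribute is off.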

4 REPLIES
Super Bronze

Re: VPN on ASA 8.3 against IOS 12

EDIT: Think you edited the original post just as I replied

Hi,

I'm pretty rusty with router VPN configurations but....

Do you have the corresponding crypto isakmp policy also configured for Phase1 in the router?

I mean this one

crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Super Bronze

Re: VPN on ASA 8.3 against IOS 12

Hi,

I found some bug related to the Phase1 failing but it shouldn't affect your device anymore I think.

Have you tried configuring a different type of Phase1 policy on both ends just to test if it changes anything?

New Member

VPN on ASA 8.3 against IOS 12

Hi,

yes, I did alter the post just after I noticed I forgot to post that part.

Now, I changed the hash to MD5 on both sides with the same result.... I have read about that CSCO bug, too, so as to verify here's a sho ver: IOS (tm) C800 Software (C800-K9OSY6-MW), Version 12.2(8)T8, RELEASE SOFTWARE (fc1).

I cannot change the 803 ISA enc cipher to DES (company policy violation) and to AES (803 can't do that).....

New Member

VPN on ASA 8.3 against IOS 12

OK I think this is it - the ASA says something /w the DH is wrong.....looks like the 803 proposes its default set which gets rejected.

2012-03-29 10:50:03    Local4.Notice    172.16.1.111    %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
2012-03-29 10:50:03    Local4.Notice    172.16.1.111    %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
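
Added example (my own code, not from the thread or from Cisco): a Python parser for the syslog-server lines shown above that pulls the class, received value and configured value out of each %ASA-5-713257 Phase 1 failure and counts them per peer. The first two sample lines are the ones posted above; the third line (class "Hash Alg") and the non-713257 line are constructed to show that other mismatch classes are captured and unrelated messages are ignored. The line layout (date, time, facility, host, message) is assumed from the posted output.

```python
"""Parse %ASA-5-713257 Phase 1 failures out of syslog lines (added example)."""
import re
from collections import Counter

# Shape of the syslog-server lines as posted: date time facility host %ASA message
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+(?P<host>\S+)\s+"
    r"(?P<msg>%ASA-\d-\d+:.*)$"
)

# Body of the 713257 message: class, what the peer sent, what is configured
FAILURE = re.compile(
    r"^%ASA-5-713257: Phase 1 failure:\s+Mismatched attribute types for class "
    r"(?P<cls>.+?):\s+Rcv'd:\s+(?P<rcvd>.+?)\s+Cfg'd:\s+(?P<cfgd>.+?)\s*$"
)

# Constructed sample: two lines from the thread plus two constructed ones
SAMPLE_LOG = """\
2012-03-29 10:50:03    Local4.Notice    172.16.1.111    %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
2012-03-29 10:50:03    Local4.Notice    172.16.1.111    %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
2012-03-29 10:50:05    Local4.Notice    172.16.1.111    %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Hash Alg:  Rcv'd: MD5  Cfg'd: SHA
2012-03-29 10:50:07    Local4.Info      172.16.1.111    %ASA-6-302013: Built outbound TCP connection (constructed, unrelated)
"""


def parse_phase1_failures(log_text):
    """Return one dict per 713257 line; lines that do not parse are skipped."""
    events = []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        failure = FAILURE.match(line["msg"])
        if not failure:
            continue
        events.append({
            "ts": line["ts"],
            "host": line["host"],
            "class": failure["cls"],
            "received": failure["rcvd"],
            "configured": failure["cfgd"],
        })
    return events


def summarize(events):
    """Count distinct (host, class, received, configured) combinations, so a
    repeated mismatch from one peer collapses to a single line with a count."""
    return Counter(
        (e["host"], e["class"], e["received"], e["configured"]) for e in events
    )


if __name__ == "__main__":
    found = parse_phase1_failures(SAMPLE_LOG)
    for key, count in summarize(found).most_common():
        host, cls, rcvd, cfgd = key
        print(f"{host}: {cls}: peer sent '{rcvd}', configured '{cfgd}' (x{count})")
```

Running it over the sample collapses the two identical Group Description lines into one entry with a count of 2, which is the form that makes the single attribute to fix (here, the DH group the peer proposes) stand out when a peer retries repeatedly.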
