VPN stuck AM_WAIT_MSG3

yoan.tresfield
Level 1

Hi there,

I am trying to establish a site-to-site VPN connection between an ASA5510 and a Westermo DR250.

The setup for the Westermo is supposed to work, as I have 20 of those deployed in the field running ipsec-l2l with a Cisco 1812.

But anyway, as a test, I opened all ports from the Westermo to the ASA.

I used ASDM to set up the rules for the ASA.

Permit the following rules:

OUTSIDE interface

permit from ASA_outside_interface to westermo_outside_interface port UDP 500, ESP, AH, UDP 4500.

permit from westermo_outside_interface to ASA_outside_interface port UDP 500, ESP, AH, UDP 4500.

This is the sh ru crypto output:

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal ARC
 protocol esp encryption 3des
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap
crypto map OUTSIDE_map 1 set peer 125.236.X.X
crypto map OUTSIDE_map 1 set ikev1 phase1-mode aggressive
crypto map OUTSIDE_map 1 set ikev1 transform-set ESP-3DES-MD5
crypto map OUTSIDE_map 1 set ikev2 ipsec-proposal ARC
crypto map OUTSIDE_map interface OUTSIDE
crypto ikev2 policy 1
 encryption 3des
 integrity md5
 group 2
 prf md5
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

Output of debug crypto isakmp:

Jan 29 2012 10:10:05: %ASA-7-713236: IP = 125.236.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 344
Jan 29 2012 10:10:05: %ASA-7-715047: IP = 125.236.X.X, processing SA payload
Jan 29 2012 10:10:05: %ASA-7-715047: IP = 125.236.X.X, processing ke payload
Jan 29 2012 10:10:05: %ASA-7-715047: IP = 125.236.X.X, processing ISA_KE payload
Jan 29 2012 10:10:05: %ASA-7-715047: IP = 125.236.X.X, processing nonce payload
Jan 29 2012 10:10:05: %ASA-7-715047: IP = 125.236.X.X, processing ID payload
Jan 29 2012 10:10:05: %ASA-7-714011: IP = 125.236.X.X, ID_IPV4_ADDR ID received 125.236.X.X
Jan 29 2012 10:10:05: %ASA-7-715047: IP = 125.236.X.X, processing VID payload
Jan 29 2012 10:10:05: %ASA-7-715049: IP = 125.236.X.X, Received DPD VID
Jan 29 2012 10:10:05: %ASA-7-715047: IP = 125.236.X.X, processing VID payload
Jan 29 2012 10:10:05: %ASA-7-715049: IP = 125.236.X.X, Received NAT-Traversal ver 03 VID
Jan 29 2012 10:10:05: %ASA-7-715047: IP = 125.236.X.X, processing VID payload
Jan 29 2012 10:10:05: %ASA-7-715049: IP = 125.236.X.X, Received NAT-Traversal ver 02 VID
Jan 29 2012 10:10:05: %ASA-7-715047: IP = 125.236.X.X, processing VID payload
Jan 29 2012 10:10:05: %ASA-7-715049: IP = 125.236.X.X, Received NAT-Traversal RFC VID
Jan 29 2012 10:10:05: %ASA-7-715047: IP = 125.236.X.X, processing VID payload
Jan 29 2012 10:10:05: %ASA-7-715049: IP = 125.236.X.X, Received Cisco Unity client VID
Jan 29 2012 10:10:05: %ASA-7-713906: IP = 125.236.X.X, Connection landed on tunnel_group 125.236.X.X
Jan 29 2012 10:10:05: %ASA-7-715047: Group = 125.236.X.X, IP = 125.236.X.X, processing IKE SA payload
Jan 29 2012 10:10:05: %ASA-7-715028: Group = 125.236.X.X, IP = 125.236.X.X, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1
Jan 29 2012 10:10:05: %ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,, constructing ISAKMP SA payload
Jan 29 2012 10:10:09: %ASA-7-715046: Group = 125.236.X.X, IP = 125.236.X.X,, constructing ke payload
Jan 29 2012 10:10:09: %ASA-7-715046: Group = 125.236.X.X, IP = 125.236.X.X,constructing nonce payload
Jan 29 2012 10:10:09: %ASA-7-713906: Group = 125.236.X.X, IP = 125.236.X.X,, Generating keys for Responder...
Jan 29 2012 10:10:09: %ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,constructing ID payload
Jan 29 2012 10:10:09: %ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,, constructing hash payload
Jan 29 2012 10:10:09: %ASA-7-715076:Group = 125.236.X.X, IP = 125.236.X.X,, Computing hash for ISAKMP
Jan 29 2012 10:10:09: %ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,, constructing Cisco Unity VID payload
Jan 29 2012 10:10:09: %ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,, constructing xauth V6 VID payload
Jan 29 2012 10:10:09: %ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,constructing dpd vid payload
Jan 29 2012 10:10:09: %ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,constructing NAT-Traversal VID ver 02 payload
Jan 29 2012 10:10:09: %ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,constructing NAT-Discovery payload
Jan 29 2012 10:10:09: %ASA-7-713906:Group = 125.236.X.X, IP = 125.236.X.X,computing NAT Discovery hash
Jan 29 2012 10:10:09: %ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,constructing NAT-Discovery payload
Jan 29 2012 10:10:09: %ASA-7-713906: Group = 125.236.X.X, IP = 125.236.X.X,computing NAT Discovery hash
Jan 29 2012 10:10:09: %ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,constructing Fragmentation VID + extended capabilities payload
%ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,constructing VID payload
%ASA-7-715048:Group = 125.236.X.X, IP = 125.236.X.X,Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-713236: IP = 125.236.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 424
%ASA-7-713906:Group = 125.236.X.X, IP = 125.236.X.X,IKE SA AM:d6b4a88d terminating:  flags 0x01004001, refcnt 0, tuncnt 0
%ASA-7-713906:Group = 125.236.X.X, IP = 125.236.X.X,sending delete/delete with reason message
%ASA-7-715046:Group = 125.236.X.X, IP = 125.236.X.X,constructing blank hash payload
%ASA-7-715046: Group = 125.236.X.X, IP = 125.236.X.X,constructing IKE delete payload
%ASA-7-715046: Group = 125.236.X.X, IP = 125.236.X.X,constructing qm hash payload
%ASA-7-713236: IP = 125.236.X.X, IKE_DECODE SENDING Message (msgid=15cfffe3) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76

I can ping both the router's and the ASA's outside interfaces from the respective boxes, but the VPN doesn't come up. It seems that the ASA doesn't receive any answer.

Any help would be really appreciated.

Yoan

3 Replies

Marcin Latosiewicz
Cisco Employee

Yoan,

There is no need to change outside ACL for control plane traffic.

It looks like UDP/500 traffic from ASA is not making it to the other end or UDP/500 (or 4500) is not making it from other side to ASA.

Get a sniffer trace + debugs on both sides to confirm which one it is.

M.
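As an added illustration of the diagnosis above (not code from the thread or from Cisco): a small Python checker that walks responder-side debug crypto isakmp lines, tracks the three IKEv1 aggressive-mode messages by their payload sets, and reports where the exchange stalled. The sample lines are a constructed, condensed excerpt of the debug posted above; the function names are my own.

```python
import re

# Constructed sample condensed from the thread's "debug crypto isakmp" output (peer redacted as in the post).
SAMPLE_DEBUG = [
    "%ASA-7-713236: IP = 125.236.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + NONE (0) total length : 344",
    "%ASA-7-715028: Group = 125.236.X.X, IP = 125.236.X.X, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1",
    "%ASA-7-713236: IP = 125.236.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 424",
    "%ASA-7-713906: Group = 125.236.X.X, IP = 125.236.X.X,IKE SA AM:d6b4a88d terminating:  flags 0x01004001, refcnt 0, tuncnt 0",
    "%ASA-7-713236: IP = 125.236.X.X, IKE_DECODE SENDING Message (msgid=15cfffe3) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76",
]

DECODE_RE = re.compile(r"IKE_DECODE (RECEIVED|SENDING) Message \(msgid=([0-9a-f]+)\) with payloads : (.*?) total length")

def payload_names(text):
    """'HDR + SA (1) + KE (4) + NONE (0)' -> {'HDR', 'SA', 'KE'}"""
    return {p.split(" (")[0].strip() for p in text.split(" + ")} - {"NONE"}

def analyse_aggressive_mode(lines):
    """Track the three IKEv1 aggressive-mode messages as the responder sees them."""
    st = {"msg1_rx": False, "msg2_tx": False, "msg3_rx": False,
          "policy_matched": False, "nat_t": False, "sa_terminated": False}
    for line in lines:
        if "acceptable" in line and "Matches global IKE entry" in line:
            st["policy_matched"] = True          # phase 1 proposal accepted
        if "IKE SA AM:" in line and "terminating" in line:
            st["sa_terminated"] = True           # responder gave up on the SA
        m = DECODE_RE.search(line)
        if not m or m.group(2) != "0":           # msgid 0 is the phase 1 exchange
            continue
        direction, payloads = m.group(1), payload_names(m.group(3))
        if direction == "RECEIVED" and {"SA", "KE", "NONCE", "ID"} <= payloads and "HASH" not in payloads:
            st["msg1_rx"] = True                 # msg1: initiator's SA/KE/nonce/ID
        elif direction == "SENDING" and {"SA", "KE", "NONCE", "ID", "HASH"} <= payloads:
            st["msg2_tx"] = True                 # msg2: our reply, authenticated by HASH
            st["nat_t"] = "NAT-D" in payloads    # NAT-T offered: UDP/4500 may follow
        elif direction == "RECEIVED" and "HASH" in payloads and "SA" not in payloads:
            st["msg3_rx"] = True                 # msg3: initiator's HASH, completes phase 1
    return st

def verdict(st):
    """Turn the tracked state into the diagnosis a responder-side debug supports."""
    if st["msg1_rx"] and st["msg2_tx"] and not st["msg3_rx"]:
        ports = "UDP/500 and UDP/4500" if st["nat_t"] else "UDP/500"
        return ("AM_WAIT_MSG3: message 2 was sent but message 3 never arrived"
                + (" before the SA was torn down" if st["sa_terminated"] else "")
                + ("; policy matched, so not a proposal mismatch" if st["policy_matched"] else "")
                + f"; confirm {ports} passes in both directions with captures on both sides")
    if st["msg3_rx"]:
        return "phase 1 aggressive mode completed"
    return "no aggressive-mode exchange seen"
```

Feeding it the thread's debug yields the AM_WAIT_MSG3 verdict: the proposal matched, so the remaining question is whether message 2 ever reached the Westermo or its message 3 ever came back, which is exactly what the two-sided capture settles.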

Hi Marcin,

Thanks for your reply and sorry for my late answer.

I want to be sure it is set up properly before coming back to you with a success or not.

I will let you know.

Cheers.

Y

Hi there,

The site-to-site VPN is now set up.

ASA5510: follow the ASDM site-to-site VPN wizard.

For ISAKMP I used: IKEv1, AES-256-SHA1, D-H Group 2, pre-shared key.

For IPsec: AES-256 SHA, tunnel mode.

crypto ikev1 enable OUTSIDE

Static NAT (INSIDE,OUTSIDE) source static "NET_source" "NET_source" destination static "NET_dest" "NET_dest"

WESTERMO DR250

Same config as above.

Configure the firewall to allow traffic to/from the ASA.

Configure the firewall to allow traffic to/from the Westermo subnet to/from the ASA subnet.

The only thing is that the pre-shared key is configured when a user is created! Tricky.

Configure -> Users -> UsersX (X = [0;14]), Name = IP address of the VPN peer, here the ASA.

Password = pre-shared key.

Note: you can choose any number for the user; the box will check all users until one matches.

Cheers.