I am trying to configure a site-to-site IPsec VPN tunnel between Router1 and the ASA5505 firewall, but I am getting an MM_NO_STATE error.
Router configuration:
Current configuration : 1190 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
license udi pid CISCO1941/K9 sn FTX1524SDA3-
license boot module c1900 technology-package securityk9
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 70000
!
crypto isakmp key cisco address 192.168.2.1
!
!
!
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
set peer 192.168.2.1
set transform-set VPN-SET
match address VPN-ACL
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 192.168.4.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.3.2 255.255.255.0
duplex auto
speed auto
crypto map VPN-MAP
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.3.1
!
ip flow-export version 9
!
!
ip access-list extended VPN-ACL
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
line con 0
!
line aux 0
!
line vty 0 4
login
!
!
!
end
Firewall configuration:
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 10
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 10
ip address 192.168.2.1 255.255.255.0
!
object network LOCAL-NET
subnet 192.168.1.0 255.255.255.0
object network REMOTE-NET
subnet 192.168.4.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 192.168.2.2 1
!
access-list VPN-ACL extended permit ip object LOCAL-NET object REMOTE-NET
!
!
!
!
!
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.36 inside
dhcpd enable inside
!
!
!
crypto ipsec ikev1 transform-set VPN-SET esp-aes esp-sha-hmac
!
crypto map VPN-MAP 10 match address VPN-ACL
crypto map VPN-MAP 10 set peer 192.168.3.2
crypto map VPN-MAP 10 set ikev1 transform-set VPN-SET
crypto map VPN-MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
encr aes
authentication pre-share
group 2
lifetime 70000
!
tunnel-group 192.168.3.2 type ipsec-l2l
tunnel-group 192.168.3.2 ipsec-attributes
ikev1 pre-shared-key cisco
!
When I executed debug crypto isakmp:
ISAKMP:(0): SA request profile is (NULL)
ISAKMP: Created a peer struct for 192.168.2.1, peer port 500
ISAKMP: New peer created peer = 0x47CA9F80 peer_handle = 0x80000003
ISAKMP: Locking peer struct 0x47CA9F80, refcount 1 for isakmp_initiator
ISAKMP: local port 500, remote port 500
ISAKMP: set new node 0 to QM_IDLE
insert sa successfully sa = 495ADE20
ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
ISAKMP:(0):found peer pre-shared key matching 192.168.2.1
constructed NAT-T vendor-rfc3947 ID
ISAKMP:(0): constructed NAT-T vendor-07 ID
ISAKMP:(0): constructed NAT-T vendor-03 ID
ISAKMP:(0): constructed NAT-T vendor-02 ID
ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
ISAKMP:(0): beginning Main Mode exchange
ISAKMP:(0): sending packet to 192.168.2.1 my_port 500 peer_port 500 (I) MM_NO_STATE
ISAKMP:(0):Sending an IKE IPv4 Packet.
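The following script is an added example and is not part of the post above or of any Cisco tool. It takes the tunnel-relevant lines of the two configurations quoted in the post (trimmed to what the parser reads), extracts what both ends of an IKEv1 site-to-site tunnel must agree on (mirrored peer addresses, pre-shared key and the peer it is bound to, Phase 1 policy, Phase 2 transform set, and a mirror-image crypto ACL) and reports every mismatch. The parse and check functions and the field names they use are this script's own, not Cisco syntax; the parser only understands the command forms that appear in the post.

```python
# Added example, not from the post: cross-check the router and ASA halves of an
# IKEv1 site-to-site tunnel. The config strings are the post's lines, trimmed.
import ipaddress

ROUTER_CFG = """
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 70000
crypto isakmp key cisco address 192.168.2.1
crypto ipsec transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 ipsec-isakmp
set peer 192.168.2.1
set transform-set VPN-SET
interface GigabitEthernet0/1
ip address 192.168.3.2 255.255.255.0
crypto map VPN-MAP
ip access-list extended VPN-ACL
permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
ASA_CFG = """
interface Vlan2
nameif outside
ip address 192.168.2.1 255.255.255.0
object network LOCAL-NET
subnet 192.168.1.0 255.255.255.0
object network REMOTE-NET
subnet 192.168.4.0 255.255.255.0
access-list VPN-ACL extended permit ip object LOCAL-NET object REMOTE-NET
crypto ipsec ikev1 transform-set VPN-SET esp-aes esp-sha-hmac
crypto map VPN-MAP 10 set peer 192.168.3.2
crypto map VPN-MAP 10 set ikev1 transform-set VPN-SET
crypto map VPN-MAP interface outside
crypto ikev1 policy 10
encr aes
authentication pre-share
group 2
lifetime 70000
tunnel-group 192.168.3.2 type ipsec-l2l
ikev1 pre-shared-key cisco
"""


def parse(cfg):  # pull out the facts the two ends must agree on (IOS and ASA syntax)
    d = {"p1": {}, "ts": None, "peer": None, "local": None, "psk": None, "psk_peer": None, "acl": []}
    last_ip, nameif, ifaces, objs, obj = None, None, {}, {}, None
    for t in filter(None, map(str.split, cfg.splitlines())):
        if t[0] in ("encr", "encryption", "authentication", "group", "lifetime") and len(t) == 2:
            d["p1"][{"encryption": "encr"}.get(t[0], t[0])] = t[1]   # phase 1 policy attribute
        elif t[:2] == ["ip", "address"]:
            last_ip = ifaces[nameif] = t[2]                            # ASA: address per nameif
        elif t[0] == "nameif":
            nameif = t[1]
        elif t[:2] == ["crypto", "ipsec"]:                             # phase 2 transform set
            d["ts"] = sorted(t[t.index("transform-set") + 2:])
        elif "set" in t and "peer" in t:
            d["peer"] = t[-1]
        elif t[:2] == ["crypto", "map"] and len(t) == 3:               # IOS: map applied on interface
            d["local"] = last_ip
        elif t[:2] == ["crypto", "map"] and t[3] == "interface":       # ASA: map bound to nameif
            d["local"] = ifaces[t[4]]
        elif t[:3] == ["crypto", "isakmp", "key"]:                     # IOS: key and peer together
            d["psk"], d["psk_peer"] = t[3], t[5]
        elif t[0] == "tunnel-group":                                   # ASA: group name is the peer
            d["psk_peer"] = t[1]
        elif t[:2] == ["ikev1", "pre-shared-key"]:
            d["psk"] = t[2]
        elif t[:2] == ["object", "network"]:
            obj = t[2]
        elif t[0] == "subnet":
            objs[obj] = ipaddress.ip_network(f"{t[1]}/{t[2]}")
        elif t[:2] == ["permit", "ip"]:                                # IOS ACE with wildcard masks
            d["acl"].append(tuple(ipaddress.ip_network(f"{a}/{w}") for a, w in (t[2:4], t[4:6])))
        elif t[0] == "access-list" and "object" in t:                  # ASA ACE with object names
            d["acl"].append((objs[t[6]], objs[t[8]]))
    return d


def check(r, a):  # mismatches the responder would reject, or that leave traffic unprotected
    out = []
    if r["peer"] != a["local"] or a["peer"] != r["local"]:
        out.append(f"peers not mirrored: router {r['local']}->{r['peer']}, ASA {a['local']}->{a['peer']}")
    if r["psk"] != a["psk"] or r["psk_peer"] != a["local"] or a["psk_peer"] != r["local"]:
        out.append("pre-shared key, or the peer address it is bound to, differs")
    if r["p1"] != a["p1"]:
        out.append(f"phase 1 policy differs: router {r['p1']} vs ASA {a['p1']}")
    if r["ts"] != a["ts"]:
        out.append(f"phase 2 transform set differs: router {r['ts']} vs ASA {a['ts']}")
    for name, side, other in (("router", r, a), ("ASA", a, r)):
        for src, dst in side["acl"]:
            if (dst, src) not in other["acl"]:
                out.append(f"{name} crypto ACL entry {src} -> {dst} has no mirror image on the other end")
    return out


if __name__ == "__main__":
    print("\n".join(check(parse(ROUTER_CFG), parse(ASA_CFG)) or ["no mismatches found"]))
```

Run as-is, it finds the two ends agree on peers, key, Phase 1 and Phase 2, and reports one asymmetry: the router's second VPN-ACL entry (192.168.0.0/24 to 192.168.1.0/24) has no mirror on the ASA. A configuration cross-check of this kind cannot explain an initiator that stays in MM_NO_STATE, which only means the ISAKMP SA was created and the first Main Mode packet has not been answered; whether that packet reaches 192.168.2.1 and the reply comes back is a routing and reachability question that has to be checked separately.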