02-17-2014 04:08 AM - edited 03-11-2019 08:46 PM
Hi guys,
I have an ASA 5512-X running ASA software 9.1. The configuration was built by copying a config from another ASA (8.2), so it's pretty much done a number on the config! I have removed a number of invalid lines from the old config and tried to create a site-to-site VPN from scratch (this has not worked). Using the ASDM VPN wizard also did not work. I've now been through the config around 20 times but still can't see the problem. I would appreciate any suggestions before I have to wipe the device and start from scratch!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 146.97.x.x 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.200.1 255.255.255.0
!
access-list uksbs-vpn remark Temporary encryption domain
access-list uksbs-vpn extended permit ip 172.19.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list uksbs-vpn remark Encryption domain
!
access-list nat-exempt extended permit ip any4 10.202.38.0 255.255.255.0
access-list nat-exempt extended permit ip any4 10.1.0.0 255.255.0.0
access-list nat-exempt extended permit ip any4 object vmissflexi
access-list nat-exempt extended permit ip any4 object zenworks
access-list nat-exempt extended permit ip any 10.202.38.0 255.255.255.0
access-list nat-exempt extended permit ip any 10.1.0.0 255.255.0.0
!
access-list Outside_cryptomap extended permit ip object Inside-Network any
access-list Outside_access_in extended permit tcp any object Inside-Network eq domain
access-list Outside_access_in extended permit ip 10.202.38.0 255.255.255.0 object Inside-Network
access-list Outside_access_in extended permit ip 10.1.0.0 255.255.0.0 object Inside-Network
access-list Outside_access_in extended permit ip object vmissflexi object Inside-Network
access-list Outside_access_in extended deny object-group TCPUDP any object Inside-Network object-group Blocked_Ports
access-list Outside_access_in extended deny ip any any
!
crypto ipsec ikev1 transform-set AES_256 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
!
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
!
crypto ipsec security-association pmtu-aging infinite
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 192.171.x.x
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map Outside_map interface Outside
crypto ca trustpool policy
!
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev1 enable Outside
crypto ikev1 am-disable
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy GroupPolicy_192.171.x.x internal
group-policy GroupPolicy_192.171.x.x attributes
 vpn-tunnel-protocol ikev1 ikev2
!
tunnel-group 192.171.x.x type ipsec-l2l
tunnel-group 192.171.x.x general-attributes
 default-group-policy GroupPolicy_192.171.x.x
!
tunnel-group 192.171.x.x ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
Thanks.
02-17-2014 05:24 AM
Would it be possible to see the remote site configuration also? Please also specify what source and destination subnets are to be encrypted and sent over the site-2-site tunnel.
But the first thing I would suggest is to change the crypto ACL to be more specific:
access-list Outside_cryptomap extended permit ip object Inside-Network any
I will just assume that the Inside-Network object is the correct source subnet but you are sending all traffic over the VPN tunnel...even internet. Is this what you want to do?
tunnel-group 192.171.x.x ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
You have both IKEv1 and IKEv2 configured. I suggest removing one of them. If you are going to use IKEv2, are the passwords for both remote and local authentication the same? If so, then there is no reason to use IKEv2. IKEv2 allows you to use different methods of authentication and even asynchronous authentication, meaning you can have different passwords for local and remote. If you are only using a pre-shared key, and the same pre-shared key for local and remote, then there is no reason to use IKEv2.
Also make sure that you have the same passwords configured on both sides of the tunnel.
Could you also try initiating some traffic over the VPN tunnel and then issue the following commands and post the output here:
if you are using ikev1
show crypto ikev1 isakmp
show crypto ikev1 ipsec sa
If you are using ikev2:
show crypto ikev2 isakmp
show crypto ikev2 ipsec sa
Also, you can debug the tunnel building process, which can give more info on what is going wrong. Though I have never had any issues when using this command, use all debug commands with caution as they can affect performance. I suggest performing these tasks in a planned maintenance window:
debug crypto ikev1
or
debug crypto ikev2
and
debug crypto ipsec
Please post the results here for further analysis.
--
Please remember to rate and select a correct answer
02-17-2014 06:23 AM
Hi Marius,
Thank you for the reply.
I have re-configured the ASA, new config is attached. I am sending all traffic over the VPN tunnel at the moment, I just want to get the thing working before I make any further changes!
Local subnet is 192.168.200.0/24 (inside interface configured as .1), testing the tunnel with packet tracer with a source of 192.168.200.2 (although I am waiting for a user on site to connect to the asa and ping from that), destination is remote subnet of 10.202.38.0/24.
Remote endpoint is a Juniper SG3550 and is configured exactly as the old ASA (which works). Brief config is as follows:
Peer: 146.97.x.x
IKE: pre-3des-sha1-g2-86400
IPSec: 3des-sha1-nopfs-28800
Debug output (lifetime shows as 240 seconds in Phase1, which does not seem correct and not configured):
IPSEC: New embryonic SA created @ 0x00007fff999485d0,
SCB: 0x9AB24CB0,
Direction: inbound
SPI : 0xD5543404
Session ID: 0x0000A000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: New embryonic SA created @ 0x00007fffa167f100,
SCB: 0x99948BD0,
Direction: inbound
SPI : 0x64CF65D2
Session ID: 0x0000A000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: New embryonic SA created @ 0x00007fff99ccc540,
SCB: 0x99CC91F0,
Direction: inbound
SPI : 0xD2AEE6E7
Session ID: 0x0000A000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: New embryonic SA created @ 0x00007fff99949a60,
SCB: 0xA167F700,
Direction: inbound
SPI : 0xF95618E5
Session ID: 0x0000A000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: New embryonic SA created @ 0x00007fff9994c730,
SCB: 0x99947360,
Direction: inbound
SPI : 0x347575C9
Session ID: 0x0000A000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IKEv1?:
IPSEC(crypto_map_check)-3: Checking crypto map Outside_map 1: matched.
Feb 17 14:09:29 [IKEv1]IP = 192.171.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer 192.171.x.x local Proxy Address 192.168.200.0, remote Proxy Address 10.202.38.0, Crypto map (Outside_map)
Feb 17 14:09:29 [IKEv1 DEBUG]IP = 192.171.x.x, constructing ISAKMP SA payload
Feb 17 14:09:29 [IKEv1 DEBUG]IP = 192.171.x.x, constructing NAT-Traversal VID ver 02 payload
Feb 17 14:09:29 [IKEv1 DEBUG]IP = 192.171.x.x, constructing NAT-Traversal VID ver 03 payload
Feb 17 14:09:29 [IKEv1 DEBUG]IP = 192.171.x.x, constructing NAT-Traversal VID ver RFC payload
Feb 17 14:09:29 [IKEv1 DEBUG]IP = 192.171.x.x, constructing Fragmentation VID + extended capabilities payload
Feb 17 14:09:29 [IKEv1]IP = 192.171.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 17 14:09:29 [IKEv1]IP = 192.171.x.x, IKE_DECODE RECEIVED Message (msgid=61c650a3) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 102
Feb 17 14:09:29 [IKEv1]IP = 192.171.x.x, IKE_DECODE RECEIVED Message (msgid=61c650a3) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 102
Feb 17 14:09:29 [IKEv1]IP = 192.171.x.x, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Feb 17 14:09:29 [IKEv1]IP = 192.171.x.x, Information Exchange processing failed
Feb 17 14:09:37 [IKEv1]IP = 192.171.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 17 14:09:45 [IKEv1]IP = 192.171.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 17 14:09:53 [IKEv1]IP = 192.171.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 17 14:10:01 [IKEv1 DEBUG]IP = 192.171.x.x, IKE MM Initiator FSM error history (struct &0x00007fff999477d0)
Feb 17 14:10:01 [IKEv1 DEBUG]IP = 192.171.x.x, IKE SA MM:af61310d terminating: flags 0x01000022, refcnt 0, tuncnt 0
Feb 17 14:10:01 [IKEv1 DEBUG]IP = 192.171.x.x, sending delete/delete with reason message
IKEv2:
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=0, saddr=192.168.200.2, sport=0, daddr=10.202.38.2, dport=0
IPSEC(crypto_map_check)-3: Checking crypto map Outside_map 1: matched.
Feb 17 14:14:30 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=0, saddr=192.168.200.2, sport=0, daddr=10.202.38.2, dport=0
IPSEC(crypto_map_check)-3: Checking crypto map Outside_map 1: matched.
Feb 17 14:14:30 [IKEv1]IP = 192.171.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer 192.171.x.x local Proxy Address 192.168.200.0, remote Proxy Address 10.202.38.0, Crypto map (Outside_map)
Feb 17 14:14:30 [IKEv1 DEBUG]IP = 192.171.x.x, constructing ISAKMP SA payload
Feb 17 14:14:30 [IKEv1 DEBUG]IP = 192.171.x.x, constructing NAT-Traversal VID ver 02 payload
Feb 17 14:14:30 [IKEv1 DEBUG]IP = 192.171.x.x, constructing NAT-Traversal VID ver 03 payload
Feb 17 14:14:30 [IKEv1 DEBUG]IP = 192.171.x.x, constructing NAT-Traversal VID ver RFC payload
Feb 17 14:14:30 [IKEv1 DEBUG]IP = 192.171.x.x, constructing Fragmentation VID + extended capabilities payload
Feb 17 14:14:30 [IKEv1]IP = 192.171.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 17 14:14:30 [IKEv1]IP = 192.171.x.x, IKE_DECODE RECEIVED Message (msgid=e0f0c861) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 102
Feb 17 14:14:30 [IKEv1]IP = 192.171.x.x, IKE_DECODE RECEIVED Message (msgid=e0f0c861) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 102
Feb 17 14:14:30 [IKEv1]IP = 192.171.x.x, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Feb 17 14:14:30 [IKEv1]IP = 192.171.x.x, Information Exchange processing failed
Feb 17 14:14:38 [IKEv1]IP = 192.171.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 17 14:14:46 [IKEv1]IP = 192.171.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 17 14:14:54 [IKEv1]IP = 192.171.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 17 14:15:02 [IKEv1 DEBUG]IP = 192.171.x.x, IKE MM Initiator FSM error history (struct &0x00007fffa167fd70)
Feb 17 14:15:02 [IKEv1 DEBUG]IP = 192.171.x.x, IKE SA MM:cfae46c1 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Feb 17 14:15:02 [IKEv1 DEBUG]IP = 192.171.x.x, sending delete/delete with reason message
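Marius's procedure (run debug crypto ikev1 and read where the exchange fails) and the trace posted above both come down to one question: which message did the peer reject? Below is an added Python example, not part of this thread and not a Cisco tool, that reads ASA IKEv1 debug lines and classifies a NO_PROPOSAL_CHOSEN as a Phase 1 (IKE policy) or Phase 2 (transform set / proxy ID) rejection based on the last message the ASA sent. The sample text is copied from the trace above; the stage heuristic (main mode message 1 is HDR + SA with msgid=0, quick mode carries a non-zero msgid) is the example author's reading of the protocol, not something the debug output states itself.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample trace copied from the debug output posted above (peer address masked as in the post).
SAMPLE_DEBUG = """\
Feb 17 14:09:29 [IKEv1]IP = 192.171.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer 192.171.x.x local Proxy Address 192.168.200.0, remote Proxy Address 10.202.38.0, Crypto map (Outside_map)
Feb 17 14:09:29 [IKEv1 DEBUG]IP = 192.171.x.x, constructing ISAKMP SA payload
Feb 17 14:09:29 [IKEv1]IP = 192.171.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 17 14:09:29 [IKEv1]IP = 192.171.x.x, IKE_DECODE RECEIVED Message (msgid=61c650a3) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 102
Feb 17 14:09:29 [IKEv1]IP = 192.171.x.x, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Feb 17 14:09:29 [IKEv1]IP = 192.171.x.x, Information Exchange processing failed
Feb 17 14:09:37 [IKEv1]IP = 192.171.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 17 14:09:45 [IKEv1]IP = 192.171.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 17 14:10:01 [IKEv1 DEBUG]IP = 192.171.x.x, IKE SA MM:af61310d terminating: flags 0x01000022, refcnt 0, tuncnt 0
"""

INIT_RE = re.compile(r"IKE Peer (\S+) local Proxy Address (\S+), remote Proxy Address (\S+?),")
SEND_RE = re.compile(r"IKE_DECODE (SENDING|RESENDING) Message \(msgid=([0-9a-f]+)\) "
                     r"with payloads : (.*?) total length")


@dataclass
class IkeDiagnosis:
    peer: Optional[str] = None
    local_proxy: Optional[str] = None
    remote_proxy: Optional[str] = None
    failed_stage: Optional[str] = None   # "phase1", "phase2" or None
    retransmits: int = 0
    sa_terminated: bool = False
    findings: List[str] = field(default_factory=list)


def payload_names(payloads: str) -> set:
    """'HDR + SA (1) + VENDOR (13) + NONE (0)' -> {'HDR', 'SA', 'VENDOR', 'NONE'}."""
    return {p.split(" (")[0].strip() for p in payloads.split("+")}


def diagnose_ikev1(debug_text: str) -> IkeDiagnosis:
    """Classify a NO_PROPOSAL_CHOSEN by the last message the ASA sent.

    Heuristic (the example author's, not Cisco's): IKEv1 main mode message 1 is
    HDR + SA with msgid=0 and no KE payload, so a notify straight after it means
    the peer found no acceptable ISAKMP (Phase 1) policy. Quick mode carries a
    non-zero msgid, so a notify after an SA payload there points at Phase 2
    (transform set or proxy identities).
    """
    d = IkeDiagnosis()
    last_sent = None  # (msgid, payload name set) of the most recent SENDING line
    for line in debug_text.splitlines():
        m = INIT_RE.search(line)
        if m:
            d.peer, d.local_proxy, d.remote_proxy = m.groups()
            continue
        m = SEND_RE.search(line)
        if m:
            kind, msgid, payloads = m.groups()
            if kind == "RESENDING":
                d.retransmits += 1
            else:
                last_sent = (msgid, payload_names(payloads))
            continue
        if "NO_PROPOSAL_CHOSEN" in line and last_sent is not None:
            msgid, names = last_sent
            if msgid == "0" and "SA" in names and "KE" not in names:
                d.failed_stage = "phase1"
                d.findings.append("peer rejected the ISAKMP SA proposal (main mode 1): compare "
                                  "IKE policy encryption/hash/DH group/auth method with the peer")
            elif msgid != "0" and "SA" in names:
                d.failed_stage = "phase2"
                d.findings.append("peer rejected the IPsec SA proposal (quick mode): compare "
                                  "transform sets, PFS and proxy IDs (crypto ACL) with the peer")
            continue
        if "IKE SA MM:" in line and "terminating" in line:
            d.sa_terminated = True
    if d.retransmits and d.failed_stage:
        d.findings.append(f"{d.retransmits} retransmission(s) of the rejected proposal before "
                          "the SA was torn down; the ASA drops the unencrypted notify and retries")
    return d


if __name__ == "__main__":
    result = diagnose_ikev1(SAMPLE_DEBUG)
    print(f"peer={result.peer} proxies={result.local_proxy}->{result.remote_proxy} "
          f"stage={result.failed_stage} terminated={result.sa_terminated}")
    for finding in result.findings:
        print(" -", finding)
```

Run against the trace above it reports a Phase 1 rejection with two retransmissions, which is why the advice to look at the IKE policy (and not the crypto ACL or NAT exemption) is the right first step here.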
02-17-2014 07:00 AM
I found the answer to my problems!
For some (unknown) reason, having multiple transform sets in the Phase 1 IKE proposal caused a problem, although I would have expected it to negotiate based on one matching transform set? Specifying only one transform set (3des-sha) worked brilliantly.
Thanks for your assistance though Marius, it was appreciated.
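The resolution above (one transform set instead of ten) and the original config dump both reduce to comparing what the ASA offers with what the Juniper accepts. The following is an added Python example, not from this thread and not from Cisco or Juniper, that parses the ikev1 policy, transform-set and crypto map lines of an ASA config, parses the peer proposal in the shorthand the OP used ("pre-3des-sha1-g2-86400"; the field order is assumed from that post and is not ScreenOS syntax), and reports which local proposals match and which still offer DES or MD5. The config text is a constructed subset of the posted config.

```python
import re

# Constructed subset of the ASA config posted above: only the lines the checks read.
ASA_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

# Juniper side as the OP summarised it. Dash-separated form is the OP's shorthand
# (assumed order: auth-enc-hash-group-lifetime and enc-hash-pfs-lifetime).
JUNIPER_IKE = "pre-3des-sha1-g2-86400"
JUNIPER_IPSEC = "3des-sha1-nopfs-28800"
HASH_ALIASES = {"sha1": "sha", "sha": "sha", "md5": "md5"}
POLICY_KEYS = {"authentication", "encryption", "hash", "group", "lifetime"}


def parse_ikev1_policies(cfg):
    """{priority: {authentication, encryption, hash, group, lifetime}}; indentation-agnostic."""
    policies, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        key, _, value = line.partition(" ")
        if current is not None and key in POLICY_KEYS:
            policies[current][key] = value
        else:
            current = None  # any other command ends the policy block
    return policies


def parse_transform_sets(cfg):
    """{name: {encryption, integrity, mode}} for every ikev1 transform set."""
    sets = {}
    for line in cfg.splitlines():
        m = re.match(r"\s*crypto ipsec ikev1 transform-set (\S+) (.+)$", line)
        if not m:
            continue
        name, rest = m.groups()
        ts = sets.setdefault(name, {"mode": "tunnel"})   # a later "mode transport" line overrides
        if rest.startswith("mode "):
            ts["mode"] = rest.split()[1]
            continue
        for token in rest.split():                        # e.g. esp-3des, esp-sha-hmac
            if token.endswith("-hmac"):
                ts["integrity"] = HASH_ALIASES[token[len("esp-"):-len("-hmac")]]
            else:
                ts["encryption"] = token[len("esp-"):]
    return sets


def crypto_map_transform_sets(cfg, map_name, seq):
    """Ordered transform-set list on one crypto map entry ([] if none)."""
    m = re.search(rf"^\s*crypto map {re.escape(map_name)} {seq} set ikev1 transform-set (.+)$", cfg, re.M)
    return m.group(1).split() if m else []


def parse_peer_ike(spec):
    auth, enc, hsh, grp, life = spec.split("-")
    return {"authentication": {"pre": "pre-share"}[auth], "encryption": enc,
            "hash": HASH_ALIASES[hsh], "group": grp.lstrip("g"), "lifetime": life}


def parse_peer_ipsec(spec):
    enc, hsh, pfs, life = spec.split("-")
    return {"encryption": enc, "integrity": HASH_ALIASES[hsh], "pfs": pfs, "lifetime": life}


def matching_phase1_policies(policies, peer):
    """Local IKE policies the peer accepts; lifetime is negotiated down, not matched."""
    keys = ("authentication", "encryption", "hash", "group")
    return sorted(p for p, pol in policies.items() if all(pol.get(k) == peer[k] for k in keys))


def matching_phase2_sets(order, sets, peer):
    """(position, name) of crypto-map transform sets matching the peer's IPsec proposal."""
    return [(i, n) for i, n in enumerate(order)
            if sets.get(n, {}).get("encryption") == peer["encryption"]
            and sets.get(n, {}).get("integrity") == peer["integrity"]
            and sets.get(n, {}).get("mode") == "tunnel"]


def weak_transform_sets(order, sets):
    """Offered transform sets still using single DES or MD5, in negotiation order."""
    return [n for n in order
            if sets.get(n, {}).get("encryption") == "des" or sets.get(n, {}).get("integrity") == "md5"]
```

On the posted config this finds exactly one matching IKE policy, finds the one matching IPsec set (ESP-3DES-SHA) in seventh place out of ten, and flags six offered sets that use DES or MD5. Whatever the Juniper made of the long list, trimming the crypto map to the single set the peer needs both removes the negotiation problem the OP hit and stops advertising algorithms that should not be on offer.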
02-17-2014 08:57 AM
I would suggest checking the priority that you have in the site-to-site VPN, because if you have more than one, you need to take a look at that detail.
The best commands you could use when you have this kind of problem are:
show crypto isakmp
show crypto ipsec sa
show running-config access-list
thanks,