ASA 9.1 - Site-to-Site VPN Issue

nigel doe
Level 1

Hi guys,

I have an ASA 5512-X running ASA software 9.1. The configuration was built by copying a config from another ASA (8.2), so it's pretty much done a number on the config! I have removed a number of invalid lines from the old config and tried to create a site-to-site VPN from scratch (this has not worked). Using the ASDM VPN wizard also did not work. I've now been through the config around 20 times but still can't see the problem. I would appreciate any suggestions before I have to wipe the device and start from scratch!

interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 146.97.x.x 255.255.255.240
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
access-list uksbs-vpn remark Temporary encryption domain
access-list uksbs-vpn extended permit ip 172.19.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list uksbs-vpn remark Encryption domain
!
access-list nat-exempt extended permit ip any4 10.202.38.0 255.255.255.0
access-list nat-exempt extended permit ip any4 10.1.0.0 255.255.0.0
access-list nat-exempt extended permit ip any4 object vmissflexi
access-list nat-exempt extended permit ip any4 object zenworks
access-list nat-exempt extended permit ip any 10.202.38.0 255.255.255.0
access-list nat-exempt extended permit ip any 10.1.0.0 255.255.0.0
!
access-list Outside_cryptomap extended permit ip object Inside-Network any
access-list Outside_access_in extended permit tcp any object Inside-Network eq domain
access-list Outside_access_in extended permit ip 10.202.38.0 255.255.255.0 object Inside-Network
access-list Outside_access_in extended permit ip 10.1.0.0 255.255.0.0 object Inside-Network
access-list Outside_access_in extended permit ip object vmissflexi object Inside-Network
access-list Outside_access_in extended deny object-group TCPUDP any object Inside-Network object-group Blocked_Ports
access-list Outside_access_in extended deny ip any any
!
crypto ipsec ikev1 transform-set AES_256 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
!
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
!
crypto ipsec security-association pmtu-aging infinite
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 192.171.x.x
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map Outside_map interface Outside
crypto ca trustpool policy
!
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev1 enable Outside
crypto ikev1 am-disable
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy GroupPolicy_192.171.x.x internal
group-policy GroupPolicy_192.171.x.x attributes
 vpn-tunnel-protocol ikev1 ikev2
!
tunnel-group 192.171.x.x type ipsec-l2l
tunnel-group 192.171.x.x general-attributes
 default-group-policy GroupPolicy_192.171.x.x
!
tunnel-group 192.171.x.x ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

Thanks.

4 Replies

Would it be possible to see the remote site configuration also?  Please also specify what source and destination subnets are to be encrypted and sent over the site-2-site tunnel.

But the first thing I would suggest is to change the crypto ACL to be more specific:

access-list Outside_cryptomap extended permit ip object Inside-Network any

I will just assume that the Inside-Network object is the correct source subnet but you are sending all traffic over the VPN tunnel...even internet.  Is this what you want to do?

tunnel-group 192.171.x.x ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

You have both ikev1 and ikev2 configured. I suggest removing one of them. If you are going to use ikev2, are the passwords for both remote and local authentication the same? If so then there is no reason to use ikev2. Ikev2 allows you to use different methods of authentication and even asynchronous authentication, meaning you can have different passwords for local and remote. If you are only using preshared key and the same preshared key for local and remote then there is no reason to use ikev2.

Also make sure that you have the same passwords configured at both sides of the tunnel.

Could you also try initiating some traffic over the VPN tunnel and then issue the following commands and post the output here:

if you are using ikev1

show crypto ikev1 isakmp

show crypto ikev1 ipsec sa

If you are using ikev2:

show crypto ikev2 isakmp

show crypto ikev2 ipsec sa

Also you can debug the tunnel building process, which can give more info on what is going wrong. Though I have never had any issues when using this command, use all debug commands with caution as they can affect performance. I suggest performing these tasks in a planned maintenance window:

debug crypto ikev1

or

debug crypto ikev2

and

debug crypto ipsec

Please post the results here for further analysis.

--
Please remember to rate and select a correct answer

Hi Marius,

Thank you for the reply.

I have re-configured the ASA, new config is attached. I am sending all traffic over the VPN tunnel at the moment, I just want to get the thing working before I make any further changes!

The local subnet is 192.168.200.0/24 (inside interface configured as .1). I am testing the tunnel with packet tracer using a source of 192.168.200.2 (although I am waiting for a user on site to connect to the ASA and ping from there); the destination is the remote subnet, 10.202.38.0/24.

Remote endpoint is a Juniper SG3550 and is configured exactly as the old ASA (which works). Brief config is as follows:

Peer: 146.97.x.x

IKE:   pre-3des-sha1-g2-86400

IPSec: 3des-sha1-nopfs-28800

Debug output (lifetime shows as 240 seconds in Phase1, which does not seem correct and is not configured):

IPSEC: New embryonic SA created @ 0x00007fff999485d0,
    SCB: 0x9AB24CB0,
    Direction: inbound
    SPI      : 0xD5543404
    Session ID: 0x0000A000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0x00007fffa167f100,
    SCB: 0x99948BD0,
    Direction: inbound
    SPI      : 0x64CF65D2
    Session ID: 0x0000A000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0x00007fff99ccc540,
    SCB: 0x99CC91F0,
    Direction: inbound
    SPI      : 0xD2AEE6E7
    Session ID: 0x0000A000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0x00007fff99949a60,
    SCB: 0xA167F700,
    Direction: inbound
    SPI      : 0xF95618E5
    Session ID: 0x0000A000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0x00007fff9994c730,
    SCB: 0x99947360,
    Direction: inbound
    SPI      : 0x347575C9
    Session ID: 0x0000A000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds

IKEv1?:

IPSEC(crypto_map_check)-3: Checking crypto map Outside_map 1: matched.
Feb 17 14:09:29 [IKEv1]IP = 192.171.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer 192.171.x.x  local Proxy Address 192.168.200.0, remote Proxy Address 10.202.38.0,  Crypto map (Outside_map)
Feb 17 14:09:29 [IKEv1 DEBUG]IP = 192.171.x.x, constructing ISAKMP SA payload
Feb 17 14:09:29 [IKEv1 DEBUG]IP = 192.171.x.x, constructing NAT-Traversal VID ver 02 payload
Feb 17 14:09:29 [IKEv1 DEBUG]IP = 192.171.x.x, constructing NAT-Traversal VID ver 03 payload
Feb 17 14:09:29 [IKEv1 DEBUG]IP = 192.171.x.x, constructing NAT-Traversal VID ver RFC payload
Feb 17 14:09:29 [IKEv1 DEBUG]IP = 192.171.x.x, constructing Fragmentation VID + extended capabilities payload
Feb 17 14:09:29 [IKEv1]IP = 192.171.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 17 14:09:29 [IKEv1]IP = 192.171.x.x, IKE_DECODE RECEIVED Message (msgid=61c650a3) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 102
Feb 17 14:09:29 [IKEv1]IP = 192.171.x.x, IKE_DECODE RECEIVED Message (msgid=61c650a3) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 102
Feb 17 14:09:29 [IKEv1]IP = 192.171.x.x, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Feb 17 14:09:29 [IKEv1]IP = 192.171.x.x, Information Exchange processing failed
Feb 17 14:09:37 [IKEv1]IP = 192.171.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 17 14:09:45 [IKEv1]IP = 192.171.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 17 14:09:53 [IKEv1]IP = 192.171.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 17 14:10:01 [IKEv1 DEBUG]IP = 192.171.x.x, IKE MM Initiator FSM error history (struct &0x00007fff999477d0)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Feb 17 14:10:01 [IKEv1 DEBUG]IP = 192.171.x.x, IKE SA MM:af61310d terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Feb 17 14:10:01 [IKEv1 DEBUG]IP = 192.171.x.x, sending delete/delete with reason message

IKEv2:

IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=0, saddr=192.168.200.2, sport=0, daddr=10.202.38.2, dport=0
IPSEC(crypto_map_check)-3: Checking crypto map Outside_map 1: matched.
Feb 17 14:14:30 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=0, saddr=192.168.200.2, sport=0, daddr=10.202.38.2, dport=0
IPSEC(crypto_map_check)-3: Checking crypto map Outside_map 1: matched.
Feb 17 14:14:30 [IKEv1]IP = 192.171.x.x, IKE Initiator: New Phase 1, Intf inside, IKE Peer 192.171.x.x  local Proxy Address 192.168.200.0, remote Proxy Address 10.202.38.0,  Crypto map (Outside_map)
Feb 17 14:14:30 [IKEv1 DEBUG]IP = 192.171.x.x, constructing ISAKMP SA payload
Feb 17 14:14:30 [IKEv1 DEBUG]IP = 192.171.x.x, constructing NAT-Traversal VID ver 02 payload
Feb 17 14:14:30 [IKEv1 DEBUG]IP = 192.171.x.x, constructing NAT-Traversal VID ver 03 payload
Feb 17 14:14:30 [IKEv1 DEBUG]IP = 192.171.x.x, constructing NAT-Traversal VID ver RFC payload
Feb 17 14:14:30 [IKEv1 DEBUG]IP = 192.171.x.x, constructing Fragmentation VID + extended capabilities payload
Feb 17 14:14:30 [IKEv1]IP = 192.171.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 17 14:14:30 [IKEv1]IP = 192.171.x.x, IKE_DECODE RECEIVED Message (msgid=e0f0c861) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 102
Feb 17 14:14:30 [IKEv1]IP = 192.171.x.x, IKE_DECODE RECEIVED Message (msgid=e0f0c861) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 102
Feb 17 14:14:30 [IKEv1]IP = 192.171.x.x, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Feb 17 14:14:30 [IKEv1]IP = 192.171.x.x, Information Exchange processing failed
Feb 17 14:14:38 [IKEv1]IP = 192.171.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 17 14:14:46 [IKEv1]IP = 192.171.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 17 14:14:54 [IKEv1]IP = 192.171.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
Feb 17 14:15:02 [IKEv1 DEBUG]IP = 192.171.x.x, IKE MM Initiator FSM error history (struct &0x00007fffa167fd70)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Feb 17 14:15:02 [IKEv1 DEBUG]IP = 192.171.x.x, IKE SA MM:cfae46c1 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Feb 17 14:15:02 [IKEv1 DEBUG]IP = 192.171.x.x, sending delete/delete with reason message

I found the answer to my problems!

For some (unknown) reason, having multiple transform sets in the phase 1 ike proposal caused a problem, although I would have expected it to negotiate based on one matching transform set? Specifying only 1 transform set (3des-sha) worked brilliantly.

Thanks for your assistance though Marius, it was appreciated.
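A small triage script for the 'debug crypto ikev1' output posted above, added here as an example and not code from the thread: it reads lines in the shape of that debug (the sample below is constructed in the same format, with the peer redacted as in the post) and uses the main-mode FSM error history to tell a NO_PROPOSAL_CHOSEN received before message 2 (every ISAKMP SA proposal refused, a Phase 1 policy mismatch) from one received after Phase 1 completed, or from a peer that never answers at all.

```python
# Added example (not from the thread): triage an ASA 'debug crypto ikev1' excerpt.
import re
from collections import Counter

# Constructed sample in the shape of the debug output posted above.
SAMPLE_LOG = """\
Feb 17 14:09:29 [IKEv1]IP = 192.171.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 168
Feb 17 14:09:29 [IKEv1]IP = 192.171.x.x, IKE_DECODE RECEIVED Message (msgid=61c650a3) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 102
Feb 17 14:09:29 [IKEv1]IP = 192.171.x.x, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Feb 17 14:09:37 [IKEv1]IP = 192.171.x.x, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 168
Feb 17 14:10:01 [IKEv1 DEBUG]IP = 192.171.x.x, IKE MM Initiator FSM error history (struct &0x00007fff999477d0)  , :  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Feb 17 14:10:01 [IKEv1 DEBUG]IP = 192.171.x.x, IKE SA MM:af61310d terminating:  flags 0x01000022, refcnt 0, tuncnt 0
"""
PEER_RE = re.compile(r"\[IKEv1(?: DEBUG)?\]IP = ([^,\s]+),")
# Initiator main-mode states in traversal order. The FSM history line lists
# them newest first; the furthest state reached shows where the exchange stalled.
MM_ORDER = ["MM_SND_MSG1", "MM_WAIT_MSG2", "MM_SND_MSG3", "MM_WAIT_MSG4",
            "MM_SND_MSG5", "MM_WAIT_MSG6", "MM_ACTIVE"]

def triage_ikev1(log: str) -> dict:
    peers, events = Counter(), Counter()
    furthest = -1
    for line in log.splitlines():
        m = PEER_RE.search(line)
        if not m:
            continue
        peers[m.group(1)] += 1
        if "NO_PROPOSAL_CHOSEN" in line:
            events["no_proposal_chosen"] += 1
        elif "IKE_DECODE RESENDING" in line:
            events["resends"] += 1
        elif "FSM error history" in line:
            for state in re.findall(r"MM_\w+", line):
                if state in MM_ORDER:
                    furthest = max(furthest, MM_ORDER.index(state))
    if events["no_proposal_chosen"] and furthest <= MM_ORDER.index("MM_WAIT_MSG2"):
        # Refused before MSG2 ever arrived: none of the ISAKMP SA proposals in
        # MSG1 were accepted, so the 'crypto ikev1 policy' parameters do not match.
        diagnosis = "phase1_policy_mismatch"
    elif events["no_proposal_chosen"]:
        diagnosis = "phase2_proposal_mismatch"  # Phase 1 done; quick mode refused
    elif events["resends"]:
        diagnosis = "peer_silent"  # retransmits, no reply: reachability / IKE not enabled
    else:
        diagnosis = "no_fault_seen"
    return {"peer": peers.most_common(1)[0][0] if peers else None,
            "no_proposal_chosen": events["no_proposal_chosen"], "resends": events["resends"],
            "furthest_state": MM_ORDER[furthest] if furthest >= 0 else None,
            "diagnosis": diagnosis}
```

Run on the posted debug, the un-encrypted NO_PROPOSAL_CHOSEN plus an FSM history that never left MM_WAIT_MSG2 points at the Phase 1 policy, which is where the thread's fix landed.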

I would suggest checking the priority that you have in the site-to-site VPN configuration, because if you have more than one, you need to take a look at that detail.

The best commands you could use when you have this kind of problems are:

show crypto isakmp

show crypto ipsec sa

show running-config access-list

thanks,
