SITE TO SITE VPN ASA 5510 - 2801 ROUTER MM_WAIT_MSG2 ERROR

Hi guys,

I am trying to establish a VPN connection with the above mentioned devices, but I receive the error below:

    IKE Peer: B
    Type    :user             Role    : initiator
    Rekey   : no              State  : MM_WAIT_MSG2

What am I doing wrong?

SITE A – Router 2801

ISAKMP Phase 1

crypto isakmp policy 5
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp policy 50
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key [key] address PEER B
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10

Access-list

ip access-list extended CryptoACL
 permit ip 192.168.20.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.21.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.21.0 0.0.0.255 192.168.6.0 0.0.0.255
 permit ip 192.168.21.0 0.0.0.255 192.168.12.0 0.0.0.255
 permit ip 192.168.21.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip host 192.168.22.1 192.168.5.0 0.0.0.255
 permit ip host 192.168.20.1 192.168.5.0 0.0.0.255
 permit ip host 192.168.22.1 192.168.6.0 0.0.0.255

ISAKMP Phase 2

crypto ipsec transform-set TRANSET esp-aes esp-sha-hmac
crypto map CryptoCY 1 ipsec-isakmp
 set peer PEER B
 set transform-set TRANSET
 match address CryptoACL

Interface Applied

interface FastEthernet0/0
 ip address PEER B
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 crypto map CryptoCY
crypto ipsec df-bit clear

SITE B ASA 5510 (version 9.1.2)

ISAKMP Phase 1

crypto ikev1 policy 5
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 9
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group PEER A type ipsec-l2l
tunnel-group PEER A ipsec-attributes
 ikev1 pre-shared-key [key]
crypto isakmp enable outside

Access-list

access-list outside_1_cryptomap extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.12.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.21.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 host 192.168.22.1
access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 host 192.168.20.1
access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 host 192.168.22.1

ISAKMP Phase 2

crypto ipsec ikev1 transform-set TRANSET esp-aes esp-sha-hmac
crypto map outside-map 10 match address outside_1_cryptomap
crypto map outside-map 10 set peer PEER A
crypto map outside-map 10 set ikev1 transform-set TRANSET
crypto map outside-map 10 set security-association lifetime seconds 28800
crypto map outside-map 10 set security-association lifetime kilobytes 4608000

Interface Applied

crypto map outside-map interface outside

7 Replies

Jouni Forss
VIP Alumni

Hi,

Try these for starters

ROUTER

crypto isakmp policy 10
 hash sha

ASA

crypto ikev1 policy 8
 encr aes
 authentication pre-share
 hash sha
 group 2
 lifetime 28800

Also check if the ASA has the following configurations

crypto ikev1 enable outside

- Jouni
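As an added illustration (not code from the thread), a small Python checker loaded with the Phase 1 policies posted above: it lists which initiator/responder policy pairs would agree, applying the IOS defaults for attributes the router config leaves unset, and flags the legacy algorithms in any match. The ASA's own output shows Role: initiator, so its proposals are checked against the router's policies; the transcription of the policies, the IOS defaults and the "aes means 128-bit" reading are my assumptions.

```python
from itertools import product

# Documented IOS defaults fill in what a router policy leaves unset (encr des,
# hash sha, auth rsa-sig, group 1, lifetime 86400); the ASA policies are explicit.
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "auth": "rsa-sig", "group": 1, "lifetime": 86400}
NEGOTIATED = ("encr", "hash", "auth", "group")   # must be identical; lifetime is negotiated down
LEGACY_ALGOS, LEGACY_GROUPS = {"des", "3des", "md5"}, {1, 2}

def policy(**attrs):
    """Build a Phase 1 policy; plain 'aes' is taken to mean 128-bit keys on both platforms."""
    p = {**IOS_DEFAULTS, **attrs}
    if p["encr"] == "aes":
        p["encr"] = "aes-128"
    return p

# Policies transcribed from the original post, keyed by sequence number (assumed transcription).
ROUTER = {5: policy(hash="md5", auth="pre-share", group=2),
          10: policy(encr="aes", auth="pre-share", group=2, lifetime=28800),
          50: policy(encr="3des", hash="md5", auth="pre-share", group=2)}
ASA = {5: policy(encr="des", hash="md5", auth="pre-share", group=2),
       9: policy(encr="aes-256", hash="sha", auth="pre-share", group=2, lifetime=28800),
       65535: policy(encr="3des", hash="sha", auth="pre-share", group=2)}

def matches(initiator, responder):
    """List (initiator_seq, responder_seq, agreed_lifetime) for every compatible pair, in the
    order the responder evaluates them: its own policies by priority, each checked against
    the initiator's proposals by priority."""
    out = []
    for (r, rp), (i, ip) in product(sorted(responder.items()), sorted(initiator.items())):
        if all(ip[k] == rp[k] for k in NEGOTIATED):
            out.append((i, r, min(ip["lifetime"], rp["lifetime"])))
    return out

def weak_attributes(p):
    """Attributes of a matched proposal that a defender would flag as legacy."""
    flagged = [v for v in (p["encr"], p["hash"]) if v in LEGACY_ALGOS]
    if p["group"] in LEGACY_GROUPS:
        flagged.append(f"group {p['group']}")
    return flagged

def with_jouni_fix(asa):
    """Jouni's suggestion: an ASA policy 8 (AES-128/SHA/group 2) that router policy 10 can match."""
    return {**asa, 8: policy(encr="aes", hash="sha", auth="pre-share", group=2, lifetime=28800)}

if __name__ == "__main__":
    fixed = with_jouni_fix(ASA)
    for label, asa in (("as posted", ASA), ("with ASA policy 8", fixed)):
        for i, r, life in matches(asa, ROUTER):
            print(f"{label}: ASA {i} <-> router {r}, lifetime {life}, legacy {weak_attributes(asa[i])}")
```

As posted, the only pair that agrees is the DES/MD5/group 2 one, so the tunnel could only ever come up on the weakest policy both sides carry. A valid Phase 1 match also does not by itself explain MM_WAIT_MSG2, which means no reply at all reached the ASA, so reachability and the configured peer address still need to be checked separately.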

Yes crypto ikev1 is enabled on outside interface

The only configuration changes that I have to make are the ones you listed above?

The error

MM_WAIT_MSG2

Is the problem caused in phase 1, and does the error have to do with the policy?

Hi,

MM_WAIT_MSG2 points to a situation where the remote VPN device doesn't answer the VPN negotiation at all.

In your case it would seem that the Router is not replying to the VPN negotiation.

- Jouni

Unfortunately that didn't solve my problem Jouni.

I forgot to mention that I have two ASAs, one with 8.2 IOS and the other 9.1.

L2L VPN is working properly on 8.2; as soon as I unplug it and plug in 9.1, I receive the above mentioned error (the router gives the error MM_SA_SETUP).

On 9.1 I have another VPN connection to the cloud (Azure) which is working properly.

Is there any place where I can find any configuration between an ASA > 8.3 and a router?

Hi, I have met the same problem. One site is an ASA 5520, the other site is Juniper equipment.

Could you tell me how I can solve it? Thanks!

Jhonary

From the output of your router... is this a typo? Please look at the set peer command and your IP address configuration on Fa0/0.

crypto map CryptoCY 1 ipsec-isakmp
 set peer PEER B
 set transform-set TRANSET
 match address CryptoACL

Interface Applied

interface FastEthernet0/0
 ip address PEER B
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 crypto map CryptoCY
crypto ipsec df-bit clear

--
Please remember to select a correct answer and rate helpful posts

On the ASA you are missing the following command:

crypto ikev1 enable outside

If that doesn't solve it, try hardcoding the encryption method on the router.

crypto isakmp policy 5
 enc des

--
Please remember to select a correct answer and rate helpful posts