unable to establish IPSec site to site vpn

jomoca1990
Level 1

Hello guys

 

I'm studying for the CCNA Security and I tried to establish a site-to-site VPN between an ASA 5506 and a 2911. I followed the configuration guide from the documentation and from INE, but phase 2 is not coming up.

Please find the logs I got from the ASA; I hope you can help me out with this.

 

%ASA-5-713119: Group = 20.0.0.1, IP = 20.0.0.1, PHASE 1 COMPLETED
%ASA-7-713121: IP = 20.0.0.1, Keep-alive type for this connection: DPD
%ASA-7-715080: Group = 20.0.0.1, IP = 20.0.0.1, Starting P1 rekey timer: 64800 seconds.
%ASA-7-713906: Group = 20.0.0.1, IP = 20.0.0.1, Add to IKEv1 Tunnel Table succeeded for SA with logical ID 32768
%ASA-7-713906: Group = 20.0.0.1, IP = 20.0.0.1, Add to IKEv1 MIB Table succeeded for SA with logical ID 32768
%ASA-7-713906: IKE Receiver: Packet received on 20.0.0.254:500 from 20.0.0.1:500
%ASA-7-714003: IP = 20.0.0.1, IKE Responder starting QM: msg id = 46012aa5
%ASA-7-713236: IP = 20.0.0.1, IKE_DECODE RECEIVED Message (msgid=46012aa5) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
%ASA-7-715047: Group = 20.0.0.1, IP = 20.0.0.1, processing hash payload
%ASA-7-715047: Group = 20.0.0.1, IP = 20.0.0.1, processing SA payload
%ASA-7-715047: Group = 20.0.0.1, IP = 20.0.0.1, processing nonce payload
%ASA-7-715047: Group = 20.0.0.1, IP = 20.0.0.1, processing ID payload
%ASA-7-714011: Group = 20.0.0.1, IP = 20.0.0.1, ID_IPV4_ADDR ID received 2.2.2.2
%ASA-7-713025: Group = 20.0.0.1, IP = 20.0.0.1, Received remote Proxy Host data in ID Payload: Address 2.2.2.2, Protocol 0, Port 0
%ASA-7-715047: Group = 20.0.0.1, IP = 20.0.0.1, processing ID payload
%ASA-7-714011: Group = 20.0.0.1, IP = 20.0.0.1, ID_IPV4_ADDR_SUBNET ID received--10.0.0.0--255.255.255.0
%ASA-7-713034: Group = 20.0.0.1, IP = 20.0.0.1, Received local IP Proxy Subnet data in ID Payload: Address 10.0.0.0, Mask 255.255.255.0, Protocol 0, Port 0
%ASA-7-713906: Group = 20.0.0.1, IP = 20.0.0.1, QM IsRekeyed old sa not found by addr
%ASA-7-713221: Group = 20.0.0.1, IP = 20.0.0.1, Static Crypto Map check, checking map = outside_map0, seq = 1...
%ASA-7-713223: Group = 20.0.0.1, IP = 20.0.0.1, Static Crypto Map check, map = outside_map0, seq = 1, no ACL configured
%ASA-3-713061: Group = 20.0.0.1, IP = 20.0.0.1, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 2.2.2.2/255.255.255.255/0/0 local proxy 10.0.0.0/255.255.255.0/0/0 on interface outside
%ASA-7-713906: Group = 20.0.0.1, IP = 20.0.0.1, sending notify message
%ASA-7-713906: Group = 20.0.0.1, IP = 20.0.0.1, Sending p2 'Invalid ID info' notify message with SPI zero.
%ASA-7-715046: Group = 20.0.0.1, IP = 20.0.0.1, constructing blank hash payload
%ASA-7-713906: Group = 20.0.0.1, IP = 20.0.0.1, constructing ipsec notify payload for msg id 46012aa5
%ASA-7-715046: Group = 20.0.0.1, IP = 20.0.0.1, constructing qm hash payload
%ASA-7-713236: IP = 20.0.0.1, IKE_DECODE SENDING Message (msgid=7f86d5ba) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 212
%ASA-3-713902: Group = 20.0.0.1, IP = 20.0.0.1, QM FSM error (P2 struct &0x00002aaac0cba570, mess id 0x46012aa5)!
%ASA-7-715065: Group = 20.0.0.1, IP = 20.0.0.1, IKE QM Responder FSM error history (struct &0x00002aaac0cba570) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
%ASA-7-713906: Group = 20.0.0.1, IP = 20.0.0.1, sending delete/delete with reason message
%ASA-3-713902: Group = 20.0.0.1, IP = 20.0.0.1, Removing peer from correlator table failed, no match!
%ASA-7-713906: Group = 20.0.0.1, IP = 20.0.0.1, IKE SA MM:cf91e172 rcv'd Terminate: state MM_ACTIVE flags 0x00018042, refcnt 1, tuncnt 0
%ASA-7-713906: Group = 20.0.0.1, IP = 20.0.0.1, Remove from IKEv1 Tunnel Table succeeded for SA with logicalId 32768
%ASA-7-713906: Group = 20.0.0.1, IP = 20.0.0.1, Remove from IKEv1 MIB Table succeeded for SA with logical ID 32768
%ASA-7-713906: Group = 20.0.0.1, IP = 20.0.0.1, IKE SA MM:cf91e172 terminating: flags 0x01018002, refcnt 0, tuncnt 0
%ASA-7-713906: Group = 20.0.0.1, IP = 20.0.0.1, sending delete/delete with reason message
%ASA-7-715046: Group = 20.0.0.1, IP = 20.0.0.1, constructing blank hash payload
%ASA-7-715046: Group = 20.0.0.1, IP = 20.0.0.1, constructing IKE delete payload
%ASA-7-715046: Group = 20.0.0.1, IP = 20.0.0.1, constructing qm hash payload
%ASA-7-713236: IP = 20.0.0.1, IKE_DECODE SENDING Message (msgid=cb126761) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
%ASA-5-713259: Group = 20.0.0.1, IP = 20.0.0.1, Session is being torn down. Reason: crypto map policy not found
%ASA-4-113019: Group = 20.0.0.1, Username = 20.0.0.1, IP = 20.0.0.1, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
%ASA-7-713906: Ignoring msg to mark SA with dsID 32768 dead because SA deleted
%ASA-7-713906: IKE Receiver: Packet received on 20.0.0.254:500 from 20.0.0.1:500
%ASA-5-713904: IP = 20.0.0.1, Received encrypted packet with no matching SA, dropping
%ASA-6-302016: Teardown UDP connection 8 for outside:20.0.0.1/500 to identity:20.0.0.254/500 duration 0:03:40 bytes 6720
%ASA-7-609002: Teardown local-host outside:20.0.0.1 duration 0:03:40
%ASA-7-609002: Teardown local-host identity:20.0.0.254 duration 0:03:40


8 Replies

The logs show there is no crypto map entry and no ACL configuration.

Make sure your ACLs mirror each other on both sides.

Could you share both the router and the ASA config?

Please do not forget to rate.
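As an added example (my code, not part of this thread or of any Cisco tooling), here is a small Python script that does the two checks the reply above asks for: it pulls the local and remote proxy identities out of the %ASA-3-713061 line from the log, normalizes the router's wildcard-mask ACE and the ASA's netmask ACE into networks, and verifies that the two crypto ACLs mirror each other. The `crypto_map_matches` function is a deliberately simplified model of the ASA's crypto map lookup (the proposed proxies must fall inside some ACE of the bound ACL); that model, and the sample log and ACL lines, are assumptions constructed from what is posted here, not the ASA's real algorithm.

```python
import ipaddress
import re

# Constructed sample input: the rejection line from the ASA log posted in this thread.
ASA_LOG = (
    "%ASA-3-713061: Group = 20.0.0.1, IP = 20.0.0.1, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 2.2.2.2/255.255.255.255/0/0 "
    "local proxy 10.0.0.0/255.255.255.0/0/0 on interface outside"
)

# Crypto ACL entries as posted in the thread: IOS uses a wildcard mask, the ASA a netmask.
IOS_ACE = "permit ip host 2.2.2.2 10.0.0.0 0.0.0.255"
ASA_ACE = "permit ip 10.0.0.0 255.255.255.0 host 2.2.2.2"

_REJECT_RE = re.compile(
    r"%ASA-3-713061:.*remote proxy (?P<ra>[\d.]+)/(?P<rm>[\d.]+)/\d+/\d+ "
    r"local proxy (?P<la>[\d.]+)/(?P<lm>[\d.]+)/\d+/\d+"
)


def parse_reject(line):
    """Extract (local_proxy, remote_proxy) from a %ASA-3-713061 line; None for other lines."""
    m = _REJECT_RE.search(line)
    if not m:
        return None
    local = ipaddress.ip_network(f"{m['la']}/{m['lm']}", strict=False)
    remote = ipaddress.ip_network(f"{m['ra']}/{m['rm']}", strict=False)
    return local, remote


def _addr_spec(tokens, i, wildcard):
    """Consume one address spec (any | host A | A MASK) at tokens[i]; return (network, next i)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    mask = tokens[i + 1]
    if wildcard:
        # IOS wildcard: 1 bits are "don't care"; invert to get the equivalent netmask.
        mask = str(ipaddress.ip_address(int(ipaddress.ip_address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False), i + 2


def parse_ace(line, wildcard):
    """Parse 'permit ip <src> <dst>' into (src_net, dst_net)."""
    t = line.split()
    if t[:2] != ["permit", "ip"]:
        raise ValueError("only 'permit ip' entries are handled: " + line)
    src, i = _addr_spec(t, 2, wildcard)
    dst, _ = _addr_spec(t, i, wildcard)
    return src, dst


def mirrors(asa_ace, ios_ace):
    """True when the ASA entry's (src, dst) is exactly the router entry's (dst, src)."""
    asa_src, asa_dst = parse_ace(asa_ace, wildcard=False)
    ios_src, ios_dst = parse_ace(ios_ace, wildcard=True)
    return (asa_src, asa_dst) == (ios_dst, ios_src)


def crypto_map_matches(asa_acl, local_proxy, remote_proxy):
    """Simplified model (an assumption, not the ASA's real algorithm) of the check that
    produces 713061: the peer's proxies must fall inside some ACE of the bound ACL.
    An empty list models the 'no ACL configured' state seen in the log."""
    for ace in asa_acl:
        src, dst = parse_ace(ace, wildcard=False)
        if local_proxy.subnet_of(src) and remote_proxy.subnet_of(dst):
            return True
    return False


if __name__ == "__main__":
    local, remote = parse_reject(ASA_LOG)
    print(f"peer proposed local={local} remote={remote}")
    print("ACEs mirror each other:", mirrors(ASA_ACE, IOS_ACE))
    print("match with no ACL bound:", crypto_map_matches([], local, remote))
    print("match with the ACL bound:", crypto_map_matches([ASA_ACE], local, remote))
```

Run against the thread's own lines, the two ACEs do mirror each other, and the proxy pair the router proposed would match the ASA's ACE once it is actually bound to the map; with no ACL bound, as the "no ACL configured" log line reports, nothing can match and the ASA sends the "Invalid ID info" notify.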

Hello

 

This is the configuration I have for the external router and the ASA. Thanks for the quick response.

 

Router#show run | section isakmp
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key cisco address 20.0.0.254
crypto map MAP1 10 ipsec-isakmp
set peer 20.0.0.254
set transform-set ESP-AES-256-MD5
match address CRYPTO
Router#show running-config | section access-list
ip access-list extended CRYPTO
permit ip host 2.2.2.2 10.0.0.0 0.0.0.255
Router#show running-config | section transform
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes 256 esp-md5-hmac
mode tunnel
set transform-set ESP-AES-256-MD5

 

ciscoasa(config)# show running-config crypto
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 20.0.0.1
crypto map outside_map0 1 set ikev1 transform-set ESP-AES-256-MD5
crypto map outside_map0 interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

 

access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 host 2.2.2.2

Curious if you are doing NAT on the ASA, as you have not mentioned it in your post. If NAT is in place, then you have to apply identity NAT on the ASA to exempt the interesting traffic.

Please do not forget to rate.

Hello Sheraz

 

This is a basic setup just to get familiar with the concept. NAT is not being implemented.

 

I'm attaching the network diagram and the configuration for the routers. 

 

OUTSIDE ROUTER

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key cisco address 20.0.0.254
!
!
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes 256 esp-md5-hmac
mode tunnel
!
!
!
crypto map MAP1 10 ipsec-isakmp
set peer 20.0.0.254
set transform-set ESP-AES-256-MD5
match address CRYPTO
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 20.0.0.1 255.255.255.0
duplex auto
speed auto
crypto map MAP1
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0:0
no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 20.0.0.254
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr
!
ip access-list extended CRYPTO
permit ip host 2.2.2.2 10.0.0.0 0.0.0.255

 

---------------------------------------------------------------

 

INSIDE Router 

 

interface GigabitEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip ospf 1 area 0
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
router ospf 1
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 20.0.0.0 255.255.255.0 10.0.0.254
ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr
ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr

 

-------------------------------------------------------------------------

 

ASA 5506

 

interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 20.0.0.254 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.0.0.254 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif Management
security-level 0
ip address 1.1.1.1 255.255.255.0
!
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 host 2.2.2.2
pager lines 24
logging console debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
router ospf 1
network 10.0.0.0 255.255.255.0 area 0
log-adj-changes
!
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 1.1.1.0 255.255.255.0 Management
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer 20.0.0.1
crypto map outside_map0 1 set ikev1 transform-set ESP-AES-256-MD5
crypto map outside_map0 interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config inside
!
group-policy L2L internal
group-policy L2L attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username Hokage password LImfc4qf/4kWPos8 encrypted privilege 15
tunnel-group 20.0.0.1 type ipsec-l2l
tunnel-group 20.0.0.1 general-attributes
default-group-policy L2L
tunnel-group 20.0.0.1 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:590240c9eed298d57c795e5995562fcb
: end
ciscoasa#

Could you please share the output of these commands?

On the routers:

show crypto isakmp sa
show crypto ipsec sa

On the ASA:

show crypto ikev1 sa
show crypto ipsec sa

I think you have an issue with the R2 (inside) router. Why are you using the route

ip route 20.0.0.0 255.255.255.0 10.0.0.254

Change this to

ip route 0.0.0.0 0.0.0.0 10.0.0.254

Please do not forget to rate.

Hello Sheraz

 

Thanks, you were right, the issue was on the internal router. I changed the static route and it worked, but I'm curious about the issue, because the log I was getting from the ASA was saying that there was no policy. Why did you consider that the static route was causing the conflict?

 

Thanks for help

Now, taking a step back, let's consider the route "ip route 20.0.0.0 255.255.255.0 10.0.0.254".
This route says: if the destination is in 20.0.0.0 255.255.255.0, then use next hop 10.0.0.254.

At R1 (outside) you have configured ip route 0.0.0.0 0.0.0.0 20.0.0.254.

From R2's perspective:

Step 1. A packet is manufactured in R2's engine, for example:
|Dest Addr 2.2.2.2|Dest Port 80|Source Addr 10.0.0.1|Source Port 12345|

Step 2. R2 checks its routing table. It has OSPF configured but does not have a route for 2.2.2.2, so R2 has no idea how to forward traffic destined to 2.2.2.2. At the same time R2 has a static route for 20.0.0.0/24, but your destination traffic is 2.2.2.2, not 20.0.0.0/24. To fix this you have to give it a next hop for any destination address (ip route 0.0.0.0 0.0.0.0 10.0.0.254).

However, at the same time you have configured the IP address 2.2.2.2 and 10.0.0.0/24 on the ASA for VPN purposes. Now, with the static route on R2 (ip route 20.0.0.0/24 10.0.0.1), if you issue the command "show crypto ipsec sa detail" on the ASA you will notice that there are no decapsulations. At the same time, if you issue "show crypto ipsec sa detail" on R1 you will notice that there are encapsulations, which points to an issue with routing.

Please do not forget to rate.
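To make the route lookup described above concrete, here is an added example (my code, not part of this thread) that models R1's and R2's routing tables as they appear in the posted configs, performs a longest-prefix-match lookup the way a router does, and checks whether the inside router can actually deliver the crypto ACL's remote network (2.2.2.2/32) to the ASA's inside address. The tables are constructed from the configs posted here and are an assumption about what each router's RIB would contain; the "connected" label for directly attached networks is my own notation.

```python
import ipaddress

# Routing tables constructed from the configs posted in this thread, as (prefix, next hop).
# "connected" stands for a directly attached interface network (assumption: no OSPF-learned
# routes, since neither OSPF process advertises anything the other side does not already have).
R2_BEFORE = [("10.0.0.0/24", "connected"), ("20.0.0.0/24", "10.0.0.254")]
R2_AFTER = [("10.0.0.0/24", "connected"), ("0.0.0.0/0", "10.0.0.254")]
R1 = [("20.0.0.0/24", "connected"), ("2.2.2.0/24", "connected"), ("0.0.0.0/0", "20.0.0.254")]


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins;
    None means the router has no route and drops the packet."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def route_for_proxy(table, proxy_net):
    """Next hop of the most specific route that covers the whole remote-proxy network
    from the crypto ACL, or None if part of that network is unroutable."""
    proxy = ipaddress.ip_network(proxy_net)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if proxy.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def vpn_path_ok(inside_table, remote_proxy, vpn_gateway):
    """The inside router must send the crypto ACL's remote network toward the VPN
    gateway (here the ASA's inside address); otherwise interesting traffic never
    reaches the interface that carries the crypto map."""
    return route_for_proxy(inside_table, remote_proxy) == vpn_gateway


if __name__ == "__main__":
    for name, table in (("R2 before", R2_BEFORE), ("R2 after", R2_AFTER)):
        print(f"{name}: 2.2.2.2 -> {lookup(table, '2.2.2.2')}, "
              f"path to ASA ok: {vpn_path_ok(table, '2.2.2.2/32', '10.0.0.254')}")
    print("R1: 10.0.0.1 ->", lookup(R1, "10.0.0.1"))
```

With the original static route, R2 has no entry covering 2.2.2.2 and the lookup returns None, so packets for the loopback are dropped on R2 and never reach the ASA; with the default route they resolve to 10.0.0.254. R1 already reaches 10.0.0.0/24 through its default route, which is why encapsulations appear on R1 while the ASA shows no decapsulations.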

Thanks for the help and the explanation Sheraz