01-09-2012 04:29 PM
I'm looking to get a remote office RV220W connected to my ASA5510. I have several PIX 501 and ASA5505's connected to the ASA5510.
I've set up everything similar that I can think of, though I'm still not connecting.
IKE Policy:
Direction: Initiator
Exchange mode: Aggressive (for using FQDN Ident)
Remotes are all DHCP, so setup Local Identifier on RV220W as FQDN and typed in a FQDN for the remote RV220W. That is the same name I used for the Tunnel-Group on the ASA. Remote is IP, ASA is setup to send IP for Ident.
IKE SA:
3DES, SHA, DH2, 28800
VPN Policy:
Auto Policy, Remote Endpoint IP
SA-Lifetime: 86400, 3DES, SHA-1, PFS Enabled, DH2
Below is the Log from the RV220W. The line that stuck out to me was:
2012-01-10 04:11:44: [rv220w][IKE] WARNING: Remote address mismatched. Local=<PubIP>[4500], Peer=<PubIP>[500]
Why is Local= and Peer= the same IP?
10.220.1.0/24 = LAN behind RV220W
10.220.255.254 WAN IP of RV220W
10.1.0.0/16 = LAN behind ASA 5510
<PubIP> = Public IP of ASA 5510
2012-01-10 04:11:28: [rv220w][IKE] INFO: Using IPsec SA configuration: 10.220.1.0/24<->10.1.0.0/16
2012-01-10 04:11:28: [rv220w][IKE] INFO: Configuration found for <PubIP>.
2012-01-10 04:11:28: [rv220w][IKE] INFO: Initiating new phase 1 negotiation: 10.220.255.254[500]<=><PubIP>[500]
2012-01-10 04:11:28: [rv220w][IKE] INFO: Beginning Aggressive mode.
2012-01-10 04:11:28: [rv220w][IKE] INFO: NAT-Traversal is Enabled
2012-01-10 04:11:28: [rv220w][IKE] INFO: [agg_i1send:256]: XXX: NUMNATTVENDORIDS: 3
2012-01-10 04:11:28: [rv220w][IKE] INFO: [agg_i1send:260]: XXX: setting vendorid: 4
2012-01-10 04:11:28: [rv220w][IKE] INFO: [agg_i1send:260]: XXX: setting vendorid: 8
2012-01-10 04:11:28: [rv220w][IKE] INFO: [agg_i1send:260]: XXX: setting vendorid: 9
2012-01-10 04:11:28: [rv220w][IKE] INFO: Received Vendor ID: CISCO-UNITY
2012-01-10 04:11:28: [rv220w][IKE] INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2012-01-10 04:11:28: [rv220w][IKE] INFO: Received Vendor ID: DPD
2012-01-10 04:11:28: [rv220w][IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-01-10 04:11:28: [rv220w][IKE] INFO: Received unknown Vendor ID
2012-01-10 04:11:28: [rv220w][IKE] INFO: Received unknown Vendor ID
2012-01-10 04:11:28: [rv220w][IKE] INFO: NAT-D payload does not match for 10.220.255.254[500]
2012-01-10 04:11:28: [rv220w][IKE] INFO: NAT-D payload matches for <PubIP>[500]
2012-01-10 04:11:28: [rv220w][IKE] INFO: For <PubIP>[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2012-01-10 04:11:28: [rv220w][IKE] INFO: NAT detected: ME
2012-01-10 04:11:28: [rv220w][IKE] INFO: for debugging :: changing ports
2012-01-10 04:11:28: [rv220w][IKE] INFO: port changed !!
2012-01-10 04:11:28: [rv220w][IKE] ERROR: HASH mismatched
2012-01-10 04:11:28: [rv220w][IKE] INFO: Sending Informational Exchange: notify payload[INVALID-HASH-INFORMATION]
2012-01-10 04:11:36: [rv220w][IKE] WARNING: Remote address mismatched. Local=<PubIP>[4500], Peer=<PubIP>[500]
2012-01-10 04:11:36: [rv220w][IKE] INFO: Received Vendor ID: CISCO-UNITY
2012-01-10 04:11:36: [rv220w][IKE] INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2012-01-10 04:11:36: [rv220w][IKE] INFO: Received Vendor ID: DPD
2012-01-10 04:11:36: [rv220w][IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-01-10 04:11:36: [rv220w][IKE] INFO: Received unknown Vendor ID
2012-01-10 04:11:36: [rv220w][IKE] INFO: Received unknown Vendor ID
2012-01-10 04:11:36: [rv220w][IKE] INFO: NAT-D payload does not match for 10.220.255.254[4500]
2012-01-10 04:11:36: [rv220w][IKE] INFO: NAT-D payload does not match for <PubIP>[4500]
2012-01-10 04:11:36: [rv220w][IKE] INFO: For <PubIP>[4500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2012-01-10 04:11:36: [rv220w][IKE] INFO: NAT detected: ME PEER
2012-01-10 04:11:36: [rv220w][IKE] INFO: for debugging :: changing ports
2012-01-10 04:11:36: [rv220w][IKE] INFO: port changed !!
2012-01-10 04:11:36: [rv220w][IKE] ERROR: HASH mismatched
2012-01-10 04:11:36: [rv220w][IKE] INFO: Sending Informational Exchange: notify payload[INVALID-HASH-INFORMATION]
2012-01-10 04:11:44: [rv220w][IKE] WARNING: Remote address mismatched. Local=<PubIP>[4500], Peer=<PubIP>[500]
2012-01-10 04:11:44: [rv220w][IKE] INFO: Received Vendor ID: CISCO-UNITY
2012-01-10 04:11:44: [rv220w][IKE] INFO: Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2012-01-10 04:11:44: [rv220w][IKE] INFO: Received Vendor ID: DPD
2012-01-10 04:11:44: [rv220w][IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-01-10 04:11:44: [rv220w][IKE] INFO: Received unknown Vendor ID
2012-01-10 04:11:44: [rv220w][IKE] INFO: Received unknown Vendor ID
2012-01-10 04:11:44: [rv220w][IKE] INFO: NAT-D payload does not match for 10.220.255.254[4500]
2012-01-10 04:11:44: [rv220w][IKE] INFO: NAT-D payload does not match for <PubIP>[4500]
2012-01-10 04:11:44: [rv220w][IKE] INFO: For <PubIP>[4500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2012-01-10 04:11:44: [rv220w][IKE] INFO: NAT detected: ME PEER
2012-01-10 04:11:44: [rv220w][IKE] INFO: for debugging :: changing ports
2012-01-10 04:11:44: [rv220w][IKE] INFO: port changed !!
2012-01-10 04:11:44: [rv220w][IKE] ERROR: HASH mismatched
2012-01-10 04:11:44: [rv220w][IKE] INFO: Sending Informational Exchange: notify payload[INVALID-HASH-INFORMATION]
ASA 5510 Configuration
object network NETWORK-SCHOLEY
subnet 10.220.225.0 255.255.255.0
access-list scholey_split_tunnel extended permit ip object-group LOCAL_NETWORK_REMOTE_VPN object NETWORK-SCHOLEY
access-list scholey_split_tunnel extended permit ip object NETWORK-HBG object NETWORK-SCHOLEY
access-list scholey_split_tunnel extended permit ip object NETWORK-SF object NETWORK-SCHOLEY
access-list scholey_split_tunnel extended permit ip object NETWORK-TRAINING object NETWORK-SCHOLEY
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto dynamic-map dynamic-remote-office 65534 set transform-set ESP-3DES-SHA
crypto map hbg-outside-198_map 65534 ipsec-isakmp dynamic dynamic-remote-office
crypto map hbg-outside-198_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto isakmp identity address
crypto isakmp enable hbg-outside-198
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
group-policy scholey internal
group-policy scholey attributes
vpn-tunnel-protocol IPSec
ipsec-udp disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value scholey_split_tunnel
tunnel-group scholey type ipsec-l2l
tunnel-group scholey general-attributes
default-group-policy scholey.vpn.haydon-mill.com
tunnel-group scholey ipsec-attributes
pre-shared-key scholeykey
ASA 5510 syslog messages
%ASA-7-713236: IP = 10.220.255.254, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 436
%ASA-7-715048: Group = scholey, IP = 10.220.255.254, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing VID payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing Fragmentation VID + extended capabilities payload
%ASA-7-713906: Group = scholey, IP = 10.220.255.254, computing NAT Discovery hash
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing NAT-Discovery payload
%ASA-7-713906: Group = scholey, IP = 10.220.255.254, computing NAT Discovery hash
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing NAT-Discovery payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing NAT-Traversal VID ver 02 payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing dpd vid payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing xauth V6 VID payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing Cisco Unity VID payload
%ASA-7-715076: Group = scholey, IP = 10.220.255.254, Computing hash for ISAKMP
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing hash payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing ID payload
%ASA-7-713906: Group = scholey, IP = 10.220.255.254, Generating keys for Responder...
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing nonce payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing ke payload
%ASA-7-715046: Group = scholey, IP = 10.220.255.254, constructing ISAKMP SA payload
%ASA-7-715028: Group = scholey, IP = 10.220.255.254, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
%ASA-7-715047: Group = scholey, IP = 10.220.255.254, processing IKE SA payload
%ASA-7-713906: IP = 10.220.255.254, Connection landed on tunnel_group scholey
%ASA-7-715049: IP = 10.220.255.254, Received DPD VID
%ASA-7-715047: IP = 10.220.255.254, processing VID payload
%ASA-7-715049: IP = 10.220.255.254, Received NAT-Traversal RFC VID
%ASA-7-715047: IP = 10.220.255.254, processing VID payload
%ASA-7-715049: IP = 10.220.255.254, Received NAT-Traversal ver 02 VID
%ASA-7-715047: IP = 10.220.255.254, processing VID payload
%ASA-7-715047: IP = 10.220.255.254, processing VID payload
%ASA-7-713906: IP = 10.220.255.254, ID_FQDN ID received, len 27
0000: 7363686F 6C65792E 76706E2E 68617964 scholey.vpn.hayd
0010: 6F6E2D6D 696C6C2E 636F6D on-mill.com
%ASA-7-715047: IP = 10.220.255.254, processing ID payload
%ASA-7-715047: IP = 10.220.255.254, processing nonce payload
%ASA-7-715047: IP = 10.220.255.254, processing ISA_KE payload
%ASA-7-715047: IP = 10.220.255.254, processing ke payload
%ASA-7-715047: IP = 10.220.255.254, processing SA payload
%ASA-7-713236: IP = 10.220.255.254, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 347
01-10-2012 12:49 PM
So it looks like I had a few things against me.
The SA-Lifetimes were reversed. I had the 28800 swapped with the 86400 lifetime.
PFS was Ticked, it should have been unchecked.
Though the most crucial mistake was using GMT-8 Pacific Standard Time for the Timezone setting. I'm running software version 1.0.3.5 and the timezone GMT-8 Pacific Standard Time seems to really be -16, not -8. Switching to GMT -8 Pitcairn Island Time led me to finding the SA Lifetime issues.
Scott
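A small parameter audit for the two mismatches Scott found (phase 1 and phase 2 lifetimes reversed, PFS enabled on one side only). This is an added example, not code from the thread or from either Cisco device; the parameter values are transcribed from the posts above, and the alias table for algorithm names is an assumption so that "SHA-1" on the RV220W compares equal to "sha" on the ASA.

```python
"""Compare IKEv1 phase 1 / phase 2 parameters of two IPsec peers and list mismatches.
Sample values are constructed from the thread: RV220W settings before and after the
fix, and the ASA 5510 config (isakmp policy 10, ESP-3DES-SHA, SA lifetime 28800,
dynamic crypto map with no 'set pfs')."""
from dataclasses import dataclass, asdict
from typing import List, Optional

# Assumed alias table: different vendors spell the same algorithm differently.
ALIASES = {"sha-1": "sha", "sha1": "sha", "des3": "3des", "aes128": "aes"}


@dataclass(frozen=True)
class Phase1:                 # IKE SA / ISAKMP policy
    encryption: str
    integrity: str
    dh_group: int
    lifetime: int             # seconds


@dataclass(frozen=True)
class Phase2:                 # IPsec SA / transform set / VPN policy
    encryption: str
    integrity: str
    lifetime: int             # seconds
    pfs_group: Optional[int]  # None = PFS disabled


def norm(value):
    """Lower-case algorithm names and map known aliases; leave numbers alone."""
    if isinstance(value, str):
        value = value.lower()
        return ALIASES.get(value, value)
    return value


def compare(local, remote, phase: str) -> List[str]:
    a, b = asdict(local), asdict(remote)
    return [f"{phase} {k}: local={a[k]} remote={b[k]}" for k in a if norm(a[k]) != norm(b[k])]


def audit(p1_local, p2_local, p1_remote, p2_remote) -> List[str]:
    return compare(p1_local, p1_remote, "phase1") + compare(p2_local, p2_remote, "phase2")


ASA_P1 = Phase1("3des", "sha", 2, 86400)
ASA_P2 = Phase2("3des", "sha", 28800, None)
RV_P1_BEFORE, RV_P2_BEFORE = Phase1("3DES", "SHA-1", 2, 28800), Phase2("3DES", "SHA-1", 86400, 2)
RV_P1_AFTER, RV_P2_AFTER = Phase1("3DES", "SHA-1", 2, 86400), Phase2("3DES", "SHA-1", 28800, None)

if __name__ == "__main__":
    for label, p1, p2 in (("before", RV_P1_BEFORE, RV_P2_BEFORE), ("after", RV_P1_AFTER, RV_P2_AFTER)):
        print(label, audit(p1, p2, ASA_P1, ASA_P2) or "no mismatches")
```

The clock-skew problem from the same post is outside this check; it only shows up once both peers' clocks are compared.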
01-10-2012 02:12 PM
Scott,
Thanks for re-posting - so do you have the tunnels successfully connected now?
Jasbryan
01-10-2012 02:29 PM
Yes, the tunnels are up. I just wish it was not so difficult to get everything all sync'd up.
Managing many subnets and exterior gateways makes for changes on several devices when I add a new remote Subnet.
Though the Timezone bug was the real show stopper! That needs to be looked into. Having a clock that is 8 hours off does not play nice with IPSec!
Now if I could find a way to connect to a remote Subnet from a remote subnet via the Head End ASA, that would be Super!
Thanks!