Site to Site VPN ASA to IOS Router. Notify has no hash. Rejected.

Help

 

I do not understand why the VPN will not work.  I see that it fails IKE phase 1 because of the hash...but everything looks good. 

 

 

Configs on the ASA:

 

access-list outside_cryptomap extended permit ip object ASA object Router

nat (inside,outside) source static ASA ASA destination static Router Router no-proxy-arp route-lookup


crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer XXX.XXX.XXX.73
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

 


group-policy GroupPolicy_XXX.XXX.XXX.73 internal
group-policy GroupPolicy_XXX.XXX.XXX.73 attributes
vpn-tunnel-protocol ikev1


tunnel-group XXX.XXX.XXX.73 type ipsec-l2l
tunnel-group XXX.XXX.XXX.73 general-attributes
default-group-policy GroupPolicy_XXX.XXX.XXX.73
tunnel-group XXX.XXX.XXX.73 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****



object network ASA
subnet 192.168.2.0 255.255.255.0

object network Router
subnet 192.168.1.0 255.255.255.0

 

crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400

 

 

 

___________________________________________________


crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key ****** address XXX.XXX.XXX.11
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set IKE2 esp-aes 256 esp-sha-hmac

!


crypto map VPN 2 ipsec-isakmp
description ASA
set peer XXX.XXX.XXX.11
set transform-set IKE2
match address VPN_Traffic

ip access-list extended VPN_Traffic
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 log


interface Vlan2
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly


interface FastEthernet1
description ISP
ip address XXX.XXX.XXX.73 255.255.255.248
nat outside
crypto map VPN
!


ip nat inside source list NAT_Outside interface FastEthernet1 overload


ip access-list extended NAT_Outside
deny ip 192.168.1.0 0.255.255.255 192.168.2.0 0.0.0.255 log
permit ip 192.168.1.0 0.255.255.255 any


____________________________________________________


On Router

#debug crypto isakmp

*Oct 3 17:52:53.617: ISAKMP:(0): SA request profile is (NULL)
*Oct 3 17:52:53.617: ISAKMP: Created a peer struct for XXX.XXX.XXX.2, peer port 500
*Oct 3 17:52:53.617: ISAKMP: New peer created peer = 0x8480B114 peer_handle = 0x8000007F
*Oct 3 17:52:53.617: ISAKMP: Locking peer struct 0x8480B114, refcount 1 for isakmp_initiator
*Oct 3 17:52:53.617: ISAKMP: local port 500, remote port 500
*Oct 3 17:52:53.617: ISAKMP: set new node 0 to QM_IDLE
*Oct 3 17:52:53.617: insert sa successfully sa = 8480A9C0
*Oct 3 17:52:53.617: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Oct 3 17:52:53.617: ISAKMP:(0):found peer pre-shared key matching XXX.XXX.XXX.2
*Oct 3 17:52:53.617: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Oct 3 17:52:53.617: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Oct 3 17:52:53.617: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Oct 3 17:52:53.617: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Oct 3 17:52:53.617: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Oct 3 17:52:53.617: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

*Oct 3 17:52:53.617: ISAKMP:(0): beginning Main Mode exchange
*Oct 3 17:52:53.617: ISAKMP:(0): sending packet to XXX.XXX.XXX.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 3 17:52:53.617: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 3 17:52:53.649: ISAKMP (0:0): received packet from XXX.XXX.XXX.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Oct 3 17:52:53.649: ISAKMP:(0):Notify has no hash. Rejected. /////////////////////////////////////////////////This is where I see it going wrong//////////////////
*Oct 3 17:52:53.649: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Oct 3 17:52:53.649: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 3 17:52:53.649: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1

*Oct 3 17:52:53 UTC: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at XXX.XXX.XXX.2
*Oct 3 17:53:23.617: ISAKMP: set new node 0 to QM_IDLE
*Oct 3 17:53:23.617: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local XXX.XXX.XXX.73, remote XXX.XXX.XXX.2)
*Oct 3 17:53:23.617: ISAKMP: Error while processing SA request: Failed to initialize SA
*Oct 3 17:53:23.617: ISAKMP: Error while processing KMI message 0, error 2.
*Oct 3 17:54:08.617: ISAKMP: quick mode timer expired.
*Oct 3 17:54:08.617: ISAKMP:(0):src XXX.XXX.XXX.73 dst XXX.XXX.XXX.2, SA is not authenticated
*Oct 3 17:54:08.617: ISAKMP:(0):peer does not do paranoid keepalives.

*Oct 3 17:54:08.617: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer XXX.XXX.XXX.2)
*Oct 3 17:54:08.617: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer XXX.XXX.XXX.2)
*Oct 3 17:54:08.617: ISAKMP: Unlocking peer struct 0x8480B114 for isadb_mark_sa_deleted(), count 0
*Oct 3 17:54:08.617: ISAKMP: Deleting peer node by peer_reap for XXX.XXX.XXX.2: 8480B114
*Oct 3 17:54:08.617: ISAKMP:(0):deleting node -763682124 error FALSE reason "IKE deleted"
*Oct 3 17:54:08.617: ISAKMP:(0):deleting node -1337740792 error FALSE reason "IKE deleted"
*Oct 3 17:54:08.617: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 3 17:54:08.617: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

*Oct 3 17:54:58.617: ISAKMP:(0):purging node -763682124
*Oct 3 17:54:58.617: ISAKMP:(0):purging node -1337740792
*Oct 3 17:55:08.617: ISAKMP:(0):purging SA., sa=8480A9C0, delme=8480A9C0
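The debug above shows two things worth checking mechanically before staring at the config by eye: which address the router actually negotiated with, and whether the two phase-1 proposals can agree at all. The ASA policy above uses hash md5 and group 2, while the IOS policy omits hash (IOS defaults to sha) and uses group 5. The script below is an added example, not code from the thread or from Cisco. It parses the two policy blocks with each platform's defaults filled in, reports the attributes they disagree on, and pulls the peer addresses out of `debug crypto isakmp` to compare them with `set peer`. The config and debug excerpts are constructed to mirror the post; 203.0.113.2 and 203.0.113.11 stand in for the masked XXX.XXX.XXX.2 and XXX.XXX.XXX.11.

```python
import re

# Constructed excerpts modelled on the thread's configs and debug output. The page
# masks the public addresses as XXX.XXX.XXX.*; 203.0.113.2 and 203.0.113.11 stand
# in for the masked .2 and .11 hosts.
ASA_CONFIG = """\
crypto ikev1 policy 2
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
"""

IOS_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key ****** address 203.0.113.11
!
crypto map VPN 2 ipsec-isakmp
 description ASA
 set peer 203.0.113.11
 set transform-set IKE2
 match address VPN_Traffic
"""

IOS_DEBUG = """\
*Oct 3 17:52:53.617: ISAKMP: Created a peer struct for 203.0.113.2, peer port 500
*Oct 3 17:52:53.617: ISAKMP:(0):found peer pre-shared key matching 203.0.113.2
*Oct 3 17:52:53.649: ISAKMP:(0):Notify has no hash. Rejected.
*Oct 3 17:52:53 UTC: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 203.0.113.2
*Oct 3 17:54:08.617: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer 203.0.113.2)
"""

# Values a phase-1 policy takes when the line is omitted (ASA IKEv1 vs IOS ISAKMP).
ASA_IKEV1_DEFAULTS = {"encryption": "3des", "hash": "sha",
                      "authentication": "pre-share", "group": "2"}
IOS_ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha",
                       "authentication": "rsa-sig", "group": "1"}
# Keyword spellings that name the same attribute on the two platforms.
ATTR = {"encryption": "encryption", "encr": "encryption", "hash": "hash",
        "authentication": "authentication", "group": "group"}


def parse_policies(config, defaults):
    """Return {policy_number: {attribute: value}} for each phase-1 policy block."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"crypto (?:ikev1|isakmp) policy (\d+)$", line)
        if head:
            current = dict(defaults)
            policies[int(head.group(1))] = current
            continue
        if line.startswith(("crypto ", "!")) or not line:
            current = None          # any other top-level command ends the block
            continue
        if current is not None:
            word, _, value = line.partition(" ")
            if word in ATTR:
                # IOS writes "aes 256" where ASA writes "aes-256": normalise both
                if ATTR[word] == "encryption":
                    value = value.replace(" ", "").replace("-", "")
                current[ATTR[word]] = value
    return policies


def phase1_mismatches(asa_policy, ios_policy):
    """Attributes on which the proposals differ; any entry means phase 1 cannot complete."""
    return [(attr, asa_policy[attr], ios_policy[attr])
            for attr in ("encryption", "hash", "authentication", "group")
            if asa_policy[attr] != ios_policy[attr]]


def debug_peers(debug):
    """Addresses the router actually negotiated with, taken from debug crypto isakmp."""
    return sorted(set(re.findall(r"peer (?:struct for |at )?(\d+\.\d+\.\d+\.\d+)", debug)))


def configured_peers(config):
    """Addresses named by 'set peer' in the crypto map."""
    return sorted(set(re.findall(r"^\s*set peer (\d+\.\d+\.\d+\.\d+)", config, re.M)))


def unexpected_peers(config, debug):
    """Peers seen in the debug that no crypto map entry points at."""
    return [p for p in debug_peers(debug) if p not in configured_peers(config)]


def rejections(debug):
    """Debug lines in which the router discarded or failed a phase-1 message."""
    return [l for l in debug.splitlines() if "Rejected" in l or "failed" in l]


if __name__ == "__main__":
    asa = parse_policies(ASA_CONFIG, ASA_IKEV1_DEFAULTS)[2]
    ios = parse_policies(IOS_CONFIG, IOS_ISAKMP_DEFAULTS)[1]
    for attr, a, i in phase1_mismatches(asa, ios):
        print(f"phase-1 mismatch on {attr}: ASA={a} IOS={i}")
    for peer in unexpected_peers(IOS_CONFIG, IOS_DEBUG):
        print(f"debug negotiates with {peer}, which no 'set peer' names")
    for line in rejections(IOS_DEBUG):
        print("phase-1 failure:", line)
```

Run against the excerpts it flags the hash (md5 vs sha) and DH group (2 vs 5) differences, and reports that the router is talking to .2 while the only `set peer` is .11, which is exactly the clue the accepted answer turns on. Lifetime is deliberately left out of the comparison because peers negotiate it down rather than refusing to match.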



Can you send the config of the remote end, and also check whether you have configured PFS group (2)?

 

cheers

Please remember to rate useful posts, by clicking on the stars below.


I used the VPN wizard to configure it.  I can't share the ASA configs.....too much info, and I am not sure what lines you need.  Do you not see any error in the debug I posted...

 

Can you give me a little detail on "PFS group (2)"?  I do see PFS on the ASA, but under a different crypto map to a different peer.

 

Thanks for your help ....I need it!


I have updated the original posting I hope I have included everything you need.

 


Hello,

 

there is a typo in the access list on the IOS router. Also, the 'log' keyword at the end of the access list kills your NAT.

 

ip access-list extended NAT_Outside
deny ip 192.168.1.0 0.255.255.255 192.168.2.0 0.0.0.255 log
permit ip 192.168.1.0 0.255.255.255 any

 

This needs to be:

 

ip access-list extended NAT_Outside
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any

 

 


Thanks for your input Georg, but I have to disagree with both of your statements.  Although the wildcard is larger than a Class C, it still covers the range.

 

The NAT is working perfectly with the log at the end of the access-list.  I have verified with Wireshark that it is working.  I did remove the log and changed the subnet, and I have the exact same debug results...anything else you can think of?


Hello,

 

Dennis suggested earlier to add the PFS group to the crypto map; did you try that?

 

crypto map VPN 2 ipsec-isakmp
description ASA
set peer XXX.XXX.XXX.11
set transform-set IKE2

set pfs group2
match address VPN_Traffic


Hello,

 

also try to change the access list and the NAT statement on your IOS router as below:

 

access-list 101 deny ip 192.168.1.0 0.255.255.255 192.168.2.0 0.0.0.255 log
access-list 101 permit ip 192.168.1.0 0.255.255.255 any

!

ip nat inside source route-map NAT_Outside interface FastEthernet1 overload
!
route-map NAT_Outside permit 10
match ip address 101


UP!!!

 

 

So here is the deal in case someone else finds themselves in the same situation. 

 

Notice how it is trying to peer with XXX.XXX.XXX.2

 

*Oct 3 17:54:08.617: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer XXX.XXX.XXX.2) 

 

It was supposed to peer with XXX.XXX.XXX.11

 

See below:

crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key ****** address XXX.XXX.XXX.11
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set IKE2 esp-aes 256 esp-sha-hmac

!


crypto map VPN 2 ipsec-isakmp
description ASA
set peer XXX.XXX.XXX.11
set transform-set IKE2
match address VPN_Traffic

 

ip access-list extended VPN_Traffic
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 log

 

Why....well I will tell you....

 

What I did not post was my second crypto map.  (That is why y'all could not help me.  I did not post the full story.)

 

crypto map VPN 1 ipsec-isakmp
description ASA2
set peer XXX.XXX.XXX.11
set transform-set IKE2
match address VPN_Traffic    <------ used the same ACL 

 

I tried to shortcut the access-list; see below:

 

ip access-list extended VPN_Traffic
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 log

permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 log

 

I have no idea what I was thinking...there is no way it would work that way.

 

In a way your comments helped.  They got me thinking.

 

Lesson learned:  do not be so confident that you don't look over your configs and assume it's something else.



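The root cause in the accepted answer is a config-shape problem rather than a crypto-parameter problem: two crypto map entries in the same map pointed at the same ACL, and that ACL also carried an entry whose source and destination were the same subnet. IOS evaluates crypto map entries in sequence-number order, so traffic matching a shared ACL always lands on the lowest sequence number and the other entry is dead. The lint below is an added example, not code from the thread or from Cisco; it parses the crypto map entries and extended ACLs from a constructed router excerpt modelled on the accepted answer (203.0.113.11 stands in for the masked XXX.XXX.XXX.11) and flags both problems. It understands `any` and `network wildcard` address terms only, which is all the page's ACLs use.

```python
import ipaddress
import re

# Constructed router excerpt modelled on the two crypto map entries and the
# crypto ACL shown in the accepted answer (203.0.113.11 stands in for the
# page's masked XXX.XXX.XXX.11).
ROUTER_CONFIG = """\
crypto map VPN 1 ipsec-isakmp
 description ASA2
 set peer 203.0.113.11
 set transform-set IKE2
 match address VPN_Traffic
crypto map VPN 2 ipsec-isakmp
 description ASA
 set peer 203.0.113.11
 set transform-set IKE2
 match address VPN_Traffic
!
ip access-list extended VPN_Traffic
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 log
 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 log
"""


def _network(tokens):
    """Consume one ACL address term ('any' or 'net wildcard'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # ipaddress accepts a host mask (a Cisco wildcard) in place of a prefix length;
    # strict=False tolerates a wildcard wider than the address's own host bits.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(config):
    """Return ({(map, seq): {'peer', 'acl'}}, {acl_name: [(action, src, dst)]})."""
    maps, acls, entry, acl = {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line)
        if m:
            entry, acl = {}, None
            maps[(m.group(1), int(m.group(2)))] = entry
            continue
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            acl, entry = [], None
            acls[m.group(1)] = acl
            continue
        if not line or line.startswith(("!", "crypto ", "ip ", "interface ")):
            entry = acl = None            # any other top-level line ends the block
        elif entry is not None:
            m = re.match(r"(set peer|match address) (\S+)", line)
            if m:
                entry["peer" if m.group(1) == "set peer" else "acl"] = m.group(2)
        elif acl is not None:
            m = re.match(r"(permit|deny) ip (.+)", line)
            if m:
                src, rest = _network(m.group(2).split())
                dst, _ = _network(rest)          # trailing 'log' is ignored
                acl.append((m.group(1), src, dst))
    return maps, acls


def shared_acls(maps):
    """ACLs referenced by more than one entry of a map: only the lowest sequence ever matches."""
    users = {}
    for key in sorted(maps):
        users.setdefault(maps[key].get("acl"), []).append(key)
    return {name: keys for name, keys in users.items() if name and len(keys) > 1}


def overlapping_aces(acls):
    """Permit entries whose source and destination overlap: local traffic that needs no tunnel."""
    return [(name, str(src), str(dst)) for name, aces in acls.items()
            for action, src, dst in aces if action == "permit" and src.overlaps(dst)]


if __name__ == "__main__":
    maps, acls = parse_config(ROUTER_CONFIG)
    for name, keys in shared_acls(maps).items():
        print(f"ACL {name} is matched by {keys}; traffic only ever reaches {keys[0]}")
    for name, src, dst in overlapping_aces(acls):
        print(f"ACL {name}: {src} -> {dst} overlaps itself")
```

On the excerpt it reports that VPN_Traffic is matched by both VPN 1 and VPN 2 (so VPN 2 is never used for that traffic) and that the 192.168.1.0/24 to 192.168.1.0/24 entry overlaps itself. Running a check like this over the full running-config, rather than over the lines one remembers to paste, is the practical form of the "look over your configs" lesson.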