10-01-2018 03:25 PM - edited 10-03-2018 10:19 AM
Help
I do not understand why the VPN will not work. I see that it fails IKE phase 1 because of the hash...but everything looks good.
Configs on the ASA:
access-list outside_cryptomap extended permit ip object ASA object Router
nat (inside,outside) source static ASA ASA destination static Router Router no-proxy-arp route-lookup
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer XXX.XXX.XXX.73
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
access-list outside_cryptomap extended permit ip object ASA object Router
group-policy GroupPolicy_XXX.XXX.XXX.73 internal
group-policy GroupPolicy_XXX.XXX.XXX.73 attributes
vpn-tunnel-protocol ikev1
tunnel-group XXX.XXX.XXX.73 type ipsec-l2l
tunnel-group XXX.XXX.XXX.73 general-attributes
default-group-policy GroupPolicy_XXX.XXX.XXX.73
tunnel-group XXX.XXX.XXX.73 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
access-list outside_cryptomap extended permit ip object ASA object Router
object network ASA
subnet 192.168.2.0 255.255.255.0
object network Router
subnet 192.168.1.0 255.255.255.0
crypto ikev1 policy 2
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
___________________________________________________
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key ****** address XXX.XXX.XXX.11
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set IKE2 esp-aes 256 esp-sha-hmac
!
crypto map VPN 2 ipsec-isakmp
description ASA
set peer XXX.XXX.XXX.11
set transform-set IKE2
match address VPN_Traffic
ip access-list extended VPN_Traffic
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 log
interface Vlan2
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface FastEthernet1
description ISP
ip address XXX.XXX.XXX.73 255.255.255.248
nat outside
crypto map VPN
!
ip nat inside source list NAT_Outside interface FastEthernet1 overload
ip access-list extended NAT_Outside
deny ip 192.168.1.0 0.255.255.255 192.168.2.0 0.0.0.255 log
permit ip 192.168.1.0 0.255.255.255 any
____________________________________________________
On Router
#debug crypto isakmp
*Oct 3 17:52:53.617: ISAKMP:(0): SA request profile is (NULL)
*Oct 3 17:52:53.617: ISAKMP: Created a peer struct for XXX.XXX.XXX.2, peer port 500
*Oct 3 17:52:53.617: ISAKMP: New peer created peer = 0x8480B114 peer_handle = 0x8000007F
*Oct 3 17:52:53.617: ISAKMP: Locking peer struct 0x8480B114, refcount 1 for isakmp_initiator
*Oct 3 17:52:53.617: ISAKMP: local port 500, remote port 500
*Oct 3 17:52:53.617: ISAKMP: set new node 0 to QM_IDLE
*Oct 3 17:52:53.617: insert sa successfully sa = 8480A9C0
*Oct 3 17:52:53.617: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Oct 3 17:52:53.617: ISAKMP:(0):found peer pre-shared key matching XXX.XXX.XXX.2
*Oct 3 17:52:53.617: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Oct 3 17:52:53.617: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Oct 3 17:52:53.617: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Oct 3 17:52:53.617: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Oct 3 17:52:53.617: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Oct 3 17:52:53.617: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Oct 3 17:52:53.617: ISAKMP:(0): beginning Main Mode exchange
*Oct 3 17:52:53.617: ISAKMP:(0): sending packet to XXX.XXX.XXX.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Oct 3 17:52:53.617: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Oct 3 17:52:53.649: ISAKMP (0:0): received packet from XXX.XXX.XXX.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Oct 3 17:52:53.649: ISAKMP:(0):Notify has no hash. Rejected.   <---- This is where I see it going wrong
*Oct 3 17:52:53.649: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Oct 3 17:52:53.649: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Oct 3 17:52:53.649: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM1
*Oct 3 17:52:53 UTC: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at XXX.XXX.XXX.2
*Oct 3 17:53:23.617: ISAKMP: set new node 0 to QM_IDLE
*Oct 3 17:53:23.617: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local XXX.XXX.XXX.73, remote XXX.XXX.XXX.2)
*Oct 3 17:53:23.617: ISAKMP: Error while processing SA request: Failed to initialize SA
*Oct 3 17:53:23.617: ISAKMP: Error while processing KMI message 0, error 2.
*Oct 3 17:54:08.617: ISAKMP: quick mode timer expired.
*Oct 3 17:54:08.617: ISAKMP:(0):src XXX.XXX.XXX.73 dst XXX.XXX.XXX.2, SA is not authenticated
*Oct 3 17:54:08.617: ISAKMP:(0):peer does not do paranoid keepalives.
*Oct 3 17:54:08.617: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer XXX.XXX.XXX.2)
*Oct 3 17:54:08.617: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer XXX.XXX.XXX.2)
*Oct 3 17:54:08.617: ISAKMP: Unlocking peer struct 0x8480B114 for isadb_mark_sa_deleted(), count 0
*Oct 3 17:54:08.617: ISAKMP: Deleting peer node by peer_reap for XXX.XXX.XXX.2: 8480B114
*Oct 3 17:54:08.617: ISAKMP:(0):deleting node -763682124 error FALSE reason "IKE deleted"
*Oct 3 17:54:08.617: ISAKMP:(0):deleting node -1337740792 error FALSE reason "IKE deleted"
*Oct 3 17:54:08.617: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Oct 3 17:54:08.617: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
*Oct 3 17:54:58.617: ISAKMP:(0):purging node -763682124
*Oct 3 17:54:58.617: ISAKMP:(0):purging node -1337740792
*Oct 3 17:55:08.617: ISAKMP:(0):purging SA., sa=8480A9C0, delme=8480A9C0
10-04-2018 01:41 PM
UP!!!
So here is the deal in case someone else finds themselves in the same situation.
Notice how it is trying to peer with XXX.XXX.XXX.2
*Oct 3 17:54:08.617: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer XXX.XXX.XXX.2)
It was supposed to peer with XXX.XXX.XXX.11
See below:
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key ****** address XXX.XXX.XXX.11
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set IKE2 esp-aes 256 esp-sha-hmac
!
crypto map VPN 2 ipsec-isakmp
description ASA
set peer XXX.XXX.XXX.11
set transform-set IKE2
match address VPN_Traffic
ip access-list extended VPN_Traffic
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 log
Why....well I will tell you....
what I did not post was my second crypto map. (That is why Y'all could not help me. I did not post the full story.)
crypto map VPN 1 ipsec-isakmp
description ASA2
set peer XXX.XXX.XXX.11
set transform-set IKE2
match address VPN_Traffic <------ used the same ACL
I tried to short cut the access-list see below:
ip access-list extended VPN_Traffic
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 log
permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 log
I have no idea what I was thinking...there is no way it would work that way.
In a way your comments help. It got me thinking.
Lesson learned: do not be so confident that you don't look over your configs and assume it's something else.
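The thread turned on three things that are easy to check mechanically before reading a debug by hand: two crypto map entries in the same map pointing at the same crypto ACL (only the lowest sequence number is ever used for that traffic), a crypto ACL line that "protects" a subnet to itself, and a debug in which the router negotiates with a peer address that no crypto map entry names. The debug also shows the peer answering the first Main Mode packet with an informational notify (IKE_INFO_NOTIFY in state IKE_I_MM1) instead of the MM2 reply, which is why phase 1 never gets to authentication. The lint below is an added example, not code from the thread or from Cisco; it parses the IOS fragments posted in the accepted solution (rebuilt here as constructed sample input, with the thread's own XXX.XXX.XXX.* placeholders standing in for the peer addresses) plus two of the debug lines, and reports those three conditions. It also expands IOS wildcard masks properly, so the NAT_Outside lines with 0.255.255.255 are reported as the 192.0.0.0/8 they really match rather than the /24 that was intended. The config format it understands is deliberately limited to the commands that appear in the thread.

```python
"""Lint an IOS IKEv1/IPsec fragment against an ISAKMP debug capture.

Added example, not code from the thread. Understands only the commands the
thread used: 'crypto map NAME SEQ ipsec-isakmp' with 'set peer' and
'match address', and 'ip access-list extended' with 'permit|deny ip' lines.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample built from the IOS lines posted in the thread. The
# XXX.XXX.XXX.* peers are the thread's placeholders, not real addresses.
IOS_CONFIG = """\
crypto map VPN 1 ipsec-isakmp
 set peer XXX.XXX.XXX.11
 match address VPN_Traffic
crypto map VPN 2 ipsec-isakmp
 set peer XXX.XXX.XXX.11
 match address VPN_Traffic
ip access-list extended VPN_Traffic
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 log
 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255 log
ip access-list extended NAT_Outside
 deny ip 192.168.1.0 0.255.255.255 192.168.2.0 0.0.0.255 log
 permit ip 192.168.1.0 0.255.255.255 any
"""

# Constructed sample: two of the 'debug crypto isakmp' lines from the thread.
DEBUG_LOG = """\
*Oct 3 17:52:53.617: ISAKMP: Created a peer struct for XXX.XXX.XXX.2, peer port 500
*Oct 3 17:54:08.617: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_NO_STATE (peer XXX.XXX.XXX.2)
"""


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into the prefix it matches."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if wildcard is None:  # 'host a.b.c.d' form
        return ipaddress.ip_network(addr + "/32")
    # Invert the wildcard ourselves: ipaddress would read 0.0.0.0 as a /0
    # netmask, but as an IOS wildcard it means a single host.
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    # strict=False keeps unaligned bases: 192.168.1.0 with 0.255.255.255
    # is really 192.0.0.0/8, which is what the router matches.
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def _parse_ace(tokens):
    """Parse 'permit|deny ip SRC [WC] DST [WC] [log]' into networks."""
    action, rest, nets = tokens[0], tokens[2:], []
    while len(nets) < 2:
        if rest[0] == "any":
            nets.append(wildcard_to_network("any", None))
            rest = rest[1:]
        elif rest[0] == "host":
            nets.append(wildcard_to_network(rest[1], None))
            rest = rest[2:]
        else:
            nets.append(wildcard_to_network(rest[0], rest[1]))
            rest = rest[2:]
    return {"action": action, "src": nets[0], "dst": nets[1], "log": "log" in rest}


def parse_ios(config):
    """Collect crypto map entries and extended ACLs from an IOS fragment."""
    maps, acls, ctx = {}, defaultdict(list), None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if raw[0] != " ":  # an unindented line starts a new context
            if t[:2] == ["crypto", "map"]:
                ctx = ("map", (t[2], int(t[3])))
                maps[ctx[1]] = {"peer": None, "acl": None}
            elif t[:3] == ["ip", "access-list", "extended"]:
                ctx = ("acl", t[3])
            else:
                ctx = None
        elif ctx and ctx[0] == "map":
            if t[:2] == ["set", "peer"]:
                maps[ctx[1]]["peer"] = t[2]
            elif t[:2] == ["match", "address"]:
                maps[ctx[1]]["acl"] = t[2]
        elif ctx and ctx[0] == "acl" and t[0] in ("permit", "deny"):
            acls[ctx[1]].append(_parse_ace(t))
    return {"maps": maps, "acls": dict(acls)}


def lint(cfg, debug_log):
    """Return a list of human-readable findings (empty list means clean)."""
    findings, by_acl = [], defaultdict(list)
    for key, entry in cfg["maps"].items():
        by_acl[entry["acl"]].append(key)
    for acl, keys in by_acl.items():
        if acl and len(keys) > 1:
            findings.append(f"crypto ACL {acl} is shared by map entries {sorted(keys)}; "
                            "only the lowest sequence number is used for that traffic")
    for acl, aces in cfg["acls"].items():
        for ace in aces:
            if ace["src"] == ace["dst"] and ace["src"].prefixlen:
                findings.append(f"{acl}: {ace['action']} {ace['src']} -> {ace['dst']} "
                                "protects a subnet to itself (never enters a tunnel)")
            if 0 < ace["src"].prefixlen < 16:
                findings.append(f"{acl}: wildcard expands to {ace['src']}, broader than a /16")
    configured = {e["peer"] for e in cfg["maps"].values() if e["peer"]}
    seen = set(re.findall(r"peer struct for (\S+), peer port", debug_log))
    seen |= set(re.findall(r"\(peer ([^)]+)\)", debug_log))
    for peer in sorted(seen - configured):
        findings.append(f"debug negotiates with {peer}, which no crypto map entry names")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_ios(IOS_CONFIG), DEBUG_LOG):
        print("-", finding)
```

Run as a script it prints five findings for the sample: the shared VPN_Traffic ACL, the 192.168.1.0/24-to-itself line, the two NAT_Outside lines that expand to 192.0.0.0/8, and the XXX.XXX.XXX.2 peer that appears in the debug but in no crypto map entry. Paste in the real `show run | section crypto map|access-list` output and the real debug, and an empty list means none of the three conditions the thread hit is present; it says nothing about phase 1 proposal matching, which still has to be checked against the far end's policy.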
10-01-2018 05:02 PM
Can you send the config of the remote end, and also check whether you configured PFS group (2).
cheers
10-02-2018 01:31 PM
I used the VPN wizard to configure it. I can't share the ASA configs.....too much info and I am not sure what lines you need. Do you not see any error in the debug I posted...
Can you give me a little detail on "PFS group (2)"? I do see PFS on the ASA but under a different crypto map to a different peer.
Thanks for your help ....I need it!
10-03-2018 10:20 AM
I have updated the original posting I hope I have included everything you need.
10-03-2018 11:23 AM - edited 10-03-2018 11:26 AM
Hello,
There is a typo in the access list on the IOS router. Also, the 'log' keyword at the end of the access list kills your NAT.
ip access-list extended NAT_Outside
deny ip 192.168.1.0 0.255.255.255 192.168.2.0 0.0.0.255 log
permit ip 192.168.1.0 0.255.255.255 any
This needs to be:
ip access-list extended NAT_Outside
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
10-03-2018 12:13 PM
Thanks for your input Georg but I have to disagree with both of your statements. Although the wild card is larger than a Class C it still covers the range.
The NAT is working perfectly with the log at the end of the access-list. I have verified with Wireshark that it is working. I did remove the log and changed the subnet and I have the exact same debug results...anything else you can think of?
10-03-2018 12:50 PM
Hello,
Dennis suggested earlier to add the PFS group to the crypto map, did you try that?
crypto map VPN 2 ipsec-isakmp
description ASA
set peer XXX.XXX.XXX.11
set transform-set IKE2
set pfs group2
match address VPN_Traffic
10-03-2018 01:06 PM
Hello,
also try to change the access list and the NAT statement on your IOS router as below:
access-list 101 deny ip 192.168.1.0 0.255.255.255 192.168.2.0 0.0.0.255 log
access-list 101 permit ip 192.168.1.0 0.255.255.255 any
!
ip nat inside source route-map NAT_Outside interface FastEthernet1 overload
!
route-map NAT_Outside permit 10
match ip address 101