12-06-2010 07:03 PM
Hi Guys,
I've setup a VPN between an ASA 5510 running OS 7.2 (Base) and a Concentrator 3005.
The VPN comes up perfectly if initiated from the ASA but fails at Phase 2 when initiated from the 3005 (1.1.1.5). Upon failing, the ASA throws the following errors:
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, PHASE 1 COMPLETED
Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, processing ID payload
Dec 07 00:54:20 [IKEv1 DECODE]: Group = 1.1.1.15, IP = 1.1.1.15, ID_IPV4_ADDR_SUBNET ID received--172.19.0.0--255.255.0.0
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, Received remote IP Proxy Subnet data in ID Payload: Address 172.19.0.0, Mask 255.255.0.0, Protocol 0, Port 0
Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, processing ID payload
Dec 07 00:54:20 [IKEv1 DECODE]: Group = 1.1.1.15, IP = 1.1.1.15, ID_IPV4_ADDR_SUBNET ID received--192.168.2.0--255.255.255.0
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, Received local IP Proxy Subnet data in ID Payload: Address 192.168.2.0, Mask 255.255.255.0, Protocol 0, Port 0
Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, processing notify payload
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, QM IsRekeyed old sa not found by addr
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, Static Crypto Map check, checking map = mymap, seq = 9...
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, Static Crypto Map check, map = mymap, seq = 9, ACL does not match proxy IDs src:172.19.0.0 dst:192.168.2.0
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, IKE Remote Peer configured for crypto map: dynmap
Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, processing IPSec SA payload
Dec 07 00:54:20 [IKEv1]: Group = 1.1.1.15, IP = 1.1.1.15, All IPSec SA proposals found unacceptable!
Dec 07 00:54:20 [IKEv1 DEBUG]: Group = 1.1.1.15, IP = 1.1.1.15, sending notify message
What I gather from the above output is that seq 9 of the Crypto Map mymap does not match the proposal offered by the 3005. And guess what, it doesn't - so no surprise there - however Seq 12 does match. So I'm assuming the ASA isn't checking the proposal from the 3005 against the entire Crypto Map. Fair assumption? And if so, does anyone know why not?
TIA
Cheers
Scott
12-06-2010 07:09 PM
One thought I just had.... the ACL defining interesting traffic at seq 9 has the usual deny any any at the end... would this "match" stop the ASA from processing the rest of the crypto map for the desired match?
Cheers
Scott
12-06-2010 08:32 PM
Scott,
Could you post a sanitized relevant chunk of the configuration on the ASA and 3005 here?
We shall have a look and make a few suggestions if necessary.
Cheers,
Nash.
12-06-2010 09:07 PM
Hi Avinash,
Tricky since I can't post the 3005 config without compromising sensitive data. I've extracted it from the 3005 manually and posted the ASA config (with fake IPs) below.
3005:
P1:
Enc: AES-192
Hash: SHA/HMAC-160
Auth: PSK
DHGrp: 2
Lifetime 86400
Mode: Main
P2:
Enc: AES-192
Hash: SHA/HMAC-160
PFS: None
Mode: Tunnel
Lifetime 28800
Enc Domains
Local:
1.1.2.0/0.0.0.255
172.19.0.0/0.0.255.255
Remote:
192.168.2.0/0.0.0.255
192.168.250.0/0.0.0.255
ASA:
P1:
crypto isakmp policy 14
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
P2:
crypto ipsec transform-set Set3 esp-aes-192 esp-sha-hmac
Encr Domain:
access-list To1.1.1.5 line 1 extended permit ip 192.168.2.0 255.255.255.0 172.19.0.0 255.255.0.0
access-list To1.1.1.5 line 2 extended permit ip 192.168.2.0 255.255.255.0 1.1.2.0 255.255.255.0
access-list To1.1.1.5 line 3 extended permit ip 192.168.250.0 255.255.255.0 172.19.0.0 255.255.0.0
access-list To1.1.1.5 line 4 extended permit ip 192.168.250.0 255.255.255.0 1.1.2.0 255.255.255.0
crypto dynamic-map dynmap 10 set transform-set my-set
crypto dynamic-map dynmap 10 set reverse-route
crypto map mymap 9 match address ToAnotherHost
crypto map mymap 9 set peer x.x.x.x
crypto map mymap 9 set transform-set set1
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 11 match address To1.1.1.5
crypto map mymap 11 set peer 1.1.1.5
crypto map mymap 11 set transform-set Set3
crypto map mymap interface Outside
crypto isakmp identity address
crypto isakmp enable Outside
Any insight would be greatly appreciated.
Cheers
Scott
12-06-2010 10:36 PM
Hi Scott,
We found it.
The dynamic Crypto Map should be attached to the static Crypto Map only after all the static entries have been configured.
The best way is to attach the dynamic map at the last line of the Static Map which is line no 65535.
So, do the following and let me know how it goes
no crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
Please put in the above commands in the configuration prompt in the ASA.
Cheers,
Nash.
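To show why the sequence number of the dynamic entry matters, here is a small Python model of how the ASA walks the crypto map for an incoming Quick Mode proposal (an added illustration, not Cisco code and not part of the thread). It assumes the contents of ACL ToAnotherHost (placeholders, since the thread does not show them) and compares transform sets by name as a stand-in for comparing the proposed algorithms.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Entry:
    seq: int
    transform_sets: Tuple[str, ...]
    peer: Optional[str] = None                  # None for a dynamic entry
    acl: List[Tuple[str, str]] = field(default_factory=list)  # (src, dst) nets
    dynamic: bool = False

def acl_matches(acl, local, remote):
    """The proxy IDs from the ID payload must equal an ACL line's src/dst nets."""
    return any(ipaddress.ip_network(s) == local and ipaddress.ip_network(d) == remote
               for s, d in acl)

def evaluate(crypto_map, peer, local, remote, proposal_ts):
    """Walk entries by ascending seq; return the seq that accepts the proposal,
    or a string describing why the negotiation failed."""
    local, remote = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    for e in sorted(crypto_map, key=lambda x: x.seq):
        if e.dynamic:
            # A dynamic entry accepts any peer and any proxy IDs, so the walk
            # stops here: only the transform set is checked.
            if proposal_ts in e.transform_sets:
                return e.seq
            return f"seq {e.seq} (dynamic): all IPSec SA proposals unacceptable"
        if e.peer != peer or not acl_matches(e.acl, local, remote):
            continue  # "ACL does not match proxy IDs": try the next entry
        if proposal_ts in e.transform_sets:
            return e.seq
    return "no crypto map entry matched"

# Entries modelled on the posted ASA config. The networks in ToAnotherHost
# are not in the thread; the two below are constructed placeholders.
STATIC_9 = Entry(9, ("set1",), peer="x.x.x.x", acl=[("10.9.0.0/16", "10.99.0.0/16")])
STATIC_11 = Entry(11, ("Set3",), peer="1.1.1.5",
                  acl=[("192.168.2.0/24", "172.19.0.0/16"),
                       ("192.168.2.0/24", "1.1.2.0/24"),
                       ("192.168.250.0/24", "172.19.0.0/16"),
                       ("192.168.250.0/24", "1.1.2.0/24")])

def original_map():
    """Dynamic map at seq 10, sitting between the two static entries."""
    return [STATIC_9, Entry(10, ("my-set",), dynamic=True), STATIC_11]

def fixed_map():
    """Nash's fix: dynamic map moved to seq 65535, after every static entry."""
    return [STATIC_9, Entry(65535, ("my-set",), dynamic=True), STATIC_11]

if __name__ == "__main__":  # proxy IDs as decoded in Scott's log, transform Set3
    for m in (original_map, fixed_map):
        print(m.__name__, "->", evaluate(m(), "1.1.1.5", "192.168.2.0/24", "172.19.0.0/16", "Set3"))
```

With the dynamic entry at seq 10 the walk ends there and the 3005's Set3 proposal is rejected against my-set, which is the "All IPSec SA proposals found unacceptable!" seen in the log; with it at 65535 the static seq 11 entry is reached and matches.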
12-07-2010 03:04 PM
Thanks Avinash. I'll give this a shot after hours.
Can you explain why this is the root cause of the problem?
Rgds
Scott
12-09-2010 05:14 PM
Worked a treat. Thanks Avinash!
Rgds
Scott