Cisco <> MikroTik site-to-site IPsec tunnel

rga-rga-rga · ‎06-19-2013

Cisco ASA 5505, Software 8.0(3)

MikroTik RouterBoard RB493AH, RouterOS 6.0

IPsec site-to-site is set up.

When MikroTik initiates IPsec tunnel to Cisco, it is established, data are encrypted and sent through tunnel as expected.

When Cisco should initiate tunnel, it ends with this error message:

Jun 17 19:22:21 [IKEv1]: Group = < IP>, IP = <IP>, QM FSM error (P2 struct &0xd54e6a00, mess id 0x6dbfce6b)!

Jun 17 19:22:21 [IKEv1]: Group = <IP>, IP = <IP>, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Jun 17 19:22:21 [IKEv1]: Group = <IP>, IP = <IP>, Removing peer from correlator table failed, no match!

This is corresponding part of ASA config:

crypto ipsec transform-set ts_esp_aes_256_sha esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map cdm_outside 10 set pfs
crypto dynamic-map cdm_outside 10 set transform-set ts_esp_aes_256_sha
crypto dynamic-map cdm_outside 10 set security-association lifetime kilobytes 262144
crypto map cm_outside 10 match address acl_encrypt_sk
crypto map cm_outside 10 set pfs group5
crypto map cm_outside 10 set peer <MikroTik public IP>
crypto map cm_outside 10 set transform-set ts_esp_aes_256_sha
crypto map cm_outside 10 set security-association lifetime kilobytes 262144

crypto map cm_outside 20 ...

crypto map cm_outside 65535 ipsec-isakmp dynamic cdm_outside
crypto map cm_outside interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 3600
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600

tunnel-group <remote IP> type ipsec-l2l
tunnel-group <remote IP> ipsec-attributes
pre-shared-key <key>

And this MikroTik config:

/ip ipsec peer print
Flags: X - disabled
0   ;;; IKE Phase 1: Authenticate IPSec peers
     address=<Cisco public IP>/32 passive=no port=500 auth-method=pre-shared-key
     secret="<key>" generate-policy=no exchange-mode=main
     send-initial-contact=yes nat-traversal=no proposal-check=strict
     hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1536 lifetime=1h
     lifebytes=268435456 dpd-interval=2m dpd-maximum-failures=5

/ip ipsec proposal print
Flags: X - disabled, * - default
0 X* name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024

1 name="aes-256-sha1-dh5" auth-algorithms=sha1 enc-algorithms=aes-256
lifetime=1h pfs-group=modp1536

/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive
0    ;;; IKE Phase 2: negotiate IPSec SAs
      src-address=<MikroTik LAN>/20 src-port=any dst-address=<Cisco LAN>/20
      dst-port=any protocol=all action=encrypt level=unique
      ipsec-protocols=esp tunnel=yes sa-src-address=<MikroTik public IP>

sa-dst-address=<Cisco public IP> proposal=aes-256-sha1-dh5 priority=0

I tried IPsec debugging on both sides but I understand IKE Phase 1 was successfully done but there is an issue with IKE Phase 2 and I don't know why:

Jun 17 22:08:58 [IKEv1]: IP = <IP>, IKE Initiator: New Phase 1, Intf inside, IKE Peer <IP> local Proxy Address <Cisco LAN>, remote Proxy Address <MikroTik LAN>, Crypto map (cm_outside)
Jun 17 22:08:58 [IKEv1]: IP = <IP>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 192
Jun 17 22:08:58 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Jun 17 22:08:58 [IKEv1]: IP = <IP>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 368
Jun 17 22:08:58 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 300
Jun 17 22:08:58 [IKEv1]: IP = <IP>, Connection landed on tunnel_group <IP>
Jun 17 22:08:58 [IKEv1]: IP = <IP>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Jun 17 22:08:58 [IKEv1]: Group = <IP>, IP = <IP>, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Jun 17 22:08:58 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jun 17 22:08:58 [IKEv1]: IP = <IP>, Connection landed on tunnel_group <IP>
Jun 17 22:08:58 [IKEv1]: Group = <IP>, IP = <IP>, Freeing previously allocated memory for authorization-dn-attributes
Jun 17 22:08:59 [IKEv1]: Group = <IP>, IP = <IP>, PHASE 1 COMPLETED
Jun 17 22:08:59 [IKEv1]: IP = <IP>, Keep-alive type for this connection: DPD
Jun 17 22:08:59 [IKEv1]: IP = <IP>, IKE_DECODE SENDING Message (msgid=5e1d666a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 400
Jun 17 22:08:59 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=d1beb252) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 64
Jun 17 22:08:59 [IKEv1]: Group = <IP>, IP = <IP>, Received non-routine Notify message: Invalid Payload (1)
Jun 17 22:09:07 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=9a38d4e6) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 64
Jun 17 22:09:07 [IKEv1]: Group = <IP>, IP = <IP>, Received non-routine Notify message: Invalid Payload (1)
Jun 17 22:09:11 [IKEv1]: IP = <IP>, IKE_DECODE SENDING Message (msgid=1644b80a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 17 22:09:11 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=f1bacead) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 17 22:09:15 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=cf34797b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 64
Jun 17 22:09:15 [IKEv1]: Group = <IP>, IP = <IP>, Received non-routine Notify message: Invalid Payload (1)
Jun 17 22:09:21 [IKEv1]: IP = <IP>, IKE_DECODE SENDING Message (msgid=a765efb2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 17 22:09:21 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=e9d5b67e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 17 22:09:23 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=8ce4de3a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 64
Jun 17 22:09:23 [IKEv1]: Group = <IP>, IP = <IP>, Received non-routine Notify message: Invalid Payload (1)
Jun 17 22:09:31 [IKEv1]: Group = <IP>, IP = <IP>, QM FSM error (P2 struct &0xd5976180, mess id 0x5e1d666a)!
Jun 17 22:09:31 [IKEv1]: Group = <IP>, IP = <IP>, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jun 17 22:09:31 [IKEv1]: Group = <IP>, IP = <IP>, Removing peer from correlator table failed, no match!
Jun 17 22:09:31 [IKEv1]: IP = <IP>, IKE_DECODE SENDING Message (msgid=5cb3f812) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jun 17 22:09:31 [IKEv1]: Ignoring msg to mark SA with dsID 6029312 dead because SA deleted

I will appreciate any clue...

czaja0000 · ‎06-20-2013

Hi,

Phase 2

1. Try, change on both devices PFS from "group5" to "group2"

2. Compare ACL on ASA with Mikrotik

acl_encrypt_sk

src-address=/20 src-port=any dst-address=/20 dst-port=any protocol=all

Might mask don't match?

__________________________________________

The message:

Received non-routine Notify message: .........

By Cisco documentation:

This message occurs due to misconfiguration (that is, when the policies or ACLs are not configured to be the same on peers). Once the policies and ACLs are matched the tunnel comes up without any problem.

________________

Best regards,
MB

________________ Best regards, MB

DAVID PICARD · ‎09-24-2013

Hi had this exact same issue when trying to have a Mikrotik in DHCP do a site to site VPN to a Cisco ASA.

The Phase2 is about the " IPsec Proposal " on the Mikrotik Side, so be sure the Auth end Encyption Algorithms checked in winbox are allowed on the ASA.

Also maybe just change the " PFS Group " from "modp1023" ( default ) to "none" and clear the "Installed SAs" on the Mikrotik.

Perfect Forward Secrecy ( PFS ) is probably not activate on your ASA if the IPSec go up after that. On my side wrong PFS Group was the issue.

Alexandr Bondarenko · ‎11-13-2013

Hi David!

Can you show your config of ASA and Mikrotik. How did you made ipsec up? in my case Phase 1 -

successful. Phase 2 didn't esteblished...

DAVID PICARD · ‎11-13-2013

On the ASA you first need to put the NO NAT rule

Exemple:

access-list no-nat-inside line 15 extended permit ip 192.168.128.0 255.255.252.0 192.168.126.0 255.255.255.0

Then I created a tunnel-group with a FQDN an not an IP ( causse Mikrotik side are in DHCP )

tunnel-group exemple.cisco.com type ipsec-l2l
tunnel-group exemple.cisco.com ipsec-attributes
    pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

SYSTEM_DEFAULT_CRYPTO_MAP could be OK, if not create a CryptoMap

access-list Mkt_splittunnel extended permit ip 192.168.128.0 255.255.252.0 192.168.126.0 255.255.255.0
crypto dynamic-map Mkt-crypto 5 match address Mkt_splittunnel
crypto dynamic-map Mkt-crypto 5 set transform-set ESP-AES-256-SHA
crypto map Outside_map 10 ipsec-isakmp dynamic Mkt-crypto

-------------------------------------------------------------------------------------------

Then on the Mikrotik Side create the Phase2 proposal and the Peer config

I use a script to check the sa-src-address with the DHCP assigned IP.

Important to use Agressive mode to send the FQDN if the Mikrotik are in DHCP

# Phase2 SHA1 / aes-256 / none
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256 lifetime=30m name=default pfs-group=none
#
# PEER ( ASA ) in Agressive Mode for FQDN ( VPN Group on ASA )
/ip ipsec peer
add address=x.x.x.x auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=5 \
    enc-algorithm=aes-256 exchange-mode=aggressive generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=1d my-id-user-fqdn=\
    exemple.cisco.com nat-traversal=no port=500 proposal-check=obey secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXX send-initial-contact=yes
#
# What to put in IPSec
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.128.0/22 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=default \
    protocol=all sa-dst-address=X.X.X.X sa-src-address=X.X.X.X src-address=192.168.126.0/24 src-port=any tunnel=yes
#
# Script to fill sa-src-address with the DHCP assigned address
/system scheduler
add disabled=no interval=1m name=dynamic-dns-schedule on-event=dynamic-router-update policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive start-time=startup
/system script
add name=dynamic-router-update policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source=":local CurrentWanIP [/ip dhcp-clien\
   t get [find where interface=ether1-gateway] address]\r\
   \n:local length [:len \$CurrentWanIP]\r\
   \n:set length (\$length -3)\r\
   \n:local WanIP [:pick \$CurrentWanIP 0 \$length ] \r\
   \n:local SaWanIP [/ip ipsec policy get [find where dst-address=192.168.128.0/22] sa-src-address]\r\
   \n:if (\$WanIP != \$SaWanIP) do={\r\
   \n\t:log info \"SaIpMatic: Wan IP update need DHCP IP \$WanIP and current SA IPsec IP \$SaWanIP\"\r\
   \n\t/ip ipsec policy set [find where dst-address=192.168.128.0/22] sa-src-address=\$WanIP\r\
   \n\t/ip ipsec installed-sa flush\r\
   \n}  else={\r\
   \n\t:log info \"SaIpMatic: Current DHCP IP \$WanIP and current SA IPsec IP \$SaWanIP equal, no update need\"\r\
   \n}"

Alexandr Bondarenko · ‎11-14-2013

Hello, David!

Thanks a lot!

I will try your metod.

I think my ASA config is OK, That do you think about it. My ASA is 8.6

nat- NO NAT:

nat (inside,outside) source static asa-sb asa-sb destination static m1-sb m1-sb

I need more then one connect that's why I use DefaultL2LGroup(I hope its accept conection from 0.0.0.0/0):

tunnel-group DefaultL2LGroup ipsec-attributes

ikev1 pre-shared-key *****

and my crypyo mat policy and access-list:

access-list asa-m1-sb extended permit ip object asa-sb object m1-sb

crypto ipsec ikev1 transform-set 3DES esp-3des esp-md5-hmac

crypto dynamic-map DYNMAP 10 set ikev1 transform-set 3DES

crypto map outside 1000 ipsec-isakmp dynamic DYNMAP

crypto map outside interface outside

crypto ikev1 enable outside

crypto ikev1 policy 5

authentication pre-share

encryption aes

hash sha

group 5

lifetime 86400

its strange... I run the comand :

 crypto map outside 1000 match address  asa-m1-sb

But it dosen't appers in config...

Debug crypto ikev1 127 is empty but then i ping from asa-sb(192.168.88.0/24) to m1-sb(10.9.9.0/24) ASDM log show:

Error: %ASA-3-752006: Tunnel Manager failed to dispatch a KEY_ACQUIRE message.

Mikrotik...

David, that you think about do no use a script to check the sa-src-address with the DHCP assigned IP? instead of this in peer config:

generate-policy=yes

DAVID PICARD · ‎11-14-2013

On my side I actually use the

SYSTEM_DEFAULT_CRYPTO_MAP without problem, but I have create a tunnel group just for the Mikrotik.

If the Mikrotik have a static IP try create a Tunnel Group with IP, if not use a tunnel group with FQDN.

tunnel-group exemple.cisco.com type ipsec-l2l
tunnel-group exemple.cisco.com ipsec-attributes
    pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

To debug in SSH you can also try this ...

terminal monitor
debug crypto isa
debug crypto ipsec

And on the Mikrotik Side did you try this value on the IPSec Proposal ?

pfs-group=none

I also recommended you to read the Slide (

http://gregsowell.com/wp-content/uploads/2009/12/GregSowell-mikrotik-vpn1.pdf )

of the Mikrotik VPN class of Greg ( he have a great blog ) at

http://gregsowell.com/?p=1290 you will find interesting config about

IPSec – Mikrotik to Cisco Router

IPSec – Mikrotik to Cisco ASA

IPSec – Mikrotik to Cisco Router Multiple Subnets

IPIP Tunnel w/IPSec – Mikrotik to Mikrotik

IPIP Tunnel w/IPSec – Mikrotik to Cisco Router