07-19-2012 01:40 PM
I have an ASA which has a few static VPN sessions set up on it already from PIX boxes. I need a 2621 router to be able to set up a VPN connection to this ASA. I have not been able to get it working.
Output from debugs on router:
*Mar 1 01:19:38.979: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 74.80.56.70, remote= ASA-IP,
local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x7348980A(1934137354), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 01:19:38.979: ISAKMP: received ke message (1/1)
*Mar 1 01:19:38.979: ISAKMP (0:0): SA request profile is (NULL)
*Mar 1 01:19:38.983: ISAKMP: local port 500, remote port 500
*Mar 1 01:19:38.983: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 01:19:38.983: ISAKMP: insert sa successfully sa = 830CF4BC
*Mar 1 01:19:38.983: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
*Mar 1 01:19:38.983: ISAKMP: Looking for a matching key for ASA-IP in default : success
*Mar 1 01:19:38.983: ISAKMP (0:1): found peer pre-shared key matching ASA-IP
*Mar 1 01:19:38.987: ISAKMP (0:1): constructed NAT-T vendor-07 ID
*Mar 1 01:19:38.987: ISAKMP (0:1): constructed NAT-T vendor-03 ID
*Mar 1 01:19:38.987: ISAKMP (0:1): constructed NAT-T vendor-02 ID
*Mar 1 01:19:38.987: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 01:19:38.987: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 01:19:38.987: ISAKMP (0:1): beginning Main Mode exchange
*Mar 1 01:19:38.987: ISAKMP (0:1): sending packet to ASA-IP my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 01:19:48.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 01:19:48.991: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 1 01:19:48.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 01:19:48.991: ISAKMP (0:1): sending packet to ASA-IP my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 01:19:58.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 01:19:58.991: ISAKMP (0:1): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 1 01:19:58.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 01:19:58.991: ISAKMP (0:1): sending packet to ASA-IP my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 01:20:08.979: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 74.80.56.70, remote= ASA-IP,
local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)
*Mar 1 01:20:08.979: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 74.80.56.70, remote= ASA-IP,
local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xCB8582CD(3414524621), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 01:20:08.983: ISAKMP: received ke message (1/1)
*Mar 1 01:20:08.983: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 01:20:08.983: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 74.80.56.70, remote ASA-IP)
*Mar 1 01:20:08.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 01:20:08.991: ISAKMP (0:1): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar 1 01:20:08.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 01:20:08.991: ISAKMP (0:1): sending packet to ASA-IP my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 01:20:18.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 01:20:18.991: ISAKMP (0:1): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar 1 01:20:18.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 01:20:18.991: ISAKMP (0:1): sending packet to ASA-IP my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 01:20:28.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 01:20:28.991: ISAKMP (0:1): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar 1 01:20:28.991: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 01:20:28.991: ISAKMP (0:1): sending packet to ASA-IP my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 01:20:38.979: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 74.80.56.70, remote= ASA-IP,
local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)
*Mar 1 01:20:38.979: ISAKMP: received ke message (3/1)
*Mar 1 01:20:38.979: ISAKMP (0:1): peer does not do paranoid keepalives.
*Mar 1 01:20:38.979: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer ASA-IP) input queue 0
*Mar 1 01:20:38.983: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer ASA-IP) input queue 0
*Mar 1 01:20:38.983: ISAKMP (0:1): deleting node 1094787083 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar 1 01:20:38.983: ISAKMP (0:1): deleting node -1121124209 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar 1 01:20:38.983: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 1 01:20:38.983: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_DEST_SA
*Mar 1 01:21:28.983: ISAKMP (0:1): purging node 1094787083
*Mar 1 01:21:28.983: ISAKMP (0:1): purging node -1121124209
*Mar 1 01:21:38.983: ISAKMP (0:1): purging SA., sa=830CF4BC, delme=830CF4BC
*Mar 1 01:21:38.983: CryptoEngine0: delete connection 1
ncollege#
Output from ASA:
Jul 19 14:17:57 [IKEv1]: IP = 74.80.56.70, Removing peer from peer table failed, no match!
Jul 19 14:17:57 [IKEv1]: IP = 74.80.56.70, Error: Unable to remove PeerTblEntry
Jul 19 14:18:27 [IKEv1]: IP = 74.80.56.70, Removing peer from peer table failed, no match!
Jul 19 14:18:27 [IKEv1]: IP = 74.80.56.70, Error: Unable to remove PeerTblEntry
I will note that I am doing some PAT at the router location... At that location, I cannot seem to ping the outside interface of the ASA from the router. From the internal hosts that are not going through the VPN I can ping the outside interface of the ASA.
Relevant config of router:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key MYKEY address ASA-IP no-xauth
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
!
crypto map mymap 1 ipsec-isakmp
set peer ASA-IP
set transform-set myset2
match address 101
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet0/1.108
description intRAnetVLAN
encapsulation dot1Q 108
ip address 192.168.8.1 255.255.255.0
!
interface FastEthernet0/1.109
description intERnetVLAN
encapsulation dot1Q 109
ip address 192.168.9.1 255.255.255.0
ip nat inside
ip nat pool overit 74.80.56.70 74.80.56.70 netmask 255.255.255.0
ip nat inside source route-map nonat pool overit overload
ip route 192.168.1.0 255.255.255.0 ASA-IP
ip route 192.168.3.0 255.255.255.0 ASA-IP
ip route 192.168.5.0 255.255.255.0 ASA-IP
!
access-list 1 permit 192.168.9.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 deny ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 deny ip 192.168.8.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 deny ip 192.168.8.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 120 permit ip 192.168.8.0 0.0.0.255 any
access-list 120 permit ip 192.168.9.0 0.0.0.255 any
!
route-map sip_nat permit 10
match ip address udp_rtp
!
route-map nonat permit 10
match ip address 120
07-23-2012 07:44 PM
After the reboot, I cannot ping to the inside of the remote ASA, but now I see:
ncollege# sh crypto isakmp sa
dst              src              state          conn-id  slot
174.79.16.121    74.80.56.70      MM_NO_STATE    1        0
ncollege# sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: mymap, local addr. 74.80.56.70
protected vrf:
local ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 174.79.16.121:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 74.80.56.70, remote crypto endpt.: 174.79.16.121
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf:
local ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
current_peer: 174.79.16.121:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 10, #recv errors 0
local crypto endpt.: 74.80.56.70, remote crypto endpt.: 174.79.16.121
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf:
local ident (addr/mask/prot/port): (192.168.8.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
current_peer: 174.79.16.121:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 74.80.56.70, remote crypto endpt.: 174.79.16.121
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
and debug on the 2621:
*Mar 1 00:46:00.923: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 74.80.56.70, remote= 174.79.16.121,
local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x7E29DEBB(2116673211), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 00:46:00.927: ISAKMP: received ke message (1/1)
*Mar 1 00:46:00.927: ISAKMP (0:0): SA request profile is (NULL)
*Mar 1 00:46:00.931: ISAKMP: local port 500, remote port 500
*Mar 1 00:46:00.931: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 00:46:00.931: ISAKMP: insert sa successfully sa = 82ACEE04
*Mar 1 00:46:00.931: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
*Mar 1 00:46:00.931: ISAKMP: Looking for a matching key for 174.79.16.121 in default : success
*Mar 1 00:46:00.931: ISAKMP (0:1): found peer pre-shared key matching 174.79.16.121
*Mar 1 00:46:00.935: ISAKMP (0:1): constructed NAT-T vendor-07 ID
*Mar 1 00:46:00.935: ISAKMP (0:1): constructed NAT-T vendor-03 ID
*Mar 1 00:46:00.935: ISAKMP (0:1): constructed NAT-T vendor-02 ID
*Mar 1 00:46:00.935: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 00:46:00.935: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 00:46:00.935: ISAKMP (0:1): beginning Main Mode exchange
*Mar 1 00:46:00.935: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE...
*Mar 1 00:46:10.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:46:10.939: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 1 00:46:10.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 00:46:10.939: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:46:20.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:46:20.939: ISAKMP (0:1): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar 1 00:46:20.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 00:46:20.939: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:46:30.923: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 74.80.56.70, remote= 174.79.16.121,
local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)
*Mar 1 00:46:30.923: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 74.80.56.70, remote= 174.79.16.121,
local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xB34E87CE(3008268238), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 00:46:30.927: ISAKMP: received ke message (1/1)
*Mar 1 00:46:30.927: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 00:46:30.927: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 74.80.56.70, remote 174.79.16.121)
*Mar 1 00:46:30.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:46:30.939: ISAKMP (0:1): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar 1 00:46:30.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 00:46:30.939: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:46:40.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:46:40.939: ISAKMP (0:1): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar 1 00:46:40.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 00:46:40.939: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:46:50.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:46:50.939: ISAKMP (0:1): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar 1 00:46:50.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 00:46:50.939: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:47:00.923: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 74.80.56.70, remote= 174.79.16.121,
local_proxy= 192.168.8.0/255.255.255.0/0/0 (type=4),
remote_proxy= 192.168.3.0/255.255.255.0/0/0 (type=4)
*Mar 1 00:47:00.923: ISAKMP: received ke message (3/1)
*Mar 1 00:47:00.923: ISAKMP (0:1): peer does not do paranoid keepalives.
*Mar 1 00:47:00.923: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 174.79.16.121) input queue 0
*Mar 1 00:47:00.927: ISAKMP (0:1): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 174.79.16.121) input queue 0
*Mar 1 00:47:00.927: ISAKMP (0:1): deleting node 674391746 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar 1 00:47:00.927: ISAKMP (0:1): deleting node -609125903 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar 1 00:47:00.927: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 1 00:47:00.927: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_DEST_SA
07-24-2012 06:07 AM
I still only see this in the debugs on the ASA side...
Jul 24 07:00:20 [IKEv1]: IP = 74.80.56.70, Removing peer from peer table failed, no match!
Jul 24 07:00:20 [IKEv1]: IP = 74.80.56.70, Error: Unable to remove PeerTblEntry
It sure seems like the entire process is not showing up on the ASA, even though on the 2621 I see all of the debug output that I posted in my last post.
07-24-2012 10:55 AM
Really odd, the only response I can see on the ASA is the
IKE Peer: 74.80.56.70
Type : user Role : responder
Rekey : no State : MM_WAIT_MSG3
from sh isakmp sa
and also in the debugs on the ASA all I see is:
Jul 24 12:35:25 [IKEv1]: IP = 74.80.56.70, Removing peer from peer table failed, no match!
Jul 24 12:35:25 [IKEv1]: IP = 74.80.56.70, Error: Unable to remove PeerTblEntry
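The router sitting in MM_NO_STATE through five retransmits and the ASA sitting in MM_WAIT_MSG3 are the two data points that locate this failure, and the same correlation works for any pair of main-mode states. Below is an added Python example (not code from this thread and not Cisco code) that parses the router's `debug crypto isakmp` lines and the ASA's `show isakmp sa` peer block and reports which main-mode message was lost and in which direction. The sample input is constructed from the lines quoted above, using the thread's own addresses; the state-to-message mapping is the standard IKEv1 main-mode sequence (MM1 to MM6, odd messages from the initiator, even messages from the responder).

```python
"""Correlate IKEv1 main-mode state on both peers to find the lost message.

Added example for this thread; not code from the original posts or from
Cisco.  Sample text below is constructed to mirror the IOS debug lines and
the ASA 'show isakmp sa' block quoted in the thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: router side, trimmed to the lines the parser needs.
IOS_DEBUG = """\
*Mar 1 00:46:00.935: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 00:46:00.935: ISAKMP (0:1): sending packet to 174.79.16.121 my_port 500 peer_port 500 (I) MM_NO_STATE...
*Mar 1 00:46:10.939: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 1 00:46:50.939: ISAKMP (0:1): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar 1 00:47:00.927: ISAKMP (0:1): Old State = IKE_I_MM1 New State = IKE_DEST_SA
"""

# Constructed sample: one peer block from the ASA's 'show isakmp sa'.
ASA_SHOW = """\
IKE Peer: 74.80.56.70
Type : user Role : responder
Rekey : no State : MM_WAIT_MSG3
"""

# Which main-mode message each side is waiting for in a given state.
# Odd messages travel initiator->responder, even ones responder->initiator.
IOS_INITIATOR_WAITS = {"MM_NO_STATE": 2, "MM_SA_SETUP": 4, "MM_KEY_EXCH": 6}
ASA_WAITS = {f"MM_WAIT_MSG{n}": n for n in range(2, 7)}

SEND_RE = re.compile(r"sending packet to (\S+) my_port \d+ peer_port \d+ \((I|R)\) (\S+)")
RETRY_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
TRANS_RE = re.compile(r"Old State = (\S+) New State = (\S+)")


@dataclass
class IosIkeSummary:
    peer: str = ""
    role: str = ""                 # "I" initiator or "R" responder
    state: str = ""                # MM_* state stamped on the last packet sent
    retries: int = 0
    max_retries: int = 0
    transitions: list = field(default_factory=list)
    torn_down: bool = False        # IKE_DEST_SA: the router gave up on phase 1


def parse_ios_debug(text: str) -> IosIkeSummary:
    s = IosIkeSummary()
    for line in text.splitlines():
        if m := SEND_RE.search(line):
            s.peer, s.role, s.state = m.group(1), m.group(2), m.group(3).rstrip(".")
        elif m := RETRY_RE.search(line):
            s.retries, s.max_retries = int(m.group(1)), int(m.group(2))
        elif m := TRANS_RE.search(line):
            s.transitions.append((m.group(1), m.group(2)))
            s.torn_down |= m.group(2) == "IKE_DEST_SA"
    return s


def parse_asa_show(text: str) -> dict:
    """Pull role and state out of one ASA 'show isakmp sa' peer block."""
    out = {}
    for key in ("Role", "State"):
        if m := re.search(rf"\b{key}\s*:\s*(\S+)", text):
            out[key.lower()] = m.group(1)
    return out


def diagnose(ios: IosIkeSummary, asa: dict) -> str:
    """Name the lost main-mode message and the direction it was lost in."""
    if ios.role != "I":
        return "this check assumes the router is the initiator"
    wi = IOS_INITIATOR_WAITS.get(ios.state)
    if wi is None:
        return f"no mapping for router state {ios.state}"
    if not asa:
        # No SA at all on the ASA: the router's last message never arrived.
        return f"ASA has no SA for this peer: MM{wi - 1} never reached the ASA"
    if asa.get("role") != "responder":
        return "this check assumes the ASA is the responder"
    wr = ASA_WAITS.get(asa.get("state", ""))
    if wr is None:
        return f"no mapping for ASA state {asa.get('state')}"
    prefix = (f"router retransmitted {ios.retries}/{ios.max_retries} and "
              f"{'tore down' if ios.torn_down else 'kept'} the SA; ")
    if wr == wi + 1:
        return prefix + (f"ASA received MM{wi - 1} and sent MM{wi}, router never saw it: "
                         "return path ASA->router is broken (check the address the ASA "
                         "replies to, NAT, and ACLs on UDP/500)")
    if wr == wi - 1:
        return prefix + (f"router sent MM{wr} but the ASA never received it: "
                         "forward path router->ASA is broken")
    return prefix + (f"states do not line up (router waits MM{wi}, ASA waits MM{wr}); "
                     "likely a stale entry on one side")


if __name__ == "__main__":
    print(diagnose(parse_ios_debug(IOS_DEBUG), parse_asa_show(ASA_SHOW)))
```

For the states in this thread it reports that the ASA accepted MM1 and answered with MM2 that the router never saw, which points at the return path to the router rather than at the ISAKMP policy (already accepted by the time the ASA reaches MM_WAIT_MSG3) or the pre-shared key (not checked until MM5/MM6).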
07-25-2012 08:44 AM
Ok, I have this all working now (at least the VPN). As it turns out you cannot do the loopback (or at least it was not working in that capacity). What I did was the following:
Set the NAT/PAT to go out the IP address of the loopback interface.
Reapply the crypto map on the ASA to use the dynamically (static) assigned IP from the ISP that goes to fa0/0 on the 2621.
Reload the router.
It came up first try.
07-26-2012 10:27 AM
Great work, and thanks for sharing.