IPSEC VTI VPN Phase 2 issue between ASA5506 & Cisco c3945.

Drew1815
Level 1

Good Afternoon All,

 

I'm attempting to establish an IPSEC VTI VPN tunnel connection between a Cisco ASA 5506 F/W and a Cisco c3945 router.

Let me state that I already have numerous successful IPSEC VTI VPN connections on the c3945 to a number of different devices, including Cisco ISR routers and non-Cisco devices (i.e. Sophos UTM) etc. This is the first attempt with a Cisco ASA F/W device.

 

Summary:
=======

 Public IP                                       Public IP
 10.100.10.1                                     20.200.20.2
      ASA ==========IPSEC VTI VPN============ c3945
 Tunnel1                                         Tunnel2
 192.168.10.14 /30                               192.168.10.13 /30

 

Note: Using IKE v1

Phase 1 completes the ISAKMP negotiations and establishes an SA; however, Phase 2 IPSEC seems to be unable to "match" the proposed IPSEC Transform-set (TS) and the Phase 2 negotiation fails. I have both googled and searched the CCO Community. Although there are a few hits/examples which relate to the above symptoms, some are a simple mismatch of the defined IPSEC TS and another indicates that the issue was fixed using certs rather than a pre-shared key.

 

I have also "heard" on the grapevine that there may be an incompatibility issue (software bug, aka Cisco enhanced feature) when using ASA IPSEC Virtual Tunnel Interfaces (VTIs). Has anyone successfully established an IPSEC VTI VPN (i.e. not the standard site-to-site IPSEC VPN) between an ASA and another Cisco platform (hopefully a c3900 series device)? I'm looking forward to thoughts on this.

 

I have posted the scrubbed device configs further below, so please no comments about inappropriate IP addressing as they are far removed from the actual IPs etc.

 

I'm hoping that it may be just a simple configuration error, however please bear in mind the c3945 is running stable but old software and this may be a "known" and fixed issue.

 

All thoughts welcome.

 

Thanking you.

 

Regards,

Drew

 

The following are debugs from the c3945 side:

 

Phase 1 (ISAKMP) SA is established successfully:

May 31 2019 23:43:15.946 AEST: ISAKMP:(0):Checking ISAKMP transform 1 against priority 7 policy
May 31 2019 23:43:15.946 AEST: ISAKMP:      default group 5
May 31 2019 23:43:15.946 AEST: ISAKMP:      encryption AES-CBC
May 31 2019 23:43:15.946 AEST: ISAKMP:      keylength of 256
May 31 2019 23:43:15.946 AEST: ISAKMP:      hash SHA
May 31 2019 23:43:15.946 AEST: ISAKMP:      auth pre-share
May 31 2019 23:43:15.946 AEST: ISAKMP:      life type in seconds
May 31 2019 23:43:15.946 AEST: ISAKMP:      life duration (VPI) of  0x0 0x0 0x70 0x80
May 31 2019 23:43:15.946 AEST: ISAKMP:(0):atts are acceptable. Next payload is 3
May 31 2019 23:43:15.946 AEST: ISAKMP:(0):Acceptable atts:actual life: 28800
May 31 2019 23:43:15.946 AEST: ISAKMP:(0):Acceptable atts:life: 0
May 31 2019 23:43:15.946 AEST: ISAKMP:(0):Fill atts in sa vpi_length:4
May 31 2019 23:43:15.946 AEST: ISAKMP:(0):Fill atts in sa life_in_seconds:28800
May 31 2019 23:43:15.946 AEST: ISAKMP:(0):Returning Actual lifetime: 28800
May 31 2019 23:43:15.946 AEST: ISAKMP:(0)::Started lifetime timer: 28800.

May 31 2019 23:43:15.948 AEST: ISAKMP:(0): processing vendor id payload
May 31 2019 23:43:15.948 AEST: ISAKMP:(0): processing IKE frag vendor id payload
May 31 2019 23:43:15.948 AEST: ISAKMP:(0):Support for IKE Fragmentation not enabled
May 31 2019 23:43:15.948 AEST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 31 2019 23:43:15.948 AEST: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

May 31 2019 23:43:15.948 AEST: ISAKMP:(0): sending packet to 10.100.10.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
May 31 2019 23:43:15.948 AEST: ISAKMP:(0):Sending an IKE IPv4 Packet.
May 31 2019 23:43:15.948 AEST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 31 2019 23:43:15.948 AEST: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

May 31 2019 23:43:15.986 AEST: ISAKMP (0): received packet from 10.100.10.1 dport 500 sport 500 Global (R) MM_SA_SETUP
May 31 2019 23:43:15.986 AEST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 31 2019 23:43:15.986 AEST: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

May 31 2019 23:43:15.986 AEST: ISAKMP:(0): processing KE payload. message ID = 0
May 31 2019 23:43:15.986 AEST: ISAKMP:(0): processing NONCE payload. message ID = 0
May 31 2019 23:43:15.986 AEST: ISAKMP:(0):found peer pre-shared key matching 10.100.10.1
May 31 2019 23:43:15.986 AEST: ISAKMP:(14678): processing vendor id payload
May 31 2019 23:43:15.986 AEST: ISAKMP:(14678): vendor ID is Unity
May 31 2019 23:43:15.986 AEST: ISAKMP:(14678): processing vendor id payload
May 31 2019 23:43:15.986 AEST: ISAKMP:(14678): vendor ID seems Unity/DPD but major 167 mismatch
May 31 2019 23:43:15.986 AEST: ISAKMP:(14678): vendor ID is XAUTH
May 31 2019 23:43:15.986 AEST: ISAKMP:(14678): processing vendor id payload
May 31 2019 23:43:15.986 AEST: ISAKMP:(14678): speaking to another IOS box!
May 31 2019 23:43:15.986 AEST: ISAKMP:(14678): processing vendor id payload
May 31 2019 23:43:15.986 AEST: ISAKMP:(14678):vendor ID seems Unity/DPD but hash mismatch
May 31 2019 23:43:15.986 AEST: ISAKMP:(14678):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 31 2019 23:43:15.986 AEST: ISAKMP:(14678):Old State = IKE_R_MM3  New State = IKE_R_MM3

May 31 2019 23:43:15.988 AEST: ISAKMP:(14678): sending packet to 10.100.10.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
May 31 2019 23:43:15.988 AEST: ISAKMP:(14678):Sending an IKE IPv4 Packet.
May 31 2019 23:43:15.988 AEST: ISAKMP:(14678):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 31 2019 23:43:15.988 AEST: ISAKMP:(14678):Old State = IKE_R_MM3  New State = IKE_R_MM4

 

However, Phase 2 IPSEC can't find a "matching" IPSEC TS:

 

May 31 2019 23:43:16.028 AEST: ISAKMP:(14678): sending packet to 10.100.10.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
May 31 2019 23:43:16.028 AEST: ISAKMP:(14678):Sending an IKE IPv4 Packet.
May 31 2019 23:43:16.028 AEST: ISAKMP:(14678):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 31 2019 23:43:16.028 AEST: ISAKMP:(14678):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

May 31 2019 23:43:16.028 AEST: ISAKMP:(14678):IKE_DPD is enabled, initializing timers
May 31 2019 23:43:16.028 AEST: ISAKMP:(14678):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 31 2019 23:43:16.028 AEST: ISAKMP:(14678):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

May 31 2019 23:43:16.066 AEST: ISAKMP (14678): received packet from 10.100.10.1 dport 500 sport 500 Global (R) QM_IDLE     
May 31 2019 23:43:16.066 AEST: ISAKMP: set new node -1429091036 to QM_IDLE     
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678): processing HASH payload. message ID = 2865876260
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678): processing SA payload. message ID = 2865876260
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678):Checking IPSec proposal 1
May 31 2019 23:43:16.066 AEST: ISAKMP: transform 1, ESP_AES
May 31 2019 23:43:16.066 AEST: ISAKMP:   attributes in transform:
May 31 2019 23:43:16.066 AEST: ISAKMP:      SA life type in seconds
May 31 2019 23:43:16.066 AEST: ISAKMP:      SA life duration (basic) of 28800
May 31 2019 23:43:16.066 AEST: ISAKMP:      SA life type in kilobytes
May 31 2019 23:43:16.066 AEST: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
May 31 2019 23:43:16.066 AEST: ISAKMP:      encaps is 1 (Tunnel)
May 31 2019 23:43:16.066 AEST: ISAKMP:      authenticator is HMAC-SHA
May 31 2019 23:43:16.066 AEST: ISAKMP:      key length is 256
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678):atts are acceptable.
May 31 2019 23:43:16.066 AEST: IPSEC(validate_proposal_request): proposal part #1
May 31 2019 23:43:16.066 AEST: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 20.200.20.2:0, remote= 10.100.10.1:0,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
May 31 2019 23:43:16.066 AEST: Crypto mapdb : proxy_match
        src addr     : 0.0.0.0
        dst addr     : 0.0.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: Crypto mapdb : proxy_match
        src addr     : 0.0.0.0
        dst addr     : 0.0.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: Crypto mapdb : proxy_match
        src addr     : 0.0.0.0
        dst addr     : 0.0.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
May 31 2019 23:43:16.066 AEST: Crypto mapdb : proxy_match
        src addr     : 0.0.0.0
        dst addr     : 0.0.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
May 31 2019 23:43:16.066 AEST: Crypto mapdb : proxy_match
        src addr     : 0.0.0.0
        dst addr     : 0.0.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: Crypto mapdb : proxy_match
        src addr     : 0.0.0.0
        dst addr     : 0.0.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
May 31 2019 23:43:16.066 AEST: Crypto mapdb : proxy_match
        src addr     : 0.0.0.0
        dst addr     : 0.0.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: Crypto mapdb : proxy_match
        src addr     : 0.0.0.0
        dst addr     : 0.0.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
May 31 2019 23:43:16.066 AEST: Crypto mapdb : proxy_match
        src addr     : 0.0.0.0
        dst addr     : 0.0.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
May 31 2019 23:43:16.066 AEST: Crypto mapdb : proxy_match
        src addr     : 0.0.0.0
        dst addr     : 0.0.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
May 31 2019 23:43:16.066 AEST: IPSEC(ipsec_process_proposal): invalid transform proposal flags -- 0x1
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678): IPSec policy invalidated proposal with error 1024
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678): phase 2 SA policy not acceptable! (local 20.200.20.1 remote 10.100.10.1)
May 31 2019 23:43:16.066 AEST: ISAKMP: set new node 24155184 to QM_IDLE     
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 636948416, message ID = 24155184
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678): sending packet to 10.100.10.1 my_port 500 peer_port 500 (R) QM_IDLE     
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678):Sending an IKE IPv4 Packet.
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678):purging node 24155184
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678):deleting node -1429091036 error TRUE reason "QM rejected"
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678):Node 2865876260, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678):Old State = IKE_QM_READY  New State = IKE_QM_READY

 

 

#### Device Configs ####


ASA 5500 IPSEC VTI VPN Snippets:
===============================
!
### ASA S/ware version ###
!
Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
!
### IPSEC Interfaces ###
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 10.100.10.1 255.255.255.0
!
interface Tunnel1
 nameif VRTI
 ip address 192.168.10.14 255.255.255.252
 tunnel source interface outside
 tunnel destination 20.200.20.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ABC1
!
### Phase 1 ISAKMP (IKEv1) Parameters ###
!
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
!
tunnel-group 20.200.20.2 ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck
 isakmp keepalive disable
!
### Phase 2 IPSEC (IKEv1) Parameters ###
!
crypto ipsec ikev1 transform-set ABC1 esp-aes-256 esp-sha-hmac
crypto ipsec profile ABC1
 set ikev1 transform-set ABC1
 set pfs group14
 set security-association lifetime seconds 28800
!
group-policy ABC-Tunnel internal
group-policy ABC-Tunnel attributes
 vpn-idle-timeout none
 vpn-filter none
 vpn-tunnel-protocol ikev1
!
### ACLs etc ###
!
object network ABC_Services
 subnet 109.10.180.0 255.255.255.0
object network ABC_remote
 subnet 192.168.10.14 255.255.255.255
!
access-list outsite_to_CDE extended permit ip object ABC_remote object ABC_Services
!
crypto map static-map 2 match address outsite_to_CDE
crypto map static-map 2 set pfs
crypto map static-map 2 set peer 192.168.10.13
crypto map static-map 2 set ikev1 transform-set ABC1
crypto map static-map 2 set nat-t-disable
!

c3945 IOS IPSEC VTI VPN Snippets:
=================================
!
### IOS Software Version ###
!
Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M), Version 15.4(3)M3, RELEASE SOFTWARE (fc2)
!
### IPSEC Interfaces ###
!
interface Loopback10
 description IP Public
 ip address 20.200.20.2 255.255.255.255
!
!
interface Tunnel2
 description IPSEC VTI VPN Tunnel
 ip address 192.168.10.13 255.255.255.252
 ip access-group TS_VPN in
 ip mtu 1400
 ip tcp adjust-mss 1360
 load-interval 30
 tunnel source Loopback10
 tunnel mode ipsec ipv4
 tunnel destination 10.100.10.1
 tunnel protection ipsec profile TS_VPN
!
### Phase 1 ISAKMP (IKEv1) Parameters ###
!
crypto isakmp policy 7
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
!
crypto isakmp key 6 <removed> address 10.100.10.1
!
### Phase 2 IPSEC (IKEv1) Parameters ###
!
crypto ipsec transform-set TS-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile TS_VPN
 set transform-set TS-SHA
 set pfs group14
!
ip access-list extended TS_VPN
 permit icmp host 192.168.10.14 host 192.168.10.13
 permit ip any any log
 deny   ip any any log
!

 


Drew1815
Level 1

Adding:

ASA Debug /Log Messages:

======================


ASA> en
Password:
ASA# terminal pager 0
ASA# show logging asdm
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 5
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 5
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
6|May 31 2019 17:32:46|113009: AAA retrieved default group policy (ABC-Tunnel) for user = 20.200.20.2
5|May 31 2019 17:32:46|713119: Group = 20.200.20.2, IP = 20.200.20.2, PHASE 1 COMPLETED
5|May 31 2019 17:32:46|713904: Group = 20.200.20.2, IP = 20.200.20.2, All IPSec SA proposals found unacceptable!
3|May 31 2019 17:32:46|713902: Group = 20.200.20.2, IP = 20.200.20.2, QM FSM error (P2 struct &0x00007f833567d400, mess id 0xd9e9e85e)!
3|May 31 2019 17:32:46|713902: Group = 20.200.20.2, IP = 20.200.20.2, Removing peer from correlator table failed, no match!
6|May 31 2019 17:32:46|713905: Group = 20.200.20.2, IP = 20.200.20.2, Warning: Ignoring IKE SA (src) without VM bit set
5|May 31 2019 17:32:46|713259: Group = 20.200.20.2, IP = 20.200.20.2, Session is being torn down. Reason: Phase 2 Mismatch
4|May 31 2019 17:32:46|113019: Group = 20.200.20.2, Username = 20.200.20.2, IP = 20.200.20.2, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5|May 31 2019 17:32:46|713904: IP = 20.200.20.2, Received encrypted packet with no matching SA, dropping
3|May 31 2019 17:32:55|610001: NTP daemon interface inside_7: Packet denied from 192.x.x.x
5|May 31 2019 17:33:05|502103: User priv level changed: Uname: enable_15 From: 1 To: 15
5|May 31 2019 17:33:05|111008: User 'enable_1' executed the 'enable' command.
5|May 31 2019 17:33:06|752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1.  Map Tag = __vti-crypto-map-6-0-1.  Map Sequence Number = 65280.
4|May 31 2019 17:33:06|752010: IKEv2 Doesn't have a proposal specified
5|May 31 2019 17:33:06|713041: IP = 20.200.20.2, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 20.200.20.2  local Proxy Address 0.0.0.0, remote Proxy Address 0.0.0.0,  Crypto map (__vti-crypto-map-6-0-1)
6|May 31 2019 17:33:06|113009: AAA retrieved default group policy (ABC-Tunnel) for user = 20.200.20.2
5|May 31 2019 17:33:06|713119: Group = 20.200.20.2, IP = 20.200.20.2, PHASE 1 COMPLETED
5|May 31 2019 17:33:06|713068: Group = 20.200.20.2, IP = 20.200.20.2, Received non-routine Notify message: No proposal chosen (14)
5|May 31 2019 17:33:10|111008: User 'enable_15' executed the 'terminal pager 0' command.
5|May 31 2019 17:33:10|111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'terminal pager 0'
5|May 31 2019 17:33:16|713904: Group = 20.200.20.2, IP = 20.200.20.2, All IPSec SA proposals found unacceptable!
3|May 31 2019 17:33:16|713902: Group = 20.200.20.2, IP = 20.200.20.2, QM FSM error (P2 struct &0x00007f83356ba900, mess id 0x224b8d6b)!
3|May 31 2019 17:33:16|713902: Group = 20.200.20.2, IP = 20.200.20.2, Removing peer from correlator table failed, no match!
5|May 31 2019 17:33:26|713904: Group = 20.200.20.2, IP = 20.200.20.2, All IPSec SA proposals found unacceptable!
ASA#
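The c3945 debug in the opening post and the ASA log above are the two halves of the same phase 2 failure: the router accepts the ESP attributes ("atts are acceptable"), then logs "map_db_find_best did not find matching map" for the 0.0.0.0/0 proxy identities and sends PROPOSAL_NOT_CHOSEN, which the ASA records as 713904 and a 713259 "Phase 2 Mismatch" teardown. The Python script below is an added triage example, not Cisco's code and not the poster's: it parses both outputs in the formats quoted in this thread, normalises the three transform-set spellings that appear on this page (esp-aes 256, esp-aes-256 and esp-256-aes) so they compare equal, and separates a genuine transform-set mismatch from a proxy/crypto-map lookup failure. The sample lines inside the block are constructed to mirror the thread's output using its scrubbed addresses; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed samples in the formats quoted in the thread (not the original output).
IOS_DEBUG = """\
ISAKMP:(14678):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
ISAKMP:(14678):Checking IPSec proposal 1
ISAKMP:(14678):atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 20.200.20.2:0, remote= 10.100.10.1:0,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
map_db_find_best did not find matching map
ISAKMP:(14678): IPSec policy invalidated proposal with error 1024
ISAKMP:(14678):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""
IOS_CONFIG = """\
crypto ipsec transform-set TS-SHA esp-aes 256 esp-sha-hmac
crypto ipsec profile TS_VPN
 set transform-set TS-SHA
"""
ASA_LOG = """\
5|May 31 2019 17:32:46|713119: Group = 20.200.20.2, IP = 20.200.20.2, PHASE 1 COMPLETED
5|May 31 2019 17:32:46|713904: Group = 20.200.20.2, IP = 20.200.20.2, All IPSec SA proposals found unacceptable!
5|May 31 2019 17:32:46|713259: Group = 20.200.20.2, IP = 20.200.20.2, Session is being torn down. Reason: Phase 2 Mismatch
5|May 31 2019 17:33:06|713068: Group = 20.200.20.2, IP = 20.200.20.2, Received non-routine Notify message: No proposal chosen (14)
"""


def normalize_transform(text):
    """'esp-aes 256' (IOS config), 'esp-aes-256' (ASA) and 'esp-256-aes' (IOS show
    crypto map) all become 'esp-aes-256'; the result is sorted so order is ignored."""
    tokens = []
    for tok in text.replace(",", " ").split():
        if tok.isdigit() and tokens:
            tokens[-1] += "-" + tok            # 'esp-aes' '256' -> 'esp-aes-256'
        else:
            tokens.append(tok)
    return tuple(sorted(re.sub(r"^esp-(\d+)-aes$", r"esp-aes-\1", t) for t in tokens))


def parse_transform_sets(config):
    """Name -> normalised transform, for both IOS and ASA 'transform-set' lines."""
    pat = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$", re.M)
    return {name: normalize_transform(body) for name, body in pat.findall(config)}


def parse_ios_quick_mode(debug):
    """Peer's ESP proposal plus the responder's verdict. Only lines after
    'Checking IPSec proposal' count, so phase 1's own 'atts are acceptable' is skipped."""
    lines = debug.splitlines()
    start = next((i for i, l in enumerate(lines) if "Checking IPSec proposal" in l), len(lines))
    r = {"transform": None, "encaps": None, "local_proxy": None, "remote_proxy": None,
         "proposal_accepted": None, "map_lookup_failed": False, "rejected": False}
    for line in lines[start:]:
        if m := re.search(r"transform=\s*(.+?)\s+\((Tunnel|Transport)\)", line):
            r["transform"], r["encaps"] = m.group(1), m.group(2)
        if m := re.search(r"(local|remote)_proxy=\s*([\d./]+)", line):
            r[m.group(1) + "_proxy"] = m.group(2)
        if m := re.search(r"atts (?:are )?(not )?acceptable", line):
            r["proposal_accepted"] = m.group(1) is None
        r["map_lookup_failed"] |= "did not find matching map" in line
        r["rejected"] |= "PROPOSAL_NOT_CHOSEN" in line or "invalidated proposal" in line
    return r


def describe_proxy(proxy):
    """IOS proxy identity is addr/mask/protocol/port; 256 means any protocol, 0 any port."""
    addr, mask, proto, port = proxy.split("/")
    return f"{addr}/{mask} proto {'any' if proto == '256' else proto} port {'any' if port == '0' else port}"


def parse_asa_phase2(log):
    """Count ASA syslog message IDs and pull the teardown reason / received notify."""
    pat = re.compile(r"^(\d)\|([^|]+)\|(\d{6}): (.*)$")
    info = {"counts": Counter(), "teardown_reason": None, "peer_notify": None}
    for line in log.splitlines():
        if not (m := pat.match(line)):
            continue
        msgid, body = m.group(3), m.group(4)
        info["counts"][msgid] += 1
        if msgid == "713259" and (x := re.search(r"Reason: (.+)$", body)):
            info["teardown_reason"] = x.group(1)
        if msgid == "713068" and (x := re.search(r"Notify message: (.+)$", body)):
            info["peer_notify"] = x.group(1)
    return info


def diagnose(ios, configured):
    """One-line verdict: transform-set mismatch, or proxy/crypto-map lookup failure?"""
    if ios["transform"] is None:
        return "no IPSec proposal seen; phase 2 never reached the responder"
    matches = sorted(n for n, t in configured.items() if t == normalize_transform(ios["transform"]))
    if ios["proposal_accepted"] is False or not matches:
        return f"transform mismatch: peer proposed {ios['transform']} ({ios['encaps']}), local sets {sorted(configured)}"
    if ios["map_lookup_failed"]:
        return (f"transform {ios['transform']} matches {matches}, but no crypto map/profile accepted proxy "
                f"local={describe_proxy(ios['local_proxy'])} remote={describe_proxy(ios['remote_proxy'])}; "
                "look at the tunnel/crypto-map definitions on both ends rather than the transform set")
    return "proposal rejected for another reason" if ios["rejected"] else "proposal accepted"


if __name__ == "__main__":
    ios, asa = parse_ios_quick_mode(IOS_DEBUG), parse_asa_phase2(ASA_LOG)
    print("IOS side:", diagnose(ios, parse_transform_sets(IOS_CONFIG)))
    print("ASA side:", asa["teardown_reason"], "/ peer notify:", asa["peer_notify"], dict(asa["counts"]))
```

Run against the thread's own output, the IOS verdict is "matches ['TS-SHA'] ... no crypto map/profile accepted proxy 0.0.0.0/0.0.0.0 proto any port any", which is consistent with the accepted answer: the ESP proposal itself is fine, and it is the extra ASA crypto map alongside the VTI that needs to go. Feed the script a full `debug crypto isakmp` capture and it still works, because parsing starts at the first "Checking IPSec proposal" line.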

Hi,

You don't need to define a VTI and a Crypto Map on either device, you just need to define the VTI with a static route to the destination via the tunnel interface. Example here.

 

HTH

Hi HTH,

 

Firstly thank you for your reply and excellent example!

 

OK, so I will re-configure for IKEv2 rather than IKEv1 and retest /advise.

 

From my limited understanding, "crypto profiles" replaced "crypto maps" from a configuration perspective, but the IOS still creates them:

#sh crypto map
Crypto Map IPv4 "Tunnel2-head-0" 63344 ipsec-isakmp
        Profile name: TS_VPN
        Security association lifetime: 4608000 kilobytes/28800 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): Y
        DH group:  group14
        Mixed-mode : Disabled
        Transform sets={
                TS-SHA:  { esp-256-aes esp-sha-hmac  } ,
        }

Crypto Map IPv4 "Tunnel2-head-0" 63344 ipsec-isakmp
        Map is a PROFILE INSTANCE.
        Peer = 10.100.10.1
        Extended IP access list
            access-list  permit ip any any
        Current peer: 10.100.10.1
        Security association lifetime: 4608000 kilobytes/28800 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): Y
        DH group:  group14
        Mixed-mode : Disabled
        Transform sets={
                TS-SHA:  { esp-256-aes esp-sha-hmac  } ,
        }
        Always create SAs
        Interfaces using crypto map Tunnel2-head-0:
                Tunnel2

 

Thanking you

Regards

Drew

Yes that definitely worked with IKEv2 as per the configuration example - thank you very much!

 

Would you have another example showing how to source NAT on the ASA using the ASA VTI endpoint IP as the NAT source IP?

i.e. all traffic traversing the IPSEC tunnel to the IOS router would have a source IP of the ASA tunnel side.

Thanking you in advance

Kind Regards,

Drew

Just to clarify - the traffic would be source NAT using 192.168.10.14.

Hi,
I don't believe you can use the VTI IP address as the source of the NAT; it doesn't appear to allow it. You can NAT over a VTI though, you just need to define an object and create a NAT rule. E.g.:

 

object network LOCAL_NETWORK
 subnet 10.30.0.0 255.255.252.0

object network NAT_OBJECT
 host 192.168.10.15

nat (INSIDE,any) source dynamic LOCAL_NETWORK NAT_OBJECT destination static REMOTE_NET REMOTE_NET

 

When creating the NAT rule it doesn't allow you to specify the nameif of the VTI, hence why you need to define "any", which is why you cannot NAT behind the interface. This is using ASA v9.9(1).

 

HTH

Hi,

Yep that works for ASA NAT functionality - thank you once again.

 

Cheers

Drew
