Site-2-Site IPSEC VPN tunnel will not come up.

sidney.dsouza
Level 1

Hello Experts,

Just wondering if I can get some help with setting up an IPsec VPN tunnel between a Cisco 2921 and an ASA 550x. Below is the config:

show run | s crypto

crypto pki token default removal timeout 0
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxxxxxxxxxxxxxxxxxxx address A.A.A.A
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
 mode transport
crypto map ICQ-2-ILAND 1 ipsec-isakmp
 set peer A.A.A.A
 set transform-set ESP-AES128-SHA
 match address iland_london_s2s_vpn
crypto map ICQ-2-ILAND

The config on the remote end has not been shared with me, so I don't know if I am doing something wrong locally or if the remote end is wrongly configured.

The command show crypto isakmp sa displays the following:

show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
A.A.A.A    B.B.B.B   MM_NO_STATE       1231 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

show crypto session
Crypto session current status

Interface: GigabitEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: A.A.A.A port 500
  IKEv1 SA: local B.B.B.B/500 remote A.A.A.A/500 Inactive
  IKEv1 SA: local B.B.B.B/500 remote A.A.A.A/500 Inactive
  IPSEC FLOW: permit ip 10.20.111.0/255.255.255.0 10.120.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.10.0.0/255.255.0.0 10.120.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map

The debug logs from the debug crypto isakmp command are listed below.

ISAKMP:(0): local preshared key found
Dec  6 08:51:52.019: ISAKMP : Scanning profiles for xauth ...
Dec  6 08:51:52.019: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Dec  6 08:51:52.019: ISAKMP:      encryption AES-CBC
Dec  6 08:51:52.019: ISAKMP:      keylength of 128
Dec  6 08:51:52.019: ISAKMP:      hash SHA
Dec  6 08:51:52.019: ISAKMP:      default group 2
Dec  6 08:51:52.019: ISAKMP:      auth pre-share
Dec  6 08:51:52.019: ISAKMP:      life type in seconds
Dec  6 08:51:52.019: ISAKMP:      life duration (basic) of 28800
Dec  6 08:51:52.019: ISAKMP:(0):atts are acceptable. Next payload is 0
Dec  6 08:51:52.019: ISAKMP:(0):Acceptable atts:actual life: 0
Dec  6 08:51:52.019: ISAKMP:(0):Acceptable atts:life: 0
Dec  6 08:51:52.019: ISAKMP:(0):Basic life_in_seconds:28800
Dec  6 08:51:52.019: ISAKMP:(0):Returning Actual lifetime: 28800
Dec  6 08:51:52.019: ISAKMP:(0)::Started lifetime timer: 28800.

Dec  6 08:51:52.019: ISAKMP:(0): processing vendor id payload
Dec  6 08:51:52.019: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Dec  6 08:51:52.019: ISAKMP:(0): vendor ID is NAT-T v2
Dec  6 08:51:52.019: ISAKMP:(0): processing vendor id payload
Dec  6 08:51:52.019: ISAKMP:(0): processing IKE frag vendor id payload
Dec  6 08:51:52.019: ISAKMP:(0):Support for IKE Fragmentation not enabled
Dec  6 08:51:52.019: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec  6 08:51:52.019: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

Dec  6 08:51:52.019: ISAKMP:(0): sending packet to A.A.A.A my_port 500 peer_port 500 (I) MM_SA_SETUP
Dec  6 08:51:52.019: ISAKMP:(0):Sending an IKE IPv4 Packet.
Dec  6 08:51:52.019: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec  6 08:51:52.019: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

Dec  6 08:51:52.155: ISAKMP (0): received packet from A.A.A.A dport 500 sport 500 Global (I) MM_SA_SETUP
Dec  6 08:51:52.155: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec  6 08:51:52.155: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

Dec  6 08:51:52.155: ISAKMP:(0): processing KE payload. message ID = 0
Dec  6 08:51:52.175: ISAKMP:(0): processing NONCE payload. message ID = 0
Dec  6 08:51:52.175: ISAKMP:(0):found peer pre-shared key matching A.A.A.A
Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec  6 08:51:52.175: ISAKMP:(1227): vendor ID is Unity
Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec  6 08:51:52.175: ISAKMP:(1227): vendor ID seems Unity/DPD but major 92 mismatch
Dec  6 08:51:52.175: ISAKMP:(1227): vendor ID is XAUTH
Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec  6 08:51:52.175: ISAKMP:(1227): speaking to another IOS box!
Dec  6 08:51:52.175: ISAKMP:(1227): processing vendor id payload
Dec  6 08:51:52.175: ISAKMP:(1227):vendor ID seems Unity/DPD but hash mismatch
Dec  6 08:51:52.175: ISAKMP:received payload type 20
Dec  6 08:51:52.175: ISAKMP (1227): His hash no match - this node outside NAT
Dec  6 08:51:52.175: ISAKMP:received payload type 20
Dec  6 08:51:52.175: ISAKMP (1227): No NAT Found for self or peer
Dec  6 08:51:52.175: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec  6 08:51:52.179: ISAKMP:(1227):Old State = IKE_I_MM4  New State = IKE_I_MM4

Dec  6 08:51:52.179: ISAKMP:(1227):Send initial contact
Dec  6 08:51:52.179: ISAKMP:(1227):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
Dec  6 08:51:52.179: ISAKMP (1227): ID payload
        next-payload : 8
        type         : 1
        address      : B.B.B.B
        protocol     : 17
        port         : 500
        length       : 12
Dec  6 08:51:52.179: ISAKMP:(1227):Total payload length: 12
Dec  6 08:51:52.179: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) MM_KEY_EXCH
Dec  6 08:51:52.179: ISAKMP:(1227):Sending an IKE IPv4 Packet.
Dec  6 08:51:52.179: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec  6 08:51:52.179: ISAKMP:(1227):Old State = IKE_I_MM4  New State = IKE_I_MM5

Dec  6 08:51:52.315: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) MM_KEY_EXCH
Dec  6 08:51:52.315: ISAKMP:(1227): processing ID payload. message ID = 0
Dec  6 08:51:52.315: ISAKMP (1227): ID payload
        next-payload : 8
        type         : 1
        address      : A.A.A.A
        protocol     : 17
        port         : 0
        length       : 12
Dec  6 08:51:52.315: ISAKMP:(0):: peer matches *none* of the profiles
Dec  6 08:51:52.315: ISAKMP:(1227): processing HASH payload. message ID = 0
Dec  6 08:51:52.315: ISAKMP:received payload type 17
Dec  6 08:51:52.315: ISAKMP:(1227): processing vendor id payload
Dec  6 08:51:52.315: ISAKMP:(1227): vendor ID is DPD
Dec  6 08:51:52.315: ISAKMP:(1227):SA authentication status:
        authenticated
Dec  6 08:51:52.315: ISAKMP:(1227):SA has been authenticated with A.A.A.A
Dec  6 08:51:52.315: ISAKMP: Trying to insert a peer B.B.B.B/A.A.A.A/500/,  and inserted successfully 2B79E8BC.
Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM5  New State = IKE_I_MM6

Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6  New State = IKE_I_MM6

Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

Dec  6 08:51:52.315: ISAKMP:(1227):beginning Quick Mode exchange, M-ID of 1511581970
Dec  6 08:51:52.315: ISAKMP:(1227):QM Initiator gets spi
Dec  6 08:51:52.315: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) QM_IDLE
Dec  6 08:51:52.315: ISAKMP:(1227):Sending an IKE IPv4 Packet.
Dec  6 08:51:52.315: ISAKMP:(1227):Node 1511581970, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Dec  6 08:51:52.315: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Dec  6 08:51:52.455: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) QM_IDLE
Dec  6 08:51:52.455: ISAKMP: set new node -1740216573 to QM_IDLE
Dec  6 08:51:52.455: ISAKMP:(1227): processing HASH payload. message ID = 2554750723
Dec  6 08:51:52.455: ISAKMP:(1227): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 0, message ID = 2554750723, sa = 0x2B78D574
Dec  6 08:51:52.455: ISAKMP:(1227):deleting node -1740216573 error FALSE reason "Informational (in) state 1"
Dec  6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Dec  6 08:51:52.455: ISAKMP:(1227):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Dec  6 08:51:52.455: ISAKMP (1227): received packet from A.A.A.A dport 500 sport 500 Global (I) QM_IDLE
Dec  6 08:51:52.455: ISAKMP: set new node 1297146574 to QM_IDLE
Dec  6 08:51:52.455: ISAKMP:(1227): processing HASH payload. message ID = 1297146574
Dec  6 08:51:52.455: ISAKMP:(1227): processing DELETE payload. message ID = 1297146574
Dec  6 08:51:52.455: ISAKMP:(1227):peer does not do paranoid keepalives.

Dec  6 08:51:52.455: ISAKMP:(1227):deleting SA reason "No reason" state (I) QM_IDLE       (peer A.A.A.A)
Dec  6 08:51:52.455: ISAKMP:(1227):deleting node 1297146574 error FALSE reason "Informational (in) state 1"
Dec  6 08:51:52.455: ISAKMP: set new node -1178304129 to QM_IDLE
Dec  6 08:51:52.455: ISAKMP:(1227): sending packet to A.A.A.A my_port 500 peer_port 500 (I) QM_IDLE
Dec  6 08:51:52.455: ISAKMP:(1227):Sending an IKE IPv4 Packet.
Dec  6 08:51:52.455: ISAKMP:(1227):purging node -1178304129
Dec  6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Dec  6 08:51:52.455: ISAKMP:(1227):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

Dec  6 08:51:52.455: ISAKMP:(1227):deleting SA reason "No reason" state (I) QM_IDLE       (peer A.A.A.A)
Dec  6 08:51:52.455: ISAKMP: Unlocking peer struct 0x2B79E8BC for isadb_mark_sa_deleted(), count 0
Dec  6 08:51:52.455: ISAKMP: Deleting peer node by peer_reap for A.A.A.A: 2B79E8BC
Dec  6 08:51:52.455: ISAKMP:(1227):deleting node 1511581970 error FALSE reason "IKE deleted"
Dec  6 08:51:52.455: ISAKMP:(1227):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Dec  6 08:51:52.455: ISAKMP:(1227):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

I would appreciate any help you can provide.

Regards,

Sidney Dsouza
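Reading a long debug crypto isakmp trace by hand is error-prone. The following Python is an added example, not part of the post and not a Cisco tool: it pulls the state transitions, the policy match, the authentication result and any NOTIFY payloads out of the debug text and reports where the negotiation broke. The sample input is a trimmed copy of the lines above, and the state names and message strings it matches are the ones that appear in the posted output; the DOI protocol numbers come from RFC 2407 (3 is ESP, which is what the PROPOSAL_NOT_CHOSEN above refers to).

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: a trimmed subset of the `debug crypto isakmp` lines in the
# post above, peers still shown as the A.A.A.A / B.B.B.B placeholders.
SAMPLE_DEBUG = """\
Dec  6 08:51:52.019: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
Dec  6 08:51:52.019: ISAKMP:(0):atts are acceptable. Next payload is 0
Dec  6 08:51:52.019: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
Dec  6 08:51:52.175: ISAKMP:(0):found peer pre-shared key matching A.A.A.A
Dec  6 08:51:52.315: ISAKMP:(1227):SA has been authenticated with A.A.A.A
Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE
Dec  6 08:51:52.315: ISAKMP:(1227):beginning Quick Mode exchange, M-ID of 1511581970
Dec  6 08:51:52.315: ISAKMP:(1227):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
Dec  6 08:51:52.455: ISAKMP:(1227): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
Dec  6 08:51:52.455: ISAKMP:(1227): processing DELETE payload. message ID = 1297146574
Dec  6 08:51:52.455: ISAKMP:(1227):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
NOTIFY_RE = re.compile(r"processing NOTIFY (\S+) protocol (\d+)")
# ISAKMP DOI protocol identifiers (RFC 2407): the NOTIFY names which SA was refused.
DOI_PROTO = {1: "ISAKMP", 2: "AH", 3: "ESP"}


@dataclass
class IkeTriage:
    states: List[Tuple[str, str]] = field(default_factory=list)
    phase1_policy_matched: bool = False
    authenticated: bool = False
    phase1_complete: bool = False
    quick_mode_started: bool = False
    notifies: List[Tuple[str, str]] = field(default_factory=list)  # (type, protocol)
    sa_deleted: bool = False

    def verdict(self) -> str:
        if not self.phase1_policy_matched:
            return "Phase 1 failed: no ISAKMP policy matched the peer's proposal"
        if not self.authenticated:
            return "Phase 1 failed: SA never authenticated (check pre-shared key and peer identity)"
        if not self.phase1_complete:
            return "Phase 1 did not reach IKE_P1_COMPLETE"
        rejected = [proto for name, proto in self.notifies if name == "PROPOSAL_NOT_CHOSEN"]
        if rejected:
            return ("Phase 1 complete, Phase 2 rejected by peer for " + ", ".join(rejected)
                    + ": compare transform set, mode, PFS and crypto ACL with the remote side")
        if self.sa_deleted:
            return "Phase 1 complete, SA deleted by peer before Phase 2 finished"
        if self.quick_mode_started:
            return "Phase 1 complete, Quick Mode in progress"
        return "Phase 1 complete, no Quick Mode exchange seen"


def triage(debug_output: str) -> IkeTriage:
    """Walk the debug text line by line and record the negotiation milestones."""
    t = IkeTriage()
    for line in debug_output.splitlines():
        m = STATE_RE.search(line)
        if m:
            old, new = m.groups()
            t.states.append((old, new))
            if new == "IKE_P1_COMPLETE":
                t.phase1_complete = True
            elif new == "IKE_QM_I_QM1":
                t.quick_mode_started = True
            elif new == "IKE_DEST_SA":
                t.sa_deleted = True
            continue
        m = NOTIFY_RE.search(line)
        if m:
            proto = int(m.group(2))
            t.notifies.append((m.group(1), DOI_PROTO.get(proto, f"proto {proto}")))
        elif "atts are acceptable" in line:   # "atts are not acceptable" does not match
            t.phase1_policy_matched = True
        elif "SA has been authenticated" in line:
            t.authenticated = True
        elif "processing DELETE payload" in line:
            t.sa_deleted = True
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_DEBUG)
    for old, new in result.states:
        print(f"{old:>18} -> {new}")
    print(result.verdict())
```

On the posted trace this reports that Phase 1 completed and that the peer refused the ESP proposal in Quick Mode, which is exactly the split the replies below rely on: nothing in the ISAKMP policy or pre-shared key needs touching, the mismatch is in the IPsec parameters.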


6 Replies

sidney.dsouza
Level 1

Anybody??? Somebody???

anujsharma85
Level 1

As per the logs, phase 1 looks good. It seems that the tunnel is dying after QM_IDLE.

Can you grab the output of debug crypto ipsec as well?

Since by the time phase 2 will start everything will be encrypted thus logs will not provid


Sent from Cisco Technical Support Android App

anujsharma85
Level 1

Apologies for the incomplete reply in my previous post; the comment got posted by mistake.

I was saying that since the issue looks to be in phase 2 and the logs may not be the best answer for this, make sure the phase 2 transform set configuration, its mode and the crypto ACL are correct, else this issue is bound to occur.

Regards,
Anuj


Sent from Cisco Technical Support Android App

Hi Anuj,

Thanks for responding. Here are the logs from debug crypto ipsec:

Dec 10 15:54:38.099 UTC: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= B.B.B.B:500, remote= A.A.A.A:500,
    local_proxy= 10.20.0.0/255.255.0.0/0/0 (type=4),
    remote_proxy= 10.120.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Dec 10 15:54:38.671 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)

That's all that appeared after pinging the remote subnet.

Phase 2 is not completing, since there are no SPI values visible. Also, as per your configuration, transport mode is configured for phase 2; however, the debug shows tunnel mode.

Thus, as suggested earlier, to debug this further and find the root cause we need to match the Phase 2 configuration parameters with the remote device.

Hope that helps.

Regards,

Anuj

Hey Anuj,

You were right, Phase 2 was the issue. The remote-end admin had enabled pfs2 and did not inform me about it. As soon as it was added, the tunnel came up.

Regards,

Sidney
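Anuj's advice to line up the Phase 2 parameters with the remote device, and Sidney's finding that PFS group 2 was the missing piece, can be turned into a mechanical check. The following Python is an added example, not from the thread and not a Cisco tool. The router side is filled in from the debug crypto ipsec output above (esp-aes, esp-sha-hmac, tunnel mode as offered, 3600 s lifetime, no PFS, proxies 10.20.0.0/16 and 10.120.1.0/24); the ASA side is an assumption, since its configuration was never shared, and is built from the outcome (PFS group 2 enabled there) plus a lifetime that differs on purpose. Adding PFS on the IOS side is the crypto map entry command set pfs group2; the example models that as a changed field. It goes a little beyond the thread by also checking the crypto ACL mirror and a transport-mode variant.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple

# One ESP transform as a crypto map offers it: (encryption, integrity, mode).
Transform = Tuple[str, str, str]


@dataclass(frozen=True)
class Phase2Side:
    transforms: FrozenSet[Transform]  # every transform set the crypto map entry lists
    pfs_group: Optional[int]          # Diffie-Hellman group for PFS, None when PFS is off
    lifetime_s: int                   # IPsec SA lifetime in seconds
    local_proxy: str                  # network this side protects (crypto ACL source)
    remote_proxy: str                 # network it expects behind the peer (ACL destination)


def describe_pfs(group: Optional[int]) -> str:
    return "PFS off" if group is None else f"PFS group {group}"


def compare_phase2(a: Phase2Side, b: Phase2Side) -> List[str]:
    """Reasons a Quick Mode proposal from side a would be refused by side b."""
    problems = []
    if not (a.transforms & b.transforms):
        problems.append(f"no common transform set: {sorted(a.transforms)} vs {sorted(b.transforms)}")
    if a.pfs_group != b.pfs_group:
        problems.append(f"PFS mismatch: {describe_pfs(a.pfs_group)} vs {describe_pfs(b.pfs_group)}")
    # The crypto ACLs have to be mirror images: what a protects is what b must
    # expect behind a, and the other way round.
    if ipaddress.ip_network(a.local_proxy) != ipaddress.ip_network(b.remote_proxy):
        problems.append(f"proxy ID mismatch: {a.local_proxy} offered, peer expects {b.remote_proxy}")
    if ipaddress.ip_network(a.remote_proxy) != ipaddress.ip_network(b.local_proxy):
        problems.append(f"proxy ID mismatch: {a.remote_proxy} requested, peer protects {b.local_proxy}")
    return problems


def negotiated_lifetime(a: Phase2Side, b: Phase2Side) -> int:
    # Lifetimes do not have to match; both ends settle on the shorter one.
    return min(a.lifetime_s, b.lifetime_s)


# Router side, taken from the `debug crypto ipsec` output posted in the thread.
ROUTER = Phase2Side(
    transforms=frozenset({("esp-aes", "esp-sha-hmac", "tunnel")}),
    pfs_group=None, lifetime_s=3600,
    local_proxy="10.20.0.0/16", remote_proxy="10.120.1.0/24")

# Assumed ASA side: the thread never shows it, so this is constructed from the
# outcome (PFS group 2 enabled there) with a deliberately different lifetime.
ASA_ASSUMED = Phase2Side(
    transforms=frozenset({("esp-aes", "esp-sha-hmac", "tunnel")}),
    pfs_group=2, lifetime_s=28800,
    local_proxy="10.120.1.0/24", remote_proxy="10.20.0.0/16")

# Router after adding PFS group 2 to the crypto map entry.
ROUTER_FIXED = replace(ROUTER, pfs_group=2)

# Variant with a transport-mode transform set, to show a mode mismatch as well.
ROUTER_TRANSPORT = replace(
    ROUTER_FIXED, transforms=frozenset({("esp-aes", "esp-sha-hmac", "transport")}))


if __name__ == "__main__":
    for name, side in (("as posted", ROUTER), ("with PFS group 2", ROUTER_FIXED),
                       ("transport mode", ROUTER_TRANSPORT)):
        problems = compare_phase2(side, ASA_ASSUMED)
        print(f"{name}: {problems or 'compatible'}; "
              f"lifetime {negotiated_lifetime(side, ASA_ASSUMED)}s")
```

Lifetime is deliberately not a mismatch: IKEv1 Quick Mode lets both ends converge on the shorter value, which is why the router's 3600 s against a longer remote lifetime is harmless, while a PFS, mode or proxy ID difference is exactly the sort of thing that produces the PROPOSAL_NOT_CHOSEN seen in the debug above.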