11-29-2021 09:58 PM
Hi There,
I am trying to build a site-to-site IPsec VPN tunnel with my ISP's edge firewall, but for some reason the tunnel is not coming up. Below are the config and debug output; please suggest.
My End public IP: 5.5.5.5
Peer End public IP: 1.1.1.1
ASA01# show run crypto map
crypto map outside_map0 1 match address outside_cryptomap_1
crypto map outside_map0 1 set pfs group14
crypto map outside_map0 1 set peer 1.1.1.1
crypto map outside_map0 1 set ikev2 ipsec-proposal ANS
crypto map outside_map0 interface outside
ASA01# show run crypto ikev2
crypto ikev2 policy 2
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 2800
crypto ikev2 enable outside
Debug log:
===========
IKEv2-PROTO-2: (34): Sending Packet [To 5.5.5.5:500/From 1.1.1.1:500/VRF i0:f0]
(34): Initiator SPI : 44A604D4DD0405F6 - Responder SPI : 0000000000000000 Message id: 0
(34): IKEv2 IKE_SA_INIT Exchange REQUEST
IKEv2-PROTO-3: (34): Next payload: SA, version: 2.0
(34): Exchange type: IKE_SA_INIT, flags: INITIATOR
(34): Message id: 0, length: 762
Payload contents:
(34): SA(34): Next payload: KE, reserved: 0x0, length: 300
(34): last proposal: 0x2, reserved: 0x0, length: 52
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 5
(34): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(34): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(34): last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4
(34): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(34): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(34): last proposal: 0x2, reserved: 0x0, length: 52
Proposal: 3, Protocol id: IKE, SPI size: 0, #trans: 5
(34): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(34): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(34): last proposal: 0x2, reserved: 0x0, length: 52
Proposal: 4, Protocol id: IKE, SPI size: 0, #trans: 5
(34): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(34): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(34): last proposal: 0x2, reserved: 0x0, length: 48
Proposal: 5, Protocol id: IKE, SPI size: 0, #trans: 5
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: 3DES
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(34): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(34): last proposal: 0x0, reserved: 0x0, length: 48
Proposal: 6, Protocol id: IKE, SPI size: 0, #trans: 5
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: DES
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(34): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(34): KE(34): Next payload: N, reserved: 0x0, length: 200
(34): DH group: 5, Reserved: 0x0
(34):
(34): c1 93 4b 63 53 f3 e6 a3 67 04 db 39 a7 8e 08 ca
(34): 5e 7a d5 76 70 6c 81 79 5c b0 12 ea 08 81 fe a7
(34): 4f d9 7a 8c 9e e1 73 2e 8f 46 94 32 aa cc ff 19
(34): b2 eb a1 6a 05 ca 75 da 23 3e 7f d4 74 4f 85 d8
(34): 23 e2 6f 92 a4 83 1a f9 f8 c9 54 e4 ca 4e 63 2a
(34): c6 24 3d 07 7c d8 77 a8 e4 92 db 22 b5 4e ff 53
(34): 88 a5 f7 9d dc 1c b9 c6 0c bd fd 57 a2 9b 27 ce
(34): 81 fa 69 3c ce 96 f6 f9 5d 60 b1 87 51 a3 1c 42
(34): 97 e2 2c 78 21 84 4d b0 13 72 57 59 cd af b2 ba
(34): 9e f4 05 13 1f f8 fb 68 72 8a ab da a3 8e 34 e4
(34): ba 7a 29 79 c9 70 c5 e7 a4 9d c0 30 ec 73 c5 b2
(34): b2 f0 c4 34 c8 65 df e9 88 f6 db 9b 23 de 20 cd
(34): N(34): Next payload: VID, reserved: 0x0, length: 68
(34):
(34): b8 bc 44 6d 34 10 11 1b cf d4 49 62 70 9d 21 04
(34): 95 ea 40 17 60 aa 63 e6 05 71 a3 73 94 f2 16 bf
(34): 9b b0 a1 62 33 ad 63 95 d6 c6 ac d8 e8 24 3c c6
(34): 0d 47 82 cf e7 fb 15 06 fb 83 73 c0 2f 9d 29 6b
(34): VID(34): Next payload: VID, reserved: 0x0, length: 23
(34):
(34): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(34): 53 4f 4e
(34): VID(34): Next payload: NOTIFY, reserved: 0x0, length: 59
(34):
(34): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(34): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(34): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(34): 73 2c 20 49 6e 63 2e
(34): NOTIFY(NAT_DETECTION_SOURCE_IP)(34): Next payload: NOTIFY, reserved: 0x0, length: 28
(34): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(34):
(34): de 02 7c 27 a3 0d d3 c0 f1 7a 74 e3 cb ee 5f 6a
(34): ae 4c 94 d1
(34): NOTIFY(NAT_DETECTION_DESTINATION_IP)(34): Next payload: NOTIFY, reserved: 0x0, length: 28
(34): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(34):
(34): 83 a7 50 5c 17 fb 0a 70 ea d0 9a 37 df ea 33 c8
(34): 02 dc 2d fe
(34): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(34): Next payload: VID, reserved: 0x0, length: 8
(34): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(34): VID(34): Next payload: NONE, reserved: 0x0, length: 20
(34):
(34): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(34):
IKEv2-PLAT-3: (34): SENT PKT [IKE_SA_INIT] [1.1.1.1]:500->[5.5.5.5]:500 InitSPI=0x44a604d4dd0405f6 RespSPI=0x0000000000000000 MID=00000000
IKEv2-PROTO-5: (34): SM Trace-> SA: I_SPI=44A604D4DD0405F6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
Regards,
Antony
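A way to read the trace above mechanically, as an added example that is not part of the thread or of Cisco's tooling: it pulls each IKE_SA_INIT proposal out of the IKEv2-PROTO-3 dump, flags DES, 3DES, SHA1-based transforms and DH groups below 2048 bits, checks whether the posted `crypto ikev2 policy 2` (AES, SHA256, PRF SHA256, group 14) appears among the proposals, and reports when the trace ends with the responder SPI still zero, as it does here at CurState I_WAIT_INIT. The reply markers it looks for ("RECV PKT", "Received Packet") are an assumption about the ASA log format, since the posted trace contains no reply at all; the sample input is an abridged, constructed copy of the dump.

```python
"""Summarise an ASA 'debug crypto ikev2' IKE_SA_INIT trace: what each
proposal offered, which algorithms are legacy, and whether a reply came.
Added example for this thread, not Cisco tooling."""
import re
from dataclasses import dataclass, field

TRANSFORM_TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH"}  # RFC 7296 3.3.2
# Names as the ASA prints them; SHA96 is HMAC-SHA1-96, DH groups are MODP < 2048.
LEGACY = {"ENCR": {"DES", "3DES"}, "PRF": {"MD5", "SHA1"},
          "INTEG": {"MD596", "SHA96"}, "DH": {"1", "2", "5"}}

PROPOSAL_RE = re.compile(r"Proposal:\s*(\d+),.*?#trans:\s*(\d+)")
TRANSFORM_RE = re.compile(r"type:\s*(\d+),\s*reserved:\s*0x[0-9a-fA-F]+,\s*id:\s*(.+?)\s*$")
DH_RE = re.compile(r"Group\s+(\d+)\s*$")
SENT_RE = re.compile(r"SENT PKT \[(\w+)\]")
# Reply markers are an assumption about the log format; the posted trace has none.
RECV_RE = re.compile(r"RECV PKT \[\w+\]|Received Packet")
RESP_SPI_RE = re.compile(r"Resp(?:onder )?SPI\s*[:=]\s*(?:0x)?([0-9A-Fa-f]{16})")

@dataclass
class Proposal:
    number: int
    declared_count: int                               # "#trans:" in the header
    transforms: list = field(default_factory=list)    # (type, algorithm) pairs

    def legacy(self):
        return [(t, a) for t, a in self.transforms if a in LEGACY[t]]

def parse_transform(line):
    m = TRANSFORM_RE.search(line)
    if not m or int(m.group(1)) not in TRANSFORM_TYPES:
        return None
    ttype, ident = TRANSFORM_TYPES[int(m.group(1))], m.group(2)
    if ttype == "DH":                  # "DH_GROUP_2048_MODP/Group 14" -> "14"
        g = DH_RE.search(ident)
        ident = g.group(1) if g else ident
    return ttype, ident

def parse_debug(text):
    proposals, sent, replies, resp_spis = [], [], [], set()
    for line in text.splitlines():
        if m := PROPOSAL_RE.search(line):
            proposals.append(Proposal(int(m.group(1)), int(m.group(2))))
            continue
        t = parse_transform(line)
        if t and proposals:
            proposals[-1].transforms.append(t)
            continue
        if m := SENT_RE.search(line):
            sent.append(m.group(1))
        if RECV_RE.search(line):
            replies.append(line.strip())
        if m := RESP_SPI_RE.search(line):
            resp_spis.add(m.group(1).lower())
    return proposals, sent, replies, resp_spis

def policy_offered(proposals, encr="AES-CBC", prf="SHA256", integ="SHA256", dh="14"):
    """True if one proposal carries every transform of the configured policy.
    The AES key length is not printed at this debug level, so only the name is matched."""
    want = {("ENCR", encr), ("PRF", prf), ("INTEG", integ), ("DH", dh)}
    return any(want <= set(p.transforms) for p in proposals)

def diagnose(text):
    proposals, sent, replies, resp_spis = parse_debug(text)
    findings = []
    for p in proposals:
        if len(p.transforms) != p.declared_count:
            findings.append(f"proposal {p.number}: header says {p.declared_count} "
                            f"transforms, dump shows {len(p.transforms)}")
        findings += [f"proposal {p.number}: legacy {t} {a}" for t, a in p.legacy()]
    if "IKE_SA_INIT" in sent and not replies and resp_spis <= {"0" * 16}:
        findings.append("IKE_SA_INIT sent but no reply seen: responder SPI is still zero, "
                        "so confirm UDP/500 (and 4500) reaches the peer before touching proposals")
    return proposals, findings

# Constructed input: an abridged copy of the trace posted above (proposals 1, 2, 6).
SAMPLE = """\
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 5(34): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
type: 2, reserved: 0x0, id: SHA1
type: 3, reserved: 0x0, id: SHA96
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4(34): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
type: 2, reserved: 0x0, id: SHA256
type: 3, reserved: 0x0, id: SHA256
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
Proposal: 6, Protocol id: IKE, SPI size: 0, #trans: 5(34): last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: DES
type: 2, reserved: 0x0, id: SHA1
type: 3, reserved: 0x0, id: SHA96
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
IKEv2-PLAT-3: (34): SENT PKT [IKE_SA_INIT] [1.1.1.1]:500->[5.5.5.5]:500 InitSPI=0x44a604d4dd0405f6 RespSPI=0x0000000000000000 MID=00000000
IKEv2-PROTO-5: (34): SM Trace-> SA: I_SPI=44A604D4DD0405F6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
"""
```

Run `diagnose(SAMPLE)` and the findings list the legacy transforms in proposals 1 and 6 plus the no-reply warning. The point for this thread: a trace that stops after SENT PKT [IKE_SA_INIT] with a zero responder SPI is a reachability or peer-side problem, not a proposal mismatch. A responder that rejects every proposal normally still answers, with an IKE_SA_INIT reply carrying NO_PROPOSAL_CHOSEN; silence points at the peer not being configured for this tunnel, UDP/500 being filtered on the path, or routing.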
11-29-2021 11:16 PM
Hello,
post the full running configurations of both ASAs...
11-29-2021 11:27 PM
Hi Georg,
Please find below the config from my end firewall. I don't have access to the ISP end firewall; let me know if you need any further configs.
ASA01# show run crypto map | in 1.1.1.1
crypto map outside_map0 1 set peer 1.1.1.1
ASA01#
ASA01# show run crypto map | in outside_map0 1
crypto map outside_map0 1 match address outside_cryptomap_1
crypto map outside_map0 1 set pfs group14
crypto map outside_map0 1 set peer 1.1.1.1
crypto map outside_map0 1 set ikev2 ipsec-proposal ANS
ASA01# show run tunnel-group 1.1.1.1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy GroupPolicy2_ANS
tunnel-group 1.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
ASA01# show run group-policy 1.1.1.1
ASA01#
ASA01# show run access-list outside_cryptomap_1
access-list outside_cryptomap_1 extended permit ip object-group APPER_ANS object-group ACTUANT
ASA01# show run crypto ikev2
crypto ikev2 policy 2
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 2800
crypto ikev2 enable outside
11-29-2021 11:47 PM
Hello,
I cannot tell from the partial config you posted if you are using NAT (exemptions) and what the content is of the object groups referenced in the access list.
Either way, the config of the ISP firewall needs to have the same, reversed object groups for the access list.
It is going to be nearly impossible to troubleshoot this without access to the ISP side firewall.
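A check for the mirrored-ACL requirement in the reply above, as an added example that is not part of the thread: it expands the crypto ACL of each side through its network object-groups, reverses the peer's flows and reports what one side protects that the other does not, and emits the ASA identity NAT statement that keeps that traffic out of other NAT rules. The object-group contents, the peer's ACL and group names, and the inside/outside interface names are constructed placeholders, since the thread shows none of them; the real contents of APPER_ANS and ACTUANT are what the ISP would need to reverse.

```python
"""Check that two ASAs' crypto ACLs mirror each other after expanding
network object-groups, and emit the identity NAT that exempts that traffic.
Added example for this thread, not Cisco tooling."""
import re
from ipaddress import ip_network

OG_RE = re.compile(r"^object-group network (\S+)")
MEMBER_RE = re.compile(r"^\s+network-object (?:host (\S+)|(\S+) (\S+))")
ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")

def parse_object_groups(config):
    """Map object-group name -> set of ip_network members."""
    groups, current = {}, None
    for line in config.splitlines():
        if m := OG_RE.match(line):
            current = groups.setdefault(m.group(1), set())
        elif (m := MEMBER_RE.match(line)) and current is not None:
            host, net, mask = m.groups()
            current.add(ip_network(f"{host}/32" if host else f"{net}/{mask}"))
    return groups

def parse_endpoint(tokens, groups):
    """Consume one ACE endpoint (object-group, host, any, or net mask)."""
    kind = tokens[0]
    if kind == "object-group":
        return set(groups[tokens[1]]), tokens[2:]
    if kind == "host":
        return {ip_network(f"{tokens[1]}/32")}, tokens[2:]
    if kind == "any":
        return {ip_network("0.0.0.0/0")}, tokens[1:]
    return {ip_network(f"{tokens[0]}/{tokens[1]}")}, tokens[2:]

def crypto_pairs(config, acl_name):
    """Every (local_net, remote_net) flow the named crypto ACL protects."""
    groups = parse_object_groups(config)
    pairs = set()
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if not m or m.group(1) != acl_name:
            continue
        src, rest = parse_endpoint(m.group(2).split(), groups)
        dst, _ = parse_endpoint(rest, groups)
        pairs.update((s, d) for s in src for d in dst)
    return pairs

def mirror_gaps(local_pairs, peer_pairs):
    """(flows missing on the peer, flows missing locally) after reversing
    the peer's direction; both must be empty for the child SAs to match."""
    mirrored = {(d, s) for s, d in peer_pairs}
    return local_pairs - mirrored, mirrored - local_pairs

def nat_exemption(local_og, remote_og, inside="inside", outside="outside"):
    """ASA 8.3+ identity twice-NAT so VPN traffic bypasses other NAT rules.
    Interface names are assumptions; the thread does not show them."""
    return (f"nat ({inside},{outside}) source static {local_og} {local_og} "
            f"destination static {remote_og} {remote_og} no-proxy-arp route-lookup")

# Constructed configs: the group contents, the peer's names and the extra
# host on the local side are placeholders, not taken from the thread.
LOCAL_CONFIG = """\
object-group network APPER_ANS
 network-object 10.10.1.0 255.255.255.0
 network-object host 10.10.2.5
object-group network ACTUANT
 network-object 172.16.50.0 255.255.255.0
access-list outside_cryptomap_1 extended permit ip object-group APPER_ANS object-group ACTUANT
"""
PEER_CONFIG = """\
object-group network ACTUANT_LOCAL
 network-object 172.16.50.0 255.255.255.0
object-group network APPER_ANS_REMOTE
 network-object 10.10.1.0 255.255.255.0
access-list outside_cryptomap_isp extended permit ip object-group ACTUANT_LOCAL object-group APPER_ANS_REMOTE
"""

if __name__ == "__main__":
    missing_peer, missing_local = mirror_gaps(
        crypto_pairs(LOCAL_CONFIG, "outside_cryptomap_1"),
        crypto_pairs(PEER_CONFIG, "outside_cryptomap_isp"))
    for s, d in sorted(missing_peer, key=str):
        print(f"peer does not protect {d} -> {s} (local side has {s} -> {d})")
    print(nat_exemption("APPER_ANS", "ACTUANT"))
```

In the constructed input the local side includes host 10.10.2.5 that the peer's reversed ACL does not, which is exactly the kind of mismatch that leaves a child SA unnegotiable for that flow even when the IKE SA itself comes up. The NAT line is only needed if the ASA also NATs those inside networks toward the outside interface; with no NAT rule covering them it is harmless but redundant.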
11-30-2021 12:06 AM
OK, let me check with the ISP.
Thanks,