5506-X Site to Site IPSEC VPN tunnel

Antony.xavier
Level 1

Hi There,

 

I am trying to build a site-to-site IPsec VPN tunnel with my ISP edge firewall, but for some reason the tunnel is not coming up. Below are the config and debug output; please suggest.

 

My End public IP: 5.5.5.5

Peer End public IP: 1.1.1.1

 

ASA01# show run crypto map
crypto map outside_map0 1 match address outside_cryptomap_1
crypto map outside_map0 1 set PFS group14
crypto map outside_map0 1 set peer 205.182.208.43
crypto map outside_map0 1 set ikev2 IPsec-proposal ANS
crypto map outside_map0 interface outside

 

ASA01# show run crypto ikev2
crypto ikev2 policy 2
encryption aes-256
integrity sha256
group 14
PRF sha256
lifetime seconds 2800
crypto ikev2 enable outside

 

 

Debug log:

===========

 

IKEv2-PROTO-2: (34): Sending Packet [To 5.5.5.5:500/From 1.1.1.1:500/VRF i0:f0]
(34): Initiator SPI : 44A604D4DD0405F6 - Responder SPI : 0000000000000000 Message id: 0
(34): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-3: (34): Next payload: SA, version: 2.0 (34): Exchange type: IKE_SA_INIT, flags: INITIATOR (34): Message id: 0, length: 762(34):
Payload contents:
(34): SA(34): Next payload: KE, reserved: 0x0, length: 300
(34): last proposal: 0x2, reserved: 0x0, length: 52
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 5(34): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(34): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(34): last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4(34): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(34): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(34): last proposal: 0x2, reserved: 0x0, length: 52
Proposal: 3, Protocol id: IKE, SPI size: 0, #trans: 5(34): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(34): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(34): last proposal: 0x2, reserved: 0x0, length: 52
Proposal: 4, Protocol id: IKE, SPI size: 0, #trans: 5(34): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(34): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(34): last proposal: 0x2, reserved: 0x0, length: 48
Proposal: 5, Protocol id: IKE, SPI size: 0, #trans: 5(34): last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: 3DES
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(34): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(34): last proposal: 0x0, reserved: 0x0, length: 48
Proposal: 6, Protocol id: IKE, SPI size: 0, #trans: 5(34): last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: DES
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(34): last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
(34): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
(34): KE(34): Next payload: N, reserved: 0x0, length: 200
(34): DH group: 5, Reserved: 0x0
(34):
(34): N(34): Next payload: VID, reserved: 0x0, length: 68
(34):
(34): b8 bc 44 6d 34 10 11 1b cf d4 49 62 70 9d 21 04
(34): 95 ea 40 17 60 aa 63 e6 05 71 a3 73 94 f2 16 bf
(34): 9b b0 a1 62 33 ad 63 95 d6 c6 ac d8 e8 24 3c c6
(34): 0d 47 82 cf e7 fb 15 06 fb 83 73 c0 2f 9d 29 6b
(34): VID(34): Next payload: VID, reserved: 0x0, length: 23
(34):
(34): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(34): 53 4f 4e
(34): VID(34): Next payload: NOTIFY, reserved: 0x0, length: 59
(34):
(34): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(34): 26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
(34): 30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
(34): 73 2c 20 49 6e 63 2e
(34): NOTIFY(NAT_DETECTION_SOURCE_IP)(34): Next payload: NOTIFY, reserved: 0x0, length: 28
(34): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(34):
(34): de 02 7c 27 a3 0d d3 c0 f1 7a 74 e3 cb ee 5f 6a
(34): ae 4c 94 d1
(34): NOTIFY(NAT_DETECTION_DESTINATION_IP)(34): Next payload: NOTIFY, reserved: 0x0, length: 28
(34): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(34):
(34): 83 a7 50 5c 17 fb 0a 70 ea d0 9a 37 df ea 33 c8
(34): 02 dc 2d fe
(34): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(34): Next payload: VID, reserved: 0x0, length: 8
(34): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(34): VID(34): Next payload: NONE, reserved: 0x0, length: 20
(34):
(34): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(34):
IKEv2-PLAT-3: (34): SENT PKT [IKE_SA_INIT] [1.1.1.1]:500->[5.5.5.5]:500 InitSPI=0x44a604d4dd0405f6 RespSPI=0x0000000000000000 MID=00000000
IKEv2-PROTO-5: (34): SM Trace-> SA: I_SPI=44A604D4DD0405F6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT

 

Regards,

Antony
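As an added example (not part of the original post or of any Cisco tool), here is a small analyzer that reads the kind of "debug crypto ikev2" output shown above and reports what the initiator offered and whether the peer ever answered. The sample input is a constructed excerpt of the trace above; the string "Received Packet [From" is an assumed marker for a reply from the peer, and the set of legacy transforms to flag is the author's choice.

```python
import re
# Constructed excerpt of the "debug crypto ikev2" output from the post (hex dumps omitted).
DEBUG = """\
IKEv2-PROTO-2: (34): Sending Packet [To 5.5.5.5:500/From 1.1.1.1:500/VRF i0:f0]
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 5(34): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
type: 2, reserved: 0x0, id: SHA1
type: 3, reserved: 0x0, id: SHA96
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4(34): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
type: 2, reserved: 0x0, id: SHA256
type: 3, reserved: 0x0, id: SHA256
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
Proposal: 5, Protocol id: IKE, SPI size: 0, #trans: 5(34): last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: 3DES
type: 2, reserved: 0x0, id: SHA1
IKEv2-PLAT-3: (34): SENT PKT [IKE_SA_INIT] [1.1.1.1]:500->[5.5.5.5]:500 InitSPI=0x44a604d4dd0405f6 RespSPI=0x0000000000000000 MID=00000000
IKEv2-PROTO-5: (34): SM Trace-> SA: I_SPI=44A604D4DD0405F6 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
"""
# Transform ids that should not be offered on a new tunnel (legacy or weak); author's choice.
LEGACY = {"DES", "3DES", "SHA1", "SHA96", "Group 2", "Group 5"}

def parse_proposals(debug):
    """Map proposal number -> [(transform type, id)] from the IKE_SA_INIT SA payload."""
    proposals, cur = {}, None
    for line in debug.splitlines():
        m = re.match(r"Proposal: (\d+),", line)
        if m:
            cur = proposals.setdefault(int(m.group(1)), [])
            continue
        m = re.match(r"type: (\d+), .*id: (.+)$", line)
        if m and cur is not None:  # "DH_GROUP_1536_MODP/Group 5" -> "Group 5"
            cur.append((int(m.group(1)), m.group(2).split("/")[-1]))
    return proposals

def analyze(debug):
    """Summarise what the initiator offered and whether the peer ever answered."""
    props = parse_proposals(debug)
    weak = {n: sorted({t for _, t in ts if t in LEGACY}) for n, ts in props.items()}
    states = re.findall(r"CurState: (\S+)", debug)
    return {
        "proposals": len(props),
        "weak_proposals": {n: w for n, w in weak.items() if w},
        "init_sent": len(re.findall(r"SENT PKT \[IKE_SA_INIT\]", debug)),
        # "Received Packet [From" is the assumed marker for a reply; this trace has none.
        "init_replies": len(re.findall(r"Received Packet \[From", debug)),
        "last_state": states[-1] if states else None,
    }
```

A result with init_replies of 0 and last_state I_WAIT_INIT means the ASA sent IKE_SA_INIT and never heard back, so the next thing to verify is reachability on UDP 500 and that the remote side has a matching tunnel configured for this peer, before looking at proposal mismatches.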

4 Replies

Hello,

 

Post the full running configurations of both ASAs...

Hi Georg,

 

Please find below the config from my end firewall. I don't have access to the ISP end firewall; let me know if you need any further configs.

 

ASA01# show run crypto map | in 1.1.1.1
crypto map outside_map0 1 set peer 1.1.1.1
ASA01#
ASA01# show run crypto map | in outside_map0 1
crypto map outside_map0 1 match address outside_cryptomap_1
crypto map outside_map0 1 set pfs group14
crypto map outside_map0 1 set peer 1.1.1.1
crypto map outside_map0 1 set ikev2 ipsec-proposal ANS

ASA01# show run tunnel-group 1.1.1.1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy GroupPolicy2_ANS
tunnel-group 1.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
ASA01# show run group-policy 1.1.1.1
ASA01#
ASA01# show run access-list outside_cryptomap_1
access-list outside_cryptomap_1 extended permit ip object-group APPER_ANS object-group ACTUANT
ASA01# show run crypto ikev2
crypto ikev2 policy 2
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 2800
crypto ikev2 enable outside

 

Hello,

 

I cannot tell from the partial config you posted if you are using NAT (exemptions) and what the content is of the object groups referenced in the access list.

 

Either way, the config of the ISP firewall needs to have the same, reversed object groups for the access list.

 

It is going to be near to impossible to troubleshoot this without access to the ISP side firewall.

OK, let me check with the ISP.

 

Thanks,