Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3326
Views
0
Helpful
0
Replies

All proposals found unacceptable with ESP-AES-128-SHA on ASA 8.3

manuel.faux
Level 1
Level 1

‎11-27-2011 08:47 AM

I want to configure a L2L VPN using X.509 certificates between an ASA 5505 8.3(1) and an OpenBSD 4.9 peer. The ASA has a static IP the OpenBSD peer has a dynamic public IP and is NATed.

I have configured the tunnel successfully using PSK aggressive mode, but as OpenBSD seems to have a problem with NAT-T detection using agressive mode, I have to use main mode. As I cannot use main mode using dynamic IPs with PSK (as far as I know) I want to use X.509 certificates. I simply have changed the "pre-shared-key" ipsec-attribute of the tunnel-group to the "trust-point" and added a certificate map and a tunnel-group-mapping. Since this I get following error message:

Nov 27 16:50:13 [IKEv1]: Group = brno, IP = 78.90.67.34, Mismatch: P1 Authentication algorithm in the crypto map entry different from negotiated algorithm for the L2L connection
Nov 27 16:50:13 [IKEv1]: Group = brno, IP = 78.90.67.34, All IPSec SA proposals found unacceptable!

I have not changed any IPSec nor ISAKMP proposals since the tunnel worked with PSK. I have changed the dynamic map to a static crypto map, but this did not resolve the problem.

I have configured my ASA to accept "ESP-AES-128-SHA" (beyond others) and this is the proposal my OpenBSD sends and the ASA receives (according to debug isakmp 254), but the ASA reports, that it cannot accept the proposal. I have also tried to use other combinations like 3DES-MD5.

Here is the configuration of my ASA:

tunnel-group brno type ipsec-l2l

tunnel-group brno general-attributes

 default-group-policy IPSec_Site-to-Site

tunnel-group brno ipsec-attributes

 trust-point vienna.private.lan
crypto map outside_map 2 match address vpn_brno
crypto map outside_map 2 set peer 78.90.67.34 
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-3DES-SHA ESP-3DES-MD5
tunnel-group-map enable rules
tunnel-group-map brno 10 brno

crypto ca certificate map brno 10
 subject-name attr cn eq brno.private.lan
crypto isakmp enable outside
crypto isakmp policy 80

 authentication rsa-sig

 encryption aes

 hash sha     

 group 2      

 lifetime 86400


And here is the configuration of my OpenBSD peer:

ike esp from 10.1.0.0/16 to 10.4.0.0/22 peer 12.7.9.32 \
        main auth hmac-sha enc aes group modp1024 \
        quick auth hmac-sha enc aes group none \
        srcid brno.private.lan dstid vienna.private.lan

With this configuration both gateways support at least the proposal "ESP-AES-128-SHA" in both phases. But the ASA does not accept the proposal from the OpenBSD peer (see debug messages above). The group selection is being done correctly (as can be seen in the debug messages).

I cannot imagin any misconfiguration, but I also have no more idea to resolve this problem.

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents