12-20-2013 10:49 AM
Hi all
I am trying to get an IPsec remote access VPN working between an Android 4.3 device and a Cisco ASA 5505. I have the following phase 1 proposals:
PRM-ASA3(config)# sh run crypto isakm
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
Not sure what the Android VPN defaults to, as it doesn't have any settings that granular.
The ASA is logging this:
PRM-ASA3(config)# Dec 20 18:38:20 [IKEv1]: IP = 2.2.2.123, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 649
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing SA payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing ke payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing ISA_KE payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing nonce payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing ID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received Fragmentation VID
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received NAT-Traversal RFC VID
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received NAT-Traversal ver 02 VID
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received xauth V6 VID
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received Cisco Unity client VID
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, processing VID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received DPD VID
Dec 20 18:38:20 [IKEv1]: IP = 2.2.2.123, Connection landed on tunnel_group PRM-IT-access
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, processing IKE SA payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 1
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing ISAKMP SA payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing ke payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing nonce payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, Generating keys for Responder...
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing ID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing hash payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, Computing hash for ISAKMP
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing Cisco Unity VID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing xauth V6 VID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing dpd vid payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing NAT-Traversal VID ver 02 payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing NAT-Discovery payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, computing NAT Discovery hash
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing NAT-Discovery payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, computing NAT Discovery hash
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing Fragmentation VID + extended capabilities payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing VID payload
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Dec 20 18:38:23 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, Duplicate Phase 1 packet detected. Retransmitting last packet.
Dec 20 18:38:23 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, P1 Retransmit msg dispatched to AM FSM
Dec 20 18:38:26 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, Duplicate Phase 1 packet detected. Retransmitting last packet.
Dec 20 18:38:26 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, P1 Retransmit msg dispatched to AM FSM
Dec 20 18:38:30 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, Duplicate Phase 1 packet detected. Retransmitting last packet.
Dec 20 18:38:30 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, P1 Retransmit msg dispatched to AM FSM
Dec 20 18:38:33 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, Duplicate Phase 1 packet detected. Retransmitting last packet.
Dec 20 18:38:33 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, P1 Retransmit msg dispatched to AM FSM
Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, IKE AM Responder FSM error history (struct &0xca280dc8) <state>, <event>: AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_RESEND_MSG-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_SND_MSG2, EV_RESEND_MSG-->AM_WAIT_MSG3, EV_RESEND_MSG
Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, IKE SA AM:e6f1e3d8 terminating: flags 0x0100c001, refcnt 0, tuncnt 0
Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, sending delete/delete with reason message
Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing blank hash payload
Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing IKE delete payload
Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing qm hash payload
Totally stuck at this point! Please help me save what's left of my hair...
Thanks
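The trace in the post above already narrows the problem down, and the reading is easy to miss in a wall of debug lines. "IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 1" means the client's Phase 1 offer was accepted against the first policy in priority order (policy 10 here), so this is not an ISAKMP policy mismatch. The ASA then builds aggressive-mode message 2 (KE, nonce, ID, hash, VIDs, NAT-D), and every "Duplicate Phase 1 packet detected. Retransmitting last packet." line after that is the ASA seeing the client resend its own message 1 and answering with the same message 2 again. The FSM error history ends in AM_WAIT_MSG3: the ASA never received message 3, so the client either never got the reply or silently discarded it. The script below is an added example (not part of the post, and not a Cisco tool) that pulls exactly those facts out of a `debug crypto isakmp` capture; the sample log is abridged from the post's output, the line layout it assumes is the one visible there, and the `verdict` wording is my own.

```python
"""Summarise an ASA 'debug crypto isakmp' trace to locate where IKEv1 Phase 1 stalled.

Added example, not from the original post. Assumed line layout (as seen in the post):
  "<Mon> <day> <hh:mm:ss> [IKEv1 ...]: [Group = G, ]IP = A, <message>"
"""
import json
import re
from datetime import datetime

# Constructed sample: lines abridged from the ASA output in the post above.
SAMPLE_LOG = """\
PRM-ASA3(config)# Dec 20 18:38:20 [IKEv1]: IP = 2.2.2.123, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + NONE (0) total length : 649
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received Fragmentation VID
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received NAT-Traversal RFC VID
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received NAT-Traversal ver 02 VID
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received xauth V6 VID
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received Cisco Unity client VID
Dec 20 18:38:20 [IKEv1 DEBUG]: IP = 2.2.2.123, Received DPD VID
Dec 20 18:38:20 [IKEv1]: IP = 2.2.2.123, Connection landed on tunnel_group PRM-IT-access
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 1
Dec 20 18:38:20 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, constructing NAT-Discovery payload
Dec 20 18:38:23 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, Duplicate Phase 1 packet detected. Retransmitting last packet.
Dec 20 18:38:26 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, Duplicate Phase 1 packet detected. Retransmitting last packet.
Dec 20 18:38:30 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, Duplicate Phase 1 packet detected. Retransmitting last packet.
Dec 20 18:38:33 [IKEv1]: Group = PRM-IT-access, IP = 2.2.2.123, Duplicate Phase 1 packet detected. Retransmitting last packet.
Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, IKE AM Responder FSM error history (struct &0xca280dc8) <state>, <event>: AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_RESEND_MSG-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR-->AM_SND_MSG2, EV_RESEND_MSG-->AM_WAIT_MSG3, EV_RESEND_MSG
Dec 20 18:38:33 [IKEv1 DEBUG]: Group = PRM-IT-access, IP = 2.2.2.123, IKE SA AM:e6f1e3d8 terminating: flags 0x0100c001, refcnt 0, tuncnt 0
"""

PROMPT_RE = re.compile(r"^\S+\(config\)# ")  # a CLI prompt interleaved with debug output
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \[(?P<tag>[^\]]+)\]: "
    r"(?:Group = (?P<group>[^,]+), )?IP = (?P<ip>[0-9.]+), (?P<msg>.*)$"
)
MATCH_RE = re.compile(r"IKE SA Proposal # (\d+), Transform # (\d+) acceptable Matches global IKE entry # (\d+)")
VID_RE = re.compile(r"^Received (.+?) VID$")
TG_RE = re.compile(r"Connection landed on tunnel_group (\S+)")
FSM_RE = re.compile(r"IKE (?P<mode>AM|MM) Responder FSM error history .*?<state>, <event>: (?P<hist>.*)$")


def parse_fsm_history(hist):
    """Return [(state, event), ...] in the order printed; the terminal EV_ERROR entry leads."""
    pairs = []
    for chunk in hist.split("-->"):
        state, _, event = chunk.strip().partition(", ")
        pairs.append((state, event))
    return pairs


def verdict(s):
    """Plain-language reading of the summary (wording is this example's, not Cisco's)."""
    if s["phase1_match"] is None:
        return "no acceptable Phase 1 proposal seen: compare the peer's offer against 'show run crypto isakmp'"
    state = s["stalled_state"] or ""
    if "_WAIT_MSG" in state and s["retransmits"]:
        return (f"Phase 1 policy matched (global IKE entry {s['phase1_match']['entry']}); the peer kept "
                f"resending its previous message ({s['retransmits']} duplicates) while the ASA waited in "
                f"{state}, so the ASA's reply was lost or discarded by the client, not rejected at the proposal stage")
    return f"Phase 1 ended in state {state or 'unknown'}"


def analyze(text):
    """Extract peer, tunnel group, proposal match, client VIDs, retransmits and the stall state."""
    s = {"peer": None, "tunnel_group": None, "phase1_match": None, "client_vids": [],
         "retransmits": 0, "fsm_mode": None, "stalled_state": None, "elapsed_s": None}
    first_ts = last_ts = None
    for raw in text.splitlines():
        m = LINE_RE.match(PROMPT_RE.sub("", raw.strip()))
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year is irrelevant for the delta
        first_ts = first_ts or ts
        last_ts = ts
        s["peer"] = s["peer"] or m["ip"]
        msg = m["msg"]
        if (tg := TG_RE.search(msg)):
            s["tunnel_group"] = tg.group(1)
        elif (v := VID_RE.match(msg)):
            s["client_vids"].append(v.group(1))
        elif (pm := MATCH_RE.search(msg)):
            s["phase1_match"] = {"proposal": int(pm[1]), "transform": int(pm[2]), "entry": int(pm[3])}
        elif msg.startswith("Duplicate Phase 1 packet detected"):
            s["retransmits"] += 1  # peer resent its last packet; ASA resent its reply
        elif (f := FSM_RE.search(msg)):
            s["fsm_mode"] = f["mode"]
            pairs = parse_fsm_history(f["hist"])
            # Leading pair is (<mode>_DONE, EV_ERROR); the next pair is the state the
            # responder was sitting in when it gave up.
            s["stalled_state"] = pairs[1][0] if len(pairs) > 1 and pairs[0][1] == "EV_ERROR" else pairs[0][0]
    if first_ts and last_ts:
        s["elapsed_s"] = int((last_ts - first_ts).total_seconds())
    s["verdict"] = verdict(s)
    return s


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Feed it the full `debug crypto isakmp 127` output (paste it into `SAMPLE_LOG` or read a file) and it reports the same thing for any Phase 1 attempt: if `phase1_match` is empty, fix the ISAKMP policy list; if it is populated and the exchange still died in a `*_WAIT_MSG*` state behind a run of duplicates, the policy is fine and the next thing to check is the path the ASA's reply takes back to the client.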