Hi,

We are configuring a CISCO ASA to connect a VPN tunnel over IPSEC.

on both side, we can see initation frame,

but then, nothing happens.

vyatta is allready connected to other site using IPSEC.

CISCO ASA is only trying to connect to this Vyatta, no other connexion existing.

both Peer XXX.XXX.XX (vyatta) and YYY.YYY.YY. (ASA) can ping each other.

could you please help us to find out what is wrong on the CISCO ASA config, as we think the vyatta one is correct, working with many other sites. 

we have tried to change the PSK on both side, nothing better, we have tried to change encryption and authentication rules from 3DES to aes128, but still same behaviour,

we have changed multiple config on vyatta side, but nothing change (initiate or respond mode, fps enable/disable, change lifetime, compression enable, disable...) because we know better vyatta than the cisco conf.

we want to connect 192.168.20.150/32 to 172.19.1.0/24

192 is on vyatta side, and is nat to another internal IP using vyatta nat, as all other ip in this network, and this usualy works perfect with other Ipsec VPN.

cisco log sample: what it means ? we guess a timeout wiating for key exchange/validation from vyatta.

Mar 18 01:39:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 18 01:39:16 [IKEv1]: IP = XX.XXX.XX.XXX, IKE Initiator: New Phase 1, Intf in
side, IKE Peer XX.XXX.XX.XXX  local Proxy Address 172.19.1.0, remote Proxy Addre
ss 192.168.20.150,  Crypto map (outside-map)
Mar 18 01:39:16 [IKEv1 DEBUG]: IP = XX.XXX.XX.XXX, constructing ISAKMP SA payloa
d
Mar 18 01:39:16 [IKEv1 DEBUG]: IP = XX.XXX.XX.XXX, constructing Fragmentation VI
D + extended capabilities payload
Mar 18 01:39:16 [IKEv1]: IP = XX.XXX.XX.XXX, IKE_DECODE SENDING Message (msgid=0
) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 18 01:39:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 18 01:39:20 [IKEv1]: IP = XX.XXX.XX.XXX, Queuing KEY-ACQUIRE messages to be
processed when P1 SA is complete.
Mar 18 01:39:24 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 18 01:39:24 [IKEv1]: IP = XX.XXX.XX.XXX, Queuing KEY-ACQUIRE messages to be
processed when P1 SA is complete.
Mar 18 01:39:24 [IKEv1]: IP = XX.XXX.XX.XXX, IKE_DECODE RESENDING Message (msgid
=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 18 01:39:28 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 18 01:39:28 [IKEv1]: IP = XX.XXX.XX.XXX, Queuing KEY-ACQUIRE messages to be
processed when P1 SA is complete.
Mar 18 01:39:32 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 18 01:39:32 [IKEv1]: IP = XX.XXX.XX.XXX, Queuing KEY-ACQUIRE messages to be
processed when P1 SA is complete.
Mar 18 01:39:32 [IKEv1]: IP = XX.XXX.XX.XXX, IKE_DECODE RESENDING Message (msgid
=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 18 01:39:36 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 18 01:39:36 [IKEv1]: IP = XX.XXX.XX.XXX, Queuing KEY-ACQUIRE messages to be
processed when P1 SA is complete.
Mar 18 01:39:40 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 18 01:39:40 [IKEv1]: IP = XX.XXX.XX.XXX, Queuing KEY-ACQUIRE messages to be
processed when P1 SA is complete.
Mar 18 01:39:40 [IKEv1]: IP = XX.XXX.XX.XXX, IKE_DECODE RESENDING Message (msgid
=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 18 01:39:44 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 18 01:39:44 [IKEv1]: IP = XX.XXX.XX.XXX, Queuing KEY-ACQUIRE messages to be
processed when P1 SA is complete.
Mar 18 01:39:48 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 18 01:39:48 [IKEv1]: IP = XX.XXX.XX.XXX, Queuing KEY-ACQUIRE messages to be
processed when P1 SA is complete.
Mar 18 01:39:48 [IKEv1 DEBUG]: IP = XX.XXX.XX.XXX, IKE MM Initiator FSM error hi
story (struct &0x392d8c0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2,
EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_
SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2,
 EV_RETRY
Mar 18 01:39:48 [IKEv1 DEBUG]: IP = XX.XXX.XX.XXX, IKE SA MM:5a074820 terminatin
g:  flags 0x01000022, refcnt 0, tuncnt 0
Mar 18 01:39:48 [IKEv1 DEBUG]: IP = XX.XXX.XX.XXX, sending delete/delete with re
ason message
Mar 18 01:39:48 [IKEv1]: IP = XX.XXX.XX.XXX, Removing peer from peer table faile
d, no match!
Mar 18 01:39:48 [IKEv1]: IP = XX.XXX.XX.XXX, Error: Unable to remove PeerTblEntr
y
Mar 18 01:39:52 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 18 01:39:52 [IKEv1]: IP = XX.XXX.XX.XXX, IKE Initiator: New Phase 1, Intf in
side, IKE Peer XX.XXX.XX.XXX  local Proxy Address 172.19.1.0, remote Proxy Addre
ss 192.168.20.150,  Crypto map (outside-map)
Mar 18 01:39:52 [IKEv1 DEBUG]: IP = XX.XXX.XX.XXX, constructing ISAKMP SA payloa
d
Mar 18 01:39:52 [IKEv1 DEBUG]: IP = XX.XXX.XX.XXX, constructing Fragmentation VI
D + extended capabilities payload
Mar 18 01:39:52 [IKEv1]: IP = XX.XXX.XX.XXX, IKE_DECODE SENDING Message (msgid=0
) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 18 01:40:00 [IKEv1]: IP = XX.XXX.XX.XXX, IKE_DECODE RESENDING Message (msgid
=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 18 01:40:08 [IKEv1]: IP = XX.XXX.XX.XXX, IKE_DECODE RESENDING Message (msgid
=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108

• CISCO Config:

hostname ciscoasa
enable password 8Ry2Yjxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
 description connexion vers Rter Internet
 nameif outside
 security-level 0
 ip address YYY.YYY.YYY.110 255.255.255.252
!
interface Ethernet0/1
 description Connexion LAN
 nameif inside
 security-level 100
 ip address 172.19.1.251 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 6Iby0Jaxxxxxxx encrypted
ftp mode passive
access-list nonat extended permit ip 172.19.1.0 255.255.255.0 host 192.168.20.10
access-list encrypt extended permit ip 172.19.1.0 255.255.255.0 host 192.168.20.150
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 YYY.YYY.YYY.109 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set passwordset esp-3des esp-sha-hmac
crypto map outside-map 10 match address encrypt
crypto map outside-map 10 set peer 46.105.37.153
crypto map outside-map 10 set transform-set passwordset
crypto map outside-map interface outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 46.105.37.153 type ipsec-l2l
tunnel-group 46.105.37.153 ipsec-attributes
 pre-shared-key *
telnet 172.19.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
Cryptochecksum:d039f8b71fexxx
: end

• VYatta config:

peer YYY.YYY.YY.YY
 authentication {
     mode pre-shared-secret
     pre-shared-secret password123
 }
 connection-type initiate
 description "VPN "
 ike-group IKE_3DES_SHA1
 local-address XX.XXX.XXX.XXX.XXX
 tunnel 1 {
     allow-nat-networks disable
     allow-public-networks disable
     esp-group ESP_3DES_SHA1_28800
     local {
         prefix 192.168.20.150/32
     }
     remote {
         prefix 172.19.1.0/24
     }
 }
 
 
 esp-group ESP_3DES_SHA1_28800 {
             compression disable
             lifetime 28800
             mode tunnel
             pfs disable
             proposal 1 {
                 encryption 3des
                 hash sha1
             }
         }
 ike-group IKE_3DES_SHA1 {
             dead-peer-detection {
                 action restart
                 interval 30
                 timeout 60
             }
             lifetime 86400
             proposal 1 {
                 dh-group 2
                 encryption 3des
                 hash sha1
             }
         }

when checking wyatta logs, we can see 

Mar 20 16:54:50 vyatta pluto[15187]:   loaded PSK secret for XXX.XXX.XXX.XXX.  YYY.YYY.YY.YYY
Mar 20 16:54:50 vyatta pluto[15187]: added connection description "peer-YYY.YYY.YYY.YY-tunnel-1"
Mar 20 16:54:50 vyatta pluto[15187]: "peer-YYY.YYY.YYY.YY-tunnel-1" #243442: initiating Main Mode

then

#243442: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message

sometime, we could get:

Mar 18 11:38:34 vyatta pluto[15187]: packet from YYY.YYY.YYY.YYY:1645: initial Main Mode message received on XX.XXX.XXX.XXX:500 but no connection has been authorized with policy=PSK

Do we miss somehting important?

thanks

vincent