Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
985
Views
0
Helpful
3
Replies

ASA Site to Site VPN with unknown destination parameters

Kane Smith
Level 1
Level 1

‎12-12-2016 06:00 AM

Hi all,

I have a Huawei HHG2500 DSL router provided by my very unhelpful SP. I can't replace this as I don't have the username and password for the connection to the SP. In the web based menu, I have configured an IPSec VPN, set the tunnel's destination IP address and the destination LAN with subnet mask. I have also configured a pre-shared key. There is no option to set the encryption algorithm or the hash algorithm. This must be a default setting built into the router but not visible by the admin. The SP doesn't know what those settings are either.

The destination of the tunnel is my ASA 5510 in the cloud running software version 9.1. I have configured the standard S2S VPN on the ASA but struggling to "guess" what to configure in the transform set. I have tried all combinations of the encryption/hash but while ike phase 1 gets established, I don't get the phase 2 completion. 

"debug crypto isakmp" gives: 

Removing peer from correlator table failed, no match!

Session is being torn down. Reason: Phase 2 Mismatch

Are there any debugs I can run on the ASA to see the encryption/hash algorithm used by the Huawei?

Labels:
0 Helpful
3 Replies 3

Vishnu Sharma
Level 1
Level 1

‎12-12-2016 07:17 AM

Run following commands to see the policies being used by Huawei:

  • debug crypto isakmp 255
  • debug crypto ipsec 255

You will be able to see the policies being pushed from the remote side on the ASA.

Let me know if this helps.

Thanks,

Vishnu

Please rate helpful posts!!
0 Helpful

Kane Smith
Level 1
Level 1
In response to Vishnu Sharma

‎12-12-2016 09:25 AM

Hi Vishnu,

Thanks for your reply. In the meantime, I had installed a TP-LINK router behind the Huawei and configured the IPsec VPN from the TP-LINK. On this router, I am able to specify the encryption and hash algorithms.

I ran the two debugs as you suggested.

On ASA 9.1, the command "debug crypto ikev1" replaced the command "debug crypto isakmp" .

For both phase 1 and phase 2, I used aes-256 for the encryption and sha1 for the hash. I can see these paramters in the ISAKMP debug but not in the IPSEC debug. It is the IPSEC parameters that I need to know when the Huawei is used for the VPN.

Logs attached. (WAN IP addresses removed).

Please advise. Thanks.

Preview file
12 KB
Preview file
32 KB
0 Helpful

Kane Smith
Level 1
Level 1
In response to Kane Smith

‎12-13-2016 02:24 AM

More debugs attached. It looks like PHASE 1 is being completed OK. For PHASE 2, the crypto map MY-MAP is selected but PHASE 2 fails because the Huawei only supports Authentication Header? Can you please look at the attached and confirm?

Preview file
7 KB
0 Helpful
Customers Also Viewed These Support Documents