05-08-2013 10:04 AM
Hello,
I am trying to create a VPN between a service provider's ASA5540 and our Cisco2650XM device.
Here's our config:
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key ********* address XX.YY.223.126
crypto ipsec transform-set ipcom esp-3des esp-sha-hmac
crypto map serviceprovider local-address Loopback99
crypto map serviceprovider 1 ipsec-isakmp
description Tunnel to Service Provider
set peer XX.YY.223.126
set transform-set ipcom
set pfs group1
match address 100
interface Loopback99
ip address ZZ.YY.196.2 255.255.255.0
ip ospf 10 area 0
interface FastEthernet0/0
ip address XX.HH.126.90 255.255.255.224
duplex auto
speed auto
crypto map serviceprovider
access-list 100 permit ip any host 172.16.3.133
access-list 100 permit ip any host 172.16.3.131
And below, service provider ASA config:
object-group network Customer
network-object host ZZ.YY.196.129
network-object host ZZ.YY.196.130
network-object host XX.HH.126.129
network-object host XX.HH.126.130
object-group network DM_INLINE_NETWORK_4
network-object host 172.16.3.131
network-object host 172.16.3.133
access-list inside_nat0_outbound_1 extended permit ip object-group Itelnet host 172.16.3.133
access-list outside_20_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group Customer
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer ZZ.YY.196.2
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 3600
group-policy ZZ.YY.196.2 internal
group-policy ZZ.YY.196.2 attributes
vpn-filter value outside_20_cryptomap
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group ZZ.YY.196.2 type ipsec-l2l
tunnel-group ZZ.YY.196.2 general-attributes
default-group-policy ZZ.YY.196.2
tunnel-group ZZ.YY.196.2 ipsec-attributes
pre-shared-key *****
network ZZ.YY.196.130 0.0.0.0 area 0
=-=========================================================================
We cannot get past phase 1. Here's the log:
===========================================================================
May 8 00:47:56.863: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= ZZ.YY.196.2, remote= XX.YY.223.126,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.3.133/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xE0E40431(3773039665), conn_id= 0, keysize= 0, flags= 0x400B
May 8 00:47:57.043: CryptoEngine0: generating alg parameter for connid 19
May 8 00:47:57.043: CryptoEngine0: CRYPTO_ISA_DH_CREATE(hw)(ipsec)
May 8 00:47:57.083: CRYPTO_ENGINE: Dh phase 1 status: OK
May 8 00:47:57.264: CryptoEngine0: generating alg parameter for connid 0
May 8 00:47:57.264: CryptoEngine0: CRYPTO_ISA_DH_SHARE_SECRET(hw)(ipsec)
May 8 00:47:57.308: CryptoEngine0: create ISAKMP SKEYID for conn id 19
May 8 00:47:57.308: CryptoEngine0: CRYPTO_ISA_SA_CREATE(hw)(ipsec)
May 8 00:47:57.348: CryptoEngine0: generate hmac context for conn id 19
May 8 00:47:57.588: CryptoEngine0: generate hmac context for conn id 19
May 8 00:47:57.588: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
May 8 00:47:57.596: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT(hw)(ipsec)
May 8 00:47:57.781: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT(hw)(ipsec)
May 8 00:47:57.785: CryptoEngine0: generate hmac context for conn id 19
May 8 00:47:57.785: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
May 8 00:47:57.797: CryptoEngine0: generate hmac context for conn id 19
May 8 00:47:57.797: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
May 8 00:47:57.805: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT(hw)(ipsec)
May 8 00:47:57.813: IPSEC(key_engine): got a queue event with 1 kei messages....
May 8 00:48:47.815: CryptoEngine0: clear dh number for conn id 36
May 8 00:48:47.815: CryptoEngine0: CRYPTO_ISA_DH_DELETE(hw)(ipsec)
May 8 00:48:56.865: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= ZZ.YY.196.2, remote= XX.YY.223.126,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.16.3.133/255.255.255.255/0/0 (type=1)
May 8 00:48:57.815: CryptoEngine0: delete connection 19
May 8 00:48:57.815: CryptoEngine0: CRYPTO_ISA_SA_DELETE(hw)(ipsec)
May 8 00:49:17.844: CryptoEngine0: clear dh number for conn id 38
May 8 00:49:17.844: CryptoEngine0: CRYPTO_ISA_DH_DELETE(hw)(ipsec)
May 8 00:49:27.844: CryptoEngine0: delete connection 20
May 8 00:49:27.844: CryptoEngine0: CRYPTO_ISA_SA_DELETE(hw)(ipsec)
The IKE never comes up; I mostly see it as DOWN or DOWN-NEGOTIATING:
Router#sho cry sess
Crypto session current status
Interface: Loopback99
Session status: DOWN-NEGOTIATING
Peer: XX.YY.223.126 port 500
IKE SA: local ZZ.YY.196.2/500 remote XX.YY.223.126/500 Inactive
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 172.16.3.131
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 172.16.3.133
Active SAs: 0, origin: crypto map
c2650#
Any idea what might be wrong here?
Thanks,
D.
05-08-2013 11:29 AM
With a more comprehensive debug I get this:
May 8 02:28:03.389: CryptoEngine0: CRYPTO_ISA_DH_DELETE(hw)(ipsec)
May 8 02:28:03.393: CryptoEngine0: generate hmac context for conn id 28
May 8 02:28:03.393: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
May 8 02:28:03.401: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT(hw)(ipsec)
May 8 02:28:03.582: CryptoEngine0: CRYPTO_ISA_IKE_DECRYPT(hw)(ipsec)
May 8 02:28:03.590: CryptoEngine0: generate hmac context for conn id 28
May 8 02:28:03.590: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
May 8 02:28:03.598: ISAKMP:(0:28:HW:2):deleting SA reason "Recevied fatal informational" state (I) QM_IDLE (peer XX.YY.223.126)
May 8 02:28:03.602: CryptoEngine0: generate hmac context for conn id 28
May 8 02:28:03.602: CryptoEngine0: CRYPTO_ISA_IKE_HMAC(hw)(ipsec)
May 8 02:28:03.610: CryptoEngine0: CRYPTO_ISA_IKE_ENCRYPT(hw)(ipsec)
May 8 02:28:03.618: IPSEC(key_engine): got a queue event with 1 kei messages
Thanks,
D.
05-08-2013 11:52 AM
Hi Daniel,
It seems you have PFS enabled on the ASA but not on the router. Can you remove the following command from the ASA:
no crypto map outside_map 20 set pfs
If issue persists, please paste 'show run crypto' from ASA as well.
-
Sourav
05-08-2013 11:35 AM
Router#sho cry isa sa
dst src state conn-id slot status
XX.YY.223.126 ZZ.YY.196.2 MM_NO_STATE 30 0 ACTIVE (deleted)
Router#
Help please?
05-08-2013 11:53 AM
In fact, can you please post 'show run' from both router and ASA for review? The problem seems to be in phase 1 and we don't have the complete config to look at.
Thanks.
-
Sourav
05-08-2013 12:10 PM
Links with configs from the 2650XM and the partial config I have from the service provider.
http://pastebin.com/bZA5WwMp --- Config from 2650XM
http://pastebin.com/cyy1hdNN -- partial config I have from ASA
Thanks,
D.
05-08-2013 12:32 PM
Thanks Daniel. OK, so we have PFS enabled on both ASA and router.
A few things to consider:
The ASA has the following access-list, which seems to be for NAT exemption (I don't see nat 0 anywhere in the config, so I can't verify):
access-list inside_nat0_outbound_1 extended permit ip object-group Itelnet host 172.16.3.133
Here is the crypto acl:
access-list outside_20_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group Itelnet
Itelnet seems to be on other end of router so nat exempt acl should look like:
access-list inside_nat0_outbound_1 extended permit ip object-group DM_INLINE_NETWORK_4 object-group Itelnet
no access-list inside_nat0_outbound_1 extended permit ip object-group Itelnet host 172.16.3.133
Please fix this.
Secondly, you have a VPN filter on the ASA; not sure why that is needed, as the crypto ACL only allows the specific traffic anyway:
group-policy 197.157.196.2 internal
group-policy 197.157.196.2 attributes
vpn-filter value outside_20_cryptomap
vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group 197.157.196.2 type ipsec-l2l
tunnel-group 197.157.196.2 general-attributes
default-group-policy 197.157.196.2
But most important thing is phase 1 policy on ASA which is not available in this config. On router we have;
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
Can you check if parameters are same on ASA as well?
-
Sourav
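As an added example (not code from the thread or from either vendor), the script below reads the router and ASA crypto-map fragments posted above and reports the two kinds of mismatch a responder will refuse during negotiation: the PFS group (on the ASA, `set pfs` with no argument means Diffie-Hellman group 2, while the router asks for `group1`), and crypto ACL entries that are not mirror images of each other (the router's `any` source has no counterpart among the hosts in the ASA's `Customer` object-group, which is exactly the `local_proxy= 0.0.0.0/0.0.0.0` seen in the router debug). The parser only understands the command forms that appear in this thread; the ASA transform-set `ESP-3DES-SHA` is not defined in the posted fragment, so it is not compared. The embedded configs are copied from the posts, with the same redacted addresses.

```python
"""Compare an IOS crypto-map peer with an ASA crypto-map entry for PFS-group
and proxy-identity (crypto ACL) mismatches. Narrow parser: only the command
forms used in the forum thread are recognised."""
import re

# ASA: `crypto map ... set pfs` with no group keyword defaults to DH group 2.
ASA_DEFAULT_PFS_GROUP = "group2"

# Router side, as posted in the thread (addresses already redacted there).
IOS_CONFIG = """
crypto map serviceprovider 1 ipsec-isakmp
 set peer XX.YY.223.126
 set transform-set ipcom
 set pfs group1
 match address 100
access-list 100 permit ip any host 172.16.3.133
access-list 100 permit ip any host 172.16.3.131
"""

# ASA side, as posted in the thread (crypto-relevant lines only).
ASA_CONFIG = """
object-group network Customer
 network-object host ZZ.YY.196.129
 network-object host ZZ.YY.196.130
 network-object host XX.HH.126.129
 network-object host XX.HH.126.130
object-group network DM_INLINE_NETWORK_4
 network-object host 172.16.3.131
 network-object host 172.16.3.133
access-list outside_20_cryptomap extended permit ip object-group DM_INLINE_NETWORK_4 object-group Customer
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set transform-set ESP-3DES-SHA
"""


def _endpoint(tokens, groups):
    """Consume one ACE endpoint (any | host A | object-group G | A MASK)
    from the token list and return the list of address strings it names."""
    kind = tokens.pop(0)
    if kind == "any":
        return ["any"]
    if kind == "host":
        return [tokens.pop(0)]
    if kind == "object-group":
        return list(groups[tokens.pop(0)])
    return [f"{kind} {tokens.pop(0)}"]      # "A.B.C.D MASK": kept as one string


def expand_ace(spec, groups):
    """'src dst' spec -> list of (src, dst) pairs with object-groups expanded."""
    tokens = spec.split()
    srcs = _endpoint(tokens, groups)
    dsts = _endpoint(tokens, groups)
    return [(s, d) for s in srcs for d in dsts]


def parse_asa(text):
    groups, acls, pfs, crypto_acl, current = {}, {}, None, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"object-group network (\S+)", line):
            current = groups.setdefault(m.group(1), [])
        elif m := re.match(r"network-object host (\S+)", line):
            current.append(m.group(1))
        elif m := re.match(r"access-list (\S+) extended permit ip (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"crypto map \S+ \d+ match address (\S+)", line):
            crypto_acl = m.group(1)
        elif m := re.match(r"crypto map \S+ \d+ set pfs(?: (\S+))?$", line):
            pfs = m.group(1) or ASA_DEFAULT_PFS_GROUP
    aces = [a for spec in acls.get(crypto_acl, []) for a in expand_ace(spec, groups)]
    return {"pfs": pfs, "aces": aces}


def parse_ios(text):
    acls, pfs, crypto_acl = {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"set pfs (\S+)", line):
            pfs = m.group(1)
        elif m := re.match(r"match address (\S+)", line):
            crypto_acl = m.group(1)
        elif m := re.match(r"access-list (\S+) permit ip (.+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
    aces = [a for spec in acls.get(crypto_acl, []) for a in expand_ace(spec, {})]
    return {"pfs": pfs, "aces": aces}


def compare(ios, asa):
    """Return human-readable findings; an empty list means the two sides agree."""
    findings = []
    if ios["pfs"] != asa["pfs"]:
        findings.append(f"PFS group mismatch: router {ios['pfs']}, ASA {asa['pfs']}")
    asa_mirror = {(d, s) for s, d in asa["aces"]}   # what the ASA expects to see
    for src, dst in ios["aces"]:
        if (src, dst) not in asa_mirror:
            findings.append(f"router ACE {src} -> {dst} has no mirror-image ACE on the ASA")
    for src, dst in sorted(asa_mirror - set(ios["aces"])):
        findings.append(f"ASA expects router ACE {src} -> {dst}, not present")
    return findings


if __name__ == "__main__":
    for finding in compare(parse_ios(IOS_CONFIG), parse_asa(ASA_CONFIG)):
        print(finding)
```

Running it against the posted fragments prints one PFS finding and ten ACL findings: the two router entries with `any` as source, and the eight host-to-host pairs the ASA's expanded object-groups actually negotiate for. IKEv1 does not narrow proxy identities, so the router's `any` side must be replaced by the `Customer` hosts (or the ASA's ACL widened) before quick mode can agree on a flow.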
05-09-2013 05:09 AM
Sourav,
This is what I received from the service provider:
The above is their phase 1 config.
Is it of any use?
05-09-2013 01:46 PM
Thanks Daniel. I checked the output and we definitely have a phase 1 policy match on the two devices. We might need to collect more debugging info. I would recommend opening a TAC case so that we can investigate further.
-
Sourav