Cisco <> MikroTik site-to-site IPsec tunnel

rga-rga-rga
Level 1

Cisco ASA 5505, Software 8.0(3)

MikroTik RouterBoard RB493AH, RouterOS 6.0

IPsec site-to-site is set up.

When MikroTik initiates the IPsec tunnel to Cisco, it is established, and data is encrypted and sent through the tunnel as expected.

When Cisco should initiate the tunnel, it ends with these error messages:

Jun 17 19:22:21 [IKEv1]: Group = < IP>, IP = <IP>, QM FSM error (P2 struct &0xd54e6a00, mess id 0x6dbfce6b)!

Jun 17 19:22:21 [IKEv1]: Group = <IP>, IP = <IP>, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

Jun 17 19:22:21 [IKEv1]: Group = <IP>, IP = <IP>, Removing peer from correlator table failed, no match!

This is the corresponding part of the ASA config:

crypto ipsec transform-set ts_esp_aes_256_sha esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map cdm_outside 10 set pfs
crypto dynamic-map cdm_outside 10 set transform-set ts_esp_aes_256_sha
crypto dynamic-map cdm_outside 10 set security-association lifetime kilobytes 262144
crypto map cm_outside 10 match address acl_encrypt_sk
crypto map cm_outside 10 set pfs group5
crypto map cm_outside 10 set peer <MikroTik public IP>
crypto map cm_outside 10 set transform-set ts_esp_aes_256_sha
crypto map cm_outside 10 set security-association lifetime kilobytes 262144

crypto map cm_outside 20 ...

crypto map cm_outside 65535 ipsec-isakmp dynamic cdm_outside
crypto map cm_outside interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 3600
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600

tunnel-group <remote IP> type ipsec-l2l
tunnel-group <remote IP> ipsec-attributes
pre-shared-key <key>

And this is the MikroTik config:

/ip ipsec peer print
Flags: X - disabled
0   ;;; IKE Phase 1: Authenticate IPSec peers
     address=<Cisco public IP>/32 passive=no port=500 auth-method=pre-shared-key
     secret="<key>" generate-policy=no exchange-mode=main
     send-initial-contact=yes nat-traversal=no proposal-check=strict
     hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1536 lifetime=1h
     lifebytes=268435456 dpd-interval=2m dpd-maximum-failures=5

/ip ipsec proposal print
Flags: X - disabled, * - default
0 X* name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
      pfs-group=modp1024

1    name="aes-256-sha1-dh5" auth-algorithms=sha1 enc-algorithms=aes-256
      lifetime=1h pfs-group=modp1536

/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive
0    ;;; IKE Phase 2: negotiate IPSec SAs
      src-address=<MikroTik LAN>/20 src-port=any dst-address=<Cisco LAN>/20
      dst-port=any protocol=all action=encrypt level=unique
      ipsec-protocols=esp tunnel=yes sa-src-address=<MikroTik public IP>
      sa-dst-address=<Cisco public IP> proposal=aes-256-sha1-dh5 priority=0

I tried IPsec debugging on both sides. As I understand it, IKE Phase 1 completed successfully, but there is an issue with IKE Phase 2 and I don't know why:

Jun 17 22:08:58 [IKEv1]: IP = <IP>, IKE Initiator: New Phase 1, Intf inside, IKE Peer <IP>  local Proxy Address <Cisco LAN>, remote Proxy Address <MikroTik LAN>,  Crypto map (cm_outside)
Jun 17 22:08:58 [IKEv1]: IP = <IP>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 192
Jun 17 22:08:58 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Jun 17 22:08:58 [IKEv1]: IP = <IP>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 368
Jun 17 22:08:58 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 300
Jun 17 22:08:58 [IKEv1]: IP = <IP>, Connection landed on tunnel_group <IP>
Jun 17 22:08:58 [IKEv1]: IP = <IP>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Jun 17 22:08:58 [IKEv1]: Group = <IP>, IP = <IP>, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Jun 17 22:08:58 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jun 17 22:08:58 [IKEv1]: IP = <IP>, Connection landed on tunnel_group <IP>
Jun 17 22:08:58 [IKEv1]: Group = <IP>, IP = <IP>, Freeing previously allocated memory for authorization-dn-attributes
Jun 17 22:08:59 [IKEv1]: Group = <IP>, IP = <IP>, PHASE 1 COMPLETED
Jun 17 22:08:59 [IKEv1]: IP = <IP>, Keep-alive type for this connection: DPD
Jun 17 22:08:59 [IKEv1]: IP = <IP>, IKE_DECODE SENDING Message (msgid=5e1d666a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 400
Jun 17 22:08:59 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=d1beb252) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 64
Jun 17 22:08:59 [IKEv1]: Group = <IP>, IP = <IP>, Received non-routine Notify message: Invalid Payload (1)
Jun 17 22:09:07 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=9a38d4e6) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 64
Jun 17 22:09:07 [IKEv1]: Group = <IP>, IP = <IP>, Received non-routine Notify message: Invalid Payload (1)
Jun 17 22:09:11 [IKEv1]: IP = <IP>, IKE_DECODE SENDING Message (msgid=1644b80a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 17 22:09:11 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=f1bacead) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 17 22:09:15 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=cf34797b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 64
Jun 17 22:09:15 [IKEv1]: Group = <IP>, IP = <IP>, Received non-routine Notify message: Invalid Payload (1)
Jun 17 22:09:21 [IKEv1]: IP = <IP>, IKE_DECODE SENDING Message (msgid=a765efb2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 17 22:09:21 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=e9d5b67e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 17 22:09:23 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=8ce4de3a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 64
Jun 17 22:09:23 [IKEv1]: Group = <IP>, IP = <IP>, Received non-routine Notify message: Invalid Payload (1)
Jun 17 22:09:31 [IKEv1]: Group = <IP>, IP = <IP>, QM FSM error (P2 struct &0xd5976180, mess id 0x5e1d666a)!
Jun 17 22:09:31 [IKEv1]: Group = <IP>, IP = <IP>, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jun 17 22:09:31 [IKEv1]: Group = <IP>, IP = <IP>, Removing peer from correlator table failed, no match!
Jun 17 22:09:31 [IKEv1]: IP = <IP>, IKE_DECODE SENDING Message (msgid=5cb3f812) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jun 17 22:09:31 [IKEv1]: Ignoring msg to mark SA with dsID 6029312 dead because SA deleted

I would appreciate any clue...
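As an added example (not from the original post, nor Cisco or MikroTik code), here is a small Python parser for ASA IKEv1 debug lines in the format shown above. It correlates the Quick Mode message id the ASA sent with the later "QM FSM error ... mess id", counts the peer's "Invalid Payload" notifies, and reports whether the failure is a Phase 1 or Phase 2 problem. The sample lines are constructed from the post's pattern and all function names are mine.

```python
import re
from collections import Counter

# Constructed sample, abridged from the ASA debug output in the post above.
SAMPLE = """\
Jun 17 22:08:59 [IKEv1]: Group = <IP>, IP = <IP>, PHASE 1 COMPLETED
Jun 17 22:08:59 [IKEv1]: IP = <IP>, IKE_DECODE SENDING Message (msgid=5e1d666a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 400
Jun 17 22:08:59 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=d1beb252) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 64
Jun 17 22:08:59 [IKEv1]: Group = <IP>, IP = <IP>, Received non-routine Notify message: Invalid Payload (1)
Jun 17 22:09:31 [IKEv1]: Group = <IP>, IP = <IP>, QM FSM error (P2 struct &0xd5976180, mess id 0x5e1d666a)!
"""

SENT_RE = re.compile(r"IKE_DECODE SENDING Message \(msgid=([0-9a-f]+)\) with payloads : (.+?) total length")
NOTIFY_RE = re.compile(r"Received non-routine Notify message: (.+?) \((\d+)\)")
QM_ERR_RE = re.compile(r"QM FSM error \(P2 struct &0x[0-9a-f]+, mess id 0x([0-9a-f]+)\)")


def analyze_ikev1_log(text):
    """Summarise an ASA IKEv1 debug capture: Phase 1 state, Phase 2 failures and peer notifies."""
    sent = {}            # msgid -> list of payload names the ASA sent in that message
    notifies = Counter() # notify type -> count received from the peer
    phase1_done = False
    qm_failed = []       # msgids named in "QM FSM error" lines
    for line in text.splitlines():
        if "PHASE 1 COMPLETED" in line:
            phase1_done = True
        if m := SENT_RE.search(line):
            # "HDR + HASH (8) + SA (1) + ..." -> ["HDR", "HASH", "SA", ...]
            sent[m.group(1)] = [p.split(" ")[0] for p in m.group(2).split(" + ")]
        if m := NOTIFY_RE.search(line):
            notifies[m.group(1)] += 1
        if m := QM_ERR_RE.search(line):
            qm_failed.append(m.group(1))
    # The failed msgid should match a message the ASA itself sent: Quick Mode message 1
    # carries an SA payload, and a KE payload means the ASA proposed PFS for this SA.
    qm1 = next((sent[mid] for mid in qm_failed if mid in sent and "SA" in sent[mid]), [])
    invalid = notifies.get("Invalid Payload", 0)
    if not phase1_done:
        verdict = "phase1-failed"
    elif not qm_failed:
        verdict = "no-qm-failure"
    elif invalid:
        verdict = "phase2-rejected-by-peer"   # peer answered QM1 with Invalid Payload
    else:
        verdict = "phase2-timeout"            # QM FSM error with no explicit rejection
    return {"phase1_done": phase1_done, "qm_failed_msgids": qm_failed,
            "qm1_payloads": qm1, "pfs_proposed": "KE" in qm1,
            "invalid_payload_count": invalid, "verdict": verdict}


if __name__ == "__main__":
    print(analyze_ikev1_log(SAMPLE))
```

The verdict separates a Phase 1 problem (pre-shared key or ISAKMP policy) from a Phase 2 one (proposal, PFS group, proxy IDs or an unexpected payload in QM1), which is the first split to make when reading ASA logs like these.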