06-19-2013 01:26 PM - edited 02-21-2020 06:58 PM
Cisco ASA 5505, Software 8.0(3)
MikroTik RouterBoard RB493AH, RouterOS 6.0
IPsec site-to-site is set up.
When MikroTik initiates the IPsec tunnel to the Cisco, it is established and data are encrypted and sent through the tunnel as expected.
When the Cisco should initiate the tunnel, it ends with this error message:
Jun 17 19:22:21 [IKEv1]: Group = <IP>, IP = <IP>, QM FSM error (P2 struct &0xd54e6a00, mess id 0x6dbfce6b)!
Jun 17 19:22:21 [IKEv1]: Group = <IP>, IP = <IP>, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jun 17 19:22:21 [IKEv1]: Group = <IP>, IP = <IP>, Removing peer from correlator table failed, no match!
This is the corresponding part of the ASA config:
crypto ipsec transform-set ts_esp_aes_256_sha esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map cdm_outside 10 set pfs
crypto dynamic-map cdm_outside 10 set transform-set ts_esp_aes_256_sha
crypto dynamic-map cdm_outside 10 set security-association lifetime kilobytes 262144
crypto map cm_outside 10 match address acl_encrypt_sk
crypto map cm_outside 10 set pfs group5
crypto map cm_outside 10 set peer <MikroTik public IP>
crypto map cm_outside 10 set transform-set ts_esp_aes_256_sha
crypto map cm_outside 10 set security-association lifetime kilobytes 262144
crypto map cm_outside 20 ...
crypto map cm_outside 65535 ipsec-isakmp dynamic cdm_outside
crypto map cm_outside interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 3600
crypto isakmp policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
tunnel-group <remote IP> type ipsec-l2l
tunnel-group <remote IP> ipsec-attributes
pre-shared-key <key>
And this is the MikroTik config:
/ip ipsec peer print
Flags: X - disabled
0 ;;; IKE Phase 1: Authenticate IPSec peers
address=<Cisco public IP>/32 passive=no port=500 auth-method=pre-shared-key
secret="<key>" generate-policy=no exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=strict
hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1536 lifetime=1h
lifebytes=268435456 dpd-interval=2m dpd-maximum-failures=5
/ip ipsec proposal print
Flags: X - disabled, * - default
0 X* name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m
pfs-group=modp1024
1 name="aes-256-sha1-dh5" auth-algorithms=sha1 enc-algorithms=aes-256
lifetime=1h pfs-group=modp1536
/ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - inactive
0 ;;; IKE Phase 2: negotiate IPSec SAs
src-address=<MikroTik LAN>/20 src-port=any dst-address=<Cisco LAN>/20
dst-port=any protocol=all action=encrypt level=unique
ipsec-protocols=esp tunnel=yes sa-src-address=<MikroTik public IP>
sa-dst-address=<Cisco public IP> proposal=aes-256-sha1-dh5 priority=0
I tried IPsec debugging on both sides. As I understand it, IKE Phase 1 completes successfully, but there is an issue with IKE Phase 2 and I don't know why:
Jun 17 22:08:58 [IKEv1]: IP = <IP>, IKE Initiator: New Phase 1, Intf inside, IKE Peer <IP> local Proxy Address <Cisco LAN>, remote Proxy Address <MikroTik LAN>, Crypto map (cm_outside)
Jun 17 22:08:58 [IKEv1]: IP = <IP>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 192
Jun 17 22:08:58 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 152
Jun 17 22:08:58 [IKEv1]: IP = <IP>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 368
Jun 17 22:08:58 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 300
Jun 17 22:08:58 [IKEv1]: IP = <IP>, Connection landed on tunnel_group <IP>
Jun 17 22:08:58 [IKEv1]: IP = <IP>, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Jun 17 22:08:58 [IKEv1]: Group = <IP>, IP = <IP>, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Jun 17 22:08:58 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Jun 17 22:08:58 [IKEv1]: IP = <IP>, Connection landed on tunnel_group <IP>
Jun 17 22:08:58 [IKEv1]: Group = <IP>, IP = <IP>, Freeing previously allocated memory for authorization-dn-attributes
Jun 17 22:08:59 [IKEv1]: Group = <IP>, IP = <IP>, PHASE 1 COMPLETED
Jun 17 22:08:59 [IKEv1]: IP = <IP>, Keep-alive type for this connection: DPD
Jun 17 22:08:59 [IKEv1]: IP = <IP>, IKE_DECODE SENDING Message (msgid=5e1d666a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 400
Jun 17 22:08:59 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=d1beb252) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 64
Jun 17 22:08:59 [IKEv1]: Group = <IP>, IP = <IP>, Received non-routine Notify message: Invalid Payload (1)
Jun 17 22:09:07 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=9a38d4e6) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 64
Jun 17 22:09:07 [IKEv1]: Group = <IP>, IP = <IP>, Received non-routine Notify message: Invalid Payload (1)
Jun 17 22:09:11 [IKEv1]: IP = <IP>, IKE_DECODE SENDING Message (msgid=1644b80a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 17 22:09:11 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=f1bacead) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 17 22:09:15 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=cf34797b) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 64
Jun 17 22:09:15 [IKEv1]: Group = <IP>, IP = <IP>, Received non-routine Notify message: Invalid Payload (1)
Jun 17 22:09:21 [IKEv1]: IP = <IP>, IKE_DECODE SENDING Message (msgid=a765efb2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 17 22:09:21 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=e9d5b67e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 17 22:09:23 [IKEv1]: IP = <IP>, IKE_DECODE RECEIVED Message (msgid=8ce4de3a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 64
Jun 17 22:09:23 [IKEv1]: Group = <IP>, IP = <IP>, Received non-routine Notify message: Invalid Payload (1)
Jun 17 22:09:31 [IKEv1]: Group = <IP>, IP = <IP>, QM FSM error (P2 struct &0xd5976180, mess id 0x5e1d666a)!
Jun 17 22:09:31 [IKEv1]: Group = <IP>, IP = <IP>, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Jun 17 22:09:31 [IKEv1]: Group = <IP>, IP = <IP>, Removing peer from correlator table failed, no match!
Jun 17 22:09:31 [IKEv1]: IP = <IP>, IKE_DECODE SENDING Message (msgid=5cb3f812) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jun 17 22:09:31 [IKEv1]: Ignoring msg to mark SA with dsID 6029312 dead because SA deleted
I would appreciate any clue...
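To make the debug output above easier to read, here is a small triage script for ASA "debug crypto isakmp" (IKEv1) lines. It is an added example written for this thread, not code from the original post or from Cisco; the log lines it embeds are constructed copies of the lines quoted above with placeholder addresses. It separates the Phase 1 (msgid=0) exchange from the Quick Mode proposal, counts the non-routine Notify messages the peer sent back, and checks whether the "mess id" in the QM FSM error is the msgid of the proposal the ASA itself sent, which is exactly what the quoted log shows (0x5e1d666a in both places).

```python
import re
from collections import Counter

# Constructed sample modelled on the ASA IKEv1 debug quoted in the post.
# 203.0.113.5 is a documentation placeholder, not a real peer.
SAMPLE_LOG = """\
Jun 17 22:08:58 [IKEv1]: IP = 203.0.113.5, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.5 local Proxy Address 10.0.0.0, remote Proxy Address 10.16.0.0, Crypto map (cm_outside)
Jun 17 22:08:58 [IKEv1]: IP = 203.0.113.5, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 192
Jun 17 22:08:59 [IKEv1]: Group = 203.0.113.5, IP = 203.0.113.5, PHASE 1 COMPLETED
Jun 17 22:08:59 [IKEv1]: IP = 203.0.113.5, IKE_DECODE SENDING Message (msgid=5e1d666a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 400
Jun 17 22:08:59 [IKEv1]: IP = 203.0.113.5, IKE_DECODE RECEIVED Message (msgid=d1beb252) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 64
Jun 17 22:08:59 [IKEv1]: Group = 203.0.113.5, IP = 203.0.113.5, Received non-routine Notify message: Invalid Payload (1)
Jun 17 22:09:07 [IKEv1]: Group = 203.0.113.5, IP = 203.0.113.5, Received non-routine Notify message: Invalid Payload (1)
Jun 17 22:09:31 [IKEv1]: Group = 203.0.113.5, IP = 203.0.113.5, QM FSM error (P2 struct &0xd5976180, mess id 0x5e1d666a)!
Jun 17 22:09:31 [IKEv1]: Group = 203.0.113.5, IP = 203.0.113.5, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
"""

RE_SENDING = re.compile(
    r"IKE_DECODE SENDING Message \(msgid=([0-9a-f]+)\) with payloads : (.+?) total length")
RE_NOTIFY = re.compile(r"Received non-routine Notify message: (.+?) \((\d+)\)")
RE_QM_ERROR = re.compile(r"QM FSM error \(P2 struct &0x[0-9a-f]+, mess id 0x([0-9a-f]+)\)")


def triage_ikev1_log(text):
    """Summarise an ASA IKEv1 debug: did Phase 1 finish, and how did Phase 2 fail?"""
    phase1_completed = False
    qm_proposal_msgids = []      # msgids of Quick Mode proposals the ASA sent
    notifies = Counter()         # Notify types the peer answered with
    qm_fsm_error_msgid = None    # "mess id" from the QM FSM error line
    no_spi = False

    for line in text.splitlines():
        if "PHASE 1 COMPLETED" in line:
            phase1_completed = True
            continue
        m = RE_SENDING.search(line)
        if m:
            msgid, payloads = m.groups()
            # msgid 0 is the Main Mode (Phase 1) exchange; a non-zero msgid that
            # carries an SA payload is the ASA's Quick Mode (Phase 2) proposal.
            if msgid != "0" and "SA (1)" in payloads:
                qm_proposal_msgids.append(msgid)
            continue
        m = RE_NOTIFY.search(line)
        if m:
            notifies[m.group(1)] += 1
            continue
        m = RE_QM_ERROR.search(line)
        if m:
            qm_fsm_error_msgid = m.group(1)
            continue
        if "No SPI to identify Phase 2 SA" in line:
            no_spi = True

    error_matches = qm_fsm_error_msgid is not None and qm_fsm_error_msgid in qm_proposal_msgids
    if not phase1_completed:
        verdict = "Phase 1 did not complete: check ISAKMP policy, pre-shared key and peer identity"
    elif qm_fsm_error_msgid or no_spi:
        replies = ", ".join(f"{k} x{v}" for k, v in notifies.items()) or "no Notify"
        verdict = (f"Phase 1 OK, Phase 2 (Quick Mode) failed: peer answered proposal "
                   f"{qm_fsm_error_msgid} with {replies}; compare the Phase 2 proposal, "
                   f"PFS group and proxy IDs (crypto ACL vs policy) on both sides")
    else:
        verdict = "no Phase 2 failure seen"

    return {
        "phase1_completed": phase1_completed,
        "qm_proposal_msgids": qm_proposal_msgids,
        "notifies": dict(notifies),
        "qm_fsm_error_msgid": qm_fsm_error_msgid,
        "error_matches_sent_proposal": error_matches,
        "no_spi": no_spi,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage_ikev1_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the output of "debug crypto isakmp" captured over SSH (see "terminal monitor" later in the thread); when the verdict says Phase 1 is fine, the pre-shared key and ISAKMP policy can be ruled out and the comparison narrows to the Phase 2 proposal, PFS group and proxy IDs.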
06-20-2013 02:21 AM
Hi,
Phase 2
1. Try changing PFS on both devices from "group5" to "group2"
2. Compare the ACL on the ASA with the Mikrotik policy
acl_encrypt_sk
src-address=
Might the masks not match?
__________________________________________
The message:
Received non-routine Notify message: .........
From the Cisco documentation:
This message occurs due to misconfiguration (that is, when the policies or ACLs are not configured to be the same on peers). Once the policies and ACLs are matched the tunnel comes up without any problem.
________________
Best regards,
MB
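The two checks suggested above (PFS group and crypto ACL versus MikroTik policy, masks included) are mechanical enough to script. The following is an added example, not code from the thread or from either vendor: it parses a constructed ASA snippet and constructed RouterOS print lines shaped like the ones in the original post, translates ASA keywords to their RouterOS equivalents (group2 = modp1024, group5 = modp1536, esp-aes-256 = aes-256, esp-sha-hmac = sha1), and reports every mismatch. The placeholder networks are chosen so that the mask check fires: the ASA ACL says /20 where the MikroTik policy says /21.

```python
import ipaddress
import re

# Constructed snippets modelled on the configs quoted in the thread.
# Networks are placeholders, not the poster's; the /21 on the MikroTik
# dst-address is deliberate so the proxy-ID check has something to report.
ASA_CONFIG = """\
access-list acl_encrypt_sk extended permit ip 10.0.0.0 255.255.240.0 10.16.0.0 255.255.240.0
crypto ipsec transform-set ts_esp_aes_256_sha esp-aes-256 esp-sha-hmac
crypto map cm_outside 10 match address acl_encrypt_sk
crypto map cm_outside 10 set pfs group5
crypto map cm_outside 10 set transform-set ts_esp_aes_256_sha
"""
MIKROTIK_PROPOSAL = ('name="aes-256-sha1-dh5" auth-algorithms=sha1 '
                     'enc-algorithms=aes-256 lifetime=1h pfs-group=modp1536')
MIKROTIK_POLICY = ('src-address=10.16.0.0/20 dst-address=10.0.0.0/21 protocol=all '
                   'action=encrypt proposal=aes-256-sha1-dh5')

# ASA keyword -> RouterOS value. DH group numbers follow RFC 2409 / RFC 3526.
PFS_MAP = {"group1": "modp768", "group2": "modp1024", "group5": "modp1536", "group14": "modp2048"}
ENC_MAP = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes-128",
           "esp-aes-192": "aes-192", "esp-aes-256": "aes-256"}
AUTH_MAP = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}


def parse_kv(line):
    """Parse a RouterOS key=value print/export line into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', line)}


def parse_asa(text):
    """Collect crypto ACLs, transform-sets and crypto map entries from an ASA snippet."""
    acls, tsets, maps = {}, {}, {}
    for line in text.splitlines():
        m = re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            tsets[m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"crypto map (\S+) (\d+) (match address|set pfs|set transform-set)\s*(\S*)", line)
        if m:
            entry = maps.setdefault((m.group(1), int(m.group(2))), {})
            key, val = m.group(3), m.group(4)
            if key == "set pfs":
                entry["pfs"] = val or "group2"   # a bare "set pfs" defaults to group2 on the ASA
            elif key == "match address":
                entry["acl"] = val
            else:
                entry["tset"] = val
    return acls, tsets, maps


def check_phase2(asa_text, mt_proposal_line, mt_policy_line):
    """Return human-readable Phase 2 mismatches between the ASA and the MikroTik side."""
    acls, tsets, maps = parse_asa(asa_text)
    prop, pol = parse_kv(mt_proposal_line), parse_kv(mt_policy_line)
    mt_src = ipaddress.ip_network(pol["src-address"])
    mt_dst = ipaddress.ip_network(pol["dst-address"])
    findings = []
    for (name, seq), entry in maps.items():
        # Proxy IDs: the MikroTik policy must mirror the ASA crypto ACL exactly,
        # mask included (ASA src == MikroTik dst, ASA dst == MikroTik src).
        for asa_src, asa_dst in acls.get(entry.get("acl"), []):
            if (asa_src, asa_dst) != (mt_dst, mt_src):
                findings.append(f"{name} {seq}: proxy ID mismatch, ASA {asa_src}->{asa_dst} "
                                f"vs MikroTik {mt_src}->{mt_dst} (mirrored)")
        # PFS: ASA groupN must equal the proposal's pfs-group ("none" on both if off).
        asa_pfs = PFS_MAP.get(entry["pfs"], entry["pfs"]) if "pfs" in entry else "none"
        mt_pfs = prop.get("pfs-group", "none")
        if asa_pfs != mt_pfs:
            findings.append(f"{name} {seq}: PFS mismatch, ASA {entry.get('pfs', 'no pfs')} "
                            f"({asa_pfs}) vs MikroTik pfs-group={mt_pfs}")
        # Transform set: each ASA ESP transform needs an equivalent in the proposal's
        # comma-separated enc-algorithms / auth-algorithms lists.
        enc_offered = prop.get("enc-algorithms", "").split(",")
        auth_offered = prop.get("auth-algorithms", "").split(",")
        for tok in tsets.get(entry.get("tset"), []):
            if tok in ENC_MAP and ENC_MAP[tok] not in enc_offered:
                findings.append(f"{name} {seq}: encryption {tok} not offered by MikroTik "
                                f"(enc-algorithms={prop.get('enc-algorithms')})")
            if tok in AUTH_MAP and AUTH_MAP[tok] not in auth_offered:
                findings.append(f"{name} {seq}: integrity {tok} not offered by MikroTik "
                                f"(auth-algorithms={prop.get('auth-algorithms')})")
    return findings


if __name__ == "__main__":
    for finding in check_phase2(ASA_CONFIG, MIKROTIK_PROPOSAL, MIKROTIK_POLICY):
        print(finding)
```

Paste your own "show running-config crypto" and "/ip ipsec proposal print" / "/ip ipsec policy print" output into the three constants; an empty result means the proxy IDs, PFS group and algorithms line up and the search can move on to lifetimes, the peer ID and NAT.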
09-24-2013 10:33 AM
Hi, I had this exact same issue when trying to have a Mikrotik on DHCP do a site-to-site VPN to a Cisco ASA.
Phase 2 is about the "IPsec Proposal" on the Mikrotik side, so be sure the Auth and Encryption Algorithms checked in Winbox are allowed on the ASA.
Also maybe just change the "PFS Group" from "modp1024" (default) to "none" and clear the "Installed SAs" on the Mikrotik.
Perfect Forward Secrecy (PFS) is probably not activated on your ASA if the IPsec goes up after that. On my side the wrong PFS Group was the issue.
11-13-2013 07:39 AM
Hi David!
Can you show your config of the ASA and Mikrotik? How did you get ipsec up? In my case Phase 1 is successful. Phase 2 isn't established...
11-13-2013 08:29 AM
On the ASA you first need to put the NO NAT rule.
Example:
access-list no-nat-inside line 15 extended permit ip 192.168.128.0 255.255.252.0 192.168.126.0 255.255.255.0
Then I created a tunnel-group with a FQDN and not an IP (because the Mikrotik side is on DHCP)
tunnel-group exemple.cisco.com type ipsec-l2l
tunnel-group exemple.cisco.com ipsec-attributes
pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
SYSTEM_DEFAULT_CRYPTO_MAP could be OK; if not, create a CryptoMap
access-list Mkt_splittunnel extended permit ip 192.168.128.0 255.255.252.0 192.168.126.0 255.255.255.0
crypto dynamic-map Mkt-crypto 5 match address Mkt_splittunnel
crypto dynamic-map Mkt-crypto 5 set transform-set ESP-AES-256-SHA
crypto map Outside_map 10 ipsec-isakmp dynamic Mkt-crypto
-------------------------------------------------------------------------------------------
Then on the Mikrotik side create the Phase 2 proposal and the peer config.
I use a script to check the sa-src-address against the DHCP assigned IP.
It is important to use Aggressive mode to send the FQDN if the Mikrotik is on DHCP.
# Phase2 SHA1 / aes-256 / none
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256 lifetime=30m name=default pfs-group=none
#
# PEER ( ASA ) in Aggressive Mode for FQDN ( VPN Group on ASA )
/ip ipsec peer
add address=x.x.x.x auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=5 \
    enc-algorithm=aes-256 exchange-mode=aggressive generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=1d my-id-user-fqdn=\
    exemple.cisco.com nat-traversal=no port=500 proposal-check=obey secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXX send-initial-contact=yes
#
# What to put in IPSec
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.128.0/22 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=default \
    protocol=all sa-dst-address=X.X.X.X sa-src-address=X.X.X.X src-address=192.168.126.0/24 src-port=any tunnel=yes
#
# Script to fill sa-src-address with the DHCP assigned address
/system scheduler
add disabled=no interval=1m name=dynamic-dns-schedule on-event=dynamic-router-update policy=\
    ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive start-time=startup
/system script
add name=dynamic-router-update policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source=":local CurrentWanIP [/ip dhcp-clien\
    t get [find where interface=ether1-gateway] address]\r\
    \n:local length [:len \$CurrentWanIP]\r\
    \n:set length (\$length -3)\r\
    \n:local WanIP [:pick \$CurrentWanIP 0 \$length ] \r\
    \n:local SaWanIP [/ip ipsec policy get [find where dst-address=192.168.128.0/22] sa-src-address]\r\
    \n:if (\$WanIP != \$SaWanIP) do={\r\
    \n\t:log info \"SaIpMatic: Wan IP update need DHCP IP \$WanIP and current SA IPsec IP \$SaWanIP\"\r\
    \n\t/ip ipsec policy set [find where dst-address=192.168.128.0/22] sa-src-address=\$WanIP\r\
    \n\t/ip ipsec installed-sa flush\r\
    \n} else={\r\
    \n\t:log info \"SaIpMatic: Current DHCP IP \$WanIP and current SA IPsec IP \$SaWanIP equal, no update need\"\r\
    \n}"
11-14-2013 12:51 AM
Hello, David!
Thanks a lot!
I will try your method.
I think my ASA config is OK. What do you think about it? My ASA is 8.6
nat - NO NAT:
nat (inside,outside) source static asa-sb asa-sb destination static m1-sb m1-sb
I need more than one connection, that's why I use DefaultL2LGroup (I hope it accepts connections from 0.0.0.0/0):
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
and my crypto map policy and access-list:
access-list asa-m1-sb extended permit ip object asa-sb object m1-sb
crypto ipsec ikev1 transform-set 3DES esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 10 set ikev1 transform-set 3DES
crypto map outside 1000 ipsec-isakmp dynamic DYNMAP
crypto map outside interface outside
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
It's strange... I ran the command:
crypto map outside 1000 match address asa-m1-sb
But it doesn't appear in the config...
Debug crypto ikev1 127 is empty, but when I ping from asa-sb (192.168.88.0/24) to m1-sb (10.9.9.0/24) the ASDM log shows:
Error: %ASA-3-752006: Tunnel Manager failed to dispatch a KEY_ACQUIRE message.
Mikrotik...
David, what do you think about not using a script to check the sa-src-address against the DHCP assigned IP, and instead using this in the peer config:
generate-policy=yes
11-14-2013 08:42 AM
On my side I actually use the SYSTEM_DEFAULT_CRYPTO_MAP without problem, but I have created a tunnel group just for the Mikrotik.
If the Mikrotik has a static IP, try creating a Tunnel Group with IP; if not, use a tunnel group with FQDN.
tunnel-group exemple.cisco.com type ipsec-l2l
tunnel-group exemple.cisco.com ipsec-attributes
pre-shared-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
To debug over SSH you can also try this...
terminal monitor
debug crypto isa
debug crypto ipsec
And on the Mikrotik side, did you try this value in the IPSec Proposal?
pfs-group=none
I also recommend you read the slides ( http://gregsowell.com/wp-content/uploads/2009/12/GregSowell-mikrotik-vpn1.pdf ) of the Mikrotik VPN class of Greg (he has a great blog) at http://gregsowell.com/?p=1290 where you will find interesting config about