03-27-2014 07:05 AM
Hello,
I was hoping somebody could help me with the problem I have with creating a site-to-site tunnel.
The site I am working on has an ASA 5505+ whose VPN works, but another site (which I do not have access to) wants L2L configuring and they only use a Fortigate router.
I'm still learning ASA but I have succeeded with other sites to create a tunnel, but they are ASA to ASA.
This is the info the Fortigate router is configured with for the tunnel:
Phase 1 –
Encryption = 3DES , Authentication = SHA1 DH Group = 5 Keylife = 86400 NAT Traversal enabled
Phase 2 –
Encryption = AES256, Authentication = SHA1 Enable PFS DH Group = 5 Keylife = 3600 Our source address = 192.168.113.0 /24 to their destination address = 192.168.0.0 /24
This is what I have created on the ASA:
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.113.0 255.255.255.0
access-list TEST extended permit ip 192.168.0.0 255.255.255.0 192.168.113.0 255.255.255.0
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
crypto ipsec transform-set S2SSET esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 100 set transform-set VPNSET
crypto dynamic-map dynmap 120 set pfs
crypto map BBMAP 1 match address TEST
crypto map BBMAP 1 set pfs group1
crypto map BBMAP 1 set peer xxx.xxx.xxx.xxx
crypto map BBMAP 1 set transform-set S2SSET
crypto map BBLMAP 10 set security-association lifetime seconds 3600
crypto map BBMAP 65535 ipsec-isakmp dynamic dynmap
crypto map BBMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal 20
I created isakmp policy 20 for the tunnel
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
This is the log from debug isakmp:
Mar 26 19:03:14 [IKEv1]: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
Mar 26 19:03:16 [IKEv1]: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Removing peer from peer table failed, no match!
Mar 26 19:03:16 [IKEv1]: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Error: Unable to remove PeerTblEntry
Mar 26 19:03:19 [IKEv1]: Group = xxx.xxx.xxx.xxx, IP = xxx.xxx.xxx.xxx, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
Any help would be appreciated.
03-27-2014 07:55 AM
I've edited crypto map BBLMAP 10 set security-association lifetime seconds 3600 to crypto map BBLMAP 1 set security-association lifetime seconds 3600
03-27-2014 08:02 AM
I see a couple of things that you might want to take a look at.
- Looking at the debug output, it says that the pre-shared key configured on the Fortigate and ASA might be different. They need to be the same, you might want to check the keys again.
- The access-list for no-NAT traffic should be permitting traffic from your side destined to the remote end. Only that specific traffic will not be NATed. Your current no-NAT ACL is saying the other way around.
- Your DH group value for phase 2 on the Fortigate and ASA is different. From what I understand, they need to be the same.
HTH,
03-27-2014 08:47 AM
Thank you for the reply.
I am waiting for confirmation from the Fortigate site regarding the pre-shared key.
As for the nonat ACL, I thought all I needed to do was allow them coming in and they do the reverse at their end?
DH on phase 2: I created policy 20 for this as policy 10 is for the VPNSET, will this not work?
Thank you again.
03-27-2014 09:21 AM
The purpose of the nonat ACL is actually to prevent the ASA from NATing the IP addresses that are going through the tunnel.
Crypto isakmp policy is the policy for VPN phase 1; both ends need to have the same policy. Crypto map is where the policy for phase 2 is. Phase 2 will only take place after phase 1 is completed/successful.
See following configuration example to understand better how the process works: link
You are welcome, please rate if you find it helpful.
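An added example, not from the thread, that automates the cross-check the replies did by hand: it parses the poster's ASA config (re-typed as a constructed string) and compares the ISAKMP policies, the crypto map's transform-set and PFS group, and the nonat ACL direction against the Phase 1/2 settings the Fortigate side supplied. The function names and the exact finding strings are my own.

```python
"""Added example, not from the thread: cross-check the poster's ASA L2L config
against the Phase 1/2 settings the Fortigate side gave, as the second reply
did by hand. ASA_CFG is the poster's config re-typed as a constructed string."""
LOCAL, REMOTE = "192.168.113.0", "192.168.0.0"  # our /24 and theirs
PEER_P1 = {"encryption": "3des", "hash": "sha", "group": "5", "lifetime": "86400"}  # SHA1 is 'sha'
PEER_P2 = {"transform": ("esp-aes-256", "esp-sha-hmac"), "pfs": "group5"}

ASA_CFG = """\
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.113.0 255.255.255.0
crypto ipsec transform-set S2SSET esp-aes-256 esp-sha-hmac
crypto map BBMAP 1 set pfs group1
crypto map BBMAP 1 set transform-set S2SSET
crypto isakmp policy 20
 encryption 3des
 hash sha
 group 5
 lifetime 86400
"""

def parse_asa(cfg):
    # Returns ISAKMP policies, transform-sets, static crypto-map entries and nonat ACL pairs.
    policies, tsets, cmap, nonat, cur = {}, {}, {}, [], None
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[:3] == ["crypto", "isakmp", "policy"]:
            cur = policies.setdefault(t[3], {})
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[t[3]] = tuple(t[4:])
        elif t[:2] == ["crypto", "map"] and t[3].isdigit() and t[4] == "set":
            cmap.setdefault((t[2], t[3]), {})[t[5]] = " ".join(t[6:])
        elif t[:2] == ["access-list", "nonat"]:
            nonat.append((t[5], t[7]))  # (source network, destination network)
        elif cur is not None and t[0] in PEER_P1:
            cur[t[0]] = t[1]
    return policies, tsets, cmap, nonat

def check(cfg=ASA_CFG):
    """List the mismatches that would stop the tunnel or break the NAT exemption."""
    policies, tsets, cmap, nonat = parse_asa(cfg)
    findings = []
    if PEER_P1 not in policies.values():  # Phase 1: some policy must match exactly
        findings.append("phase1: no isakmp policy matches the peer's proposal")
    for (name, seq), e in cmap.items():  # Phase 2: transform-set and PFS group must match
        if tsets.get(e.get("transform-set")) != PEER_P2["transform"]:
            findings.append(f"phase2 {name} {seq}: transform-set differs from peer")
        if e.get("pfs") != PEER_P2["pfs"]:
            findings.append(f"phase2 {name} {seq}: pfs {e.get('pfs')} != {PEER_P2['pfs']}")
    for src, dst in nonat:  # exemption must be written local -> remote
        if (src, dst) != (LOCAL, REMOTE):
            findings.append(f"nonat ACL {src} -> {dst} is reversed; expected {LOCAL} -> {REMOTE}")
    return findings
```

Run as-is it reports the two mismatches the replies pointed out (PFS group1 versus group5, and the reversed nonat ACL), and an empty list once those two lines are corrected.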