IKEv1 aggressive mode ASA 5506-X to ASA 5510

manuscript1
Level 1

Hi

I am trying to set up a site-to-site VPN between an ASA 5506-X, which is behind a broadband connection and has a dynamic IP address on its outside interface, and another ASA with a fixed IP.

I have used ASDM to configure the connection profiles at both sides and am currently allowing all transform sets. The local end has no set IP, just a remote connection name. The far end has an IP address and the same connection name.

I get a "no proposal chosen" error at the broadband side and the following at the local headend.

Apr 18 14:04:19 [IKEv1 DEBUG]IP = x.x.x.x, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
Apr 18 14:04:19 [IKEv1]IP = x.x.x.x, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'x.x.x.x'.
Apr 18 14:04:19 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 92.237.220.243, processing IKE SA payload
Apr 18 14:04:19 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Apr 18 14:04:19 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Apr 18 14:04:19 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Apr 18 14:04:19 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Apr 18 14:04:19 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Apr 18 14:04:19 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Apr 18 14:04:19 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Apr 18 14:04:19 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Apr 18 14:04:19 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Apr 18 14:04:19 [IKEv1]Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 5
Apr 18 14:04:19 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Apr 18 14:04:19 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = x.x.x.x, All SA proposals found unacceptable
Apr 18 14:04:19 [IKEv1]IP = x.x.x.x, All IKE SA proposals found unacceptable

I assume this fails because of the tunnel group message? I can get this working with an EasyVPN configuration, but I would rather not use that as it's not ideal, and after all I have an ASA!

Any ideas or pointers would be appreciated.

3 Replies

manuscript1
Level 1

I have since made some progress.

I can get the VPN up for a single remote site.

This was achieved by using a key-id in the IKE parameters and setting this key-id to the same as the tunnel-group (if these two do not match then the connection fails).

If I add another branch, however, I cannot see how this branch can use a different tunnel-group and key-id, so I presume it must have the same tunnel-group and key-id.

So for example I have, for the working tunnel:

crypto isakmp identity key-id remoteVPN

crypto dynamic-map remoteVPN 1 match address outside_cryptomap
crypto dynamic-map remoteVPN 1 set pfs
crypto dynamic-map remoteVPN 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map1 1 ipsec-isakmp dynamic remoteVPN

crypto map outside_map1 interface outside

If however I add a new branch ASA, I would have:

crypto dynamic-map RogettestVPN 2 match address outside_cryptomap_1
crypto dynamic-map RogettestVPN 2 set pfs
crypto dynamic-map RogettestVPN 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map1 2 ipsec-isakmp dynamic RogettestVPN

However, what I am not understanding is how the second branch can have a different tunnel-group if the identity key-id cannot be changed (i.e. it seems you can only have one identity key-id).

So what makes the second branch unique? I want different filters and policies by branch.

Confused! Any help? I have used the Cisco doc below for help, but I can't see how the user-defined tunnel group "solution 2" works :0

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118652-configure-asa-00.pdf

Regards

Confused regarding your last post. Why not have a different key-id on each remote ASA and have two different tunnel-groups on the headend to match them?

You only need one dynamic map for both peers, with that dynamic map linked to one crypto map on the outside (WAN) interface. For example:

Headend ASA:

crypto dynamic-map remoteVPN 1 set pfs
crypto dynamic-map remoteVPN 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 1 ipsec-isakmp dynamic remoteVPN
crypto map outside_map1 interface outside

tunnel-group remote1 type ipsec-l2l
tunnel-group remote2 type ipsec-l2l

NOTE: an ACL on the dynamic map is not required.

Remote ASA1:
crypto isakmp identity key-id remote1
Remote ASA2:
crypto isakmp identity key-id remote2
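A complete version of the design in this reply, as an added example configuration written for this page: it is not the replier's or the original poster's config and is not taken from the Cisco document linked above. It assumes ASA 9.x CLI syntax, a headend with static outside address 203.0.113.1 and LAN 10.1.0.0/16, and two branches with LANs 192.168.1.0/24 and 192.168.2.0/24; every object name, address, ACL and pre-shared key is a placeholder. It uses IKEv1 aggressive mode as in the thread title, and adds the per-branch group-policy and vpn-filter that the earlier post asked about: the tunnel-group selected by the branch's key-id is what carries that branch's own key and policy.

```text
! ===== Headend ASA (static outside IP 203.0.113.1) =====
! Added example, not the poster's configuration. Addresses and keys are placeholders.
crypto ikev1 enable outside
! Aggressive mode commits to the DH group in message 1, so the headend must offer
! a policy with the group the branches send. The debug in the original post shows
! "Rcv'd: Group 2  Cfg'd: Group 5", i.e. no group 2 policy was configured there.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto isakmp nat-traversal 20
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
! One dynamic map covers every branch; no match address ACL is needed here
! because each branch proposes its own traffic selectors.
crypto dynamic-map DYN-BRANCH 10 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map DYN-BRANCH 10 set pfs group2
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-BRANCH
crypto map OUTSIDE-MAP interface outside
object network HQ-LAN
 subnet 10.1.0.0 255.255.0.0
object network BRANCH1-LAN
 subnet 192.168.1.0 255.255.255.0
object network BRANCH2-LAN
 subnet 192.168.2.0 255.255.255.0
! NAT exemption for each branch
nat (inside,outside) source static HQ-LAN HQ-LAN destination static BRANCH1-LAN BRANCH1-LAN no-proxy-arp route-lookup
nat (inside,outside) source static HQ-LAN HQ-LAN destination static BRANCH2-LAN BRANCH2-LAN no-proxy-arp route-lookup
! vpn-filter ACLs are written with the remote network as source and the local
! network as destination; the ASA applies them to traffic in both directions.
access-list FILTER-BRANCH1 extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list FILTER-BRANCH2 extended permit tcp 192.168.2.0 255.255.255.0 10.1.0.0 255.255.0.0 eq 443
group-policy GP-BRANCH1 internal
group-policy GP-BRANCH1 attributes
 vpn-tunnel-protocol ikev1
 vpn-filter value FILTER-BRANCH1
group-policy GP-BRANCH2 internal
group-policy GP-BRANCH2 attributes
 vpn-tunnel-protocol ikev1
 vpn-filter value FILTER-BRANCH2
! One tunnel-group per branch. Its name must equal the key-id the branch sends as
! its IKE identity; otherwise the headend logs "unknown tunnel group name" and
! falls back to DefaultRAGroup, exactly as in the original post's debug output.
tunnel-group branch1 type ipsec-l2l
tunnel-group branch1 general-attributes
 default-group-policy GP-BRANCH1
tunnel-group branch1 ipsec-attributes
 ikev1 pre-shared-key Branch1-PSK-placeholder
tunnel-group branch2 type ipsec-l2l
tunnel-group branch2 general-attributes
 default-group-policy GP-BRANCH2
tunnel-group branch2 ipsec-attributes
 ikev1 pre-shared-key Branch2-PSK-placeholder

! ===== Branch 1 ASA (dynamic outside IP, initiator) =====
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
! Send the tunnel-group name as identity instead of the (changing) outside IP.
crypto isakmp identity key-id branch1
object network BRANCH1-LAN
 subnet 192.168.1.0 255.255.255.0
object network HQ-LAN
 subnet 10.1.0.0 255.255.0.0
access-list BRANCH1-TO-HQ extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside,outside) source static BRANCH1-LAN BRANCH1-LAN destination static HQ-LAN HQ-LAN no-proxy-arp route-lookup
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address BRANCH1-TO-HQ
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE-MAP 10 set pfs group2
crypto map OUTSIDE-MAP 10 set ikev1 phase1-mode aggressive
crypto map OUTSIDE-MAP interface outside
! The branch initiates, so its tunnel-group is named after the headend address.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key Branch1-PSK-placeholder

! ===== Branch 2 ASA: identical apart from these lines =====
crypto isakmp identity key-id branch2
access-list BRANCH2-TO-HQ extended permit ip 192.168.2.0 255.255.255.0 10.1.0.0 255.255.0.0
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key Branch2-PSK-placeholder
```

Two practitioner caveats. First, `show crypto ikev1 sa` and `show vpn-sessiondb l2l` on the headend should show each branch under its own tunnel-group name; if a session lands in DefaultRAGroup, the key-id and tunnel-group name differ. Second, IKEv1 aggressive mode with pre-shared keys sends the identity in the clear and lets anyone who captures the exchange run an offline dictionary attack on the PSK, so use long random per-branch keys, and prefer IKEv2 (which the poster ultimately used) or certificate authentication where both ends support it.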

I have solved this. Thanks to anyone who looked.

It has to use IKEv2, and it has to have the IKE ID on the remote unit matching the tunnel-group (I had changed it at both ends).

The Cisco doc above is correct, but this point wasn't clear to me.

regards