04-18-2017 06:18 AM
Hi
I am trying to set up a site-to-site between an ASA 5506-X which is behind a broadband connection and has a dynamic IP address on the outside interface. This is to another ASA with a fixed IP.
I have used ASDM to configure the connection profiles at both sides and am currently allowing all transform sets. The local end has no set IP, just a remote connection name. The far end has an IP address and the same connection name.
I get a "no proposal chosen" error at the broadband side and the following at the local headend:
"Apr 18 14:04:19 [IKEv1 DEBUG]IP = x.x.x.x, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
Apr 18 14:04:19 [IKEv1]IP = x.x.x.x, Received ISAKMP Aggressive Mode message 1 with unknown tunnel group name 'x.x.x.x'.
Apr 18 14:04:19 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 92.237.220.243, processing IKE SA payload
Apr 18 14:04:19 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Apr 18 14:04:19 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Apr 18 14:04:19 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Apr 18 14:04:19 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Apr 18 14:04:19 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Apr 18 14:04:19 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Apr 18 14:04:19 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Apr 18 14:04:19 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Apr 18 14:04:19 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Apr 18 14:04:19 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Apr 18 14:04:19 [IKEv1]IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 40
Apr 18 14:04:19 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = x.x.x.x , All SA proposals found unacceptable
Apr 18 14:04:19 [IKEv1]IP = x.x.x.x , All IKE SA proposals found unacceptable
I assume this fails because of the tunnel group message? I can get this working with an EasyVPN configuration but I would rather not use that as it's not ideal and, after all, I have an ASA!
Any ideas or pointers would be appreciated.
04-18-2017 08:56 AM
I have since made some progress.
I can get the VPN up for a single remote site.
This was achieved by using a key-id in the IKE parameters and setting this key-id to the same as the tunnel-group (if these two do not match then the connection fails).
If I get another branch, however, I cannot see how this branch can use a different tunnel-group and key-id, so I presume it must have the same tunnel-group and key-id.
So, for example, I have for the working tunnel:
crypto isakmp identity key-id remoteVPN
crypto dynamic-map remoteVPN 1 match address outside_cryptomap
crypto dynamic-map remoteVPN 1 set pfs
crypto dynamic-map remoteVPN 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 1 ipsec-isakmp dynamic remoteVPN
crypto map outside_map1 interface outside
If, however, I add a new branch ASA I would have:
crypto dynamic-map RogettestVPN 2 match address outside_cryptomap_1
crypto dynamic-map RogettestVPN 2 set pfs
crypto dynamic-map RogettestVPN 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 2 ipsec-isakmp dynamic RogettestVPN
However, what I am not understanding is how the second branch can have a different tunnel-group if the identity key-id cannot be changed (i.e. it seems you can only have one identity key).
So what makes the second branch unique? I want different filters and policies by branch.
Confused! Any help? I have used the Cisco doc below for help but I can't see how the user-defined tunnel-group solution 2 works :0
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118652-configure-asa-00.pdf
Regards
04-18-2017 09:08 AM
Confused regarding your last post. Why not have different key IDs on the remote ASAs and have 2 different tunnel-groups on the headend to match this?
You only need 1 dynamic map for both peers and that dynamic map linked to one crypto map on the outside (WAN) interface. For example:
Headend ASA:
crypto dynamic-map remoteVPN 1 set pfs
crypto dynamic-map remoteVPN 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 1 ipsec-isakmp dynamic remoteVPN
crypto map outside_map1 interface outside
tunnel-group remote1 type ipsec-l2l
tunnel-group remote2 type ipsec-l2l
NOTE: ACL on dynamic map is not required
Remote ASA1:
crypto isakmp identity key-id remote1
Remote ASA2:
crypto isakmp identity key-id remote2
04-18-2017 09:32 AM
I have solved this - thanks to anyone who looked.
It has to use IKEv2 and it has to have the IKE ID on the remote unit match the tunnel-group (I had changed it at both ends).
The Cisco doc above is correct but this point wasn't clear to me.
regards
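The layout the reply and the final post converge on (one dynamic map on the headend, one tunnel-group per branch, each branch sending a key-id equal to its tunnel-group name, IKEv2), written out as a complete configuration. This is an added example, not configuration from the original posts or from the Cisco document linked above. All names and values are assumptions chosen for illustration: the headend address 203.0.113.1, the 10.0.0.0/24 hub and 10.1.0.0/16 / 10.2.0.0/16 branch networks, the object names (HUB_DYN, OUTSIDE_MAP, GP_BRANCH1, BRANCH1_FILTER, ...), the pre-shared-key placeholders, and the AES-256/SHA-256/group 14 suite, which is one I picked rather than the transform sets the thread used.

```cisco
! ===== Headend ASA (fixed outside address 203.0.113.1, assumed) =====
! IKEv2 policy and IPsec proposal; the suite is an example choice.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! One dynamic map catches every peer whose address is not known in advance.
! No match ACL is needed on it: each branch proposes its own traffic selectors.
crypto dynamic-map HUB_DYN 10 set ikev2 ipsec-proposal AES256-SHA256
crypto dynamic-map HUB_DYN 10 set pfs group14
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic HUB_DYN
crypto map OUTSIDE_MAP interface outside
!
! One tunnel-group per branch. The tunnel-group NAME must equal the IKE ID
! (key-id) that branch sends; the name lookup is what selects the group, its
! pre-shared key and its group-policy. A branch whose ID matches no
! tunnel-group falls into DefaultRAGroup / DefaultL2LGroup instead.
tunnel-group branch1 type ipsec-l2l
tunnel-group branch1 general-attributes
 default-group-policy GP_BRANCH1
tunnel-group branch1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <branch1-psk>
 ikev2 local-authentication pre-shared-key <branch1-psk>
tunnel-group branch2 type ipsec-l2l
tunnel-group branch2 general-attributes
 default-group-policy GP_BRANCH2
tunnel-group branch2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <branch2-psk>
 ikev2 local-authentication pre-shared-key <branch2-psk>
!
! Per-branch policy: a separate vpn-filter for each branch. vpn-filter ACLs
! are written from the remote side's point of view (source = branch network).
access-list BRANCH1_FILTER extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.255.255.0
access-list BRANCH2_FILTER extended permit tcp 10.2.0.0 255.255.0.0 10.0.0.0 255.255.255.0 eq 443
group-policy GP_BRANCH1 internal
group-policy GP_BRANCH1 attributes
 vpn-tunnel-protocol ikev2
 vpn-filter value BRANCH1_FILTER
group-policy GP_BRANCH2 internal
group-policy GP_BRANCH2 attributes
 vpn-tunnel-protocol ikev2
 vpn-filter value BRANCH2_FILTER
!
! ===== Branch ASA 1 (dynamic outside address) =====
! The branch identifies itself by key-id rather than by its changing address.
crypto isakmp identity key-id branch1
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
access-list BRANCH1_CRYPTO extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address BRANCH1_CRYPTO
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 10 set pfs group14
crypto map OUTSIDE_MAP interface outside
! The branch's tunnel-group is named after the headend's fixed address.
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <branch1-psk>
 ikev2 local-authentication pre-shared-key <branch1-psk>
!
! Branch ASA 2 is the same except: crypto isakmp identity key-id branch2,
! its own crypto ACL for 10.2.0.0/16, and <branch2-psk>.
```

Two caveats a practitioner will want. First, because the headend only has a dynamic map for these peers, it cannot initiate; the branch must always bring the tunnel up, so branch-side interesting traffic (or a keepalive) is what keeps it alive. Second, the key-id is the only thing that separates branches, so each branch must get its own pre-shared key: a branch that knows another branch's key-id and key could present itself as that branch and inherit its vpn-filter. To confirm which tunnel-group a connecting branch landed in, use `show crypto ikev2 sa` and `show vpn-sessiondb l2l` on the headend, and `debug crypto ikev2 protocol` while the branch connects if the ID is not being matched.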