IKEv1 phase 2 not coming up between Cisco ASA5525 and a vCloud Air device

sgrg07
Level 1

Hi all, 

I am trying to set up an IPsec tunnel with our telco, who are using vCloud Air. It has very limited capabilities with regard to IPsec.

 
Below is the config on our end:

 

group-policy NSL-VPN-IPSEC internal
group-policy NSL-VPN-IPSEC attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev1

 

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy NSL-VPN-IPSEC
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 120 retry 3


crypto ikev1 enable WAN1
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 28800

crypto ipsec ikev1 transform-set NSL-IPSEC esp-aes-256 esp-sha-hmac

 

access-list NSL-IPSEC-IKEV1 line 1 extended permit ip 10.172.63.0 255.255.255.0 10.200.10.0 255.255.255.0 
access-list NSL-IPSEC-IKEV1 line 2 extended permit ip 172.16.63.0 255.255.255.0 10.200.10.0 255.255.255.0 

 

crypto map NSL-IPSEC 1 match address NSL-IPSEC-IKEV1
crypto map NSL-IPSEC 1 set peer x.x.x.x
crypto map NSL-IPSEC 1 set ikev1 transform-set NSL-IPSEC
crypto map NSL-IPSEC 1 set security-association lifetime seconds 3600

crypto map NSL-IPSEC interface WAN1

 

nat (Inside1,WAN1) source static DM_INLINE_NETWORK_106 DM_INLINE_NETWORK_106 destination static NSL-IPO-Remote-Network NSL-IPO-Remote-Network no-proxy-arp route-lookup

nat (Inside1,WAN1) source static NSL-IPO-Remote-Network NSL-IPO-Remote-Network destination static DM_INLINE_NETWORK_100 DM_INLINE_NETWORK_100 no-proxy-arp route-lookup

 

 

-->Phase 1 is up

-->PFS has been disabled

-->crypto acl matches both ends 

-->but phase 2 fails to initialise (ISAKMP debug attached)

 

***********************************************************************************************************************

The VPN remote peer is a telco VM that has very few options for IPsec.
Please see their setup below (please note that PFS shows as enabled, but we disabled it as of this morning).

 

[Attached screenshot: telco-ikev1.png]

 

Also, the VM vendor came back with the following regarding the requirements.

 

Phase 1

  • Main mode negotiation must be used
  • Encryption algorithm AES/ AES 256 (Recommended) / AES-GCM (must match Phase 2 setting) | 3DES can currently be selected but is set to be removed
  • SHA-1 authentication
  • SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying
  • ISAKMP aggressive mode disabled


Phase 2

  • AES/ AES 256 (Recommended) / AES-GCM (must match Phase 1 setting)
  • SHA-1 authentication
  • ESP tunnel mode
  • SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
  • Dead Peer Detection must be enabled.

 

DPD delay, timeout, and action values 
    dpddelay = 30
    dpdtimeout = 120
    dpdaction = restart

 

*************************************************************************************************************************

 

I have tweaked around with parameters but no luck yet. Would anyone be able to help?

 


7 Replies

Hi,

In your IKEv1 policy you've defined SHA1:

 

crypto ikev1 enable WAN1
crypto ikev1 policy 15
authentication pre-share
encryption aes-256
hash sha

 

In the screenshot of the peer, it is using SHA256. Change the hashing value to ensure they match and try again.

 

HTH

Hi RJI, 

Many thanks for your reply. 


Unfortunately, on the ASA IKEv1 policy I can't change the hash to SHA256.

 

Also, ISAKMP phase 1 is up:

 

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: X.X.X.X
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 28800
Lifetime Remaining: 24233

 

I can see the IPsec SA, but no packets are being encapsulated and there are no hits on the counter.

 

I have attached the output of "sh crypto ipsec sa". I am not sure what to make of it.

 

Kind Regards,

 

 

Ok, so if Phase 1 has been established, the other side is also using SHA then.

Your NAT rules don't look correct, please provide the output of "show nat detail" and the configuration of the objects used in the NAT rules.

Hi RJI, 

Thanks for replying. 

I saw the error on the NAT too, so I have amended it to the below:

 

nat (Inside1,WAN1) source static DM_INLINE_NETWORK_106 DM_INLINE_NETWORK_106 destination static NSL-IPO-Remote-Network NSL-IPO-Remote-Network no-proxy-arp route-lookup
nat (WAN1,Inside1) source static NSL-IPO-Remote-Network NSL-IPO-Remote-Network destination static DM_INLINE_NETWORK_100 DM_INLINE_NETWORK_100 no-proxy-arp route-lookup

 

**********************************************************************************************************************

Output of "show nat detail":

 

10 (Inside1) to (WAN1) source static DM_INLINE_NETWORK_106 DM_INLINE_NETWORK_106 destination static NSL-IPO-Remote-Network NSL-IPO-Remote-Network no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
Source - Origin: 172.16.63.0/24, 10.172.63.0/24, Translated: 172.16.63.0/24, 10.172.63.0/24
Destination - Origin: 10.200.10.0/24, Translated: 10.200.10.0/24
11 (WAN1) to (Inside1) source static NSL-IPO-Remote-Network NSL-IPO-Remote-Network destination static DM_INLINE_NETWORK_100 DM_INLINE_NETWORK_100 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.200.10.0/24, Translated: 10.200.10.0/24
Destination - Origin: 10.172.63.0/24, 172.16.63.0/24, Translated: 10.172.63.0/24, 172.16.63.0/24

 

Kind Regards,

 

The NAT rule is bi-directional, you don't need another NAT rule from WAN1 to Inside1. Regardless, nothing is matching that first NAT rule... do you have another rule above it that could be matched first? Usually a dynamic NAT rule.

Run packet-tracer twice, upload the output of the second test. Use this example:- "packet-tracer input inside1 tcp 172.16.63.5 8000 10.200.10.5 80"
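The rule shadowing RJI describes above, simulated in Python as an added example that is not part of this thread: an ASA-style top-down first match over a constructed NAT table, using the flow from the suggested packet-tracer command (172.16.63.5 to 10.200.10.5). The table, the "dynamic"/"identity" rule kinds and the `first_match`/`move_to_top` helpers are my own constructions, not ASA output.

```python
"""Added example (not from the original thread): simulate ASA first-match NAT
selection to show why the twice-NAT identity rule for the VPN subnets can sit at
zero hits when a broader dynamic rule is ordered above it. The rule table and
flows below are constructed for illustration; egress interface is not modelled."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass
class NatRule:
    seq: int                    # position in the manual NAT section; lower is checked first
    src_if: str                 # ingress interface the rule applies to
    sources: List[str]          # real source networks (CIDR)
    dests: Optional[List[str]]  # real destination networks; None means "any"
    kind: str                   # "identity" (no translation) or "dynamic" (PAT to interface)


def _matches(ip: str, nets: Optional[List[str]]) -> bool:
    addr = ipaddress.ip_address(ip)
    return nets is None or any(addr in ipaddress.ip_network(n) for n in nets)


def first_match(rules: List[NatRule], src_if: str, src_ip: str, dst_ip: str) -> Optional[NatRule]:
    """Manual NAT rules are evaluated top-down; the first hit wins and evaluation stops."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.src_if == src_if and _matches(src_ip, rule.sources) and _matches(dst_ip, rule.dests):
            return rule
    return None


def move_to_top(rules: List[NatRule], seq: int) -> List[NatRule]:
    """Copy of the table with rule `seq` evaluated first (the fix applied in the thread)."""
    return [replace(r, seq=0) if r.seq == seq else r for r in rules]


# Constructed table: a catch-all dynamic PAT rule (seq 1) shadows the identity rule (seq 10).
RULES = [
    NatRule(1, "Inside1", ["172.16.63.0/24", "10.172.63.0/24"], None, "dynamic"),
    NatRule(10, "Inside1", ["172.16.63.0/24", "10.172.63.0/24"], ["10.200.10.0/24"], "identity"),
]
FIXED = move_to_top(RULES, 10)


def vpn_flow_kind(rules: List[NatRule]) -> str:
    """Kind of rule the thread's packet-tracer flow (172.16.63.5 -> 10.200.10.5) hits."""
    hit = first_match(rules, "Inside1", "172.16.63.5", "10.200.10.5")
    return hit.kind if hit else "none"


if __name__ == "__main__":
    print("before reorder:", vpn_flow_kind(RULES))  # dynamic: VPN traffic gets PATed and misses the crypto ACL
    print("after reorder: ", vpn_flow_kind(FIXED))  # identity: source untranslated, crypto ACL can match
```

Moving the identity rule up does not break ordinary Internet traffic from the same subnets: a flow to a destination outside 10.200.10.0/24 falls through to the dynamic rule as before.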

Hi RJI, 

Yes, there was another rule that was matching first.

I moved the rule above it and it is now working.

 

Many thanks for your help on this, appreciate it.

 

Kind Regards, 

Good to hear it's now working, glad I could help.