IOS vpn endpoint behind ASA 5510

rekdal163
Level 1

Hi,

Trying to TS a VPN device that is behind an ASA.

Basic setup is:

IOS VPN<firewall/nat<internet>ASA/nat>IOS VPN

I do not have a lot of insight into the other side of the connection, although the tech on the other side claims all is good.

So, to the point:

Is the ASA capable of allowing this tunnel to work?

The configs and debug follow.

Thanks in advance for any help or suggestions.

Randy

1.1.1.1 = my public ip

2.2.2.2 = peer public ip

The ASA -

I have a one-to-one NAT on the ASA directing all traffic to the VPN router:

object network MobileBank
 host 10.3.6.5
object network Mobile
 nat (INSIDE,OUTSIDE) static 1.1.1.1

IP inspection is also set for ipsec-pass-through.

All ports are open for the VPN traffic to reach the VPN router. I opened ports to the public address as well as the translated inside address just to be sure, as I am not totally sure what the other end talks to. I also don't think I need AH or GRE, but just to cover all bases while troubleshooting I stuck 'em in there.

access-list 101 extended permit udp any host 10.3.6.5 eq isakmp
access-list 101 extended permit udp any host 10.3.6.5 eq 4500
access-list 101 extended permit esp any host 10.3.6.5
access-list 101 extended permit gre any host 10.3.6.5
access-list 101 extended permit ah any host 10.3.6.5
access-list 101 extended permit esp any host 1.1.1.1
access-list 101 extended permit udp any host 1.1.1.1 eq isakmp
access-list 101 extended permit udp any host 1.1.1.1 eq 4500
access-list 101 extended permit gre any host 1.1.1.1
access-list 101 extended permit ah any host 1.1.1.1

The Router (IOS VPN End Point) -

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key xxxxxxx address 2.2.2.2
!
crypto ipsec transform-set ANB esp-aes 256 esp-sha-hmac
crypto ipsec nat-transparency spi-matching
!
crypto map Fiserv 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set ANB
 match address RM31601A_VPN
!
interface Tunnel0
 ip address 10.185.48.26 255.255.255.252
 ip tcp adjust-mss 1436
 tunnel source Vlan1
 tunnel destination 10.46.70.7
 crypto map CRYPTO
!
interface FastEthernet0
 description -----> asa inside network
 switchport access vlan 1
!
interface Vlan1
 ip address 10.3.6.5 255.255.255.0
 crypto map CRYPTO
!
ip access-list extended RM31601A_VPN
 permit gre host 10.3.6.5 host 10.46.70.7
!
ip route 10.46.0.0 255.255.252.0 10.185.48.25
ip route 10.46.4.0 255.255.252.0 10.185.48.25
ip route 10.46.70.7 255.255.255.255 2.2.2.2
ip route 10.46.226.0 255.255.254.0 10.185.48.25
ip route 10.46.248.0 255.255.254.0 10.185.48.25
ip route 10.69.31.32 255.255.255.248 Null0 ?
ip route 2.2.2.2 255.255.255.255 10.3.6.1

The Debug

Looks like we complete phase 1 but nothing happens after that:

debug crypto isakmp

*Aug  3 14:55:33 CDT: ISAKMP:(0): SA request profile is (NULL)
*Aug  3 14:55:33 CDT: ISAKMP: Created a peer struct for 2.2.2.2, peer port 500
*Aug  3 14:55:33 CDT: ISAKMP: New peer created peer = 0x852404A0 peer_handle = 0x800000BD
*Aug  3 14:55:33 CDT: ISAKMP: Locking peer struct 0x852404A0, refcount 1 for isakmp_initiator
*Aug  3 14:55:33 CDT: ISAKMP: local port 500, remote port 500
*Aug  3 14:55:33 CDT: ISAKMP: set new node 0 to QM_IDLE     
*Aug  3 14:55:33 CDT: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 85766228
*Aug  3 14:55:33 CDT: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Aug  3 14:55:33 CDT: ISAKMP:(0):found peer pre-shared key matching 2.2.2.2
*Aug  3 14:55:33 CDT: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Aug  3 14:55:33 CDT: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Aug  3 14:55:33 CDT: ISAKMP:(0): beginning Main Mode exchange
*Aug  3 14:55:33 CDT: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Aug  3 14:55:33 CDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Aug  3 14:55:34 CDT: ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Aug  3 14:55:34 CDT: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug  3 14:55:34 CDT: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Aug  3 14:55:34 CDT: ISAKMP:(0): processing SA payload. message ID = 0
*Aug  3 14:55:34 CDT: ISAKMP:(0):found peer pre-shared key matching 2.2.2.2
*Aug  3 14:55:34 CDT: ISAKMP:(0): local preshared key found
*Aug  3 14:55:34 CDT: ISAKMP :. Scanning profiles for xauth ...
*Aug  3 14:55:34 CDT: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Aug  3 14:55:34 CDT: ISAKMP:      encryption AES-CBC
*Aug  3 14:55:34 CDT: ISAKMP:      keylength of 256
*Aug  3 14:55:34 CDT: ISAKMP:      hash SHA
*Aug  3 14:55:34 CDT: ISAKMP:      default group 5
*Aug  3 14:55:34 CDT: ISAKMP:      auth pre-share
*Aug  3 14:55:34 CDT: ISAKMP:      life type in seconds
*Aug  3 14:55:34 CDT: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Aug  3 14:55:34 CDT: ISAKMP:(0):atts are acceptable. Next payload is 0
*Aug  3 14:55:34 CDT: ISAKMP:(0):Acceptable atts:actual life: 0
*Aug  3 14:55:34 CDT: ISAKMP:(0):Acceptable atts:life: 0
*Aug  3 14:55:34 CDT: ISAKMP:(0):Fill atts in sa vpi_length:4
*Aug  3 14:55:34 CDT: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Aug  3 14:55:34 CDT: ISAKMP:(0):Returning Actual lifetime: 86400
*Aug  3 14:55:34 CDT: ISAKMP:(0)::Started lifetime timer: 86400.

*Aug  3 14:55:34 CDT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Aug  3 14:55:34 CDT: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Aug  3 14:55:34 CDT: ISAKMP:(0): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Aug  3 14:55:34 CDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Aug  3 14:55:34 CDT: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Aug  3 14:55:34 CDT: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Aug  3 14:55:34 CDT: ISAKMP (0): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Aug  3 14:55:34 CDT: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Aug  3 14:55:34 CDT: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Aug  3 14:55:34 CDT: ISAKMP:(0): processing KE payload. message ID = 0
*Aug  3 14:55:34 CDT: ISAKMP:(0): processing NONCE payload. message ID = 0
*Aug  3 14:55:34 CDT: ISAKMP:(0):found peer pre-shared key matching 2.2.2.2
*Aug  3 14:55:34 CDT: ISAKMP:(2174): processing vendor id payload
*Aug  3 14:55:34 CDT: ISAKMP:(2174): vendor ID is Unity
*Aug  3 14:55:34 CDT: ISAKMP:(2174): processing vendor id payload
*Aug  3 14:55:34 CDT: ISAKMP:(2174): vendor ID is DPD
*Aug  3 14:55:34 CDT: ISAKMP:(2174): processing vendor id payload
*Aug  3 14:55:34 CDT: ISAKMP:(2174): speaking to another IOS box!
*Aug  3 14:55:34 CDT: ISAKMP:(2174):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Aug  3 14:55:34 CDT: ISAKMP:(2174):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Aug  3 14:55:34 CDT: ISAKMP:(2174):Send initial contact
*Aug  3 14:55:34 CDT: ISAKMP:(2174):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Aug  3 14:55:34 CDT: ISAKMP (2174): ID payload
        next-payload : 8
        type         : 1
        address      : 10.3.6.5
        protocol     : 17
        port         : 500
        length       : 12
*Aug  3 14:55:34 CDT: ISAKMP:(2174):Total payload length: 12
*Aug  3 14:55:34 CDT: ISAKMP:(2174): sending packet to 2.2.2.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Aug  3 14:55:34 CDT: ISAKMP:(2174):Sending an IKE IPv4 Packet.
*Aug  3 14:55:34 CDT: ISAKMP:(2174):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Aug  3 14:55:34 CDT: ISAKMP:(2174):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Aug  3 14:55:35 CDT: ISAKMP (2174): received packet from 2.2.2.2 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Aug  3 14:55:35 CDT: ISAKMP:(2174): phase 1 packet is a duplicate of a previous packet.
*Aug  3 14:55:35 CDT: ISAKMP:(2174): retransmitting due to retransmit phase 1
*Aug  3 14:55:35 CDT: ISAKMP:(2174): retransmitting phase 1 MM_KEY_EXCH...
*Aug  3 14:55:35 CDT: ISAKMP:(2174): retransmitting due to retransmit phase 1
*Aug  3 14:55:35 CDT: ISAKMP:(2174): retransmitting phase 1 MM_KEY_EXCH...

Also the following when debug crypto engine is running:

*Aug  3 17:27:25 CDT: select crypto engine: ce_engine[3] does not  accept the capabilities
*Aug  3 17:27:25 CDT: crypto_engine: Create DH shared secret
*Aug  3 17:27:25 CDT: select crypto engine: ce_engine[1] does not  accept the capabilities
*Aug  3 17:27:25 CDT: select crypto engine: ce_engine[3] does not  accept the capabilities
*Aug  3 17:27:25 CDT: crypto_engine: Create IKE SA
*Aug  3 17:27:25 CDT: crypto engine: deleting DH phase 2 SW:186
*Aug  3 17:27:25 CDT: crypto_engine: Delete DH shared secret
*Aug  3 17:27:25 CDT: crypto_engine: Generate IKE hash
*Aug  3 17:27:25 CDT: crypto_engine: Encrypt IKE packet

2 Replies

Collin Clark
VIP Alumni

The fact ISAKMP is partially working shows that the ASA configuration is working (as far as ISAKMP is concerned). You may want to debug IPsec as well to see if it gets that far. Here's a great troubleshooting guide too:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Hope it helps.

Thanks for the link, Collin.

Finally got this on a connection attempt from the other side:

*Aug  4 12:50:05 CDT: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from x.x.x.x failed its sanity check or is malformed

*Aug  4 12:50:06 CDT: IPSEC(sa_request):

So it turns out the other side did not have the crypto isakmp key set to the proper value.

After 2 days of emails, we figured this out after about 10 minutes on the phone.

Thanks
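The "debug crypto isakmp" output in the original post and the %CRYPTO-4-IKMP_BAD_MESSAGE line in the follow-up are the kind of text a troubleshooter reads by hand to work out how far IKEv1 main mode got and which exchange is being retransmitted. The following script is an added example, not code from the thread or from Cisco: it parses the IOS state-transition, retransmit and ID-payload lines, reports the furthest initiator state reached, and flags the pattern seen here (MM5 sent, MM_KEY_EXCH retransmitted, no MM6), which is consistent with the pre-shared key mismatch that turned out to be the cause. The sample input is a constructed, abridged copy of the debug lines from the thread; the state ordering and regexes assume the standard IOS debug wording shown above.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: an abridged copy of the "debug crypto isakmp" output posted in
# the thread, with the %CRYPTO-4-IKMP_BAD_MESSAGE line from the follow-up appended.
SAMPLE_DEBUG = """\
*Aug  3 14:55:33 CDT: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
*Aug  3 14:55:34 CDT: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
*Aug  3 14:55:34 CDT: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
*Aug  3 14:55:34 CDT: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
*Aug  3 14:55:34 CDT: ISAKMP:(2174):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Aug  3 14:55:34 CDT: ISAKMP (2174): ID payload
        next-payload : 8
        type         : 1
        address      : 10.3.6.5
        protocol     : 17
        port         : 500
        length       : 12
*Aug  3 14:55:34 CDT: ISAKMP:(2174):Old State = IKE_I_MM4  New State = IKE_I_MM5
*Aug  3 14:55:35 CDT: ISAKMP:(2174): phase 1 packet is a duplicate of a previous packet.
*Aug  3 14:55:35 CDT: ISAKMP:(2174): retransmitting phase 1 MM_KEY_EXCH...
*Aug  3 14:55:35 CDT: ISAKMP:(2174): retransmitting phase 1 MM_KEY_EXCH...
*Aug  4 12:50:05 CDT: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from x.x.x.x failed its sanity check or is malformed
"""

# "Old State = X  New State = Y" lines drive the IKEv1 state machine.
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
# "retransmitting phase 1 MM_KEY_EXCH..." names the exchange that got no valid reply.
RETRANS_RE = re.compile(r"retransmitting phase 1 (\S+?)\.\.\.")
# The "address : a.b.c.d" line of a dumped ID payload.
ID_ADDR_RE = re.compile(r"^\s*address\s*:\s*(\d+\.\d+\.\d+\.\d+)", re.MULTILINE)
BAD_MSG_RE = re.compile(r"%CRYPTO-4-IKMP_BAD_MESSAGE")

# Initiator main-mode states in the order IOS walks through them.
MM_ORDER = ["IKE_READY", "IKE_I_MM1", "IKE_I_MM2", "IKE_I_MM3",
            "IKE_I_MM4", "IKE_I_MM5", "IKE_I_MM6", "IKE_P1_COMPLETE"]
RANK = {name: i for i, name in enumerate(MM_ORDER)}


def analyze_isakmp_debug(text: str) -> dict:
    """Summarise how far IKE phase 1 got and why it may have stalled."""
    reached = [m.group(2) for m in STATE_RE.finditer(text) if m.group(2) in RANK]
    furthest = max(reached, key=RANK.__getitem__) if reached else None
    retransmits = Counter(RETRANS_RE.findall(text))
    id_addresses = ID_ADDR_RE.findall(text)
    private_id = any(ipaddress.ip_address(a).is_private for a in id_addresses)
    bad_message = bool(BAD_MSG_RE.search(text))
    phase1_complete = furthest == "IKE_P1_COMPLETE"

    findings = []
    if not phase1_complete and retransmits:
        exch, n = retransmits.most_common(1)[0]
        findings.append(f"phase 1 stalled at {furthest}: {n} retransmit(s) of {exch}")
    if furthest == "IKE_I_MM5" and "MM_KEY_EXCH" in retransmits:
        # MM5 carries our ID and HASH, encrypted under keys derived from the PSK. If the
        # peer cannot validate it, message 6 never arrives and MM_KEY_EXCH is resent.
        findings.append("MM5 sent but no valid MM6 received: pre-shared key or peer "
                        "identity not accepted by the far end")
    if bad_message:
        findings.append("IKMP_BAD_MESSAGE logged: a received IKE message failed its "
                        "sanity check, as happens when it is decrypted with a "
                        "mismatched pre-shared key")
    if private_id:
        findings.append(f"ID payload carries private address(es) {id_addresses}: this "
                        "end sits behind NAT, so the peer sees a different source IP")

    return {
        "furthest_state": furthest,
        "phase1_complete": phase1_complete,
        "retransmits": dict(retransmits),
        "id_addresses": id_addresses,
        "private_id": private_id,
        "bad_message": bad_message,
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyze_isakmp_debug(SAMPLE_DEBUG)
    print(f"furthest state: {report['furthest_state']}")
    for line in report["findings"]:
        print(f" - {line}")
```

Run it against a saved debug capture instead of the embedded sample by reading the file into analyze_isakmp_debug(). A run that ends in IKE_P1_COMPLETE with no retransmits produces an empty findings list, which is the point of the check: the thread's "looks like we complete phase 1" reading is not supported when the last state is IKE_I_MM5 and MM_KEY_EXCH keeps being retransmitted.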