04-26-2013 09:13 AM - edited 02-21-2020 06:51 PM
I am trying to create a site-to-site L2L VPN. Phase 1 completes fine, but when validating the proxy-ID in Phase 2, the ID is not being set correctly.
Here is the config:
access-list ssatunnel extended permit ip 10.1.10.0 255.255.255.0 x.x.x.32 255.255.255.224
crypto ipsec security-association lifetime seconds 3600
crypto map ssa 1 match address ssatunnel
crypto map ssa 1 set pfs
crypto map ssa 1 set connection-type originate-only
crypto map ssa 1 set peer peerip
crypto map ssa 1 set ikev1 transform-set ssa
crypto map ssa 1 set security-association lifetime seconds 3600
crypto map ssa interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
tunnel-group peerip type ipsec-l2l
tunnel-group peerip ipsec-attributes
ikev1 pre-shared-key *****
It keeps using the peer IP and my public IP for the proxy-ID. This fails the check on the remote side, so Phase 2 fails.
Is there something I am missing?
Labels: IPSEC
Accepted Solutions
04-26-2013 11:02 AM
Hello,
Can you remove crypto map ssa 1 set connection-type originate-only?
It's supposed to work only with an ASA peer configured as receive-only or bidirectional.
Cheers
04-26-2013 11:06 AM
When I do that, it does not seem to initiate the connection. The other side is a Juniper, and it is not set to initiate the connection.
04-26-2013 11:11 AM
Hello,
As long as the interesting traffic reaches the ASA, it will start. Are you sure the traffic is routed to your ASA?
It will never work with initiate-only with Juniper.
Cheers,
04-26-2013 11:22 AM
Nirav,
Can you confirm the settings on the Juniper match PFS with group 2 as well as the crypto access list?
You need to take debug level 255 to see what the Juniper is presenting for the Phase 2 cookies.
Take debug crypto isakmp 255 & debug crypto ipsec 255.
Can you also confirm on the Juniper that they have configured address as the ID and not hostname? Cisco uses the IP address to negotiate the tunnel.
The crypto map ssa 1 set connection-type originate-only command is to be used in a scenario where you want to force the ASA to initiate only. I would doubt that should be a problem.
Hope that helps
Varinder
04-26-2013 11:29 AM
This is the error message from the Juniper:
2013-04-25 11:15:43 | info | IKE 192.168.2.221 Phase 2 msg ID 67bd2a80: Negotiations have failed. |
2013-04-25 11:15:43 | info | Rejected an IKE packet on ethernet1/3 from 192.168.2.221:500 to 10.10.10.18:500 with cookies e2bea3abcac4b367 and 5b81debf2f1f2970 because The peer sent a proxy ID that did not match the one in the SA config. |
2013-04-25 11:15:43 | info | IKE 192.168.2.221 Phase 2: No policy exists for the proxy ID received: local ID (10.10.10.18/255.255.255.255, 0, 0) remote ID (192.168.2.221/255.255.255.255, 0, 0). |
2013-04-25 11:15:43 | info | IKE 192.168.2.221 Phase 2 msg ID 67bd2a80: Responded to the peer's first message. |
2013-04-25 11:15:43 | info | IKE 192.168.2.221 Phase 1: Completed Main mode negotiations with a 28800-second lifetime. |
04-26-2013 11:38 AM
Yep, expected with initiate-only: we negotiate proxy-IDs for the peer public IPs in order to secure some messages between the two ASAs.
From the command reference guide:
http://www.cisco.com/en/US/docs/security/asa/asa91/command/reference/c8.html#wp2477607
The crypto map set connection-type command specifies the connection types for the backup LAN-to-LAN feature. It allows multiple backup peers to be specified at one end of the connection.
This feature works only between the following platforms:
• Two Cisco ASA 5500 series
• A Cisco ASA 5500 series and a Cisco VPN 3000 concentrator
• A Cisco ASA 5500 series and a security appliance running Cisco PIX security appliance software Version 7.0, or higher
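The mismatch described in this thread is visible in the Juniper log alone: the received proxy IDs are the two peers' own /32 addresses instead of the subnets from the ASA crypto ACL. The following check is an added example written for this page, not code from the thread or from Cisco/Juniper. It parses the ScreenOS "No policy exists for the proxy ID received" event in the format shown above, parses the single permit-ip entry of the ASA crypto ACL, and reports whether the proposal mirrors the ACL, shows the host-to-host peer-address selector that points at connection-type originate-only, or is some other mismatch. Assumptions: the Juniper is a policy-based responder that needs an exact mirror of the ACL (its local selector is the ASA's remote selector and vice versa), the ACL has one line, and the sample ACL below is constructed, with the thread's redacted x.x.x.32/27 replaced by the documentation prefix 192.0.2.32/27; the rejected log line is copied from the thread, and the mirrored one is constructed in the same format only to show what a correct proposal looks like.

```python
"""Added example: check a Juniper (ScreenOS) proxy-ID rejection against the ASA crypto ACL."""
import ipaddress
import re

# Matches the selectors in the ScreenOS event
# "No policy exists for the proxy ID received: local ID (ip/mask, proto, port) remote ID (ip/mask, proto, port)".
PROXY_ID_RE = re.compile(
    r"local ID \((?P<l_ip>[\d.]+)/(?P<l_mask>[\d.]+), (?P<l_proto>\d+), (?P<l_port>\d+)\)"
    r" remote ID \((?P<r_ip>[\d.]+)/(?P<r_mask>[\d.]+), (?P<r_proto>\d+), (?P<r_port>\d+)\)"
)

# Matches one "access-list <name> extended permit ip <src> <mask> <dst> <mask>" crypto ACL entry.
ACL_RE = re.compile(
    r"access-list \S+ extended permit ip "
    r"(?P<src>[\d.]+) (?P<src_mask>[\d.]+) (?P<dst>[\d.]+) (?P<dst_mask>[\d.]+)"
)

# Sample ACL (constructed): the thread's x.x.x.32 255.255.255.224 is replaced by 192.0.2.32/27.
ACL_LINE = "access-list ssatunnel extended permit ip 10.1.10.0 255.255.255.0 192.0.2.32 255.255.255.224"

# Copied from the thread: the rejection logged while originate-only was configured.
LOG_REJECTED = (
    "2013-04-25 11:15:43 | info | IKE 192.168.2.221 Phase 2: No policy exists for the proxy ID "
    "received: local ID (10.10.10.18/255.255.255.255, 0, 0) remote ID (192.168.2.221/255.255.255.255, 0, 0). |"
)

# Constructed in the same format: what a proposal that mirrors ACL_LINE looks like from the Juniper side.
LOG_MIRRORED = (
    "2013-04-25 11:20:01 | info | IKE 192.168.2.221 Phase 2: No policy exists for the proxy ID "
    "received: local ID (192.0.2.32/255.255.255.224, 0, 0) remote ID (10.1.10.0/255.255.255.0, 0, 0). |"
)


def parse_asa_acl(line):
    """Return (local_net, remote_net) from an ASA crypto ACL permit-ip entry."""
    m = ACL_RE.search(line)
    if m is None:
        raise ValueError(f"not a permit-ip crypto ACL entry: {line!r}")
    # ipaddress accepts dotted netmasks, so the ASA "net mask" form needs no conversion.
    return (ipaddress.ip_network(f"{m['src']}/{m['src_mask']}"),
            ipaddress.ip_network(f"{m['dst']}/{m['dst_mask']}"))


def parse_juniper_proxy_id(line):
    """Return (local_net, remote_net, proto, port) as the Juniper logged them (its own point of view)."""
    m = PROXY_ID_RE.search(line)
    if m is None:
        raise ValueError(f"no proxy-ID selectors found in: {line!r}")
    return (ipaddress.ip_network(f"{m['l_ip']}/{m['l_mask']}"),
            ipaddress.ip_network(f"{m['r_ip']}/{m['r_mask']}"),
            int(m["l_proto"]), int(m["l_port"]))


def diagnose_proxy_id(acl_line, juniper_log_line, asa_public_ip, juniper_public_ip):
    """Classify a rejected proxy ID: 'match', 'originate-only-proxy-id' or 'mismatch'."""
    asa_local, asa_remote = parse_asa_acl(acl_line)
    jun_local, jun_remote, proto, port = parse_juniper_proxy_id(juniper_log_line)
    # The Juniper's "remote ID" is the selector the ASA proposed as its own local side,
    # so a correct proposal mirrors the ACL: (jun_remote, jun_local) == (asa_local, asa_remote).
    # "permit ip" carries no protocol or port, so the logged proto/port must both be 0.
    if jun_remote == asa_local and jun_local == asa_remote and proto == 0 and port == 0:
        return "match"
    # Symptom from the thread: both selectors are the peers' own /32 public addresses,
    # which is what the ASA sends for the backup-L2L feature enabled by "set connection-type originate-only".
    if (jun_remote == ipaddress.ip_network(f"{asa_public_ip}/32")
            and jun_local == ipaddress.ip_network(f"{juniper_public_ip}/32")):
        return "originate-only-proxy-id"
    return "mismatch"


if __name__ == "__main__":
    for name, log in (("rejected", LOG_REJECTED), ("mirrored", LOG_MIRRORED)):
        print(name, "->", diagnose_proxy_id(ACL_LINE, log, "192.168.2.221", "10.10.10.18"))
```

Running the block with the thread's log line yields originate-only-proxy-id, which is exactly the condition olpeleri describes; the constructed mirrored line yields match. Anything else comes back as mismatch, which usually means the two crypto ACLs (ASA) and proxy-id/policy addresses (Juniper) are not exact mirrors of each other.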
04-26-2013 11:46 AM
This is quite strange: the Juniper is seeing the proxy ID as
received: local ID (10.10.10.18/255.255.255.255, 0, 0) remote ID (192.168.2.221/255.255.255.255, 0, 0)
but you have configured
10.1.10.0 255.255.255.0 x.x.x.32 255.255.255.224 on the ASA.
Though 192.168.2.221 does not come in the range 192.168.2.32/27. Can you match the crypto access list on both ends?
Also, what do you see in the debugs on the ASA?
Varinder
04-26-2013 12:00 PM
Sorry, I didn't clean up the IPs correctly before posting.
I got it to work, thanks olpeleri. Taking out the originate-only option and trying to send traffic to the server started the VPN, and it all worked.
Thanks for all the help.
Nirav
