06-02-2019 11:55 PM - edited 02-21-2020 09:39 PM
Good Afternoon All,
I'm attempting to establish an IPSEC VTI VPN tunnel connection between a Cisco ASA 5506 F/W and a Cisco c3945 router.
Let me state that I already have numerous successful IPSEC VTI VPN connections on the c3945 to a number of different devices, including Cisco ISR routers and non-Cisco devices (i.e. Sophos UTM) etc. This is the first attempt with a Cisco ASA F/W device.
Summary:
=======
ASA ==========IPSEC VTI VPN============c3945
ASA:   Public IP 10.100.10.1, Tunnel1 192.168.10.14 /30
c3945: Public IP 20.200.20.2, Tunnel2 192.168.10.13 /30
Note: Using IKE v1
Phase 1 completes the ISAKMP negotiation and establishes an SA; however, Phase 2 IPSEC seems unable to "match" the proposed IPSEC Transform-set (TS) and the Phase 2 negotiation fails. I have both googled and searched the CCO Community; although there are a few hits/examples relating to the above symptoms, some are a simple mismatch of the defined IPSEC TS and another indicates that the issue was fixed using certs rather than a pre-shared key.
I have also "heard" on the grapevine that there may be an incompatibility issue (software bug, aka Cisco enhanced feature) when using ASA IPSEC Virtual Tunnel Interfaces (VTIs). Has anyone successfully established an IPSEC VTI VPN (i.e. not the standard site-2-site IPSEC VPN) between an ASA and another Cisco platform (hopefully a c3900 series device)? I'm looking forward to thoughts on this.
I have posted the scrubbed device configs further below, so please no comments about inappropriate IP addressing as they are far removed from the actual IPs etc.
I'm hoping that it may be just a simple configuration error, however please bear in mind the c3945 is running stable but old software and this may be a "known" and fixed issue.
All thoughts welcome.
Thanking you.
Regards,
Drew
The following are debugs from the c3945 side
Phase 1 (ISAKMP) SA is established successfully:
May 31 2019 23:43:15.946 AEST: ISAKMP:(0):Checking ISAKMP transform 1 against priority 7 policy
May 31 2019 23:43:15.946 AEST: ISAKMP: default group 5
May 31 2019 23:43:15.946 AEST: ISAKMP: encryption AES-CBC
May 31 2019 23:43:15.946 AEST: ISAKMP: keylength of 256
May 31 2019 23:43:15.946 AEST: ISAKMP: hash SHA
May 31 2019 23:43:15.946 AEST: ISAKMP: auth pre-share
May 31 2019 23:43:15.946 AEST: ISAKMP: life type in seconds
May 31 2019 23:43:15.946 AEST: ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80
May 31 2019 23:43:15.946 AEST: ISAKMP:(0):atts are acceptable. Next payload is 3
May 31 2019 23:43:15.946 AEST: ISAKMP:(0):Acceptable atts:actual life: 28800
May 31 2019 23:43:15.946 AEST: ISAKMP:(0):Acceptable atts:life: 0
May 31 2019 23:43:15.946 AEST: ISAKMP:(0):Fill atts in sa vpi_length:4
May 31 2019 23:43:15.946 AEST: ISAKMP:(0):Fill atts in sa life_in_seconds:28800
May 31 2019 23:43:15.946 AEST: ISAKMP:(0):Returning Actual lifetime: 28800
May 31 2019 23:43:15.946 AEST: ISAKMP:(0)::Started lifetime timer: 28800.
May 31 2019 23:43:15.948 AEST: ISAKMP:(0): processing vendor id payload
May 31 2019 23:43:15.948 AEST: ISAKMP:(0): processing IKE frag vendor id payload
May 31 2019 23:43:15.948 AEST: ISAKMP:(0):Support for IKE Fragmentation not enabled
May 31 2019 23:43:15.948 AEST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 31 2019 23:43:15.948 AEST: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
May 31 2019 23:43:15.948 AEST: ISAKMP:(0): sending packet to 10.100.10.1 my_port 500 peer_port 500 (R) MM_SA_SETUP
May 31 2019 23:43:15.948 AEST: ISAKMP:(0):Sending an IKE IPv4 Packet.
May 31 2019 23:43:15.948 AEST: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 31 2019 23:43:15.948 AEST: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
May 31 2019 23:43:15.986 AEST: ISAKMP (0): received packet from 10.100.10.1 dport 500 sport 500 Global (R) MM_SA_SETUP
May 31 2019 23:43:15.986 AEST: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
May 31 2019 23:43:15.986 AEST: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
May 31 2019 23:43:15.986 AEST: ISAKMP:(0): processing KE payload. message ID = 0
May 31 2019 23:43:15.986 AEST: ISAKMP:(0): processing NONCE payload. message ID = 0
May 31 2019 23:43:15.986 AEST: ISAKMP:(0):found peer pre-shared key matching 10.100.10.1
May 31 2019 23:43:15.986 AEST: ISAKMP:(14678): processing vendor id payload
May 31 2019 23:43:15.986 AEST: ISAKMP:(14678): vendor ID is Unity
May 31 2019 23:43:15.986 AEST: ISAKMP:(14678): processing vendor id payload
May 31 2019 23:43:15.986 AEST: ISAKMP:(14678): vendor ID seems Unity/DPD but major 167 mismatch
May 31 2019 23:43:15.986 AEST: ISAKMP:(14678): vendor ID is XAUTH
May 31 2019 23:43:15.986 AEST: ISAKMP:(14678): processing vendor id payload
May 31 2019 23:43:15.986 AEST: ISAKMP:(14678): speaking to another IOS box!
May 31 2019 23:43:15.986 AEST: ISAKMP:(14678): processing vendor id payload
May 31 2019 23:43:15.986 AEST: ISAKMP:(14678):vendor ID seems Unity/DPD but hash mismatch
May 31 2019 23:43:15.986 AEST: ISAKMP:(14678):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
May 31 2019 23:43:15.986 AEST: ISAKMP:(14678):Old State = IKE_R_MM3 New State = IKE_R_MM3
May 31 2019 23:43:15.988 AEST: ISAKMP:(14678): sending packet to 10.100.10.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
May 31 2019 23:43:15.988 AEST: ISAKMP:(14678):Sending an IKE IPv4 Packet.
May 31 2019 23:43:15.988 AEST: ISAKMP:(14678):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 31 2019 23:43:15.988 AEST: ISAKMP:(14678):Old State = IKE_R_MM3 New State = IKE_R_MM4
However, Phase 2 IPSEC can't find a "matching" IPSEC TS:
May 31 2019 23:43:16.028 AEST: ISAKMP:(14678): sending packet to 10.100.10.1 my_port 500 peer_port 500 (R) MM_KEY_EXCH
May 31 2019 23:43:16.028 AEST: ISAKMP:(14678):Sending an IKE IPv4 Packet.
May 31 2019 23:43:16.028 AEST: ISAKMP:(14678):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
May 31 2019 23:43:16.028 AEST: ISAKMP:(14678):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
May 31 2019 23:43:16.028 AEST: ISAKMP:(14678):IKE_DPD is enabled, initializing timers
May 31 2019 23:43:16.028 AEST: ISAKMP:(14678):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
May 31 2019 23:43:16.028 AEST: ISAKMP:(14678):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
May 31 2019 23:43:16.066 AEST: ISAKMP (14678): received packet from 10.100.10.1 dport 500 sport 500 Global (R) QM_IDLE
May 31 2019 23:43:16.066 AEST: ISAKMP: set new node -1429091036 to QM_IDLE
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678): processing HASH payload. message ID = 2865876260
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678): processing SA payload. message ID = 2865876260
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678):Checking IPSec proposal 1
May 31 2019 23:43:16.066 AEST: ISAKMP: transform 1, ESP_AES
May 31 2019 23:43:16.066 AEST: ISAKMP: attributes in transform:
May 31 2019 23:43:16.066 AEST: ISAKMP: SA life type in seconds
May 31 2019 23:43:16.066 AEST: ISAKMP: SA life duration (basic) of 28800
May 31 2019 23:43:16.066 AEST: ISAKMP: SA life type in kilobytes
May 31 2019 23:43:16.066 AEST: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
May 31 2019 23:43:16.066 AEST: ISAKMP: encaps is 1 (Tunnel)
May 31 2019 23:43:16.066 AEST: ISAKMP: authenticator is HMAC-SHA
May 31 2019 23:43:16.066 AEST: ISAKMP: key length is 256
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678):atts are acceptable.
May 31 2019 23:43:16.066 AEST: IPSEC(validate_proposal_request): proposal part #1
May 31 2019 23:43:16.066 AEST: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 20.200.20.2:0, remote= 10.100.10.1:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
May 31 2019 23:43:16.066 AEST: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
May 31 2019 23:43:16.066 AEST: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
May 31 2019 23:43:16.066 AEST: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
May 31 2019 23:43:16.066 AEST: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
May 31 2019 23:43:16.066 AEST: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
May 31 2019 23:43:16.066 AEST: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
May 31 2019 23:43:16.066 AEST: IPSEC(ipsec_process_proposal): invalid transform proposal flags -- 0x1
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678): IPSec policy invalidated proposal with error 1024
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678): phase 2 SA policy not acceptable! (local 20.200.20.1 remote 10.100.10.1)
May 31 2019 23:43:16.066 AEST: ISAKMP: set new node 24155184 to QM_IDLE
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 636948416, message ID = 24155184
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678): sending packet to 10.100.10.1 my_port 500 peer_port 500 (R) QM_IDLE
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678):Sending an IKE IPv4 Packet.
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678):purging node 24155184
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678):deleting node -1429091036 error TRUE reason "QM rejected"
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678):Node 2865876260, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678):Old State = IKE_QM_READY New State = IKE_QM_READY
#### Device Configs ####
ASA 5500 IPSEC VTI VPN Snippets:
===============================
!
### ASA S/ware version ###
!
Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
!
### IPSEC Interfaces ###
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 10.100.10.1 255.255.255.0
!
interface Tunnel1
nameif VRTI
ip address 192.168.10.14 255.255.255.252
tunnel source interface outside
tunnel destination 20.200.20.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile ABC1
!
### Phase 1 ISAKMP (IKEv1) Parameters ###
!
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
!
tunnel-group 20.200.20.2 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate nocheck
isakmp keepalive disable
!
### Phase 2 IPSEC (IKEv1) Parameters ###
!
crypto ipsec ikev1 transform-set ABC1 esp-aes-256 esp-sha-hmac
crypto ipsec profile ABC1
set ikev1 transform-set ABC1
set pfs group14
set security-association lifetime seconds 28800
!
group-policy ABC-Tunnel internal
group-policy ABC-Tunnel attributes
vpn-idle-timeout none
vpn-filter none
vpn-tunnel-protocol ikev1
!
### ACLs etc ###
!
object network ABC_Services
subnet 109.10.180.0 255.255.255.0
object network ABC_remote
subnet 192.168.10.14 255.255.255.255
!
access-list outsite_to_CDE extended permit ip object ABC_remote object ABC_Services
!
crypto map static-map 2 match address outsite_to_CDE
crypto map static-map 2 set pfs
crypto map static-map 2 set peer 192.168.10.13
crypto map static-map 2 set ikev1 transform-set ABC1
crypto map static-map 2 set nat-t-disable
!
=====================================================
!
### IOS Software Version ###
!
Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M), Version 15.4(3)M3, RELEASE SOFTWARE (fc2)
!
### IPSEC Interfaces ###
!
interface Loopback10
description IP Public
ip address 20.200.20.2 255.255.255.255
!
!
interface Tunnel2
description IPSEC VTI VPN Tunnel
ip address 192.168.10.13 255.255.255.252
ip access-group TS_VPN in
ip mtu 1400
ip tcp adjust-mss 1360
load-interval 30
tunnel source Loopback10
tunnel mode ipsec ipv4
tunnel destination 10.100.10.1
tunnel protection ipsec profile TS_VPN
!
### Phase 1 ISAKMP (IKEv1) Parameters ###
!
crypto isakmp policy 7
encr aes 256
authentication pre-share
group 5
lifetime 28800
!
crypto isakmp key 6 <removed> address 10.100.10.1
!
### Phase 2 IPSEC (IKEv1) Parameters ###
!
crypto ipsec transform-set TS-SHA esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile TS_VPN
set transform-set TS-SHA
set pfs group14
!
ip access-list extended TS_VPN
permit icmp host 192.168.10.14 host 192.168.10.13
permit ip any any log
deny ip any any log
!
06-03-2019 01:00 AM
Adding:
ASA Debug /Log Messages:
======================
ASA> en
Password:
ASA# terminal pager 0
ASA# show logging asdm
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 5
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 5
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 1
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
5|May 31 2019 17:32:46|713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
6|May 31 2019 17:32:46|113009: AAA retrieved default group policy (ABC-Tunnel) for user = 20.200.20.2
5|May 31 2019 17:32:46|713119: Group = 20.200.20.2, IP = 20.200.20.2, PHASE 1 COMPLETED
5|May 31 2019 17:32:46|713904: Group = 20.200.20.2, IP = 20.200.20.2, All IPSec SA proposals found unacceptable!
3|May 31 2019 17:32:46|713902: Group = 20.200.20.2, IP = 20.200.20.2, QM FSM error (P2 struct &0x00007f833567d400, mess id 0xd9e9e85e)!
3|May 31 2019 17:32:46|713902: Group = 20.200.20.2, IP = 20.200.20.2, Removing peer from correlator table failed, no match!
6|May 31 2019 17:32:46|713905: Group = 20.200.20.2, IP = 20.200.20.2, Warning: Ignoring IKE SA (src) without VM bit set
5|May 31 2019 17:32:46|713259: Group = 20.200.20.2, IP = 20.200.20.2, Session is being torn down. Reason: Phase 2 Mismatch
4|May 31 2019 17:32:46|113019: Group = 20.200.20.2, Username = 20.200.20.2, IP = 20.200.20.2, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5|May 31 2019 17:32:46|713904: IP = 20.200.20.2, Received encrypted packet with no matching SA, dropping
3|May 31 2019 17:32:55|610001: NTP daemon interface inside_7: Packet denied from 192.x.x.x
5|May 31 2019 17:33:05|502103: User priv level changed: Uname: enable_15 From: 1 To: 15
5|May 31 2019 17:33:05|111008: User 'enable_1' executed the 'enable' command.
5|May 31 2019 17:33:06|752004: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = __vti-crypto-map-6-0-1. Map Sequence Number = 65280.
4|May 31 2019 17:33:06|752010: IKEv2 Doesn't have a proposal specified
5|May 31 2019 17:33:06|713041: IP = 20.200.20.2, IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer 20.200.20.2 local Proxy Address 0.0.0.0, remote Proxy Address 0.0.0.0, Crypto map (__vti-crypto-map-6-0-1)
6|May 31 2019 17:33:06|113009: AAA retrieved default group policy (ABC-Tunnel) for user = 20.200.20.2
5|May 31 2019 17:33:06|713119: Group = 20.200.20.2, IP = 20.200.20.2, PHASE 1 COMPLETED
5|May 31 2019 17:33:06|713068: Group = 20.200.20.2, IP = 20.200.20.2, Received non-routine Notify message: No proposal chosen (14)
5|May 31 2019 17:33:10|111008: User 'enable_15' executed the 'terminal pager 0' command.
5|May 31 2019 17:33:10|111010: User 'enable_15', running 'CLI' from IP 0.0.0.0, executed 'terminal pager 0'
5|May 31 2019 17:33:16|713904: Group = 20.200.20.2, IP = 20.200.20.2, All IPSec SA proposals found unacceptable!
3|May 31 2019 17:33:16|713902: Group = 20.200.20.2, IP = 20.200.20.2, QM FSM error (P2 struct &0x00007f83356ba900, mess id 0x224b8d6b)!
3|May 31 2019 17:33:16|713902: Group = 20.200.20.2, IP = 20.200.20.2, Removing peer from correlator table failed, no match!
5|May 31 2019 17:33:26|713904: Group = 20.200.20.2, IP = 20.200.20.2, All IPSec SA proposals found unacceptable!
ASA#
06-03-2019 01:03 AM
Hi,
You don't need to define a VTI and a Crypto Map on either device, you just need to define the VTI with a static route to the destination via the tunnel interface. Example here.
HTH
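An added triage script (not from the thread or either poster) for the two points above: it parses the c3945 quick-mode debug from the original post, decoding the VPI lifetime hex octets, and reports whether the peer's attributes were rejected (a true transform-set mismatch) or, as here, accepted and then failed at the crypto-map/policy lookup; a second helper flags an ASA config that defines a crypto map next to a VTI, which the accepted answer says is unnecessary. Both samples are constructed, trimmed copies of the page's own output.

```python
import re

# Constructed sample: a trimmed copy of the c3945 "debug crypto isakmp/ipsec"
# output from the thread (IOS is the IKEv1 responder, quick mode).
SAMPLE_DEBUG = """\
May 31 2019 23:43:16.028 AEST: ISAKMP:(14678):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
May 31 2019 23:43:16.066 AEST: ISAKMP: transform 1, ESP_AES
May 31 2019 23:43:16.066 AEST: ISAKMP: SA life type in seconds
May 31 2019 23:43:16.066 AEST: ISAKMP: SA life duration (basic) of 28800
May 31 2019 23:43:16.066 AEST: ISAKMP: SA life type in kilobytes
May 31 2019 23:43:16.066 AEST: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
May 31 2019 23:43:16.066 AEST: ISAKMP: authenticator is HMAC-SHA
May 31 2019 23:43:16.066 AEST: ISAKMP: key length is 256
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678):atts are acceptable.
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
May 31 2019 23:43:16.066 AEST: map_db_find_best did not find matching map
May 31 2019 23:43:16.066 AEST: IPSEC(ipsec_process_proposal): invalid transform proposal flags -- 0x1
May 31 2019 23:43:16.066 AEST: ISAKMP:(14678):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

# Constructed sample: the ASA snippet from the thread, cut down to what the lint reads.
SAMPLE_ASA_CONFIG = """\
interface Tunnel1
 nameif VRTI
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ABC1
crypto map static-map 2 match address outsite_to_CDE
crypto map static-map 2 set peer 192.168.10.13
"""


def decode_vpi(hex_octets):
    """Big-endian hex octets of a variable-length ISAKMP attribute -> int,
    e.g. '0x0 0x46 0x50 0x0' -> 4608000 (the IOS default kilobyte lifetime)."""
    return int.from_bytes(bytes(int(o, 16) for o in hex_octets.split()), "big")


def parse_quick_mode(debug_text):
    """Pull the peer's phase 2 proposal and the responder's verdict out of the debug."""
    p = {"p1_complete": False, "transform": None, "key_length": None, "auth": None,
         "life_seconds": None, "life_kb": None, "local_proxy": None, "remote_proxy": None,
         "atts_acceptable": False, "map_lookup_failed": False, "invalid_flags": None,
         "notify": None}
    unit = None  # "SA life type in ..." announces the unit of the next duration line
    for line in debug_text.splitlines():
        if "New State = IKE_P1_COMPLETE" in line:
            p["p1_complete"] = True
        elif m := re.search(r"transform \d+, (\S+)", line):
            p["transform"] = m.group(1)
        elif m := re.search(r"SA life type in (\w+)", line):
            unit = m.group(1)
        elif m := re.search(r"SA life duration \((basic|VPI)\) of (.+)$", line):
            value = int(m.group(2)) if m.group(1) == "basic" else decode_vpi(m.group(2))
            p["life_seconds" if unit == "seconds" else "life_kb"] = value
        elif m := re.search(r"authenticator is (\S+)", line):
            p["auth"] = m.group(1)
        elif m := re.search(r"key length is (\d+)", line):
            p["key_length"] = int(m.group(1))
        elif "atts are acceptable" in line:
            p["atts_acceptable"] = True
        elif m := re.search(r"(local|remote)_proxy= (\S+?),", line):
            p[m.group(1) + "_proxy"] = m.group(2)   # 0.0.0.0/0 both ways = VTI any/any
        elif "did not find matching map" in line:
            p["map_lookup_failed"] = True
        elif m := re.search(r"invalid transform proposal flags -- (0x[0-9a-f]+)", line):
            p["invalid_flags"] = m.group(1)
        elif m := re.search(r"Sending NOTIFY (\w+)", line):
            p["notify"] = m.group(1)
    return p


def diagnose(p):
    """Separate a real transform-set mismatch (attributes rejected) from the case in
    the thread, where the attributes are accepted and the map/policy lookup fails."""
    if not p["p1_complete"]:
        return "PHASE1_INCOMPLETE"
    if not p["atts_acceptable"]:
        return "TRANSFORM_SET_MISMATCH"
    if p["map_lookup_failed"] or p["invalid_flags"]:
        return "POLICY_SELECTION_FAILURE"
    return "REJECTED_" + p["notify"] if p["notify"] else "QUICK_MODE_OK"


def vti_with_crypto_map(asa_config):
    """Names of crypto maps configured alongside a VTI ("tunnel mode ipsec ipv4");
    per the accepted answer the VTI plus a static route is sufficient on its own."""
    lines = [l.strip() for l in asa_config.splitlines()]
    if "tunnel mode ipsec ipv4" not in lines:
        return []
    maps = set()
    for line in lines:
        m = re.match(r"crypto map (\S+) \d+ ", line)
        if m:
            maps.add(m.group(1))
    return sorted(maps)
```

Run against the sample, `diagnose` returns POLICY_SELECTION_FAILURE while the decoded proposal (esp-aes 256 / HMAC-SHA / 28800 s / 4608000 KB) matches the IOS transform set, which is why a transform-set comparison alone does not explain the failure.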
06-03-2019 01:20 AM
Hi HTH,
Firstly thank you for your reply and excellent example!
OK, so I will re-configure for IKEv2 rather than IKEv1 and retest /advise.
From my limited understanding, "crypto profiles" replaced "crypto maps" from a configuration perspective, but IOS still creates them:
#sh crypto map
Crypto Map IPv4 "Tunnel2-head-0" 63344 ipsec-isakmp
Profile name: TS_VPN
Security association lifetime: 4608000 kilobytes/28800 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group14
Mixed-mode : Disabled
Transform sets={
TS-SHA: { esp-256-aes esp-sha-hmac } ,
}
Crypto Map IPv4 "Tunnel2-head-0" 63344 ipsec-isakmp
Map is a PROFILE INSTANCE.
Peer = 10.100.10.1
Extended IP access list
access-list permit ip any any
Current peer: 10.100.10.1
Security association lifetime: 4608000 kilobytes/28800 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group14
Mixed-mode : Disabled
Transform sets={
TS-SHA: { esp-256-aes esp-sha-hmac } ,
}
Always create SAs
Interfaces using crypto map Tunnel2-head-0:
Tunnel2
Thanking you
Regards
Drew
06-05-2019 05:38 AM
Yes that definitely worked with IKEv2 as per the configuration example - thank you very much!
Would you have another example showing how to source NAT on the ASA using the ASA VTI endpoint IP as the NAT source IP?
i.e. all traffic traversing the IPSEC tunnel to the IOS router would have a source IP of the ASA tunnel side
Thanking you in advance
Kind Regards,
Drew
06-05-2019 01:06 PM
Hi,
I don't believe you can use the VTI IP address as the source of the NAT, it doesn't appear to allow it. You can NAT over a VTI though, you just need to define an object and create a NAT rule. E.g:-
object network LOCAL_NETWORK
subnet 10.30.0.0 255.255.252.0
object network NAT_OBJECT
host 192.168.10.15
nat (INSIDE,any) source dynamic LOCAL_NETWORK NAT_OBJECT destination static REMOTE_NET REMOTE_NET
When creating the NAT rule it doesn't allow you to specify the nameif of the VTI, hence why you need to define "any", which is why you cannot NAT behind the interface. This is using ASA v9.9(1)
HTH
06-13-2019 12:12 AM
Hi,
Yep that works for ASA NAT functionality - thank you once again.
Cheers
Drew