Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
705
Views
5
Helpful
2
Replies

Issue with phase 1 VPN tunnel from Cisco ASA to D-link

Go to solution
Gallain
Level 1
Level 1

‎03-01-2021 10:28 PM

Hello,

 

I'm looking for help in creating an ipsec between a dlink dwr-925 and a cisco ASA.

 

On the dlink I've had to tick the box to set the IKE and IPSEC proposal as it kept sending the wrong DH group no matter what i had configured on the dlink.

 

Below is the output of when i unticked the set proposal

 

Mar 02 15:38:26 [IKEv1]IKE Receiver: Packet received on 43.255.33.138:500 from 161.43.198.111:500
Mar 02 15:38:26 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Mar 02 15:38:26 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Mar 02 15:38:26 [IKEv1]Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2

 

So once i made the dlink set the proposals it got past that bit, but now it says there is no matching crypto map.

 

Cisco ASA config below:

 

object network 192.168.70.0-24
subnet 192.168.70.0 255.255.255.0


object network 192.168.100.0-24
subnet 192.168.100.0 255.255.255.0

 

crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

 

tunnel-group (PEER IP) type ipsec-l2l
tunnel-group (PEER IP) ipsec-attributes
ikev1 pre-shared-key *****

 

crypto map 4G 10 match address 100
crypto map 4G 10 set peer (PEER IP)
crypto map 4G 10 set ikev1 transform-set 4G
crypto map 4G interface outside

 

crypto ipsec ikev1 transform-set 4G esp-3des esp-md5-hmac

 

nat (inside,outside) source static 192.168.70.0-24 192.168.70.0-24 destination static 192.168.100.0-24 192.168.100.0-24 no-proxy-arp route-lookup

 

access-list 100 extended permit ip object 192.168.70.0-24 object 192.168.100.0-24

 

access-list OUTSIDE-IN extended permit icmp any any time-exceeded
access-list OUTSIDE-IN extended permit icmp any any unreachable
access-list OUTSIDE-IN extended permit tcp any any eq https
access-list OUTSIDE-IN extended permit tcp any any eq www
access-list OUTSIDE-IN extended permit tcp any any eq pop3
access-list OUTSIDE-IN extended permit tcp any any eq pptp
access-list OUTSIDE-IN extended permit tcp any any eq ssh
access-list OUTSIDE-IN extended permit udp any any eq isakmp
access-list OUTSIDE-IN extended permit udp any any eq 4500
access-list OUTSIDE-IN extended permit ip host (PEER IP) any
access-list OUTSIDE-IN extended permit esp host (PEER IP) any
access-list OUTSIDE-IN extended permit udp host (PEER IP) any eq isakmp

 

 

I've attached a screenshot of the VPN config on the dlink and also attached the readout of a debug crypto ikev1 5.

 

Also here are the readouts of show crypto isakmp sa. It appears briefly before the phase 1 is torn down.

 

ACAHealth-COLO-FW01# show crypto isakmp sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 161.43.198.111
Type : user Role : responder
Rekey : no State : MM_WAIT_MSG3

 

Any help is appreciated.

Labels:
Preview file
106 KB
Preview file
7 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎03-02-2021 01:04 AM

Hi @Gallain 

IKEv1]Group = (PEER IP), IP = (PEER IP), Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.100.0/255.255.255.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside

The dlink is configured with a remote network of 0.0.0.0/0.0.0.0 which is obseved in the output above, not the remote network/netmask of the ASA local network (192.168.70.0-24) configured on the dlink. Change this and try again, post the output of the ASA debugs if still not working.

 

FYI, You are also using the weakest algorithms, consider using AES, SHA and DH group 14,19,20, 21 or the highest supported. Later versions of ASA have or will depcreciate DH group 2.

View solution in original post

2 Replies 2

Go to solution
Rob Ingram
VIP
VIP

‎03-02-2021 01:04 AM

Hi @Gallain 

IKEv1]Group = (PEER IP), IP = (PEER IP), Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.100.0/255.255.255.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside

The dlink is configured with a remote network of 0.0.0.0/0.0.0.0 which is obseved in the output above, not the remote network/netmask of the ASA local network (192.168.70.0-24) configured on the dlink. Change this and try again, post the output of the ASA debugs if still not working.

 

FYI, You are also using the weakest algorithms, consider using AES, SHA and DH group 14,19,20, 21 or the highest supported. Later versions of ASA have or will depcreciate DH group 2.

Go to solution
Gallain
Level 1
Level 1
In response to Rob Ingram

‎03-02-2021 07:46 PM

Thanks will do.

 

I'll also start to use stronger algorithms where i can. 

0 Helpful
Customers Also Viewed These Support Documents