11-20-2009 01:20 AM
Hi,
I'm unable to bring up the tunnel between these two devices. The remote is an ASA, the local a Cisco 3745 (c3745-ik9o3s-mz.122-13.T4.bin).
The configuration in the 3745 is the following:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key password address asa_external_ip
crypto ipsec transform-set TEST esp-3des esp-sha-hmac
crypto map map1 73 ipsec-isakmp
set peer asa_external_ip
set transform-set TEST
set pfs group2
match address ACL_NAT
ip access-list extended ACL_NAT
permit ip host 10.40.0.1 host 10.50.0.1
permit ip host 10.50.0.1 host 10.40.0.1
ip nat inside source static 172.16.1.1 10.40.0.1
ip nat outside source static 10.50.0.1 192.168.1.1
and the log message:
1418028: Nov 20 10:13:12: ISAKMP (0:2615): Old State = IKE_READY New State = IKE_R_MM1
1418029: Nov 20 10:13:12: ISAKMP (0:2615): processing SA payload. message ID = 0
1418030: Nov 20 10:13:12: ISAKMP (0:2615): processing vendor id payload
1418031: Nov 20 10:13:12: ISAKMP (0:2615): vendor ID seems Unity/DPD but bad major
1418032: Nov 20 10:13:12: ISAKMP (0:2615): vendor ID is NAT-T
1418033: Nov 20 10:13:12: ISAKMP (0:2615): processing vendor id payload
1418034: Nov 20 10:13:12: ISAKMP (0:2615): vendor ID seems Unity/DPD but bad major
1418035: Nov 20 10:13:12: ISAKMP (0:2615): vendor ID is NAT-T
1418036: Nov 20 10:13:12: ISAKMP (0:2615): processing vendor id payload
1418037: Nov 20 10:13:12: ISAKMP (0:2615): vendor ID seems Unity/DPD but bad major
1418038: Nov 20 10:13:12: ISAKMP (0:2615): found peer pre-shared key matching asa_external_ip
1418039: Nov 20 10:13:12: ISAKMP (0:2615) local preshared key found
1418040: Nov 20 10:13:12: ISAKMP (0:2615): Checking ISAKMP transform 1 against priority 1 policy
1418041: Nov 20 10:13:12: ISAKMP: default group 2
1418042: Nov 20 10:13:12: ISAKMP: encryption 3DES-CBC
1418043: Nov 20 10:13:12: ISAKMP: hash SHA
1418044: Nov 20 10:13:12: ISAKMP: auth pre-share
1418045: Nov 20 10:13:12: ISAKMP: life type in seconds
1418046: Nov 20 10:13:12: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
1418047: Nov 20 10:13:12: ISAKMP (0:2615): atts are acceptable. Next payload is 3
1418048: Nov 20 10:13:12: ISAKMP (0:2615): processing vendor id payload
1418049: Nov 20 10:13:12: ISAKMP (0:2615): vendor ID seems Unity/DPD but bad major
1418050: Nov 20 10:13:12: ISAKMP (0:2615): vendor ID is NAT-T
1418051: Nov 20 10:13:12: ISAKMP (0:2615): processing vendor id payload
1418052: Nov 20 10:13:12: ISAKMP (0:2615): vendor ID seems Unity/DPD but bad major
1418053: Nov 20 10:13:12: ISAKMP (0:2615): vendor ID is NAT-T
1418054: Nov 20 10:13:12: ISAKMP (0:2615): processing vendor id payload
1418055: Nov 20 10:13:12: ISAKMP (0:2615): vendor ID seems Unity/DPD but bad major
1418056: Nov 20 10:13:12: ISAKMP (0:2615): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
1418057: Nov 20 10:13:12: ISAKMP (0:2615): Old State = IKE_R_MM1 New State = IKE_R_MM1
1418058: Nov 20 10:13:12: ISAKMP (0:2609): retransmitting phase 1 MM_SA_SETUP...
1418059: Nov 20 10:13:12: ISAKMP (0:2609): incrementing error counter on sa: retransmit phase 1
1418060: Nov 20 10:13:12: ISAKMP (0:2609): retransmitting phase 1 MM_SA_SETUP
1418061: Nov 20 10:13:12: ISAKMP (0:2609): sending packet to asa_external_ip my_port 500 peer_port 500 (R) MM_SA_SETUP
1418062: Nov 20 10:13:12: ISAKMP (0:2615): constructed NAT-T vendor-03 ID
1418063: Nov 20 10:13:12: ISAKMP (0:2615): sending packet to asa_external_ip my_port 500 peer_port 500 (R) MM_SA_SETUP
1418064: Nov 20 10:13:12: ISAKMP (0:2615): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
1418065: Nov 20 10:13:12: ISAKMP (0:2615): Old State = IKE_R_MM1 New State = IKE_R_MM2
1418066: Nov 20 10:13:12: ISAKMP: received ke message (1/1)
1418067: Nov 20 10:13:12: ISAKMP: local port 500, remote port 500
1418068: Nov 20 10:13:12: ISAKMP: set new node 0 to QM_IDLE
1418069: Nov 20 10:13:12: ISAKMP (0:2616): constructed NAT-T vendor-03 ID
1418070: Nov 20 10:13:12: ISAKMP (0:2616): constructed NAT-T vendor-02 ID
1418071: Nov 20 10:13:12: ISAKMP (0:2616): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
1418072: Nov 20 10:13:12: ISAKMP (0:2616): Old State = IKE_READY New State = IKE_I_MM1
1418073: Nov 20 10:13:12: ISAKMP (0:2616): beginning Main Mode exchange
1418074: Nov 20 10:13:12: ISAKMP (0:2616): sending packet to asa_external_ip my_port 500 peer_port 500 (I) MM_NO_STATE
1418075: Nov 20 10:13:14: ISAKMP (0:2608): retransmitting phase 1 MM_SA_SETUP...
1418076: Nov 20 10:13:14: ISAKMP (0:2608): incrementing error counter on sa: retransmit phase 1
1418077: Nov 20 10:13:14: ISAKMP (0:2608): retransmitting phase 1 MM_SA_SETUP
1418078: Nov 20 10:13:14: ISAKMP (0:2608): sending packet to asa_external_ip my_port 500 peer_port 500 (R) MM_SA_SETUP
1418079: Nov 20 10:13:14: ISAKMP (0:2614): retransmitting phase 1 MM_SA_SETUP...
1418080: Nov 20 10:13:14: ISAKMP (0:2614): incrementing error counter on sa: retransmit phase 1
1418081: Nov 20 10:13:14: ISAKMP (0:2614): retransmitting phase 1 MM_SA_SETUP
1418082: Nov 20 10:13:14: ISAKMP (0:2614): sending packet to asa_external_ip my_port 500 peer_port 500 (R) MM_SA_SETUP
1418083: Nov 20 10:13:16: ISAKMP (0:2607): retransmitting phase 1 MM_SA_SETUP...
1418084: Nov 20 10:13:16: ISAKMP (0:2607): peer does not do paranoid keepalives.
1418085: Nov 20 10:13:16: ISAKMP (0:2607): deleting SA reason "death by retransmission P1" state (R) MM_SA_SETUP (peer asa_external_ip) input queue 0
1418086: Nov 20 10:13:16: ISAKMP (0:2612): retransmitting phase 1 MM_SA_SETUP...
1418087: Nov 20 10:13:16: ISAKMP (0:2612): incrementing error counter on sa: retransmit phase 1
1418088: Nov 20 10:13:16: ISAKMP (0:2612): retransmitting phase 1 MM_SA_SETUP
1418089: Nov 20 10:13:16: ISAKMP (0:2612): sending packet to asa_external_ip my_port 500 peer_port 500 (R) MM_SA_SETUP
1418090: Nov 20 10:13:16: ISAKMP (0:2607): deleting SA reason "death by retransmission P1" state (R) MM_SA_SETUP (peer asa_external_ip) input queue 0
1418091: Nov 20 10:13:16: ISAKMP (0:2607): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
1418092: Nov 20 10:13:16: ISAKMP (0:2607): Old State = IKE_R_MM2 New State = IKE_DEST_SA
1418093: Nov 20 10:13:18: ISAKMP (0:2611): retransmitting phase 1 MM_SA_SETUP...
1418094: Nov 20 10:13:18: ISAKMP (0:2611): incrementing error counter on sa: retransmit phase 1
On the other side:
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 20
crypto isakmp ipsec-over-tcp port 10000
object-group network TEST_prod_local
description Network list TEST Prod Local
network-object host 10.50.0.1
object-group network TEST_prod_remote
description Network list TEST Prod Remote
network-object host 10.40.0.1
access-list INSIDE_nat0_outbound extended permit ip object-group TEST_prod_local object-group test_prod_remote
access-list OUTSIDE_57_cryptomap extended permit ip object-group TEST_prod_local object-group test_prod_remote
tunnel-group ip_cisco3745 type ipsec-l2l
tunnel-group ip_cisco3745 ipsec-attributes
pre-shared-key password
crypto map OUTSIDE_map interface OUTSIDE
crypto map OUTSIDE_map 57 match address OUTSIDE_57_cryptomap
crypto map OUTSIDE_map 57 set pfs
crypto map OUTSIDE_map 57 set peer ip_cisco3745
crypto map OUTSIDE_map 57 set transform-set ESP-3DES-SHA1
And the ASA keeps repeating:
6|Nov 19 2009|18:02:30|713219|||IP = ip_cisco3745, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Nov 19 2009|18:02:29|713219|||IP = ip_cisco3745, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Nov 19 2009|18:02:28|713219|||IP = ip_cisco3745, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Nov 19 2009|18:02:27|713219|||IP = ip_cisco3745, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Why can I bring up Phase 2?
Thank you for your help!
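The debug above has two separate signals in it: the proposal check succeeds ("atts are acceptable"), while a whole set of SAs keep retransmitting MM_SA_SETUP and die "by retransmission P1". The following script, added here as an example and not part of the original post, folds such "debug crypto isakmp" lines into one record per SA id and separates a policy mismatch from a peer whose reply never arrives. The log sample is constructed in the same format as the one quoted above; the extra SA 0:2620 reaching IKE_R_MM3 is made up to show a healthy exchange is not flagged.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the "debug crypto isakmp" output quoted in the post above.
SAMPLE_LOG = """\
1418040: Nov 20 10:13:12: ISAKMP (0:2615): Checking ISAKMP transform 1 against priority 1 policy
1418047: Nov 20 10:13:12: ISAKMP (0:2615): atts are acceptable. Next payload is 3
1418058: Nov 20 10:13:12: ISAKMP (0:2609): retransmitting phase 1 MM_SA_SETUP...
1418065: Nov 20 10:13:12: ISAKMP (0:2615): Old State = IKE_R_MM1 New State = IKE_R_MM2
1418075: Nov 20 10:13:14: ISAKMP (0:2608): retransmitting phase 1 MM_SA_SETUP...
1418083: Nov 20 10:13:16: ISAKMP (0:2607): retransmitting phase 1 MM_SA_SETUP...
1418085: Nov 20 10:13:16: ISAKMP (0:2607): deleting SA reason "death by retransmission P1" state (R) MM_SA_SETUP (peer asa_external_ip) input queue 0
1418092: Nov 20 10:13:16: ISAKMP (0:2607): Old State = IKE_R_MM2 New State = IKE_DEST_SA
1418100: Nov 20 10:13:20: ISAKMP (0:2620): Old State = IKE_R_MM2 New State = IKE_R_MM3
"""

# Only lines carrying an SA id "(0:NNNN)" are per-SA; "ISAKMP: hash SHA" style lines are skipped.
LINE_RE = re.compile(r"^\d+: \w{3} +\d+ [\d:]+: ISAKMP \((?P<sa>[\d:]+)\):? (?P<msg>.*)$")
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)"')
# Main Mode states before the peer's MSG2 has been processed (no DH exchange yet), plus teardown.
EARLY_STATES = {"IKE_READY", "IKE_R_MM1", "IKE_R_MM2", "IKE_I_MM1", "IKE_I_MM2", "IKE_DEST_SA"}

def parse_isakmp_debug(log):
    """Fold the debug lines into one record per ISAKMP SA id."""
    sas = defaultdict(lambda: {"past_mm2": False, "retransmits": 0, "atts_ok": False, "deleted": None})
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sa, msg = sas[m["sa"]], m["msg"]
        if st := STATE_RE.search(msg):
            sa["past_mm2"] |= st.group(2) not in EARLY_STATES   # got beyond the SA_SETUP exchange
        elif msg.startswith("retransmitting phase 1"):
            sa["retransmits"] += 1
        elif msg.startswith("atts are acceptable"):
            sa["atts_ok"] = True                                # ISAKMP policy matched a proposal
        elif d := DELETE_RE.search(msg):
            sa["deleted"] = d.group(1)
    return dict(sas)

def diagnose(sas):
    """Separate a proposal mismatch from a peer whose MM_SA_SETUP reply never arrives."""
    findings = []
    if any(s["atts_ok"] for s in sas.values()):
        findings.append("proposal accepted: not an ISAKMP policy mismatch")
    stalled = sorted(i for i, s in sas.items() if s["retransmits"] and not s["past_mm2"])
    if stalled:
        findings.append("stuck before MM3, retransmitting MM_SA_SETUP (check UDP/500, UDP/4500, NAT-T): "
                        + ", ".join(stalled))
    dead = [i for i, s in sas.items() if s["deleted"] and "retransmission" in s["deleted"]]
    if dead:
        findings.append(f"{len(dead)} SA(s) deleted by retransmission timeout")
    return findings
```

Feed it the full `debug crypto isakmp` capture from both peers; when one side shows accepted attributes and the other only ever waits in MM_WAIT_MSG2, the problem is on the path (or in NAT-T support), not in the policies.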
11-20-2009 04:20 AM
Your transform set on the 3745 for Phase 2 is 3des sha-hmac.
On the ASA your transform set is 3des md5-hmac.
You need to change one of these so they match.
Also on Phase 2 on the 3745 you have PFS group 1. On the ASA it's not clear what group you have set this to ?
Jon
11-20-2009 04:26 AM
Sorry, it was not the last configuration.
The transform set in the ASA is ESP-3DES-SHA1
and pfs group2 on Phase 2 on the 3745
I will edit my first post sorry for that.
11-20-2009 05:41 AM
Hi ,
I have reviewed the configs both on the router and the ASA. Besides the ACL, the rest is good so far.
With the following NAT statements made on the router, I understand you are doing dual NAT for the VPN.
ip nat inside source static 172.16.1.1 10.40.0.1
ip nat outside source static 10.50.0.1 192.168.1.1
With the ACL on the ASA, I have an understanding that the internal host behind the ASA is 10.50.0.1, and you want to NAT it to 192.168.1.1 on the router. Please correct me if I am wrong.
If this is correct, then try the following configuration.
#########ip nat outside source static 192.168.1.1 10.50.0.1#############
As additional information on the above NAT statement, the following is the option on the router.
cisco(config)#ip nat outside source static ?
A.B.C.D Outside global IP address <<<<<<<< NAT'd ip 192.168.1.1
network Subnet translation
tcp Transmission Control Protocol
udp User Datagram Protocol
cisco(config)#ip nat outside source static 1.1.1.1 ?
A.B.C.D Outside local IP address <<<<<<< LocaL ip i.e 10.50.0.1
Also, you need to remove the second entry in the crypto ACL on the router, which is:
########permit ip host 10.50.0.1 host 10.40.0.1 ####### REMOVE THIS.
On ASA
-----
The object group that defines the host behind router is this:-
object-group network ipsos_prod_remote
description Network list TEST Prod Remote
network-object host 10.40.0.1
But the one used as destination in the crypto ACL is object-group test_prod_remote ...
Please do make sure you bind the correct group to in the ACL below....
access-list INSIDE_nat0_outbound extended permit ip object-group TEST_prod_local object-group test_prod_remote << should use ipsos_prod_remote
access-list OUTSIDE_57_cryptomap extended permit ip object-group TEST_prod_local object-group test_prod_remote << should use ipsos_prod_remote
***PFS on both router and ASA is set to group 2 which is correct***
Hope this helps.
Regards
M
P.S.: In case you still face any issues, please post the "deb cry isa 127" and "deb cry ipse 127" from the ASA.
11-20-2009 06:05 AM
What we want to have in the crypto is 10.50.0.1 and 10.40.0.1.
Unfortunately I'm just the local manager (router), and remotely (ASA) I should see 10.40.0.1 coming from them.
So we should have:
192.168.1.1 -- ROUTER -- 10.50.0.1 --- 10.40.0.1 -- ASA -- 10.40.0.1
As I don't want to see those two addresses in my network (10.50.0.1 and 10.40.0.1), I configured a NAT:
ip nat inside source static 172.16.1.1 10.40.0.1
ip nat outside source static 10.50.0.1 192.168.1.1
10.50.0.1 is global and 192.168.1.1 should be local. I think my access list:
ip nat outside source static 10.50.0.1 192.168.1.1
is in the good way and I don't have to change that.
On ASA
-----
I just forgot to anonymise everything, you got me, but I bind the correct group in the ACL for sure.
The debug crypto in the ASA is in my first post.
Thank you very much for your help !
11-20-2009 06:10 AM
I would suggest removing these statements.
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
Since you are using group 2 only.
Could you also reload the ISP device and the firewall if possible.
HTH
pravin
11-20-2009 06:13 AM
I cannot remove it because it's the remote client configuration. And by the way, as you can see in the log, it's not used:
1418040: Nov 20 10:13:12: ISAKMP (0:2615): Checking ISAKMP transform 1 against priority 1 policy
1418041: Nov 20 10:13:12: ISAKMP: default group 2
1418042: Nov 20 10:13:12: ISAKMP: encryption 3DES-CBC
1418043: Nov 20 10:13:12: ISAKMP: hash SHA
1418044: Nov 20 10:13:12: ISAKMP: auth pre-share
1418045: Nov 20 10:13:12: ISAKMP: life type in seconds
1418046: Nov 20 10:13:12: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
11-20-2009 06:24 AM
Fine, by default the PFS is in group 2.
Can you check by adding the command below:
crypto map OUTSIDE_map 57 set pfs group2
do clear crypto ipsec sa peer
11-20-2009 07:25 AM
What I see is:
On one side:
1418082: Nov 20 10:13:14: ISAKMP (0:2614): sending packet to asa_external_ip my_port 500 peer_port 500 (R) MM_SA_SETUP
1418083: Nov 20 10:13:16: ISAKMP (0:2607): retransmitting phase 1 MM_SA_SETUP...
sh crypto isakmp sa | i asa_external_ip
router_external_ip asa_external_ip MM_SA_SETUP 2145 0
On the other side:
26 IKE Peer: router_external_ip
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
IP = router_external_ip, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Does it look like a packet drop or something like that?
11-20-2009 07:33 AM
######################################################
@pravin: No need to remove the group 2/group 1 policy, as the tunnel is negotiating fine with the first best match on the ASA, as pointed out by mathieu.ploton.
@mathieu.ploton:
I had posted my understanding as per the information available in your first post. Now with your reply to it, things appear to be the other way around.
The host with ip addr 192.168.1.1 needs to be NAT'd to 10.50.0.1 to go through the tunnel. The remote host 10.40.0.1 should appear as it is when it is decrypted on router's public interface. But should undergo the translation to 172.16.1.1 after decryption so that internal host see it as 172.16.1.1 .
Your statement "ip nat outside source static 10.50.0.1 192.168.1.1" is incorrect.
In that case the configuration should be this...
ip nat inside source static 192.168.1.1 10.50.0.1
ip nat outside source static 172.16.1.1 10.40.0.1
From crypto ACL REMOVE the following entry from router.
permit ip host 10.40.0.1 host 10.50.0.1
On ASA
-------
They need to change their ACL
**From**
access-list INSIDE_nat0_outbound extended permit ip object-group TEST_prod_local object-group test_prod_remote
10.50.0.1 >>> 10.40.0.1
access-list OUTSIDE_57_cryptomap extended permit ip object-group TEST_prod_local object-group test_prod_remote
10.50.0.1 >>> 10.40.0.1
**TO**
Real ip address of host behind the ASA 10.40.0.1 >>> 10.50.0.1 NAT'd ip of host behind the router.
You might need to go through the following documents.
http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
####################
Guidelines for posters (esp. new ones): please make your first post clear for quicker resolution, otherwise it can take 5-10 posts just to find out the exact nature of the problem. Post the configuration and debugs correctly the first time, along with the topology.
11-20-2009 07:43 AM
Maybe I'm not being clear, but that's not what I want to do.
Let's sum up:
My internal host:
Real IP: 172.16.1.1
Address in the tunnel: 10.40.0.1
The remote host:
Real IP: don't care
Address in the tunnel: 10.40.0.1
Address NATed in my internal area: 192.168.1.1
So what should the NAT commands in my router be in this case?
11-20-2009 07:46 AM
This shows that the ASA is sending MSG1 as an initiator; in the debugs you sent I see the router is retransmitting UDP 500 packets to the ASA, but the ASA is still waiting for MSG2 from the router.
Make sure your ISP is not blocking UDP 500 / 4500.
Though by default NAT-T is enabled on the router, still go for the command below, just in case...
cry ipsec nat-transparency udp-encapsulation
Get the captures from the ASA's outside interface. Command syntax for the same:
access-l test per ip host "external ip of asa" host "external ip of router"
access-l test per ip host "external ip of router" host "external ip of asa"
capture capout access-l test interface "name of the outside interface"
Execute the command "show cap capout" to see the packets on the outside interface for UDP 500, and post the output here.
On the router you can use the same ACL as mentioned above and then run:
deb ip packet detail "name of acl"
Post both outputs here.
Regards
M
11-20-2009 08:10 AM
I have no access to the command cry ipsec nat-transparency udp-encapsulation.
I think the problem is that c3745-ik9o3s-mz.122-13.T4.bin does not support IPsec NAT Transparency!!
Sorry it's mathieu.ploton using another account...