L2L VPN not coming up

RepotSircBE · ‎02-18-2013

I am using GNS3 to build a tunnel between an ASA and a router.

Below are my configurations but the tunnel is not coming, can anyone spot what's wrong with my configs? Or could it be because of bugs on GNS3?

ciscoasa# sho running-config crypto
!
crypto ipsec transform-set MySET esp-aes esp-sha-hmac
!
access-list VPN_Traffic extended permit ip 12.123.15.0 255.255.255.0 192.168.10.0 255.255.255.0
!
crypto map SampleVPN 100 match address VPN_Traffic
crypto map SampleVPN 100 set peer 10.123.5.2
crypto map SampleVPN 100 set transform-set MySET
!
crypto map SampleVPN interface outside
!
crypto isakmp enable outside
!
crypto isakmp policy 100
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
tunnel-group VPN type ipsec-l2l
tunnel-group VPN ipsec-attributes
pre-shared-key 1234

R1#sho run | sec crypto
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key 1234 address 12.152.45.2 no-xauth
!
crypto ipsec transform-set MySET esp-aes esp-sha-hmac
!
ip access-list extended VPN_Traffic
permit ip 192.168.10.0 0.0.0.255 12.123.15.0 0.0.0.255
!
crypto map VPN 100 ipsec-isakmp
set peer 12.152.45.2
set transform-set MySET
match address VPN_Traffic
!
interface f0/0
crypto map VPN

Here are the debugs from the router...

*Feb 18 15:59:03.971: ISAKMP:(0): SA request profile is (NULL)
*Feb 18 15:59:03.971: ISAKMP: Created a peer struct for 12.152.45.2, peer port 500
*Feb 18 15:59:03.971: ISAKMP: New peer created peer = 0x65C73CCC peer_handle = 0x80000004
*Feb 18 15:59:03.975: ISAKMP: Locking peer struct 0x65C73CCC, refcount 1 for isakmp_initiator
*Feb 18 15:59:03.975: ISAKMP: local port 500, remote port 500
*Feb 18 15:59:03.975: ISAKMP: set new node 0 to QM_IDLE
*Feb 18 15:59:03.975: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 6568F26C
*Feb 18 15:59:03.979: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Feb 18 15:59:03.979: ISAKMP:(0):found peer pre-shared key matching 12.152.45.2
*Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Feb 18 15:59:03.983: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Feb 18 15:59:03.987: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Feb 18 15:59:03.987: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Feb 18 15:59:03.987: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

*Feb 18 15:59:03.987: ISAKMP:(0): beginning Main Mode exchange
*Feb 18 15:59:03.991: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 18 15:59:03.991: ISAKMP:(0):Sending an IKE IPv4 Packet......
Success rate is 0 percent (0/5)
R1#
*Feb 18 15:59:13.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Feb 18 15:59:13.991: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 18 15:59:13.991: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Feb 18 15:59:13.995: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb 18 15:59:13.995: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb 18 15:59:14.043: ISAKMP (0:0): received packet from 12.152.45.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Feb 18 15:59:14.047: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb 18 15:59:14.047: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2

*Feb 18 15:59:14.051: ISAKMP:(0): processing SA payload. message ID = 0
*Feb 18 15:59:14.055: ISAKMP:(0): processing vendor id payload
*Feb 18 15:59:14.055: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Feb 18 15:59:14.055: ISAKMP:(0): vendor ID is NAT-T v2
*Feb 18 15:59:14.055: ISAKMP:(0)
R1#: processing vendor id payload
*Feb 18 15:59:14.059: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Feb 18 15:59:14.059: ISAKMP:(0):found peer pre-shared key matching 12.152.45.2
*Feb 18 15:59:14.059: ISAKMP:(0): local preshared key found
*Feb 18 15:59:14.059: ISAKMP : Scanning profiles for xauth ...
*Feb 18 15:59:14.063: ISAKMP:(0):Checking ISAKMP transform 1 against priority 100 policy
*Feb 18 15:59:14.063: ISAKMP:      encryption 3DES-CBC
*Feb 18 15:59:14.063: ISAKMP:      hash MD5
*Feb 18 15:59:14.063: ISAKMP:      default group 2
*Feb 18 15:59:14.063: ISAKMP:      auth pre-share
*Feb 18 15:59:14.063: ISAKMP:      life type in seconds
*Feb 18 15:59:14.067: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80
*Feb 18 15:59:14.067: ISAKMP:(0):atts are acceptable. Next payload is 0
*Feb 18 15:59:14.071: ISAKMP:(0): processing vendor id payload
*Feb 18 15:59:14.071: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Feb 18 15:59:14.071: ISAK
R1#
R1#MP:(0): vendor ID is NAT-T v2
*Feb 18 15:59:14.071: ISAKMP:(0): processing vendor id payload
*Feb 18 15:59:14.075: ISAKMP:(0): vendor ID seems Unity/DPD but major 194 mismatch
*Feb 18 15:59:14.075: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb 18 15:59:14.075: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2

*Feb 18 15:59:14.079: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Feb 18 15:59:14.079: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb 18 15:59:14.079: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb 18 15:59:14.079: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3

R1#
*Feb 18 15:59:23.291: ISAKMP:(0):purging node -49064826
*Feb 18 15:59:23.291: ISAKMP:(0):purging node -330154301
*Feb 18 15:59:24.079: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP...
*Feb 18 15:59:24.079: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Feb 18 15:59:24.079: ISAKMP:(0): retransmitting phase 1 MM_SA_SETUP
*Feb 18 15:59:24.083: ISAKMP:(0): sending packet to 12.152.45.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Feb 18 15:59:24.083: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Feb 18 15:59:24.111: ISAKMP (0:0): received packet from 12.152.45.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Feb 18 15:59:24.111: ISAKMP:(0):Notify has no hash. Rejected.
*Feb 18 15:59:24.111: ISAKMP (0:0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM3
*Feb 18 15:59:24.115: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Feb 18 15:59:24.115: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM3

R1#ping ip 12.123.15.2 source loo0
*Feb 18 15:59:24.115: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 12.152.45.2
R1#ping ip 12.123.15.2 source loo0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.123.15.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
....
*Feb 18 15:59:33.295: ISAKMP:(0):purging SA., sa=6568EB18, delme=6568EB18
*Feb 18 15:59:33.967: ISAKMP: set new node 0 to QM_IDLE
*Feb 18 15:59:33.971: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.123.5.2, remote 12.152.45.2)
*Feb 18 15:59:33.971: ISAKMP: Error while processing SA request: Failed to initialize SA
*Feb 18 15:59:33.975: ISAKMP: Error while processing KMI message 0, error 2..
Success rate is 0 percent (0/5)

R1#
*Feb 18 16:00:18.975: ISAKMP: quick mode timer expired.
*Feb 18 16:00:18.975: ISAKMP:(0):src 10.123.5.2 dst 12.152.45.2, SA is not authenticated
*Feb 18 16:00:18.975: ISAKMP:(0):peer does not do paranoid keepalives.

*Feb 18 16:00:18.979: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_SA_SETUP (peer 12.152.45.2)
*Feb 18 16:00:18.983: ISAKMP:(0):deleting SA reason "QM_TIMER expired" state (I) MM_SA_SETUP (peer 12.152.45.2)
*Feb 18 16:00:18.983: ISAKMP: Unlocking peer struct 0x65C73CCC for isadb_mark_sa_deleted(), count 0
*Feb 18 16:00:18.987: ISAKMP: Deleting peer node by peer_reap for 12.152.45.2: 65C73CCC
R1#
*Feb 18 16:00:18.987: ISAKMP:(0):deleting node 1582877960 error FALSE reason "IKE deleted"
*Feb 18 16:00:18.987: ISAKMP:(0):deleting node 814986207 error FALSE reason "IKE deleted"
*Feb 18 16:00:18.991: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Feb 18 16:00:18.991: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_DEST_SA

R1#
*Feb 18 16:01:08.987: ISAKMP:(0):purging node 1582877960
*Feb 18 16:01:08.987: ISAKMP:(0):purging node 814986207
R1#
*Feb 18 16:01:18.991: ISAKMP:(0):purging SA., sa=6568F26C, delme=6568F26C

jawad-mukhtar · ‎02-18-2013

access-list VPN_Traffic extended permit ip 12.123.15.0 255.255.255.0 192.168.10.0 255.255.255.0

U have to Wild Card Bits in Access-list

access-list VPN_Traffic extended permit ip 12.123.15.0 0.0.0.255 92.168.10..0 0.0.0.255

Hope that it will work

Jawad

RepotSircBE · ‎02-18-2013

Hi Jawad,

We use the "mask" on ASA and "wild card bits" on routers, don't we?

jawad-mukhtar · ‎02-18-2013

Yes u re rite. I was Thinking it of Router ACL...

Jawad

david.tran · ‎02-18-2013

crypto map SampleVPN 100 set peer 10.123.5.2

..

Is the the correct ip address of the router VPN Peer?

jawad-mukhtar · ‎02-18-2013

Please Do This in ur ASA

tunnel-group 10.123.5.2 type ipsec-l2l

tunnel-group 10.123.5.2 ipsec-attributes

pre-shared-key 1234

Do Rate if issue Solved

Jawad

malshbou · ‎02-18-2013

Hi,

when you applied the tunnel-group VPN, you should have seen a warning telling that tunnel-group can have name only if it's for remote-access VPN, or certificate authentication is used. so, L2L vpn with pre-shared keys can only have tunnel-groups named as the peer IP address.

Mashal

------------------ Mashal Shboul

RepotSircBE · ‎02-18-2013

I think I could have ignored that message.