L2L with Nat-T (behind router) - Phase 1 error (MM_WAIT_MSG6)

belalessandro
Level 1

I'm trying to configure a Site-to-Site VPN on a Cisco ASA 5505 firewall which is behind an ISP router (Cisco 800 Series) configured in routing mode (not bridging) and with a static NAT of all the ports to the firewall (avoiding the router's bridging mode).

INSIDE --> FIREWALL (VPN) --> ISP ROUTER -> .... internet ... -> REMOTE PEER (VPN)

inside: 192.168.12.x/24

firewall inside ip: 192.168.12.1/24

firewall outside ip: 192.168.1.11/24

isp router inside ip: 192.168.1.1/24

isp router outside ip: xxxxxxxxx/0

...

remote peer outside: xxxxxxxxxx/0

remote peer lan: 192.168.0.x/24

Remote peer is NOT behind a Nat and accepts incoming connections from ISP Router public address

The tunnel fails in Phase 1, returning a MM_WAIT_MSG6 error

I enabled IPSec-Over-TCP with 4500,500,40,41 ports, otherwise I get a NO_PROPOSAL_CHOSEN error

Nat-T is enabled by default (I've also tried to type manually the cmd)

Is it a problem of firewall identity? It's in automatic mode... (other choices: VendorID, Address or Hostname)

... and what about Reverse Routing Injection? (which is disabled)

Cisco ASA 5505 firewall config:

ASA Version 8.2(1)
...
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.12.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.11 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
same-security-traffic permit intra-interface
! ## rule created by the vpn wizard
access-list outside_1_cryptomap extended permit ip 192.168.12.0 255.255.255.0 192.168.0.0 255.255.255.0
! ## ports to establish the connection between the remote VPN and the firewall
access-list outside_access_in extended permit ip any any
! ## allow incoming ping (redundant rule)
access-list outside_access_in extended permit icmp any any
! ## ..created by the vpn wizard
access-list inside_nat0_outbound extended permit ip 192.168.12.0 255.255.255.0 192.168.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
! ## .. created by the wizard
nat (inside) 0 access-list inside_nat0_outbound
!
nat (inside) 1 0.0.0.0 0.0.0.0 dns
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
! ## routing outbound internet traffic
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
! ## routing outbound vpn traffic
route outside 192.168.0.0 255.255.255.0 XXxx-REMOTE_PEER_IP-xxXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.12.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
! ## Phase 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer XXxx-REMOTE_PEER_IP-xxXX
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
! ## Phase 1
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! ## DO I HAVE TO ENABLE IPSEC-OVER-TCP ??
crypto isakmp ipsec-over-tcp port 500 4500 50 51
! ## NAT-T is enabled by default
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
! ## inside dhcp
dhcpd address 192.168.12.5-192.168.12.36 inside
dhcpd dns XXxx-DNS_IPs-xxXX interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
tunnel-group XXxx-REMOTE_PEER_IP-xxXX type ipsec-l2l
tunnel-group XXxx-REMOTE_PEER_IP-xxXX ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context

IKE debug log:

IKE MM Initiator FSM error history (struct &0xc9d73740)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_PROB_AUTH_FAIL-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_WAIT_MSG6, NullEvent-->MM_SND_MSG5, EV_SND_MSG-->MM_SND_MSG5, EV_START_TMR-->MM_SND_MSG5, EV_RESEND_MSG-->MM_WAIT_MSG6, EV_TIMEOUT

Thanks for the help

PS: I've written a Java app to highlight Cisco ASA syntax... I will post it soon, in case anyone finds it useful.

12 Replies

Jennifer Halim
Cisco Employee

You do not need the following static route as it should just use the default route:

route outside 192.168.0.0 255.255.255.0 XXxx-REMOTE_PEER_IP-xxXX 1

Please kindly remove the following too:

crypto isakmp ipsec-over-tcp port 500 4500 50 51

NAT-T should be enabled by default, and it uses UDP/4500.

For an IPSec VPN tunnel, you would need to allow/NAT the following 2 ports:

Phase 1: UDP/500

Phase 2: UDP/4500

Hope that helps.

Hi,

Please post the configuration of your remote peer VPN ASA or router here.

Hi Jennifer,

Phase 2 doesn't require UDP 4500; this port is primarily used to encapsulate IPsec in UDP if there is a device performing NAT between the IPsec peers, which NAT-T allows.

However, he would need to allow the following in his firewall (which are already permitted):

1- ISAKMP , UDP port 500

2- ESP

3- NAT-T , UDP port 4500

Regards,

Mohamed

The remote peer isn't mine (it has other VPNs working correctly), however it's a Juniper SSG-140 with these settings:

Remote gateway: xxx-MY_ISP_ROUTER_PUBLIC_IP-xxx

Phase1: pre-g2-3des-sha

Phase2: g2-esp-3des-sha

Replay Protection: Disabled

Transport Mode (for L2TP-over-IPSec): Disabled

Use As Seed: Disabled

Preferred Certificate:

-Local Cert: None

-Peer CA: All

-Peer Type: X509-SIG

Bind to: None

Source Interface: default

Destination IP: default


Enable NAT-Traversal: Enabled (keepalive frequency: 0)

The pre-shared key has been checked several times and it's surely correct.

Thanks

Hi Mohamed,

Just to clarify, the ports below are used in Phase 1 / Phase 2:

No NAT-T:

Phase 1 and Phase 2 (Control Plane Traffic): UDP 500

Data Plane: ESP

With NAT-T:

Phase 1 : UDP 500 for MM1 - MM4, UDP 4500 (MM5, MM6)

Phase 2: UDP 4500

Data Plane: UDP 4500 (ESP is encapsulated in UDP 4500 to avoid any NAT issues and thus the usefulness of NAT-T)

You can probably verify that also by doing a packet capture on the ASA for a new tunnel setup and then saving it as PCAP to be viewed later in Wireshark.

Thanks,

Naman

Thanks for the reply,

I think that without the "route outside..", the outbound packets for the vpn (directed to the 192.168.0.x, which is the remote lan) will go outside without a destination, not protected by the tunnel (because the tunnel is down) .. could you confirm this?

As for "crypto isakmp ipsec-over-tcp..", if I remove it I get a NO_PROPOSAL_CHOSEN error, which probably indicates mismatched settings... Is it due to a wrong identity of my firewall? (the remote peer receives packets with a different source IP instead of the ISP public IP)

Ports UDP 4500 and 500 are already allowed/NAT-ed (even better, every port of the isp router is static natted to my firewall)

I think that without the "route outside..", the outbound packets for the vpn (directed to the 192.168.0.x, which is the remote lan) will go outside without a destination, not protected by the tunnel (because the tunnel is down) .. could you confirm this?

A: this statement is incorrect. It should be encrypted and routed to the Internet as per your default route/default gateway. Hence, it is incorrect to configure specific "route outside" to the peer address as the peer address is not even directly connected to the ASA.

Which probably indicates mismatched settings.. Is it due to a wrong identity of my firewall? (the remote peer receives packets with a different source ip instead of the ISP public ip)

A: yes, there is a possibility that the remote peer is matching the peer IP address which is behind a NAT router, and the actual ISAKMP negotiation messages about the peer IP address would carry the private IP address (not the NATed address), because NAT is only performed on the IP header, not within the messages of the ISAKMP negotiation (data). Is there any way to include the private address in the Juniper configuration for the peer IP address?

Mohamed Sobair
Level 7

Hi,

Please post the output of the below:

# debug isakmp sa


- In general, I would check the following configuration :

1- The Security Association lifetime should match between IPsec peers (check the Juniper configuration).

2- Some ISPs block UDP ports which are necessary to establish the tunnel; in this case, either the ports are allowed, or NAT-T 4500. However, port 500 UDP should still be allowed.

Note:

You can enable IPsec over TCP if the ISP blocks port 4500 UDP, but you will need UDP port 500 to be open and allowed.

Can you confirm these steps?

Regards,

Mohamed

mulatif
Cisco Employee

Hi,

Since you are using NAT-T (ASA behind a NAT device), the communication will be as below:

ASA <------> Juniper

MM1 -->
        <-- MM2
MM3 -->
        <-- MM4
** Communication will now shift to UDP 4500 from UDP 500 **
MM5 -->
        <-- MM6  (which is not being received)

So we have a couple of possibilities here:

1. Juniper doesn't like MM5 because of a pre-shared key mismatch. Though, as you said, this has been verified.

2. Juniper does send MM6 back to the ASA, but it never makes it (in which case you need to verify the ISP etc.).

    Please verify this as below:

    a. On the ASA set up the capture as below:

        access-list capture permit ip host <ASA-outside-IP> host <Juniper-IP>
        access-list capture permit ip host <Juniper-IP> host <ASA-outside-IP>
        capture outside access-list capture interface outside

    b. Try to bring up the tunnel and then take a look at the "show capture outside" output. If you do not see any UDP 4500 packet coming back from the Juniper, then the issue is not on the ASA.

        However, if you do see UDP 4500 coming back (though very little chance), then please open a TAC case and we can take a look at the issue.

3. I would also verify on the Juniper, by doing a capture in front of it, that the Juniper 'is' sending MM6 back to the ASA.

Thanks,

Naman

Hi Naman,

The book doesn't state that phase 2 uses UDP port 4500; I have read this before and run some debugs on the ASA to verify.

Still, the 4500 UDP port is used to encapsulate the IPsec traffic in UDP when there is a device performing NAT, and would therefore require the ASA to be configured with the following:

ASA(config)# isakmp nat-traversal 20

However, it doesn't mean that ISAKMP won't still use port 500 UDP for phase 1 whenever NAT-T is used.

Let me know your opinion,

Regards,

Mohamed

Hi Mohamed,

You are right that "isakmp nat-traversal.." needs to be enabled, but it is enabled by default on the ASA, so unless it was disabled earlier this step doesn't need to be performed.

With or without NAT-T, the first 4 packets (MM1 - MM4) will always use UDP 500.

However, after this, if NAT-T was negotiated then all further communication will use UDP 4500 (remaining phase 1, i.e. MM5/MM6, phase 2, data).

So phase 2 does use UDP 4500 when NAT-T was negotiated earlier.

The best way for you to look at it will be to do a packet capture.

Thanks,

Naman

belalessandro
Level 1

Sorry for my delay and thank you all for the support.

Today I'll try all the possible solutions you wrote (also to discover what the problem was), but since my ISP finally allowed my firewall to have a public IP, I think all the troubles will disappear (I hope...)

Hi all,

here is my solution.

Disable NAT-T as follows:

crypto map MyMap 1 set nat-t-disable

This will avoid the use of 4500/udp.

Explanation:

  11: 17:30:07.748313 initiator.500 > responder.500:  udp 364   (packet 1)
  12: 17:30:07.749640 responder.500 > initiator.500:  udp 132   (packet 2)
  13: 17:30:07.782826 initiator.500 > responder.500:  udp 304   (packet 3)
  14: 17:30:07.784734 responder.500 > initiator.500:  udp 304   (packet 4)
  15: 17:30:07.817813 initiator.4500 > responder.4500:  udp 112   (packet 5) you started waiting for packet 6
  16: 17:30:07.818698 responder.4500 > initiator.4500:  udp 112   (packet 6 was sent) I'm good so I am active now. But the initiator never got packet 6

I hope this makes sense!

Cheers.

Marty-
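An added example (not from this thread or any Cisco tool) that automates the check mulatif's reply describes and that the capture above illustrates: it parses ASA "show capture" lines, labels IKEv1 main mode messages MM1..MM6 by direction and port, and reports whether the port float to UDP/4500 happened and whether the exchange stalled waiting for MM6. The sample capture is constructed, with "initiator" and "responder" as placeholder host names.

```python
import re

# Constructed sample modelled on the "show capture" lines quoted above: MM1-MM4 on
# UDP/500, MM5 floats to UDP/4500 and is resent once, and no MM6 ever comes back.
SAMPLE_CAPTURE = """\
  11: 17:30:07.748313 initiator.500 > responder.500:  udp 364
  12: 17:30:07.749640 responder.500 > initiator.500:  udp 132
  13: 17:30:07.782826 initiator.500 > responder.500:  udp 304
  14: 17:30:07.784734 responder.500 > initiator.500:  udp 304
  15: 17:30:07.817813 initiator.4500 > responder.4500:  udp 112
  16: 17:30:15.817920 initiator.4500 > responder.4500:  udp 112
"""

# Trailing annotations after the UDP length (as in the post above) are ignored.
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)"
)

def parse_capture(text):
    """Pull src/dst host, ports and UDP length out of each capture line."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            for key in ("sport", "dport", "length"):
                d[key] = int(d[key])
            pkts.append(d)
    return pkts

def main_mode_progress(pkts, initiator):
    """Label main mode messages: odd ones leave the initiator, even ones return
    from the responder; a packet from the side that just sent is a resend."""
    expected, resends, float_at = 1, 0, None
    for p in pkts:
        if p["sport"] not in (500, 4500) or expected > 6:
            continue  # not ISAKMP, or main mode already finished
        if (p["src"] == initiator) != (expected % 2 == 1):
            resends += 1  # same side talking again: previous message resent
            continue
        if p["sport"] == 4500 and float_at is None:
            float_at = expected  # NAT-T port float, expected at MM5 behind a NAT
        expected += 1
    last = expected - 1
    verdict = {5: "stuck in MM_WAIT_MSG6: MM5 sent, no MM6 received",
               6: "main mode complete"}.get(last, "stalled after MM%d" % last)
    return {"last_msg": last, "float_at": float_at, "resends": resends, "verdict": verdict}
```

Run it against a real "show capture outside" dump with the ASA's outside address as the initiator; a float_at of 5 with a verdict of MM_WAIT_MSG6 means MM5 left on UDP/4500 and nothing came back, which points at the path (ISP or NAT device) rather than at the ASA.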
