2692 Views, 0 Helpful, 11 Replies

Remote Access VPN with Racoon to Cisco ASA

norbertmurzsa
Level 1

Hi there,

I would like to implement a remote access VPN from Racoon to a Cisco ASA using certificates.

It works fine so far; the following steps have already been implemented successfully:

- Phase 1 is completed with success

- Phase 2 is completed with success

but

When I try to send packets from the Linux client using racoon I get the following errors on the Cisco ASA:

Jul 15 16:31:22 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Jul 15 16:31:22 [IKEv1]: IKE Initiator unable to find policy: Intf inside, Src: INTERNAL_DEST, Dst: LINUX_SRC

So the incoming traffic from racoon to the ASA should be OK because it matched my crypto map configuration on the ASA (I could see it at DEBUG level on the ASA), but for some reason the answer packets are denied by the ASA.

I could debug the VPN process on the ASA and I can see all the automatically and temporarily generated VPN access lists. So it seems everything is fine, but I have this problem with the answer packets.

I haven't found any documentation for this solution, but I don't think I'm the only person who wanted to implement this.

Any idea?

Regards

11 Replies

Farrukh Haroon
VIP Alumni

Does your linux box have multiple interfaces?

Also can you post a more detailed debug?

Perhaps:

debug crypto isakmp 127

debug crypto ipsec 127

Regards

Farrukh

I have no information about the other site because the Racoon and the ASA are in two different geographic locations, but I'm going to get it tomorrow.

I only have debug 255 output for these commands, so I cut and pasted all lines starting with a date because debug 255 is too much.

Racoon uses certificate-based authentication + XAUTH. Both processes are OK.

If you need a specific part of the debug 255 output, please let me know.

I had a problem with the ASDM dynamic crypto map and the automatically generated access-list because it didn't match somehow, so I created an access-list "55" using the CLI to match the traffic, which works fine as you can see.

Regards

Norbert

What does the 'auto-generated' ACL look like?

How is it different from the one you created?

Regards

Farrukh

Nothing special. I think the ASA used a string.65535.number and I used just a number to identify the referenced ACL for the dynamic crypto map.

When I started to modify the original (not working) configuration using the CLI, the ASA said that the original, automatically created dynamic crypto map configuration was inactive.

It wasn't me who created the initial (original) dynamic crypto map, but it wasn't tested with racoon before.

The strangest thing was that the original crypto map was fine... it was totally the same as mine... it just didn't match somehow...

I have the original config and mine as well. I will copy both of them for you to see.

Q: How does the ASA use the configuration? Does it generate a binary from the clear text version?... or... can it be that the binary version didn't match the clear text... or whatever...?

Regards

Norbert

Automatically generated:
------------------------
access-list Internet_IPSec_cryptomap_65535.55 extended permit ip RA_VPN_POOL RA_VPN_POOL_MASK host INTERNAL_IP
crypto dynamic-map Internet_IPSec_dyn_map 55 match address Internet_IPSec_cryptomap_65535.55
crypto dynamic-map Internet_IPSec_dyn_map 55 set pfs
crypto dynamic-map Internet_IPSec_dyn_map 55 set transform-set ESP-AES-192-SHA ESP-3DES-SHA ESP-AES-128-SHA
crypto map Internet_IPSec_map 65535 ipsec-isakmp dynamic Internet_IPSec_dyn_map
crypto map Internet_IPSec_map interface Internet_IPSec

Manually generated:
-------------------
access-list 55 extended permit ip RA_VPN_POOL RA_VPN_POOL_MASK host INTERNAL_IP log
crypto dynamic-map Internet_IPSec_dyn_map 55 match address 55
crypto dynamic-map Internet_IPSec_dyn_map 55 set pfs
crypto dynamic-map Internet_IPSec_dyn_map 55 set transform-set ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-192-SHA
crypto map Internet_IPSec_map 65535 ipsec-isakmp dynamic Internet_IPSec_dyn_map
crypto map Internet_IPSec_map interface Internet_IPSec

I tried to generate the dynamic crypto map automatically several times, but it didn't match the required traffic somehow.

We have other automatically generated crypto maps as well without any problem.

However this is the first dynamic crypto map on that interface.

Regards

Norbert
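The debug line in the opening post reports the ASA acting as IKE initiator for the flow Src: INTERNAL_DEST, Dst: LINUX_SRC and finding no crypto policy for it. On an ASA a crypto ACL is written from the ASA's own side: the source is the local (protected) network and the destination is the remote peer, and the peer is expected to hold the mirror image. The ACL posted above lists the VPN pool as source and the internal host as destination, which is the mirror of that convention. The following Python script is an added example, not code from the thread or from Cisco: it parses `access-list ... extended permit ip` lines, looks the reported flow up against the ACL exactly as written and against its mirrored form, and reports which one covers the return direction. All addresses (the pool 10.10.10.0/24, the internal host 192.168.1.10, the client 10.10.10.5) are constructed stand-ins for the thread's placeholders.

```python
import ipaddress
import re

# Constructed sample addresses standing in for the thread's placeholders
# (RA_VPN_POOL, RA_VPN_POOL_MASK, INTERNAL_IP, LINUX_SRC); not the real ones.
RA_VPN_POOL = "10.10.10.0"
RA_VPN_POOL_MASK = "255.255.255.0"
INTERNAL_IP = "192.168.1.10"
LINUX_SRC = "10.10.10.5"

# The ACL as posted in the thread (remote pool as source), placeholders filled in.
POSTED_ACL = [
    f"access-list 55 extended permit ip {RA_VPN_POOL} {RA_VPN_POOL_MASK} host {INTERNAL_IP} log",
]

# The same entry written the way an ASA crypto ACL is read: local side as source.
MIRRORED_ACL = [
    f"access-list 55 extended permit ip host {INTERNAL_IP} {RA_VPN_POOL} {RA_VPN_POOL_MASK} log",
]

# The debug line from the thread, placeholders filled in with the constructed values.
DEBUG_LINE = (f"Jul 15 16:31:22 [IKEv1]: IKE Initiator unable to find policy: "
              f"Intf inside, Src: {INTERNAL_IP}, Dst: {LINUX_SRC}")

DEBUG_RE = re.compile(r"unable to find policy: Intf (\S+), Src: ([\d.]+), Dst: ([\d.]+)")


def _take_network(tokens):
    """Consume one ASA address spec (any | host A | A MASK) from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_acl(lines):
    """Parse 'access-list NAME extended permit ip SRC DST [log]' lines into
    (name, src_net, dst_net) tuples. Other lines (deny, non-ip, remarks) are skipped,
    because only 'permit ip' entries define crypto-protected traffic here."""
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue
        name, action, proto = tokens[1], tokens[3], tokens[4]
        if action != "permit" or proto != "ip":
            continue
        rest = tokens[5:]
        src = _take_network(rest)
        dst = _take_network(rest)
        entries.append((name, src, dst))
    return entries


def find_policy(entries, src, dst):
    """Return the first entry covering src -> dst, the way the ASA searches a crypto
    ACL for an outbound (local -> remote) flow, or None when nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in entries:
        _, src_net, dst_net = entry
        if s in src_net and d in dst_net:
            return entry
    return None


def diagnose(acl_lines, debug_line):
    """Check an 'IKE Initiator unable to find policy' line against an ACL.
    Reports whether the flow matches the ACL as written and whether it would have
    matched had the ACL been written in the mirrored direction."""
    m = DEBUG_RE.search(debug_line)
    if not m:
        raise ValueError("not an 'unable to find policy' debug line")
    intf, src, dst = m.groups()
    entries = parse_acl(acl_lines)
    as_written = find_policy(entries, src, dst)
    mirrored = find_policy([(n, d, s) for n, s, d in entries], src, dst)
    return {
        "interface": intf,
        "flow": f"{src} -> {dst}",
        "matches_as_written": as_written is not None,
        "matches_if_mirrored": mirrored is not None,
    }


if __name__ == "__main__":
    for label, acl in (("posted", POSTED_ACL), ("mirrored", MIRRORED_ACL)):
        print(label, diagnose(acl, DEBUG_LINE))
```

With the constructed values the posted ACL yields `matches_as_written: False, matches_if_mirrored: True`, i.e. the flow the ASA failed to find a policy for is exactly the mirror of the one entry in the ACL; the mirrored ACL matches as written. The parser only understands `host`, `any` and address/mask specs, not object groups, so a real ASA configuration would need those expanded first.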

Well, the ACLs seem identical to me?

regards

Farrukh

Can I somehow debug which ACLs the ASA tested for the connection?

You could use the 'log' keyword at the end of the ACL.

Regards

Farrukh

Yes, I know and thank you for your help.

I really appreciate your time, but I meant something similar to what the ASA has for debugging VPN traffic.

Regards

Norbert

Hi,

Problem is still the same.

I attached the SA information.

I can see the incoming and outgoing tunnel traffic (icmp and tcp) on the internal LAN and on ASA's inside interface as well using its packet capture capability (icmp requests/replies for example).

Unfortunately the remote racoon client cannot see my outgoing packets for some reason.

How can I debug where the tunneled packets are going from the inside interface back to racoon?

Should I see any captured tunnel traffic on the Internet_IPSec interface (external)?

Thank you for your help.

Regards

Norbert

Double check your routing and crypto ACLs.

Regards

Farrukh