
Site-to-Site VPN between ASA5510 and Edge Router Lite

Makenshin
Level 1

Hi! I need to establish a connection between an ASA5510 and an Edge Router Lite.

The ASA has:

- Tunnel with cisco 881 - ok

- Remote users - ok

 

This connection is not established, and I am disappointed; why???

Here are the configs:

ASA 5510:

! Local addresses
object network inside-novip
 subnet 10.10.x.0 255.255.254.0
!
object network it-group
 subnet 10.10.x.0 255.255.255.224
!
object network servers
 subnet 10.10.x.0 255.255.255.128
!
object-group network LOCAL-FOR-IPSEC
 network-object object inside-novip
 network-object object it-group
 network-object object servers
!
!Remote addresses
object network net-192.168.x.0
 subnet 192.168.x.0 255.255.255.0
!
!ACL for match traffic
access-list YOURDOORS extended permit ip object-group LOCAL-FOR-IPSEC object net-192.168.x.0
!
!Outside permit
access-list Outside_acl_in extended permit ip object net-192.168.x.0 object-group LOCAL-FOR-IPSEC
!
!Nat Exemption
nat (backbone,INTERNET) source static LOCAL-FOR-IPSEC LOCAL-FOR-IPSEC destination static net-192.168.x.0 net-192.168.x.0
!
!
crypto ipsec transform-set transform-1 esp-3des esp-md5-hmac
crypto ipsec transform-set MICRO esp-aes esp-md5-hmac
!
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
crypto dynamic-map ras-dmap 10 set transform-set transform-1
crypto dynamic-map ras-dmap 10 set reverse-route
!
crypto map branch-crmap 10 ipsec-isakmp dynamic ras-dmap
crypto map branch-crmap 20 match address L2L-ND
crypto map branch-crmap 20 set peer 77.243.x.98
crypto map branch-crmap 20 set transform-set transform-1
crypto map branch-crmap 20 set reverse-route
crypto map branch-crmap 30 match address YOURDOORS
crypto map branch-crmap 30 set connection-type answer-only
crypto map branch-crmap 30 set peer 90.188.x.109
crypto map branch-crmap 30 set transform-set MICRO
crypto map branch-crmap 30 set security-association lifetime seconds 28800
!
crypto map branch-crmap interface INTERNET
!
crypto isakmp enable INTERNET
!
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 43200
!
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
!
crypto isakmp nat-traversal 50
crypto isakmp ipsec-over-tcp port 500
!
!
tunnel-group 90.188.x.109 type ipsec-l2l
tunnel-group 90.188.x.109 ipsec-attributes
 pre-shared-key *****

--------------------------------------------------------

 

Edge Router Lite:

---------------------------------------------

m@YOURDOORS# show vpn ipsec
 auto-firewall-nat-exclude enable
 esp-group FOO0 {
     compression disable
     lifetime 86400
     mode tunnel
     pfs enable
     proposal 1 {
         encryption aes128
         hash md5
     }
 }
 ike-group FOO0 {
     lifetime 28800
     proposal 1 {
         dh-group 2
         encryption aes128
         hash md5
     }
 }
 ipsec-interfaces {
     interface pppoe0
 }
 nat-networks {
     allowed-network 0.0.0.0/0 {
     }
 }
 nat-traversal enable
 site-to-site {
     peer 195.206.x.14 {
         authentication {
             mode pre-shared-secret
             pre-shared-secret 3jpZgTD6Wo
         }
         connection-type initiate
         ike-group FOO0
         local-ip 90.188.x.109
         tunnel 1 {
             allow-nat-networks disable
             allow-public-networks disable
             esp-group FOO0
             local {
                 subnet 192.168.x.0/24
             }
             remote {
                 subnet 10.10.x.0/23
             }
         }
     }
 }
[edit]

---------------------------------------------

 

And there is no connection!

Debug:

------------------------------------------

Aug 14 12:38:37 [IKEv1]: IP = 90.188.x.109, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, processing SA payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, Oakley proposal is acceptable
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, processing VID payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, processing VID payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, Received Cisco Unity client VID
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, processing VID payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, Received xauth V6 VID
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, processing VID payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, Received DPD VID
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, processing VID payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, Received NAT-Traversal RFC VID
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, processing VID payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, Received NAT-Traversal ver 03 VID
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, processing VID payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, processing VID payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, Received NAT-Traversal ver 02 VID
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, processing VID payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, processing IKE SA payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, IKE SA Proposal # 1, Transform # 0 acceptable  Matches global IKE entry # 4
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, constructing ISAKMP SA payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, constructing NAT-Traversal VID ver 02 payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, constructing Fragmentation VID + extended capabilities payload
Aug 14 12:38:37 [IKEv1]: IP = 90.188.x.109, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Aug 14 12:38:37 [IKEv1]: IP = 90.188.x.109, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 220
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, processing ke payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, processing ISA_KE payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, processing nonce payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, processing NAT-Discovery payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, computing NAT Discovery hash
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, processing NAT-Discovery payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, computing NAT Discovery hash
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, constructing ke payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, constructing nonce payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, constructing Cisco Unity VID payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, constructing xauth V6 VID payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, Send IOS VID
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, constructing VID payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, constructing NAT-Discovery payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, computing NAT Discovery hash
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, constructing NAT-Discovery payload
Aug 14 12:38:37 [IKEv1 DEBUG]: IP = 90.188.x.109, computing NAT Discovery hash
Aug 14 12:38:37 [IKEv1]: IP = 90.188.x.109, Connection landed on tunnel_group 90.188.x.109
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, Generating keys for Responder...
Aug 14 12:38:37 [IKEv1]: IP = 90.188.x.109, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 296
Aug 14 12:38:37 [IKEv1]: IP = 90.188.x.109, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, processing ID payload
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, processing hash payload
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, Computing hash for ISAKMP
Aug 14 12:38:37 [IKEv1]: Group = 90.188.x.109, IP = 90.188.x.109, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Aug 14 12:38:37 [IKEv1]: IP = 90.188.x.109, Connection landed on tunnel_group 90.188.x.109
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, constructing ID payload
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, constructing hash payload
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, Computing hash for ISAKMP
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, constructing dpd vid payload
Aug 14 12:38:37 [IKEv1]: IP = 90.188.x.109, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 80
Aug 14 12:38:37 [IKEv1]: Group = 90.188.x.109, IP = 90.188.x.109, PHASE 1 COMPLETED
Aug 14 12:38:37 [IKEv1]: IP = 90.188.x.109, Keep-alive type for this connection: DPD
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, Starting P1 rekey timer: 27360 seconds.
Aug 14 12:38:37 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Aug 14 12:38:37 [IKEv1]: IP = 90.188.x.109, IKE_DECODE RECEIVED Message (msgid=e4c7b5a1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 292
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, processing hash payload
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, processing SA payload
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, processing nonce payload
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, processing ke payload
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, processing ISA_KE for PFS in phase 2
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, processing ID payload
Aug 14 12:38:37 [IKEv1]: Group = 90.188.x.109, IP = 90.188.x.109, Received remote IP Proxy Subnet data in ID Payload:   Address 192.168.x.0, Mask 255.255.255.0, Protocol 0, Port 0
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, processing ID payload
Aug 14 12:38:37 [IKEv1]: Group = 90.188.x.109, IP = 90.188.x.109, Received local IP Proxy Subnet data in ID Payload:   Address 10.10.x.0, Mask 255.255.254.0, Protocol 0, Port 0
Aug 14 12:38:37 [IKEv1]: Group = 90.188.x.109, IP = 90.188.x.109, QM IsRekeyed old sa not found by addr
Aug 14 12:38:37 [IKEv1]: Group = 90.188.x.109, IP = 90.188.x.109, IKE Remote Peer configured for crypto map: ras-dmap
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, processing IPSec SA payload
Aug 14 12:38:37 [IKEv1]: Group = 90.188.x.109, IP = 90.188.x.109, All IPSec SA proposals found unacceptable!
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, sending notify message
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, constructing blank hash payload
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, constructing ipsec notify payload for msg id e4c7b5a1
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, constructing qm hash payload
Aug 14 12:38:37 [IKEv1]: IP = 90.188.x.109, IKE_DECODE SENDING Message (msgid=fd5c4971) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Aug 14 12:38:37 [IKEv1]: Group = 90.188.x.109, IP = 90.188.x.109, QM FSM error (P2 struct &0xae228db0, mess id 0xe4c7b5a1)!
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, IKE QM Responder FSM error history (struct &0xae228db0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, sending delete/delete with reason message
Aug 14 12:38:37 [IKEv1]: Group = 90.188.x.109, IP = 90.188.x.109, Removing peer from correlator table failed, no match!
Aug 14 12:38:37 [IKEv1]: Group = 90.188.x.109, IP = 90.188.x.109, Deleting static route for L2L peer that came in on a dynamic map. address: 192.168.x.0, mask: 255.255.255.0
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, IKE SA MM:d67edaa8 rcv'd Terminate: state MM_ACTIVE  flags 0x0000c042, refcnt 1, tuncnt 0
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, IKE SA MM:d67edaa8 terminating:  flags 0x0100c002, refcnt 0, tuncnt 0
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, sending delete/delete with reason message
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, constructing blank hash payload
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, constructing IKE delete payload
Aug 14 12:38:37 [IKEv1 DEBUG]: Group = 90.188.x.109, IP = 90.188.x.109, constructing qm hash payload
Aug 14 12:38:37 [IKEv1]: IP = 90.188.x.109, IKE_DECODE SENDING Message (msgid=f2b97f27) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Aug 14 12:38:37 [IKEv1]: Group = 90.188.x.109, IP = 90.188.x.109, Session is being torn down. Reason: Phase 2 Mismatch
Aug 14 12:38:37 [IKEv1]: Ignoring msg to mark SA with dsID 2035712 dead because SA deleted
Aug 14 12:38:37 [IKEv1]: IP = 90.188.x.109, Received encrypted packet with no matching SA, dropping

------------------------------------------

2 Replies

Your dynamic crypto map has to be the last sequence in the interface-crypto map:

 

no crypto map branch-crmap 10 ipsec-isakmp dynamic ras-dmap
crypto map branch-crmap 65000 ipsec-isakmp dynamic ras-dmap

 

With the actual config the connection matches on the dynamic sequence (they are compared to the peer from the lowest to the highest sequence and the dynamic map matches any peer), which has an incompatible transform-set.
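As an added illustration of the evaluation order described in this answer (example code written for this page, not Cisco's or the poster's), the small Python model below parses a constructed excerpt of the thread's crypto map, walks the entries from lowest to highest sequence with a dynamic entry matching any peer, and reports which sequence the Edge Router Lite peer lands on and whether its ESP proposal is acceptable there. The transform-set strings, the proposal string and the "dynamic entry must be the highest sequence" lint rule are assumptions of this model, not ASA output.

```python
import re

# Constructed excerpt of the ASA crypto map posted in the thread (sequence 10 is
# the dynamic map, sequence 30 is the static entry for the Edge Router Lite peer).
ASA_CRYPTO_MAP = """
crypto map branch-crmap 10 ipsec-isakmp dynamic ras-dmap
crypto map branch-crmap 20 match address L2L-ND
crypto map branch-crmap 20 set peer 77.243.x.98
crypto map branch-crmap 20 set transform-set transform-1
crypto map branch-crmap 30 match address YOURDOORS
crypto map branch-crmap 30 set peer 90.188.x.109
crypto map branch-crmap 30 set transform-set MICRO
"""
# Transform-set and dynamic-map definitions from the thread (string form is assumed).
TRANSFORM_SETS = {"transform-1": "esp-3des esp-md5-hmac", "MICRO": "esp-aes esp-md5-hmac"}
DYNAMIC_MAPS = {"ras-dmap": ["transform-1"]}

def parse_crypto_map(text):
    """Return {sequence: {"peer", "transforms", "dynamic"}} for one crypto map."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) (.*)", line.strip())
        if not m:
            continue  # interface binding or unrelated line
        seq, rest = int(m.group(2)), m.group(3)
        e = entries.setdefault(seq, {"peer": None, "transforms": [], "dynamic": None})
        if rest.startswith("ipsec-isakmp dynamic "):
            e["dynamic"] = rest.split()[-1]
            e["transforms"] = DYNAMIC_MAPS[e["dynamic"]]
        elif rest.startswith("set peer "):
            e["peer"] = rest.split()[-1]
        elif rest.startswith("set transform-set "):
            e["transforms"] = rest.split()[2:]
    return entries

def select_entry(entries, peer):
    """Model of the order the answer describes: lowest sequence first; dynamic matches any peer."""
    for seq in sorted(entries):
        if entries[seq]["dynamic"] or entries[seq]["peer"] == peer:
            return seq, entries[seq]
    return None, None

def phase2_accepts(entries, peer, esp_proposal):
    """(sequence landed on, whether one of its transform-sets equals the peer's proposal)."""
    seq, e = select_entry(entries, peer)
    if e is None:
        return None, False
    return seq, any(TRANSFORM_SETS[t] == esp_proposal for t in e["transforms"])

def misplaced_dynamic(entries):
    """Lint rule: dynamic entries that are not the highest sequence shadow every later static peer."""
    return [s for s, e in entries.items() if e["dynamic"] and s != max(entries)]
```

Running the lint on the posted map returns sequence 10, and the peer's AES proposal is rejected there exactly as the debug shows; after renumbering the dynamic entry to 65000 the same peer lands on sequence 30 and the proposal is accepted.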

Thanks a lot.

Btw, I already solved this:

no crypto map branch-crmap 10 ipsec-isakmp dynamic ras-dmap
crypto map branch-crmap 40 ipsec-isakmp dynamic ras-dmap

 

:)