User-10 Cisco
Beginner

Site-to-Site VPN Connection between ASA and 2800 Router

I'm trying to get an L2L VPN working between an ASA on 8.4 code and a 2800 on 12.4.

 

I was first seeing the following errors in the debug logs on ASA side:

Error Message    %PIX|ASA-6-713219: Queueing KEY-ACQUIRE messages to be processed when P1 SA is complete.

 

I'm seeing the following on the 2800 end:

 ISAKMP:(0): processing vendor id payload
 ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
 ISAKMP:(0): vendor ID is NAT-T v3
 ISAKMP:(0): processing vendor id payload
 ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
 ISAKMP (0): vendor ID is NAT-T RFC 3947
 ISAKMP:(0): processing vendor id payload
 ISAKMP:(0): processing IKE frag vendor id payload
 ISAKMP:(0):Support for IKE Fragmentation not enabled
 ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
 ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

 ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
 ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_SA_SETUP
 ISAKMP:(0):Sending an IKE IPv4 Packet.
 ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
 ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2

 ISAKMP (0): received packet from x.x.x.x dport 500 sport 500 Global (R) MM_SA_SETUP
 ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
 ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3

 ISAKMP:(0): processing KE payload. message ID = 0
 ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP:(0):found peer pre-shared key matching x.x.x.x
 ISAKMP:(2345): processing vendor id payload
 ISAKMP:(2345): vendor ID is Unity
 ISAKMP:(2345): processing vendor id payload
 ISAKMP:(2345): vendor ID seems Unity/DPD but major 54 mismatch
 ISAKMP:(2345): vendor ID is XAUTH
 ISAKMP:(2345): processing vendor id payload
 ISAKMP:(2345): speaking to another IOS box!
 ISAKMP:(2345): processing vendor id payload
 ISAKMP:(2345):vendor ID seems Unity/DPD but hash mismatch
 ISAKMP:received payload type 20
 ISAKMP (2345): His hash no match - this node outside NAT
 ISAKMP:received payload type 20
 ISAKMP (2345): No NAT Found for self or peer
 ISAKMP:(2345):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
 ISAKMP:(2345):Old State = IKE_R_MM3  New State = IKE_R_MM3

 ISAKMP:(2345): sending packet to x.x.x.x my_port 500 peer_port 500 (R) MM_KEY_EXCH

 

----------

 

Here is some of the config from the ASA:

 

object network ABCD
 subnet 10.20.30.0 255.255.255.0

object network ABCD-Net
 subnet 172.16.10.0 255.255.255.0

object-group network XXXX
 network-object object ABCD-Net
 group-object abcd-Int-Net

object-group network XXXX-20
 network-object object ABCD-Net
 group-object abcd-Int-Net

access-list cry-map-77 extended permit ip object-group XXXX object abc-site_Network

access-list abc-site extended permit ip object-group XXXX object abc-site_Network
access-list abc-site extended permit ip object abc-site_Network object-group XXXX-60

nat (any,any) source static XXXX-20 XXXX-20 destination static abc-site_Network abc-site_Network

crypto map out-map-44 11 match address cry-map-77
crypto map out-map-44 11 set peer 62.73.52.xxx
crypto map out-map-44 11 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map out-map-44 11 set ikev1 transform-set ESP-3DES-SHA

 

------------------------

 

Here is some from the 2800:

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key r2374923 address 72.15.21.xxx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto map cry-map-1 1 ipsec-isakmp
 set peer 72.15.21.xxx
 set transform-set ESP-3DES-SHA
 match address VPN
!
class-map type inspect match-all class-map-vpn
 match access-group 100
class-map type inspect match-all cm-inspect-1
 match access-group name inside-outside
class-map type inspect match-all cm-inspect-2
 match access-group name outside-inside
!
!
policy-map type inspect policy-map-inspect
 class type inspect cm-inspect-1
  inspect 
 class class-default
  drop
 
policy-map type inspect policy-map-inspect-2
 class type inspect class-map-vpn
  inspect 
 class type inspect cm-inspect-2
 class class-default
  drop
!

!
interface FastEthernet0
 ip address 74.25.89.xxx 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 zone-member security Outside
 duplex auto
 speed auto
 crypto map cry-map-1
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip nat inside source route-map route-map-1 interface FastEthernet0 overload
!
ip access-list extended inside-outside
 permit ip 172.16.10.0 0.0.0.255 any
ip access-list extended nat-acl
 deny   ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 deny   ip 10.200.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 deny   ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 deny   ip 28.20.14.xxx.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
 deny   ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 172.16.10.0 0.0.0.255 10.200.0.0 0.0.255.255
 deny   ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 172.16.10.0 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
 deny   ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
ip access-list extended outside-inside
 permit ip any any
ip access-list extended VPN
 permit ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 172.16.10.0 0.0.0.255 10.200.0.0 0.0.255.255
 permit ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 172.16.10.0 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
 permit ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 permit ip 10.200.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 permit ip 28.20.14.xxx.0.0 0.0.255.255 172.16.10.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255

access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit 10.200.0.0 0.0.255.255
access-list 23 permit 172.16.10.0 0.0.0.255
access-list 123 remark class-map-acl-4 Category=0
access-list 123 permit ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
access-list 123 permit ip 10.200.0.0 0.0.255.255 172.16.10.0 0.0.0.255
access-list 123 permit ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
access-list 123 permit ip 28.20.14.xxx.0.0 0.0.255.255 172.16.10.0 0.0.0.255
access-list 123 permit ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 123 permit ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 123 permit ip 172.16.10.0 0.0.0.255 10.200.0.0 0.0.255.255
access-list 123 permit ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 123 permit ip 172.16.10.0 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
access-list 123 permit ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
!
!
!


!
route-map route-map-1 permit 1
 match ip address nat-acl
!

Accepted Solution
shine pothen
Participant

Hi,

I just quickly went through your config, and what I could notice is:

Your transform set (ISAKMP) on the ASA and router are not the same; try to configure the same on both sides.

On the ASA NAT statement you have given (any,any); try to give the interface name instead of any,any.

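As an added example, not configuration from the original thread, this is what the reply's two recommendations look like written out: one IKEv1 phase 1 policy that is identical line for line on the ASA and on the 2800, a single shared phase 2 transform set, and the ASA identity NAT with explicit interface names in place of (any,any). The peer addresses, crypto map, ACL and object names are the ones posted in the thread; the ASA interface names "inside" and "outside", the policy number 10, the placeholder <shared-key> (which must be the same string on both devices) and the verification commands at the end are assumptions.

```cisco
! ---- ASA (8.4) ----
! Phase 1: one IKEv1 policy matching the router's "crypto isakmp policy 1"
! (3DES / SHA / pre-share / DH group 2 / 86400 s). Policy number 10 is assumed.
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
!
! Phase 1 authentication: the L2L tunnel-group is keyed by the peer address
! used in the thread; <shared-key> is a placeholder for the key on both sides.
tunnel-group 62.73.52.xxx type ipsec-l2l
tunnel-group 62.73.52.xxx ipsec-attributes
 ikev1 pre-shared-key <shared-key>
!
! Phase 2: the same transform set on both sides, and the crypto map entry
! bound to that one transform set only.
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map out-map-44 11 match address cry-map-77
crypto map out-map-44 11 set peer 62.73.52.xxx
crypto map out-map-44 11 set ikev1 transform-set ESP-3DES-SHA
crypto map out-map-44 interface outside
!
! Identity NAT with explicit interface names instead of (any,any), as the
! reply recommends. "inside" and "outside" are assumed interface names.
no nat (any,any) source static XXXX-20 XXXX-20 destination static abc-site_Network abc-site_Network
nat (inside,outside) source static XXXX-20 XXXX-20 destination static abc-site_Network abc-site_Network
!
! ---- 2800 (IOS 12.4) ----
! The router's existing policy written out with its defaults (hash sha,
! lifetime 86400) so the comparison with the ASA policy is line by line.
crypto isakmp policy 1
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key <shared-key> address 72.15.21.xxx
!
! ---- Verification (assumed commands) ----
! ASA: phase 1 should show MM_ACTIVE; phase 2 should show #pkts encaps/decaps.
!   show crypto ikev1 sa
!   show crypto ipsec sa peer 62.73.52.xxx
! Router: QM_IDLE in "show crypto isakmp sa" means phase 1 completed.
!   show crypto isakmp sa
!   show crypto ipsec sa peer 72.15.21.xxx
```

If phase 1 still stops at the MM3/MM4 exchange seen in the router debug above, compare the pre-shared key and the peer addresses first; the responder only moves past MM_KEY_EXCH once the initiator's authenticated identity (MM5) is accepted.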
Shine,

 

That was exactly the issue.  Thank you very much for the great info and quick reply.  You saved my day ;)

 
