06-16-2015 03:58 PM
I'm trying to get a L2L VPN working between an ASA on 8.4 code, and a 2800 on 12.4.
I was first seeing the following errors in the debug logs on ASA side:
Error Message %PIX|ASA-6-713219: Queueing KEY-ACQUIRE messages to be processed when P1 SA is complete.
I'm seeing the following on the 2800 End:
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): processing IKE frag vendor id payload
ISAKMP:(0):Support for IKE Fragmentation not enabled
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
ISAKMP:(0): sending packet to x.x.x.x my_port 500 peer_po0 (R) MM_SA_SETUP
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
ISAKMP (0): received packet from x.x.x.x dport 500 sport lobal (R) MM_SA_SETUP
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP:(0):found peer pre-shared key matching x.x.x.x
ISAKMP:(2345): processing vendor id payload
ISAKMP:(2345): vendor ID is Unity
ISAKMP:(2345): processing vendor id payload
ISAKMP:(2345): vendor ID seems Unity/DPD but major 54 mismatch
ISAKMP:(2345): vendor ID is XAUTH
ISAKMP:(2345): processing vendor id payload
ISAKMP:(2345): speaking to another IOS box!
ISAKMP:(2345): processing vendor id payload
ISAKMP:(2345):vendor ID seems Unity/DPD but hash mismatch
ISAKMP:received payload type 20
ISAKMP (2345): His hash no match - this node outside NAT
ISAKMP:received payload type 20
ISAKMP (2345): No NAT Found for self or peer
ISAKMP:(2345):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(2345):Old State = IKE_R_MM3 New State = IKE_R_MM3
ISAKMP:(2345): sending packet to x.x.x.x my_port 500 peer 500 (R) MM_KEY_EXCH
----------
Here is some of the config from the ASA:
object network ABCD
subnet 10.20.30.0 255.255.255.0
object network ABCD-Net
subnet 172.16.10.0 255.255.255.0
access-list cry-map-77 extended permit ip object-group XXXX object abc-site_Network
access-list abc-site extended permit ip object-group XXXX object abc-site_Network
access-list abc-site extended permit ip object abc-site_Network object-group XXXX-60
nat (any,any) source static XXXX-20 XXXX-20 destination static abc-site_Network abc-site_Network
nat (any,any) source static XXXX-20 XXXX-20 destination static abc-site_Network abc-site_Network
XXXX-20
object-group network XXXX-20
network-object object ABCD-Net
group-object abcd-Int-Net
XXXX_127
object-group network XXXX-20
network-object object ABCD-Net
group-object abcd-Int-Net
access-list abc-site extended permit ip object abc-site_Network object-group XXXX-60
crypto map out-map-44 11 match address cry-map-77
crypto map out-map-44 11 set peer 62.73.52.xxx
crypto map out-map-44 11 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
access-list cry-map-77 extended permit ip object-group XXXX object abc-site_Network
crypto map out-map-44 11 match address cry-map-77
crypto map out-map-44 11 set peer 62.73.52.xxx
crypto map out-map-44 11 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map out-map-44 11 set ikev1 transform-set ESP-3DES-SHA
object-group network XXXX
network-object object ABCD-Net
group-object abcd-Int-Net
------------------------
Here is some from the 2800:
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key r2374923 address 72.15.21.xxx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map cry-map-1 1 ipsec-isakmp
set peer 72.15.21.xxx
set transform-set ESP-3DES-SHA
match address VPN
!
class-map type inspect match-all class-map-vpn
match access-group 100
class-map type inspect match-all cm-inspect-1
match access-group name inside-outside
class-map type inspect match-all cm-inspect-2
match access-group name outside-inside
!
!
policy-map type inspect policy-map-inspect
class type inspect cm-inspect-1
inspect
class class-default
drop
policy-map type inspect policy-map-inspect-2
class type inspect class-map-vpn
inspect
class type inspect cm-inspect-2
class class-default
drop
!
!
interface FastEthernet0
ip address 74.25.89.xxx 255.255.255.252
ip nat outside
ip virtual-reassembly
zone-member security Outside
duplex auto
speed auto
crypto map cry-map-1
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
ip nat inside source route-map route-map-1 interface FastEthernet0 overload
!
ip access-list extended inside-outside
permit ip 172.16.10.0 0.0.0.255 any
ip access-list extended nat-acl
deny ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
deny ip 10.200.0.0 0.0.255.255 172.16.10.0 0.0.0.255
deny ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
deny ip 28.20.14.xxx.0.0 0.0.255.255 172.16.10.0 0.0.0.255
deny ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
deny ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 172.16.10.0 0.0.0.255 10.200.0.0 0.0.255.255
deny ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 172.16.10.0 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
deny ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip any any
ip access-list extended outside-inside
permit ip any any
ip access-list extended VPN
permit ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 172.16.10.0 0.0.0.255 10.200.0.0 0.0.255.255
permit ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 172.16.10.0 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
permit ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
permit ip 10.200.0.0 0.0.255.255 172.16.10.0 0.0.0.255
permit ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
permit ip 28.20.14.xxx.0.0 0.0.255.255 172.16.10.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit 10.200.0.0 0.0.255.255
access-list 23 permit 172.16.10.0 0.0.0.255
access-list 123 remark class-map-acl-4 Category=0
access-list 123 permit ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
access-list 123 permit ip 10.200.0.0 0.0.255.255 172.16.10.0 0.0.0.255
access-list 123 permit ip 192.168.0.0 0.0.255.255 172.16.10.0 0.0.0.255
access-list 123 permit ip 28.20.14.xxx.0.0 0.0.255.255 172.16.10.0 0.0.0.255
access-list 123 permit ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 123 permit ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 123 permit ip 172.16.10.0 0.0.0.255 10.200.0.0 0.0.255.255
access-list 123 permit ip 172.16.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 123 permit ip 172.16.10.0 0.0.0.255 28.20.14.xxx.0.0 0.0.255.255
access-list 123 permit ip 172.16.10.0 0.0.0.255 10.10.10.0 0.0.0.255
!
!
!
!
route-map route-map-1 permit 1
match ip address nat-acl
!
06-16-2015 09:44 PM
Hi,
I just quickly went through your config and what I could notice is that
your transform set (isakmp) on the ASA and the router are not the same; try to configure the same on both sides.
On the ASA NAT statement you have given (any,any); try to give the interface name instead of any,any.
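As an added check for the Phase 1 mismatch this answer points at (example code, not from the thread): the script below parses the `crypto isakmp policy` / `crypto ikev1 policy` blocks from both sides and reports which policy pairs agree on encryption, hash, authentication and DH group. The router policy is the one posted above; the ASA policies are constructed, since the original post does not show them.

```python
import re

# Attributes that must agree for an IKEv1 Phase 1 match; lifetime is negotiated
# downward by the peers, so it is deliberately ignored here.
ATTRS = ("encryption", "hash", "authentication", "group")
# Values used when a policy block does not set an attribute (assumed platform defaults).
DEFAULTS = {
    "ios": {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"},
    "asa": {"encryption": "3des", "hash": "sha", "authentication": "rsa-sig", "group": "2"},
}
HEADER = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)$")

def parse_policies(config: str, platform: str) -> dict:
    """Return {priority: {attr: value}} for every ISAKMP/IKEv1 policy block in config."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = dict(DEFAULTS[platform])
            policies[int(m.group(1))] = current
            continue
        if not line or line.startswith("!"):
            continue
        if not raw[:1].isspace():      # an unindented command ends the policy block
            current = None
            continue
        if current is None:
            continue
        parts = line.split()
        key = {"encr": "encryption"}.get(parts[0], parts[0])   # IOS abbreviates 'encryption'
        if key in ATTRS and len(parts) >= 2:
            current[key] = parts[1]
    return policies

def matching_policies(asa_cfg: str, ios_cfg: str) -> list:
    """Return (asa_priority, ios_priority) pairs whose Phase 1 attributes all agree."""
    asa, ios = parse_policies(asa_cfg, "asa"), parse_policies(ios_cfg, "ios")
    return [(a, i) for a, pa in sorted(asa.items()) for i, pi in sorted(ios.items())
            if all(pa[k] == pi[k] for k in ATTRS)]

# Router policy as posted in the thread (hash falls back to the IOS default, sha).
IOS_CFG = "crypto isakmp policy 1\n encr 3des\n authentication pre-share\n group 2\n"
# Constructed ASA policies: the first cannot match the router, the second can.
ASA_MISMATCH = "crypto ikev1 policy 10\n authentication pre-share\n encryption aes-256\n hash sha\n group 5\n"
ASA_FIXED = ASA_MISMATCH + "crypto ikev1 policy 20\n authentication pre-share\n encryption 3des\n hash sha\n group 2\n"

if __name__ == "__main__":
    print("before fix:", matching_policies(ASA_MISMATCH, IOS_CFG))   # []
    print("after fix: ", matching_policies(ASA_FIXED, IOS_CFG))      # [(20, 1)]
```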
06-17-2015 06:52 AM
Shine,
That was exactly the issue. Thank you very much for the great info and quick reply. You saved my day ;)