33851 Views, 10 Helpful, 7 Replies

Site-to-site vpn IPsec SA proposals unacceptable

karblane1 (Level 1)

Hey

I'm trying to set up a site-to-site VPN between a Cisco 871 router (IOS 12.4) and an ASA 5550 (8.4).

The router conf:

crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash sha
 group 2
 lifetime 86400
 exit
crypto isakmp key secretkey address router_external_ip
crypto ipsec transform-set ASA-IPSEC esp-sha-hmac esp-des
 mode tunnel
 exit
ip access-list extended SDM_2
 permit ip remote_lan 0.0.0.255 local_lan 0.0.0.255
 exit
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set transform-set ASA-IPSEC
 set peer router_external_ip
 match address SDM_2

and the ASA conf:

object network local_lan
 subnet local_lan 255.255.255.0
object network remote_lan
 subnet remote_lan 255.255.255.0
access-list outside_cryptomap extended permit ip local_lan object remote_lan
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 213.226.133.162
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
group-policy GroupPolicy_remote_ip internal
group-policy GroupPolicy_remote_ip attributes
 ipv6-vpn-filter none
 vpn-tunnel-protocol ikev1
tunnel-group remote_ip type ipsec-l2l
tunnel-group remote_ip general-attributes
 default-group-policy GroupPolicy_remote_ip
tunnel-group remote_ip ipsec-attributes
 ikev1 pre-shared-key *****

On the ASA:

sh crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
gw# sh crypto ipsec sa
There are no ipsec sas

If I try to test the tunnel from the router's end, I get these entries in the ASA log (newest first):

5|Jun 30 2011|11:24:25|713904|||||IP = remote_ip, Received encrypted packet with no matching SA, dropping
4|Jun 30 2011|11:24:25|113019|||||Group = remote_ip, Username = remote_ip, IP =remote_ip, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
7|Jun 30 2011|11:24:25|746013|||||user-identity: Delete IP-User mapping remote_ip- LOCAL\remote_ip Failed - VPN user logout
5|Jun 30 2011|11:24:25|713259|||||Group = remote_ip, IP = remote_ip, Session is being torn down. Reason: Phase 2 Mismatch
7|Jun 30 2011|11:24:25|713236|||||IP = remote_ip, IKE_DECODE SENDING Message (msgid=92b5d2f9) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
7|Jun 30 2011|11:24:25|715046|||||Group = remote_ip, IP = remote_ip, constructing qm hash payload
7|Jun 30 2011|11:24:25|715046|||||Group = remote_ip, IP = remote_ip, constructing IKE delete payload
7|Jun 30 2011|11:24:25|715046|||||Group = remote_ip, IP = remote_ip, constructing blank hash payload
7|Jun 30 2011|11:24:25|713906|||||Group = remote_ip, IP = remote_ip, sending delete/delete with reason message
7|Jun 30 2011|11:24:25|713906|||||Group = remote_ip, IP = remote_ip, IKE SA MM:3bba15da terminating:  flags 0x01018002, refcnt 0, tuncnt 0
7|Jun 30 2011|11:24:25|713906|||||Group = remote_ip, IP = remote_ip, IKE SA MM:3bba15da rcv'd Terminate: state MM_ACTIVE  flags 0x00018042, refcnt 1, tuncnt 0
3|Jun 30 2011|11:24:25|713902|||||Group = remote_ip, IP = 213.226.133.162, Removing peer from correlator table failed, no match!
7|Jun 30 2011|11:24:25|713906|||||Group = remote_ip, IP = 213.226.133.162, sending delete/delete with reason message
7|Jun 30 2011|11:24:25|715065|||||Group = remote_ip, IP = 213.226.133.162, IKE QM Responder FSM error history (struct &0x2446d720)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
3|Jun 30 2011|11:24:25|713902|||||Group = remote_ip, IP = remote_ip, QM FSM error (P2 struct &0x2446d720, mess id 0xc8d5ef77)!
7|Jun 30 2011|11:24:25|713236|||||IP = remote_ip, IKE_DECODE SENDING Message (msgid=37621ef6) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7|Jun 30 2011|11:24:25|715046|||||Group = remote_ip, IP = remote_ip, constructing qm hash payload
7|Jun 30 2011|11:24:25|713906|||||Group = remote_ip, IP = remote_ip, constructing ipsec notify payload for msg id c8d5ef77
7|Jun 30 2011|11:24:20|715046|||||Group = remote_ip, IP = remote_ip, constructing blank hash payload
7|Jun 30 2011|11:24:20|713906|||||Group = remote_ip, IP = remote_ip, sending notify message
5|Jun 30 2011|11:24:20|713904|||||Group = remote_ip, IP = remote_ip, All IPSec SA proposals found unacceptable!
7|Jun 30 2011|11:24:20|715047|||||Group = remote_ip, IP = remote_ip, processing IPSec SA payload
7|Jun 30 2011|11:24:20|713066|||||Group = remote_ip, IP = remote_ip, IKE Remote Peer configured for crypto map: outside_map
7|Jun 30 2011|11:24:20|713225|||||Group = remote_ip, IP = remote_ip, Static Crypto Map check, map outside_map, seq = 1 is a successful match
7|Jun 30 2011|11:24:20|713221|||||Group = remote_ip, IP = remote_ip, Static Crypto Map check, checking map = outside_map, seq = 1...
7|Jun 30 2011|11:24:20|713906|||||Group = remote_ip, IP = remote_ip, QM IsRekeyed old sa not found by addr
7|Jun 30 2011|11:24:20|713034|||||Group = remote_ip, IP = remote_ip, Received local IP Proxy Subnet data in ID Payload:   Address local_lan, Mask 255.255.255.0, Protocol 0, Port 0
7|Jun 30 2011|11:24:20|714011|||||Group = remote_ip, IP = remote_ip, ID_IPV4_ADDR_SUBNET ID received--local_lan--255.255.255.0
7|Jun 30 2011|11:24:20|715047|||||Group = remote_ip, IP = remote_ip, processing ID payload
7|Jun 30 2011|11:24:20|713035|||||Group = remote_ip, IP = remote_ip, Received remote IP Proxy Subnet data in ID Payload:   Address remote_lan, Mask 255.255.255.0, Protocol 0, Port 0
7|Jun 30 2011|11:24:20|714011|||||Group = remote_ip, IP = remote_ip, ID_IPV4_ADDR_SUBNET ID received--remote_lan--255.255.255.0
7|Jun 30 2011|11:24:20|715047|||||Group = remote_ip, IP = remote_ip, processing ID payload
7|Jun 30 2011|11:24:20|715047|||||Group = remote_ip, IP = remote_ip, processing nonce payload
7|Jun 30 2011|11:24:20|715047|||||Group = remote_ip, IP = remote_ip, processing SA payload
7|Jun 30 2011|11:24:20|715047|||||Group = remote_ip, IP = remote_ip, processing hash payload
7|Jun 30 2011|11:24:20|713236|||||IP = remote_ip, IKE_DECODE RECEIVED Message (msgid=c8d5ef77) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
7|Jun 30 2011|11:24:20|714003|||||IP = remote_ip, IKE Responder starting QM: msg id = c8d5ef77
7|Jun 30 2011|11:24:20|746012|||||user-identity: Add IP-User mapping remote_ip - LOCAL\remote_ip Succeeded - VPN user
7|Jun 30 2011|11:24:20|715080|||||Group = remote_ip, IP = remote_ip, Starting P1 rekey timer: 64800 seconds.
7|Jun 30 2011|11:24:20|713121|||||IP = remote_ip, Keep-alive type for this connection: DPD
5|Jun 30 2011|11:24:20|713119|||||Group = remote_ip, IP = remote_ip, PHASE 1 COMPLETED

Any ideas?


7 Replies

Preshank Saxena (Cisco Employee)

Hey,

Please check the router configuration: in the crypto map configuration, the set peer should be the ASA outside (public) IP.

And as a suggestion, try to match the crypto ACLs on both devices. They should be replicas of each other, with only the source and destination changed.

Check and let me know. If it doesn't work, try to post logs from both the router and the ASA. Moreover, check the NAT configuration too.

Changed the peer IP to the ASA outside IP.

What do you mean by matching the crypto ACLs? Is there something different now? They can't be the same replica, as the commands are different.

But it's still not working.

The ASA log is the same; here is the router one:

001696: *Jun  4 15:38:36.334 PCTime: ISAKMP:(2017):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
001697: *Jun  4 15:38:36.350 PCTime: ISAKMP (2017): received packet from asa_external_ip dport 500 sport 500 Global (I) QM_IDLE
001698: *Jun  4 15:38:36.350 PCTime: ISAKMP: set new node 1795450426 to QM_IDLE
001699: *Jun  4 15:38:36.350 PCTime: ISAKMP:(2017): processing HASH payload. message ID = 1795450426
001700: *Jun  4 15:38:36.350 PCTime: ISAKMP:(2017): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 0, message ID = 1795450426, sa = 84F25EC4
001701: *Jun  4 15:38:36.350 PCTime: ISAKMP:(2017):deleting node 1795450426 error FALSE reason "Informational (in) state 1"
001702: *Jun  4 15:38:36.350 PCTime: ISAKMP:(2017):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
001703: *Jun  4 15:38:36.350 PCTime: ISAKMP:(2017):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
001704: *Jun  4 15:38:36.350 PCTime: ISAKMP (2017): received packet from asa_external_ip dport 500 sport 500 Global (I) QM_IDLE
001705: *Jun  4 15:38:36.350 PCTime: ISAKMP: set new node -1560894172 to QM_IDLE
001706: *Jun  4 15:38:36.354 PCTime: ISAKMP:(2017): processing HASH payload. message ID = -1560894172
001707: *Jun  4 15:38:36.354 PCTime: ISAKMP:(2017): processing DELETE payload. message ID = -1560894172
001708: *Jun  4 15:38:36.354 PCTime: ISAKMP:(2017):peer does not do paranoid keepalives.
001709: *Jun  4 15:38:36.354 PCTime: ISAKMP:(2017):deleting SA reason "No reason" state (I) QM_IDLE       (peer asa_external_ip)
001710: *Jun  4 15:38:36.354 PCTime: ISAKMP:(2017):deleting node -1560894172 error FALSE reason "Informational (in) state 1"
001711: *Jun  4 15:38:36.354 PCTime: ISAKMP: set new node 604809951 to QM_IDLE
001712: *Jun  4 15:38:36.354 PCTime: ISAKMP:(2017): sending packet to asa_external_ip my_port 500 peer_port 500 (I) QM_IDLE
001713: *Jun  4 15:38:36.354 PCTime: ISAKMP:(2017):Sending an IKE IPv4 Packet.
001714: *Jun  4 15:38:36.354 PCTime: ISAKMP:(2017):purging node 604809951
001715: *Jun  4 15:38:36.354 PCTime: ISAKMP:(2017):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
001716: *Jun  4 15:38:36.354 PCTime: ISAKMP:(2017):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
001717: *Jun  4 15:38:36.358 PCTime: ISAKMP:(2017):deleting SA reason "No reason" state (I) QM_IDLE       (peer asa_external_ip)
001718: *Jun  4 15:38:36.358 PCTime: ISAKMP:(2017):deleting node 511122078 error FALSE reason "IKE deleted"
001719: *Jun  4 15:38:36.358 PCTime: ISAKMP:(2017):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
001720: *Jun  4 15:38:36.358 PCTime: ISAKMP:(2017):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Might the error be in the router's wrong clock settings?

What do you mean by NAT settings? Both the router and the ASA use dynamic PAT.

Hi Karblane,

As I can see from the logs, there is a NOTIFY PROPOSAL_NOT_CHOSEN log message. This error message indicates that the transform sets or access control lists (ACLs) do not match on the peers. Please check the parameters on both of them.

I am assuming that the ISAKMP and IPsec phase configuration you have done on the router and ASA is correct. I would just like to make a checklist of certain points that I think you would already have kept in mind while planning a L2L VPN from ASA to router.

1. ASA checklist

    - Either the ACLs should allow the VPN traffic, or the sysopt connection permit-vpn command should be used for VPN traffic terminating on the ASA.

    - In case PAT is deployed, the VPN traffic should be exempted from NAT translation.

    - It is always recommended to use mirrored ACLs for applying in the crypto map, e.g.

      ASA(conf)# access-l abc exten permit ip 1.1.1.0 255.255.255.0 2.2.2.0 255.255.255.0

      and on the router:

      Router(conf)# access-l abc exten permit ip 2.2.2.0 0.0.0.255 1.1.1.0 0.0.0.255

2. Router checklist

    - VPN traffic is exempted from the PAT.

    - Check the ACL used for the crypto map.

If it is still not working, please provide the complete configuration, including NAT, routing etc., for both the router and the ASA, and do send the debug output from the ASA and the router.

Still the same. The ACL is the same, the traffic is excluded from PAT.

Debug entry from the ASA:

Jul 01 13:26:08 [IKEv1]Group = 213.226.133.162, IP = 213.226.133.162, QM FSM error (P2 struct &0x2518eaf8, mess id 0xd437031c)!
Jul 01 13:26:08 [IKEv1]Group = 213.226.133.162, IP = 213.226.133.162, Removing peer from correlator table failed, no match!
Jul 01 13:26:08 [IKEv1]Group = 213.226.133.162, IP = 213.226.133.162, Session is being torn down. Reason: Phase 2 Mismatch

Debug from the router side:

State = IKE_QM_I_QM1
002616: Jul 31 13:27:31.914 PCTime: ISAKMP:(2028):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
002617: Jul 31 13:27:31.914 PCTime: ISAKMP:(2028):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
002618: Jul 31 13:27:31.930 PCTime: ISAKMP:(2026):purging SA., sa=84F8DBC4, delme=84F8DBC4
002619: Jul 31 13:27:31.934 PCTime: ISAKMP (2028): received packet from 81.20.146.51 dport 500 sport 500 Global (I) QM_IDLE
002620: Jul 31 13:27:31.934 PCTime: ISAKMP: set new node 144822181 to QM_IDLE
002621: Jul 31 13:27:31.934 PCTime: ISAKMP:(2028): processing HASH payload. message ID = 144822181
002622: Jul 31 13:27:31.934 PCTime: ISAKMP:(2028): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 0, message ID = 144822181, sa = 85141810
002623: Jul 31 13:27:31.934 PCTime: ISAKMP:(2028):deleting node 144822181 error FALSE reason "Informational (in) state 1"
002624: Jul 31 13:27:31.934 PCTime: ISAKMP:(2028):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
002625: Jul 31 13:27:31.934 PCTime: ISAKMP:(2028):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
002626: Jul 31 13:27:31.934 PCTime: ISAKMP (2028): received packet from 81.20.146.51 dport 500 sport 500 Global (I) QM_IDLE
002627: Jul 31 13:27:31.934 PCTime: ISAKMP: set new node -1116257224 to QM_IDLE
002628: Jul 31 13:27:31.934 PCTime: ISAKMP:(2028): processing HASH payload. message ID = -1116257224
002629: Jul 31 13:27:31.934 PCTime: ISAKMP:(2028): processing DELETE payload. message ID = -1116257224
002630: Jul 31 13:27:31.934 PCTime: ISAKMP:(2028):peer does not do paranoid keepalives.
002631: Jul 31 13:27:31.934 PCTime: ISAKMP:(2028):deleting SA reason "No reason" state (I) QM_IDLE       (peer 81.20.146.51)
002632: Jul 31 13:27:31.938 PCTime: ISAKMP:(2028):deleting node -1116257224 error FALSE reason "Informational (in) state 1"
002633: Jul 31 13:27:31.938 PCTime: ISAKMP: set new node 144906282 to QM_IDLE
002634: Jul 31 13:27:31.938 PCTime: ISAKMP:(2028): sending packet to 81.20.146.51 my_port 500 peer_port 500 (I) QM_IDLE
002635: Jul 31 13:27:31.938 PCTime: ISAKMP:(2028):Sending an IKE IPv4 Packet.
002636: Jul 31 13:27:31.938 PCTime: ISAKMP:(2028):purging node 144906282
002637: Jul 31 13:27:31.938 PCTime: ISAKMP:(2028):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
002638: Jul 31 13:27:31.942 PCTime: ISAKMP:(2028):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA
002639: Jul 31 13:27:31.942 PCTime: ISAKMP:(2028):deleting SA reason "No reason" state (I) QM_IDLE       (peer 81.20.146.51)
002640: Jul 31 13:27:31.942 PCTime: ISAKMP:(2028):deleting node -1648774912 error FALSE reason "IKE deleted"
002641: Jul 31 13:27:31.942 PCTime: ISAKMP:(2028):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
002642: Jul 31 13:27:31.942 PCTime: ISAKMP:(2028):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

Any ideas?

You have a Phase 2 policy mismatch:

ASA:

crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

Router:

crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to 81.20.146.51
 set peer 81.20.146.51
 set transform-set ASA-IPSEC

Either make a change on the ASA or on the router, so that they have the same phase two policy.

For example, make the change only on the ASA:

asa(config)# no crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
asa(config)# crypto map outside_map 1 set ikev1 transform-set ESP-DES-SHA

Manish
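As an added example (not code from the thread or from either poster), a small Python checker that reads both sides' phase 2 configuration and reports the same transform-set mismatch Manish points out, and also the PFS mismatch visible in the posted configs (the ASA has `set pfs`, the router has no counterpart), which is what the original poster later reports as the remaining problem. The config excerpts are constructed from the thread; the platform PFS defaults are assumptions noted in the code.

```python
import re

# Constructed excerpts of each side's phase 2 configuration, taken from the
# configs posted in this thread (peers and networks left as placeholders).
ASA_CFG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto map outside_map 1 set pfs
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
"""
ROUTER_CFG = """\
crypto ipsec transform-set ASA-IPSEC esp-sha-hmac esp-des
 mode tunnel
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set transform-set ASA-IPSEC
 match address SDM_2
"""

TSET_RE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$", re.M)
SEL_RE = re.compile(r"set (?:ikev1 )?transform-set (\S+)")
PFS_RE = re.compile(r"set pfs(?: (group\d+))?\s*$")


def phase2_proposal(cfg, pfs_default=None):
    """Return the proposal the crypto map entry actually offers:
    {'transforms': frozenset of ESP transforms, 'pfs': DH group or None}.
    pfs_default is what a bare 'set pfs' means on that platform
    (assumed: group2 on the ASA, group1 on IOS); None if no 'set pfs'."""
    # Transform order does not matter, so compare as sets: the router's
    # "esp-sha-hmac esp-des" equals "esp-des esp-sha-hmac".
    tsets = {name: frozenset(body.split()) for name, body in TSET_RE.findall(cfg)}
    selected, pfs = None, None
    for line in cfg.splitlines():
        m = SEL_RE.search(line)
        if m:
            selected = m.group(1)
        m = PFS_RE.search(line)
        if m:
            pfs = m.group(1) or pfs_default
    if selected not in tsets:
        raise ValueError(f"crypto map selects unknown transform-set {selected!r}")
    return {"transforms": tsets[selected], "pfs": pfs}


def phase2_mismatches(asa_cfg, router_cfg):
    """List the reasons Quick Mode would fail between the two sides;
    an empty list means the phase 2 proposals are compatible."""
    asa = phase2_proposal(asa_cfg, pfs_default="group2")
    rtr = phase2_proposal(router_cfg, pfs_default="group1")
    problems = []
    if asa["transforms"] != rtr["transforms"]:
        problems.append(f"transform-set mismatch: ASA {sorted(asa['transforms'])} "
                        f"vs router {sorted(rtr['transforms'])}")
    if asa["pfs"] != rtr["pfs"]:
        problems.append(f"PFS mismatch: ASA {asa['pfs']} vs router {rtr['pfs']}")
    return problems


if __name__ == "__main__":
    for p in phase2_mismatches(ASA_CFG, ROUTER_CFG):
        print("MISMATCH:", p)
```

Applying Manish's change (select ESP-DES-SHA on the ASA) clears the first finding; the PFS finding only clears once the router's crypto map also carries `set pfs group2`.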

Hey!

Changed the ipsec ikev1 transform-set, but still no luck. The log entries are the same.

Got the VPN tunnel up: the PFS and DH group were missing on the router.

Then tried to ping from the remote_lan segment to local_lan and got denied by access-group "outside_access_in".

Then made an allow rule but got this error message in the ASA (local fw):

5    Jul 05 2011    11:26:54    305013    10.113.212.2                Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.1.0.254 dst PROD-Mgmt:10.113.212.2 (type 8, code 0) denied due to NAT reverse path failure

Now I made a NAT statement:

nat (PROD-Mgmt,outside) source static any any destination static leedu_sisev6rk leedu_sisev6rk

When I tried to make it a more detailed rule, the error was like this:

(config)# nat (PROD-Mgmt,outside) source static PROD-Mgmt-network PROD-Mgmt-network static........
ERROR: PROD-Mgmt-network doesn't match an existing object or object-group

Is there a possibility to solve the NAT issue with one ACL? I mean that I have several inside interfaces whose traffic should not be NATed when entering the VPN tunnel.