3678 Views | 0 Helpful | 2 Replies

Site to Site VPN Issue ASA5540 to Cisco router

maxsondcunha (Level 1)

Hi,

Can someone help...

Topology

10.10.10.5-----VPN Router-------VPN--------ASA5540-----DMZ-------Real ip 192.168.202.2---- NAT ip 10.66.101.10

Requirement:

IPsec VPN between the VPN router (192.168.10.2) and the ASA5540 (192.168.160.2); 192.168.202.2, NATted to 10.66.101.10, should connect to 10.10.10.5 over port 80.

Problem: the IPsec VPN is established (both Phase 1 and Phase 2) without NAT, but as soon as we do a source NAT on the ASA5540, Phase 1 comes up but Phase 2 doesn't come up.

Below is the debug output from the Cisco router.

Sep 19 13:33:32.639 UAE: ISAKMP: transform 1, ESP_3DES
Sep 19 13:33:32.639 UAE: ISAKMP:   attributes in transform:
Sep 19 13:33:32.639 UAE: ISAKMP:      SA life type in seconds
Sep 19 13:33:32.639 UAE: ISAKMP:      SA life duration (basic) of 3600
Sep 19 13:33:32.639 UAE: ISAKMP:      encaps is 1 (Tunnel)
Sep 19 13:33:32.639 UAE: ISAKMP:      authenticator is HMAC-SHA
Sep 19 13:33:32.639 UAE: ISAKMP:      group is 2
Sep 19 13:33:32.639 UAE: ISAKMP:(7055):atts are acceptable.
Sep 19 13:33:32.639 UAE: IPSEC(ipsec_process_proposal): proxy identities not supported
Sep 19 13:33:32.639 UAE: ISAKMP:(7055): IPSec policy invalidated proposal with error 32
Sep 19 13:33:32.639 UAE: ISAKMP:(7055): phase 2 SA policy not acceptable!

VPN router config

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2

crypto ipsec transform-set TEST-VPN esp-3des esp-sha-hmac

crypto map TEST-map 10 ipsec-isakmp
 set peer 192.168.160.2
 set transform-set TEST-VPN
 match address REMOTE_VPN

Extended IP access list REMOTE_VPN
    20 permit ip host 10.10.10.5 host 10.66.101.10

Site B ASA5540 configuration

object network Local_DMZ2
 host 192.168.202.2
object network remotehost
 host 10.10.10.5
object network Localnat
 host 10.66.101.10

access-list Outside_1_cryptomap extended permit ip object Localnat object remotehost

nat (DMZ-2,Outside) source static Local_DMZ2 Localnat destination static remotehost remotehost

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map Outside_map 1 match address Outside_1_cryptomap
crypto map Outside_map 1 set peer 192.168.10.2
crypto map Outside_map 1 set transform-set ESP-3DES-SHA
crypto map Outside_map interface Outside
crypto isakmp enable Outside

crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group 192.168.10.2 type ipsec-l2l
tunnel-group 192.168.10.2 ipsec-attributes
 pre-shared-key *****

2 Replies

Marcin Latosiewicz (Cisco Employee)

Hi,

Check what the proposals received on the IOS device are:

- 3DES
- SHA
- Tunnel mode
- PFS group 2

I would start there ;-)

M.

Hi,

The issue has been solved. It was the overlapping access-list on the router. After the access-list was removed, the issue was resolved.

Thanks for the help...
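As an added example, not code from the thread or from Cisco, here is a small Python check for the two crypto-ACL problems discussed above: proxy identities that the peer's ACL does not mirror (what IOS logs as "proxy identities not supported"), and overlapping entries on the router side. The object names and ACL lines are constructed to match the thread's addressing, with the ASA's NAT already reflected in the ASA-side object.

```python
import ipaddress
import re

# Constructed inputs modelled on the thread (hypothetical, not the poster's
# full config). ASA object names resolve through ASA_OBJECTS.
ASA_OBJECTS = {"Localnat": "10.66.101.10", "remotehost": "10.10.10.5"}
ASA_ACL = "permit ip object Localnat object remotehost"
ROUTER_ACL_OK = "20 permit ip host 10.10.10.5 host 10.66.101.10"
# Same ACL with a second, overlapping entry: the failure mode from the thread.
ROUTER_ACL_OVERLAP = ROUTER_ACL_OK + "\n30 permit ip 10.10.10.0 0.0.0.255 10.66.101.0 0.0.0.255"

ACE_RE = re.compile(r"^\s*(?:\d+\s+)?permit ip (\S+ \S+) (\S+ \S+)\s*$")


def _endpoint(tok, wildcard):
    """Map 'host X', 'object NAME' or 'NET MASK' to an ip_network."""
    kind, val = tok.split()
    if kind == "host":
        return ipaddress.ip_network(f"{val}/32")
    if kind == "object":
        return ipaddress.ip_network(f"{ASA_OBJECTS[val]}/32")
    mask = ipaddress.ip_address(val)
    if wildcard:  # IOS ACLs use wildcard masks, ASA ACLs use subnet masks
        mask = ipaddress.ip_address(int(mask) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{kind}/{mask}", strict=False)


def parse_crypto_acl(text, wildcard):
    """Return the (src, dst) proxy identities this ACL would propose."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces.append((_endpoint(m.group(1), wildcard), _endpoint(m.group(2), wildcard)))
    return aces


def unmirrored(local, remote):
    """ACEs in 'local' lacking an exact (dst, src) mirror in 'remote'; this
    is what IOS reports as 'proxy identities not supported' during phase 2."""
    mirrored = {(d, s) for s, d in remote}
    return [ace for ace in local if ace not in mirrored]


def overlapping(aces):
    """Index pairs of ACEs whose source and destination both overlap; such
    entries make the proxy identity the router selects ambiguous."""
    return [(i, j) for i in range(len(aces)) for j in range(i + 1, len(aces))
            if aces[i][0].overlaps(aces[j][0]) and aces[i][1].overlaps(aces[j][1])]
```

Run the router ACL against the ASA ACL in both directions; an empty result from `unmirrored` and from `overlapping` is what a working phase 2 needs.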