Site to Site VPN Tunnel - Aggressive Mode

mario11584
Level 1

I have searched the community for answers to this and haven't quite found what I am looking for (or anything that makes sense to me). I have an ASA 5510 at site A with a Site to Site VPN tunnel to a SonicWall at site B. That is working great. I need to create a tunnel to site C from site A using an aggressive mode tunnel. I am not quite sure how to go about doing that. Any suggestions would be great!

NOTE: I've included the parts of the running config I believe are relevant. If I've missed something please let me know.

ASA Version 8.2(1)

interface Ethernet0/0

nameif outside

security-level 0

ip address 1.2.3.4 255.255.255.248

!

access-list site_B extended permit ip 10.5.2.0 255.255.255.0 10.205.2.0 255.255.255.128

access-list site_C extended permit ip 10.5.2.0 255.255.255.0 10.205.2.128 255.255.255.128

dynamic-access-policy-record DfltAccessPolicy

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set 3des-sha1 esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map VPN 30 match address site_B

crypto map VPN 30 set peer 4.3.2.1

crypto map VPN 30 set transform-set 3des-sha1

crypto map VPN 40 match address site_C

crypto map VPN 40 set peer 8.7.6.5

crypto map VPN 40 set transform-set 3des-sha1

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp nat-traversal 30

crypto isakmp ipsec-over-tcp port 10000

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

tunnel-group 4.3.2.1 type ipsec-l2l

tunnel-group 4.3.2.1 ipsec-attributes

pre-shared-key *

tunnel-group 8.7.6.5 type ipsec-l2l

tunnel-group 8.7.6.5 ipsec-attributes

pre-shared-key *


Hi David,

This can be accomplished as following:

crypto map VPN 40 set phase1-mode aggressive

tunnel-group SonicWall_ID type ipsec-l2l

tunnel-group SonicWall_ID ipsec-attributes

     pre-shared-key *

!

*Assuming the SonicWall FW sends the Hostname instead of the IP address.

Any reason to use Aggressive mode?  This implementation is not secure.

HTH.

Portu.

Please rate any helpful posts
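The naming rule in the reply above (main mode looks the tunnel-group up by peer IP, aggressive mode by the ID the peer sends) is easy to get wrong, so here is an added Python example, not code from this thread or from Cisco, that checks an ASA config fragment for it. It parses the "crypto map", "tunnel-group" and interface lines and reports an aggressive-mode entry with no ID-named tunnel-group, a main-mode peer with no IP-named tunnel-group, a crypto map that is not bound to an interface, or a bound interface without ISAKMP enabled. The embedded config is constructed from the addresses used in this thread; the group name 0017C55FD082 stands for the SonicWall ID, and treating any non-IP group name as an ID-named group is an assumption of the example.

```python
import ipaddress
import re

# Constructed sample (not the original post verbatim): one main-mode peer
# (site B, matched by IP) and one aggressive-mode peer (site C, matched by
# the SonicWall's ID string; 0017C55FD082 is assumed to be that ID).
SAMPLE_CONFIG = """\
crypto map VPN 30 match address site_B
crypto map VPN 30 set peer 4.3.2.1
crypto map VPN 30 set transform-set 3des-sha1
crypto map VPN 40 match address site_C
crypto map VPN 40 set peer 8.7.6.5
crypto map VPN 40 set transform-set 3des-sha1
crypto map VPN 40 set phase1-mode aggressive
crypto map VPN interface outside
crypto isakmp enable outside
tunnel-group 4.3.2.1 type ipsec-l2l
tunnel-group 0017C55FD082 type ipsec-l2l
"""

ENTRY_RE = re.compile(
    r"crypto map (\S+) (\d+) (match address|set peer|set transform-set|set phase1-mode) (\S+)")
BIND_RE = re.compile(r"crypto map (\S+) interface (\S+)")
ISAKMP_RE = re.compile(r"crypto isakmp enable (\S+)")
L2L_RE = re.compile(r"tunnel-group (\S+) type ipsec-l2l")


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse(config):
    """Collect crypto map entries, interface bindings, ISAKMP interfaces and L2L groups."""
    entries, bindings, isakmp, groups = {}, {}, set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.fullmatch(line):
            entries.setdefault((m[1], int(m[2])), {})[m[3]] = m[4]
        elif m := BIND_RE.fullmatch(line):
            bindings[m[1]] = m[2]
        elif m := ISAKMP_RE.fullmatch(line):
            isakmp.add(m[1])
        elif m := L2L_RE.fullmatch(line):
            groups.add(m[1])
    return entries, bindings, isakmp, groups


def check(config):
    """Return a list of findings; an empty list means the L2L entries are consistent."""
    entries, bindings, isakmp, groups = parse(config)
    findings = []
    for (name, seq), e in sorted(entries.items()):
        tag = f"crypto map {name} {seq}"
        for key in ("match address", "set peer", "set transform-set"):
            if key not in e:
                findings.append(f"{tag}: missing '{key}'")
        peer = e.get("set peer")
        if e.get("set phase1-mode") == "aggressive":
            # IKEv1 aggressive mode with a pre-shared key sends the identities in
            # the clear and lets a passive observer attack the PSK offline; flag it.
            findings.append(f"{tag}: aggressive mode with PSK; prefer main mode or certificates")
            # In aggressive mode the ASA selects the tunnel-group from the peer's ID
            # payload, so a group named after that ID (not the peer IP) must exist.
            if not any(not is_ip(g) for g in groups):
                findings.append(f"{tag}: no ID-named 'tunnel-group <peer-ID> type ipsec-l2l'")
        elif peer and peer not in groups:
            # In main mode the responder looks the tunnel-group up by the peer's IP.
            findings.append(f"{tag}: main-mode peer needs 'tunnel-group {peer} type ipsec-l2l'")
        if name not in bindings:
            findings.append(f"{tag}: map '{name}' is not applied to any interface")
        elif bindings[name] not in isakmp:
            findings.append(f"{tag}: 'crypto isakmp enable {bindings[name]}' is missing")
    return findings


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the only finding is the aggressive-mode warning on sequence 40; drop the "set phase1-mode aggressive" line and the same entry is reported as a main-mode peer with no tunnel-group named 8.7.6.5, which is the mismatch this thread ran into.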

Thanks for the information. Those configurations make sense to me and in fact are the best information I've been given while working on this issue. It's very much appreciated! However, they don't seem to be working. Maybe I am still missing something. The SonicWall shares its unique Firewall Identifier, which is its MAC address. That's what I plugged in for the SonicWall_ID. I have my ISAKMP policy, transform-set, ACL, tunnel-group, crypto map attached to interface, and isakmp enabled on the interface. Any thoughts?

Here is my config (related to the VPN).

ASA Version 8.2(1)

access-list DP_VPN_Earn extended permit ip 10.5.2.0 255.255.255.0 10.205.2.128 255.255.255.128

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set 3des-sha1 esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map VPN 40 match address DP_VPN_Earn

crypto map VPN 40 set peer site_C

crypto map VPN 40 set transform-set 3des-sha1

crypto map VPN 40 set phase1-mode aggressive

crypto map VPN interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

tunnel-group 0017C55FD082 type ipsec-l2l

tunnel-group 0017C55FD082 ipsec-attributes

pre-shared-key *

David,

Please send me the following:

debug crypto isakmp 190

debug crypto ipsec 190

Let me know.

Thanks.

Please rate any helpful posts

debug crypto isakmp 190

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, processing SA payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, Oakley proposal is acceptable

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, processing VID payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, processing VID payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, Received NAT-Traversal RFC VID

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, processing VID payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, Received NAT-Traversal ver 03 VID

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, processing VID payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, Received NAT-Traversal ver 02 VID

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, processing VID payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, processing IKE SA payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 3

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, constructing ISAKMP SA payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, constructing NAT-Traversal VID ver 02 payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, constructing Fragmentation VID + extended capabilities payload

Oct 26 00:01:02 [IKEv1]: IP = site_C, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124

Oct 26 00:01:02 [IKEv1]: IP = site_C, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NAT-D (130) + NAT-D (130) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 288

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, processing ke payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, processing ISA_KE payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, processing NAT-Discovery payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, computing NAT Discovery hash

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, processing NAT-Discovery payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, computing NAT Discovery hash

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, processing nonce payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, processing VID payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, processing VID payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, Received xauth V6 VID

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, processing VID payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, processing VID payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, Received DPD VID

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, constructing ke payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, constructing nonce payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, constructing Cisco Unity VID payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, constructing xauth V6 VID payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, Send IOS VID

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, constructing VID payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, constructing NAT-Discovery payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, computing NAT Discovery hash

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, constructing NAT-Discovery payload

Oct 26 00:01:02 [IKEv1 DEBUG]: IP = site_C, computing NAT Discovery hash

Oct 26 00:01:02 [IKEv1]: Group = site_C, IP = site_C, Can't find a valid tunnel group, aborting...!

Oct 26 00:01:02 [IKEv1 DEBUG]: Group = site_C, IP = site_C, IKE MM Responder FSM error history (struct &0xdaf2b690)  , :  MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_TEST_CRACK-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY

Oct 26 00:01:02 [IKEv1 DEBUG]: Group = site_C, IP = site_C, IKE SA MM:745d6d84 terminating:  flags 0x01008002, refcnt 0, tuncnt 0

Oct 26 00:01:02 [IKEv1 DEBUG]: Group = site_C, IP = site_C, sending delete/delete with reason message

Oct 26 00:01:02 [IKEv1]: Group = site_C, IP = site_C, Removing peer from peer table failed, no match!

Oct 26 00:01:02 [IKEv1]: Group = site_C, IP = site_C, Error: Unable to remove PeerTblEntry

Oct 26 00:01:09 [IKEv1]: IP = site_C, Header invalid, missing SA payload! (next payload = 4)

Oct 26 00:01:09 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

Oct 26 00:01:21 [IKEv1]: IP = site_C, Header invalid, missing SA payload! (next payload = 4)

Oct 26 00:01:21 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

Oct 26 00:01:23 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

debug crypto ipsec 190

(crypto_map_check): crypto map VPN 10 does not hole match for ACL DP_VPN_ESN.

IPSEC(crypto_map_check): crypto map VPN 10 does not hole match for ACL DP_VPN_ESN.

IPSEC(crypto_map_check): crypto map VPN 10 does not hole match for ACL DP_VPN_ESN.

IPSEC(crypto_map_check): crypto map VPN 10 does not hole match for ACL DP_VPN_ESN.

IPSEC(crypto_map_check): crypto map VPN 10 does not hole match for ACL DP_VPN_ESN.

IPSEC(crypto_map_check): crypto map VPN 10 does not hole match for ACL DP_VPN_ESN.

IPSEC(crypto_map_check): crypto map VPN 10 does not hole match for ACL DP_VPN_ESN.

I don't know if this helps but the "debug crypto isakmp 127" command provides the following information.

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, processing ke payload

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, processing ISA_KE payload

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, processing NAT-Discovery payload

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, computing NAT Discovery hash

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, processing NAT-Discovery payload

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, computing NAT Discovery hash

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, processing nonce payload

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, processing VID payload

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, processing VID payload

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, Received xauth V6 VID

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, processing VID payload

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, processing VID payload

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, Received DPD VID

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, constructing ke payload

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, constructing nonce payload

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, constructing Cisco Unity VID payload

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, constructing xauth V6 VID payload

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, Send IOS VID

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, constructing VID payload

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, constructing NAT-Discovery payload

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, computing NAT Discovery hash

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, constructing NAT-Discovery payload

Oct 25 23:11:47 [IKEv1 DEBUG]: IP = site_C, computing NAT Discovery hash

Oct 25 23:11:47 [IKEv1]: Group = site_C, IP = site_C, Can't find a valid tunnel group, aborting...!

Oct 25 23:11:47 [IKEv1 DEBUG]: Group = site_C, IP = site_C, IKE MM Responder FSM error history (struct &0xdac33580)  , :  MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_TEST_CRACK-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY

Oct 25 23:11:47 [IKEv1 DEBUG]: Group = site_C, IP = site_C, IKE SA MM:782e0853 terminating:  flags 0x01008002, refcnt 0, tuncnt 0

Oct 25 23:11:47 [IKEv1 DEBUG]: Group = site_C, IP = site_C, sending delete/delete with reason message

Oct 25 23:11:47 [IKEv1]: Group = site_C, IP = site_C, Removing peer from peer table failed, no match!

Oct 25 23:11:47 [IKEv1]: Group = site_C, IP = site_C, Error: Unable to remove PeerTblEntry

David,

We should not see this:

Oct 25 23:11:47 [IKEv1 DEBUG]: Group = site_C, IP = site_C, IKE MM Responder FSM error history (struct &0xdac33580)  , :  MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_TEST_CRACK-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY

In aggressive mode you only exchange 3 messages; the SonicWall is trying main mode instead.

Could you please check this out on the Sonic Wall FW?

Portu.

Please rate any helpful posts
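Portu's diagnosis above can be pulled out of the debug output mechanically. The following is an added Python example, not from the thread: it reads "debug crypto isakmp" lines, takes the phase 1 mode from the MM/AM tokens the ASA prints in the FSM history and the SA name, records the state at which the responder errored, and notes the "Can't find a valid tunnel group" failure. The sample lines are constructed after the ones posted above, with 8.7.6.5 standing in for site C. With the local crypto map set for aggressive mode, the result shows the peer was negotiating main mode and that in main mode the group lookup is by peer IP.

```python
import re

# Constructed sample modelled on the "debug crypto isakmp" lines posted in this
# thread; 8.7.6.5 is the placeholder address the thread already uses for site C.
SAMPLE_DEBUG = """\
Oct 26 00:01:02 [IKEv1]: IP = 8.7.6.5, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Oct 26 00:01:02 [IKEv1]: IP = 8.7.6.5, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NAT-D (130) + NAT-D (130) + NONCE (10) + VENDOR (13) + NONE (0) total length : 288
Oct 26 00:01:02 [IKEv1]: Group = 8.7.6.5, IP = 8.7.6.5, Can't find a valid tunnel group, aborting...!
Oct 26 00:01:02 [IKEv1 DEBUG]: Group = 8.7.6.5, IP = 8.7.6.5, IKE MM Responder FSM error history (struct &0xdaf2b690)  , :  MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4
Oct 26 00:01:02 [IKEv1 DEBUG]: Group = 8.7.6.5, IP = 8.7.6.5, IKE SA MM:745d6d84 terminating:  flags 0x01008002, refcnt 0, tuncnt 0
"""

MODE_NAMES = {"MM": "main", "AM": "aggressive"}
PEER_RE = re.compile(r"\bIP = ([^,\s]+)")
FSM_RE = re.compile(r"IKE (MM|AM) (Responder|Initiator) FSM error history")
SA_RE = re.compile(r"IKE SA (MM|AM):[0-9a-f]+")
ERR_STATE_RE = re.compile(r"EV_ERROR-->(\w+)")
NO_GROUP = "Can't find a valid tunnel group"


def analyze(debug_text, expected_mode):
    """Summarise a failed IKEv1 phase 1 from ASA debug output.

    expected_mode is what the local crypto map is configured for ("main" or
    "aggressive"); the observed mode comes from the MM/AM tokens the ASA logs.
    """
    result = {"peer": None, "observed_mode": None, "role": None,
              "failing_state": None, "group_lookup_failed": False, "diagnosis": []}
    for line in debug_text.splitlines():
        if (m := PEER_RE.search(line)) and result["peer"] is None:
            result["peer"] = m[1]
        if m := FSM_RE.search(line):
            # The FSM history is printed most-recent-first; the state that the
            # EV_ERROR transition points at is where the exchange was aborted.
            result["observed_mode"] = MODE_NAMES[m[1]]
            result["role"] = m[2].lower()
            if s := ERR_STATE_RE.search(line):
                result["failing_state"] = s[1]
        elif (m := SA_RE.search(line)) and result["observed_mode"] is None:
            result["observed_mode"] = MODE_NAMES[m[1]]
        if NO_GROUP in line:
            result["group_lookup_failed"] = True

    observed = result["observed_mode"]
    if observed and observed != expected_mode:
        result["diagnosis"].append(
            f"peer {result['peer']} negotiated {observed} mode but the local crypto map "
            f"is set for {expected_mode} mode; align the exchange mode on the peer")
    if result["group_lookup_failed"]:
        if observed == "main":
            result["diagnosis"].append(
                f"main mode selects the tunnel-group by peer IP: "
                f"'tunnel-group {result['peer']} type ipsec-l2l' must exist")
        elif observed == "aggressive":
            result["diagnosis"].append(
                "aggressive mode selects the tunnel-group by the peer's ID payload: "
                "the tunnel-group name must equal the ID the peer sends")
    return result


if __name__ == "__main__":
    r = analyze(SAMPLE_DEBUG, expected_mode="aggressive")
    print(f"peer={r['peer']} mode={r['observed_mode']} role={r['role']} "
          f"failed_at={r['failing_state']}")
    for d in r["diagnosis"]:
        print(" -", d)
```

The mode is read from the ASA's own MM/AM prefixes rather than by counting messages, because a debug capture usually starts mid-exchange, as the one posted above does.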

This is embarrassing to say but that was it! The SonicWall was in Main Mode. The tunnel is up now according to both devices but it doesn't seem to be passing traffic (at least pings).

sh crypto ipsec sa

interface: outside

    Crypto map tag: VPN, seq num: 40, local addr: site_A

      access-list DP_VPN_Earn permit ip 10.5.2.0 255.255.255.0 10.205.2.128 255.255.255.128

      local ident (addr/mask/prot/port): (10.5.2.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (10.205.2.128/255.255.255.128/0/0)

      current_peer: site_C

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: site_A, remote crypto endpt.: site_C

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: C49BF948

    inbound esp sas:

      spi: 0xD149CF15 (3511275285)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 147456, crypto-map: VPN

         sa timing: remaining key lifetime (sec): 28458

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0xC49BF948 (3298556232)

         transform: esp-3des esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 147456, crypto-map: VPN

         sa timing: remaining key lifetime (sec): 28458

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

David,

Could you please run a packet-tracer on the ASA side?

packet-tracer input inside icmp 10.5.2.15 8 0 10.205.2.130 detail

Please attach the output.

Portu.

Please rate any helpful posts

Here ya go! Packet trace is attached. Thanks again.

Thanks for that information.

It looks very good.

Please run the same packet-tracer two different times and let me know if the VPN allows the encryption.

Also please try some traffic from the inside and attach the "show crypto ipsec sa".

Thanks.

Please rate any helpful posts

No, there is still no encryption. Attached is the crypto ipsec sa output. Packet-tracer is showing a drop on phase 9 now (phase 10 in the document I attached previously).

David,

Please try this then:

clear crypto ipsec sa peer site_c_IP

clear configure crypto map VPN 40

crypto map VPN 10 match address site_C

crypto map VPN 10 set peer 8.7.6.5

crypto map VPN 10 set transform-set 3des-sha1

logging buffered debugging

capture drop type asp all circular

capture capin interface inside match ip 10.5.2.0 255.255.255.0 10.205.2.128 255.255.255.128

After generating traffic from an INTERNAL machine behind the ASA:

show log | inc 10.205.2

show cap drop | inc 10.205.2

show cap capin

In case it still does not work:

a)      show asp table classi crypto

b)      show asp table vpn-context detail

c)      show cry ipsec sa peer site_c

d)      packet-tracer input inside icmp 10.5.2.15 8 0 10.205.2.130 detail

e)      show crypto ipsec sa

All at the same time please.

Let me know how it goes.

Thanks,

Portu.

Please rate any helpful posts

Clearing out the VPN 40 crypto map and reconfiguring VPN 10 crypto map did the trick. I still can't ping from the ASA but a server behind the ASA can ping to site_C and I confirmed other traffic from behind the ASA to site_C was working as well. I honestly don't care at this point if I can ping from the ASA or not. Just glad it's working! Thanks!

I am not quite sure why this fixed the issue though. Why does the tunnel prefer crypto map VPN 10 instead of crypto map VPN 40?

David,

It is not recommended to make changes to an active crypto map; it is a best practice to remove the specific crypto map and then apply it back with any new settings.

Since we worked on the crypto map while it was still applied, I made the decision to remove the crypto map and put it back with a different sequence number, to reinitialize the whole instance.

I am glad to know that it works fine now.

Please mark this post as answered.

Have a good one.
