Trouble establishing vpn site to site 8.2 to 9.x ASA's

ken.montgomery
Level 1

I have a problem configuring a site-to-site VPN between two sites: one is an ASA5540 running version 8.2, the other is an ASA5545X running version 9.0.

I'll try to include the relevant portions of the configs here... the tunnel will not establish, and nothing shows in the debug logs that I can find.

I know the outside addresses for both work, as clients can connect into both.

ASA5540:

: Saved
:
ASA Version 8.2(5)
object-group network VEYANCE_NET
 network-object <ASA5540NetworkObject>
object-group network LAN_NETWORKS
 network-object <ASA5540AllLocalNetworks>
object-group network ASA5545X_NETWORKS
 network-object <ASA5545XNetwork>
access-list ASA5545X_VPN_ACL extended permit ip object-group LAN_NETWORKS object-group ASA5545X_NETWORKS
access-list ASA5545X_VPN_ACL extended permit ip object-group ASA5545X_NETWORKS object-group LAN_NETWORKS
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 1 match address outside_1_cryptomap
crypto map mymap 1 set pfs
crypto map mymap 1 set peer <ASA5545XexternalIP>
crypto map mymap 1 set transform-set ESP-3DES-MD5
crypto map ASA5545X_VPN_CRYPTO_MAP 1 match address ASA5545X_VPN_ACL
crypto map ASA5545X_VPN_CRYPTO_MAP 1 set peer <ASA5545XexternalIP>
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 2
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
tunnel-group <ASA5545XexternalIP> type ipsec-l2l
tunnel-group <ASA5545XexternalIP> ipsec-attributes
 pre-shared-key <key>
!

ASA5545X:

ASA Version 9.0(1)
!
object network ASA5540
 range <Networks on ASA5540 LAN>
object-group network LAN_NETWORKS
 <all networks on internal LAN>
access-list ASA5540_VPN_ACL extended permit ip object-group ASA5540_Networks object-group LAN_NETWORKS
access-list ASA5540_VPN_ACL extended permit ip object-group LAN_NETWORKS object-group ASA5540_Networks
access-list OUTSIDE_cryptomap_1 extended permit ip object-group LAN_NETWORKS object-group ASA5540_Networks
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map ASA5540_VPN_CRYPTO_MAP 3 set peer <ASA5540 External IP>
crypto map ASA5540_VPN_CRYPTO_MAP 3 set ikev2 ipsec-proposal 3DES
crypto map ASA5540_VPN_CRYPTO_MAP 3 set ikev2 pre-shared-key *****
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca trustpoint localtrust
 enrollment self
 keypair VPNClientKey
 crl configure
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 3
 encryption 3des
 integrity md5
 group 2
 prf md5
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
dns-server value <dns server>
group-policy GroupPolicy_<ExternalIP of 5540> internal
group-policy GroupPolicy_<ExternalIP of 5540> attributes
 vpn-tunnel-protocol ikev2
tunnel-group <ExternalIP of 5540> type ipsec-l2l
tunnel-group <ExternalIP of 5540> general-attributes
 default-group-policy GroupPolicy_<ExternalIP of 5540>
tunnel-group <ExternalIP of 5540> ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

Any thoughts are appreciated.



Marvin Rhoads
Hall of Fame

A debug usually highlights pretty quickly where site-to-site VPN tunnel establishment is failing:

debug crypto condition peer

debug crypto isakmp 7

... and then introduce interesting traffic. The log should highlight the point of failure.

Note the second command is changed on the 9.x end to:

debug crypto ikev1 7

This did help with troubleshooting, once I followed the step below. I was able to capture enough now to have some idea of what to fix.

Andrew Phirsov
Level 7

Your 5545 is configured for IKEv2 negotiation (see the crypto map and related config), while the 5540 is trying to use IKEv1 when connecting to the 5545. Those two are incompatible, so you have to modify the config on the 5545 to use IKEv1.

Thanks, this was a huge help; I couldn't see it (after looking at it for so long). It didn't totally fix my problem, but it put me on the right track.

Ok, so I have made some headway, and I have resolved a further key issue, but am still getting an issue in the debugs as follows:

Apr 16 11:38:11 [IKEv1]: Group = , IP = , Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Apr 16 11:38:12 [IKEv1]: IP = , IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , processing ID payload
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , processing hash payload
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , Computing hash for ISAKMP
Apr 16 11:38:12 [IKEv1 DEBUG]: IP = , Processing IOS keep alive payload: proposal=32767/32767 sec.
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , processing VID payload
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , Received DPD VID
Apr 16 11:38:12 [IKEv1]: IP = , Connection landed on tunnel_group
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , Oakley begin quick mode
Apr 16 11:38:12 [IKEv1]: Group = , IP = , PHASE 1 COMPLETED
Apr 16 11:38:12 [IKEv1]: IP = , Keep-alive type for this connection: DPD
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , Starting P1 rekey timer: 73440 seconds.
Apr 16 11:38:12 [IKEv1]: Group = , IP = , De-queuing KEY-ACQUIRE messages that were left pending.
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , IKE got SPI from key engine: SPI = 0x67693300
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , oakley constucting quick mode
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , constructing blank hash payload
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , constructing IPSec SA payload
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , constructing IPSec nonce payload
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , constructing pfs ke payload
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , constructing proxy ID
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , constructing qm hash payload
Apr 16 11:38:12 [IKEv1]: IP = , IKE_DECODE SENDING Message (msgid=9b4aed7c) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 332
Apr 16 11:38:12 [IKEv1]: IP = , IKE_DECODE RECEIVED Message (msgid=cbf15711) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 384
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , processing hash payload
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , processing notify payload
Apr 16 11:38:12 [IKEv1]: Group = , IP = , Received non-routine Notify message: Invalid ID info (18)
Apr 16 11:38:12 [IKEv1]: IP = , IKE_DECODE RECEIVED Message (msgid=333e2c27) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , processing hash payload
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , processing delete
Apr 16 11:38:12 [IKEv1]: Group = , IP = , Connection terminated for peer .  Reason: Peer Terminate  Remote Proxy N/A, Local Proxy N/A
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , sending delete/delete with reason message
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , constructing blank hash payload
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , constructing IPSec delete payload
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , constructing qm hash payload
Apr 16 11:38:12 [IKEv1]: IP = , IKE_DECODE SENDING Message (msgid=165636ea) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , IKE Deleting SA: Remote Proxy 10.1.0.0, Local Proxy 10.0.0.0
Apr 16 11:38:12 [IKEv1]: Group = , IP = , Removing peer from correlator table failed, no match!
Apr 16 11:38:12 [IKEv1 DEBUG]: Group = , IP = , IKE SA MM:f204fb0a terminating:  flags 0x0100c822, refcnt 0, tuncnt 0
Apr 16 11:38:12 [IKEv1]: Group = , IP = , Session is being torn down. Reason: User Requested
Apr 16 11:38:12 [IKEv1]: IP = , IKE Initiator: New Phase 1, Intf NP Identity Ifc, IKE Peer   local Proxy Address 10.0.0.0, remote Proxy Address 10.1.0.0,  Crypto map (mymap)
Apr 16 11:38:12 [IKEv1 DEBUG]: IP = , constructing ISAKMP SA payload
Apr 16 11:38:12 [IKEv1 DEBUG]: IP = , constructing Fragmentation VID + extended capabilities payload

I'm wondering if the remaining problem (why it is tearing it down) is the address space not matching? Is that a possibility? I'm not good at doing this CLI-only...

From the config you provided above, I don't see any proxy-IDs configured on the 5545 (match statement under the crypto-map config); plus, on the 5540 the ACL referred to in the crypto-ID is not present in the config.

So, configure the proxy-IDs appropriately, so that they mirror each other on each site.

Right. Andrew's observation is supported by the failure shown in the debug:

     Removing peer from correlator table failed, no match!

That's usually an indication that crypto maps aren't set up to mirror each other. I think perhaps "outside_1_cryptomap" should instead refer to "ASA5545X_VPN_ACL" in your 5540 config.
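As an added check (my own script, not from the thread or from Cisco), the following parses the crypto-map and crypto-ACL lines of two ASA config snippets and reports the three mismatches raised above: the IKEv1/IKEv2 mismatch, a map entry with no match address or with an undefined ACL, and proxy IDs that do not mirror. The snippets are constructed to model the thread with placeholder networks and an RFC 5737 peer address, and the script assumes crypto ACLs written with explicit network/mask pairs rather than object-groups.

```python
import re

def parse_asa(cfg):
    """Crypto map entries (match ACL + IKE version) and crypto ACL lines from an ASA snippet."""
    maps, acls = {}, {}
    for line in cfg.splitlines():
        m = re.match(r"\s*crypto map (\S+) (\d+) (.+)", line)
        if m:
            e = maps.setdefault((m.group(1), int(m.group(2))), {"acl": None, "ike": set()})
            w = m.group(3).split()
            if w[:2] == ["match", "address"]:
                e["acl"] = w[2]
            elif w[0] == "set" and w[1] in ("ikev1", "ikev2", "transform-set"):
                e["ike"].add("ikev1" if w[1] == "transform-set" else w[1])  # 8.2 has no ikev1 keyword
        m = re.match(r"\s*access-list (\S+) extended permit ip (\S+ \S+) (\S+ \S+)", line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return maps, acls

def check_l2l(local_cfg, peer_cfg):
    """Return the mismatches that keep a site-to-site tunnel from coming up."""
    findings, versions, proxies = [], {}, {}
    for side, (maps, acls) in {"local": parse_asa(local_cfg), "peer": parse_asa(peer_cfg)}.items():
        versions[side], proxies[side] = set(), set()
        for (name, seq), e in maps.items():
            versions[side] |= e["ike"]
            if e["acl"] is None:
                findings.append(f"{side}: crypto map {name} {seq} has no 'match address' (no proxy IDs)")
            elif e["acl"] not in acls:
                findings.append(f"{side}: crypto map {name} {seq} references undefined ACL {e['acl']}")
            else:
                proxies[side] |= set(acls[e["acl"]])
    if not versions["local"] & versions["peer"]:
        findings.append(f"IKE version mismatch: local {sorted(versions['local'])}, peer {sorted(versions['peer'])}")
    for src, dst in proxies["local"]:  # proxy IDs must mirror: local (src, dst) == peer (dst, src)
        if (dst, src) not in proxies["peer"]:
            findings.append(f"proxy ID {src} -> {dst} is not mirrored on the peer")
    return findings

# Constructed snippets modelled on the thread (placeholder networks, RFC 5737 peer address);
# the FIXED_* versions apply the thread's advice: IKEv1 on the 5545X, mirrored proxy IDs, right ACL name.
AS_POSTED_5540 = """access-list ASA5545X_VPN_ACL extended permit ip 10.0.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto map mymap 1 match address outside_1_cryptomap
crypto map mymap 1 set transform-set ESP-3DES-MD5"""
AS_POSTED_5545X = """crypto map ASA5540_VPN_CRYPTO_MAP 3 set peer 192.0.2.1
crypto map ASA5540_VPN_CRYPTO_MAP 3 set ikev2 ipsec-proposal 3DES"""
FIXED_5540 = AS_POSTED_5540.replace("outside_1_cryptomap", "ASA5545X_VPN_ACL")
FIXED_5545X = """access-list ASA5540_VPN_ACL extended permit ip 10.1.0.0 255.255.0.0 10.0.0.0 255.255.0.0
crypto map ASA5540_VPN_CRYPTO_MAP 3 match address ASA5540_VPN_ACL
crypto map ASA5540_VPN_CRYPTO_MAP 3 set ikev1 transform-set ESP-3DES-MD5"""
```

Running `check_l2l(AS_POSTED_5540, AS_POSTED_5545X)` returns the three findings; the FIXED_* pair returns none.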