VPN between ASA 5505 and Digipoint VPN router

alberto-pesce
Level 1

Hi all,

I'm trying to configure a VPN between an ASA 5505 (static IP side) and a Digipoint VPN GPRS router (dynamic IP side). Of course I'm trying to open the VPN from the dynamic IP side to the static IP side, but debug crypto isakmp 255 shows the messages below.

Using sh crypto isakmp I see the VPN established for ONLY 1 second... before dropping.

I already checked the Local (static side 192.168.100.0/24) and Remote (dynamic side 172.18.0.0/16) LAN and they match perfectly. Do you have any other suggestions?

Thanks in advance

Jul 15 20:34:10 [IKEv1]: IP = ***IP_DYNMIC_ADDRESS***, IKE_DECODE RECEIVED Message (msgid=9ff1a52) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 182
Jul 15 20:34:10 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, processing hash payload
Jul 15 20:34:10 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, processing SA payload
Jul 15 20:34:10 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, processing nonce payload
Jul 15 20:34:10 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, processing ID payload
Jul 15 20:34:10 [IKEv1 DECODE]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, ID_IPV4_ADDR_SUBNET ID received--172.18.0.0--255.255.0.0
Jul 15 20:34:10 [IKEv1]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, Received remote IP Proxy Subnet data in ID Payload:   Address 172.18.0.0, Mask 255.255.0.0, Protocol 0, Port 0
Jul 15 20:34:10 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, processing ID payload
Jul 15 20:34:10 [IKEv1 DECODE]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, ID_IPV4_ADDR_SUBNET ID received--192.168.100.0--255.255.255.0
Jul 15 20:34:10 [IKEv1]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, Received local IP Proxy Subnet data in ID Payload:   Address 192.168.100.0, Mask 255.255.255.0, Protocol 0, Port 0
Jul 15 20:34:10 [IKEv1]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, QM IsRekeyed old sa not found by addr
Jul 15 20:34:10 [IKEv1]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, Static Crypto Map check, checking map = abcmap, seq = 1...
Jul 15 20:34:10 [IKEv1]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, Static Crypto Map check, map = abcmap, seq = 1, ACL does not match proxy IDs src:172.18.0.0 dst:192.168.100.0
Jul 15 20:34:10 [IKEv1]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, Static Crypto Map check, checking map = abcmap, seq = 2...
Jul 15 20:34:10 [IKEv1]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, Static Crypto Map check, map = abcmap, seq = 2, ACL does not match proxy IDs src:172.18.0.0 dst:192.168.100.0
Jul 15 20:34:10 [IKEv1]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, IKE Remote Peer configured for crypto map: abcmapdyn
Jul 15 20:34:10 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, processing IPSec SA payload
Jul 15 20:34:10 [IKEv1]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, All IPSec SA proposals found unacceptable!
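
Debug output like the above can be triaged mechanically. The following is an added example, not part of the original post and not Cisco code: it pulls the proxy IDs, the skipped static crypto map entries, the selected map and the final rejection out of `debug crypto isakmp` text. The names `triage` and `failed_stage` are hypothetical, and the regular expressions assume the message wording shown in this thread.

```python
import re

# Lines copied from the debug output posted above; the peer address stays
# masked exactly as the poster masked it.
PEER = "Jul 15 20:34:10 [IKEv1]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, "
SAMPLE = "\n".join(PEER + tail for tail in [
    "Received remote IP Proxy Subnet data in ID Payload:   Address 172.18.0.0, Mask 255.255.0.0, Protocol 0, Port 0",
    "Received local IP Proxy Subnet data in ID Payload:   Address 192.168.100.0, Mask 255.255.255.0, Protocol 0, Port 0",
    "Static Crypto Map check, checking map = abcmap, seq = 1...",
    "Static Crypto Map check, map = abcmap, seq = 1, ACL does not match proxy IDs src:172.18.0.0 dst:192.168.100.0",
    "Static Crypto Map check, map = abcmap, seq = 2, ACL does not match proxy IDs src:172.18.0.0 dst:192.168.100.0",
    "IKE Remote Peer configured for crypto map: abcmapdyn",
    "All IPSec SA proposals found unacceptable!",
])

# Patterns assume the ASA message wording seen in this thread.
PROXY = re.compile(r"Received (remote|local) IP Proxy Subnet data in ID Payload:\s+"
                   r"Address ([\d.]+), Mask ([\d.]+)")
SKIPPED = re.compile(r"map = ([^,\s]+), seq = (\d+), ACL does not match proxy IDs")
SELECTED = re.compile(r"IKE Remote Peer configured for crypto map: (\S+)")
REJECTED = "All IPSec SA proposals found unacceptable"

def triage(log_text):
    """Summarise one IKEv1 Quick Mode attempt from ASA debug text."""
    out = {"proxy": {}, "skipped": [], "selected_map": None, "proposal_rejected": False}
    for line in log_text.splitlines():
        if m := PROXY.search(line):
            out["proxy"][m.group(1)] = (m.group(2), m.group(3))  # (address, mask)
        elif m := SKIPPED.search(line):
            out["skipped"].append((m.group(1), int(m.group(2))))  # (map, seq)
        elif m := SELECTED.search(line):
            out["selected_map"] = m.group(1)
        elif REJECTED in line:
            out["proposal_rejected"] = True
    return out

def failed_stage(summary):
    """Describe, from the logged lines only, where the attempt stopped."""
    if not summary["proposal_rejected"]:
        return "no rejection logged"
    if summary["selected_map"] is None:
        return "proposal rejected, no crypto map selection logged"
    return f"proposal rejected after selecting crypto map {summary['selected_map']}"

if __name__ == "__main__":
    summary = triage(SAMPLE)
    print(summary)
    print(failed_stage(summary))
```

For the output in this thread it reports that the rejection comes after `abcmapdyn` is selected, that is, at the IPsec proposal step, where the phase 2 settings offered by the peer are compared with the transform set on the ASA.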

 

 

4 Replies

Puneesh Chhabra
Cisco Employee

IPSEC SAs are not matching.

Can you attach the configs?

 

Regards,

Puneesh

Hi,

Here is the extracted configuration related to the VPN under investigation.

Best regards

ASA Version 8.2(1) 
!
!
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.128.0 
!
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.18.0.0 255.255.0.0 
...
access-list PingDebug extended permit icmp any any 
...
access-list l2l_list_4 extended permit ip 192.168.100.0 255.255.255.0 172.18.0.0 255.255.0.0 
...
...
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map abcmapdyn 4 set transform-set FirstSet
crypto map abcmap 5 ipsec-isakmp dynamic abcmapdyn
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp am-disable
...
...
...
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *******
...

 

Hi,

Those are the only available IPSEC SA attributes on the Digicom VPN router. Could you suggest a better match?

 

Thanks in advance.

Best Regards

Hello,

Could you suggest where I'm going wrong with the IPSEC SAs?

Thanks in advance

Best Regards