07-16-2015 03:19 AM
Hi all,
I'm trying to configure a VPN between an ASA 5505 (static IP side) and a Digipoint VPN GPRS router (dynamic IP side). Of course I'm trying to open the VPN from the dynamic IP side to the static IP side, but debug crypto isakmp 255 shows the messages below.
Using sh crypto isakmp I see the VPN established for ONLY 1 second... before dropping.
I already checked the Local (static side 192.168.100.0/24) and Remote (dynamic side 172.18.0.0/16) LAN and they match perfectly. Do you have any other suggestions?
Thanks in advance
Jul 15 20:34:10 [IKEv1]: IP = ***IP_DYNMIC_ADDRESS***, IKE_DECODE RECEIVED Message (msgid=9ff1a52) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 182
Jul 15 20:34:10 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, processing hash payload
Jul 15 20:34:10 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, processing SA payload
Jul 15 20:34:10 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, processing nonce payload
Jul 15 20:34:10 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, processing ID payload
Jul 15 20:34:10 [IKEv1 DECODE]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, ID_IPV4_ADDR_SUBNET ID received--172.18.0.0--255.255.0.0
Jul 15 20:34:10 [IKEv1]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, Received remote IP Proxy Subnet data in ID Payload: Address 172.18.0.0, Mask 255.255.0.0, Protocol 0, Port 0
Jul 15 20:34:10 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, processing ID payload
Jul 15 20:34:10 [IKEv1 DECODE]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, ID_IPV4_ADDR_SUBNET ID received--192.168.100.0--255.255.255.0
Jul 15 20:34:10 [IKEv1]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, Received local IP Proxy Subnet data in ID Payload: Address 192.168.100.0, Mask 255.255.255.0, Protocol 0, Port 0
Jul 15 20:34:10 [IKEv1]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, QM IsRekeyed old sa not found by addr
Jul 15 20:34:10 [IKEv1]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, Static Crypto Map check, checking map = abcmap, seq = 1...
Jul 15 20:34:10 [IKEv1]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, Static Crypto Map check, map = abcmap, seq = 1, ACL does not match proxy IDs src:172.18.0.0 dst:192.168.100.0
Jul 15 20:34:10 [IKEv1]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, Static Crypto Map check, checking map = abcmap, seq = 2...
Jul 15 20:34:10 [IKEv1]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, Static Crypto Map check, map = abcmap, seq = 2, ACL does not match proxy IDs src:172.18.0.0 dst:192.168.100.0
Jul 15 20:34:10 [IKEv1]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, IKE Remote Peer configured for crypto map: abcmapdyn
Jul 15 20:34:10 [IKEv1 DEBUG]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, processing IPSec SA payload
Jul 15 20:34:10 [IKEv1]: Group = DefaultL2LGroup, IP = ***IP_DYNMIC_ADDRESS***, All IPSec SA proposals found unacceptable!
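The debug output above, reduced to the point where Quick Mode stopped. This is an added example, not part of the original post; the sample lines are constructed in the same format, 203.0.113.10 is a placeholder peer address, and the function and stage names are hypothetical.

```python
import re

# Constructed sample in the format of the debug output above; 203.0.113.10 is a placeholder peer.
P = "Jul 15 20:34:10 [IKEv1]: Group = DefaultL2LGroup, IP = 203.0.113.10, "
SAMPLE = "\n".join(P + m for m in [
    "Received remote IP Proxy Subnet data in ID Payload: Address 172.18.0.0, Mask 255.255.0.0, Protocol 0, Port 0",
    "Received local IP Proxy Subnet data in ID Payload: Address 192.168.100.0, Mask 255.255.255.0, Protocol 0, Port 0",
    "Static Crypto Map check, map = abcmap, seq = 1, ACL does not match proxy IDs src:172.18.0.0 dst:192.168.100.0",
    "Static Crypto Map check, map = abcmap, seq = 2, ACL does not match proxy IDs src:172.18.0.0 dst:192.168.100.0",
    "IKE Remote Peer configured for crypto map: abcmapdyn",
    "All IPSec SA proposals found unacceptable!",
])

PROXY = re.compile(r"Received (remote|local) IP Proxy Subnet data in ID Payload: "
                   r"Address ([\d.]+), Mask ([\d.]+)")
MISS = re.compile(r"Static Crypto Map check, map = ([^,\s]+), seq = (\d+), ACL does not match")
SELECTED = re.compile(r"IKE Remote Peer configured for crypto map: (\S+)")
REJECTED = "All IPSec SA proposals found unacceptable"


def summarize_quick_mode(log_text):
    """Reduce the debug lines of one Quick Mode attempt to the point where it stopped."""
    s = {"proxy": {}, "static_misses": [], "selected_map": None, "rejected": False}
    for line in log_text.splitlines():
        if m := PROXY.search(line):
            s["proxy"][m.group(1)] = (m.group(2), m.group(3))
        elif m := MISS.search(line):
            s["static_misses"].append((m.group(1), int(m.group(2))))
        elif m := SELECTED.search(line):
            s["selected_map"] = m.group(1)
        elif REJECTED in line:
            s["rejected"] = True
    if not s["rejected"]:
        s["stage"] = "no_rejection_logged"
    elif s["selected_map"]:
        # Proxy IDs were accepted by a map entry; the SA proposal itself was refused.
        s["stage"] = "proposal_rejected_after_map_selected"
    else:
        # No crypto map entry accepted the proxy IDs at all.
        s["stage"] = "no_crypto_map_for_proxy_ids"
    return s


if __name__ == "__main__":
    for key, value in summarize_quick_mode(SAMPLE).items():
        print(f"{key}: {value}")
```

A result of `proposal_rejected_after_map_selected` means the traffic selectors were accepted and the Phase 2 proposal offered by the peer is what to compare against the selected map's settings.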
07-16-2015 05:18 AM
IPSEC SAs are not matching
Can you attach configs?
Regards,
Puneesh
07-16-2015 07:29 AM
Hi,
here the extract configuration related to the VPN under investigation.
Best regards
ASA Version 8.2(1)
!
!
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.128.0
!
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 172.18.0.0 255.255.0.0
...
access-list PingDebug extended permit icmp any any
...
access-list l2l_list_4 extended permit ip 192.168.100.0 255.255.255.0 172.18.0.0 255.255.0.0
...
...
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map abcmapdyn 4 set transform-set FirstSet
crypto map abcmap 5 ipsec-isakmp dynamic abcmapdyn
crypto map abcmap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
crypto isakmp am-disable
...
...
...
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *******
...
07-20-2015 02:15 AM
07-21-2015 07:25 AM
Hello,
could you suggest where I'm going wrong with the IPSEC SAs?
thanks in advance
Best Regards