04-02-2012 10:46 AM
I followed the instructions for interconnecting 2 LANs using VPN (I am using GNS3 simulating 2 ASA 5510, one on each side, to build the VPN) but I am receiving the following error (unfortunately, I am not an expert in terms of ASA).
ciscoasa2# Apr 02 06:12:42 [IKEv1]Group = 67.94.1.2, IP = 67.94.1.2, QM FSM error (P2 struct &0xbc396bb8, mess id 0x65d3a659)!
Apr 02 06:12:42 [IKEv1]Group = 67.94.1.2, IP = 67.94.1.2, Removing peer from correlator table failed, no match!
Apr 02 06:12:42 [IKEv1]Group = 67.94.1.2, IP = 67.94.1.2, Session is being torn down. Reason: Phase 2 Mismatch
Apr 02 06:12:44 [IKEv1]Group = 67.94.1.2, IP = 67.94.1.2, QM FSM error (P2 struct &0xbc146df0, mess id 0x2709556c)!
The diagram is something like:
PC1-LAN1--ASA1---WAN---ASA2--LAN2---PC2
Before applying the VPN, I could ping from PC1 to the OUTSIDE of ASA2 and vice versa.
The configurations for the ASAs are:
SITE 1
ASA Version 8.4(2)
!
hostname ciscoasa2
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
description CONNECTION TO ROUTER # 2
nameif outside
security-level 0
ip address 50.1.1.2 255.255.255.0
!
interface GigabitEthernet1
description CONNECTION TO SWITCH # 2
nameif inside
security-level 100
ip address 10.1.1.1 255.255.255.0
!
SOME INTERFACES WERE OMITTED
!
ftp mode passive
object network INTERNAL_LAN
subnet 10.1.1.0 255.255.255.0
object network NETWORK-LOCAL
subnet 10.1.1.0 255.255.255.0
object network NETWORK-REMOTE
subnet 172.16.1.0 255.255.255.0
access-list OUTSIDE_IN remark Traffic from Outside (Internet) to Internal LAN
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit icmp any any
access-list VPN-TO-ASA1 extended permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK-LOCAL NETWORK-LOCAL destination static NETWORK-REMOTE NETWORK-REMOTE
!
object network INTERNAL_LAN
nat (inside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 50.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set espSHA3DESproto esp-des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-ASA1
crypto map IPSEC 10 set peer 67.94.1.2
crypto map IPSEC 10 set ikev1 transform-set espSHA3DESproto
crypto map IPSEC interface outside
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 67.94.1.2 type ipsec-l2l
tunnel-group 67.94.1.2 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 30 retry 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:e96b9102c0afc699ca39df978dd1096b
: end
ciscoasa2#
SITE 2
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
description CONNECTION TO INTERNET 67.94.1.0 / 28
nameif outside
security-level 0
ip address 67.94.1.2 255.255.255.240
!
interface GigabitEthernet1
description INTERNAL LAN CONNECTION 172.16.1.0 / 24
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
!
ftp mode passive
object network Network-Local
subnet 172.16.1.0 255.255.255.0
object network Network-Remota
subnet 10.1.1.0 255.255.255.0
object network INTERNAL-LAN
subnet 172.16.1.0 255.255.255.0
access-list OUTSIDE_IN remark Traffic from Outside (Internet) to Internal LAN
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit icmp any any
access-list VPN-TO-ASA2 extended permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static Network-Local Network-Local destination static Network-Remota Network-Remota
!
object network INTERNAL-LAN
nat (inside,outside) dynamic interface
access-group OUTSIDE_IN in interface outside
route outside 0.0.0.0 0.0.0.0 67.94.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set espSHA3DESproto esp-3des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-ASA2
crypto map IPSEC 10 set peer 50.1.1.2
crypto map IPSEC 10 set ikev1 transform-set espSHA3DESproto
crypto map IPSEC interface outside
crypto isakmp identity address
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 50.1.1.2 type ipsec-l2l
tunnel-group 50.1.1.2 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 30 retry 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
crashinfo save disable
Cryptochecksum:7f6998d87d35c9fab97d2c41f00c7d95
: end
ciscoasa#
VERSION OF IOS in the GNS3 ASA
ciscoasa2# show flash
--#-- --length-- -----date/time------ path
5 4096 Mar 31 2012 20:28:08 log
10 4096 Mar 31 2012 20:28:12 coredumpinfo
11 59 Mar 31 2012 20:28:12 coredumpinfo/coredump.cfg
78 196 Mar 31 2012 20:28:12 upgrade_startup_errors_201203312028.log
74 0 Mar 31 2012 21:13:36 nat_ident_migrate
268136448 bytes total (267767808 bytes free)
ciscoasa2# show ver
Cisco Adaptive Security Appliance Software Version 8.4(2)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "Unknown, monitor mode tftp booted image"
Config file at boot was "startup-config"
ciscoasa2 up 2 hours 59 mins
Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash unknown @ 0x0, 0KB
0: Ext: GigabitEthernet0 : address is 00ab.a72f.0100, irq 0
1: Ext: GigabitEthernet1 : address is 00ab.a72f.0101, irq 0
2: Ext: GigabitEthernet2 : address is 0000.ab96.ba02, irq 0
3: Ext: GigabitEthernet3 : address is 0000.abc5.8a03, irq 0
4: Ext: GigabitEthernet4 : address is 0000.ab7a.4604, irq 0
5: Ext: GigabitEthernet5 : address is 0000.abd9.1205, irq 0
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 100 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
VPN-DES : Disabled perpetual
VPN-3DES-AES : Disabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 5000 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 5000 perpetual
Total VPN Peers : 0 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has an ASA 5520 VPN Plus license.
Serial Number: 123456789AB
Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x0
Configuration last modified by enable_15 at 06:07:30.389 UTC Mon Apr 2 2012
ciscoasa2#
IN ADDITION TO THAT, I tried to configure the isakmp policy, but I only have the following options:
ciscoasa(config)# crypto ?
configure mode commands/options:
ca Certification authority
dynamic-map Configure a dynamic crypto map
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
ipsec Configure transform-set, IPSec SA lifetime, and fragmentation
isakmp Configure ISAKMP
key Long term key operations
map Configure a crypto map
exec mode commands/options:
ca Execute Certification Authority Commands
ciscoasa(config)# crypto is
ciscoasa(config)# crypto isakmp ?
configure mode commands/options:
disconnect-notify Enable disconnect notification to peers
identity Set identity type (address, hostname or key-id)
nat-traversal Enable and configure nat-traversal
reload-wait Wait for voluntary termination of existing connections before reboot
ciscoasa(config)#
ciscoasa(config)# crypto ?
configure mode commands/options:
ca Certification authority
dynamic-map Configure a dynamic crypto map
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
ipsec Configure transform-set, IPSec SA lifetime, and fragmentation
isakmp Configure ISAKMP
key Long term key operations
map Configure a crypto map
exec mode commands/options:
ca Execute Certification Authority Commands
ciscoasa(config)# crypto ike
ciscoasa(config)# crypto ikev1 ?
configure mode commands/options:
am-disable Disable inbound aggressive mode connections
enable Enable IKEv1 on the specified interface
ipsec-over-tcp Enable and configure IPSec over TCP
policy Set IKEv1 policy suite
ciscoasa(config)# crypto ikev1 policy ?
configure mode commands/options:
<1-65535> Policy suite priority(1 highest, 65535 lowest)
ciscoasa(config)#
That is the reason why I was only able to configure:
crypto ikev1 policy 10
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
There is no SA established between both ENDS.
Thank you in advance for your orientation regarding this issue!!
04-02-2012 12:31 PM
Hi,
Your Site1 transform set has "DES", your Site2 has "3DES":
Site1: crypto ipsec ikev1 transform-set espSHA3DESproto esp-des esp-sha-hmac
Site2: crypto ipsec ikev1 transform-set espSHA3DESproto esp-3des esp-sha-hmac
- Jouni
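The reply above spots the mismatch by reading both configs side by side. The script below, an added example that is not code from the thread or from Cisco, does that comparison mechanically: it parses the crypto-relevant lines of two ASA 8.4 configs and reports whatever the two tunnel ends do not agree on, namely the peer address and tunnel-group, the IKEv1 (Phase 1) policy, the IPsec transform-set (Phase 2), and the crypto ACLs, which must be mirror images of each other. The two sample configs are constructed excerpts of the Site 1 and Site 2 configs posted in the question; the site labels, dictionary keys and function names are the example's own.

```python
"""Cross-check two ASA 8.4 IKEv1 site-to-site configs for the kind of mismatch behind
'QM FSM error' / 'Phase 2 Mismatch'. Added example, not code from the thread or from Cisco."""
import re

# Constructed excerpts of the two configs posted above (only the lines both ends must agree on).
SITE1_CFG = """\
interface GigabitEthernet0
nameif outside
ip address 50.1.1.2 255.255.255.0
access-list VPN-TO-ASA1 extended permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ipsec ikev1 transform-set espSHA3DESproto esp-des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-ASA1
crypto map IPSEC 10 set peer 67.94.1.2
crypto map IPSEC 10 set ikev1 transform-set espSHA3DESproto
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 67.94.1.2 type ipsec-l2l
"""
SITE2_CFG = """\
interface GigabitEthernet0
nameif outside
ip address 67.94.1.2 255.255.255.240
access-list VPN-TO-ASA2 extended permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto ipsec ikev1 transform-set espSHA3DESproto esp-3des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-ASA2
crypto map IPSEC 10 set peer 50.1.1.2
crypto map IPSEC 10 set ikev1 transform-set espSHA3DESproto
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 50.1.1.2 type ipsec-l2l
"""
SITE1_FIXED_CFG = SITE1_CFG.replace("esp-des ", "esp-3des ")  # the correction the reply recommends
P1_KEYS = ("authentication", "encryption", "hash", "group")  # lifetime is negotiated down, so not compared

def parse_asa(cfg):
    d = {"ifaces": {}, "acls": {}, "tsets": {}, "policies": {}, "maps": {}, "tgroups": set()}
    cur_if = cur_pol = None  # the interface / ikev1 policy block we are currently inside
    for line in (raw.strip() for raw in cfg.splitlines()):  # strip() also handles indented show-run output
        if m := re.fullmatch(r"interface (\S+)", line):
            cur_if, cur_pol = d["ifaces"].setdefault(m[1], {}), None
        elif (m := re.fullmatch(r"nameif (\S+)", line)) and cur_if is not None:
            cur_if["nameif"] = m[1]
        elif (m := re.fullmatch(r"ip address (\S+) (\S+)", line)) and cur_if is not None:
            cur_if["ip"] = m[1]
        elif m := re.fullmatch(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            d["acls"].setdefault(m[1], set()).add((m[2], m[3], m[4], m[5]))
        elif m := re.fullmatch(r"crypto ipsec ikev1 transform-set (\S+) (.+)", line):
            d["tsets"][m[1]] = tuple(m[2].split())
        elif m := re.fullmatch(r"crypto map (\S+) (\d+) (match address|set peer|set ikev1 transform-set) (.+)", line):
            d["maps"].setdefault((m[1], int(m[2])), {})[m[3]] = m[4].split()
        elif m := re.fullmatch(r"crypto ikev1 policy (\d+)", line):
            cur_pol, cur_if = d["policies"].setdefault(int(m[1]), {}), None
        elif (m := re.fullmatch(r"(authentication|encryption|hash|group|lifetime) (\S+)", line)) and cur_pol is not None:
            cur_pol[m[1]] = m[2]
        elif m := re.fullmatch(r"tunnel-group (\S+) type ipsec-l2l", line):
            d["tgroups"].add(m[1])
    return d

def outside_ip(d):
    return next((i["ip"] for i in d["ifaces"].values() if i.get("nameif") == "outside"), None)

def phase1_suites(d):
    return {tuple(p.get(k) for k in P1_KEYS) for p in d["policies"].values()}

def phase2_suites(d):  # (esp-cipher, esp-auth) pairs the crypto map entries can actually propose
    return {d["tsets"][n] for e in d["maps"].values()
            for n in e.get("set ikev1 transform-set", []) if n in d["tsets"]}

def crypto_aces(d):  # proxy IDs: the ACEs referenced by the crypto map's 'match address'
    return {ace for e in d["maps"].values()
            for n in e.get("match address", []) for ace in d["acls"].get(n, ())}

def cross_check(a, b, na="site1", nb="site2"):
    """Return findings; an empty list means both ends agree on everything checked."""
    out = []
    for me, mn, other, on in ((a, na, b, nb), (b, nb, a, na)):
        peer = outside_ip(other)
        if not any(e.get("set peer") == [peer] for e in me["maps"].values()) or peer not in me["tgroups"]:
            out.append(f"{mn}: no crypto map peer / tunnel-group for {peer} ({on} outside address)")
    if not phase1_suites(a) & phase1_suites(b):
        out.append(f"Phase 1: no common ikev1 policy: {na} {sorted(phase1_suites(a))} vs {nb} {sorted(phase1_suites(b))}")
    if not phase2_suites(a) & phase2_suites(b):
        out.append(f"Phase 2: no common transform-set: {na} offers {sorted(phase2_suites(a))}, {nb} offers {sorted(phase2_suites(b))}")
    mirrored = {(dst, dm, src, sm) for (src, sm, dst, dm) in crypto_aces(b)}  # each ACL must mirror the other
    if crypto_aces(a) != mirrored:
        out.append(f"Phase 2: crypto ACLs do not mirror each other: {na} {sorted(crypto_aces(a))} vs {nb} {sorted(crypto_aces(b))}")
    return out

if __name__ == "__main__":
    print(cross_check(parse_asa(SITE1_CFG), parse_asa(SITE2_CFG)) or ["OK"])
```

Run against the two posted configs it returns a single finding, the DES/3DES transform-set difference; against SITE1_FIXED_CFG it returns nothing. The log line in the question ("Session is being torn down. Reason: Phase 2 Mismatch") already says the failure is in Quick Mode, so the transform-set and crypto ACL checks are the ones to look at first; a pre-shared-key or ikev1 policy problem would have failed in Phase 1 before the QM FSM was reached. The script compares only what these two configs contain: it does not look at PFS (`set pfs`), IPsec SA lifetimes or IKEv2, and it treats the peer's outside address as the expected `set peer` and tunnel-group name, which holds for an ASA-to-ASA tunnel without NAT between the peers.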
04-02-2012 01:41 PM
Hi JouniForss,
Thank you so much, I made the modification and now it works.
I can continue simulating all the possible scenarios for interconnecting ASA + VMware for Web/FTP servers.
regards
Abraham
04-02-2012 01:44 PM
Hi,
Glad to hear you got it working
Please rate if you found it helpful
- Jouni
04-02-2012 02:27 PM
Jouni, I am trying to rate it but it does not work. Layer 8 problem apparently!!!
04-02-2012 03:20 PM
Hi,
There should be 2 rows of stars at the bottom of every post. The left one of the rows should let you set a rating when you put your pointer over the stars.
But if it doesn't work, it's no problem.