07-29-2015 10:17 PM
I have a phase 2 mismatch I cannot sniff out, please help!
Below are the relevant configs.
ASA <---> Cisco 891F router using site-to-site VPN settings. I have the crypto maps applied on the outgoing interfaces and PHASE 1 works fine; phase 2 fails and says there is no phase 2 match.
ASA
-------------
access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_4 10.112.10.0 255.255.255.0
crypto ipsec ikev1 transform-set esp-des esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Hollister esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set 3des-trans esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set test2 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set test1 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set test3 esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set peer 108.X
crypto map outside_map 1 set ikev1 transform-set 3des-trans test2 test1 test3
crypto map outside_map 1 set security-association lifetime seconds 43200
crypto map outside_map 1 set reverse-route
Router
--------------
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key XX address 71.X
!
!
crypto ipsec transform-set vpn_trans esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set phase2 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set IPSEC2 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ipsec3 esp-aes
 mode tunnel
crypto ipsec transform-set ipsec4 esp-3des
 mode tunnel
crypto ipsec transform-set test1 esp-aes
 mode tunnel
crypto ipsec transform-set test2 esp-3des
 mode tunnel
!
crypto map vpn_map 10 ipsec-isakmp
 set peer 71.X
 set security-association lifetime seconds 43200
 match address 101
!
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.40.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.50.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.0.0.0 0.255.255.255
07-29-2015 10:47 PM
The router's configuration does not have a transform set configured under the crypto map. The complete configuration should look like this:
crypto map vpn_map 10 ipsec-isakmp
 set peer 71.X
 set transform-set <transform set name>
 set security-association lifetime seconds 43200
 match address 101
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
07-29-2015 11:06 PM
I have added the following... Good catch, but this did not fix the issue:
set transform-set test1 test2 ipsec3 ipsec4 phase2 IPSEC2
I see a QM FSM error and another error saying all phase 2 proposals are unacceptable in ASDM.
07-29-2015 11:21 PM
Add the following commands on the router:
crypto ipsec transform-set 3des_sha esp-3des esp-sha-hmac
crypto map vpn_map 10 ipsec-isakmp
 set transform-set 3des_sha
If this does not work, please share the output of "show run object-group id DM_INLINE_NETWORK_4" from the ASA.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
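Why the accepted answer works: every transform set the ASA crypto map offers is 3DES or AES-256 with SHA-1 HMAC in tunnel mode, while the router's sets are either AES-128 or have no integrity transform at all, so the two proposal lists share nothing until a 3DES/SHA tunnel-mode set is added. The script below is an added example, not code from the thread or from Cisco; it normalises the ASA and IOS transform-set syntaxes into (encryption, integrity, mode) tuples and intersects what the two crypto maps actually offer. The config strings are constructed excerpts of the posted configs, trimmed to a representative subset of the set names used in the thread.

```python
import re

# Constructed excerpts of the two configs posted in the thread, trimmed to a
# representative subset of the transform sets each crypto map references.
ASA_CONFIG = """
crypto ipsec ikev1 transform-set 3des-trans esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set test2 esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set test1 esp-aes-256 esp-sha-hmac
crypto map outside_map 1 set ikev1 transform-set 3des-trans test2 test1
"""
IOS_CONFIG_BEFORE = """
crypto ipsec transform-set vpn_trans esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set phase2 esp-aes esp-sha-hmac
crypto ipsec transform-set test1 esp-aes
crypto ipsec transform-set test2 esp-3des
crypto map vpn_map 10 ipsec-isakmp
 set transform-set test1 test2 phase2
"""
# The accepted answer: a 3DES/SHA set becomes the only one under the map (on IOS a
# new 'set transform-set' replaces the previous list rather than appending to it).
IOS_CONFIG_AFTER = IOS_CONFIG_BEFORE.replace(
    "set transform-set test1 test2 phase2", "set transform-set 3des_sha"
) + "crypto ipsec transform-set 3des_sha esp-3des esp-sha-hmac\n"

ENCR = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes-128", "esp-aes-192": "aes-192", "esp-aes-256": "aes-256"}
INTEG = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}

def parse_transform_sets(config):
    """Map set name -> [encryption, integrity, mode]; mode defaults to tunnel on both platforms."""
    sets, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)", line)
        if m and m.group(2).startswith("mode "):      # ASA style: 'transform-set NAME mode transport'
            sets[m.group(1)][2] = m.group(2).split()[1]
        elif m:
            current, transforms = m.group(1), m.group(2).split()
            integ = next((INTEG[t] for t in transforms if t in INTEG), "none")
            sets[current] = [ENCR.get(transforms[0], transforms[0]), integ, "tunnel"]
        elif line.startswith("mode ") and current:   # IOS style: indented 'mode' sub-command
            sets[current][2] = line.split()[1]
    return sets

def offered_proposals(config):
    """Set of (encryption, integrity, mode) tuples the crypto map actually offers to the peer."""
    sets = parse_transform_sets(config)
    m = re.search(r"\bset (?:ikev1 )?transform-set (.+)", config)
    return {tuple(sets[n]) for n in (m.group(1).split() if m else [])}

def phase2_matches(asa_cfg, ios_cfg):
    """Proposals both peers accept; an empty list is the 'no phase 2 match' seen in the thread."""
    return sorted(offered_proposals(asa_cfg) & offered_proposals(ios_cfg))
```

Running `phase2_matches` on the "before" pair returns an empty list, and on the "after" pair returns the single common proposal `('3des', 'sha1', 'tunnel')`; the same check also exposes a tunnel/transport mode mismatch, which a name like `3des-trans` on the ASA can easily hide.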