VPN Phase 2 mismatch

chrisfore
Level 1

I have a phase 2 mismatch I cannot sniff out, please help!


Below are the relevant configs.


ASA <---> Cisco 891F router using site-to-site VPN settings. I have the crypto maps applied on the outgoing interfaces and phase 1 works fine; phase 2 fails and says there is no phase 2 match.


ASA
-------------
access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_4 10.112.10.0 255.255.255.0 

crypto ipsec ikev1 transform-set esp-des esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set Hollister esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set 3des-trans esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set test2 esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set test1 esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set test3 esp-aes-256 esp-sha-hmac 

crypto map outside_map 1 match address outside_cryptomap_2
crypto map outside_map 1 set peer 108.X 
crypto map outside_map 1 set ikev1 transform-set 3des-trans test2 test1 test3
crypto map outside_map 1 set security-association lifetime seconds 43200
crypto map outside_map 1 set reverse-route


Router
--------------
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key XX address 71.X
!
!
crypto ipsec transform-set vpn_trans esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set phase2 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set IPSEC2 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ipsec3 esp-aes
 mode tunnel
crypto ipsec transform-set ipsec4 esp-3des
 mode tunnel
crypto ipsec transform-set test1 esp-aes
 mode tunnel
crypto ipsec transform-set test2 esp-3des
 mode tunnel

!
crypto map vpn_map 10 ipsec-isakmp
 set peer 71.X
 set security-association lifetime seconds 43200
 match address 101
!

access-list 101 permit ip 10.112.10.0 0.0.0.255 10.11.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.40.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.50.0.0 0.0.255.255
access-list 101 permit ip 10.112.10.0 0.0.0.255 10.0.0.0 0.255.255.255


3 Replies

Dinesh Moudgil
Cisco Employee

The router's configuration does not have a transform set configured under the crypto map. The complete configuration should look like:

crypto map vpn_map 10 ipsec-isakmp
 set peer 71.X
 set transform-set <transform set name>
 set security-association lifetime seconds 43200
 match address 101

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

I have added the following... Good catch, but this did not fix the issue.


 set transform-set test1 test2 ipsec3 ipsec4 phase2 IPSEC2


I see a QM FSM error and another error saying all phase 2 proposals are unacceptable in ASDM.


Add the following commands on the router:

crypto ipsec transform-set 3des_sha esp-3des esp-sha-hmac
crypto map vpn_map 10 ipsec-isakmp
 set transform-set 3des_sha

If this does not work, please share the output of "show run object-group id DM_INLINE_NETWORK_4" from the ASA.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
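An added illustration of why the accepted fix works (example code written for this thread, not posted by either participant): the script parses the transform-set and crypto-map lines of both peers, using trimmed excerpts of the configs posted above, and lists the offered proposals that agree on cipher, integrity and mode. It assumes that re-issuing `set transform-set` replaces the list rather than appending to it. With the configs as posted it finds no common proposal, which is exactly the "all phase 2 proposals unacceptable" condition; with the fix appended it finds one.

```python
import re

# Constructed excerpts of the ASA and router configs posted in this thread;
# only the lines the check needs are kept, names and transforms as posted.
ASA_CFG = """\
crypto ipsec ikev1 transform-set 3des-trans esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set test1 esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto map outside_map 1 set ikev1 transform-set 3des-trans test1
"""
IOS_CFG = """\
crypto ipsec transform-set test1 esp-aes
 mode tunnel
crypto ipsec transform-set test2 esp-3des
 mode tunnel
crypto map vpn_map 10 ipsec-isakmp
 set transform-set test1 test2
"""
# The accepted fix from this thread, appended to the router config.
IOS_FIX = """\
crypto ipsec transform-set 3des_sha esp-3des esp-sha-hmac
crypto map vpn_map 10 ipsec-isakmp
 set transform-set 3des_sha
"""
DEF_RE = re.compile(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^(?:crypto map \S+ \d+ )?set (?:ikev1 )?transform-set (.+)$")

def offered(cfg):
    """Return {name: (transforms, mode)} for the sets the crypto map offers."""
    sets, chosen, current = {}, [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := DEF_RE.match(line):
            name, rest = m.groups()
            if rest.startswith("mode "):              # ASA: mode on its own line
                sets[name] = (sets[name][0], rest.split()[1])
            else:                                     # mode defaults to tunnel
                sets[name], current = (frozenset(rest.split()), "tunnel"), name
        elif line.startswith("mode ") and current:    # IOS: mode indented under set
            sets[current] = (sets[current][0], line.split()[1])
        elif m := MAP_RE.match(line):
            chosen = m.group(1).split()               # assumed: re-issuing replaces list
    return {n: sets[n] for n in chosen if n in sets}

def common_proposals(asa_cfg, ios_cfg):
    """(asa_set, ios_set) pairs whose cipher, integrity and mode all agree.
    Names are irrelevant: test1 exists on both peers with different contents."""
    a, b = offered(asa_cfg), offered(ios_cfg)
    return sorted((x, y) for x in a for y in b if a[x] == b[y])
```

Call `common_proposals(ASA_CFG, IOS_CFG)` for the posted configs and `common_proposals(ASA_CFG, IOS_CFG + IOS_FIX)` for the repaired router; the same check applied to a full `show run` from each peer will also flag sets that differ only in tunnel versus transport mode.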