
VPN Site to site ASA 5550 -> 5506-X - Problem

dorcejose
Level 1

Hello everyone!

I'm having some problems setting up a VPN tunnel between two Cisco ASAs.

The scenario is as follows:

One ASA 5506 (my side) and one 5550 (other side).

Tunnel properties are as follows:

Phase 1
Auth: Pre-shared key
Encryp: IKE
Group 2
Encrypt: 3DES
Hashing: SHA1
Main Mode Only
Lifetime 86400

Phase 2
Encapsulation: ESP
Encrypt: AES128
Authentication ESP: NO
Authentication AH: SHA-1
PFS: NO
Lifetime 3600

Host on my side is 10.1.2.198 and the remote side 10.112.8.34.

Now, the problem:

Phase 1 completes successfully, but Phase 2 does not.

I tried setting it up through the wizard (ASDM GUI) and through the console CLI, but the same problem occurs:

[IKEv1]Group = 190.30.233.52, IP = 190.30.233.52, PHASE 1 COMPLETED
[IKEv1]IP = 190.30.233.52, Keep-alive type for this connection: DPD
[IKEv1 DEBUG]Group = 190.30.233.52, IP = 190.30.233.52, Starting P1 rekey timer: 82080 seconds.
[IKEv1]Group = 190.30.233.52, IP = 190.30.233.52, Add to IKEv1 Tunnel Table succeeded for SA with logical ID 589824
[IKEv1]Group = 190.30.233.52, IP = 190.30.233.52, Add to IKEv1 MIB Table succeeded for SA with logical ID 589824
[IKEv1 DEBUG]Group = 190.30.233.52, IP = 190.30.233.52, IKE got SPI from key engine: SPI = 0x7c37d268
[IKEv1 DEBUG]Group = 190.30.233.52, IP = 190.30.233.52, IKE got SPI from key engine: SPI = 0x50859caf
[IKEv1 DEBUG]Group = 190.30.233.52, IP = 190.30.233.52, oakley constucting quick mode
[IKEv1 DEBUG]Group = 190.30.233.52, IP = 190.30.233.52, constructing blank hash payload
[IKEv1 DEBUG]Group = 190.30.233.52, IP = 190.30.233.52, constructing IPSec SA payload
[IKEv1 DEBUG]Group = 190.30.233.52, IP = 190.30.233.52, constructing IPSec nonce payload
[IKEv1 DEBUG]Group = 190.30.233.52, IP = 190.30.233.52, constructing proxy ID
[IKEv1 DEBUG]Group = 190.30.233.52, IP = 190.30.233.52, Transmitting Proxy Id:
Local subnet: 10.1.2.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 10.112.8.0 Mask 255.255.255.0 Protocol 0 Port 0
[IKEv1 DEBUG]Group = 190.30.233.52, IP = 190.30.233.52, constructing qm hash payload
[IKEv1]IP = 190.30.233.52, IKE_DECODE SENDING Message (msgid=ad5e593a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 248
[IKEv1]IP = 190.30.233.52, IKE_DECODE RECEIVED Message (msgid=5b7b1393) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 304
[IKEv1 DEBUG]Group = 190.30.233.52, IP = 190.30.233.52, processing hash payload
[IKEv1 DEBUG]Group = 190.30.233.52, IP = 190.30.233.52, processing notify payload
[IKEv1]Group = 190.30.233.52, IP = 190.30.233.52, Received non-routine Notify message: Invalid ID info (18)
[IKEv1]IP = 190.30.233.52, IKE_DECODE RECEIVED Message (msgid=c62d4d1e) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
[IKEv1 DEBUG]Group = 190.30.233.52, IP = 190.30.233.52, processing hash payload
[IKEv1 DEBUG]Group = 190.30.233.52, IP = 190.30.233.52, processing delete
[IKEv1]Group = 190.30.233.52, IP = 190.30.233.52, Connection terminated for peer 190.30.233.52. Reason: Peer Terminate Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
[IKEv1]Group = 190.30.233.52, IP = 190.30.233.52, Remove from IKEv1 Tunnel Table succeeded for SA with logicalId 589824
[IKEv1]Group = 190.30.233.52, IP = 190.30.233.52, Remove from IKEv1 MIB Table succeeded for SA with logical ID 589824
[IKEv1 DEBUG]Group = 190.30.233.52, IP = 190.30.233.52, sending delete/delete with reason message
[IKEv1 DEBUG]Group = 190.30.233.52, IP = 190.30.233.52, constructing blank hash payload
[IKEv1 DEBUG]Group = 190.30.233.52, IP = 190.30.233.52, constructing IPSec delete payload
[IKEv1 DEBUG]Group = 190.30.233.52, IP = 190.30.233.52, constructing qm hash payload
[IKEv1]IP = 190.30.233.52, IKE_DECODE SENDING Message (msgid=e8f0164b) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
[IKEv1 DEBUG]Group = 190.30.233.52, IP = 190.30.233.52, IKE Deleting SA: Remote Proxy 10.112.8.0, Local Proxy 10.1.2.0
[IKEv1 DEBUG]Group = 190.30.233.52, IP = 190.30.233.52, IKE Deleting SA: Remote Proxy 10.112.8.0, Local Proxy 10.1.2.0
[IKEv1]Group = 190.30.233.52, IP = 190.30.233.52, Removing peer from correlator table failed, no match!
[IKEv1 DEBUG]Group = 190.30.233.52, IP = 190.30.233.52, IKE SA MM:5af65f62 terminating: flags 0x0100c822, refcnt 0, tuncnt 0
[IKEv1]Group = 190.30.233.52, IP = 190.30.233.52, Session is being torn down. Reason: User Requested

Settings on my side:

access-list vpn_traffic extended permit ip host 10.1.2.198 host 10.112.8.34
nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map VPN-MAP 1 match address vpn_traffic
crypto map VPN-MAP 1 set peer 190.30.233.52
crypto map VPN-MAP 1 set ikev1 transform-set ESP-AES128-SHA
crypto map VPN-MAP interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 190.30.233.52 type ipsec-l2l
tunnel-group 190.30.233.52 ipsec-attributes
ikev1 pre-shared-key *****

Maybe I'm not setting the parameters correctly. It's very frustrating.

I hope you can guide me. Thank you very much.

2 Replies

Michael Muenz
Level 5

Have you tried to replace the host values in the ACL with subnets?

Local subnet: 10.1.2.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 10.112.8.0 Mask 255.255.255.0 Protocol 0 Port 0

Michael
Please rate all helpful posts

Thanks for the quick reply! I tried that in different ways, but the problem is still there.
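As an added example (not code from the thread or from Cisco), a small Python check over the debug lines and crypto ACL quoted in the original post: it flags the INVALID-ID-INFORMATION (18) notify that ends quick mode and compares the proxy IDs the ASA actually transmitted with what the crypto ACL selects, which is the mismatch Michael's subnet-versus-host suggestion is about. The sample lines are copied from the post; the function names and the finding texts are mine.

```python
import ipaddress
import re

# Constructed sample: the relevant "debug crypto ikev1" lines and the crypto ACL
# quoted in the post (peer address as given there), embedded so this runs offline.
DEBUG_LINES = """\
[IKEv1 DEBUG]Group = 190.30.233.52, IP = 190.30.233.52, Transmitting Proxy Id:
Local subnet: 10.1.2.0 mask 255.255.255.0 Protocol 0 Port 0
Remote subnet: 10.112.8.0 Mask 255.255.255.0 Protocol 0 Port 0
[IKEv1]Group = 190.30.233.52, IP = 190.30.233.52, Received non-routine Notify message: Invalid ID info (18)
""".splitlines()
CRYPTO_ACL = "access-list vpn_traffic extended permit ip host 10.1.2.198 host 10.112.8.34"
PROXY_RE = re.compile(r"^(Local|Remote) subnet: (\S+) [Mm]ask (\S+)")
ACL_RE = re.compile(r"permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)")

def _acl_operand(token):
    # "host 10.1.2.198" -> 10.1.2.198/32; "10.1.2.0 255.255.255.0" -> 10.1.2.0/24
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)

def parse_acl(ace):
    """(local, remote) networks selected by one 'permit ip' crypto-map ACE."""
    m = ACL_RE.search(ace)
    if not m:
        raise ValueError("unsupported ACE: " + ace)
    return _acl_operand(m.group(1)), _acl_operand(m.group(2))

def parse_transmitted_proxy(lines):
    """(local, remote) proxy IDs the ASA logs under 'Transmitting Proxy Id:'."""
    ids = {}
    for line in lines:
        m = PROXY_RE.match(line)
        if m:
            ids[m.group(1).lower()] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
    return ids.get("local"), ids.get("remote")

def phase2_id_failed(lines):
    # The peer answered quick mode with INVALID-ID-INFORMATION (18): proxy IDs rejected.
    return any("Invalid ID info (18)" in line for line in lines)

def diagnose(lines, ace):
    """Findings: peer rejected the proxy IDs, and/or the debug disagrees with the ACL."""
    acl_ids, tx_ids = parse_acl(ace), parse_transmitted_proxy(lines)
    findings = []
    if phase2_id_failed(lines):
        findings.append("peer rejected proxy IDs: the crypto ACL must mirror the peer's exactly")
    if tx_ids != acl_ids:
        findings.append(f"debug shows {tx_ids} but ACL yields {acl_ids}: capture and config differ")
    return findings
```

Run `diagnose(DEBUG_LINES, CRYPTO_ACL)` against the post's own lines and it reports both findings, since the debug shows /24 proxy IDs while the quoted ACL is host-to-host; a capture and ACL that agree yield an empty list.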