Greetings All,
I'm trying to set up a static LAN-to-LAN tunnel between a Cisco ASA5540 and a remote firewall connection (which I believe to be a Netascq U250 VPN Firewall) and I'm having some trouble and would appreciate some assistance.
The connection is initiated from the Netascq end of the VPN and we have IP connectivity between the two, but it seems to be failing on IKE Phase 1 with the following output on a debug crypto isakmp and debug crypto ipsec:
<167>:Nov 09 11:59:22 AEST: %ASA-vpn-7-713236: IP = [REMOTE-IP], IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 144
<167>:Nov 09 11:59:22 AEST: %ASA-vpn-7-715047: IP = [REMOTE-IP], processing SA payload
<167>:Nov 09 11:59:22 AEST: %ASA-vpn-7-713236: IP = [REMOTE-IP], IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 96
<167>:Nov 09 11:59:22 AEST: %ASA-vpn-7-713906: IP = [REMOTE-IP], All SA proposals found unacceptable
<163>:Nov 09 11:59:22 AEST: %ASA-vpn-3-713048: IP = [REMOTE-IP], Error processing payload: Payload ID: 1
<167>:Nov 09 11:59:22 AEST: %ASA-vpn-7-715065: IP = [REMOTE-IP], IKE MM Responder FSM error history (struct &0x4b83688) <state>, <event>: MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
<167>:Nov 09 11:59:22 AEST: %ASA-vpn-7-713906: IP = [REMOTE-IP], IKE SA MM:a7905079 terminating: flags 0x01000002, refcnt 0, tuncnt 0
<167>:Nov 09 11:59:22 AEST: %ASA-vpn-7-713906: IP = [REMOTE-IP], sending delete/delete with reason message
<163>:Nov 09 11:59:22 AEST: %ASA-vpn-3-713902: IP = [REMOTE-IP], Removing peer from peer table failed, no match!
<164>:Nov 09 11:59:22 AEST: %ASA-vpn-4-713903: IP = [REMOTE-IP], Error: Unable to remove PeerTblEntry
: IP = [REMOTE-IP], Removing peer from peer table failed, no match!
Nov 09 11:59:22 [IKEv1]: IP = [REMOTE-IP], Error: Unable to remove PeerTblEntry
The output that stands out is:
<167>:Nov 09 11:59:22 AEST: %ASA-vpn-7-713906: IP = [REMOTE-IP], All SA proposals found unacceptable
...which to me means that it's failing on processing the SA but I've been assured that the configuration is sound on the far end.
All the necessary routes and ports are permitted (the fact that they are hitting is a good indication). From the remaining VPN configuration perspective on the ASA end, it's pretty straightforward:
tunnel-group [REMOTE-IP] type ipsec-l2l
tunnel-group [REMOTE-IP] ipsec-attributes
pre-shared-key *
Note: The pre-shared key doesn't appear to be a password issue, as I'd expect to see log errors such as:
[IKEv1]: Group = [REMOTE-IP], IP = [REMOTE-IP], Received encrypted Oakley Main Mode packet with invalid payloads,
[IKEv1]: Group = [REMOTE-IP], IP = [REMOTE-IP], ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
...in the debug which we are not.
From the crypto/SA side, we have set:
crypto map outside_map 2 set peer [REMOTE-IP]
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map 2 set phase1-mode aggressive group5
We've tried downing the transform set to ESP-3DES-MD5 on both ends and still no joy.
Does anyone have any suggestions on what to do to bring this up? I'd REALLY appreciate some input or pointers (I'm far from a VPN wizard)
Thanks in advance.
bdx
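A worked triage for the failure above, added here as an example and not taken from the post, from Cisco, or from the peer vendor. On the ASA, the IKEv1 Phase 1 parameters the responder compares against the peer's SA payload (authentication, encryption, hash, DH group, lifetime) come from the `crypto isakmp policy` entries (`crypto ikev1 policy` from 8.4 onward), not from the crypto map: the transform set is a Phase 2 parameter, and `set phase1-mode aggressive group5` only applies when the ASA initiates. So "All SA proposals found unacceptable" on main mode message 1 means none of the configured policies matches any proposal the far end sent, and changing ESP transform sets cannot fix it. The script classifies which stage a debug run died at from the message strings, parses `crypto isakmp policy` blocks as they appear in a running config, and emulates the responder's policy selection against the peer's proposals to name the closest-missing attribute. The policy text and the peer proposals are constructed sample data; the peer's actual proposal has to come from its own configuration, since the ASA debug at default level does not print it.

```python
"""Triage helpers for an ASA IKEv1 LAN-to-LAN tunnel that fails in Phase 1.

Added example, not code from the post or from Cisco.  It shows (1) which stage
a `debug crypto isakmp` run died at, from the strings the ASA prints, and
(2) why "All SA proposals found unacceptable" appears: no `crypto isakmp
policy` matches any proposal in the peer's SA payload.  Sample data is
constructed.
"""
import re

# Strings the ASA prints at each failure point.  The first two are quoted in
# the post; the third is the Phase 2 counterpart (IPsec SA / transform set).
_FAILURE_SIGNATURES = (
    ("phase1-policy-mismatch", "All SA proposals found unacceptable"),
    ("phase1-psk-mismatch", "probably due to mismatched pre-shared key"),
    ("phase2-transform-mismatch", "All IPSec SA proposals found unacceptable"),
)

def classify_ike_failure(log_lines):
    """Return the label of the first failure signature seen, or None."""
    for line in log_lines:
        for label, needle in _FAILURE_SIGNATURES:
            if needle in line:
                return label
    return None

# Values the ASA assumes for attributes a policy leaves unset (command
# reference defaults for crypto isakmp/ikev1 policy).
_POLICY_DEFAULTS = {"authentication": "pre-share", "encryption": "3des",
                    "hash": "sha", "group": "2", "lifetime": "86400"}
# Vendor spellings that name the same algorithm.
_ALIASES = {"sha1": "sha", "aes128": "aes", "aes-128": "aes", "aes192": "aes-192",
            "aes256": "aes-256", "psk": "pre-share"}
_HEADER = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)$")

def _norm(value):
    v = str(value).strip().lower()
    return _ALIASES.get(v, v)

def parse_isakmp_policies(config_text):
    """Parse `crypto isakmp policy N` / `crypto ikev1 policy N` blocks from
    running-config text into dicts, ordered by priority (lowest tried first)."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = _HEADER.match(line)
        if m:
            current = int(m.group(1))
            policies.setdefault(current, dict(_POLICY_DEFAULTS))
            continue
        if current is None or not line:
            continue
        key, _, value = line.partition(" ")
        if key in _POLICY_DEFAULTS:
            policies[current][key] = value.strip()
    return [dict(priority=p, **attrs) for p, attrs in sorted(policies.items())]

def _mismatches(policy, proposal):
    """Attributes on which one peer proposal fails one local policy.
    Lifetime is not a blocker: the shorter of the two values is used."""
    return [k for k in ("authentication", "encryption", "hash", "group")
            if _norm(policy[k]) != _norm(proposal.get(k, ""))]

def phase1_match(policies, peer_proposals):
    """Emulate responder selection: the first policy in priority order that
    accepts any peer proposal.  Returns (policy, proposal, lifetime) or None."""
    for policy in policies:
        for proposal in peer_proposals:
            if not _mismatches(policy, proposal):
                lifetime = min(int(policy["lifetime"]),
                               int(proposal.get("lifetime", policy["lifetime"])))
                return policy, proposal, lifetime
    return None

def closest_mismatch(policies, peer_proposals):
    """(policy priority, offending attributes) for the nearest miss, so the
    fix can be made deliberately on one side instead of by trial and error."""
    best = None
    for policy in policies:
        for proposal in peer_proposals:
            bad = _mismatches(policy, proposal)
            if best is None or len(bad) < len(best[1]):
                best = (policy["priority"], bad)
    return best

# --- constructed sample input -------------------------------------------------
SAMPLE_DEBUG = [  # two lines as quoted in the post (remote IP redacted there)
    "%ASA-vpn-7-715047: IP = [REMOTE-IP], processing SA payload",
    "%ASA-vpn-7-713906: IP = [REMOTE-IP], All SA proposals found unacceptable",
]
SAMPLE_ASA_CONFIG = """
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 20
 encryption 3des
 hash md5
 group 2
"""
# What the far end sends; constructed here, normally read off the peer's own
# configuration (the ASA debug at default level does not print it).
PEER_PROPOSALS = [
    {"authentication": "psk", "encryption": "aes256", "hash": "sha1",
     "group": "2", "lifetime": "28800"},
]

if __name__ == "__main__":
    print("failure stage:", classify_ike_failure(SAMPLE_DEBUG))
    policies = parse_isakmp_policies(SAMPLE_ASA_CONFIG)
    print("match:", phase1_match(policies, PEER_PROPOSALS))
    print("closest miss:", closest_mismatch(policies, PEER_PROPOSALS))
```

With the sample data the responder emulation finds no acceptable pair and names DH group as the only attribute keeping policy 10 from matching (the peer offers group 2 against the ASA's group 5); setting the same group on either side produces a match, with the shorter lifetime (28800) negotiated. Feed it the real `show run crypto isakmp` output and the peer's configured proposal to get the same answer for the live tunnel.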