Cisco Systems vpn on asa - no matching crypto map entry problem

Posted by anonymous on April 28, 2006, 8:52 am
Hello,

I'm setting up a vpn on an ASA 5510 7.0(4)12 but it doesn't seem to be
getting past completion of phase I. I'm getting this message in my logs
(take a look at the line I marked with "***"):

LOGS
========================================================================
6|Apr 28 2006 12:21:41|713172: Group = my-Group, IP = 192.168.10.10,
Automatic NAT Detection Status: Remote end IS behind a NAT
device This end is NOT behind a NAT device
6|Apr 28 2006 12:21:53|113012: AAA user authentication Successful :
local database : user = testuser
6|Apr 28 2006 12:21:53|113003: AAA group policy for user testuser is
being set to my-Group
6|Apr 28 2006 12:21:53|113011: AAA retrieved user specific group policy
(my-Group) for user = testuser
6|Apr 28 2006 12:21:53|113009: AAA retrieved default group policy
(my-Group) for user = testuser
6|Apr 28 2006 12:21:53|113008: AAA transaction status ACCEPT : user =
testuser        
5|Apr 28 2006 12:21:53|713130: Group = my-Group, Username = testuser, IP
= 192.168.10.10, Received unsupported transaction mode attribute: 5
5|Apr 28 2006 12:21:53|713131: Group = my-Group, Username = testuser, IP
= 192.168.10.10, Received unknown transaction mode attribute: 28683
6|Apr 28 2006 12:21:53|713184: Group = my-Group, Username = testuser, IP
= 192.168.10.10, Client Type: WinNT Client Application Version: 4.6.00.0045
6|Apr 28 2006 12:21:53|713228: Group = my-Group, Username = testuser, IP
= 192.168.10.10, Assigned private IP address 10.10.10.20 to remote user
3|Apr 28 2006 12:21:53|713119: Group = my-Group, Username = testuser, IP
= 192.168.10.10, PHASE 1 COMPLETED
                        *****************
***3|Apr 28 2006 12:21:53|713061: Group = my-Group, Username = testuser,
IP = 192.168.10.10, Rejecting IPSec tunnel: no matching crypto map entry
for remote proxy 10.10.10.20/255.255.255.255/0/0 local proxy
0.0.0.0/0.0.0.0/0/0 on interface outside
                        *****************
3|Apr 28 2006 12:21:53|713902: Group = my-Group, Username = testuser, IP
= 192.168.10.10, QM FSM error (P2 struct &0x388d2b0, mess id 0x71fb8a55)!
3|Apr 28 2006 12:21:53|713902: Group = my-Group, Username = testuser, IP
= 192.168.10.10, Removing peer from correlator table failed, no match!
4|Apr 28 2006 12:21:53|113019: Group = my-Group, Username = testuser, IP
= 192.168.10.10, Session disconnected. Session Type: IPSec, Duration:
0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
5|Apr 28 2006 12:21:53|713904: IP = 192.168.10.10, Received encrypted
packet with no matching SA, dropping
========================================================================

I noticed this on Cisco's site:

CISCO's EXPLANATION
========================================================================
Error Message %PIX|ASA-3-713061: Tunnel rejected: Crypto Map Policy
not found for Src:source_address, Dst: dest_address!

Explanation This message indicates that the Cisco ASA was not able to
find security policy information for the private networks or hosts
indicated in the message. These networks or hosts were sent by the
initiator and do not match any crypto ACLs at the Cisco ASA. This is
most likely a misconfiguration.

Recommended Action Check the protected network configuration in the
crypto ACLs on both sides and make sure that the local net on the
initiator is the remote net on the responder and vice-versa. Pay special
attention to wildcard masks, host addresses versus network addresses,
etc. Non-Cisco implementations may have the private addresses labeled as
proxy addresses or red networks.
========================================================================

AFAIK, I've done this. Is there something I'm missing here?

ASA CONFIG
========================================================================
ciscoasa# show run
: Saved
:
ASA Version 7.0(4)12
!
hostname ciscoasa

names
!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address 172.16.1.37 255.255.255.0
!
interface Ethernet0/1
speed 100
duplex full
nameif inside
security-level 100
ip address 10.10.10.5 255.255.255.0
!

ftp mode passive
access-list inside_nat0_outbound extended permit ip 10.10.10.0
255.255.255.0 any
access-list my-Group_splitTunnelAcl standard permit 10.10.10.0
255.255.255.0
access-list outside_cryptomap_dyn_20 extended permit ip 10.10.10.0
255.255.255.0 any
access-list outside_cryptomap_dyn_20 extended permit udp 10.10.10.0
255.255.255.0 eq isakmp any

mtu management 1500
mtu inside 1500
mtu outside 1500
ip local pool pac-vpn-ip-pool 10.10.10.20-10.10.10.100 mask 255.255.255.0
asdm image disk0:/asdm-504.bin
asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 172.16.1.33 1
group-policy my-Group internal
group-policy my-Group attributes
wins-server value 10.10.10.58
dns-server value 10.10.10.82
vpn-tunnel-protocol IPSec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value my-Group_splitTunnelAcl
client-firewall none
webvpn
username testuser password XXXXXXX encrypted privilege 1
username testuser attributes
vpn-group-policy my-Group
webvpn
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca certificate map 10
subject-name attr ip eq 172.16.1.37
isakmp identity address
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
isakmp ipsec-over-tcp port 10000
tunnel-group my-Group type ipsec-ra
tunnel-group my-Group general-attributes
address-pool pac-vpn-ip-pool
authentication-server-group none
default-group-policy my-Group
tunnel-group my-Group ipsec-attributes
pre-shared-key *
tunnel-group-map default-group my-Group
tunnel-group-map 10 my-Group
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
client-update enable
: end
========================================================================

Thanks,
STU

----== Posted via Newsfeeds.Com - Unlimited-Unrestricted-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+
Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----

Posted by anonymous on April 28, 2006, 10:20 am
I figured out what the problem was. My crypto map dynamic access lists
were backwards:

access-list outside_cryptomap_dyn_20 extended permit ip 10.10.10.0
255.255.255.0 any

should be:

access-list outside_cryptomap_dyn_20 extended permit ip any 10.10.10.0
255.255.255.0




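The rejection in the first post and the fix in the second come down to one thing: the 713061 line carries the proxy identities the peer proposed (local proxy 0.0.0.0/0, remote proxy 10.10.10.20/32), and the ASA needs a crypto-map ACE whose source covers the local proxy and whose destination covers the remote proxy. The script below is an added example, not code from the thread or from Cisco. It parses the thread's own 713061 line and its two versions of the outside_cryptomap_dyn_20 ACL, and reports which entries would have covered the proposal. It assumes the orientation the answer relies on (ACE source = ASA-side network, ACE destination = peer-side network); the protocol handling for non-ip entries is a simplification.

```python
"""Check an ASA crypto ACL against the proxy identities in a 713061 log line.

Added example, not code from the thread or from Cisco. Assumption: a
crypto-map ACE is evaluated with source = local (ASA-side) network and
destination = remote (peer-side) network.
"""
import ipaddress
import re

# Constructed from the 713061 line in the thread, re-joined onto one line.
REJECT_LINE = (
    "3|Apr 28 2006 12:21:53|713061: Group = my-Group, Username = testuser, "
    "IP = 192.168.10.10, Rejecting IPSec tunnel: no matching crypto map entry "
    "for remote proxy 10.10.10.20/255.255.255.255/0/0 local proxy "
    "0.0.0.0/0.0.0.0/0/0 on interface outside"
)

# The crypto ACL as it appeared in the question (wrapped lines re-joined).
ORIGINAL_ACL = [
    "access-list outside_cryptomap_dyn_20 extended permit ip 10.10.10.0 255.255.255.0 any",
    "access-list outside_cryptomap_dyn_20 extended permit udp 10.10.10.0 255.255.255.0 eq isakmp any",
]

# The corrected entry from the answer.
CORRECTED_ACL = [
    "access-list outside_cryptomap_dyn_20 extended permit ip any 10.10.10.0 255.255.255.0",
]

# "remote proxy <addr>/<mask>/<proto>/<port> local proxy <addr>/<mask>/<proto>/<port>"
PROXY_RE = re.compile(
    r"remote proxy (?P<raddr>[\d.]+)/(?P<rmask>[\d.]+)/(?P<rproto>\d+)/\d+ "
    r"local proxy (?P<laddr>[\d.]+)/(?P<lmask>[\d.]+)/(?P<lproto>\d+)/\d+"
)

# Extended ACE: "permit <proto> <src> [eq <port>] <dst> [eq <port>]", where
# <src>/<dst> is either "any" or "<addr> <netmask>".
ACE_RE = re.compile(
    r"access-list (?P<name>\S+) extended permit (?P<proto>\S+) "
    r"(?P<src>any|[\d.]+ [\d.]+)(?: eq \S+)? "
    r"(?P<dst>any|[\d.]+ [\d.]+)(?: eq \S+)?$"
)

# Simplified protocol-number table (assumption: enough for this ACL).
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}


def _network(token):
    """Turn 'any' or '<addr> <netmask>' into an IPv4Network."""
    if token == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, mask = token.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_reject(line):
    """Extract the local and remote proxy identities from a 713061 line."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    return {
        "local": ipaddress.ip_network(f"{m['laddr']}/{m['lmask']}", strict=False),
        "remote": ipaddress.ip_network(f"{m['raddr']}/{m['rmask']}", strict=False),
        "proto": int(m["lproto"]),  # 0 means "any protocol"
    }


def parse_aces(config_lines):
    """Parse the extended ACEs this example understands; other lines are ignored."""
    aces = []
    for line in config_lines:
        m = ACE_RE.match(line.strip())
        if m:
            aces.append({"text": line.strip(), "proto": m["proto"],
                         "src": _network(m["src"]), "dst": _network(m["dst"])})
    return aces


def ace_covers(ace, proxies):
    """True if the ACE covers the whole proxy pair in the ASA's orientation."""
    if ace["proto"] != "ip" and PROTO_NUMBERS.get(ace["proto"]) != proxies["proto"]:
        return False  # an any-protocol proposal needs a 'permit ip' entry
    return (proxies["local"].subnet_of(ace["src"])
            and proxies["remote"].subnet_of(ace["dst"]))


def matching_entries(config_lines, line=REJECT_LINE):
    """Return the ACE texts that would have satisfied the rejected proposal."""
    proxies = parse_reject(line)
    if proxies is None:
        return []
    return [a["text"] for a in parse_aces(config_lines) if ace_covers(a, proxies)]


if __name__ == "__main__":
    p = parse_reject(REJECT_LINE)
    print(f"peer proposed local={p['local']} remote={p['remote']}")
    print("original ACL matches :", matching_entries(ORIGINAL_ACL) or "none (713061)")
    print("corrected ACL matches:", matching_entries(CORRECTED_ACL) or "none (713061)")
```

Run against the thread's data, the original ACL yields no covering entry (the ASA-side source 10.10.10.0/24 does not contain the proposed local proxy 0.0.0.0/0), while the corrected entry covers both proxies, which is exactly the difference between the 713061 rejection and a working Phase 2.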