Site to Site VPN problem between ASA5500 & 1800 router

Hi, I configured a Cisco ASA 5500 security appliance and a Cisco 1800 router, and I want to enable a site-to-site VPN tunnel between these two devices. But I keep getting the error: All IPSec SA proposals found unacceptable! Can someone take a look at the configuration and advise me how to resolve the problem and get the site-to-site VPN working? Thank you, Young

The ASA 5500 configuration, the 1800 router configuration and the debug log follow:

ASA5500 outside ip address: x.x.x.1
1800 router outside ip address: x.x.x.2

-------------------------------------------------------------------------------------------------------
ASA Version 7.2(3)
!
hostname ASA5500
!
interface Ethernet0/0
 description WAN
 nameif WAN
 security-level 0
 ip address X.X.X.1 255.255.255.248
!
interface Ethernet0/1
 description LAN
 nameif LAN
 security-level 100
 ip address 192.168.0.55 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list WAN_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list testing_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list TestVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list WAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
pager lines 24
global (WAN) 101 interface
nat (LAN) 0 access-list WAN_nat0_outbound
nat (LAN) 101 192.168.0.0 255.255.255.0
route WAN 0.0.0.0 0.0.0.0 outside_gateway_ip_address 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set pfs
crypto map WAN_map 1 set peer X.X.X.2
crypto map WAN_map 1 set transform-set ESP-3DES-SHA
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
service-policy global_policy global
webvpn
 customization customization1
  title text Test Group of Companies WebVPN Service
tunnel-group X.X.X.2 type ipsec-l2l
tunnel-group X.X.X.2 ipsec-attributes
 pre-shared-key *
!
: end

------------------------------------------------------------------------------------------
Cisco 1800 router

version 12.4
!
hostname cisco1800
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
!
no aaa new-model
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Test address X.X.X.1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to X.X.X.1
 set peer X.X.X.1
 set transform-set ESP-3DES-SHA
 match address 100
!
interface FastEthernet0
 description $ETH-LAN$
 ip address X.X.X.2 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
 no ip address
 !
 ssid Cisco1800
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 ssid Cisco1800
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Async1
 no ip address
 encapsulation slip
!
interface BVI1
 description $ES_LAN$
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 207.245.34.49
!
ip nat pool office X.X.X.2 X.X.X.2 netmask 255.255.255.248
ip nat inside source route-map SDM_RMAP_1 pool office overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 login local
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
webvpn cef
end

----------------------------------------------------------------------------------
Debug Log on ASA 5500 (latest entry at the top)

.Notice %ASA-5-713904: IP = X.X.X.2, Received encrypted packet with no matching SA, dropping
.Warning %ASA-4-113019: Group = X.X.X.2, Username = X.X.X.2, IP = X.X.X.2, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
.Debug %ASA-7-713236: IP = X.X.X.2, IKE_DECODE SENDING Message (msgid=f0c3875d) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
.Debug %ASA-7-715046: Group = X.X.X.2, IP = X.X.X.2, constructing qm hash payload
.Debug %ASA-7-715046: Group = X.X.X.2, IP = X.X.X.2, constructing IKE delete payload
.Debug %ASA-7-715046: Group = X.X.X.2, IP = X.X.X.2, constructing blank hash payload
.Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, sending delete/delete with reason message
.Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, IKE SA MM: 1328f233 terminating: flags 0x0101c002, refcnt 0, tuncnt 0
.Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, IKE SA MM: 1328f233 rcv'd Terminate: state MM_ACTIVE flags 0x0001c042, refcnt 1, tuncnt 0
.Error %ASA-3-713902: Group = X.X.X.2, IP = X.X.X.2, Removing peer from correlator table failed, no match!
.Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, sending delete/delete with reason message
.Debug %ASA-7-715065: Group = X.X.X.2, IP = X.X.X.2, IKE QM Responder FSM error history (struct &0x494ec78) , : QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
.Error %ASA-3-713902: Group = X.X.X.2, IP = X.X.X.2, QM FSM error (P2 struct &0x494ec78, mess id 0xd13ce919)!
.Debug %ASA-7-713236: IP = X.X.X.2, IKE_DECODE SENDING Message (msgid=7f875ac9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
.Debug %ASA-7-715046: Group = X.X.X.2, IP = X.X.X.2, constructing qm hash payload
.Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, constructing ipsec notify payload for msg id d13ce919
.Debug %ASA-7-715046: Group = X.X.X.2, IP = X.X.X.2, constructing blank hash payload
.Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, sending notify message
.Notice %ASA-5-713904: Group = X.X.X.2, IP = X.X.X.2, All IPSec SA proposals found unacceptable!
.Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing IPSec SA payload
.Debug %ASA-7-713066: Group = X.X.X.2, IP = X.X.X.2, IKE Remote Peer configured for crypto map: WAN_map
.Debug %ASA-7-713225: Group = X.X.X.2, IP = X.X.X.2, Static Crypto Map check, map WAN_map, seq = 1 is a successful match
.Debug %ASA-7-713221: Group = X.X.X.2, IP = X.X.X.2, Static Crypto Map check, checking map = WAN_map, seq = 1...
.Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, QM IsRekeyed old sa not found by addr
.Debug %ASA-7-713034: Group = X.X.X.2, IP = X.X.X.2, Received local IP Proxy Subnet data in ID Payload: Address 192.168.0.0, Mask 255.255.255.0, Protocol 0, Port 0
.Debug %ASA-7-714011: Group = X.X.X.2, IP = X.X.X.2, ID_IPV4_ADDR_SUBNET ID received--192.168.0.0--255.255.255.0
.Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing ID payload
.Debug %ASA-7-713035: Group = X.X.X.2, IP = X.X.X.2, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.20.0, Mask 255.255.255.0, Protocol 0, Port 0
.Debug %ASA-7-714011: Group = X.X.X.2, IP = X.X.X.2, ID_IPV4_ADDR_SUBNET ID received--192.168.20.0--255.255.255.0
.Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing ID payload
.Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing nonce payload
.Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing SA payload
.Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing hash payload
.Debug %ASA-7-713236: IP = X.X.X.2, IKE_DECODE RECEIVED Message (msgid=d13ce919) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
.Debug %ASA-7-714003: IP = X.X.X.2, IKE Responder starting QM: msg id = d13ce919
.Debug %ASA-7-715080: Group = X.X.X.2, IP = X.X.X.2, Starting P1 rekey timer: 82080 seconds.
.Debug %ASA-7-713121: IP = X.X.X.2, Keep-alive type for this connection: DPD
.Error %ASA-3-713119: Group = X.X.X.2, IP = X.X.X.2, PHASE 1 COMPLETED
.Info %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = X.X.X.2
.Debug %ASA-7-713236: IP = X.X.X.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96
Reply to
Young

Here's a better config example for you to follow using an ASA and an IOS router.

I took this straight from the link at cisco.


HQPIX(config)#show run
PIX Version 7.0(0)102
names
!
interface Ethernet0
 description WAN interface
 nameif outside
 security-level 0
 ip address 172.17.63.229 255.255.255.240
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname HQPIX
domain-name cisco.com
ftp mode passive
clock timezone AEST 10
access-list 100 extended permit ip any any
access-list 150 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
mtu inside 1500
mtu outside 1500
no failover
monitor-interface inside
monitor-interface outside
asdm image flash:/asdmfile.50073
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 10.1.1.0 255.255.255.0
access-group 100 in interface inside
route outside 0.0.0.0 0.0.0.0 172.17.63.230 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partner protocol tacacs+
username cisco password 3USUcOPFUiMCO4Jk encrypted
http server enable
http 10.1.1.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec df-bit clear-df outside
crypto map forsberg 21 match address nonat
crypto map forsberg 21 set peer 172.17.63.230
crypto map forsberg 21 set transform-set avalanche
crypto map forsberg interface outside
isakmp identity address
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 65535 authentication pre-share
isakmp policy 65535 encryption 3des
isakmp policy 65535 hash sha
isakmp policy 65535 group 2
isakmp policy 65535 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
tunnel-group 172.17.63.230 type ipsec-l2l
tunnel-group 172.17.63.230 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map asa_global_fw_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
!
service-policy asa_global_fw_policy global
Cryptochecksum:3a5851f7310d14e82bdf17e64d638738
: end
SV-2-8#

Branch Router

BranchRouter#show run
Building configuration...

Current configuration : 1719 bytes
!
! Last configuration change at 13:03:25 AEST Tue Apr 5 2005
! NVRAM config last updated at 13:03:44 AEST Tue Apr 5 2005
!
version 12.2
service timestamps debug datetime msec
service timestamps log uptime
no service password-encryption
!
hostname BranchRouter
!
logging queue-limit 100
logging buffered 4096 debugging
!
username cisco privilege 15 password 0 cisco
memory-size iomem 15
clock timezone AEST 10
ip subnet-zero
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 172.17.63.229
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
 set peer 172.17.63.229
 set transform-set sharks
 match address 120
!
no voice hpi capture buffer
no voice hpi capture destination
!
mta receive maximum-recipients 0
!
interface Ethernet0/0
 ip address 172.17.63.230 255.255.255.240
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 half-duplex
 crypto map nolan
!
interface Ethernet0/1
 ip address 10.2.2.1 255.255.255.0
 ip nat inside
 half-duplex
!
ip nat pool branch 172.17.63.230 172.17.63.230 netmask 255.255.255.0
ip nat inside source route-map nonat pool branch overload
no ip http server
no ip http secure-server
ip classless
ip route 10.1.1.0 255.255.255.0 172.17.63.229
!
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 130 permit ip 10.2.2.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 130
!
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
 login
!
end

"Young" wrote in message news: snipped-for-privacy@u10g2000prn.googlegroups.com...


Reply to
Town Dummy
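An added example, not code from either post or from Cisco: a small Python checker that reads the Phase 2 parameters out of an ASA/PIX configuration and an IOS configuration and lists what will stop the two peers from agreeing on an IPsec SA, which is what the ASA reports as "All IPSec SA proposals found unacceptable!" after Phase 1 has completed. The sample input is constructed from the crypto-relevant lines of the two config pairs in this thread, Young's ASA/1800 pair and the PIX/branch-router pair from the Cisco example, with the X.X.X.n placeholders left as posted. The two defaults it relies on are assumptions taken from the Cisco command references: an ASA "set pfs" with no group keyword means group2, and an IOS "set pfs" with no group keyword means group1.

```python
"""Phase 2 (IPsec SA) parameter check for a Cisco ASA/PIX <-> IOS site-to-site pair.
Added example, not from the thread: it parses the crypto-relevant lines of both configs
and lists what stops the peers agreeing ("All IPSec SA proposals found unacceptable!")."""
import ipaddress
import re

# Constructed sample input: Young's ASA/1800 pair, copied from the post (X.X.X.n as posted).
YOUNG_ASA = """access-list WAN_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set pfs
crypto map WAN_map 1 set peer X.X.X.2
crypto map WAN_map 1 set transform-set ESP-3DES-SHA
"""
YOUNG_IOS = """crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer X.X.X.1
 set transform-set ESP-3DES-SHA
 match address 100
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
# Constructed sample input: the PIX / branch-router pair from the Cisco example in the reply.
EXAMPLE_PIX = """access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto ipsec transform-set avalanche esp-des esp-md5-hmac
crypto map forsberg 21 match address nonat
crypto map forsberg 21 set peer 172.17.63.230
crypto map forsberg 21 set transform-set avalanche
"""
EXAMPLE_IOS = """crypto ipsec transform-set sharks esp-des esp-md5-hmac
crypto map nolan 11 ipsec-isakmp
 set peer 172.17.63.229
 set transform-set sharks
 match address 120
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

def _network(addr: str, mask: str, wildcard: bool) -> ipaddress.IPv4Network:
    """Address plus a netmask (ASA) or an IOS wildcard mask (the bitwise inverse of a netmask)."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.IPv4Network(f"{addr}/{mask}")

def _transform_sets(cfg: str) -> dict:
    """Transform-set name -> frozenset of ESP algorithms, e.g. {'esp-3des', 'esp-sha-hmac'}."""
    return {name: frozenset(algs.split()) for name, algs in
            re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)}

def _crypto_acls(cfg: str, wildcard: bool) -> dict:
    """ACL name/number -> list of (source, destination) networks it permits."""
    acls: dict = {}
    pat = r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$"
    for name, src, smask, dst, dmask in re.findall(pat, cfg, re.M):
        acls.setdefault(name, []).append((_network(src, smask, wildcard), _network(dst, dmask, wildcard)))
    return acls

def parse_asa(cfg: str) -> dict:
    """Phase 2 parameters of the first ASA/PIX crypto-map entry in cfg."""
    tsets, acls = _transform_sets(cfg), _crypto_acls(cfg, wildcard=False)
    pfs = re.search(r"^crypto map \S+ \d+ set pfs(?: (group\d+))?$", cfg, re.M)
    tset = re.search(r"^crypto map \S+ \d+ set transform-set (\S+)$", cfg, re.M)
    acl = re.search(r"^crypto map \S+ \d+ match address (\S+)$", cfg, re.M)
    return {
        # Assumed documented default: ASA 'set pfs' with no group keyword means group2.
        "pfs": (pfs.group(1) or "group2") if pfs else None,
        "transforms": tsets.get(tset.group(1)) if tset else None,
        "proxies": acls.get(acl.group(1), []) if acl else [],
    }

def parse_ios(cfg: str) -> dict:
    """Phase 2 parameters of the first IOS 'crypto map ... ipsec-isakmp' block in cfg."""
    tsets, acls = _transform_sets(cfg), _crypto_acls(cfg, wildcard=True)
    block = re.search(r"^crypto map \S+ \d+ ipsec-isakmp\n((?: .*\n)+)", cfg, re.M)
    body = block.group(1) if block else ""
    pfs = re.search(r"^ set pfs(?: (group\d+))?$", body, re.M)
    tset = re.search(r"^ set transform-set (\S+)$", body, re.M)
    acl = re.search(r"^ match address (\S+)$", body, re.M)
    return {
        # Assumed documented default: IOS 'set pfs' with no group keyword means group1.
        "pfs": (pfs.group(1) or "group1") if pfs else None,
        "transforms": tsets.get(tset.group(1)) if tset else None,
        "proxies": acls.get(acl.group(1), []) if acl else [],
    }

def phase2_mismatches(asa: dict, ios: dict) -> list:
    """Reasons the two peers cannot agree on an IPsec SA; an empty list means they match."""
    problems = []
    if asa["transforms"] != ios["transforms"]:
        problems.append(f"transform-set: ASA {sorted(asa['transforms'] or [])} vs IOS {sorted(ios['transforms'] or [])}")
    if asa["pfs"] != ios["pfs"]:
        problems.append(f"pfs: ASA {asa['pfs']} vs IOS {ios['pfs']}")
    # Crypto ACLs must be exact mirror images: every ASA (src, dst) is an IOS (dst, src).
    if sorted(asa["proxies"]) != sorted((d, s) for s, d in ios["proxies"]):
        problems.append(f"proxy IDs not mirrored: ASA {asa['proxies']} vs IOS {ios['proxies']}")
    return problems

if __name__ == "__main__":
    for label, a, i in (("Young's ASA/1800 pair", YOUNG_ASA, YOUNG_IOS),
                        ("Cisco example PIX/router pair", EXAMPLE_PIX, EXAMPLE_IOS)):
        print(f"{label}: {phase2_mismatches(parse_asa(a), parse_ios(i)) or 'Phase 2 parameters agree'}")
```

Run against the thread's configs, the checker reports a single problem for Young's pair: the ASA crypto map carries "set pfs" (group2) while the router's SDM_CMAP_1 has no "set pfs" at all, so the proxy IDs and transform set match but the PFS attribute in the ASA's proposal is rejected, which is consistent with the log showing PHASE 1 COMPLETED followed by the Phase 2 mismatch. Either side can be changed to agree, "set pfs group2" under the router's crypto map entry or "no crypto map WAN_map 1 set pfs" on the ASA. For the Cisco example pair it reports nothing, but note that "agree" is all it checks: that pair uses esp-des esp-md5-hmac, which is weak and should not be used for new tunnels. Note also that the posted router config contains its pre-shared key in clear text ("crypto isakmp key Test ..."); a key that has been posted should be treated as compromised and rotated on both peers.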

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.