Hi, I configured a Cisco ASA 5500 security appliance and a Cisco 1800 router, and I want to enable a site-to-site VPN tunnel between these two devices. But I keep getting the error "All IPSec SA proposals found unacceptable!". Can someone take a look at the configuration and advise me how to resolve the problem and get the site-to-site VPN working? Thank you, Young
The ASA 5500 and 1800 router configurations and the debug log follow.
ASA 5500 outside IP address: x.x.x.1
1800 router outside IP address: x.x.x.2
-------------------------------------------------------------------------------------------------------
ASA Version 7.2(3)
!
hostname ASA5500
interface Ethernet0/0
 description WAN
 nameif WAN
 security-level 0
 ip address X.X.X.1 255.255.255.248
!
interface Ethernet0/1
 description LAN
 nameif LAN
 security-level 100
 ip address 192.168.0.55 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list WAN_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list testing_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list TestVPN_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list WAN_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
pager lines 24
global (WAN) 101 interface
nat (LAN) 0 access-list WAN_nat0_outbound
nat (LAN) 101 192.168.0.0 255.255.255.0
route WAN 0.0.0.0 0.0.0.0 outside_gateway_ip_address 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map WAN_map 1 match address WAN_1_cryptomap
crypto map WAN_map 1 set pfs
crypto map WAN_map 1 set peer X.X.X.2
crypto map WAN_map 1 set transform-set ESP-3DES-SHA
crypto map WAN_map interface WAN
crypto isakmp enable WAN
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
service-policy global_policy global
webvpn
 customization customization1
  title text Test Group of Companies WebVPN Service
tunnel-group X.X.X.2 type ipsec-l2l
tunnel-group X.X.X.2 ipsec-attributes
 pre-shared-key *
!
: end
------------------------------------------------------------------------------------------
Cisco 1800 router
version 12.4
hostname cisco1800
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
!
no aaa new-model
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Test address X.X.X.1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel toX.X.X.1
 set peer X.X.X.1
 set transform-set ESP-3DES-SHA
 match address 100
!
interface FastEthernet0
 description $ETH-LAN$
 ip address X.X.X.2 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
 no ip address
 !
 ssid Cisco1800
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 ssid Cisco1800
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Async1
 no ip address
 encapsulation slip
!
interface BVI1
 description $ES_LAN$
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 207.245.34.49
!
ip nat pool office X.X.X.2 X.X.X.2 netmask 255.255.255.248
ip nat inside source route-map SDM_RMAP_1 pool office overload
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 login local
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
webvpn cef
end
----------------------------------------------------------------------------------
Debug log on the ASA 5500 (latest entry at the top)
.Notice %ASA-5-713904: IP = X.X.X.2, Received encrypted packet with no matching SA, dropping
.Warning %ASA-4-113019: Group = X.X.X.2, Username = X.X.X.2, IP = X.X.X.2, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
.Debug %ASA-7-713236: IP = X.X.X.2, IKE_DECODE SENDING Message (msgid=f0c3875d) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
.Debug %ASA-7-715046: Group = X.X.X.2, IP = X.X.X.2, constructing qm hash payload
.Debug %ASA-7-715046: Group = X.X.X.2, IP = X.X.X.2, constructing IKE delete payload
.Debug %ASA-7-715046: Group = X.X.X.2, IP = X.X.X.2, constructing blank hash payload
.Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, sending delete/ delete with reason message
.Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, IKE SA MM: 1328f233 terminating: flags 0x0101c002, refcnt 0, tuncnt 0
.Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, IKE SA MM: 1328f233 rcv'd Terminate: state MM_ACTIVE flags 0x0001c042, refcnt 1, tuncnt 0
.Error %ASA-3-713902: Group = X.X.X.2, IP = X.X.X.2, Removing peer from correlator table failed, no match!
.Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, sending delete/ delete with reason message
.Debug %ASA-7-715065: Group = X.X.X.2, IP = X.X.X.2, IKE QM Responder FSM error history (struct &0x494ec78) , : QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG--EV_COMP_HASH
.Error %ASA-3-713902: Group = X.X.X.2, IP = X.X.X.2, QM FSM error (P2 struct &0x494ec78, mess id 0xd13ce919)!
.Debug %ASA-7-713236: IP = X.X.X.2, IKE_DECODE SENDING Message (msgid=7f875ac9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
.Debug %ASA-7-715046: Group = X.X.X.2, IP = X.X.X.2, constructing qm hash payload
.Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, constructing ipsec notify payload for msg id d13ce919
.Debug %ASA-7-715046: Group = X.X.X.2, IP = X.X.X.2, constructing blank hash payload
.Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, sending notify message
.Notice %ASA-5-713904: Group = X.X.X.2, IP = X.X.X.2, All IPSec SA proposals found unacceptable!
.Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing IPSec SA payload
.Debug %ASA-7-713066: Group = X.X.X.2, IP = X.X.X.2, IKE Remote Peer configured for crypto map: WAN_map
.Debug %ASA-7-713225: Group = X.X.X.2, IP = X.X.X.2, Static Crypto Map check, map WAN_map, seq = 1 is a successful match
.Debug %ASA-7-713221: Group = X.X.X.2, IP = X.X.X.2, Static Crypto Map check, checking map = WAN_map, seq = 1...
.Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, QM IsRekeyed old sa not found by addr
.Debug %ASA-7-713034: Group = X.X.X.2, IP = X.X.X.2, Received local IP Proxy Subnet data in ID Payload: Address 192.168.0.0, Mask 255.255.255.0, Protocol 0, Port 0
.Debug %ASA-7-714011: Group = X.X.X.2, IP = X.X.X.2, ID_IPV4_ADDR_SUBNET ID received--192.168.0.0--255.255.255.0
.Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing ID payload
.Debug %ASA-7-713035: Group = X.X.X.2, IP = X.X.X.2, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.20.0, Mask 255.255.255.0, Protocol 0, Port 0
.Debug %ASA-7-714011: Group = X.X.X.2, IP = X.X.X.2, ID_IPV4_ADDR_SUBNET ID received--192.168.20.0--255.255.255.0
.Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing ID payload
.Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing nonce payload
.Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing SA payload
.Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing hash payload
.Debug %ASA-7-713236: IP = X.X.X.2, IKE_DECODE RECEIVED Message (msgid=d13ce919) with payloads : HDR + HASH (8) + SA (1) + NONCE (10)- ID (5) + ID (5) + NONE (0) total length : 168
.Debug %ASA-7-714003: IP = X.X.X.2, IKE Responder starting QM: msg id = d13ce919
.Debug %ASA-7-715080: Group = X.X.X.2, IP = X.X.X.2, Starting P1 rekey timer: 82080 seconds.
.Debug %ASA-7-713121: IP = X.X.X.2, Keep-alive type for this connection: DPD
.Error %ASA-3-713119: Group = X.X.X.2, IP = X.X.X.2, PHASE 1 COMPLETED
.Info %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = X.X.X.2
.Debug %ASA-7-713236: IP = X.X.X.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96