I'm trying to connect our brand new 5505 to a customer's 3000 in lan-to-lan configuration, and am having trouble. I've had two different consultants look at it and they haven't been able to solve it either. What we're seeing right now is that we see the IKE phase 1 negotiation start from our end, but it never completes. I suspect an incompatibility in the encryption or auth settings. They sent us an excerpt from their 3000 config, but I don't know how to translate the numbers to equivalent 5505 settings:
name=L2L: (our name)
inheritance=1
authprotocol=2
authalgorithm=2
authkeysize=128
encrprotocol=2
encralgorithm=4
encrkeysize=168
compression=2
lifetimemode=1
lifetimekbytes=10000
lifetimeseconds=86400
gatewayaddress=(our peer ip address, which is correct)
ikephase1mode=2
ikeauthmode=1
ikeauthalgorithm=2
ikeencralgorithm=2
ikelifetimemode=1
ikelifetimekbytes=10000
ikelifetimeseconds=86400
ikecerthandle=0
ikecertpathenab=2
Can somebody point me to a reference that will tell me what each of those settings means, so I can compare them with our 5505's equivalents? I'm particularly suspicious of the two dhgroup entries I've starred above, because they told me they use Diffie-Hellman group 2, and don't use perfect forwarding secrecy.
That doesn't seem to have helped, though I'm not 100% certain I understood you correctly. Were you saying to add additional "crypto isakmp policy xx" sections with different settings, such as:
Verified this several times, including both typing it in, and copy/pasting it.
Here you go; I verified that the IP address of the peer was correct before *'ing it out; I hope you can read more from it than I can!
Mar 23 16:27:46 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 23 16:27:46 [IKEv1]: IP = ***************, IKE Initiator: New Phase 1, Intf inside, IKE Peer *************** local Proxy Address 10.98.5.252, remote Proxy Address 10.98.14.1, Crypto map (outside_map)
Mar 23 16:27:46 [IKEv1 DEBUG]: IP = ***************, constructing ISAKMP SA payload
Mar 23 16:27:46 [IKEv1 DEBUG]: IP = ***************, constructing Fragmentation VID + extended capabilities payload
Mar 23 16:27:46 [IKEv1]: IP = ***************, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 23 16:27:51 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 23 16:27:51 [IKEv1]: IP = ***************, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Mar 23 16:27:54 [IKEv1]: IP = ***************, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 23 16:27:57 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 23 16:27:57 [IKEv1]: IP = ***************, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Mar 23 16:28:02 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 23 16:28:02 [IKEv1]: IP = ***************, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Mar 23 16:28:02 [IKEv1]: IP = ***************, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 23 16:28:10 [IKEv1]: IP = ***************, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 23 16:28:18 [IKEv1 DEBUG]: IP = ***************, IKE MM Initiator FSM error history (struct &0x412fe28) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->
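An added example, not from this thread or from Cisco: a small Python parser over the debug excerpt above (a trimmed copy is embedded as constructed sample input) that counts the decoded IKE messages by direction and reads the MM_* state out of the FSM error history line, so you can tell "nothing ever came back from the peer" apart from "the peer answered and phase 1 stalled later".

```python
import re
from collections import Counter

# Constructed sample: a trimmed copy of the ASA IKEv1 debug excerpt posted
# above, peer address masked the same way the poster masked it.
SAMPLE_LOG = """\
Mar 23 16:27:46 [IKEv1]: IP = ***************, IKE Initiator: New Phase 1, Intf inside, IKE Peer *************** local Proxy Address 10.98.5.252, remote Proxy Address 10.98.14.1, Crypto map (outside_map)
Mar 23 16:27:46 [IKEv1]: IP = ***************, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 23 16:27:54 [IKEv1]: IP = ***************, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 23 16:28:02 [IKEv1]: IP = ***************, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 23 16:28:18 [IKEv1 DEBUG]: IP = ***************, IKE MM Initiator FSM error history (struct &0x412fe28) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->
"""

# Direction and msgid of every decoded IKE message the ASA logged.
DECODE_RE = re.compile(r"IKE_DECODE (SENDING|RESENDING|RECEIVED) Message \(msgid=(\w+)\)")


def analyze_ikev1_log(text):
    """Summarise an ASA IKEv1 main-mode initiator debug excerpt: message counts,
    the MM_* state the initiator timed out waiting in, and a coarse diagnosis."""
    counts = Counter()
    wait_state = None
    for line in text.splitlines():
        m = DECODE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
        if "FSM error history" in line:
            # History reads "MM_DONE, EV_ERROR-->MM_WAIT_MSG2, ..., EV_TIMEOUT-->";
            # the last MM_* state named is the one the retries timed out in.
            states = re.findall(r"MM_\w+", line)
            if states:
                wait_state = states[-1]
    if counts["RECEIVED"] == 0 and (counts["SENDING"] or counts["RESENDING"]):
        diagnosis = ("no reply: the first main-mode message was sent and resent but nothing "
                     "came back, so check reachability, UDP/500 filtering and the peer's "
                     "configured peer address before comparing proposal details")
    elif wait_state:
        diagnosis = (f"peer replied but phase 1 stalled in {wait_state}; compare the remaining "
                     "phase-1 parameters (DH group, authentication method, pre-shared key)")
    else:
        diagnosis = "phase 1 progressed with no FSM error recorded in this excerpt"
    return {"sent": counts["SENDING"], "resent": counts["RESENDING"],
            "received": counts["RECEIVED"], "wait_state": wait_state,
            "diagnosis": diagnosis}


if __name__ == "__main__":
    for key, value in analyze_ikev1_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the excerpt in the post it reports one send, two resends, zero received messages and MM_WAIT_MSG2, i.e. the peer never answered at all.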
1) Crypto ACL
2) VPN traffic is getting blocked by ACL or some device
3) Incorrect P1 parameter
4) Incorrect NAT (if you have NAT configured somewhere)
It may be best to ask for the VPN concentrator config screenshots and match that config on the ASA.
What we ended up doing was resetting the ASA back to out-of-the-box factory config and rerunning the setup wizards, and then the tunnel came up using the same settings we had in it before. Apparently something in the ASA had gotten into some weird state that didn't go away until we did the factory reset.
Now I have another question, but I'll start a new thread for it.
--
 /~\  The ASCII
 \ /  Ribbon Campaign
  X   Against HTML
 / \  Email!
Remove the ns_ from if replying by e-mail (but keep posts in the newsgroups if possible).