Trouble connecting L2L using 5505 and 3000

I'm trying to connect our brand new 5505 to a customer's 3000 in lan-to- lan configuration, and am having trouble. I've had two different consultants look at and they haven't been able to solve it either. What we're seeing right now is that we see the IKE phase 1 negotiation start from our end, but it never completes. I suspect an incompatibility in the encryption or auth settings. They sent us an excerpt from their

3000 config, but i don't know how to translate the numbers to equivalent 5505 settings:

name=L2L: (our name) inheritance=1 authprotocol=2 authalgorithm=2 authkeysize=128 encrprotocol=2 encralgorithm=4 encrkeysize=168 compression=2 lifetimemode=1 lifetimekbytes=10000 lifetimeseconds=86400 gatewayaddress=(our peer ip address, which is correct) ikephase1mode=2 ikeauthmode=1 ikeauthalgorithm=2 ikeencralgorithm=2 ikelifetimemode=1 ikelifetimekbytes=10000 ikelifetimeseconds=86400 ikecerthandle=0 ikecertpathenab=2

* ikedhgroup=3 ipsecencapmode=2 * pfsdhgroup=1 replayprotection=2 ikeproposal=1 ikenattenable=2 l2ltype=1 l2lpeerlist= [securityassociation 30] rowstatus=1

Can somebody point me to a reference that will tell me what each of those settings mean, so I can compare them with our 5505's equivalents? I'm particularly suspect of the two dhgroup entries I've starred above, because they told me they use diffie-helman group 2, and don't use perfect forwarding secrecy.

Reply to
David Kerber
Loading thread data ...

try below command in Isakmp and Crypto map

isakmp policy x group 1 -

you can have multiple P1 policies and during negotioation it will choose matching on.

and

crypto map tesr 1 set pfs group1 - Enable PFS

and re-check the PSK

If you can send me the output of "debug Crypto ISAKMP 7 " will be easy to troubleshoot.

Venkt

Reply to
venkatb76

That doesn't seem to have helped, though I'm not 100% certain I understood you correctly. Were you saying to add additional "crypto isakmp policy xx" sections with different settings, such as:

crypto isakmp policy 10 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400

crypto isakmp policy 20 authentication pre-share encryption des hash sha group 2 lifetime 86400

crypto isakmp policy 30 authentication pre-share encryption 3des hash sha group 5 lifetime 86400

If so, that's what I did.

They insist they don't use pfs

Verified this several times, including both typing it in, and copy/pasting it.

Here you go; I verified that the IP address of the peer was correct before *'ing it out; I hope you can read more from it than I can!

Mar 23 16:27:46 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Mar 23 16:27:46 [IKEv1]: IP = ***************, IKE Initiator: New Phase

1, Intf inside, IKE Peer *************** local Proxy Address 10.98.5.252, remote Proxy Address 10.98.14.1, Crypto map (outside_map)

Mar 23 16:27:46 [IKEv1 DEBUG]: IP = ***************, constructing ISAKMP SA payload

Mar 23 16:27:46 [IKEv1 DEBUG]: IP = ***************, constructing Fragmentation VID + extended capabilities payload

Mar 23 16:27:46 [IKEv1]: IP = ***************, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108

Mar 23 16:27:51 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Mar 23 16:27:51 [IKEv1]: IP = ***************, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Mar 23 16:27:54 [IKEv1]: IP = ***************, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108

Mar 23 16:27:57 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Mar 23 16:27:57 [IKEv1]: IP = ***************, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

Mar 23 16:28:02 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0Mar 23 16:28:02 [IKEv1]: IP = ***************, Queuing KEY- ACQUIRE messages to be processed when P1 SA is complete.

Mar 23 16:28:02 [IKEv1]: IP = ***************, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108

Mar 23 16:28:10 [IKEv1]: IP = ***************, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108

Mar 23 16:28:18 [IKEv1 DEBUG]: IP = ***************, IKE MM Initiator FSM error history (struct &0x412fe28) , : MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->

MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

Mar 23 16:28:18 [IKEv1 DEBUG]: IP = ***************, IKE SA MM:1663dcb5 terminating: flags 0x01000022, refcnt 0, tuncnt 0

Mar 23 16:28:18 [IKEv1 DEBUG]: IP = ***************, sending delete/delete with reason message

Mar 23 16:28:18 [IKEv1]: IP = ***************, Removing peer from peer table failed, no match!

Mar 23 16:28:18 [IKEv1]: IP = ***************, Error: Unable to remove PeerTblEntry

Reply to
David Kerber

Remote address is a private address? IS the other end NAT'ing the VPN connection to the 3000? Is this across a private link or over the internet?

Reply to
Artie Lange

Nevermind, just looked at my logs and see I was wrong...

Reply to
Artie Lange

Hello,

MM_WAIT_MSG2 messge shows something wrong

1) Crypto ACL 2) VPN traffic is getting blocked by ACL or some device 3) Incorrect P1 parameter 4) Incorrect NAT.. (if you have nat configured somewhere)

Best may be you should ask the VPN concentrator config Screen Shots and match that config on the ASA.

Regards,

Venky

Reply to
venkatb76

...

...

I did that, and we matched. =20

What we ended up doing was resetting the ASA back to out-of-the-box=20 factory config and rerunning the setup wizards, and then the tunnel came=20 up using the same settings we had in it before. Apparently something in=20 the ASA had gotten into some weird state that didn't go away until we=20 did the factory reset.

Now I have another question, but I'll start a new thread for it.

--=20 /~\\ The ASCII \\ / Ribbon Campaign X Against HTML / \\ Email!

Remove the ns_ from if replying by e-mail (but keep posts in the=20 newsgroups if possible).

Reply to
David Kerber

Great.. Stranage ... never seen this issue before that required factory reset of the ASA.

Reply to
venkatb76

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.