Site to Site VPN problem between ASA5500 & 1800 router

Discussion in 'Cisco' started by Young, Jan 9, 2008.

  1. Young

    Young Guest

    Hi,
    I have configured a Cisco ASA 5500 security appliance and a Cisco 1800 router,
    and I want to bring up a site-to-site VPN tunnel between these two devices.
    But I keep getting the error: "All IPSec SA proposals found
    unacceptable!".
    Can someone take a look at the configuration and advise me how to
    resolve the problem and get the site-to-site VPN working?
    Thank you,
    Young


    The ASA 5500 and 1800 router configurations and the ASA debug log are as follows:

    ASA5500 outside IP address: x.x.x.1; 1800 router outside IP
    address: x.x.x.2
    -------------------------------------------------------------------------------------------------------
    ! Site A of the IPsec LAN-to-LAN tunnel: ASA 5500 (7.2(3)), outside X.X.X.1 on "WAN",
    ! peer X.X.X.2, protecting 192.168.0.0/24 <-> 192.168.20.0/24 via crypto map WAN_map.
    ASA Version 7.2(3)
    !
    hostname ASA5500

    interface Ethernet0/0
    description WAN
    nameif WAN
    security-level 0
    ip address X.X.X.1 255.255.255.248
    !
    interface Ethernet0/1
    description LAN
    nameif LAN
    security-level 100
    ip address 192.168.0.55 255.255.255.0
    !
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Management0/0
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    !
    ! NOTE(review): this "passwd" hash is identical to the one in the Cisco sample
    ! config quoted later in this thread, so it is presumably the factory-default
    ! login password -- confirm it was changed. No "enable password" line appears
    ! in this excerpt.
    passwd 2KFQnbNIdI.2KYOU encrypted

    ! "intra-interface" lets traffic enter and leave the same interface (hairpinning);
    ! only keep it if that is intended for this design -- verify.
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    ! Crypto ACL ("interesting traffic"): the mirror image of ACL 100 on the 1800.
    access-list WAN_1_cryptomap extended permit ip 192.168.0.0
    255.255.255.0 192.168.20.0 255.255.255.0
    ! Split-tunnel ACLs for remote-access group policies that are not shown in this excerpt.
    access-list testing_splitTunnelAcl standard permit 192.168.0.0
    255.255.255.0
    access-list TestVPN_splitTunnelAcl standard permit 192.168.0.0
    255.255.255.0
    ! NAT exemption for the tunnel traffic; matches WAN_1_cryptomap exactly.
    access-list WAN_nat0_outbound extended permit ip 192.168.0.0
    255.255.255.0 192.168.20.0 255.255.255.0
    pager lines 24

    ! PAT to the WAN interface for everything else; "nat 0" exempts the VPN subnet pair.
    global (WAN) 101 interface
    nat (LAN) 0 access-list WAN_nat0_outbound
    nat (LAN) 101 192.168.0.0 255.255.255.0
    route WAN 0.0.0.0 0.0.0.0 outside_gateway_ip_address 1

    ! Phase 2: ESP 3DES / SHA-1 HMAC -- the same transform set as on the 1800.
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map WAN_map 1 match address WAN_1_cryptomap
    ! NOTE(review): PFS is enabled here ("set pfs" with no argument uses group 2),
    ! but the 1800's crypto map SDM_CMAP_1 in the config below has no "set pfs".
    ! With the transform sets and proxy IDs matching (the debug log shows the
    ! crypto-map check succeeding and both /24 IDs received) a PFS mismatch is the
    ! remaining candidate for "All IPSec SA proposals found unacceptable!" /
    ! "Reason: Phase 2 Mismatch". Either remove this line or add "set pfs group2"
    ! under crypto map SDM_CMAP_1 on the router so both ends agree.
    crypto map WAN_map 1 set pfs
    crypto map WAN_map 1 set peer X.X.X.2
    crypto map WAN_map 1 set transform-set ESP-3DES-SHA
    crypto map WAN_map interface WAN
    crypto isakmp enable WAN
    ! Phase 1: pre-shared key, 3DES, SHA-1, DH group 2, 24h lifetime. The 1800's
    ! policy 1 is 3des / pre-share / group 2 with IOS's default hash (SHA-1), and the
    ! debug log reports "PHASE 1 COMPLETED", so IKE Phase 1 is not where this fails.
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    !
    service-policy global_policy global
    webvpn
    customization customization1
    title text Test Group of Companies WebVPN Service

    ! L2L tunnel group keyed on the peer address; the PSK is masked in this output
    ! but must equal the "crypto isakmp key" configured on the 1800.
    tunnel-group X.X.X.2 type ipsec-l2l
    tunnel-group X.X.X.2 ipsec-attributes
    pre-shared-key *
    !
    : end

    ------------------------------------------------------------------------------------------
    Cisco 1800 router

    ! Site B of the IPsec LAN-to-LAN tunnel: Cisco 1800 (IOS 12.4), outside X.X.X.2 on
    ! FastEthernet0, LAN 192.168.20.0/24 on BVI1 (wired VLAN and both radios bridged),
    ! peer X.X.X.1.
    version 12.4

    hostname cisco1800
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 52000
    !
    no aaa new-model
    !
    !
    ! Phase 1 policy: 3DES, pre-shared key, DH group 2. No explicit "hash" is set, so
    ! IOS's default (SHA-1) applies, which matches the ASA's "hash sha"; the ASA debug
    ! in this thread reports "PHASE 1 COMPLETED", so the IKE SA does come up.
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    ! NOTE(review): the pre-shared key is in cleartext here and this config was posted
    ! publicly -- treat "Test" as disclosed and replace it on both peers (the ASA side
    ! masks it as "pre-shared-key *", so verify both ends hold the same new value).
    crypto isakmp key Test address X.X.X.1
    !
    !
    ! Phase 2: ESP 3DES / SHA-1 HMAC -- the same transform set as on the ASA.
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    ! NOTE(review): no "set pfs" in this crypto map, while the ASA's WAN_map 1 has
    ! "set pfs" (group 2 by default). The ASA log shows the crypto-map check and the
    ! proxy IDs succeeding and then "All IPSec SA proposals found unacceptable!" /
    ! "Phase 2 Mismatch", which is what a one-sided PFS setting produces. Add
    ! "set pfs group2" here (or remove "set pfs" on the ASA) so both ends agree.
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel toX.X.X.1
    set peer X.X.X.1
    set transform-set ESP-3DES-SHA
    match address 100
    !
    ! Outside interface: the crypto map is applied here; also the NAT outside interface.
    interface FastEthernet0
    description $ETH-LAN$
    ip address X.X.X.2 255.255.255.248
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map SDM_CMAP_1
    !
    interface FastEthernet1
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    !
    interface FastEthernet5
    !
    interface FastEthernet6
    !
    interface FastEthernet7
    !
    interface FastEthernet8
    !
    interface FastEthernet9
    !
    ! NOTE(review): both radios are in bridge-group 1 together with Vlan1 and BVI1,
    ! i.e. on the same 192.168.20.0/24 segment the tunnel protects. No "encryption
    ! mode" or "dot11 ssid" authentication lines appear in this excerpt; confirm the
    ! WLAN is not open, or wireless clients get an unauthenticated path onto the
    ! VPN-protected LAN.
    interface Dot11Radio0
    no ip address
    !
    ssid Cisco1800
    !
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0
    36.0 48.0 54.0
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    !
    interface Dot11Radio1
    no ip address
    !
    ssid Cisco1800
    !
    speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
    no ip address
    ip tcp adjust-mss 1452
    bridge-group 1
    !
    interface Async1
    no ip address
    encapsulation slip
    !
    ! Inside LAN address (bridge virtual interface); NAT inside.
    interface BVI1
    description $ES_LAN$
    ip address 192.168.20.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    !
    ! NOTE(review): this next hop was left unmasked while the interface addresses
    ! were X'd out -- presumably the ISP gateway.
    ip route 0.0.0.0 0.0.0.0 207.245.34.49
    !
    ! PAT behind the outside address for whatever route-map SDM_RMAP_1 (ACL 101) permits.
    ip nat pool office X.X.X.2 X.X.X.2 netmask 255.255.255.248
    ip nat inside source route-map SDM_RMAP_1 pool office overload

    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.20.0 0.0.0.255
    ! ACL 100: crypto ACL ("interesting traffic"); mirror image of WAN_1_cryptomap on the ASA.
    access-list 100 remark SDM_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
    ! ACL 101: NAT exemption -- the VPN subnet pair is denied (not translated), the rest is PAT'd.
    access-list 101 remark SDM_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 101 permit ip 192.168.20.0 0.0.0.255 any
    no cdp run
    !
    route-map SDM_RMAP_1 permit 1
    match ip address 101
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    !
    line con 0
    login local
    line 1
    modem InOut
    stopbits 1
    speed 115200
    flowcontrol hardware
    line aux 0
    ! NOTE(review): the VTY lines accept Telnet as well as SSH, land at privilege 15 on
    ! login, and no access-class is shown in this excerpt; prefer "transport input ssh"
    ! plus an access-class limiting management sources. "login local" needs a local
    ! username, none of which appears in the posted config -- presumably trimmed.
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    login local
    transport input telnet ssh
    !
    webvpn cef
    end

    ----------------------------------------------------------------------------------
    Debug log on the ASA 5500 (latest entries at the top):

    .Notice %ASA-5-713904: IP = X.X.X.2, Received encrypted packet with
    no matching SA, dropping
    .Warning %ASA-4-113019: Group = X.X.X.2, Username = X.X.X.2, IP =
    X.X.X.2, Session disconnected. Session Type: IPSecLAN2LAN, Duration:
    0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
    .Debug %ASA-7-713236: IP = X.X.X.2, IKE_DECODE SENDING Message
    (msgid=f0c3875d) with payloads : HDR + HASH (8) + DELETE (12) + NONE
    (0) total length : 80
    .Debug %ASA-7-715046: Group = X.X.X.2, IP = X.X.X.2, constructing
    qm hash payload
    .Debug %ASA-7-715046: Group = X.X.X.2, IP = X.X.X.2, constructing
    IKE delete payload
    .Debug %ASA-7-715046: Group = X.X.X.2, IP = X.X.X.2, constructing
    blank hash payload
    .Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, sending delete/
    delete with reason message
    .Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, IKE SA MM:
    1328f233 terminating: flags 0x0101c002, refcnt 0, tuncnt 0
    .Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, IKE SA MM:
    1328f233 rcv'd Terminate: state MM_ACTIVE flags 0x0001c042, refcnt 1,
    tuncnt 0
    .Error %ASA-3-713902: Group = X.X.X.2, IP = X.X.X.2, Removing peer
    from correlator table failed, no match!
    .Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, sending delete/
    delete with reason message
    .Debug %ASA-7-715065: Group = X.X.X.2, IP = X.X.X.2, IKE QM
    Responder FSM error history (struct &0x494ec78) <state>, <event>:
    QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2,
    EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG--
    >QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2,

    EV_COMP_HASH
    .Error %ASA-3-713902: Group = X.X.X.2, IP = X.X.X.2, QM FSM error
    (P2 struct &0x494ec78, mess id 0xd13ce919)!
    .Debug %ASA-7-713236: IP = X.X.X.2, IKE_DECODE SENDING Message
    (msgid=7f875ac9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE
    (0) total length : 84
    .Debug %ASA-7-715046: Group = X.X.X.2, IP = X.X.X.2, constructing
    qm hash payload
    .Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, constructing
    ipsec notify payload for msg id d13ce919
    .Debug %ASA-7-715046: Group = X.X.X.2, IP = X.X.X.2, constructing
    blank hash payload
    .Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, sending notify
    message
    .Notice %ASA-5-713904: Group = X.X.X.2, IP = X.X.X.2, All IPSec SA
    proposals found unacceptable!
    .Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing
    IPSec SA payload
    .Debug %ASA-7-713066: Group = X.X.X.2, IP = X.X.X.2, IKE Remote
    Peer configured for crypto map: WAN_map
    .Debug %ASA-7-713225: Group = X.X.X.2, IP = X.X.X.2, Static Crypto
    Map check, map WAN_map, seq = 1 is a successful match
    .Debug %ASA-7-713221: Group = X.X.X.2, IP = X.X.X.2, Static Crypto
    Map check, checking map = WAN_map, seq = 1...
    .Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, QM IsRekeyed
    old sa not found by addr
    .Debug %ASA-7-713034: Group = X.X.X.2, IP = X.X.X.2, Received local
    IP Proxy Subnet data in ID Payload: Address 192.168.0.0, Mask
    255.255.255.0, Protocol 0, Port 0
    .Debug %ASA-7-714011: Group = X.X.X.2, IP = X.X.X.2,
    ID_IPV4_ADDR_SUBNET ID received--192.168.0.0--255.255.255.0
    .Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing ID
    payload
    .Debug %ASA-7-713035: Group = X.X.X.2, IP = X.X.X.2, Received
    remote IP Proxy Subnet data in ID Payload: Address 192.168.20.0,
    Mask 255.255.255.0, Protocol 0, Port 0
    .Debug %ASA-7-714011: Group = X.X.X.2, IP = X.X.X.2,
    ID_IPV4_ADDR_SUBNET ID received--192.168.20.0--255.255.255.0
    .Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing ID
    payload
    .Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing
    nonce payload
    .Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing SA
    payload
    .Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing
    hash payload
    .Debug %ASA-7-713236: IP = X.X.X.2, IKE_DECODE RECEIVED Message
    (msgid=d13ce919) with payloads : HDR + HASH (8) + SA (1) + NONCE (10)
    + ID (5) + ID (5) + NONE (0) total length : 168
    .Debug %ASA-7-714003: IP = X.X.X.2, IKE Responder starting QM: msg
    id = d13ce919
    .Debug %ASA-7-715080: Group = X.X.X.2, IP = X.X.X.2, Starting P1
    rekey timer: 82080 seconds.
    .Debug %ASA-7-713121: IP = X.X.X.2, Keep-alive type for this
    connection: DPD
    .Error %ASA-3-713119: Group = X.X.X.2, IP = X.X.X.2, PHASE 1
    COMPLETED
    .Info %ASA-6-113009: AAA retrieved default group policy
    (DfltGrpPolicy) for user = X.X.X.2
    .Debug %ASA-7-713236: IP = X.X.X.2, IKE_DECODE SENDING Message
    (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE
    (128) + VENDOR (13) + NONE (0) total length : 96
    Young, Jan 9, 2008
    #1

  2. Young

    Town Dummy Guest

    Here's a better configuration example for you to follow, using an ASA and an IOS
    router.

    I took this straight from the Cisco document at the link below.

    http://www.cisco.com/en/US/customer...s_configuration_example09186a00805e8c80.shtml


    HQPIX(config)#show run
    ! Cisco sample: PIX/ASA 7.0 "HQ" side of a LAN-to-LAN tunnel to an IOS branch router
    ! (172.17.63.230), protecting 10.1.1.0/24 <-> 10.2.2.0/24. Lab values throughout --
    ! copy the structure, not the credentials or the algorithms.
    PIX Version 7.0(0)102
    names
    !
    interface Ethernet0
    description WAN interface
    nameif outside
    security-level 0
    ip address 172.17.63.229 255.255.255.240
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.1.1.1 255.255.255.0
    !
    interface Ethernet2
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet3
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet4
    shutdown
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet5
    shutdown
    no nameif
    no security-level
    no ip address
    !
    ! NOTE(review): lab credentials (the "passwd" hash is the same one in the original
    ! poster's ASA config, which suggests a default); not for reuse.
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    hostname HQPIX
    domain-name cisco.com
    ftp mode passive
    clock timezone AEST 10
    ! ACL 100 ("permit ip any any") is applied inbound on the inside interface below,
    ! i.e. all outbound LAN traffic is allowed. ACL 150 is defined but not referenced
    ! anywhere in this listing; "nonat" serves as both the crypto ACL and the NAT
    ! exemption ACL.
    access-list 100 extended permit ip any any
    access-list 150 extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0
    255.255.255.0
    access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0
    255.255.255.0
    pager lines 24
    logging enable
    logging buffered debugging
    mtu inside 1500
    mtu outside 1500
    no failover
    monitor-interface inside
    monitor-interface outside
    asdm image flash:/asdmfile.50073
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 10.1.1.0 255.255.255.0
    access-group 100 in interface inside
    ! Default route points at the branch router itself -- a back-to-back lab topology.
    route outside 0.0.0.0 0.0.0.0 172.17.63.230 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server partner protocol tacacs+
    username cisco password 3USUcOPFUiMCO4Jk encrypted
    ! ASDM/HTTPS access limited to a single inside host.
    http server enable
    http 10.1.1.2 255.255.255.255 inside
    no snmp-server location
    no snmp-server contact
    ! NOTE(review): "public" is the well-known default community string; restrict or change it.
    snmp-server community public
    snmp-server enable traps snmp

    ! NOTE(review): single DES with MD5 is a lab-era choice and weak by current
    ! standards; use at least the 3DES/SHA set from the original post (or AES) on
    ! both sides. Neither this crypto map nor the branch router's "nolan 11" uses
    ! "set pfs", so PFS is consistently off on both ends -- the relevant difference
    ! from the original poster's setup, where only the ASA sets PFS.
    crypto ipsec transform-set avalanche esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 3600
    crypto ipsec df-bit clear-df outside
    crypto map forsberg 21 match address nonat
    crypto map forsberg 21 set peer 172.17.63.230
    crypto map forsberg 21 set transform-set avalanche
    crypto map forsberg interface outside
    isakmp identity address
    isakmp enable outside
    ! Phase 1: pre-share / 3DES / SHA-1 / group 2, matching the branch "isakmp policy 11".
    ! Policy 65535 looks like the built-in default policy echoed by this release.
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption 3des
    isakmp policy 1 hash sha
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 86400
    isakmp policy 65535 authentication pre-share
    isakmp policy 65535 encryption 3des
    isakmp policy 65535 hash sha
    isakmp policy 65535 group 2
    isakmp policy 65535 lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    tunnel-group 172.17.63.230 type ipsec-l2l
    tunnel-group 172.17.63.230 ipsec-attributes
    pre-shared-key *
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map asa_global_fw_policy
    class inspection_default
    inspect dns maximum-length 512
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    inspect http
    !
    service-policy asa_global_fw_policy global
    Cryptochecksum:3a5851f7310d14e82bdf17e64d638738
    : end
    SV-2-8#

    Branch Router

    BranchRouter#show run
    Building configuration...

    Current configuration : 1719 bytes
    !
    ! Last configuration change at 13:03:25 AEST Tue Apr 5 2005
    ! NVRAM config last updated at 13:03:44 AEST Tue Apr 5 2005
    !
    ! Cisco sample: IOS 12.2 branch side, outside 172.17.63.230, LAN 10.2.2.0/24,
    ! peer 172.17.63.229. Same lab caveats as the HQ side: copy the pattern, not the values.
    version 12.2
    service timestamps debug datetime msec
    service timestamps log uptime
    ! NOTE(review): password encryption is off and the local account below is a
    ! privilege-15 user with a cleartext "cisco"/"cisco" credential; lab only.
    no service password-encryption
    !
    hostname BranchRouter
    !
    logging queue-limit 100
    logging buffered 4096 debugging
    !
    username cisco privilege 15 password 0 cisco
    memory-size iomem 15
    clock timezone AEST 10
    ip subnet-zero
    !
    !
    !
    ip audit notify log
    ip audit po max-events 100
    !
    !
    !
    ! Phase 1: 3DES / pre-share / group 2 with the IOS default hash (SHA-1); matches HQ's
    ! "isakmp policy 1". The PSK "cisco123" is a cleartext lab value.
    crypto isakmp policy 11
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key cisco123 address 172.17.63.229
    !
    !
    ! Phase 2: DES/MD5 to match HQ's transform set "avalanche" -- weak; see the HQ notes.
    crypto ipsec transform-set sharks esp-des esp-md5-hmac
    !
    ! No "set pfs" here, consistent with HQ's crypto map "forsberg 21".
    crypto map nolan 11 ipsec-isakmp
    set peer 172.17.63.229
    set transform-set sharks
    match address 120
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    no voice hpi capture buffer
    no voice hpi capture destination
    !
    !
    mta receive maximum-recipients 0
    !
    !
    !
    !
    ! Outside interface: crypto map applied here; NAT outside.
    interface Ethernet0/0
    ip address 172.17.63.230 255.255.255.240
    ip nat outside
    no ip route-cache
    no ip mroute-cache
    half-duplex
    crypto map nolan
    !
    interface Ethernet0/1
    ip address 10.2.2.1 255.255.255.0
    ip nat inside
    half-duplex
    !
    ! PAT behind the outside address for whatever route-map "nonat" (ACL 130) permits.
    ip nat pool branch 172.17.63.230 172.17.63.230 netmask 255.255.255.0
    ip nat inside source route-map nonat pool branch overload
    no ip http server
    no ip http secure-server
    ip classless
    ! Static route to the HQ LAN via the peer; no default route in this listing.
    ip route 10.1.1.0 255.255.255.0 172.17.63.229
    !
    !
    !
    ! ACL 120: crypto ACL, the mirror image of HQ's "nonat". ACL 130: NAT exemption --
    ! the VPN subnet pair is denied (not translated), everything else is PAT'd.
    access-list 120 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 130 deny ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 130 permit ip 10.2.2.0 0.0.0.255 any
    !
    route-map nonat permit 10
    match ip address 130
    !
    call rsvp-sync
    !
    !
    mgcp profile default
    !
    dial-peer cor custom
    !
    !
    !
    !
    !
    ! NOTE(review): "line vty 0 4" has "login" but no "password" line in this listing,
    ! so remote login would be refused unless one was trimmed; no "transport input"
    ! restriction or access-class is shown either.
    line con 0
    line aux 0
    line vty 0 4
    login
    !
    !
    end


    "Young" <> wrote in message
    news:...
    > Hi,
    > I configured Cisco ASA 5500 security appliance and cisco 1800 router,
    > I want to enable site to site vpn tunnel between this two devices.
    > But I keep getting error: All IPSec SA proposals found
    > unacceptable!.
    > Can someone take a look on the configuration and advise me how to
    > resolve the problem, get site to site vpn work.
    > Thank you,
    > Young
    >
    >
    > ASA 5500, 1800 router configuration and debug log as following:
    >
    > ASA5500 outside ip address: x.x.x.1 1800 router outside ip
    > address: x.x.x.2
    > -------------------------------------------------------------------------------------------------------
    > ASA Version 7.2(3)
    > !
    > hostname ASA5500
    >
    > interface Ethernet0/0
    > description WAN
    > nameif WAN
    > security-level 0
    > ip address X.X.X.1 255.255.255.248
    > !
    > interface Ethernet0/1
    > description LAN
    > nameif LAN
    > security-level 100
    > ip address 192.168.0.55 255.255.255.0
    > !
    > interface Ethernet0/2
    > shutdown
    > no nameif
    > no security-level
    > no ip address
    > !
    > interface Ethernet0/3
    > shutdown
    > no nameif
    > no security-level
    > no ip address
    > !
    > interface Management0/0
    > nameif management
    > security-level 100
    > ip address 192.168.1.1 255.255.255.0
    > management-only
    > !
    > passwd 2KFQnbNIdI.2KYOU encrypted
    >
    > same-security-traffic permit inter-interface
    > same-security-traffic permit intra-interface
    > access-list WAN_1_cryptomap extended permit ip 192.168.0.0
    > 255.255.255.0 192.168.20.0 255.255.255.0
    > access-list testing_splitTunnelAcl standard permit 192.168.0.0
    > 255.255.255.0
    > access-list TestVPN_splitTunnelAcl standard permit 192.168.0.0
    > 255.255.255.0
    > access-list WAN_nat0_outbound extended permit ip 192.168.0.0
    > 255.255.255.0 192.168.20.0 255.255.255.0
    > pager lines 24
    >
    > global (WAN) 101 interface
    > nat (LAN) 0 access-list WAN_nat0_outbound
    > nat (LAN) 101 192.168.0.0 255.255.255.0
    > route WAN 0.0.0.0 0.0.0.0 outside_gateway_ip_address 1
    >
    > crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    > crypto map WAN_map 1 match address WAN_1_cryptomap
    > crypto map WAN_map 1 set pfs
    > crypto map WAN_map 1 set peer X.X.X.2
    > crypto map WAN_map 1 set transform-set ESP-3DES-SHA
    > crypto map WAN_map interface WAN
    > crypto isakmp enable WAN
    > crypto isakmp policy 10
    > authentication pre-share
    > encryption 3des
    > hash sha
    > group 2
    > lifetime 86400
    > !
    > service-policy global_policy global
    > webvpn
    > customization customization1
    > title text Test Group of Companies WebVPN Service
    >
    > tunnel-group X.X.X.2 type ipsec-l2l
    > tunnel-group X.X.X.2 ipsec-attributes
    > pre-shared-key *
    > !
    > : end
    >
    > ------------------------------------------------------------------------------------------
    > Cisco 1800 router
    >
    > version 12.4
    >
    > hostname cisco1800
    > !
    > boot-start-marker
    > boot-end-marker
    > !
    > logging buffered 52000
    > !
    > no aaa new-model
    > !
    > !
    > crypto isakmp policy 1
    > encr 3des
    > authentication pre-share
    > group 2
    > crypto isakmp key Test address X.X.X.1
    > !
    > !
    > crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    > !
    > crypto map SDM_CMAP_1 1 ipsec-isakmp
    > description Tunnel toX.X.X.1
    > set peer X.X.X.1
    > set transform-set ESP-3DES-SHA
    > match address 100
    > !
    > interface FastEthernet0
    > description $ETH-LAN$
    > ip address X.X.X.2 255.255.255.248
    > ip nat outside
    > ip virtual-reassembly
    > duplex auto
    > speed auto
    > crypto map SDM_CMAP_1
    > !
    > interface FastEthernet1
    > no ip address
    > shutdown
    > duplex auto
    > speed auto
    > !
    > interface FastEthernet2
    > !
    > interface FastEthernet3
    > !
    > interface FastEthernet4
    > !
    > interface FastEthernet5
    > !
    > interface FastEthernet6
    > !
    > interface FastEthernet7
    > !
    > interface FastEthernet8
    > !
    > interface FastEthernet9
    > !
    > interface Dot11Radio0
    > no ip address
    > !
    > ssid Cisco1800
    > !
    > speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0
    > 36.0 48.0 54.0
    > station-role root
    > bridge-group 1
    > bridge-group 1 subscriber-loop-control
    > bridge-group 1 spanning-disabled
    > bridge-group 1 block-unknown-source
    > no bridge-group 1 source-learning
    > no bridge-group 1 unicast-flooding
    > !
    > interface Dot11Radio1
    > no ip address
    > !
    > ssid Cisco1800
    > !
    > speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
    > station-role root
    > bridge-group 1
    > bridge-group 1 subscriber-loop-control
    > bridge-group 1 spanning-disabled
    > bridge-group 1 block-unknown-source
    > no bridge-group 1 source-learning
    > no bridge-group 1 unicast-flooding
    > !
    > interface Vlan1
    > description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
    > no ip address
    > ip tcp adjust-mss 1452
    > bridge-group 1
    > !
    > interface Async1
    > no ip address
    > encapsulation slip
    > !
    > interface BVI1
    > description $ES_LAN$
    > ip address 192.168.20.1 255.255.255.0
    > ip nat inside
    > ip virtual-reassembly
    > !
    > ip route 0.0.0.0 0.0.0.0 207.245.34.49
    > !
    > ip nat pool office X.X.X.2 X.X.X.2 netmask 255.255.255.248
    > ip nat inside source route-map SDM_RMAP_1 pool office overload
    >
    > access-list 1 remark SDM_ACL Category=2
    > access-list 1 permit 192.168.20.0 0.0.0.255
    > access-list 100 remark SDM_ACL Category=4
    > access-list 100 remark IPSec Rule
    > access-list 100 permit ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
    > access-list 101 remark SDM_ACL Category=2
    > access-list 101 remark IPSec Rule
    > access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.0.0 0.0.0.255
    > access-list 101 permit ip 192.168.20.0 0.0.0.255 any
    > no cdp run
    > !
    > route-map SDM_RMAP_1 permit 1
    > match ip address 101
    > !
    > control-plane
    > !
    > bridge 1 protocol ieee
    > bridge 1 route ip
    > !
    > line con 0
    > login local
    > line 1
    > modem InOut
    > stopbits 1
    > speed 115200
    > flowcontrol hardware
    > line aux 0
    > line vty 0 4
    > privilege level 15
    > login local
    > transport input telnet ssh
    > line vty 5 15
    > privilege level 15
    > login local
    > transport input telnet ssh
    > !
    > webvpn cef
    > end
    >
    > ----------------------------------------------------------------------------------
    > Debug Log on ASA 5500 (Latest log on the top)
    >
    > .Notice %ASA-5-713904: IP = X.X.X.2, Received encrypted packet with
    > no matching SA, dropping
    > .Warning %ASA-4-113019: Group = X.X.X.2, Username = X.X.X.2, IP =
    > X.X.X.2, Session disconnected. Session Type: IPSecLAN2LAN, Duration:
    > 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
    > .Debug %ASA-7-713236: IP = X.X.X.2, IKE_DECODE SENDING Message
    > (msgid=f0c3875d) with payloads : HDR + HASH (8) + DELETE (12) + NONE
    > (0) total length : 80
    > .Debug %ASA-7-715046: Group = X.X.X.2, IP = X.X.X.2, constructing
    > qm hash payload
    > .Debug %ASA-7-715046: Group = X.X.X.2, IP = X.X.X.2, constructing
    > IKE delete payload
    > .Debug %ASA-7-715046: Group = X.X.X.2, IP = X.X.X.2, constructing
    > blank hash payload
    > .Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, sending delete/
    > delete with reason message
    > .Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, IKE SA MM:
    > 1328f233 terminating: flags 0x0101c002, refcnt 0, tuncnt 0
    > .Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, IKE SA MM:
    > 1328f233 rcv'd Terminate: state MM_ACTIVE flags 0x0001c042, refcnt 1,
    > tuncnt 0
    > .Error %ASA-3-713902: Group = X.X.X.2, IP = X.X.X.2, Removing peer
    > from correlator table failed, no match!
    > .Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, sending delete/
    > delete with reason message
    > .Debug %ASA-7-715065: Group = X.X.X.2, IP = X.X.X.2, IKE QM
    > Responder FSM error history (struct &0x494ec78) <state>, <event>:
    > QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2,
    > EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG--
    >>QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2,

    > EV_COMP_HASH
    > .Error %ASA-3-713902: Group = X.X.X.2, IP = X.X.X.2, QM FSM error
    > (P2 struct &0x494ec78, mess id 0xd13ce919)!
    > .Debug %ASA-7-713236: IP = X.X.X.2, IKE_DECODE SENDING Message
    > (msgid=7f875ac9) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE
    > (0) total length : 84
    > .Debug %ASA-7-715046: Group = X.X.X.2, IP = X.X.X.2, constructing
    > qm hash payload
    > .Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, constructing
    > ipsec notify payload for msg id d13ce919
    > .Debug %ASA-7-715046: Group = X.X.X.2, IP = X.X.X.2, constructing
    > blank hash payload
    > .Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, sending notify
    > message
    > .Notice %ASA-5-713904: Group = X.X.X.2, IP = X.X.X.2, All IPSec SA
    > proposals found unacceptable!
    > .Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing
    > IPSec SA payload
    > .Debug %ASA-7-713066: Group = X.X.X.2, IP = X.X.X.2, IKE Remote
    > Peer configured for crypto map: WAN_map
    > .Debug %ASA-7-713225: Group = X.X.X.2, IP = X.X.X.2, Static Crypto
    > Map check, map WAN_map, seq = 1 is a successful match
    > .Debug %ASA-7-713221: Group = X.X.X.2, IP = X.X.X.2, Static Crypto
    > Map check, checking map = WAN_map, seq = 1...
    > .Debug %ASA-7-713906: Group = X.X.X.2, IP = X.X.X.2, QM IsRekeyed
    > old sa not found by addr
    > .Debug %ASA-7-713034: Group = X.X.X.2, IP = X.X.X.2, Received local
    > IP Proxy Subnet data in ID Payload: Address 192.168.0.0, Mask
    > 255.255.255.0, Protocol 0, Port 0
    > .Debug %ASA-7-714011: Group = X.X.X.2, IP = X.X.X.2,
    > ID_IPV4_ADDR_SUBNET ID received--192.168.0.0--255.255.255.0
    > .Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing ID
    > payload
    > .Debug %ASA-7-713035: Group = X.X.X.2, IP = X.X.X.2, Received
    > remote IP Proxy Subnet data in ID Payload: Address 192.168.20.0,
    > Mask 255.255.255.0, Protocol 0, Port 0
    > .Debug %ASA-7-714011: Group = X.X.X.2, IP = X.X.X.2,
    > ID_IPV4_ADDR_SUBNET ID received--192.168.20.0--255.255.255.0
    > .Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing ID
    > payload
    > .Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing
    > nonce payload
    > .Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing SA
    > payload
    > .Debug %ASA-7-715047: Group = X.X.X.2, IP = X.X.X.2, processing
    > hash payload
    > .Debug %ASA-7-713236: IP = X.X.X.2, IKE_DECODE RECEIVED Message
    > (msgid=d13ce919) with payloads : HDR + HASH (8) + SA (1) + NONCE (10)
    > + ID (5) + ID (5) + NONE (0) total length : 168
    > .Debug %ASA-7-714003: IP = X.X.X.2, IKE Responder starting QM: msg
    > id = d13ce919
    > .Debug %ASA-7-715080: Group = X.X.X.2, IP = X.X.X.2, Starting P1
    > rekey timer: 82080 seconds.
    > .Debug %ASA-7-713121: IP = X.X.X.2, Keep-alive type for this
    > connection: DPD
    > .Error %ASA-3-713119: Group = X.X.X.2, IP = X.X.X.2, PHASE 1
    > COMPLETED
    > .Info %ASA-6-113009: AAA retrieved default group policy
    > (DfltGrpPolicy) for user = X.X.X.2
    > .Debug %ASA-7-713236: IP = X.X.X.2, IKE_DECODE SENDING Message
    > (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE
    > (128) + VENDOR (13) + NONE (0) total length : 96
    Town Dummy, Jan 19, 2008
    #2

  3. Young

    nonameforyou

    If you're still looking for the answer: you are missing the hash setting for ISAKMP on the 1800, and Phase 2 is failing because of this. Also, your ASA does not have Diffie-Hellman group 2 configured for ISAKMP.
    Last edited: Aug 22, 2012
    nonameforyou, Aug 22, 2012
    #3
