Trouble connecting L2L using 5505 and 3000

Discussion in 'Cisco' started by David Kerber, Mar 23, 2009.

  1. David Kerber

    David Kerber Guest

    I'm trying to connect our brand new 5505 to a customer's 3000 in lan-to-
    lan configuration, and am having trouble. I've had two different
    consultants look at and they haven't been able to solve it either. What
    we're seeing right now is that we see the IKE phase 1 negotiation start
    from our end, but it never completes. I suspect an incompatibility in
    the encryption or auth settings. They sent us an excerpt from their
    3000 config, but i don't know how to translate the numbers to equivalent
    5505 settings:

    name=L2L: (our name)
    inheritance=1
    authprotocol=2
    authalgorithm=2
    authkeysize=128
    encrprotocol=2
    encralgorithm=4
    encrkeysize=168
    compression=2
    lifetimemode=1
    lifetimekbytes=10000
    lifetimeseconds=86400
    gatewayaddress=(our peer ip address, which is correct)
    ikephase1mode=2
    ikeauthmode=1
    ikeauthalgorithm=2
    ikeencralgorithm=2
    ikelifetimemode=1
    ikelifetimekbytes=10000
    ikelifetimeseconds=86400
    ikecerthandle=0
    ikecertpathenab=2
    * ikedhgroup=3
    ipsecencapmode=2
    * pfsdhgroup=1
    replayprotection=2
    ikeproposal=1
    ikenattenable=2
    l2ltype=1
    l2lpeerlist=
    [securityassociation 30]
    rowstatus=1


    Can somebody point me to a reference that will tell me what each of
    those settings mean, so I can compare them with our 5505's equivalents?
    I'm particularly suspect of the two dhgroup entries I've starred above,
    because they told me they use diffie-helman group 2, and don't use
    perfect forwarding secrecy.

    --
    /~\ The ASCII
    \ / Ribbon Campaign
    X Against HTML
    / \ Email!

    Remove the ns_ from if replying by e-mail (but keep posts in the
    newsgroups if possible).
     
    David Kerber, Mar 23, 2009
    #1
    1. Advertising

  2. David Kerber

    venkatb76 Guest

    try below command in Isakmp and Crypto map

    isakmp policy x group 1 -

    you can have multiple P1 policies and during negotioation it will
    choose matching on.

    and

    crypto map tesr 1 set pfs group1 - Enable PFS

    and re-check the PSK


    If you can send me the output of "debug Crypto ISAKMP 7 " will be
    easy to troubleshoot.

    Venkt
     
    venkatb76, Mar 23, 2009
    #2
    1. Advertising

  3. David Kerber

    David Kerber Guest

    In article <26166a3e-f44b-4af7-bc64-b007fdb1aeb8
    @c36g2000yqn.googlegroups.com>, says...
    > try below command in Isakmp and Crypto map
    >
    > isakmp policy x group 1 -
    >
    > you can have multiple P1 policies and during negotioation it will
    > choose matching on.


    That doesn't seem to have helped, though I'm not 100% certain I
    understood you correctly. Were you saying to add additional "crypto
    isakmp policy xx" sections with different settings, such as:

    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400

    crypto isakmp policy 20
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400

    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 5
    lifetime 86400


    If so, that's what I did.




    > and
    >
    > crypto map tesr 1 set pfs group1 - Enable PFS


    They insist they don't use pfs


    > and re-check the PSK


    Verified this several times, including both typing it in, and
    copy/pasting it.

    >
    >
    > If you can send me the output of "debug Crypto ISAKMP 7 " will be
    > easy to troubleshoot.



    Here you go; I verified that the IP address of the peer was correct
    before *'ing it out; I hope you can read more from it than I can!

    Mar 23 16:27:46 [IKEv1 DEBUG]: Pitcher: received a key acquire message,
    spi 0x0

    Mar 23 16:27:46 [IKEv1]: IP = ***************, IKE Initiator: New Phase
    1, Intf inside, IKE Peer *************** local Proxy Address
    10.98.5.252, remote Proxy Address 10.98.14.1, Crypto map (outside_map)

    Mar 23 16:27:46 [IKEv1 DEBUG]: IP = ***************, constructing ISAKMP
    SA payload

    Mar 23 16:27:46 [IKEv1 DEBUG]: IP = ***************, constructing
    Fragmentation VID + extended capabilities payload

    Mar 23 16:27:46 [IKEv1]: IP = ***************, IKE_DECODE SENDING
    Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0)
    total length : 108

    Mar 23 16:27:51 [IKEv1 DEBUG]: Pitcher: received a key acquire message,
    spi 0x0

    Mar 23 16:27:51 [IKEv1]: IP = ***************, Queuing KEY-ACQUIRE
    messages to be processed when P1 SA is complete.

    Mar 23 16:27:54 [IKEv1]: IP = ***************, IKE_DECODE RESENDING
    Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0)
    total length : 108

    Mar 23 16:27:57 [IKEv1 DEBUG]: Pitcher: received a key acquire message,
    spi 0x0

    Mar 23 16:27:57 [IKEv1]: IP = ***************, Queuing KEY-ACQUIRE
    messages to be processed when P1 SA is complete.

    Mar 23 16:28:02 [IKEv1 DEBUG]: Pitcher: received a key acquire message,
    spi 0x0Mar 23 16:28:02 [IKEv1]: IP = ***************, Queuing KEY-
    ACQUIRE messages to be processed when P1 SA is complete.

    Mar 23 16:28:02 [IKEv1]: IP = ***************, IKE_DECODE RESENDING
    Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0)
    total length : 108

    Mar 23 16:28:10 [IKEv1]: IP = ***************, IKE_DECODE RESENDING
    Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0)
    total length : 108

    Mar 23 16:28:18 [IKEv1 DEBUG]: IP = ***************, IKE MM Initiator
    FSM error history (struct &0x412fe28) <state>, <event>: MM_DONE,
    EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->
    MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1,
    EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

    Mar 23 16:28:18 [IKEv1 DEBUG]: IP = ***************, IKE SA MM:1663dcb5
    terminating: flags 0x01000022, refcnt 0, tuncnt 0

    Mar 23 16:28:18 [IKEv1 DEBUG]: IP = ***************, sending
    delete/delete with reason message

    Mar 23 16:28:18 [IKEv1]: IP = ***************, Removing peer from peer
    table failed, no match!

    Mar 23 16:28:18 [IKEv1]: IP = ***************, Error: Unable to remove
    PeerTblEntry



    --
    /~\ The ASCII
    \ / Ribbon Campaign
    X Against HTML
    / \ Email!

    Remove the ns_ from if replying by e-mail (but keep posts in the
    newsgroups if possible).
     
    David Kerber, Mar 23, 2009
    #3
  4. David Kerber

    venkatb76 Guest

    On Mar 23, 6:06 pm, David Kerber <ns_dkerber@ns_wraenviro.com> wrote:
    > I'm trying to connect our brand new 5505 to a customer's 3000 in lan-to-
    > lan configuration, and am having trouble.  I've had two different
    > consultants look at and they haven't been able to solve it either.  What
    > we're seeing right now is that we see the IKE phase 1 negotiation start
    > from our end, but it never completes.  I suspect an incompatibility in
    > the encryption or auth settings.  They sent us an excerpt from their
    > 3000 config, but i don't know how to translate the numbers to equivalent
    > 5505 settings:
    >
    >         name=L2L: (our name)
    >         inheritance=1
    >         authprotocol=2
    >         authalgorithm=2
    >         authkeysize=128
    >         encrprotocol=2
    >         encralgorithm=4
    >         encrkeysize=168
    >         compression=2
    >         lifetimemode=1
    >         lifetimekbytes=10000
    >         lifetimeseconds=86400
    >         gatewayaddress=(our peer ip address, which is correct)
    >         ikephase1mode=2
    >         ikeauthmode=1
    >         ikeauthalgorithm=2
    >         ikeencralgorithm=2
    >         ikelifetimemode=1
    >         ikelifetimekbytes=10000
    >         ikelifetimeseconds=86400
    >         ikecerthandle=0
    >         ikecertpathenab=2
    > *       ikedhgroup=3
    >         ipsecencapmode=2
    > *       pfsdhgroup=1
    >         replayprotection=2
    >         ikeproposal=1
    >         ikenattenable=2
    >         l2ltype=1
    >         l2lpeerlist=
    >         [securityassociation 30]
    >         rowstatus=1
    >
    > Can somebody point me to a reference that will tell me what each of
    > those settings mean, so I can compare them with our 5505's equivalents?  
    > I'm particularly suspect of the two dhgroup entries I've starred above,
    > because they told me they use diffie-helman group 2, and don't use
    > perfect forwarding secrecy.
    >
    > --
    > /~\ The ASCII
    > \ / Ribbon Campaign
    >  X  Against HTML
    > / \ Email!
    >
    > Remove the ns_ from if replying by e-mail (but keep posts in the
    > newsgroups if possible).


    Hello,

    MM_WAIT_MSG2 messge shows something wrong
    1) Crypto ACL
    2) VPN traffic is getting blocked by ACL or some device
    3) Incorrect P1 parameter
    4) Incorrect NAT.. (if you have nat configured somewhere)

    Best may be you should ask the VPN concentrator config Screen Shots
    and match that config on the ASA.

    Regards,

    Venky
     
    venkatb76, Mar 26, 2009
    #4
  5. David Kerber

    venkatb76 Guest

    On Mar 26, 7:37 pm, David Kerber
    <ns_dkerber@ns_WarrenRogersAssociates.com> wrote:
    > In article <2997c6ec-d4ac-449b-a3b8-1e29e850f468
    > @l13g2000vba.googlegroups.com>, says...
    >
    > ...
    >
    >
    >
    > > > Can somebody point me to a reference that will tell me what each of
    > > > those settings mean, so I can compare them with our 5505's equivalents?  
    > > > I'm particularly suspect of the two dhgroup entries I've starred above,
    > > > because they told me they use diffie-helman group 2, and don't use
    > > > perfect forwarding secrecy.

    >
    > ...
    >
    >
    >
    > > Hello,

    >
    > > MM_WAIT_MSG2 messge shows something wrong
    > > 1) Crypto ACL
    > > 2) VPN traffic is getting blocked by ACL or some device
    > > 3) Incorrect P1 parameter
    > > 4) Incorrect NAT.. (if you have nat configured somewhere)

    >
    > > Best may be you should ask the VPN concentrator config Screen Shots
    > > and match that config on the ASA.

    >
    > I did that, and we matched.  
    >
    > What we ended up doing was resetting the ASA back to out-of-the-box
    > factory config and rerunning the setup wizards, and then the tunnel came
    > up using the same settings we had in it before.  Apparently something in
    > the ASA had gotten into some weird state that didn't go away until we
    > did the factory reset.
    >
    > Now I have another question, but I'll start a new thread for it.
    >
    > --
    > /~\ The ASCII
    > \ / Ribbon Campaign
    >  X  Against HTML
    > / \ Email!
    >
    > Remove the ns_ from if replying by e-mail (but keep posts in the
    > newsgroups if possible).

    Great.. Stranage ... never seen this issue before that required
    factory reset of the ASA.
     
    venkatb76, Mar 27, 2009
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Rick B.

    Cisco 3000 L2L Tunnel Troubles

    Rick B., Dec 11, 2003, in forum: Cisco
    Replies:
    5
    Views:
    25,261
    Rick B.
    Dec 16, 2003
  2. jspr

    vpn 3000 pix L2L Trouble

    jspr, Feb 6, 2006, in forum: Cisco
    Replies:
    0
    Views:
    545
  3. mattsnow
    Replies:
    5
    Views:
    5,985
    mattsnow
    Apr 5, 2007
  4. Replies:
    1
    Views:
    568
    Martin Bilgrav
    May 1, 2008
  5. lesniak81
    Replies:
    0
    Views:
    2,242
    lesniak81
    Jan 13, 2009
Loading...

Share This Page