Trouble connecting L2L using 5505 and 3000

Discussion in 'Cisco' started by David Kerber, Mar 23, 2009.

  1. David Kerber

    David Kerber Guest

    I'm trying to connect our brand new 5505 to a customer's 3000 in a lan-to-lan
    configuration, and am having trouble. I've had two different
    consultants look at it and they haven't been able to solve it either. What
    we're seeing right now is that we see the IKE phase 1 negotiation start
    from our end, but it never completes. I suspect an incompatibility in
    the encryption or auth settings. They sent us an excerpt from their
    3000 config, but I don't know how to translate the numbers to equivalent
    5505 settings:

    name=L2L: (our name)
    inheritance=1
    authprotocol=2
    authalgorithm=2
    authkeysize=128
    encrprotocol=2
    encralgorithm=4
    encrkeysize=168
    compression=2
    lifetimemode=1
    lifetimekbytes=10000
    lifetimeseconds=86400
    gatewayaddress=(our peer ip address, which is correct)
    ikephase1mode=2
    ikeauthmode=1
    ikeauthalgorithm=2
    ikeencralgorithm=2
    ikelifetimemode=1
    ikelifetimekbytes=10000
    ikelifetimeseconds=86400
    ikecerthandle=0
    ikecertpathenab=2
    * ikedhgroup=3
    ipsecencapmode=2
    * pfsdhgroup=1
    replayprotection=2
    ikeproposal=1
    ikenattenable=2
    l2ltype=1
    l2lpeerlist=
    [securityassociation 30]
    rowstatus=1


    Can somebody point me to a reference that will tell me what each of
    those settings means, so I can compare them with our 5505's equivalents?
    I'm particularly suspicious of the two dhgroup entries I've starred above,
    because they told me they use Diffie-Hellman group 2, and don't use
    perfect forward secrecy.

    --
    /~\ The ASCII
    \ / Ribbon Campaign
    X Against HTML
    / \ Email!

    Remove the ns_ from if replying by e-mail (but keep posts in the
    newsgroups if possible).
     
    David Kerber, Mar 23, 2009
    #1

  2. venkatb76

    venkatb76 Guest

    Try the below commands in the ISAKMP policy and crypto map:

    isakmp policy x group 1 -

    You can have multiple P1 policies, and during negotiation it will
    choose the matching one.

    and

    crypto map tesr 1 set pfs group1 - Enable PFS

    and re-check the PSK.


    If you can send me the output of "debug crypto isakmp 7", it will be
    easy to troubleshoot.

    Venkt
     
    venkatb76, Mar 23, 2009
    #2

  3. David Kerber

    David Kerber Guest

    That doesn't seem to have helped, though I'm not 100% certain I
    understood you correctly. Were you saying to add additional "crypto
    isakmp policy xx" sections with different settings, such as:

    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400

    crypto isakmp policy 20
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400

    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash sha
    group 5
    lifetime 86400


    If so, that's what I did.



    They insist they don't use pfs

    Verified this several times, including both typing it in, and
    copy/pasting it.

    Here you go; I verified that the IP address of the peer was correct
    before *'ing it out; I hope you can read more from it than I can!

    Mar 23 16:27:46 [IKEv1 DEBUG]: Pitcher: received a key acquire message,
    spi 0x0

    Mar 23 16:27:46 [IKEv1]: IP = ***************, IKE Initiator: New Phase
    1, Intf inside, IKE Peer *************** local Proxy Address
    10.98.5.252, remote Proxy Address 10.98.14.1, Crypto map (outside_map)

    Mar 23 16:27:46 [IKEv1 DEBUG]: IP = ***************, constructing ISAKMP
    SA payload

    Mar 23 16:27:46 [IKEv1 DEBUG]: IP = ***************, constructing
    Fragmentation VID + extended capabilities payload

    Mar 23 16:27:46 [IKEv1]: IP = ***************, IKE_DECODE SENDING
    Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0)
    total length : 108

    Mar 23 16:27:51 [IKEv1 DEBUG]: Pitcher: received a key acquire message,
    spi 0x0

    Mar 23 16:27:51 [IKEv1]: IP = ***************, Queuing KEY-ACQUIRE
    messages to be processed when P1 SA is complete.

    Mar 23 16:27:54 [IKEv1]: IP = ***************, IKE_DECODE RESENDING
    Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0)
    total length : 108

    Mar 23 16:27:57 [IKEv1 DEBUG]: Pitcher: received a key acquire message,
    spi 0x0

    Mar 23 16:27:57 [IKEv1]: IP = ***************, Queuing KEY-ACQUIRE
    messages to be processed when P1 SA is complete.

    Mar 23 16:28:02 [IKEv1 DEBUG]: Pitcher: received a key acquire message,
    spi 0x0

    Mar 23 16:28:02 [IKEv1]: IP = ***************, Queuing KEY-ACQUIRE
    messages to be processed when P1 SA is complete.

    Mar 23 16:28:02 [IKEv1]: IP = ***************, IKE_DECODE RESENDING
    Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0)
    total length : 108

    Mar 23 16:28:10 [IKEv1]: IP = ***************, IKE_DECODE RESENDING
    Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0)
    total length : 108

    Mar 23 16:28:18 [IKEv1 DEBUG]: IP = ***************, IKE MM Initiator
    FSM error history (struct &0x412fe28) <state>, <event>: MM_DONE,
    EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->
    MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1,
    EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY

    Mar 23 16:28:18 [IKEv1 DEBUG]: IP = ***************, IKE SA MM:1663dcb5
    terminating: flags 0x01000022, refcnt 0, tuncnt 0

    Mar 23 16:28:18 [IKEv1 DEBUG]: IP = ***************, sending
    delete/delete with reason message

    Mar 23 16:28:18 [IKEv1]: IP = ***************, Removing peer from peer
    table failed, no match!

    Mar 23 16:28:18 [IKEv1]: IP = ***************, Error: Unable to remove
    PeerTblEntry



     
    David Kerber, Mar 23, 2009
    #3
  4. venkatb76

    venkatb76 Guest

    Hello,

    The MM_WAIT_MSG2 message shows something wrong:
    1) Crypto ACL
    2) VPN traffic is getting blocked by an ACL or some device
    3) Incorrect P1 parameter
    4) Incorrect NAT (if you have NAT configured somewhere)

    Best may be that you ask for screenshots of the VPN concentrator config
    and match that config on the ASA.

    Regards,

    Venky
     
    venkatb76, Mar 26, 2009
    #4
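The debug excerpt in post #3 and the MM_WAIT_MSG2 checklist in post #4 can be turned into a small triage step. The following is an added example, not code from the thread or from Cisco: it parses the ASA IKEv1 initiator debug, counts how many times main-mode MSG1 was sent, checks whether anything was ever received from the peer, and reads the furthest MM_WAIT_MSGn state out of the FSM error history, so the "nothing came back at all" case (path, ACL, NAT, wrong peer address) is separated from "the peer answered but rejected the proposal". The sample log is constructed from the thread's excerpt with the documentation address 203.0.113.10 standing in for the masked peer.

```python
import re
from collections import Counter

# Constructed sample modelled on the debug excerpt posted in this thread; the
# peer address is the RFC 5737 documentation address 203.0.113.10, not a real host.
SAMPLE_DEBUG = """\
Mar 23 16:27:46 [IKEv1]: IP = 203.0.113.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 203.0.113.10 local Proxy Address 10.98.5.252, remote Proxy Address 10.98.14.1, Crypto map (outside_map)
Mar 23 16:27:46 [IKEv1]: IP = 203.0.113.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 23 16:27:54 [IKEv1]: IP = 203.0.113.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 23 16:28:02 [IKEv1]: IP = 203.0.113.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 23 16:28:10 [IKEv1]: IP = 203.0.113.10, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 23 16:28:18 [IKEv1 DEBUG]: IP = 203.0.113.10, IKE MM Initiator FSM error history (struct &0x412fe28) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
"""

DECODE_RE = re.compile(r"IP = (?P<peer>[\d.]+), IKE_DECODE (?P<dir>SENDING|RESENDING|RECEIVED) Message")
FSM_RE = re.compile(r"FSM error history.*?<event>:\s*(?P<hist>.*)$")

def triage_phase1(debug_text):
    """Count how often main-mode MSG1 went out, whether anything came back,
    and the furthest MM_WAIT_MSGn state the initiator FSM reached."""
    seen = Counter()
    peer = None
    waited_for = []
    for line in debug_text.splitlines():
        m = DECODE_RE.search(line)
        if m:
            peer = peer or m.group("peer")
            seen[m.group("dir")] += 1
            continue
        m = FSM_RE.search(line)
        if m:
            waited_for = [int(n) for n in re.findall(r"MM_WAIT_MSG(\d)", m.group("hist"))]
    furthest = max(waited_for, default=None)
    result = {
        "peer": peer,
        "msg1_sent": seen["SENDING"] + seen["RESENDING"],
        "replies_received": seen["RECEIVED"],
        "stalled_waiting_for": f"MM_WAIT_MSG{furthest}" if furthest else None,
    }
    if result["msg1_sent"] and not result["replies_received"]:
        # Nothing at all came back: reachability of UDP/500 (ACLs, NAT, a device
        # in the path) and the peer's idea of our address come before proposals.
        result["verdict"] = (f"no reply from peer: SA proposal sent {result['msg1_sent']} "
                             "times, nothing received; verify the path and peer address first")
    elif furthest == 2:
        result["verdict"] = "peer answered but MSG2 was never accepted; compare Phase 1 proposals"
    else:
        result["verdict"] = "Phase 1 got past the first exchange; look at later messages"
    return result
```

Run it over the output of `debug crypto isakmp 7` captured to a file; the thread's own excerpt yields four transmissions of MSG1 with no reply, which points at the path or peer configuration rather than at the starred DH group settings.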
  5. venkatb76

    venkatb76 Guest

    Great.. Strange ... never seen this issue before that required a
    factory reset of the ASA.
     
    venkatb76, Mar 27, 2009
    #5