I'm trying to connect our brand new 5505 to a customer's 3000 in lan-to-
lan configuration, and am having trouble. I've had two different
consultants look at it and they haven't been able to solve it either. What
we're seeing right now is that we see the IKE phase 1 negotiation start
from our end, but it never completes. I suspect an incompatibility in
the encryption or auth settings. They sent us an excerpt from their
3000 config, but I don't know how to translate the numbers to equivalent
5505 settings:
name=L2L: (our name)
inheritance=1
authprotocol=2
authalgorithm=2
authkeysize=128
encrprotocol=2
encralgorithm=4
encrkeysize=168
compression=2
lifetimemode=1
lifetimekbytes=10000
lifetimeseconds=86400
gatewayaddress=(our peer ip address, which is correct)
ikephase1mode=2
ikeauthmode=1
ikeauthalgorithm=2
ikeencralgorithm=2
ikelifetimemode=1
ikelifetimekbytes=10000
ikelifetimeseconds=86400
ikecerthandle=0
ikecertpathenab=2
* ikedhgroup=3
ipsecencapmode=2
* pfsdhgroup=1
replayprotection=2
ikeproposal=1
ikenattenable=2
l2ltype=1
l2lpeerlist=
[securityassociation 30]
rowstatus=1
Can somebody point me to a reference that will tell me what each of
those settings means, so I can compare them with our 5505's equivalents?
I'm particularly suspicious of the two dhgroup entries I've starred above,
because they told me they use Diffie-Hellman group 2, and don't use
perfect forward secrecy.
--
/~\ The ASCII
\ / Ribbon Campaign
X Against HTML
/ \ Email!
Remove the ns_ from if replying by e-mail (but keep posts in the
newsgroups if possible).
Posted by David, 3/23/2009 1:06:34 PM
Try the commands below in the ISAKMP policy and crypto map:
isakmp policy x group 1 -
you can have multiple P1 policies and during negotiation it will
choose the matching one.
and
crypto map tesr 1 set pfs group1 - Enable PFS
and re-check the PSK.
If you can send me the output of "debug Crypto ISAKMP 7", it will be
easy to troubleshoot.
Venkt
Posted by venkatb76, 3/23/2009 4:21:17 PM
In article <26166a3e-f44b-4af7-bc64-b007fdb1aeb8
@c36g2000yqn.googlegroups.com>, venkatesha.bhat@gmail.com says...
> try below command in Isakmp and Crypto map
>
> isakmp policy x group 1 -
>
> you can have multiple P1 policies and during negotioation it will
> choose matching on.
That doesn't seem to have helped, though I'm not 100% certain I
understood you correctly. Were you saying to add additional "crypto
isakmp policy xx" sections with different settings, such as:
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
If so, that's what I did.
> and
>
> crypto map tesr 1 set pfs group1 - Enable PFS
They insist they don't use PFS.
> and re-check the PSK
Verified this several times, including both typing it in, and
copy/pasting it.
>
>
> If you can send me the output of "debug Crypto ISAKMP 7 " will be
> easy to troubleshoot.
Here you go; I verified that the IP address of the peer was correct
before *'ing it out; I hope you can read more from it than I can!
Mar 23 16:27:46 [IKEv1 DEBUG]: Pitcher: received a key acquire message,
spi 0x0
Mar 23 16:27:46 [IKEv1]: IP = ***************, IKE Initiator: New Phase
1, Intf inside, IKE Peer *************** local Proxy Address
10.98.5.252, remote Proxy Address 10.98.14.1, Crypto map (outside_map)
Mar 23 16:27:46 [IKEv1 DEBUG]: IP = ***************, constructing ISAKMP
SA payload
Mar 23 16:27:46 [IKEv1 DEBUG]: IP = ***************, constructing
Fragmentation VID + extended capabilities payload
Mar 23 16:27:46 [IKEv1]: IP = ***************, IKE_DECODE SENDING
Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0)
total length : 108
Mar 23 16:27:51 [IKEv1 DEBUG]: Pitcher: received a key acquire message,
spi 0x0
Mar 23 16:27:51 [IKEv1]: IP = ***************, Queuing KEY-ACQUIRE
messages to be processed when P1 SA is complete.
Mar 23 16:27:54 [IKEv1]: IP = ***************, IKE_DECODE RESENDING
Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0)
total length : 108
Mar 23 16:27:57 [IKEv1 DEBUG]: Pitcher: received a key acquire message,
spi 0x0
Mar 23 16:27:57 [IKEv1]: IP = ***************, Queuing KEY-ACQUIRE
messages to be processed when P1 SA is complete.
Mar 23 16:28:02 [IKEv1 DEBUG]: Pitcher: received a key acquire message,
spi 0x0
Mar 23 16:28:02 [IKEv1]: IP = ***************, Queuing KEY-ACQUIRE
messages to be processed when P1 SA is complete.
Mar 23 16:28:02 [IKEv1]: IP = ***************, IKE_DECODE RESENDING
Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0)
total length : 108
Mar 23 16:28:10 [IKEv1]: IP = ***************, IKE_DECODE RESENDING
Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0)
total length : 108
Mar 23 16:28:18 [IKEv1 DEBUG]: IP = ***************, IKE MM Initiator
FSM error history (struct &0x412fe28) <state>, <event>: MM_DONE,
EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->
MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1,
EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Mar 23 16:28:18 [IKEv1 DEBUG]: IP = ***************, IKE SA MM:1663dcb5
terminating: flags 0x01000022, refcnt 0, tuncnt 0
Mar 23 16:28:18 [IKEv1 DEBUG]: IP = ***************, sending
delete/delete with reason message
Mar 23 16:28:18 [IKEv1]: IP = ***************, Removing peer from peer
table failed, no match!
Mar 23 16:28:18 [IKEv1]: IP = ***************, Error: Unable to remove
PeerTblEntry
Posted by David, 3/23/2009 8:44:58 PM
David Kerber wrote:
> In article <26166a3e-f44b-4af7-bc64-b007fdb1aeb8
> Mar 23 16:27:46 [IKEv1]: IP = ***************, IKE Initiator: New Phase
> 1, Intf inside, IKE Peer *************** local Proxy Address
> 10.98.5.252, remote Proxy Address 10.98.14.1, Crypto map (outside_map)
Remote address is a private address? Is the other end NAT'ing the VPN
connection to the 3000? Is this across a private link or over the internet?
Posted by Artie, 3/23/2009 9:54:29 PM
Artie Lange wrote:
> David Kerber wrote:
>> In article <26166a3e-f44b-4af7-bc64-b007fdb1aeb8
>
>> Mar 23 16:27:46 [IKEv1]: IP = ***************, IKE Initiator: New
>> Phase 1, Intf inside, IKE Peer *************** local Proxy Address
>> 10.98.5.252, remote Proxy Address 10.98.14.1, Crypto map (outside_map)
>
>
> Remote address is a private address? IS the other end NAT'ing the VPN
> connection to the 3000? Is this across a private link or over the internet?
Never mind, just looked at my logs and see I was wrong...
Posted by Artie, 3/23/2009 9:56:29 PM
On Mar 23, 6:06 pm, David Kerber <ns_dkerber@ns_wraenviro.com> wrote:
> ...
Hello,
The MM_WAIT_MSG2 message shows something is wrong:
1) Crypto ACL
2) VPN traffic is getting blocked by an ACL or some device
3) Incorrect P1 parameter
4) Incorrect NAT (if you have NAT configured somewhere)
Best may be you should ask for the VPN concentrator config screenshots
and match that config on the ASA.
Regards,
Venky
Posted by venkatb76, 3/26/2009 11:58:50 AM
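The stall that Venky's checklist above describes, as an added triage script (not from the thread, Cisco, or either poster): it reads ASA "debug crypto isakmp 7" lines like the ones David posted and reports, per peer, whether main mode stalled in MM_WAIT_MSG2 (MM1 sent and only ever resent, never answered). The log excerpt is constructed from the posted output with a documentation-range placeholder for the peer address, and the format of an "IKE_DECODE RECEIVED" line is an assumption.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the "debug crypto isakmp 7" output posted in
# the thread; 192.0.2.1 is a documentation-range placeholder, not the real peer.
SAMPLE_LOG = """\
Mar 23 16:27:46 [IKEv1]: IP = 192.0.2.1, IKE Initiator: New Phase 1, Intf inside, IKE Peer 192.0.2.1 local Proxy Address 10.98.5.252, remote Proxy Address 10.98.14.1, Crypto map (outside_map)
Mar 23 16:27:46 [IKEv1]: IP = 192.0.2.1, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 23 16:27:51 [IKEv1]: IP = 192.0.2.1, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Mar 23 16:27:54 [IKEv1]: IP = 192.0.2.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 23 16:28:02 [IKEv1]: IP = 192.0.2.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 23 16:28:10 [IKEv1]: IP = 192.0.2.1, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Mar 23 16:28:18 [IKEv1 DEBUG]: IP = 192.0.2.1, IKE MM Initiator FSM error history (struct &0x412fe28) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1
Mar 23 16:28:18 [IKEv1 DEBUG]: IP = 192.0.2.1, IKE SA MM:1663dcb5 terminating: flags 0x01000022, refcnt 0, tuncnt 0
"""

PEER_RE = re.compile(r"IP = ([^,]+),")   # peer address as the ASA prints it

def triage_phase1(log_text):
    """Per peer: did IKEv1 main mode get past MM_WAIT_MSG2?

    MM1 is the initiator's first message (msgid=0, SA + VENDOR). If it is only
    ever RESENT and the FSM history shows EV_TIMEOUT in MM_WAIT_MSG2, the peer
    never answered. "IKE_DECODE RECEIVED" is assumed to mirror the SENDING line.
    """
    stats = {}
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if not m:
            continue                      # e.g. "Pitcher: ..." lines carry no peer
        st = stats.setdefault(m.group(1), Counter())
        if "IKE_DECODE SENDING Message (msgid=0)" in line:
            st["mm1_sent"] += 1
        elif "IKE_DECODE RESENDING Message (msgid=0)" in line:
            st["mm1_resent"] += 1
        elif "IKE_DECODE RECEIVED Message (msgid=0)" in line:
            st["mm2_received"] += 1
        elif "FSM error history" in line and "EV_TIMEOUT-->MM_WAIT_MSG2" in line:
            st["timeout_in_wait_msg2"] += 1
    verdicts = {}
    for peer, st in stats.items():
        if st["mm2_received"]:
            status = "mm1_answered"         # look at later phase 1 messages instead
        elif st["mm1_sent"] and (st["mm1_resent"] or st["timeout_in_wait_msg2"]):
            status = "stalled_waiting_mm2"  # no reply to MM1: check path, ACLs, NAT, policy
        else:
            status = "inconclusive"
        verdicts[peer] = {"status": status, "mm1_resent": st["mm1_resent"]}
    return verdicts
```

A "stalled_waiting_mm2" verdict means the peer sent nothing back at all, so the four items in Venky's list (crypto ACL, traffic blocked, P1 parameters, NAT) are the things to compare before touching anything else on the ASA.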
In article <2997c6ec-d4ac-449b-a3b8-1e29e850f468
@l13g2000vba.googlegroups.com>, venkatesha.bhat@gmail.com says...
....
>
> >
> > Can somebody point me to a reference that will tell me what each of
> > those settings means, so I can compare them with our 5505's equivalents?
> > I'm particularly suspicious of the two dhgroup entries I've starred above,
> > because they told me they use Diffie-Hellman group 2, and don't use
> > perfect forward secrecy.
....
>
> Hello,
>
> MM_WAIT_MSG2 message shows something wrong
> 1) Crypto ACL
> 2) VPN traffic is getting blocked by ACL or some device
> 3) Incorrect P1 parameter
> 4) Incorrect NAT.. (if you have nat configured somewhere)
>
> Best may be you should ask the VPN concentrator config Screen Shots
> and match that config on the ASA.
I did that, and we matched.
What we ended up doing was resetting the ASA back to out-of-the-box
factory config and rerunning the setup wizards, and then the tunnel came
up using the same settings we had in it before. Apparently something in
the ASA had gotten into some weird state that didn't go away until we
did the factory reset.
Now I have another question, but I'll start a new thread for it.
Posted by David, 3/26/2009 2:37:32 PM
On Mar 26, 7:37 pm, David Kerber
<ns_dkerber@ns_WarrenRogersAssociates.com> wrote:
> ...
Great. Strange... never seen this issue before that required a
factory reset of the ASA.
Posted by venkatb76, 3/27/2009 11:19:35 AM
7 Replies, 266 Views