Hello folks,
I'm at the point of questioning my sanity while doing this task.
The design is very simple:
Host1 ------- ASA--------Router--------Host2
ASA and Router are IPsec VPN gateways, enrolled with the CA and holding their
certificates.
I'm trying to make the router check two attributes in the ASA certificate via a
certificate map.
My problem is that when I initiate traffic from Host1, the tunnel goes up but
there's no traffic. I see that main mode has completed:
ASA1(config)# sh crypto isa sa
1 IKE Peer: 192.168.6.3
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
But there are no IPsec SAs.
On the other hand, when I initiate traffic from Host2, the tunnel successfully
comes up, IPsec SAs are established, and Host2 can reach Host1.
I noticed that it takes a lot more time to see anything on the ASA while
debugging ISAKMP: "Pitcher: received a key acquire message" shows up a number of
times, and then I see that Quick Mode can't be constructed.
"debug crypto isakmp 200" run on the ASA:
=================================================================
Mar 21 21:08:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 21 21:08:08 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 21 21:08:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 21 21:08:12 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 21 21:08:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 21 21:08:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 21 21:08:18 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 21 21:08:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 21 21:08:22 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 21 21:08:37 [IKEv1]: Group = 192.168.6.3, IP = 192.168.6.3, QM FSM error
(P2 struct &0xccf3edb0, mess id 0xc2b8e870)!
Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE QM
Initiator FSM error history (struct &0xccf3edb0) <state>, <event>: QM_DONE,
EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1,
EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1,
EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, sending
delete/delete with reason message
Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3,
constructing blank hash payload
Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3,
constructing IPSec delete payload
Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3,
constructing qm hash payload
Mar 21 21:08:37 [IKEv1]: IP = 192.168.6.3, IKE_DECODE SENDING Message
(msgid=2f605835) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total
length : 64
Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE
Deleting SA: Remote Proxy 192.168.5.0, Local Proxy 192.168.4.0
Mar 21 21:08:37 [IKEv1]: Group = 192.168.6.3, IP = 192.168.6.3, Removing peer
from correlator table failed, no match!
Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE SA
MM:c3ed91f7 rcv'd Terminate: state MM_ACTIVE flags 0x0000c062, refcnt 1,
tuncnt 0
Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE SA
MM:c3ed91f7 terminating: flags 0x0100c022, refcnt 0, tuncnt 0
Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, sending
delete/delete with reason message
Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3,
constructing blank hash payload
Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3,
constructing IKE delete payload
Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3,
constructing qm hash payload
Mar 21 21:08:37 [IKEv1]: IP = 192.168.6.3, IKE_DECODE SENDING Message
(msgid=e67eb622) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total
length : 76
Mar 21 21:08:37 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x43b5a2b0
Mar 21 21:08:37 [IKEv1]: Group = 192.168.6.3, IP = 192.168.6.3, Session is
being torn down. Reason: Lost Service
Mar 21 21:08:37 [IKEv1]: Ignoring msg to mark SA with dsID 118784 dead because
SA deleted
Mar 21 21:08:37 [IKEv1]: IP = 192.168.6.3, Received encrypted packet with no
matching SA, dropping
====================================================================
Now my question is: if it has to do with IPsec proposals, then why does it work
from Host2? I understand that the authentication phase completes and the two
peers establish an ISAKMP tunnel in both cases.
This is what I see on the router when debugging ISAKMP while sending traffic
from Host1:
====================================================================
Mar 22 05:12:32.843: ISAKMP:(1028):Input = IKE_MESG_INTERNAL,
IKE_PHASE1_COMPLETE
Mar 22 05:12:32.843: ISAKMP:(1028):Old State = IKE_P1_COMPLETE New State =
IKE_P1_COMPLETE
Mar 22 05:12:32.851: ISAKMP (1028): received packet from 192.168.6.200 dport
500 sport 500 Global (R) QM_IDLE
Mar 22 05:12:32.851: ISAKMP: set new node -3974482 to QM_IDLE
Mar 22 05:12:32.851: ISAKMP:(1028): processing HASH payload. message ID =
-3974482
Mar 22 05:12:32.851: ISAKMP:(1028): processing SA payload. message ID = -3974482
Mar 22 05:12:32.851: ISAKMP:(1028):Checking IPSec proposal 1
Mar 22 05:12:32.851: ISAKMP: transform 1, ESP_3DES
Mar 22 05:12:32.851: ISAKMP: attributes in transform:
Mar 22 05:12:32.851: ISAKMP: SA life type in seconds
Mar 22 05:12:32.851: ISAKMP: SA life duration (basic) of 28800
Mar 22 05:12:32.851: ISAKMP: SA life type in kilobytes
Mar 22 05:12:32.851: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Mar 22 05:12:32.855: ISAKMP: encaps is 1 (Tunnel)
Mar 22 05:12:32.855: ISAKMP: authenticator is HMAC-MD5
Mar 22 05:12:32.855: ISAKMP:(1028):atts are acceptable.
Mar 22 05:12:32.855: ISAKMP:(1028): IPSec policy invalidated proposal with
error 32
Mar 22 05:12:32.855: ISAKMP:(1028): phase 2 SA policy not acceptable! (local
192.168.6.3 remote 192.168.6.200)
Mar 22 05:12:32.855: ISAKMP: set new node 363315004 to QM_IDLE
Mar 22 05:12:32.855: ISAKMP:(1028):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 1173572576, message ID = 363315004
Mar 22 05:12:32.855: ISAKMP:(1028): sending packet to 192.168.6.200 my_port 500
peer_port 500 (R) QM_IDLE
Mar 22 05:12:32.855: ISAKMP:(1028):Sending an IKE IPv4 Packet.
Mar 22 05:12:32.855: ISAKMP:(1028):purging node 363315004
Mar 22 05:12:32.855: ISAKMP:(1028):deleting node -3974482 error TRUE reason "QM
rejected"
=======================================================================
If it has to do with the crypto ACLs, they are mirrored as they should be:
Router: access-list 111 permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
ASA: access-list 111 extended permit ip 192.168.4.0 255.255.255.0 192.168.5.0
255.255.255.0
ASA:
ASA1(config)# sh run crypto map
crypto map MAP1 10 match address 111
crypto map MAP1 10 set peer 192.168.6.3
crypto map MAP1 10 set transform-set ESP-3DES-MD5
crypto map MAP1 10 set trustpoint CA1
crypto map MAP1 interface outside

Router:
crypto map MAP1 10 ipsec-isakmp
 set peer 192.168.6.200
 set transform-set ESP-3DES-MD5
 set isakmp-profile ISAKMP-PROFILE
 match address 111
crypto map MAP1
Help please!!!
Eugene
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
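The crypto ACLs quoted in the post are the proxy identities that IKEv1 Quick Mode negotiates, so the first thing to verify in a Phase 2 failure like this is that the two sides really are mirror images once the IOS wildcard masks and the ASA subnet masks are normalized. The following Python script is an added example, not code from the post or from Cisco: it parses the router's and the ASA's ACL lines as quoted above, converts both to (protocol, source network, destination network), and reports every entry whose mirror is missing on the other side. The second, deliberately mismatched ASA ACL (`ASA_ACL_BROKEN`) is constructed for contrast and does not come from the post.

```python
"""Check that two Cisco crypto ACLs (IOS wildcard-mask style and ASA
subnet-mask style) are mirror images of each other.

Added example; the ACL lines in ROUTER_ACL and ASA_ACL are copied from the
post, ASA_ACL_BROKEN is constructed to show what a mismatch looks like.
"""
import ipaddress
from typing import List, NamedTuple, Tuple


class CryptoAce(NamedTuple):
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def mirror(self) -> "CryptoAce":
        # The peer must select the same traffic with source and destination swapped.
        return CryptoAce(self.proto, self.dst, self.src)


def _parse_endpoint(tokens: List[str], wildcard_masks: bool) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address specification ('any', 'host A', or 'A MASK')."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if wildcard_masks:
        # IOS ACLs carry inverse masks: 0.0.0.255 is a /24. Invert to a netmask.
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    # strict=False tolerates host bits set in the address part of the entry.
    return ipaddress.IPv4Network((addr, mask), strict=False), tokens[2:]


def parse_crypto_acl(text: str, platform: str) -> List[CryptoAce]:
    """Parse 'access-list ...' lines; platform is 'ios' (wildcards) or 'asa' (netmasks)."""
    wildcard = platform == "ios"
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "access-list":
            continue
        tokens = tokens[2:]                     # drop "access-list <name>"
        if tokens[0] == "extended":             # ASA keyword, no IOS equivalent
            tokens = tokens[1:]
        if tokens[0] != "permit":
            continue                            # deny entries never select IPsec traffic
        proto = tokens[1]
        src, rest = _parse_endpoint(tokens[2:], wildcard)
        dst, _ = _parse_endpoint(rest, wildcard)
        aces.append(CryptoAce(proto, src, dst))
    return aces


def missing_mirrors(local: List[CryptoAce], remote: List[CryptoAce]) -> List[CryptoAce]:
    """Entries of `local` whose exact mirror is absent from `remote`.

    Quick Mode proposes the proxy identities taken from the initiator's ACL
    entry; if the responder has no entry matching them, it rejects the proposal
    even though the Phase 1 ISAKMP SA is already established.
    """
    remote_set = set(remote)
    return [ace for ace in local if ace.mirror() not in remote_set]


def check_pair(router_text: str, asa_text: str) -> dict:
    router = parse_crypto_acl(router_text, "ios")
    asa = parse_crypto_acl(asa_text, "asa")
    return {
        "asa_entries_without_mirror": missing_mirrors(asa, router),
        "router_entries_without_mirror": missing_mirrors(router, asa),
    }


# ACL lines as quoted in the post.
ROUTER_ACL = "access-list 111 permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255"
ASA_ACL = ("access-list 111 extended permit ip 192.168.4.0 255.255.255.0 "
           "192.168.5.0 255.255.255.0")
# Constructed for contrast: destination mask widened to /16, so it is no longer a mirror.
ASA_ACL_BROKEN = ("access-list 111 extended permit ip 192.168.4.0 255.255.255.0 "
                  "192.168.5.0 255.255.0.0")

if __name__ == "__main__":
    for label, asa_text in (("as posted", ASA_ACL), ("constructed mismatch", ASA_ACL_BROKEN)):
        result = check_pair(ROUTER_ACL, asa_text)
        print(f"{label}:")
        for side, entries in result.items():
            print(f"  {side}: {[f'{a.proto} {a.src} -> {a.dst}' for a in entries] or 'none'}")
```

Run it once against the ACLs quoted in the post (no unmatched entries) and once against the constructed `ASA_ACL_BROKEN` to see how a single mask difference shows up on both sides. A clean result from this check rules the crypto ACLs out; it does not examine the other selection that a router crypto map with `set isakmp-profile` performs, which has to be checked separately on the router.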