According to your first debug on the ASA, it is failing at MSG2, not getting a reply 
from the router.

Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE QM 
Initiator FSM error history (struct &0xccf3edb0)  <state>, <event>:  QM_DONE, 
EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, 
EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, 
EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent

But this has a very different time stamp than the second debug. Is time 
synchronized? You are using certificates, so that is very important. If it is, 
then let's see the debugs of both at the same time.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

From: [email protected] 
[mailto:[email protected]] On Behalf Of Eugene Pefti
Sent: Tuesday, March 22, 2011 1:37 PM
To: Bruno
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] IPSec site-to-site VPN tunnel with RSA certificates, help please !

These ones are the latest.

From: Bruno [mailto:[email protected]] 
Sent: 22 March 2011 12:34
To: Eugene Pefti
Subject: Re: [OSL | CCIE_Security] IPSec site-to-site VPN tunnel with RSA certificates, help please !

I don't think you need it.
What have you got under the isakmp profile? Can you post the full configs from both the ASA 
and the router? The router's debug messages are clearer than the ASA's.

On Tue, Mar 22, 2011 at 2:32 PM, Eugene Pefti <[email protected]> wrote:

This is what I’ve got for tunnel-group on ASA:

tunnel-group 192.168.6.3 type ipsec-l2l
tunnel-group 192.168.6.3 ipsec-attributes
 peer-id-validate cert
 trust-point CA1

At some point I was thinking of adding the “chain” command to make the ASA send the 
certificate chain. I found a reference to it in one of the ASA books.

Yusuf’s lab doesn’t have it though.

From: Bruno [mailto:[email protected]] 
Sent: Tuesday, March 22, 2011 6:28 AM
To: Eugene Pefti
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] IPSec site-to-site VPN tunnel with RSA certificates, help please !

What did you configure under tunnel-group?

On Tue, Mar 22, 2011 at 2:19 AM, Eugene Pefti <[email protected]> wrote:

Hello folks,

I’m at the point of questioning my sanity while doing this task.

The design is very simple:

Host1 ------- ASA--------Router--------Host2

ASA and Router are IPSec VPN gateways, enrolled with the CA and have their 
certificates.

I’m trying to make the router check two attributes in the ASA certificate using a 
certificate map.

My problem is that when I initiate the traffic from Host1, the tunnel goes up 
but there’s no traffic. I see that main mode has been completed:

ASA1(config)# sh crypto isa sa

1   IKE Peer: 192.168.6.3
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

But there are no ipsec sa.

On the other hand, when I initiate traffic from Host2 the tunnel successfully 
comes up, ipsec sa are established and Host2 can reach Host1.

I noticed that it takes a lot more time to see anything on the ASA while 
debugging isakmp: “pitcher: received a key acquire message” shows a number of 
times and then I see that Quick Mode can’t be constructed.

“debug crypto isakmp 200” run on ASA

=================================================================

Mar 21 21:08:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Mar 21 21:08:08 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Mar 21 21:08:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Mar 21 21:08:12 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Mar 21 21:08:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Mar 21 21:08:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Mar 21 21:08:18 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Mar 21 21:08:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Mar 21 21:08:22 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0

Mar 21 21:08:37 [IKEv1]: Group = 192.168.6.3, IP = 192.168.6.3, QM FSM error 
(P2 struct &0xccf3edb0, mess id 0xc2b8e870)!

Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE QM 
Initiator FSM error history (struct &0xccf3edb0)  <state>, <event>:  QM_DONE, 
EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, 
EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, 
EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent

Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, sending 
delete/delete with reason message

Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, 
constructing blank hash payload

Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, 
constructing IPSec delete payload

Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, 
constructing qm hash payload

Mar 21 21:08:37 [IKEv1]: IP = 192.168.6.3, IKE_DECODE SENDING Message 
(msgid=2f605835) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total 
length : 64

Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE 
Deleting SA: Remote Proxy 192.168.5.0, Local Proxy 192.168.4.0

Mar 21 21:08:37 [IKEv1]: Group = 192.168.6.3, IP = 192.168.6.3, Removing peer 
from correlator table failed, no match!

Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE SA 
MM:c3ed91f7 rcv'd Terminate: state MM_ACTIVE  flags 0x0000c062, refcnt 1, 
tuncnt 0

Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE SA 
MM:c3ed91f7 terminating:  flags 0x0100c022, refcnt 0, tuncnt 0

Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, sending 
delete/delete with reason message

Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, 
constructing blank hash payload

Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, 
constructing IKE delete payload

Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, 
constructing qm hash payload

Mar 21 21:08:37 [IKEv1]: IP = 192.168.6.3, IKE_DECODE SENDING Message 
(msgid=e67eb622) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total 
length : 76

Mar 21 21:08:37 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x43b5a2b0

Mar 21 21:08:37 [IKEv1]: Group = 192.168.6.3, IP = 192.168.6.3, Session is 
being torn down. Reason: Lost Service

Mar 21 21:08:37 [IKEv1]: Ignoring msg to mark SA with dsID 118784 dead because 
SA deleted

Mar 21 21:08:37 [IKEv1]: IP = 192.168.6.3, Received encrypted packet with no 
matching SA, dropping

====================================================================

Now my question is: if it has to do with ipsec proposals, then why does it work from 
Host2? I would understand that the authentication phase completes and the two peers 
establish the isakmp tunnel in both cases.

This is what I see on the router when debugging isakmp while sending traffic 
from Host1:

====================================================================

Mar 22 05:12:32.843: ISAKMP:(1028):Input = IKE_MESG_INTERNAL, 
IKE_PHASE1_COMPLETE

Mar 22 05:12:32.843: ISAKMP:(1028):Old State = IKE_P1_COMPLETE  New State = 
IKE_P1_COMPLETE 

 

Mar 22 05:12:32.851: ISAKMP (1028): received packet from 192.168.6.200 dport 
500 sport 500 Global (R) QM_IDLE      

Mar 22 05:12:32.851: ISAKMP: set new node -3974482 to QM_IDLE      

Mar 22 05:12:32.851: ISAKMP:(1028): processing HASH payload. message ID = 
-3974482

Mar 22 05:12:32.851: ISAKMP:(1028): processing SA payload. message ID = -3974482

Mar 22 05:12:32.851: ISAKMP:(1028):Checking IPSec proposal 1

Mar 22 05:12:32.851: ISAKMP: transform 1, ESP_3DES

Mar 22 05:12:32.851: ISAKMP:   attributes in transform:

Mar 22 05:12:32.851: ISAKMP:      SA life type in seconds

Mar 22 05:12:32.851: ISAKMP:      SA life duration (basic) of 28800

Mar 22 05:12:32.851: ISAKMP:      SA life type in kilobytes

Mar 22 05:12:32.851: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0 

Mar 22 05:12:32.855: ISAKMP:      encaps is 1 (Tunnel)

Mar 22 05:12:32.855: ISAKMP:      authenticator is HMAC-MD5

Mar 22 05:12:32.855: ISAKMP:(1028):atts are acceptable.

Mar 22 05:12:32.855: ISAKMP:(1028): IPSec policy invalidated proposal with 
error 32

Mar 22 05:12:32.855: ISAKMP:(1028): phase 2 SA policy not acceptable! (local 
192.168.6.3 remote 192.168.6.200)

Mar 22 05:12:32.855: ISAKMP: set new node 363315004 to QM_IDLE      

Mar 22 05:12:32.855: ISAKMP:(1028):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3

        spi 1173572576, message ID = 363315004

Mar 22 05:12:32.855: ISAKMP:(1028): sending packet to 192.168.6.200 my_port 500 
peer_port 500 (R) QM_IDLE      

Mar 22 05:12:32.855: ISAKMP:(1028):Sending an IKE IPv4 Packet.

Mar 22 05:12:32.855: ISAKMP:(1028):purging node 363315004

Mar 22 05:12:32.855: ISAKMP:(1028):deleting node -3974482 error TRUE reason "QM 
rejected"

=======================================================================

If it has to do with the crypto ACLs, then they are mirrored as they should be:

Router: access-list 111 permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
ASA: access-list 111 extended permit ip 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0

ASA1(config)# sh run crypto map
crypto map MAP1 10 match address 111
crypto map MAP1 10 set peer 192.168.6.3
crypto map MAP1 10 set transform-set ESP-3DES-MD5
crypto map MAP1 10 set trustpoint CA1
crypto map MAP1 interface outside

Router:
crypto map MAP1 10 ipsec-isakmp
 set peer 192.168.6.200
 set transform-set ESP-3DES-MD5
 set isakmp-profile ISAKMP-PROFILE
 match address 111
crypto map MAP1

Help please !!!

 

Eugene

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

-- 
Bruno Fagioli (by Jaunty Jackalope)
Cisco Security Professional
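Added example, not part of the thread and not anyone's posted code: a small Python triage script that runs over constructed excerpts of the ASA and IOS debugs quoted above, picks out the Quick Mode failure markers on each side (the ASA timing out in QM_WAIT_MSG2, the router accepting the transform attributes and then rejecting the proposal with PROPOSAL_NOT_CHOSEN), and reports the clock offset between the two captures, which is the check Tyson asks for since certificate validity depends on synchronized time. The function names, the year 2011 taken from the mail headers, and the 300-second skew tolerance are my assumptions.

```python
import re
from datetime import datetime
# Constructed excerpts, taken from the ASA and IOS debugs quoted in the thread.
ASA_DEBUG = """\
Mar 21 21:08:22 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Mar 21 21:08:37 [IKEv1]: Group = 192.168.6.3, IP = 192.168.6.3, QM FSM error (P2 struct &0xccf3edb0, mess id 0xc2b8e870)!
Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE QM Initiator FSM error history (struct &0xccf3edb0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1
"""
IOS_DEBUG = """\
Mar 22 05:12:32.855: ISAKMP:(1028):atts are acceptable.
Mar 22 05:12:32.855: ISAKMP:(1028): IPSec policy invalidated proposal with error 32
Mar 22 05:12:32.855: ISAKMP:(1028): phase 2 SA policy not acceptable! (local 192.168.6.3 remote 192.168.6.200)
Mar 22 05:12:32.855: ISAKMP:(1028):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)")  # both platforms start lines with "Mon DD HH:MM:SS"
# Marker strings exactly as they appear in the debugs above.
ASA_TIMEOUT, ASA_QM_ERR = "EV_TIMEOUT-->QM_WAIT_MSG2", "QM FSM error"
IOS_ATTRS_OK, IOS_REJECT = "atts are acceptable", "IPSec policy invalidated proposal"
IOS_NOTIFY = "Sending NOTIFY PROPOSAL_NOT_CHOSEN"
SKEW_LIMIT = 300  # seconds; assumed tolerance before the two clocks are flagged as out of sync

def parse_ts(line, year=2011):
    """Debug lines carry no year; 2011 is assumed from the mail headers."""
    m = TS_RE.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S") if m else None

def find_events(text, markers):
    """(timestamp, marker) for every line containing one of the markers, in log order."""
    return [(parse_ts(line), mk) for line in text.splitlines() for mk in markers if mk in line]

def clock_skew_seconds(asa_text, ios_text):
    first = lambda text: next(t for t in map(parse_ts, text.splitlines()) if t)
    return int(abs((first(asa_text) - first(ios_text)).total_seconds()))  # only meaningful for simultaneous captures

def diagnose(asa_text, ios_text):
    asa = {mk for _, mk in find_events(asa_text, (ASA_TIMEOUT, ASA_QM_ERR))}
    ios = {mk for _, mk in find_events(ios_text, (IOS_ATTRS_OK, IOS_REJECT, IOS_NOTIFY))}
    report = {"asa_qm_timeout": ASA_TIMEOUT in asa, "ios_attrs_ok": IOS_ATTRS_OK in ios,
              "ios_policy_reject": IOS_REJECT in ios and IOS_NOTIFY in ios,
              "skew_seconds": clock_skew_seconds(asa_text, ios_text),
              "verdict": "no Quick Mode failure markers found"}
    if report["ios_policy_reject"] and report["ios_attrs_ok"]:  # attributes matched, so the mismatch is elsewhere
        report["verdict"] = ("responder rejected Phase 2 on policy, not on the transform set: "
                             "compare the crypto ACLs / proxy identities and the isakmp profile")
    elif report["asa_qm_timeout"]:
        report["verdict"] = "initiator got no usable QM reply: capture the responder debug at the same time"
    if report["skew_seconds"] > SKEW_LIMIT:
        report["verdict"] += "; clocks differ, confirm NTP before trusting certificate validity checks"
    return report
```

Run `diagnose(ASA_DEBUG, IOS_DEBUG)` on the constructed excerpts and the skew comes out at just over eight hours, which matches Tyson's observation that the two captures cannot be compared as if they were simultaneous.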