Can you remove the ISAKMP profile attached to the crypto map and give it a try?
With regards
Kings

On Wed, Mar 23, 2011 at 7:54 AM, Eugene Pefti <[email protected]> wrote:
> I tried it with pre-shared keys before switching to certificates and it
> worked ;)
>
> That's my point. I don't understand what could be wrong with certificates.
> After going through all authentication routines and confirming that the
> transform set is acceptable, router R3 bails out with an IPSec policy
> invalidation error.
>
> Mar 22 17:58:56: ISAKMP:(1041):Checking IPSec proposal 1
> Mar 22 17:58:56: ISAKMP: transform 1, ESP_3DES
> Mar 22 17:58:56: ISAKMP: attributes in transform:
> Mar 22 17:58:56: ISAKMP: SA life type in seconds
> Mar 22 17:58:56: ISAKMP: SA life duration (basic) of 28800
> Mar 22 17:58:56: ISAKMP: SA life type in kilobytes
> Mar 22 17:58:56: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
> Mar 22 17:58:56: ISAKMP: encaps is 1 (Tunnel)
> Mar 22 17:58:56: ISAKMP: authenticator is HMAC-MD5
> Mar 22 17:58:56: ISAKMP:(1041):atts are acceptable.
> Mar 22 17:58:56: ISAKMP:(1041): IPSec policy invalidated proposal with error 32
> Mar 22 17:58:56: ISAKMP:(1041): phase 2 SA policy not acceptable! (local 192.168.6.3 remote 192.168.6.200)
>
> And why does it work vice-versa? When I send traffic from behind the router
> everything is just OK.
>
> From: Bruno [mailto:[email protected]]
> Sent: 22 March 2011 19:15
> To: Eugene Pefti
> Cc: Tyson Scott; [email protected]
> Subject: Re: [OSL | CCIE_Security] IPSec site-to-site VPN tunnel with RSA certificates, help please !
>
> I ain't got time to see the files yet but did you try to convert this to
> pre-shared key on both devices without changing any other parameters to see
> what happens?
>
> If it works, your certificates and trustpoints are not working.
> Otherwise, you know that nothing with certifications is bad.
>
> On Tue, Mar 22, 2011 at 10:07 PM, Eugene Pefti <[email protected]> wrote:
> The time stamps in the debug were different because "service timestamps
> debug" was not set to local time (at least on the router).
>
> I attached two outputs of "debug crypto isakmp" run on both devices
> simultaneously.
>
> I don't understand why router R3 reports that it can't accept the SA policy:
> "phase 2 SA policy not acceptable".
>
> They are configured identically in terms of isakmp and ipsec policies.
>
> And yes, the ASA stops at sending message 2 of Quick Mode.
>
> Eugene
>
> From: Tyson Scott [mailto:[email protected]]
> Sent: 22 March 2011 17:07
> To: Eugene Pefti; 'Bruno'
> Cc: [email protected]
> Subject: RE: [OSL | CCIE_Security] IPSec site-to-site VPN tunnel with RSA certificates, help please !
>
> According to your first debug on the ASA it is failing MSG2, not getting a
> reply from the router:
>
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE QM Initiator FSM error history (struct &0xccf3edb0) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
>
> But this has a very different time stamp than the second debug. Is time
> synchronized? You are using certificates, so that is very important. If it
> is, then let's see the debug of both at the same time.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Eugene Pefti
> Sent: Tuesday, March 22, 2011 1:37 PM
> To: Bruno
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] IPSec site-to-site VPN tunnel with RSA certificates, help please !
>
> These ones are the latest.
>
> From: Bruno [mailto:[email protected]]
> Sent: 22 March 2011 12:34
> To: Eugene Pefti
> Subject: Re: [OSL | CCIE_Security] IPSec site-to-site VPN tunnel with RSA certificates, help please !
>
> I don't think you need it.
> What have you got under the isakmp profile? Can you post both full configs from
> the ASA and the router? The router's debug messages are clearer than the ASA's.
>
> On Tue, Mar 22, 2011 at 2:32 PM, Eugene Pefti <[email protected]> wrote:
> This is what I've got for the tunnel-group on the ASA:
>
> tunnel-group 192.168.6.3 type ipsec-l2l
> tunnel-group 192.168.6.3 ipsec-attributes
>  peer-id-validate cert
>  trust-point CA1
>
> At some point I was thinking of adding the "chain" command to make the ASA send
> the certificate chain. Found a reference to it in one of the ASA books.
> Yusuf's lab doesn't have it though.
>
> From: Bruno [mailto:[email protected]]
> Sent: Tuesday, March 22, 2011 6:28 AM
> To: Eugene Pefti
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] IPSec site-to-site VPN tunnel with RSA certificates, help please !
>
> What did you configure under tunnel-group?
> On Tue, Mar 22, 2011 at 2:19 AM, Eugene Pefti <[email protected]> wrote:
> Hello folks,
>
> I'm at the point of questioning my sanity while doing this task.
> The design is very simple:
>
> Host1 ------- ASA--------Router--------Host2
>
> The ASA and the Router are IPSec VPN gateways, enrolled with the CA and got their
> certificates.
> I'm trying to make the router check two attributes in the ASA certificate by
> the certificate map.
>
> My problem is that when I initiate the traffic from Host1 the tunnel goes
> up but there's no traffic. I see that main mode has been completed:
>
> ASA1(config)# sh crypto isa sa
>
> 1   IKE Peer: 192.168.6.3
>     Type    : L2L             Role    : initiator
>     Rekey   : no              State   : MM_ACTIVE
>
> But there are no ipsec sa.
>
> On the other hand, when I initiate traffic from Host2 the tunnel
> successfully comes up, ipsec sa are established and Host2 can reach Host1.
>
> I noticed that it takes a lot more time to see anything on the ASA while
> debugging isakmp: "pitcher: received a key acquire message" shows a number
> of times and then I see that Quick Mode can't be constructed.
> "debug crypto isakmp 200" run on ASA
> =================================================================
> Mar 21 21:08:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Mar 21 21:08:08 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Mar 21 21:08:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Mar 21 21:08:12 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Mar 21 21:08:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Mar 21 21:08:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Mar 21 21:08:18 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Mar 21 21:08:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Mar 21 21:08:22 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
> Mar 21 21:08:37 [IKEv1]: Group = 192.168.6.3, IP = 192.168.6.3, QM FSM error (P2 struct &0xccf3edb0, mess id 0xc2b8e870)!
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE QM Initiator FSM error history (struct &0xccf3edb0) <state>, <event>: QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1, EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, sending delete/delete with reason message
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, constructing blank hash payload
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, constructing IPSec delete payload
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, constructing qm hash payload
> Mar 21 21:08:37 [IKEv1]: IP = 192.168.6.3, IKE_DECODE SENDING Message (msgid=2f605835) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 64
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE Deleting SA: Remote Proxy 192.168.5.0, Local Proxy 192.168.4.0
> Mar 21 21:08:37 [IKEv1]: Group = 192.168.6.3, IP = 192.168.6.3, Removing peer from correlator table failed, no match!
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE SA MM:c3ed91f7 rcv'd Terminate: state MM_ACTIVE flags 0x0000c062, refcnt 1, tuncnt 0
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE SA MM:c3ed91f7 terminating: flags 0x0100c022, refcnt 0, tuncnt 0
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, sending delete/delete with reason message
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, constructing blank hash payload
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, constructing IKE delete payload
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, constructing qm hash payload
> Mar 21 21:08:37 [IKEv1]: IP = 192.168.6.3, IKE_DECODE SENDING Message (msgid=e67eb622) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
> Mar 21 21:08:37 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0x43b5a2b0
> Mar 21 21:08:37 [IKEv1]: Group = 192.168.6.3, IP = 192.168.6.3, Session is being torn down. Reason: Lost Service
> Mar 21 21:08:37 [IKEv1]: Ignoring msg to mark SA with dsID 118784 dead because SA deleted
> Mar 21 21:08:37 [IKEv1]: IP = 192.168.6.3, Received encrypted packet with no matching SA, dropping
> ====================================================================
>
> Now my question is, if it has to do with ipsec proposals, then why does it work
> from Host2? I would understand that the authentication phase completes and the two
> peers establish the isakmp tunnel in both cases.
> This is what I see on the router when debugging isakmp while sending
> traffic from Host1:
>
> ====================================================================
> Mar 22 05:12:32.843: ISAKMP:(1028):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
> Mar 22 05:12:32.843: ISAKMP:(1028):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
>
> Mar 22 05:12:32.851: ISAKMP (1028): received packet from 192.168.6.200 dport 500 sport 500 Global (R) QM_IDLE
> Mar 22 05:12:32.851: ISAKMP: set new node -3974482 to QM_IDLE
> Mar 22 05:12:32.851: ISAKMP:(1028): processing HASH payload. message ID = -3974482
> Mar 22 05:12:32.851: ISAKMP:(1028): processing SA payload. message ID = -3974482
> Mar 22 05:12:32.851: ISAKMP:(1028):Checking IPSec proposal 1
> Mar 22 05:12:32.851: ISAKMP: transform 1, ESP_3DES
> Mar 22 05:12:32.851: ISAKMP: attributes in transform:
> Mar 22 05:12:32.851: ISAKMP: SA life type in seconds
> Mar 22 05:12:32.851: ISAKMP: SA life duration (basic) of 28800
> Mar 22 05:12:32.851: ISAKMP: SA life type in kilobytes
> Mar 22 05:12:32.851: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
> Mar 22 05:12:32.855: ISAKMP: encaps is 1 (Tunnel)
> Mar 22 05:12:32.855: ISAKMP: authenticator is HMAC-MD5
> Mar 22 05:12:32.855: ISAKMP:(1028):atts are acceptable.
> Mar 22 05:12:32.855: ISAKMP:(1028): IPSec policy invalidated proposal with error 32
> Mar 22 05:12:32.855: ISAKMP:(1028): phase 2 SA policy not acceptable! (local 192.168.6.3 remote 192.168.6.200)
> Mar 22 05:12:32.855: ISAKMP: set new node 363315004 to QM_IDLE
> Mar 22 05:12:32.855: ISAKMP:(1028):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
>         spi 1173572576, message ID = 363315004
> Mar 22 05:12:32.855: ISAKMP:(1028): sending packet to 192.168.6.200 my_port 500 peer_port 500 (R) QM_IDLE
> Mar 22 05:12:32.855: ISAKMP:(1028):Sending an IKE IPv4 Packet.
> Mar 22 05:12:32.855: ISAKMP:(1028):purging node 363315004
> Mar 22 05:12:32.855: ISAKMP:(1028):deleting node -3974482 error TRUE reason "QM rejected"
> =======================================================================
>
> If it has to do with the crypto ACLs, then they are mirrored as they should be:
>
> Router: access-list 111 permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
> ASA:    access-list 111 extended permit ip 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0
>
> ASA1(config)# sh run crypto map
> crypto map MAP1 10 match address 111
> crypto map MAP1 10 set peer 192.168.6.3
> crypto map MAP1 10 set transform-set ESP-3DES-MD5
> crypto map MAP1 10 set trustpoint CA1
> crypto map MAP1 interface outside
>
> crypto map MAP1 10 ipsec-isakmp
>  set peer 192.168.6.200
>  set transform-set ESP-3DES-MD5
>  set isakmp-profile ISAKMP-PROFILE
>  match address 111
> crypto map MAP1
>
> Help please !!!
>
> Eugene
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
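Two checks a practitioner would script while working the problem quoted above, as an added example that is not part of the mailing-list exchange: whether the router's wildcard-mask crypto ACL is the exact mirror of the ASA's subnet-mask ACL, and where the router's "debug crypto isakmp" output shows the Quick Mode proposal being refused. The ACL parser assumes single "permit ip" entries with explicit masks (no "host"/"any" keywords); the inputs are constructed from the configs and debug lines in the thread.

```python
"""Added example (not from the thread): (1) check that the router's wildcard-mask
crypto ACL is the exact mirror of the ASA's subnet-mask ACL, and (2) pull the
Quick Mode rejections out of the router's 'debug crypto isakmp' output."""
import ipaddress
import re

# Constructed inputs, copied from the configs and debug lines quoted in the thread.
ROUTER_ACL = "access-list 111 permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255"
ASA_ACL = ("access-list 111 extended permit ip 192.168.4.0 255.255.255.0 "
           "192.168.5.0 255.255.255.0")
ROUTER_DEBUG = [
    "Mar 22 17:58:56: ISAKMP:(1041):atts are acceptable.",
    "Mar 22 17:58:56: ISAKMP:(1041): IPSec policy invalidated proposal with error 32",
    "Mar 22 17:58:56: ISAKMP:(1041): phase 2 SA policy not acceptable! "
    "(local 192.168.6.3 remote 192.168.6.200)",
]

# Only single 'permit ip <src> <mask> <dst> <mask>' entries with explicit masks.
_ACL_RE = re.compile(r"access-list\s+\S+\s+(?:extended\s+)?permit\s+ip\s+"
                     r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
_P2_RE = re.compile(r"phase 2 SA policy not acceptable! \(local (\S+) remote (\S+)\)")

def _network(addr, mask, wildcard):
    """Build an IPv4Network; IOS crypto ACLs carry inverted (wildcard) masks."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_acl(line, wildcard):
    """Return (source_network, destination_network) for one 'permit ip' entry."""
    m = _ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACL entry: {line!r}")
    src, smask, dst, dmask = m.groups()
    return _network(src, smask, wildcard), _network(dst, dmask, wildcard)

def mirror_check(router_line, asa_line):
    """(ok, reason): ok only when the ASA's src/dst equal the router's dst/src."""
    r_src, r_dst = parse_acl(router_line, wildcard=True)
    a_src, a_dst = parse_acl(asa_line, wildcard=False)
    if (a_src, a_dst) == (r_dst, r_src):
        return True, "mirrored"
    if (a_src, a_dst) == (r_src, r_dst):
        return False, "same direction on both peers, not mirrored"
    return False, f"proxy mismatch: router {r_src}->{r_dst}, ASA {a_src}->{a_dst}"

def quick_mode_rejections(debug_lines):
    """(local, remote) peer pair for every Quick Mode proposal the router refused."""
    return [m.groups() for m in map(_P2_RE.search, debug_lines) if m]
```

For the thread's own entries `mirror_check(ROUTER_ACL, ASA_ACL)` reports the ACLs as mirrored, which confirms the poster's point that the proxy identities are not what the router is rejecting.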
