i'm not sure i understand what could be wrong yet but i like tyson's idea of
focusing on the time...  you can do 'debug crypto ca 250' or similar and
maybe you'll catch some cert activity around the time of that phase 1 QM
failure.

it may end up that one side can do revocation checking or something like
that and not vice versa.  perhaps you can try it without the 'revocation
crl' from under the trustpoints on R3?  maybe you can try to verify the time
and then reenroll the ASA?

andrew

On Tue, Mar 22, 2011 at 7:24 PM, Eugene Pefti <[email protected]> wrote:

>  I tried it with pre-shared keys before switching to certificates and it
> worked ;)
>
> That’s my point. I don’t understand what could be wrong with certificates.
> After going through all authentication routines and confirming that the
> transform set is acceptable router R3 bails out with IPSec policy
> invalidation error.
>
>
>
> Mar 22 17:58:56: ISAKMP:(1041):Checking IPSec proposal 1
> Mar 22 17:58:56: ISAKMP: transform 1, ESP_3DES
> Mar 22 17:58:56: ISAKMP:   attributes in transform:
> Mar 22 17:58:56: ISAKMP:      SA life type in seconds
> Mar 22 17:58:56: ISAKMP:      SA life duration (basic) of 28800
> Mar 22 17:58:56: ISAKMP:      SA life type in kilobytes
> Mar 22 17:58:56: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
> Mar 22 17:58:56: ISAKMP:      encaps is 1 (Tunnel)
> Mar 22 17:58:56: ISAKMP:      authenticator is HMAC-MD5
> Mar 22 17:58:56: ISAKMP:(1041):atts are acceptable.
> Mar 22 17:58:56: ISAKMP:(1041): IPSec policy invalidated proposal with error 32
> Mar 22 17:58:56: ISAKMP:(1041): phase 2 SA policy not acceptable! (local 192.168.6.3 remote 192.168.6.200)
>
>
>
> And why does it work vice-versa? When I send traffic from behind the router
> everything is just OK.
>
>
>
> *From:* Bruno [mailto:[email protected]]
> *Sent:* 22 March 2011 19:15
> *To:* Eugene Pefti
> *Cc:* Tyson Scott; [email protected]
>
> *Subject:* Re: [OSL | CCIE_Security] IPSec site-to-site VPN tunnel with
> RSA certificates, help please !
>
>
>
> I ain't got time to see the files yet but did you try to convert this to
> pre-shared key on both devices without changing any other parameters to see
> what happens?
>
> If it works, your certificates and trustpoints are not working. Otherwise,
> you know that nothing with certificates is bad.
>
> On Tue, Mar 22, 2011 at 10:07 PM, Eugene Pefti <[email protected]>
> wrote:
>
> The time stamps in the debug were different because “service timestamps
> debug” was not set to local time (at least on the router).
>
> I attached two outputs of “debug crypto isakmp” run on both devices
> simultaneously.
>
> I don’t understand why R3 router reports that it can’t accept SA policy –
> “phase 2 SA policy not acceptable”.
>
> They are configured identically in terms of isakmp and ipsec policies.
>
> And yes, ASA stops at sending message 2 of Quick Mode.
>
>
>
> Eugene
>
>
> *From:* Tyson Scott [mailto:[email protected]]
> *Sent:* 22 March 2011 17:07
> *To:* Eugene Pefti; 'Bruno'
>
>
> *Cc:* [email protected]
>
> *Subject:* RE: [OSL | CCIE_Security] IPSec site-to-site VPN tunnel with
> RSA certificates, help please !
>
>
>
> According to your first debug on the ASA it is failing MSG2, not getting a
> reply from the router.
>
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE
> QM Initiator FSM error history (struct &0xccf3edb0)  <state>, <event>:
> QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2,
> NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1,
> EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2, 
> EV_TIMEOUT-->QM_WAIT_MSG2,
> NullEvent
>
> But this has a very different time stamp than the second debug. Is time
> synchronized? You are using certificates so that is very important. If it
> is then let's see the debug of both at the same time.
>
>
>
> Regards,
>
>
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
> Mailto: [email protected]
> Telephone: +1.810.326.1444, ext. 208
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
>
>
> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
> training locations throughout the United States, Europe, South Asia and
> Australia. Be sure to visit our online communities at
> www.ipexpert.com/communities and our public website at www.ipexpert.com
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Eugene Pefti
> *Sent:* Tuesday, March 22, 2011 1:37 PM
> *To:* Bruno
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] IPSec site-to-site VPN tunnel with
> RSA certificates, help please !
>
>
>
> These ones are the latest
>
>
>
> *From:* Bruno [mailto:[email protected]]
> *Sent:* 22 March 2011 12:34
> *To:* Eugene Pefti
> *Subject:* Re: [OSL | CCIE_Security] IPSec site-to-site VPN tunnel with
> RSA certificates, help please !
>
>
>
> I don't think you need it.
> What have you got under isakmp profile? Can you post both full configs from
> ASA and router? The router's debug messages are clearer than the ASA's.
>
> On Tue, Mar 22, 2011 at 2:32 PM, Eugene Pefti <[email protected]>
> wrote:
>
> This is what I’ve got for tunnel-group on ASA:
>
> tunnel-group 192.168.6.3 type ipsec-l2l
> tunnel-group 192.168.6.3 ipsec-attributes
>  peer-id-validate cert
>  trust-point CA1
>
>
>
> At some point I was thinking to add the “chain” command to make the ASA send the
> certificate chain. Found a reference to it in one of the ASA books.
>
> Yusuf’s lab doesn’t have it though.
>
>
>
> *From:* Bruno [mailto:[email protected]]
> *Sent:* Tuesday, March 22, 2011 6:28 AM
> *To:* Eugene Pefti
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] IPSec site-to-site VPN tunnel with
> RSA certificates, help please !
>
>
>
> what did you configure under tunnel-group?
>
> On Tue, Mar 22, 2011 at 2:19 AM, Eugene Pefti <[email protected]>
> wrote:
>
> Hello folks,
>
> I’m at the point of questioning my sanity while doing this task.
>
> The design is very simple:
>
>
>
> Host1 ------- ASA--------Router--------Host2
>
>
>
> ASA and Router are IPSec VPN gateways, enrolled with CA and got their
> certificates.
>
> Trying to make the router check two attributes in the ASA certificate by
> the certificate map.
>
>
>
> My problem is that when I initiate the traffic from Host1 the tunnel goes
> up but there’s no traffic. I see that main mode has been completed:
>
>
>
> ASA1(config)# sh crypto isa sa
>
> 1   IKE Peer: 192.168.6.3
>     Type    : L2L             Role    : initiator
>     Rekey   : no              State   : MM_ACTIVE
>
>
>
> But there are no ipsec sa.
>
>
>
> On the other hand, when I initiate traffic from Host2 the tunnel
> successfully comes up, ipsec sa are established and Host2 can reach Host1.
>
>
>
> I noticed that it takes a lot more time to see anything on the ASA while
> debugging isakmp, “pitcher: received a key acquire message” shows a number
> of times and then I see that Quick Mode can’t be constructed.
>
>
>
> “debug crypto isakmp 200” run on ASA
>
> =================================================================
>
> Mar 21 21:08:06 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi
> 0x0
>
> Mar 21 21:08:08 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi
> 0x0
>
> Mar 21 21:08:10 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi
> 0x0
>
> Mar 21 21:08:12 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi
> 0x0
>
> Mar 21 21:08:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi
> 0x0
>
> Mar 21 21:08:16 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi
> 0x0
>
> Mar 21 21:08:18 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi
> 0x0
>
> Mar 21 21:08:20 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi
> 0x0
>
> Mar 21 21:08:22 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi
> 0x0
>
> Mar 21 21:08:37 [IKEv1]: Group = 192.168.6.3, IP = 192.168.6.3, QM FSM
> error (P2 struct &0xccf3edb0, mess id 0xc2b8e870)!
>
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE
> QM Initiator FSM error history (struct &0xccf3edb0)  <state>, <event>:
> QM_DONE, EV_ERROR-->QM_WAIT_MSG2, EV_TIMEOUT-->QM_WAIT_MSG2,
> NullEvent-->QM_SND_MSG1, EV_SND_MSG-->QM_SND_MSG1,
> EV_START_TMR-->QM_SND_MSG1, EV_RESEND_MSG-->QM_WAIT_MSG2,
> EV_TIMEOUT-->QM_WAIT_MSG2, NullEvent
>
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3,
> sending delete/delete with reason message
>
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3,
> constructing blank hash payload
>
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3,
> constructing IPSec delete payload
>
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3,
> constructing qm hash payload
>
> Mar 21 21:08:37 [IKEv1]: IP = 192.168.6.3, IKE_DECODE SENDING Message
> (msgid=2f605835) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0)
> total length : 64
>
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE
> Deleting SA: Remote Proxy 192.168.5.0, Local Proxy 192.168.4.0
>
> Mar 21 21:08:37 [IKEv1]: Group = 192.168.6.3, IP = 192.168.6.3, Removing
> peer from correlator table failed, no match!
>
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE
> SA MM:c3ed91f7 rcv'd Terminate: state MM_ACTIVE  flags 0x0000c062, refcnt 1,
> tuncnt 0
>
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3, IKE
> SA MM:c3ed91f7 terminating:  flags 0x0100c022, refcnt 0, tuncnt 0
>
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3,
> sending delete/delete with reason message
>
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3,
> constructing blank hash payload
>
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3,
> constructing IKE delete payload
>
> Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = 192.168.6.3,
> constructing qm hash payload
>
> Mar 21 21:08:37 [IKEv1]: IP = 192.168.6.3, IKE_DECODE SENDING Message
> (msgid=e67eb622) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0)
> total length : 76
>
> Mar 21 21:08:37 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi
> 0x43b5a2b0
>
> Mar 21 21:08:37 [IKEv1]: Group = 192.168.6.3, IP = 192.168.6.3, Session is
> being torn down. Reason: Lost Service
>
> Mar 21 21:08:37 [IKEv1]: Ignoring msg to mark SA with dsID 118784 dead
> because SA deleted
>
> Mar 21 21:08:37 [IKEv1]: IP = 192.168.6.3, Received encrypted packet with
> no matching SA, dropping
>
> ====================================================================
>
>
>
> Now my question is: if it has to do with ipsec proposals then why does it work
> from Host2? I would understand that the authentication phase completes and two
> peers establish an isakmp tunnel in both cases.
>
>
>
> This is what I see on the router when debugging isakmp while sending
> traffic from Host1
>
>
>
> ====================================================================
>
>
>
> Mar 22 05:12:32.843: ISAKMP:(1028):Input = IKE_MESG_INTERNAL,
> IKE_PHASE1_COMPLETE
>
> Mar 22 05:12:32.843: ISAKMP:(1028):Old State = IKE_P1_COMPLETE  New State =
> IKE_P1_COMPLETE
>
>
>
> Mar 22 05:12:32.851: ISAKMP (1028): received packet from 192.168.6.200
> dport 500 sport 500 Global (R) QM_IDLE
>
> Mar 22 05:12:32.851: ISAKMP: set new node -3974482 to QM_IDLE
>
> Mar 22 05:12:32.851: ISAKMP:(1028): processing HASH payload. message ID =
> -3974482
>
> Mar 22 05:12:32.851: ISAKMP:(1028): processing SA payload. message ID =
> -3974482
>
> Mar 22 05:12:32.851: ISAKMP:(1028):Checking IPSec proposal 1
>
> Mar 22 05:12:32.851: ISAKMP: transform 1, ESP_3DES
>
> Mar 22 05:12:32.851: ISAKMP:   attributes in transform:
>
> Mar 22 05:12:32.851: ISAKMP:      SA life type in seconds
>
> Mar 22 05:12:32.851: ISAKMP:      SA life duration (basic) of 28800
>
> Mar 22 05:12:32.851: ISAKMP:      SA life type in kilobytes
>
> Mar 22 05:12:32.851: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50
> 0x0
>
> Mar 22 05:12:32.855: ISAKMP:      encaps is 1 (Tunnel)
>
> Mar 22 05:12:32.855: ISAKMP:      authenticator is HMAC-MD5
>
> Mar 22 05:12:32.855: ISAKMP:(1028):atts are acceptable.
>
> Mar 22 05:12:32.855: ISAKMP:(1028): IPSec policy invalidated proposal with
> error 32
>
> Mar 22 05:12:32.855: ISAKMP:(1028): phase 2 SA policy not acceptable!
> (local 192.168.6.3 remote 192.168.6.200)
>
> Mar 22 05:12:32.855: ISAKMP: set new node 363315004 to QM_IDLE
>
> Mar 22 05:12:32.855: ISAKMP:(1028):Sending NOTIFY PROPOSAL_NOT_CHOSEN
> protocol 3
>
>         spi 1173572576, message ID = 363315004
>
> Mar 22 05:12:32.855: ISAKMP:(1028): sending packet to 192.168.6.200 my_port
> 500 peer_port 500 (R) QM_IDLE
>
> Mar 22 05:12:32.855: ISAKMP:(1028):Sending an IKE IPv4 Packet.
>
> Mar 22 05:12:32.855: ISAKMP:(1028):purging node 363315004
>
> Mar 22 05:12:32.855: ISAKMP:(1028):deleting node -3974482 error TRUE reason
> "QM rejected"
>
> =======================================================================
>
>
>
> If it has to do with crypto ACL then they are mirrored as they should be:
>
>
>
> Router: access-list 111 permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
> ASA:    access-list 111 extended permit ip 192.168.4.0 255.255.255.0 192.168.5.0 255.255.255.0
>
>
>
> ASA1(config)# sh run crypto map
> crypto map MAP1 10 match address 111
> crypto map MAP1 10 set peer 192.168.6.3
> crypto map MAP1 10 set transform-set ESP-3DES-MD5
> crypto map MAP1 10 set trustpoint CA1
> crypto map MAP1 interface outside
>
> crypto map MAP1 10 ipsec-isakmp
>  set peer 192.168.6.200
>  set transform-set ESP-3DES-MD5
>  set isakmp-profile ISAKMP-PROFILE
>  match address 111
> crypto map MAP1
>
>
>
> Help please !!!
>
>
>
> Eugene
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
>
>
> --
> Bruno Fagioli (by Jaunty Jackalope)
> Cisco Security Professional
>
>
>
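Eugene's thread above rests on the claim that the R3 and ASA crypto ACLs are mirror images, and the ASA debug names the proxy IDs it actually negotiated (`Remote Proxy 192.168.5.0, Local Proxy 192.168.4.0`). The check below is an added example, not code from the thread: it normalises the IOS wildcard-mask ACE and the ASA netmask ACE to CIDR networks, confirms each side's source is the other's destination, and confirms the logged proxy IDs fall inside the router's ACE. The regexes and function names are mine; only the subnet/wildcard ACE form quoted in the thread is handled.

```python
"""Added example (not from the thread): do the crypto ACLs mirror, and do the ASA's logged proxy IDs fit the router ACE?"""
import ipaddress
import re

# ACEs exactly as quoted in the thread (IOS wildcard mask vs. ASA netmask).
ROUTER_ACE = "access-list 111 permit ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255"
ASA_ACE = ("access-list 111 extended permit ip 192.168.4.0 255.255.255.0 "
           "192.168.5.0 255.255.255.0")
# ASA debug line quoted in the thread, carrying the negotiated proxy identities.
ASA_DELETE_LINE = ("Mar 21 21:08:37 [IKEv1 DEBUG]: Group = 192.168.6.3, IP = "
                   "192.168.6.3, IKE Deleting SA: Remote Proxy 192.168.5.0, Local Proxy 192.168.4.0")

_IOS_ACE = re.compile(r"access-list \S+ permit ip (\S+) (\S+) (\S+) (\S+)")
_ASA_ACE = re.compile(r"access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)")
_PROXY = re.compile(r"Remote Proxy (\S+), Local Proxy (\S+)")

def _wildcard_net(addr, wildcard):
    """IOS wildcard mask -> network: the wildcard is the inverted netmask."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)

def parse_ios_ace(line):
    """(source, destination) networks of an IOS subnet ACE; only that form is handled."""
    m = _IOS_ACE.search(line)
    if not m:
        raise ValueError(f"not an IOS subnet ACE: {line!r}")
    return _wildcard_net(m[1], m[2]), _wildcard_net(m[3], m[4])

def parse_asa_ace(line):
    """(source, destination) networks of an ASA subnet ACE."""
    m = _ASA_ACE.search(line)
    if not m:
        raise ValueError(f"not an ASA subnet ACE: {line!r}")
    return (ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False),
            ipaddress.IPv4Network(f"{m[3]}/{m[4]}", strict=False))

def acls_mirror(router_ace, asa_ace):
    """True when each side's source network is the other side's destination."""
    r_src, r_dst = parse_ios_ace(router_ace)
    a_src, a_dst = parse_asa_ace(asa_ace)
    return r_src == a_dst and r_dst == a_src

def proxies_fit_ace(asa_debug_line, router_ace):
    """True when the ASA's Remote Proxy lies in the router's source net and its Local Proxy in the router's destination net."""
    m = _PROXY.search(asa_debug_line)
    if not m:
        return False
    r_src, r_dst = parse_ios_ace(router_ace)
    return (ipaddress.IPv4Address(m[1]) in r_src
            and ipaddress.IPv4Address(m[2]) in r_dst)
```

A mismatch in mask length (wildcard 0.0.255.255 on one side against 255.255.255.0 on the other) is the kind of error this catches that reading the two lines by eye tends to miss.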
