Task 4.1 - L2L VPN tunnel

I am having an odd problem where the tunnel comes up fine if sourced from R1 int e0/0 (162.1.19.1), but the tunnel won't establish if interesting traffic is sourced from the Test PC on vlan 3. Looking at the isakmp debugs on R1 when the ASA is trying to initiate the isakmp sa, the isakmp policies sent to R1 don't match what is configured. Below are the configs.

Here's the isakmp in the ASA config
Rack1ASA1(config)# sh run isak
crypto isakmp enable outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Here's an excerpt of the debug output:
Sep 4 04:35:42.293: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
Sep 4 04:35:42.293: ISAKMP:
Rack1R1# default group 2
Sep 4 04:35:42.293: ISAKMP: encryption 3DES-CBC
Sep 4 04:35:42.293: ISAKMP: hash SHA
Sep 4 04:35:42.293: ISAKMP: auth pre-share
Sep 4 04:35:42.293: ISAKMP: life type in seconds
Sep 4 04:35:42.293: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Sep 4 04:35:42.293: ISAKMP (0:1): Hash algorithm offered does not match policy!
Sep 4 04:35:42.293: ISAKMP (0:1): atts are not acceptable. Next payload is 0
Sep 4 04:35:42.293: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 65535 policy
Sep 4 04:35:42.293: ISAKMP: default group 2
Sep 4 04:35:42.293: ISAKMP: encryption 3DES-CBC
Sep 4 04:35:42.293: ISAKMP: hash SHA
Sep 4 04:35:42.293: ISAKMP: auth pre-share
Sep 4 04:35:42.293: ISAKMP: life type in seconds
Sep 4 04:35:42.293: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Sep 4 04:35:42.297: ISAKMP (0:1): Encryption algorithm offered does not match policy!
Sep 4 04:35:42.297: ISAKMP (0:1): atts are not acceptable. Next payload is 0
Sep 4 04:35:42.297: ISAKMP (0:1): no offers accepted!
Sep 4 04:35:42.297: ISAKMP (0:1): phase 1 SA policy not acceptable! (local 162.1.13.1 remote 162.1.123.12)

R1
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rack1R1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable password cisco
!
clock timezone PT -7
clock summer-time PT recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip domain name test.lab
!
ip audit po max-events 100
!
crypto ca trustpoint lab02
enrollment mode ra
enrollment url http://10.0.0.100:80/certsrv/mscep/mscep.dll
crl optional
!
crypto ca certificate chain lab02
certificate 19348825000000000009
certificate ca 1E86A444DDF0D89D4E8F3D923574D5A2
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
ip ftp username guest
ip ftp password guest
!
!
crypto isakmp policy 10
encr 3des
hash md5
group 2
!
!
crypto ipsec transform-set T1 esp-3des esp-md5-hmac
!
crypto map Map1 10 ipsec-isakmp
set peer 162.1.123.12
set transform-set T1
match address 139
!
!
!
!
interface Loopback0
ip address 150.1.1.1 255.255.255.0
!
interface Loopback99
ip address 99.99.99.1 255.255.255.0
!
interface FastEthernet0/0
ip address 162.1.19.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
no ip address
encapsulation frame-relay
clock rate 64000
no fair-queue
no frame-relay inverse-arp
!
interface Serial0/0.13 point-to-point
ip address 162.1.13.1 255.255.255.0
frame-relay interface-dlci 406
crypto map Map1
!
interface Serial0/1
no ip address
shutdown
!
interface Serial0/2
no ip address
shutdown
!
router ospf 1
router-id 150.1.1.1
log-adjacency-changes
area 13 virtual-link 150.1.3.3 authentication message-digest
area 13 virtual-link 150.1.3.3 message-digest-key 1 md5 cisco
network 150.1.1.1 0.0.0.0 area 13
network 162.1.13.1 0.0.0.0 area 13
network 162.1.19.1 0.0.0.0 area 19
!
router bgp 100
no synchronization
bgp router-id 150.1.1.1
bgp log-neighbor-changes
neighbor 150.1.4.4 remote-as 100
neighbor 150.1.4.4 update-source Loopback0
neighbor 150.1.4.4 route-reflector-client
neighbor 150.1.6.6 remote-as 100
neighbor 150.1.6.6 update-source Loopback0
neighbor 150.1.6.6 password CISCO
no auto-summary
!
ip http server
no ip http secure-server
ip classless
ip route 10.35.35.0 255.255.255.0 162.1.13.3
!
!
access-list 139 permit ip 162.1.19.0 0.0.0.255 10.35.35.0 0.0.0.255
!
!
!
!
!
!
!
!
alias exec bu show ip interface brief | include up
alias exec a show access-list
alias exec b show ip interface brief
alias exec be sho ip int brie | exclude una
alias exec p show ip protocols
alias exec r show ip route
alias exec s sho int status
alias exec c conf t
alias exec sr show run
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
password cisco
login
transport output none
!
ntp authentication-key 1 md5 0802657D2A36 7
ntp authenticate
ntp trusted-key 1
ntp clock-period 17208473
ntp source Loopback0
ntp server 192.10.1.254
!
end

ASA1
ASA Version 7.2(2)
!
hostname Rack1ASA1
domain-name test.lab
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan123
nameif outside
security-level 0
ip address 162.1.123.12 255.255.255.0
ospf message-digest-key 1 md5 <removed>
ospf authentication message-digest
!
interface Vlan128
nameif inside
security-level 100
ip address 162.1.128.12 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 123
!
interface Ethernet0/1
switchport access vlan 128
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
clock timezone PT -7
clock summer-time PT recurring
dns server-group DefaultDNS
domain-name test.lab
same-security-traffic permit intra-interface
access-list Out extended permit icmp any any
access-list Out extended permit tcp any host 10.0.0.100 eq www
access-list Out extended permit ip 10.35.35.0 255.255.255.0 162.1.19.0 255.255.255.0
access-list To19 extended permit ip 10.35.35.0 255.255.255.0 162.1.19.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group Out in interface outside
route outside 10.35.35.0 255.255.255.0 162.1.123.3 1
!
router ospf 1
network 162.1.123.0 255.255.255.0 area 0
router-id 162.1.123.12
log-adj-changes
redistribute rip subnets
!
router rip
network 162.1.0.0
passive-interface outside
redistribute ospf 1 metric 3
default-information originate
version 2
no auto-summary
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set T1 esp-3des esp-md5-hmac
crypto map Map1 10 match address To19
crypto map Map1 10 set peer 162.1.13.1
crypto map Map1 10 set transform-set T1
crypto map Map1 interface outside
crypto ca trustpoint lab02
revocation-check crl none
enrollment url http://10.0.0.100:80/certsrv/mscep/mscep.dll
crl configure
crypto ca certificate chain lab02
certificate 18a26a33000000000007
! removed
quit
certificate ca 1e86a444ddf0d89d4e8f3d923574d5a2
!removed
crypto isakmp enable outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group 162.1.13.1 type ipsec-l2l
tunnel-group 162.1.13.1 ipsec-attributes
trust-point lab02
telnet timeout 5
ssh timeout 5
console timeout 0

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
ntp authentication-key 1 md5 *
ntp authenticate
ntp trusted-key 1
ntp server 192.10.1.254
prompt hostname context

any ideas???
Thanks,
Howie Feinsilber
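
As an added illustration (not part of the post or of either device's own code), the following Python check parses the attribute lines from the debug excerpt above into the single transform the ASA offered, decodes the life duration bytes, and runs that offer against R1's policies in priority order: policy 10 as configured (no authentication line, so the IOS default rsa-sig applies) plus priority 65535, which is assumed here to be the IOS built-in default of des/sha/rsa-sig/group 1. The order in which attributes are compared is an assumption chosen to reproduce the two rejection messages in the debug; the function names and the constructed excerpt are mine.

```python
import re

# Constructed from the debug excerpt in the post: the one transform the ASA offered.
DEBUG_EXCERPT = """\
Sep 4 04:35:42.293: ISAKMP: default group 2
Sep 4 04:35:42.293: ISAKMP: encryption 3DES-CBC
Sep 4 04:35:42.293: ISAKMP: hash SHA
Sep 4 04:35:42.293: ISAKMP: auth pre-share
Sep 4 04:35:42.293: ISAKMP: life type in seconds
Sep 4 04:35:42.293: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
"""
# R1's policies: 10 as configured (no 'authentication' line, so the IOS default rsa-sig
# applies); 65535 is the IOS built-in default policy (assumed: des/sha/rsa-sig/group 1).
R1_POLICIES = [
    (10, {"encryption": "3des", "hash": "md5", "auth": "rsa-sig", "group": 2, "lifetime": 86400}),
    (65535, {"encryption": "des", "hash": "sha", "auth": "rsa-sig", "group": 1, "lifetime": 86400}),
]
ATTR_RE = re.compile(r"ISAKMP:\s+(default group|encryption|hash|auth|life duration \(VPI\) of)\s+(.+)$", re.M)
# Attributes that must match exactly, in the order the checks are assumed to run
# (lifetime is not a hard match: the shorter of the two values is used).
CHECKS = [("encryption", "Encryption algorithm"), ("hash", "Hash algorithm"),
          ("auth", "Authentication method"), ("group", "Diffie-Hellman group")]

def parse_transform(debug_text):
    # Collect the per-attribute debug lines into one normalised transform dict.
    offer = {}
    for m in ATTR_RE.finditer(debug_text):
        key, val = m.group(1), m.group(2).strip()
        if key == "default group":
            offer["group"] = int(val)
        elif key == "encryption":
            offer["encryption"] = val.lower().replace("-cbc", "")  # 3DES-CBC -> 3des
        elif key == "life duration (VPI) of":
            # variable-length big-endian bytes: 0x0 0x1 0x51 0x80 -> 0x00015180 = 86400 s
            offer["lifetime"] = int.from_bytes(bytes(int(b, 16) for b in val.split()), "big")
        else:
            offer[key] = val.lower()  # hash, auth
    return offer

def find_matching_policy(offer, policies):
    # Try policies in priority order like the IOS responder; return (accepted, reasons).
    reasons = {}
    for prio, policy in policies:
        bad = [label for key, label in CHECKS if offer[key] != policy[key]]
        if not bad:
            return prio, reasons
        reasons[prio] = f"{bad[0]} offered does not match policy!"
    return None, reasons  # every policy rejected: "no offers accepted!"
```

Run against the excerpt it reports the hash mismatch for policy 10 and the encryption mismatch for 65535, exactly as the debug does; add a policy with 3des/sha/pre-share/group 2 to the list and the same offer is accepted.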

Comments

  • Howie - check my post on 4.1 (I should have just piggybacked off your post), and I think that was your problem. I had the same issue until I updated the outside ACL on the ASA to allow whatever traffic type I wanted to be passed over the tunnel since we are not doing a sysopt to bypass the VPN traffic (so it needs to be explicitly allowed on the applied interface ACL - outside).

    Regards,
    Nick
  • Hi Nick, I got this working on the first shot.
    On the ASA, sysopt connection permit-vpn is enabled by default.

    So I guess you wouldn't need that ACL in there, and first of all the packets after decrypting are not going inside the ASA. They're going to R3, right?

    So the packets decrypted on the outside are going out again toward R3 out of the same interface.

    All you need is same-security-traffic permit intra-interface and it will work smoothly.

    It worked for me that way.

    Regards,

    Sebastan