From: Taiwo Efunogbon (taiwo.efunogbon@gmail.com)
Date: Mon May 07 2007 - 10:11:01 ART
Here are the configs:
====
:
ASA Version 7.2(2)
!
hostname CamASA
domain-name default.domain.invalid
names
name 172.16.X.X cambridge
name 192.168.X.X smart26
!
interface Vlan1
shutdown
no nameif
security-level 100
no ip address
!
interface Vlan2
shutdown
no nameif
security-level 0
no ip address
!
interface Vlan10
description Internet-connection
nameif outside
security-level 0
ip address 62.231.X.X 255.255.255.248
!
interface Vlan20
description Cambridge-LAN
nameif inside
security-level 100
ip address 172.16.X.X 255.255.255.0
interface Ethernet0/0
switchport access vlan 10
!
interface Ethernet0/1
switchport access vlan 20
!
interface Ethernet0/2
switchport access vlan 20
!
interface Ethernet0/3
switchport access vlan 30
!
interface Ethernet0/4
switchport access vlan 40
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner motd # If you are not Authorised to be in LCC.COM network, then you must disconnect immediately
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list icmp-allow extended permit icmp any interface outside
access-list tcp-allow extended permit tcp any any
access-list tcp-allow extended permit ip any any
access-list tcp-allow-telnet extended permit tcp any interface outside eq telnet
access-list outside_20_cryptomap extended permit ip cambridge 255.255.255.0 object-group lcc-networks
access-list inside_nat0_outbound extended permit ip cambridge 255.255.255.0 object-group lcc-networks
access-list inside_nat0_outbound extended permit ip cambridge 255.255.255.0 smart26 255.255.255.0
access-list inside_nat0_outbound extended permit ip interface outside host 62.173.x.x
access-list outside_120_cryptomap extended permit ip cambridge 255.255.255.0 smart26 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu guest 1500
mtu dmz 1500
no failover
monitor-interface outside
monitor-interface inside
monitor-interface guest
monitor-interface dmz
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (dmz,outside) 62.231.x.x 192.168.x.x netmask 255.255.255.255
access-group tcp-allow in interface outside
route outside 0.0.0.0 0.0.0.0 62.231.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 40 match address outside_120_cryptomap
crypto map outside_map 40 set pfs
crypto map outside_map 40 set peer 195.54.x.x
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400
tunnel-group 195.54.x.x type ipsec-l2l
tunnel-group 195.54.x.x ipsec-attributes
pre-shared-key *
telnet timeout 5
console timeout 0
=====
PIX Version 6.3(1)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
name 192.168.x.x VPNDialin
name 192.168.y.x smart26
access-list 101 permit ip smart26 255.255.255.0 VPNDialin 255.255.255.0
access-list 101 permit ip smart26 255.255.255.0 172.16.x.x 255.255.255.0
access-list 126 permit icmp any host 195.54.x.x
access-list 126 permit tcp any host 195.54.x.x
access-list 126 permit ip any host 195.54.x.x
access-list to_cambridge permit ip smart26 255.255.255.0 172.16.x.x 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 195.54.x.x 255.255.255.248
ip address inside 192.168.x.x 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPNSmart26 192.168.x.x-192.168.x.x
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 195.54.x.x 192.168.x.x netmask 255.255.255.255 0 0
access-group 126 in interface outside
route outside 0.0.0.0 0.0.0.0 195.54.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server AAAuser protocol radius
aaa-server AAAuser (inside) host 192.168.x.x smart26 timeout 5
http server enable
http 192.168.x.x 255.255.255.255 inside
http smart26 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
crypto ipsec transform-set AESset esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto dynamic-map dynmap 50 set transform-set AESset
crypto dynamic-map dynAAA 51 set transform-set AESset
crypto map mapName 10 ipsec-isakmp dynamic dynmap
crypto map mapName 20 ipsec-isakmp
crypto map mapName 20 match address to_cambridge
crypto map mapName 20 set pfs
crypto map mapName 20 set peer 62.231.x.x
crypto map mapName 20 set transform-set 3des
crypto map mapName client configuration address initiate
crypto map mapName interface outside
isakmp enable outside
isakmp key ******** address 62.231.x.x netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 7 authentication pre-share
isakmp policy 7 encryption aes-256
isakmp policy 7 hash md5
isakmp policy 7 group 2
isakmp policy 7 lifetime 86400
vpngroup vpnsmart26 address-pool VPNSmart26
vpngroup vpnsmart26 dns-server x.x.x.x
vpngroup vpnsmart26 wins-server x.x.x.x
vpngroup vpnsmart26 default-domain smart26.com
vpngroup vpnsmart26 split-tunnel 101
vpngroup vpnsmart26 idle-time 1800
telnet VPNDialin 255.255.255.0 outside
telnet smart26 255.255.255.0 inside
telnet VPNDialin 255.255.255.0 inside
telnet timeout 6
ssh timeout 5
console timeout 0
vpdn enable outside
On 07/05/07, Plank, Jason <Jason_Plank@condenast.com> wrote:
>
> Phase 2 mismatch. Post configs from both devices.
>
>
> Jason Plank, CCIE# 16560
> Senior Network Engineer
> Conde Nast Publications
> 1201 North Market St.
> Wilmington, DE 19808
> Email: Jason_Plank@CondeNast.com
> Office: 302-830-4910
> Cell: 302-290-0387
>
>
>
> -----Original Message-----
> From: Taiwo Efunogbon [mailto:taiwo.efunogbon@gmail.com]
> Sent: Monday, May 07, 2007 08:37 AM Eastern Standard Time
> To: ccielab@groupstudy.com
> Subject: LAN-to-LAN VPN using the ASDM on ASA5505 and a PIX515
>
> Hello GS,
>
> I am configuring a LAN-to-LAN VPN using the ASDM on ASA5505 and a PIX515.
>
> I do have a completed Phase 1. But the Phase 2 keeps coming up with the
> following error on the ASA:
>
> All IPSec SA proposals found unacceptable!
> QM FSM error (P2 struct &0x3bd89b0, mess id 0x46e2e95d)!
>
> I have checked the transform-sets and that seems OK; SA lifetimes are OK as well.
>
> I'll appreciate an idea on how to fix this.
>
> --
> Rgds
> Taiwo Efunogbon
>
> Output from ASA:
>
> 4 May 07 2007 03:33:47 113019 Group = 195.54.x.x, Username = 195.54.x.x, IP = 195.54.x.x, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
> 3 May 07 2007 03:33:47 713902 Group = 195.54.x.x, IP = 195.54.x.x, Removing peer from correlator table failed, no match!
> 3 May 07 2007 03:33:47 713902 Group = 195.54.x.x, IP = 195.54.x.x, QM FSM error (P2 struct &0x3c48e70, mess id 0x9580a93e)!
> 5 May 07 2007 03:33:47 713904 Group = 195.54.x.x, IP = 195.54.x.x, All IPSec SA proposals found unacceptable!
> 3 May 07 2007 03:33:47 713119 Group = 195.54.x.x, IP = 195.54.x.x, PHASE 1 COMPLETED
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
--
Taiwo Efunogbon
Network Specialist
CCNA, CCNP, CCIP, CCIE (w)
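The message the thread is chasing, "All IPSec SA proposals found unacceptable!", is logged by the Quick Mode responder when no static crypto map entry for that peer agrees with the initiator's proposal on all three of: an ESP transform set, the PFS group, and the proxy identities (the crypto ACL, which has to be the exact mirror of the other side's). The usual way to find the odd one out is to lay both peers' entries side by side, which the script below automates. It is an added example, not code from the original post or from either device; the two config excerpts embedded in it are constructed for the example (documentation addresses 203.0.113.2 and 198.51.100.2 for the two outside interfaces, invented private subnets behind them, syntax patterned on the ASA 7.2 and PIX 6.3 lines in the thread), and the two faults in the constructed PIX side (a different PFS group, a /25 where the ASA has a /24) are planted so the check has something to report. The masked x.x addresses in the thread are not reproduced.

```python
"""Side-by-side Phase 2 (IPsec SA) check for a Cisco ASA 7.x / PIX 6.3 LAN-to-LAN tunnel.
Added example, not code from the original post or either poster's devices.  It parses the lines
that decide a Quick Mode proposal (static crypto map entry for the peer, its transform-set, PFS
group and crypto ACL) and reports why the two sides cannot agree.  Configs below are CONSTRUCTED."""
import ipaddress
from types import SimpleNamespace
PFS_DEFAULT = "group2"  # 'set pfs' with no group argument means DH group 2 on both platforms

def _endpoints(names, toks):
    # 'host X' / 'any' / 'X MASK' src and dst, 'name' aliases resolved; None for object-group
    nets, i = [], 0
    while i < len(toks) and len(nets) < 2:
        if toks[i] == "object-group":
            return None                                   # cannot be expanded from these lines
        if toks[i] == "host":
            addr, mask, i = toks[i + 1], "255.255.255.255", i + 2
        elif toks[i] == "any":
            addr, mask, i = "0.0.0.0", "0.0.0.0", i + 1
        else:
            addr, mask, i = toks[i], toks[i + 1], i + 2
        nets.append(ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False))
    return tuple(nets) if len(nets) == 2 else None

def parse_config(text):
    """Return dict of names, transform sets, crypto ACL endpoints and crypto map entries."""
    names, ts, acls, entries = {}, {}, {}, {}
    for toks in filter(None, map(str.split, text.splitlines())):
        if toks[0] == "name" and len(toks) >= 3:
            names[toks[2]] = toks[1]
        elif toks[:3] == ["crypto", "ipsec", "transform-set"] and len(toks) >= 5:
            ts[toks[3]] = frozenset(toks[4:])
        elif toks[0] == "access-list" and len(toks) >= 4:
            body = toks[3:] if toks[2] == "extended" else toks[2:]  # ASA 7.x vs PIX 6.3 syntax
            if len(body) >= 3 and body[0] == "permit":
                acls.setdefault(toks[1], []).append(_endpoints(names, body[2:]))
        elif toks[:2] == ["crypto", "map"] and len(toks) >= 5 and toks[3].isdigit():
            e = entries.setdefault((toks[2], int(toks[3])), SimpleNamespace(
                seq=int(toks[3]), peer=None, acl=None, pfs=None, transform_sets=[], dynamic=False))
            rest = toks[4:]
            if rest[0] == "ipsec-isakmp" and "dynamic" in rest:
                e.dynamic = True                  # dynamic maps serve unknown peers, not this L2L
            elif rest[:2] == ["match", "address"]:
                e.acl = rest[2]
            elif rest[:2] == ["set", "peer"]:
                e.peer = rest[2]
            elif rest[:2] == ["set", "pfs"]:
                e.pfs = rest[2] if len(rest) > 2 else PFS_DEFAULT
            elif rest[:2] == ["set", "transform-set"]:
                e.transform_sets = rest[2:]
    return {"names": names, "ts": ts, "acls": acls, "entries": entries}

def phase2_mismatches(cfg_a, peer_b, cfg_b, peer_a):
    """Why A's and B's Quick Mode parameters cannot agree ([] when they mirror); peer_b/peer_a are
    the addresses each side has under 'set peer' for the other."""
    def static_entry(cfg, peer):                  # lowest-sequence static entry for this peer
        return next((e for e in sorted(cfg["entries"].values(), key=lambda e: e.seq)
                     if not e.dynamic and e.peer == peer), None)
    a, b = static_entry(cfg_a, peer_b), static_entry(cfg_b, peer_a)
    if a is None or b is None:
        return ["no static crypto map entry for the peer on side " + ("A" if a is None else "B")]
    problems = []
    # 1. Both sides must offer at least one identical ESP transform set (encryption + auth).
    ts_a = {cfg_a["ts"].get(n) for n in a.transform_sets} - {None}
    ts_b = {cfg_b["ts"].get(n) for n in b.transform_sets} - {None}
    if not ts_a & ts_b:
        problems.append(f"transform-set: A offers {sorted(map(sorted, ts_a))}, B offers {sorted(map(sorted, ts_b))}")
    # 2. PFS group must match; a side with 'set pfs' rejects a proposal that lacks that group.
    if a.pfs != b.pfs:
        problems.append(f"pfs: A={a.pfs}, B={b.pfs}")
    # 3. Proxy identities: every (local, remote) pair on A must appear as (remote, local) on B.
    raw_a, raw_b = cfg_a["acls"].get(a.acl, []), cfg_b["acls"].get(b.acl, [])
    if None in raw_a or None in raw_b:
        problems.append("crypto ACL references an object-group; expand it before comparing")
    prox_a, mirror_b = {p for p in raw_a if p}, {(p[1], p[0]) for p in raw_b if p}
    for src, dst in prox_a - mirror_b:
        problems.append(f"proxy id {src} -> {dst} on A has no mirror on B")
    for dst, src in mirror_b - prox_a:
        problems.append(f"proxy id {src} -> {dst} on B has no mirror on A")
    return problems

# Constructed config excerpts: syntax patterned on the thread, addresses invented for the example.
ASA_CFG = """name 172.16.10.0 cambridge
name 192.168.20.0 smart26
access-list outside_120_cryptomap extended permit ip cambridge 255.255.255.0 smart26 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 40 match address outside_120_cryptomap
crypto map outside_map 40 set pfs
crypto map outside_map 40 set peer 198.51.100.2
crypto map outside_map 40 set transform-set ESP-3DES-MD5"""
PIX_CFG = """name 192.168.20.0 smart26
access-list to_cambridge permit ip smart26 255.255.255.0 172.16.10.0 255.255.255.128
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto map mapName 10 ipsec-isakmp dynamic dynmap
crypto map mapName 20 match address to_cambridge
crypto map mapName 20 set pfs group5
crypto map mapName 20 set peer 203.0.113.2
crypto map mapName 20 set transform-set 3des"""
# The same PIX config with its two planted faults (PFS group, /25 proxy mask) corrected.
PIX_CFG_FIXED = PIX_CFG.replace("set pfs group5", "set pfs").replace("255.255.255.128", "255.255.255.0")

def check(asa_text, pix_text):
    # ASA outside is 203.0.113.2, PIX outside is 198.51.100.2 (constructed addresses)
    return phase2_mismatches(parse_config(asa_text), "198.51.100.2", parse_config(pix_text), "203.0.113.2")
```

`check(ASA_CFG, PIX_CFG)` reports the PFS group difference and the unmatched proxy pair in each direction; `check(ASA_CFG, PIX_CFG_FIXED)` returns an empty list. Two limits worth knowing: crypto ACLs that reference an object-group (the ASA config in the thread has one, `lcc-networks`, though not in the ACL bound to the peer's crypto map entry) are not expanded and are flagged instead, and an empty result only says the static entries mirror on paper. If they do and the QM FSM error persists, the next place to look is what each box actually proposes, with `show crypto ipsec sa` and `debug crypto ipsec` on the responder, since NAT exemption or a different crypto map entry being selected can change the identities that go on the wire.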
This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:20 ART