From: Farrukh Haroon (farrukhharoon@gmail.com)
Date: Mon May 07 2007 - 13:36:33 ART
I would check your crypto ACLs once again: is your 'name 192.168.X.X smart26' identical on both ends?
I would suggest removing the use of the 'name' command in your crypto ACL; the Cisco documentation states:
"The name command does not support assigning a name to a network mask. For example, this command would be rejected:
hostname(config)# name 255.255.255.0 class-C-mask
Note: None of the commands in which a mask is required can process a name as an accepted network mask."
Are you using the name smart26 command to define a host address or what?
Regards
Farrukh
On 5/7/07, Taiwo Efunogbon <taiwo.efunogbon@gmail.com> wrote:
>
> Here are the configs
>
> ====
>
>
> :
> ASA Version 7.2(2)
> !
> hostname CamASA
> domain-name default.domain.invalid
>
> names
> name 172.16.X.X cambridge
> name 192.168.X.X smart26
> !
> interface Vlan1
> shutdown
> no nameif
> security-level 100
> no ip address
> !
> interface Vlan2
> shutdown
> no nameif
> security-level 0
> no ip address
> !
> interface Vlan10
> description Internet-connection
> nameif outside
> security-level 0
> ip address 62.231.X.X 255.255.255.248
> !
> interface Vlan20
> description Cambridge-LAN
> nameif inside
> security-level 100
> ip address 172.16.X.X 255.255.255.0
>
> interface Ethernet0/0
> switchport access vlan 10
> !
> interface Ethernet0/1
> switchport access vlan 20
> !
> interface Ethernet0/2
> switchport access vlan 20
> !
> interface Ethernet0/3
> switchport access vlan 30
> !
> interface Ethernet0/4
> switchport access vlan 40
> !
> interface Ethernet0/5
> !
> interface Ethernet0/6
> !
> interface Ethernet0/7
> !
>
> banner motd # If you are not Authorised to be in LCC.COM network, then you must disconnect immediately
> ftp mode passive
> dns server-group DefaultDNS
> domain-name default.domain.invalid
> access-list icmp-allow extended permit icmp any interface outside
> access-list tcp-allow extended permit tcp any any
> access-list tcp-allow extended permit ip any any
> access-list tcp-allow-telnet extended permit tcp any interface outside eq telnet
> access-list outside_20_cryptomap extended permit ip cambridge 255.255.255.0 object-group lcc-networks
> access-list inside_nat0_outbound extended permit ip cambridge 255.255.255.0 object-group lcc-networks
> access-list inside_nat0_outbound extended permit ip cambridge 255.255.255.0 smart26 255.255.255.0
> access-list inside_nat0_outbound extended permit ip interface outside host 62.173.x.x
> access-list outside_120_cryptomap extended permit ip cambridge 255.255.255.0 smart26 255.255.255.0
> pager lines 24
> logging enable
> logging asdm informational
> mtu outside 1500
> mtu inside 1500
> mtu guest 1500
> mtu dmz 1500
> no failover
> monitor-interface outside
> monitor-interface inside
> monitor-interface guest
> monitor-interface dmz
> icmp unreachable rate-limit 1 burst-size 1
> asdm image disk0:/asdm-522.bin
> no asdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list inside_nat0_outbound
> nat (inside) 1 0.0.0.0 0.0.0.0
> static (dmz,outside) 62.231.x.x 192.168.x.x netmask 255.255.255.255
> access-group tcp-allow in interface outside
> route outside 0.0.0.0 0.0.0.0 62.231.x.x 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
> timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
> timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
> timeout uauth 0:05:00 absolute
> http server enable
> http 0.0.0.0 0.0.0.0 outside
> no snmp-server location
> no snmp-server contact
> snmp-server enable traps snmp authentication linkup linkdown coldstart
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
> crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto map outside_map 40 match address outside_120_cryptomap
> crypto map outside_map 40 set pfs
> crypto map outside_map 40 set peer 195.54.x.x
> crypto map outside_map 40 set transform-set ESP-3DES-MD5
>
> crypto map outside_map interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
> authentication pre-share
> encryption aes-256
> hash md5
> group 2
> lifetime 86400
> crypto isakmp policy 30
> authentication pre-share
> encryption aes-256
> hash md5
> group 5
> lifetime 86400
>
> tunnel-group 195.54.x.x type ipsec-l2l
> tunnel-group 195.54.x.x ipsec-attributes
> pre-shared-key *
>
> telnet timeout 5
>
> console timeout 0
>
>
>
> =====
>
>
>
> PIX Version 6.3(1)
> interface ethernet0 auto
> interface ethernet1 100full
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
>
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> names
> name 192.168.x.x VPNDialin
> name 192.168.y.x smart26
> access-list 101 permit ip smart26 255.255.255.0 VPNDialin 255.255.255.0
> access-list 101 permit ip smart26 255.255.255.0 172.16.x.x 255.255.255.0
> access-list 126 permit icmp any host 195.54.x.x
> access-list 126 permit tcp any host 195.54.x.x
> access-list 126 permit ip any host 195.54.x.x
> access-list to_cambridge permit ip smart26 255.255.255.0 172.16.x.x 255.255.255.0
> pager lines 24
> mtu outside 1500
> mtu inside 1500
> ip address outside 195.54.x.x 255.255.255.248
> ip address inside 192.168.x.x 255.255.255.0
> ip audit info action alarm
> ip audit attack action alarm
> ip local pool VPNSmart26 192.168.x.x-192.168.x.x
>
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list 101
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> static (inside,outside) 195.54.x.x 192.168.x.x netmask 255.255.255.255 0 0
> access-group 126 in interface outside
> route outside 0.0.0.0 0.0.0.0 195.54.x.x 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> aaa-server AAAuser protocol radius
> aaa-server AAAuser (inside) host 192.168.x.x smart26 timeout 5
> http server enable
> http 192.168.x.x 255.255.255.255 inside
> http smart26 255.255.255.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> sysopt connection permit-pptp
> crypto ipsec transform-set AESset esp-aes-256 esp-sha-hmac
> crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
> crypto ipsec transform-set 3des esp-3des esp-md5-hmac
> crypto dynamic-map dynmap 50 set transform-set AESset
> crypto dynamic-map dynAAA 51 set transform-set AESset
> crypto map mapName 10 ipsec-isakmp dynamic dynmap
> crypto map mapName 20 ipsec-isakmp
> crypto map mapName 20 match address to_cambridge
> crypto map mapName 20 set pfs
> crypto map mapName 20 set peer 62.231.x.x
> crypto map mapName 20 set transform-set 3des
> crypto map mapName client configuration address initiate
> crypto map mapName interface outside
> isakmp enable outside
> isakmp key ******** address 62.231.x.x netmask 255.255.255.255 no-xauth no-config-mode
> isakmp policy 7 authentication pre-share
> isakmp policy 7 encryption aes-256
> isakmp policy 7 hash md5
> isakmp policy 7 group 2
> isakmp policy 7 lifetime 86400
> vpngroup vpnsmart26 address-pool VPNSmart26
> vpngroup vpnsmart26 dns-server x.x.x.x
> vpngroup vpnsmart26 wins-server x.x.x.x
> vpngroup vpnsmart26 default-domain smart26.com
> vpngroup vpnsmart26 split-tunnel 101
> vpngroup vpnsmart26 idle-time 1800
> telnet VPNDialin 255.255.255.0 outside
> telnet smart26 255.255.255.0 inside
> telnet VPNDialin 255.255.255.0 inside
> telnet timeout 6
> ssh timeout 5
> console timeout 0
>
> vpdn enable outside
>
>
>
>
> On 07/05/07, Plank, Jason <Jason_Plank@condenast.com> wrote:
> >
> > Phase 2 mismatch. Post configs from both devices.
> >
> >
> > Jason Plank, CCIE# 16560
> > Senior Network Engineer
> > Conde Nast Publications
> > 1201 North Market St.
> > Wilmington, DE 19808
> > Email: Jason_Plank@CondeNast.com
> > Office: 302-830-4910
> > Cell: 302-290-0387
> >
> >
> >
> > -----Original Message-----
> > From: Taiwo Efunogbon [mailto:taiwo.efunogbon@gmail.com]
> > Sent: Monday, May 07, 2007 08:37 AM Eastern Standard Time
> > To: ccielab@groupstudy.com
> > Subject: LAN-to-LAN VPN using the ASDM on ASA5505 and a PIX515
> >
> > Hello GS,
> >
> > I am configuring a LAN-to-LAN VPN using the ASDM on ASA5505 and a PIX515.
> >
> > I do have a completed Phase 1. But the Phase 2 keeps coming up with the
> > following error on the ASA:
> >
> > All IPSec SA proposals found unacceptable!
> > QM FSM error (P2 struct &0x3bd89b0, mess id 0x46e2e95d)!
> >
> > I have checked the transform-sets and that seems OK; SA lifetimes are OK as well.
> >
> > I'll appreciate an idea on how to fix this.
> >
> > --
> > Rgds
> > Taiwo Efunogbon
> >
> > Output from ASA:
> >
> > 4 May 07 2007 03:33:47 113019 Group = 195.54.x.x, Username = 195.54.x.x, IP = 195.54.x.x, Session disconnected. Session Type: IPSecLAN2LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
> > 3 May 07 2007 03:33:47 713902 Group = 195.54.x.x, IP = 195.54.x.x, Removing peer from correlator table failed, no match!
> > 3 May 07 2007 03:33:47 713902 Group = 195.54.x.x, IP = 195.54.x.x, QM FSM error (P2 struct &0x3c48e70, mess id 0x9580a93e)!
> > 5 May 07 2007 03:33:47 713904 Group = 195.54.x.x, IP = 195.54.x.x, All IPSec SA proposals found unacceptable!
> > 3 May 07 2007 03:33:47 713119 Group = 195.54.x.x, IP = 195.54.x.x, PHASE 1 COMPLETED
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> >
>
>
> --
> Taiwo Efunogbon
> Network Specialist
> CCNA, CCNP, CCIP, CCIE (w)
>
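As an added example (not code from this thread, from Cisco, or from any of the posters), here is a small Python checker that does what Farrukh suggests above: resolve the `name` aliases on each firewall and verify that the two crypto ACLs are exact mirror images of each other, which is what quick mode needs before it will accept a proposal. The two config snippets embedded in it are constructed from the thread's `outside_120_cryptomap` and `to_cambridge` ACLs with RFC 1918 addresses substituted for the redacted x.x octets; the differing `smart26` alias on the PIX side is invented purely to show what a mismatch looks like in the output. It also refuses an alias used in the mask position, the case the documentation quote in Farrukh's reply describes.

```python
"""Crypto ACL mirror check for a LAN-to-LAN IPsec tunnel (added example).

Quick mode (Phase 2) only succeeds when the proxy identities one peer proposes
are the mirror image of what the other peer's crypto ACL permits: local source
<-> remote destination, same protocol, same masks. Because `name` aliases are
substituted into the ACL text, an alias that resolves to a different address
on each box gives exactly this symptom while both configs look identical on
screen. This checker resolves the aliases on each side and lists the entries
that have no mirror on the other side.
"""
import ipaddress
import re


def parse_names(config):
    """Collect `name <ip> <alias>` lines into {alias: ip}."""
    names = {}
    for line in config.splitlines():
        m = re.match(r"\s*name\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            names[m.group(2)] = m.group(1)
    return names


def _take_net(tokens, names):
    """Consume one address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1])), tokens[2:]
    addr, mask = names.get(tokens[0], tokens[0]), tokens[1]
    if mask in names:
        # Cisco rejects `name` for masks (the documentation quote in the thread).
        raise ValueError(f"alias {mask!r} used as a network mask")
    # ipaddress accepts a dotted netmask after the slash; strict=False tolerates host bits.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_crypto_acl(config, acl_name):
    """Return ({(proto, src_net, dst_net)}, [unsupported lines]) for one ACL's permits.

    Accepts both syntaxes in the thread: ASA 7.x `extended permit` and PIX 6.3 `permit`.
    Entries that reference an object-group are reported rather than silently dropped.
    """
    names = parse_names(config)
    entries, unsupported = set(), []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", acl_name] or len(tokens) < 4:
            continue
        if tokens[2] == "extended":
            tokens.pop(2)
        if tokens[2] != "permit":
            continue  # deny entries never select traffic for the tunnel
        if "object-group" in tokens:
            unsupported.append(line.strip())
            continue
        proto = tokens[3]
        src, rest = _take_net(tokens[4:], names)
        dst, _ = _take_net(rest, names)
        entries.add((proto, src, dst))
    return entries, unsupported


def mirror(entries):
    """Swap source and destination: what the far end must permit for each entry."""
    return {(proto, dst, src) for (proto, src, dst) in entries}


def compare_crypto_acls(local_cfg, local_acl, remote_cfg, remote_acl):
    """Return (only_local, only_remote): entries with no mirror image on the other peer."""
    local, _ = parse_crypto_acl(local_cfg, local_acl)
    remote, _ = parse_crypto_acl(remote_cfg, remote_acl)
    remote_mirrored = mirror(remote)
    return local - remote_mirrored, remote_mirrored - local


# Constructed samples modelled on the two ACLs in the thread, with RFC 1918
# addresses in place of the redacted x.x octets (not the poster's real values).
ASA_CFG = """\
names
name 172.16.10.0 cambridge
name 192.168.26.0 smart26
access-list outside_120_cryptomap extended permit ip cambridge 255.255.255.0 smart26 255.255.255.0
crypto map outside_map 40 match address outside_120_cryptomap
"""

# PIX side with the smart26 alias pointing at a different subnet (invented for the demo).
PIX_CFG_MISMATCH = """\
names
name 192.168.27.0 smart26
access-list to_cambridge permit ip smart26 255.255.255.0 172.16.10.0 255.255.255.0
crypto map mapName 20 match address to_cambridge
"""
PIX_CFG_FIXED = PIX_CFG_MISMATCH.replace("192.168.27.0", "192.168.26.0")

if __name__ == "__main__":
    fmt = lambda e: f"{e[0]} {e[1]} -> {e[2]}"
    for label, pix in (("mismatched alias", PIX_CFG_MISMATCH), ("corrected alias", PIX_CFG_FIXED)):
        only_local, only_remote = compare_crypto_acls(
            ASA_CFG, "outside_120_cryptomap", pix, "to_cambridge")
        print(f"{label}: ASA-only={sorted(map(fmt, only_local))} "
              f"PIX-only (mirrored)={sorted(map(fmt, only_remote))}")
```

Run it as-is and the first line reports one entry on each side that the other does not mirror (the two `smart26` resolutions differ), while the corrected pair reports nothing. The parser deliberately stops at `object-group` references and returns them as unsupported, since expanding groups needs the group definitions, which the posted ASA config does not include.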
This archive was generated by hypermail 2.1.4 : Fri Jun 01 2007 - 06:55:20 ART