The router is not an ASA: it needs explicit permission for the three L2L
"stateless" protocols coming in past the ACL.
access-list 101 permit udp any eq bootps any eq bootpc
! used for IKE, UDP 500 (ISAKMP phase 1)
access-list 101 permit udp any host 10.70.100.55 eq 500
! used for ESP, IP protocol 50 (phase 2)
access-list 101 permit esp any host 10.70.100.55
! used for L2L NAT-T, UDP 4500 (IPsec L2L when phase 1 detects NAT)
access-list 101 permit udp any host 10.70.100.55 eq 4500
access-list 101 deny ip host 91.212.226.179 any log
access-list 101 deny ip host 194.28.112.6 any log
access-list 101 deny tcp any any log
access-list 101 deny udp any any log
access-list 101 deny ip any any log
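To check an ACL like this before applying it, the following script (an added example, not code from the reply above or from the original post) simulates IOS first-match evaluation for the subset of extended-ACL syntax that actually appears on this page: permit/deny, the ip/udp/tcp/esp protocol keywords, `any` / `host A` / `A WILDCARD` addresses, optional `eq PORT` on either side, and a trailing `log`. Ranges, `established`, object groups and other options are deliberately not modelled. `ACL_ORIGINAL` is ACL 101 as it appears in the router config quoted below; `ACL_FIXED` is the version from the reply above; the peer and local addresses are those in the thread.

```python
"""First-match evaluation of the IOS extended ACLs quoted in this thread.

Added example; not code from the original post. Only the ACL syntax used on
this page is modelled (see the lead-in); anything else raises or misparses.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ACL 101 exactly as it appears in the router config posted in the thread.
ACL_ORIGINAL = """
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip host 91.212.226.179 any log
access-list 101 deny ip host 194.28.112.6 any log
access-list 101 deny tcp any any log
access-list 101 deny udp any any log
access-list 101 deny ip any any log
"""

# ACL 101 as rewritten in the reply at the top of this page.
ACL_FIXED = """
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit udp any host 10.70.100.55 eq 500
access-list 101 permit esp any host 10.70.100.55
access-list 101 permit udp any host 10.70.100.55 eq 4500
access-list 101 deny ip host 91.212.226.179 any log
access-list 101 deny ip host 194.28.112.6 any log
access-list 101 deny tcp any any log
access-list 101 deny udp any any log
access-list 101 deny ip any any log
"""

ANY = ipaddress.ip_network("0.0.0.0/0")
PORT_NAMES = {"bootps": 67, "bootpc": 68, "isakmp": 500, "non500-isakmp": 4500}


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]         # None == any port
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str                    # original line, for reporting


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted netmasks: 0.0.0.255 -> /24."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _parse_ace(line: str) -> Ace:
    toks = line.split()
    action, proto, i = toks[2], toks[3], 4

    def addr() -> ipaddress.IPv4Network:
        nonlocal i
        if toks[i] == "any":
            i += 1
            return ANY
        if toks[i] == "host":
            i += 2
            return ipaddress.ip_network(toks[i - 1] + "/32")
        i += 2
        return _wildcard_to_network(toks[i - 2], toks[i - 1])

    def port() -> Optional[int]:
        nonlocal i
        if i < len(toks) and toks[i] == "eq":
            i += 2
            name = toks[i - 1]
            return PORT_NAMES[name] if name in PORT_NAMES else int(name)
        return None

    src, sport = addr(), port()
    dst, dport = addr(), port()
    return Ace(action, proto, src, sport, dst, dport, line)


def parse_acl(text: str) -> List[Ace]:
    return [_parse_ace(line.strip()) for line in text.splitlines()
            if line.strip().startswith("access-list")]


def evaluate(aces: List[Ace], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> Tuple[str, str]:
    """(action, matching line) for one packet; first match wins, implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if a.proto != "ip" and a.proto != proto:
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.sport is not None and a.sport != sport:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action, a.text
    return "deny", "(implicit deny at end of list)"


def ipsec_control_plane(acl_text: str, local: str, peer: str) -> dict:
    """What the inbound ACL does to the three flows an IPsec L2L peer must be able to send us."""
    aces = parse_acl(acl_text)
    return {
        "IKE udp/500":    evaluate(aces, "udp", peer, local, 500, 500)[0],
        "NAT-T udp/4500": evaluate(aces, "udp", peer, local, 4500, 4500)[0],
        "ESP proto 50":   evaluate(aces, "esp", peer, local)[0],
    }


if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("fixed", ACL_FIXED)):
        print(name, ipsec_control_plane(acl, "10.70.100.55", "10.70.100.100"))
```

Against `ACL_ORIGINAL` all three flows from 10.70.100.100 land on the blanket `deny udp any any log` / `deny ip any any log` lines, which is exactly the `list 101 denied udp 10.70.100.100(500) -> 10.70.100.55(500)` message in the log further down; against `ACL_FIXED` all three are permitted. One ordering point the evaluator also surfaces: in the corrected list the `permit esp` and `permit udp ... eq 500/4500` entries come before the two host-specific denies, so those two hosts could still reach the IKE and ESP ports; if they are meant to be blocked entirely, put the `deny ip host ... any log` entries above the permits.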
From: Steve Di Bias [mailto:sdibias_at_gmail.com]
Sent: Saturday, May 21, 2011 4:51 PM
To: Joseph L. Brunner
Cc: ccielab_at_groupstudy.com
Subject: Re: L2L Tunnel wont come up!!
Joe, here is the entire config
SD-c850-Edge#sh run
Building configuration...
Current configuration : 6513 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
!
hostname SD-c850-Edge
!
boot-start-marker
boot-end-marker
!
logging buffered 4000000
enable secret 5 $1$zKZK
!
aaa new-model
!
!
!
!
aaa session-id common
clock timezone PST -8
clock summer-time PDT recurring
!
crypto pki trustpoint TP-self-signed-3333873543
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3333873543
revocation-check none
rsakeypair TP-self-signed-3333873543
!
!
crypto pki certificate chain TP-self-signed-3333873543
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33333333 38373335 3433301E 170D3032 30333139 31333134
34315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33333338
37333534 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B57F B64E5891 14A6A84B CF952200 A304029E 1DCF36A9 8309B686 828D225A
6FDC8DE1 586ACB97 79AC0528 0B775CE7 2B3E01B1 AB04A715 E5C0E021 DCD90781
999396E6 96088053 9CD7BF47 2925F969 89ED216A BBF3B4E7 C3529353 0742D072
4413965D FF2F98C6 21363D5F 438FAFCC 2A9CF213 96FFD3A6 9DA9AE95 37C2E8EF
C16F0203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
551D1104 19301782 1553442D 45646765 2E73642E 64696269 61732E63 6F6D301F
0603551D 23041830 16801428 C5FE6395 35E210AD 3C8B58E9 99496F0E 3D5E5930
1D060355 1D0E0416 041428C5 FE639535 E210AD3C 8B58E999 496F0E3D 5E59300D
06092A86 4886F70D 01010405 00038181 0013F5A2 04B03747 AFF5A4EA 3BB3AC36
DEEF0383 3BA60409 316509C6 2766C189 515B6DEF 01027A4B E7AF55A8 211BAF6A
EA76FEF3 456D981A AD0A270A FF90031A 03BDA26F 0CB02C09 E0B9278D 36CDBC54
0D4998D8 400C1F51 A53EA9C5 FA0A9664 AC213969 5A0AA5EB A62BD26D EA492CFF
FD09AFA6 93FD3D87 3CF6BB9E 19842374 0F
quit
dot11 syslog
no ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.1 192.168.100.20
!
ip dhcp pool LAN
import all
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 207.14.235.234 67.238.98.162 74.4.19.187
domain-name wr
!
!
ip cef
ip inspect log drop-pkt
ip inspect tcp block-non-session
ip inspect name FWrule tcp
ip inspect name FWrule udp
ip inspect name FWrule ntp
ip inspect name FWrule icmp router-traffic
ip inspect name FWRule tcp
ip inspect name FWRule udp
ip inspect name FWRule icmp router-traffic
ip inspect name FWRule ntp
no ip domain lookup
ip domain name sd.ccie.int
!
!
!
username steve privilege 15 password 7 01435653570F08222E464148
username chelle privilege 15 password 7 075F711B420D17281818044D
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 8r$Ma2ebecu7 address 10.70.100.100
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set vpn esp-3des
!
crypto map vpn 10 ipsec-isakmp
set peer 10.70.100.100
set transform-set vpn
match address 151
!
archive
log config
logging enable
hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
bridge irb
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
no cdp enable
spanning-tree portfast
!
interface FastEthernet1
no cdp enable
spanning-tree portfast
!
interface FastEthernet2
no cdp enable
spanning-tree portfast
!
interface FastEthernet3
no cdp enable
spanning-tree portfast
!
interface FastEthernet4
description *-* To DSL Modem *-*
ip address 10.70.100.55 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
ip inspect FWrule out
ip flow egress
ip nat outside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
no cdp enable
crypto map vpn
!
interface Vlan1
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.100.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
!
!
ip forward-protocol nd
ip route 91.212.226.179 255.255.255.255 Null0 name Block_TidServe_Troj
ip route 194.28.112.6 255.255.255.255 Null0 name Block_TidServ_Troj
!
no ip http server
no ip http secure-server
ip nat inside source route-map NO-NAT interface FastEthernet4 overload
!
logging history informational
logging trap debugging
access-list 10 permit 192.168.100.0 0.0.0.255
access-list 10 deny any log
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 100 permit udp any eq bootpc any
access-list 100 permit udp any eq bootps any
access-list 100 deny ip any any log
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip host 91.212.226.179 any log
access-list 101 deny ip host 194.28.112.6 any log
access-list 101 deny tcp any any log
access-list 101 deny udp any any log
access-list 101 deny ip any any log
access-list 120 deny ip 192.168.100.0 0.0.0.255 host 10.186.56.6
access-list 120 permit ip 192.168.100.0 0.0.0.255 any
access-list 120 deny ip any any log
access-list 151 permit ip 192.168.100.0 0.0.0.255 host 10.186.56.6
access-list 151 deny ip any any log
snmp-server location Downstairs
snmp-server contact Steve Di Bias
no cdp run
route-map NO-NAT permit 10
match ip address 120
!
!
control-plane
!
bridge 1 route ip
banner motd ^C * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *
THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE
ONLY. UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED AND MAY BE
PUNISHABLE UNDER THE COMPUTER FRAUD AND ABUSE ACT OF 1986 OR
OTHER APPLICABLE LAWS. IF NOT AUTHORIZED TO ACCESS THIS SYSTEM,
DISCONNECT NOW. BY CONTINUING, YOU CONSENT TO YOUR KEYSTROKES
AND DATA CONTENT BEING MONITORED. ALL PERSONS ARE HEREBY
NOTIFIED THAT THE USE OF THIS SYSTEM CONSTITUTES CONSENT TO
MONITORING AND AUDITING.
^C
alias exec c conf t
alias exec s sh run
alias exec w write mem
alias exec sir show ip route
!
line con 0
password 7 snip
no modem enable
line aux 0
password 7 snip
line vty 0 4
privilege level 15
password 7 snip
logging synchronous
transport input telnet ssh
!
scheduler max-task-time 5000
end
On Sat, May 21, 2011 at 1:45 PM, Joseph L. Brunner <joe_at_affirmedsystems.com> wrote:
I think you may have an acl on your router blocking UDP 500 (IKE) facing the
ASA which is trying...
And make sure the asa has the crypto phase 1 config (remember default on both
is auth rsa, cry des, group 1), you need "auth preshared", cry 3des, group 2
in your phase 1 crypto isakmp policies.
-Joe
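To make the "check the phase 1 config on both ends" step mechanical, here is a small proposal comparer (an added example, not code from this reply or from the original post). `ROUTER_CRYPTO` is the IOS crypto section as posted, with the key replaced by `*` as in the first message. `ASA_CRYPTO_OK` and `ASA_CRYPTO_BAD` are constructed: the thread shows only the ASA's crypto map, not its ISAKMP policies, and the contents of its `ESP-3DES-SHA` transform set are assumed from the name. Only IOS defaults are filled in (encr des, hash sha, authentication rsa-sig, group 1, lifetime 86400); for the ASA side every attribute has to be written out, so nothing is assumed about ASA defaults.

```python
"""Phase-1 policy and phase-2 transform-set comparison for the two tunnel ends.

Added example, not part of the original post. See the lead-in for which
inputs are quoted from the thread and which are constructed.
"""
import re
from typing import Dict, FrozenSet, List, Tuple

IOS_ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                       "group": "1", "lifetime": "86400"}
# lifetime is negotiated down to the shorter value rather than matched, so it is not compared
PHASE1_MATCH_KEYS = ("encr", "hash", "authentication", "group")

# IOS side, as posted in the thread (pre-shared key replaced by '*').
ROUTER_CRYPTO = """
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key * address 10.70.100.100
crypto ipsec transform-set vpn esp-3des
"""

# CONSTRUCTED ASA side that agrees with the router in both phases.
ASA_CRYPTO_OK = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-3DES esp-3des
"""

# CONSTRUCTED ASA side: group 1 in phase 1, and a transform set with ESP
# authentication (assumed contents of ESP-3DES-SHA) that the router's set lacks.
ASA_CRYPTO_BAD = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
"""


def parse_isakmp_policies(text: str, defaults: Dict[str, str]) -> Dict[int, Dict[str, str]]:
    """{priority: attributes} from 'crypto isakmp policy N' blocks; ASA 'encryption' folds into 'encr'."""
    policies: Dict[int, Dict[str, str]] = {}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := re.match(r"crypto isakmp policy (\d+)$", line)):
            cur = int(m.group(1))
            policies[cur] = dict(defaults)
            continue
        if not line or line.startswith("crypto "):
            cur = None                      # any other top-level line ends the policy block
            continue
        if cur is None:
            continue
        key, _, value = line.partition(" ")
        policies[cur]["encr" if key == "encryption" else key] = value.strip()
    return policies


def parse_transform_sets(text: str) -> Dict[str, FrozenSet[str]]:
    sets: Dict[str, FrozenSet[str]] = {}
    for line in text.splitlines():
        if (m := re.match(r"\s*crypto ipsec transform-set (\S+)\s+(.+)$", line)):
            sets[m.group(1)] = frozenset(m.group(2).split())
    return sets


def phase1_report(local_text: str, remote_text: str) -> Dict[Tuple[int, int], List[str]]:
    """For every local/remote policy pair, the attributes that differ (empty list == match)."""
    local = parse_isakmp_policies(local_text, IOS_ISAKMP_DEFAULTS)
    remote = parse_isakmp_policies(remote_text, {})   # no defaults assumed for the far end
    return {(lp, rp): [k for k in PHASE1_MATCH_KEYS if lv.get(k) != rv.get(k)]
            for lp, lv in sorted(local.items()) for rp, rv in sorted(remote.items())}


def phase1_matches(local_text: str, remote_text: str) -> List[Tuple[int, int]]:
    return [pair for pair, diff in phase1_report(local_text, remote_text).items() if not diff]


def phase2_matches(local_text: str, remote_text: str) -> List[Tuple[str, str]]:
    """Transform-set name pairs whose transforms are identical."""
    local, remote = parse_transform_sets(local_text), parse_transform_sets(remote_text)
    return [(ln, rn) for ln, lt in local.items() for rn, rt in remote.items() if lt == rt]


if __name__ == "__main__":
    for label, asa in (("ok", ASA_CRYPTO_OK), ("bad", ASA_CRYPTO_BAD)):
        print(label, phase1_report(ROUTER_CRYPTO, asa), phase2_matches(ROUTER_CRYPTO, asa))
```

The phase-2 check is worth running once udp/500 is permitted: the router's posted transform set `vpn esp-3des` carries no ESP authentication transform, so if the ASA's `ESP-3DES-SHA` contains what its name suggests, phase 1 would complete and phase 2 would then fail on the proposal.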
From: Steve Di Bias [mailto:sdibias_at_gmail.com]
Sent: Saturday, May 21, 2011 4:44 PM
To: Joseph L. Brunner
Cc: ccielab_at_groupstudy.com
Subject: Re: L2L Tunnel wont come up!!
Joe, here you go
show run crypto (ASA)
crypto map outside_map 7 match address outside_1_cryptomap_NetEngCCIE
crypto map outside_map 7 set peer 71.2.66.243
crypto map outside_map 7 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
show ip access-list (Router)
access-list 120 deny ip 192.168.100.0 0.0.0.255 host 10.186.56.6
access-list 120 permit ip 192.168.100.0 0.0.0.255 any
access-list 120 deny ip any any log
access-list 151 permit ip 192.168.100.0 0.0.0.255 host 10.186.56.6
access-list 151 deny ip any any log
On Sat, May 21, 2011 at 1:32 PM, Joseph L. Brunner <joe_at_affirmedsystems.com> wrote:
Why is this being logged on your router?
Let's see the rest of your configurations... especially the ACCESS LIST on the
ROUTER
*May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.70.100.55(0) -> 10.70.100.100(0), 5 packets
*May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.70.100.100(500) -> 10.70.100.55(500), 7 packets
Also on the ASA
Show run crypto
(paste result)
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Steve Di Bias
Sent: Saturday, May 21, 2011 4:22 PM
To: ccielab_at_groupstudy.com
Subject: OT: L2L Tunnel wont come up!!
Hello Experts!
I just finished building a tunnel between a Cisco 850 running IOS
12.4(15)T14 and an ASA 5510 running 8.0(3). Here are my configs::
On the Router
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key * address 10.70.100.100
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set vpn esp-3des
!
crypto map vpn 10 ipsec-isakmp
set peer 10.70.100.100
set transform-set vpn
match address 151
access-list 120 deny ip 192.168.100.0 0.0.0.255 host 10.186.56.6
access-list 120 permit ip 192.168.100.0 0.0.0.255 any
access-list 120 deny ip any any log
access-list 151 permit ip 192.168.100.0 0.0.0.255 host 10.186.56.6
access-list 151 deny ip any any log
route-map NO-NAT permit 10
match ip address 120
ip nat inside source route-map NO-NAT interface FastEthernet4 overload
On the ASA
tunnel-group 10.70.100.55 type ipsec-l2l
tunnel-group 10.70.100.55 ipsec-attributes
pre-shared-key *
access-list outside_1_cryptomap_NetEngCCIE extended permit ip host
10.186.56.6 192.168.100.0 255.255.255.0
access-list outside_1_cryptomap_NetEngCCIE remark CCIE_Tunnel
access-list inside_nat0_outbound extended permit ip host 10.186.56.6
192.168.100.0 255.255.255.0
crypto map outside_map 7 match address outside_1_cryptomap_NetEngCCIE
crypto map outside_map 7 set peer 10.70.100.55
crypto map outside_map 7 set transform-set ESP-3DES-SHA
And here are the debugs when I try to bring the tunnel up:
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0): SA request profile is (NULL)
*May 16 2011 01:34:26.880 PDT: ISAKMP: Created a peer struct for
10.70.100.100, peer port 500
*May 16 2011 01:34:26.880 PDT: ISAKMP: New peer created peer = 0x81FB0F04
peer_handle = 0x8000000A
*May 16 2011 01:34:26.880 PDT: ISAKMP: Locking peer struct 0x81FB0F04,
refcount 1 for isakmp_initiator
*May 16 2011 01:34:26.880 PDT: ISAKMP: local port 500, remote port 500
*May 16 2011 01:34:26.880 PDT: ISAKMP: set new node 0 to QM_IDLE
*May 16 2011 01:34:26.880 PDT: insert sa successfully sa = 82FBBE5C
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Can not start Aggressive mode,
trying Main mode.
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0):found peer pre-shared key matching
10.70.100.100
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-rfc3947
ID
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC,
IKE_SA_REQ_MM
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Old State = IKE_READY New State =
IKE_I_MM1
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0): beginning Main Mode exchange
SD-c850-Edge#
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0): sending packet to 10.70.100.100
my_port 500 peer_port 500 (I) MM_NO_STATE
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
SD-c850-Edge#
SD-c850-Edge#
SD-c850-Edge#
SD-c850-Edge#
SD-c850-Edge#
*May 16 2011 01:34:36.882 PDT: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE...
*May 16 2011 01:34:36.882 PDT: ISAKMP (0:0): incrementing error counter on
sa, attempt 1 of 5: retransmit phase 1
*May 16 2011 01:34:36.882 PDT: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE
*May 16 2011 01:34:36.882 PDT: ISAKMP:(0): sending packet to 10.70.100.100
my_port 500 peer_port 500 (I) MM_NO_STATE
*May 16 2011 01:34:36.882 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
SD-c850-Edge#
*May 16 2011 01:34:46.885 PDT: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE...
*May 16 2011 01:34:46.885 PDT: ISAKMP (0:0): incrementing error counter on
sa, attempt 2 of 5: retransmit phase 1
*May 16 2011 01:34:46.885 PDT: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE
*May 16 2011 01:34:46.885 PDT: ISAKMP:(0): sending packet to 10.70.100.100
my_port 500 peer_port 500 (I) MM_NO_STATE
*May 16 2011 01:34:46.885 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
SD-c850-Edge#
*May 16 2011 01:34:56.879 PDT: ISAKMP: set new node 0 to QM_IDLE
*May 16 2011 01:34:56.879 PDT: ISAKMP:(0):SA is still budding. Attached new
ipsec request to it. (local 10.70.100.55, remote 10.70.100.100)
*May 16 2011 01:34:56.879 PDT: ISAKMP: Error while processing SA request:
Failed to initialize SA
*May 16 2011 01:34:56.879 PDT: ISAKMP: Error while processing KMI message 0,
error 2.
*May 16 2011 01:34:56.887 PDT: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE...
*May 16 2011 01:34:56.887 PDT: ISAKMP (0:0): incrementing error counter on
sa, attempt 3 of 5: retransmit phase 1
*May 16 2011 01:34:56.887 PDT: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE
SD-c850-Edge#
*May 16 2011 01:34:56.887 PDT: ISAKMP:(0): sending packet to 10.70.100.100
my_port 500 peer_port 500 (I) MM_NO_STATE
*May 16 2011 01:34:56.887 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
SD-c850-Edge#
*May 16 2011 01:35:06.889 PDT: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE...
*May 16 2011 01:35:06.889 PDT: ISAKMP (0:0): incrementing error counter on
sa, attempt 4 of 5: retransmit phase 1
*May 16 2011 01:35:06.889 PDT: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE
*May 16 2011 01:35:06.889 PDT: ISAKMP:(0): sending packet to 10.70.100.100
my_port 500 peer_port 500 (I) MM_NO_STATE
*May 16 2011 01:35:06.889 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
SD-c850-Edge#
*May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.70.100.55(0) -> 10.70.100.100(0), 5 packets
*May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.70.100.100(500) -> 10.70.100.55(500), 7 packets
SD-c850-Edge#
*May 16 2011 01:35:16.891 PDT: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE...
*May 16 2011 01:35:16.891 PDT: ISAKMP (0:0): incrementing error counter on
sa, attempt 5 of 5: retransmit phase 1
*May 16 2011 01:35:16.891 PDT: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE
*May 16 2011 01:35:16.891 PDT: ISAKMP:(0): sending packet to 10.70.100.100
my_port 500 peer_port 500 (I) MM_NO_STATE
*May 16 2011 01:35:16.891 PDT: ISAKMP:(0):Sending an IKE IPv4 Packet.
SD-c850-Edge#
*May 16 2011 01:35:26.894 PDT: ISAKMP:(0): retransmitting phase 1
MM_NO_STATE...
*May 16 2011 01:35:26.894 PDT: ISAKMP:(0):peer does not do paranoid
keepalives.
*May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting SA reason "Death by
retransmission P1" state (I) MM_NO_STATE (peer 10.70.100.100)
*May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting SA reason "Death by
retransmission P1" state (I) MM_NO_STATE (peer 10.70.100.100)
*May 16 2011 01:35:26.894 PDT: ISAKMP: Unlocking peer struct 0x81FB0F04 for
isadb_mark_sa_deleted(), count 0
*May 16 2011 01:35:26.894 PDT: ISAKMP: Deleting peer node by peer_reap for
10.70.100.100: 81FB0F04
SD-c850-Edge#
*May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting node 1945611004 error
FALSE reason "IKE deleted"
*May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting node 1604588444 error
FALSE reason "IKE deleted"
*May 16 2011 01:35:26.894 PDT: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
IKE_PHASE1_DEL
*May 16 2011 01:35:26.894 PDT: ISAKMP:(0):Old State = IKE_I_MM1 New State =
IKE_DEST_SA
Any ideas on what is causing this?? Thanks in advance!
--
-Steve Di Bias

Blogs and organic groups at http://www.ccie.net

Received on Sat May 21 2011 - 20:54:10 ART
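The debug above already contains the answer, and the following script (an added example, not code from the original post) pulls it out mechanically. `SAMPLE_LOG` is the router's own output from the post with the mail-client line wrapping undone so that each event is one line; which ACL is an interface filter and which one only feeds the NAT route-map is taken from the router config in the thread. The `%SEC-6-IPACCESSLOGNP` pattern, the form IOS uses for denies of protocols without ports such as ESP, is included on the assumption that an ESP drop on this box would be logged that way; the page itself shows only `IPACCESSLOGP` lines.

```python
"""Triage of the ISAKMP debug and ACL-log lines pasted in this thread.

Added example, not part of the original post. Distinguishes "the peer never
answered" from "the peer answered and our own inbound ACL dropped it", and
separates NAT route-map ACL denies (which only mean 'do not translate') from
real interface-ACL drops.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# From the router config in the thread: ACLs applied as interface filters ...
INTERFACE_ACLS = {"101": "FastEthernet4 in", "100": "BVI1 in"}
# ... and the ACL only consulted by the NAT route-map (a deny there is not a drop).
NAT_ROUTEMAP_ACLS = {"120": "route-map NO-NAT (ip nat inside source)"}

IPSEC_UDP_PORTS = {500, 4500}      # IKE and NAT-T
ESP_PROTO_NAMES = {"esp", "50"}

RE_LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<n>\d+) packet")
RE_LOGNP = re.compile(   # assumed format for protocols without ports (ESP, GRE, ...)
    r"%SEC-6-IPACCESSLOGNP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+), (?P<n>\d+) packet")
RE_ATTEMPT = re.compile(r"attempt (?P<k>\d+) of (?P<max>\d+): retransmit phase 1")
RE_DEATH = re.compile(
    r'Death by retransmission P1" state \(I\) (?P<state>[A-Z0-9_]+) \(peer (?P<peer>[\d.]+)\)')

# Lines taken from the post above, re-joined onto single lines.
SAMPLE_LOG = """\
*May 16 2011 01:34:26.880 PDT: ISAKMP:(0): sending packet to 10.70.100.100 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 16 2011 01:34:36.882 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*May 16 2011 01:34:46.885 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*May 16 2011 01:34:56.887 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*May 16 2011 01:35:06.889 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 120 denied udp 10.70.100.55(0) -> 10.70.100.100(0), 5 packets
*May 16 2011 01:35:09.394 PDT: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.70.100.100(500) -> 10.70.100.55(500), 7 packets
*May 16 2011 01:35:16.891 PDT: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*May 16 2011 01:35:26.894 PDT: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 10.70.100.100)
"""


@dataclass
class Triage:
    p1_attempts: int = 0                  # highest "attempt k of n" seen
    p1_death_state: str = ""              # initiator state when the SA was torn down
    peer_replies_dropped: List[Tuple] = field(default_factory=list)  # (acl, where, proto, dport, packets)
    nat_exemption_noise: List[Tuple] = field(default_factory=list)   # (acl, where, packets)
    verdict: str = ""


def triage(log_text: str, local: str, peer: str) -> Triage:
    t = Triage()
    for line in log_text.splitlines():
        if (m := RE_ATTEMPT.search(line)):
            t.p1_attempts = max(t.p1_attempts, int(m["k"]))
            continue
        if (m := RE_DEATH.search(line)) and m["peer"] == peer:
            t.p1_death_state = m["state"]
            continue
        m = RE_LOGP.search(line) or RE_LOGNP.search(line)
        if not m:
            continue
        gd = m.groupdict()
        acl, proto, packets = gd["acl"], gd["proto"], int(gd["n"])
        dport = int(gd["dport"]) if gd.get("dport") else None
        is_ipsec = (proto == "udp" and dport in IPSEC_UDP_PORTS) or proto in ESP_PROTO_NAMES
        if acl in NAT_ROUTEMAP_ACLS:
            t.nat_exemption_noise.append((acl, NAT_ROUTEMAP_ACLS[acl], packets))
        elif acl in INTERFACE_ACLS and is_ipsec and gd["src"] == peer and gd["dst"] == local:
            t.peer_replies_dropped.append((acl, INTERFACE_ACLS[acl], proto, dport, packets))

    if t.peer_replies_dropped:
        acl, where, proto, dport, packets = t.peer_replies_dropped[0]
        flow = f"{proto}/{dport}" if dport is not None else proto
        t.verdict = (f"peer {peer} is answering ({packets} {flow} packets seen) but ACL {acl} on {where} "
                     f"drops them before ISAKMP sees them; phase 1 died in "
                     f"{t.p1_death_state or 'unknown state'} after {t.p1_attempts} retransmits. "
                     f"Permit udp/500, udp/4500 and esp to {local} first, then compare proposals.")
    elif t.p1_death_state == "MM_NO_STATE":
        t.verdict = ("no answer to MM1 and no local ACL drop logged: check reachability, filtering "
                     "between the peers, or a responder that rejects every proposal")
    else:
        t.verdict = "no phase-1 failure pattern recognised"
    return t


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "10.70.100.55", "10.70.100.100").verdict)
```

The decisive line is the `list 101 denied udp 10.70.100.100(500) -> 10.70.100.55(500)` entry: it proves the ASA did reply on UDP 500 and that the reply died on the router's own inbound ACL, so the initiator sat in MM_NO_STATE (MM1 sent, no MM2 received) until "Death by retransmission". The `list 120` entry is a different thing: ACL 120 is referenced only by the NO-NAT route-map, so a deny there means the router's own IKE packets were not translated, which is what you want; the `log` keyword on that line is just noise.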
This archive was generated by hypermail 2.2.0 : Wed Jun 01 2011 - 09:01:11 ART