

ASA to XG 230 ipsec L2L

First attempt at IPsec L2L on an XG. Looks like we're not making it to phase 1: the XG IP never shows up in "sh cry isakmp sa" on the ASA, and pings from the XG LAN to the private subnet behind the ASA get sent out the default WAN route, thus going nowhere. The ASA currently has an active L2L with an external Cisco IOS device that I've been going over for reference. Any hints are appreciated.

ASA5520 8.4(7)   = 1.1.1.1
XG230_WP01_15.01.0.376 = 2.2.2.2
XG230 LAN = 172.30.0.0/22




ASA -

! Phase 1 (ISAKMP) authentication for this peer. No "crypto ikev1 policy"
! appears in this fragment; Main Mode below is decided by that policy,
! not by the crypto map.
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key MyKeyHere!!
 peer-id-validate nocheck
 isakmp keepalive disable

! Crypto ACL: traffic selectors (proxy IDs) for the tunnel
access-list outside_cryptomap_2 extended permit ip object-group INTERNAL_NETWORKS 172.30.0.0 255.255.252.0

! Phase 2 (IPsec) settings: PFS group 1 (768-bit MODP) and a broad list of
! transform-sets. Only evaluated once Main Mode has completed.
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer 2.2.2.2
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

! Permit the peer inbound on the outside interface
access-list outside_access_in extended permit object-group ip_udp_tcp_icmp host 2.2.2.2 any

debug crypto engine enabled at level 127
debug crypto ikev1 enabled at level 127

CTM ERROR: Invalid input parameters, ctm_get_scb_prot_stats:1565
CTM ERROR: Invalid input parameters, ctm_get_scb_prot_stats:1565
CTM ERROR: Invalid input parameters, ctm_get_scb_prot_stats:1565
CTM ERROR: Invalid input parameters, ctm_get_scb_prot_stats:1565
Jan 28 13:38:11 [IKEv1]IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 272
Jan 28 13:38:11 [IKEv1 DEBUG]IP = 2.2.2.2, processing SA payload
Jan 28 13:38:11 [IKEv1]IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 164
Jan 28 13:38:11 [IKEv1 DEBUG]IP = 2.2.2.2, All SA proposals found unacceptable
Jan 28 13:38:11 [IKEv1]IP = 2.2.2.2, Error processing payload: Payload ID: 1
Jan 28 13:38:11 [IKEv1 DEBUG]IP = 2.2.2.2, IKE MM Responder FSM error history (struct &0x785729d8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
Jan 28 13:38:11 [IKEv1 DEBUG]IP = 2.2.2.2, IKE SA MM:e79f27a0 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Jan 28 13:38:11 [IKEv1 DEBUG]IP = 2.2.2.2, sending delete/delete with reason message
CTM ERROR: Invalid input parameters, ctm_get_scb_prot_stats:1565
CTM ERROR: Invalid input parameters, ctm_get_scb_prot_stats:1565
Jan 28 13:38:50 [IKEv1]IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 272
Jan 28 13:38:50 [IKEv1 DEBUG]IP = 2.2.2.2, processing SA payload
Jan 28 13:38:50 [IKEv1]IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 164
Jan 28 13:38:50 [IKEv1 DEBUG]IP = 2.2.2.2, All SA proposals found unacceptable
Jan 28 13:38:50 [IKEv1]IP = 2.2.2.2, Error processing payload: Payload ID: 1
Jan 28 13:38:50 [IKEv1 DEBUG]IP = 2.2.2.2, IKE MM Responder FSM error history (struct &0x762c9810)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
Jan 28 13:38:50 [IKEv1 DEBUG]IP = 2.2.2.2, IKE SA MM:94681887 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Jan 28 13:38:50 [IKEv1 DEBUG]IP = 2.2.2.2, sending delete/delete with reason message
CTM ERROR: Invalid input parameters, ctm_get_scb_prot_stats:1565
CTM ERROR: Invalid input parameters, ctm_get_scb_prot_stats:1565
CTM ERROR: Invalid input parameters, ctm_get_scb_prot_stats:1565




XG 230 -

 System >> VPN >> IPsec >>
connection type = site to site
policy = defaultbranchoffice
action on vpn restart = initiate
auth type = preshared key
local = port 2 2.2.2.2 / remote = 1.1.1.1
ipv4
local subnet = any
local id = ip address 2.2.2.2

/var/tslog/ipsec.log:

Jan 28 13:32:50 "MYASA-1" #32: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Jan 28 13:32:50 "MYASA-1" #32: starting keying attempt 2 of an unlimited number
Jan 28 13:32:50 "MYASA-1" #33: initiating Main Mode to replace #32

Jan 28 13:33:20 packet from 1.1.1.1:500: received and ignored informational message
Jan 28 13:33:40 pending Quick Mode with 1.1.1.1 "MYASA-1" took too long -- replacing phase 1
Jan 28 13:33:40 "MYASA-1" #34: initiating Main Mode to replace #33
Jan 28 13:33:40 packet from 1.1.1.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan 28 13:33:40 packet from 1.1.1.1:500: received and ignored informational message
Jan 28 13:33:50 packet from 1.1.1.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan 28 13:33:50 packet from 1.1.1.1:500: received and ignored informational message
Jan 28 13:34:10 packet from 1.1.1.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan 28 13:34:10 packet from 1.1.1.1:500: received and ignored informational message
Jan 28 13:34:50 packet from 1.1.1.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan 28 13:34:50 packet from 1.1.1.1:500: received and ignored informational message
Jan 28 13:35:30 packet from 1.1.1.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan 28 13:35:30 packet from 1.1.1.1:500: received and ignored informational message
Jan 28 13:36:10 packet from 1.1.1.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan 28 13:36:10 packet from 1.1.1.1:500: received and ignored informational message
Jan 28 13:36:50 packet from 1.1.1.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan 28 13:36:50 packet from 1.1.1.1:500: received and ignored informational message
Jan 28 13:37:30 packet from 1.1.1.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan 28 13:37:30 packet from 1.1.1.1:500: received and ignored informational message
Jan 28 13:38:11 packet from 1.1.1.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan 28 13:38:11 packet from 1.1.1.1:500: received and ignored informational message
Jan 28 13:38:50 packet from 1.1.1.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan 28 13:38:50 packet from 1.1.1.1:500: received and ignored informational message
Jan 28 13:39:30 packet from 1.1.1.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan 28 13:39:30 packet from 1.1.1.1:500: received and ignored informational message
Jan 28 13:40:10 packet from 1.1.1.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan 28 13:40:10 packet from 1.1.1.1:500: received and ignored informational message
Jan 28 13:40:50 packet from 1.1.1.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan 28 13:40:50 packet from 1.1.1.1:500: received and ignored informational message
Jan 28 13:41:30 packet from 1.1.1.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan 28 13:41:30 packet from 1.1.1.1:500: received and ignored informational message





System > Diagnostics > Log Viewer (IPsec), newest first:

Time                 Component  Status      User  Message                                                            Msg ID
2016-01-28 13:43:30  IPsec      SUCCESSFUL  -     EST-P1: Peer did not accept any proposal sent                      17853
2016-01-28 13:42:50  IPsec      SUCCESSFUL  -     EST-P1: Peer did not accept any proposal sent                      17853
2016-01-28 13:42:10  IPsec      SUCCESSFUL  -     EST-P1: Peer did not accept any proposal sent                      17853
2016-01-28 13:41:30  IPsec      SUCCESSFUL  -     EST-P1: Peer did not accept any proposal sent                      17853
2016-01-28 13:40:50  IPsec      SUCCESSFUL  -     EST-P1: Peer did not accept any proposal sent                      17853
2016-01-28 13:40:10  IPsec      SUCCESSFUL  -     EST-P1: Peer did not accept any proposal sent                      17853
2016-01-28 13:39:30  IPsec      SUCCESSFUL  -     EST-P1: Peer did not accept any proposal sent                      17853
2016-01-28 13:38:50  IPsec      SUCCESSFUL  -     EST-P1: Peer did not accept any proposal sent                      17853
2016-01-28 13:38:11  IPsec      SUCCESSFUL  -     EST-P1: Peer did not accept any proposal sent                      17853
2016-01-28 13:37:30  IPsec      SUCCESSFUL  -     EST-P1: Peer did not accept any proposal sent                      17853
2016-01-28 13:36:50  IPsec      SUCCESSFUL  -     EST-P1: Peer did not accept any proposal sent                      17853
2016-01-28 13:36:10  IPsec      SUCCESSFUL  -     EST-P1: Peer did not accept any proposal sent                      17853
2016-01-28 13:35:30  IPsec      SUCCESSFUL  -     EST-P1: Peer did not accept any proposal sent                      17853
2016-01-28 13:34:50  IPsec      SUCCESSFUL  -     EST-P1: Peer did not accept any proposal sent                      17853
2016-01-28 13:34:10  IPsec      SUCCESSFUL  -     EST-P1: Peer did not accept any proposal sent                      17853
2016-01-28 13:33:50  IPsec      SUCCESSFUL  -     EST-P1: Peer did not accept any proposal sent                      17853
2016-01-28 13:33:40  IPsec      SUCCESSFUL  -     EST-P1: Peer did not accept any proposal sent                      17853
2016-01-28 13:33:40  IPsec      SUCCESSFUL  -     "MYASA-1" SA-MGT: Initiating rekeying of connection's main mode SA 33  17884
2016-01-28 13:33:40  IPsec      SUCCESSFUL  -     "MYASA-1" SA-MGT: Phase1 SA is being re-keyed                      17886
2016-01-28 13:33:20  IPsec      SUCCESSFUL  -     EST-P1: Peer did not accept any proposal sent                      17853
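The ASA debug and the XG ipsec.log above are the same event seen from both ends: the ASA, as responder, rejects every Main Mode SA proposal and answers with NO_PROPOSAL_CHOSEN; the XG, as initiator, logs the rejection, retransmits, and never gets as far as Quick Mode. The Python below is an added example, not part of the original post and not a Cisco or Sophos tool: it runs a small rule table over log lines copied from the post (plus two ASA Quick Mode debug messages that are not in this thread, so a phase 2 failure is recognised too) and reports which phase failed and what to compare next. The rule wording is taken from the logs; the cause and verdict names are mine.

```python
import re
from collections import Counter

# Rule table: (regex, cause). ASA wording is from its IKEv1 debug, XG
# wording from its pluto-style /var/tslog/ipsec.log and Log Viewer. The two
# rules marked "(not in this thread)" are ASA Quick Mode debug messages
# added so a phase 2 failure is recognised too.
RULES = [
    (re.compile(r"All SA proposals found unacceptable"), "asa_rejected_ike_sa_proposals"),
    (re.compile(r"IKE MM Responder FSM error history"), "asa_main_mode_aborted"),
    (re.compile(r"All IPSec SA proposals found unacceptable"), "asa_rejected_ipsec_sa_proposals"),  # (not in this thread)
    (re.compile(r"IKE QM Responder FSM error history"), "asa_quick_mode_aborted"),  # (not in this thread)
    (re.compile(r"STATE_MAIN_I1\.\s+No response \(or no acceptable response\)"), "xg_no_usable_reply_in_main_mode"),
    (re.compile(r"ignoring informational payload, type NO_PROPOSAL_CHOSEN"), "xg_received_no_proposal_chosen"),
    (re.compile(r"EST-P1: Peer did not accept any proposal sent"), "xg_phase1_proposals_rejected"),
    (re.compile(r"pending Quick Mode .* took too long -- replacing phase 1"), "xg_quick_mode_never_started"),
]

# NO_PROPOSAL_CHOSEN is sent for both phases, so on its own it does not
# pin down the phase; the other causes do.
PHASE1_REJECT = {"asa_rejected_ike_sa_proposals", "xg_phase1_proposals_rejected"}
PHASE1_ANY = PHASE1_REJECT | {"asa_main_mode_aborted", "xg_no_usable_reply_in_main_mode",
                              "xg_quick_mode_never_started"}
PHASE2_ANY = {"asa_rejected_ipsec_sa_proposals", "asa_quick_mode_aborted"}
NPC = "xg_received_no_proposal_chosen"


def triage(lines):
    """Return {'verdict', 'next_check', 'evidence'} for a mixed bag of ASA
    debug and XG ipsec.log lines. Lines matching no rule (CTM ERROR noise,
    IKE_DECODE payload dumps) are ignored."""
    evidence = Counter()
    for line in lines:
        for rx, cause in RULES:
            if rx.search(line):
                evidence[cause] += 1
    causes = set(evidence)
    if causes & PHASE1_REJECT or (NPC in causes and causes & PHASE1_ANY):
        verdict = "phase1_proposal_mismatch"
        nxt = ("Align the ISAKMP policy, not the crypto map: ASA 'crypto ikev1 policy' "
               "(encryption, hash, group, authentication, lifetime) vs. XG IPsec policy phase 1.")
    elif causes & PHASE2_ANY:
        verdict = "phase2_proposal_mismatch"
        nxt = ("Phase 1 completed; compare ASA transform-set and PFS group with XG phase 2, "
               "and the crypto ACL with the XG local/remote subnets.")
    elif NPC in causes:
        verdict = "proposal_rejected_phase_unknown"
        nxt = "Peer rejected a proposal; collect the responder's debug to see whether MM or QM failed."
    elif causes & PHASE1_ANY:
        verdict = "phase1_no_usable_reply"
        nxt = ("Main Mode never completed and no rejection was seen: check UDP/500 reachability "
               "(UDP/4500 if NAT-T), then the responder's debug.")
    else:
        verdict = "no_ike_failure_signature"
        nxt = "No known IKE failure text matched."
    return {"verdict": verdict, "next_check": nxt, "evidence": dict(evidence)}


# Sample input copied from the post above (cut down to the relevant lines).
ASA_DEBUG = [
    "CTM ERROR: Invalid input parameters, ctm_get_scb_prot_stats:1565",
    "Jan 28 13:38:11 [IKEv1 DEBUG]IP = 2.2.2.2, processing SA payload",
    "Jan 28 13:38:11 [IKEv1]IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 164",
    "Jan 28 13:38:11 [IKEv1 DEBUG]IP = 2.2.2.2, All SA proposals found unacceptable",
    "Jan 28 13:38:11 [IKEv1 DEBUG]IP = 2.2.2.2, IKE MM Responder FSM error history (struct &0x785729d8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG",
]
XG_LOG = [
    'Jan 28 13:32:50 "MYASA-1" #32: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message',
    'Jan 28 13:33:40 pending Quick Mode with 1.1.1.1 "MYASA-1" took too long -- replacing phase 1',
    "Jan 28 13:33:40 packet from 1.1.1.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN",
    "EST-P1: Peer did not accept any proposal sent",
]

if __name__ == "__main__":
    for name, sample in (("ASA", ASA_DEBUG), ("XG", XG_LOG), ("both", ASA_DEBUG + XG_LOG)):
        r = triage(sample)
        print(f"{name:>4}: {r['verdict']}  evidence={r['evidence']}")
        print("      next:", r["next_check"])
```

Either side's log on its own is enough to reach the phase 1 verdict here; the point of taking both is that the ASA's "All SA proposals found unacceptable" names the responder's decision, while the XG's STATE_MAIN_I1 retransmission alone would also fit a plain UDP/500 reachability problem.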



  • Successfully connected after further review. For future reference, these were the settings that worked:


    ASA:

    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

    crypto map outside_map 2 match address outside_cryptomap_2
    crypto map outside_map 2 set pfs (default is group 2 @ 1024)
    crypto map outside_map 2 set peer 2.2.2.2
    crypto map outside_map 2 set ikev1 transform-set ESP-AES-256-SHA

    crypto ikev1 policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400


    tunnel-group 2.2.2.2 type ipsec-l2l
    tunnel-group 2.2.2.2 ipsec-attributes
    ikev1 pre-shared-key *****
    peer-id-validate nocheck
    isakmp keepalive disable


    access-list outside_cryptomap_2 extended permit ip object-group private_networks 172.30.0.0 255.255.252.0

    access-list outside_access_in extended permit object-group ip_udp_tcp_icmp host 2.2.2.2 any





    XG system >> vpn >> ipsec:
    connection type: site to site
    action on restart - initiate
    endpoints details - local : 2.2.2.2 / remote: 1.1.1.1
    nat traversal disabled
    local id - ip address 2.2.2.2
    remote id - ip address 1.1.1.1


    ipsec policy:
    allow rekeying
    main mode

    phase 1 -
    aes256 / sha1
    dh group - 2 DH1024
    key life 86400
    rekey margin 120

    phase 2
    aes256 / sha1
    pfs group 2 dh1024
    key life 86400
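Why the settings in the reply above work, as an added example that is not from the post and not vendor code: a model of IKEv1 Main Mode proposal selection. The responder walks its ISAKMP policies in priority order and accepts the first initiator proposal whose encryption, hash, DH group and authentication method all match; lifetime is taken as the shorter of the two, which is how Cisco documents the ASA (the XG side is assumed here to behave the same). The working pair from the reply (aes256 / sha1 / DH group 2 / PSK / 86400 on both ends) is accepted. The "before" ASA policies are a constructed assumption: the thread shows neither the ASA's original crypto ikev1 policies nor what the XG defaultbranchoffice policy proposes, so they exist only to reproduce NO_PROPOSAL_CHOSEN and show which attribute has no overlap. A strength check is included because DH group 2 and SHA-1 negotiate fine but are weak by current standards.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Phase1Proposal:
    """One IKEv1 phase 1 (ISAKMP) proposal or policy."""
    encryption: str   # "aes-256", "aes-128", "3des", "des"
    hash_alg: str     # "sha1", "md5"
    dh_group: int     # 1, 2, 5, 14, ...
    auth: str         # "psk", "rsa-sig"
    lifetime: int     # seconds


MATCH_FIELDS = ("encryption", "hash_alg", "dh_group", "auth")


def negotiate_phase1(initiator_offers, responder_policies):
    """Model of IKEv1 Main Mode SA selection.

    The initiator sends all its proposals in one SA payload. The responder
    walks its own policies in priority order (ASA: lowest policy number
    first) and accepts the first initiator proposal whose encryption, hash,
    DH group and authentication method all match. Lifetime is not a match
    criterion here: the shorter of the two is used, which is how Cisco
    documents the ASA; the XG side is assumed to behave the same.
    Returns (agreed proposal or None, reason)."""
    for policy in responder_policies:
        for offer in initiator_offers:
            if all(getattr(offer, f) == getattr(policy, f) for f in MATCH_FIELDS):
                agreed = replace(offer, lifetime=min(offer.lifetime, policy.lifetime))
                return agreed, "accepted"
    return None, "NO_PROPOSAL_CHOSEN"


def explain_mismatch(initiator_offers, responder_policies):
    """For each attribute with no common value at all, list offered vs.
    accepted values. An empty result with a failed negotiation means every
    attribute overlaps somewhere but no single proposal lines up (e.g.
    aes-256 offered only with group 14, accepted only with group 2)."""
    out = {}
    for f in MATCH_FIELDS:
        offered = {getattr(p, f) for p in initiator_offers}
        accepted = {getattr(p, f) for p in responder_policies}
        if not offered & accepted:
            out[f] = {"offered": sorted(offered, key=str), "accepted": sorted(accepted, key=str)}
    return out


def strength_warnings(p):
    """Settings that negotiate fine but are weak by current standards."""
    w = []
    if p.dh_group in (1, 2):
        bits = 768 if p.dh_group == 1 else 1024
        w.append(f"DH group {p.dh_group} is {bits}-bit MODP; prefer group 14 or higher")
    if p.hash_alg == "md5":
        w.append("MD5 integrity; prefer sha256")
    elif p.hash_alg == "sha1":
        w.append("SHA-1 integrity; prefer sha256 where both peers support it")
    if p.encryption in ("des", "3des"):
        w.append(f"{p.encryption} encryption; prefer aes-256")
    return w


# Working pair from the reply above: aes256 / sha1 / DH group 2 / PSK / 86400 s on both sides.
XG_PHASE1_WORKING = [Phase1Proposal("aes-256", "sha1", 2, "psk", 86400)]
ASA_IKEV1_POLICY_10 = [Phase1Proposal("aes-256", "sha1", 2, "psk", 86400)]

# Constructed "before" state. The thread shows neither the ASA's original
# crypto ikev1 policies nor what the XG defaultbranchoffice policy proposes,
# so these two policies are an assumption used only to reproduce a
# NO_PROPOSAL_CHOSEN outcome in the model.
ASA_IKEV1_POLICIES_ASSUMED_BEFORE = [
    Phase1Proposal("3des", "sha1", 2, "psk", 86400),
    Phase1Proposal("aes-128", "sha1", 5, "psk", 86400),
]


def run():
    agreed, why = negotiate_phase1(XG_PHASE1_WORKING, ASA_IKEV1_POLICY_10)
    print("after fix :", why, agreed, strength_warnings(agreed))
    failed, why2 = negotiate_phase1(XG_PHASE1_WORKING, ASA_IKEV1_POLICIES_ASSUMED_BEFORE)
    print("before fix:", why2, explain_mismatch(XG_PHASE1_WORKING, ASA_IKEV1_POLICIES_ASSUMED_BEFORE))
    return agreed, failed


if __name__ == "__main__":
    run()
```

The original post's ASA fragment only shows phase 2 material (crypto map, transform-sets, PFS), which this model never consults: Quick Mode is not reached until a Main Mode proposal has been accepted, so the ten transform-sets listed there could not have helped.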
