[GUIDE]vpn asa - monowall issue [SOLVED!!!!!!!!!!!!!!!!!!]

concico

Hi guy…..

We have solved the problem, and we post our configuration and we hope that it can help you.

---

TOPOLOGY:

---

Monowall configuration:

---

ASA configuration:

conf t
hostname ASA
end

conf t
interface Ethernet 0/0
nameif inside
security-level 100
ip address 172.16.201.1 255.255.255.0
no shutdown
end

conf t
interface Ethernet 0/1
nameif outside
security-level 0
ip address e.f.g.h 255.255.255.0     
no shutdown
end

! STEP 1: enable isakmp
configure terminal
isakmp enable outside
end

! STEP 2: create the isakmp policy
configure terminal
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
end

! STEP 3: set the tunnel type
configure terminal
tunnel-group a.b.c.d type ipsec-l2l
end

! STEP 4: configure isakmp pre-shared key
configure terminal
tunnel-group a.b.c.d ipsec-attributes
pre-shared-key PASSWORD
end

! STEP 5: define IPSec policy
configure terminal
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
end

! STEP 6: specify interesting traffic
configure terminal
access-list encrypt-acl extended permit ip 172.16.201.0 255.255.255.0 172.16.200.0 255.255.255.0
management-access inside
end

! STEP 7: configure a crypto map
configure terminal
crypto map IPsec_map 10 set peer a.b.c.d
crypto map IPsec_map 10 set transform-set MYSET
crypto map IPsec_map 10 match address encrypt-acl
end

! STEP 8: apply the crypto map to an interface
configure terminal
crypto map IPsec_map interface outside
end

! STEP 9: configuring traffic filtering
configure terminal
sysopt connection permit-ipsec
end

! STEP 10: bypassing NAT (optional)
configure terminal
access-list nonat extended permit ip 172.16.201.0 255.255.255.0 172.16.200.0 255.255.255.0
nat (inside) 0 access-list nonat
end

! STEP 11: default static route, for Internet
configure terminal
route outside 0.0.0.0 0.0.0.0 e.f.g.h
nat-control
end

---

OLD POST

Hi guys,
WE have a little problem….
we would like to realize a Site-to-Site VPN for 2 remote intranet.
To Accomplish this target, we have:
1 ASA 5510
1 m0n0wall v.12x

The Topology

We have tried 1 bilion of solution but we have always the same problem, the IKE Phase 1 fails  :wacko:

Configuration of ASA

---

conf t
hostname ASA
end
conf t
interface Ethernet 0/0
nameif inside
security-level 100
ip address 172.16.201.1 255.255.255.0
no shutdown
end
conf t
interface Ethernet 0/1
nameif outside
security-level 0
ip address e.f.g.h 255.255.255.0   
no shutdown
end
! STEP 1: enable isakmp
configure terminal
isakmp enable outside
end
! STEP 2: create the isakmp policy
configure terminal
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
end
! STEP 3: set the tunnel type
configure terminal
tunnel-group a.b.c.d type ipsec-l2l
end
! STEP 4: configure isakmp pre-shared key
configure terminal
tunnel-group a.b.c.d ipsec-attributes
pre-shared-key CiscoASAProva
end
! STEP 5: define IPSec policy
configure terminal
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
end
! STEP 6: specify interesting traffic
configure terminal
access-list encrypt-acl extended permit ip 172.16.201.0 255.255.255.0 172.16.200.0 255.255.255.0
management-access inside
end
! STEP 7: configure a crypto map
configure terminal
crypto map IPsec_map 10 set peer a.b.c.d
crypto map IPsec_map 10 set transform-set MYSET
crypto map IPsec_map 10 match address encrypt-acl
crypto map IPSec_map 10 set pfs group2
end
! STEP 8: apply the crypto map to an interface
configure terminal
crypto map IPsec_map interface outside
end
! STEP 9: configuring traffic filtering
configure terminal
sysopt connection permit-ipsec
end
! STEP 10: bypassing NAT (optional)
configure terminal
access-list nonat extended permit ip 172.16.201.0 255.255.255.0 172.16.200.0 255.255.255.0
nat (inside) 0 access-list nonat
end
! ROUTE (is necessary?????)
route outside 0.0.0.0 0.0.0.0 a.b.c.d

---

MONOWALL config

---

If we try a connection between an host on 172.16.200.0 network with an host on 172.16.201.0 network, if we use these debug command:
debug crypto isakmp 127
debug crypto ipsec 127

We obtain:
Nov 04 13:39:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi.and users are responsible for compliance     
ciscoasa> hostname ASA         
0x0   
Nov 04 13:39:14 [IKEv1]: IP = a.b.c.d , IKE Initiator: New Phase 1, Intf insi                       
  product you
ciscoasa> endy with applic         
de, IKE Peer a.b.c.d local Proxy Address 172.16.201.0, remote Proxy Addressunable to comply with U.S.
ciscoasa>       
ciscoasa> conf t               
172.16.200.0,  Crypto map (IPsec_map)d input detected at '^' marker.     
Nov 04 13:39:14 [IKEv1 DEBUG]: IP = a.b.c.d, constructing ISAKMP SA payloadptographic             
          ^         
ERROR: % Invalid input detected
Nov 04 13:39:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0nterface Ethernet 0/0             
Software clause at D
ASA(config-if)# nameif
Nov 04 13:39:17 [IKEv1]: IP = a.b.c.d, Queuing KEY-ACQUIRE messages to be pr
) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE
(0) total length : 148
Nov 04 13:39:23 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 04 13:39:23 [IKEv1]: IP = a.b.c.d, Queuing KEY-ACQUIRE messages to be pr
ocessed when P1 SA is complete.
Nov 04 13:39:30 [IKEv1]: IP = a.b.c.d, IKE_DECODE RESENDING Message (msgid=0
) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE
(0) total length : 148
Nov 04 13:39:38 [IKEv1]: IP = a.b.c.d, IKE_DECODE RESENDING Message (msgid=0
) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE
(0) total length : 148
Nov 04 13:39:46 [IKEv1 DEBUG]: IP = a.b.c.d, IKE MM Initiator FSM error hist
ory (struct &0xd45b3710)  <state>, <event>:  MM_DONE, EV_ERROR–>MM_WAIT_MSG2, E
V_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_S
ND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2,
EV_RETRY
Nov 04 13:39:46 [IKEv1 DEBUG]: IP = a.b.c.d, IKE SA MM:425d539b terminating:
  flags 0x01000022, refcnt 0, tuncnt 0
Nov 04 13:39:46 [IKEv1 DEBUG]: IP = a.b.c.d, sending delete/delete with reas
on message
Nov 04 13:39:46 [IKEv1]: IP = a.b.c.d, Removing peer from peer table failed,
no match!
Nov 04 13:39:46 [IKEv1]: IP = a.b.c.d, Error: Unable to remove PeerTblEntry

---

Please help us…...............</event></state>

dotdash

Why don't you give someone on the m0n0wall forums a few days to answer before crossposting here?

clamasters

Kill PFS on the ASA and enter the following command.

nat-control

Let us know how it goes after that.  Please post what you have actually entered into the ASA as the post only describes monowall's howto for PIX firewalls.  Please attach any log information from the ASA regarding IPSEC/ISAKMP.

Thanks.

Curtis

clamasters

So what was the actual fix?

concico

@clamasters:

So what was the actual fix?

We have put a wrong ip of the peer in the Monowall Configuration :)

martinwa

Hi,

I can not see the configuration image of the monowall.
I you be wary happy to see it…

Best regards
Martin