[GUIDE] VPN ASA - m0n0wall issue [SOLVED!]



  • Hi guys...

    We have solved the problem, and we are posting our configuration in the hope that it can help you.


    TOPOLOGY:


    Monowall configuration:


    ASA configuration:

    conf t
    hostname ASA
    end

    conf t
    interface Ethernet 0/0
    nameif inside
    security-level 100
    ip address 172.16.201.1 255.255.255.0
    no shutdown
    end

    conf t
    interface Ethernet 0/1
    nameif outside
    security-level 0
    ip address e.f.g.h 255.255.255.0     
    no shutdown
    end

    ! STEP 1: enable isakmp
    configure terminal
    isakmp enable outside
    end

    ! STEP 2: create the isakmp policy
    configure terminal
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    end

    ! STEP 3: set the tunnel type
    configure terminal
    tunnel-group a.b.c.d type ipsec-l2l
    end

    ! STEP 4: configure isakmp pre-shared key
    configure terminal
    tunnel-group a.b.c.d ipsec-attributes
    pre-shared-key PASSWORD
    end

    ! STEP 5: define IPSec policy
    configure terminal
    crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
    end

    ! STEP 6: specify interesting traffic
    configure terminal
    access-list encrypt-acl extended permit ip 172.16.201.0 255.255.255.0 172.16.200.0 255.255.255.0
    management-access inside
    end

    ! STEP 7: configure a crypto map
    configure terminal
    crypto map IPsec_map 10 set peer a.b.c.d
    crypto map IPsec_map 10 set transform-set MYSET
    crypto map IPsec_map 10 match address encrypt-acl
    end

    ! STEP 8: apply the crypto map to an interface
    configure terminal
    crypto map IPsec_map interface outside
    end

    ! STEP 9: configuring traffic filtering
    configure terminal
    sysopt connection permit-ipsec
    end

    ! STEP 10: bypassing NAT (optional)
    configure terminal
    access-list nonat extended permit ip 172.16.201.0 255.255.255.0 172.16.200.0 255.255.255.0
    nat (inside) 0 access-list nonat
    end

    ! STEP 11: default static route, for Internet
    configure terminal
    route outside 0.0.0.0 0.0.0.0 e.f.g.h
    nat-control
    end


    OLD POST

    Hi guys,
    We have a little problem...
    We would like to set up a Site-to-Site VPN between 2 remote intranets.
    To accomplish this, we have:
    1 ASA 5510
    1 m0n0wall v.12x

    The Topology

    We have tried a billion solutions but we always get the same problem: IKE Phase 1 fails  :wacko:

    Configuration of ASA


    conf t
    hostname ASA
    end
    conf t
    interface Ethernet 0/0
    nameif inside
    security-level 100
    ip address 172.16.201.1 255.255.255.0
    no shutdown
    end
    conf t
    interface Ethernet 0/1
    nameif outside
    security-level 0
    ip address e.f.g.h 255.255.255.0   
    no shutdown
    end
    ! STEP 1: enable isakmp
    configure terminal
    isakmp enable outside
    end
    ! STEP 2: create the isakmp policy
    configure terminal
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    end
    ! STEP 3: set the tunnel type
    configure terminal
    tunnel-group a.b.c.d type ipsec-l2l
    end
    ! STEP 4: configure isakmp pre-shared key
    configure terminal
    tunnel-group a.b.c.d ipsec-attributes
    pre-shared-key CiscoASAProva
    end
    ! STEP 5: define IPSec policy
    configure terminal
    crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
    end
    ! STEP 6: specify interesting traffic
    configure terminal
    access-list encrypt-acl extended permit ip 172.16.201.0 255.255.255.0 172.16.200.0 255.255.255.0
    management-access inside
    end
    ! STEP 7: configure a crypto map
    configure terminal
    crypto map IPsec_map 10 set peer a.b.c.d
    crypto map IPsec_map 10 set transform-set MYSET
    crypto map IPsec_map 10 match address encrypt-acl
    crypto map IPSec_map 10 set pfs group2
    end
    ! STEP 8: apply the crypto map to an interface
    configure terminal
    crypto map IPsec_map interface outside
    end
    ! STEP 9: configuring traffic filtering
    configure terminal
    sysopt connection permit-ipsec
    end
    ! STEP 10: bypassing NAT (optional)
    configure terminal
    access-list nonat extended permit ip 172.16.201.0 255.255.255.0 172.16.200.0 255.255.255.0
    nat (inside) 0 access-list nonat
    end
    ! ROUTE (is it necessary?)
    route outside 0.0.0.0 0.0.0.0 a.b.c.d


    MONOWALL config


    If we try a connection from a host on the 172.16.200.0 network to a host on the 172.16.201.0 network, and we use these debug commands:
    debug crypto isakmp 127
    debug crypto ipsec 127

    We obtain:
    Nov 04 13:39:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Nov 04 13:39:14 [IKEv1]: IP = a.b.c.d, IKE Initiator: New Phase 1, Intf inside, IKE Peer a.b.c.d local Proxy Address 172.16.201.0, remote Proxy Address 172.16.200.0, Crypto map (IPsec_map)
    Nov 04 13:39:14 [IKEv1 DEBUG]: IP = a.b.c.d, constructing ISAKMP SA payload
    Nov 04 13:39:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Nov 04 13:39:17 [IKEv1]: IP = a.b.c.d, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    ) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
    Nov 04 13:39:23 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Nov 04 13:39:23 [IKEv1]: IP = a.b.c.d, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Nov 04 13:39:30 [IKEv1]: IP = a.b.c.d, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
    Nov 04 13:39:38 [IKEv1]: IP = a.b.c.d, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
    Nov 04 13:39:46 [IKEv1 DEBUG]: IP = a.b.c.d, IKE MM Initiator FSM error history (struct &0xd45b3710)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
    Nov 04 13:39:46 [IKEv1 DEBUG]: IP = a.b.c.d, IKE SA MM:425d539b terminating:  flags 0x01000022, refcnt 0, tuncnt 0
    Nov 04 13:39:46 [IKEv1 DEBUG]: IP = a.b.c.d, sending delete/delete with reason message
    Nov 04 13:39:46 [IKEv1]: IP = a.b.c.d, Removing peer from peer table failed, no match!
    Nov 04 13:39:46 [IKEv1]: IP = a.b.c.d, Error: Unable to remove PeerTblEntry


    Please help us...
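    Since the root cause in this thread turned out to be a peer address that did not match between the two gateways, a cheap way to catch that class of mistake is to parse the ASA side and compare it with what was entered on the other gateway before reading IKE debugs. The Python script below is an added example and is not code from this thread, from Cisco or from m0n0wall. ASA_CONFIG is the tunnel-relevant part of the solved configuration above; MONOWALL_SIDE is a constructed stand-in for the m0n0wall screenshot (which is not reproduced here), and parse_asa, check_tunnel and the field names are assumptions made for the example. It also flags the `crypto map IPSec_map 10 set pfs group2` line from the old post, whose capitalisation does not match the map bound to the outside interface.

```python
"""Cross-check an ASA ipsec-l2l configuration against what the remote gateway
(here a m0n0wall) was configured with, so a mismatched peer address, ACL,
proposal or crypto-map name is caught before staring at IKE debugs."""
import re
from collections import defaultdict

# Constructed sample: the solved ASA configuration from the thread, tunnel-relevant lines only.
ASA_CONFIG = """
interface Ethernet 0/1
nameif outside
ip address e.f.g.h 255.255.255.0
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group a.b.c.d type ipsec-l2l
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
access-list encrypt-acl extended permit ip 172.16.201.0 255.255.255.0 172.16.200.0 255.255.255.0
crypto map IPsec_map 10 set peer a.b.c.d
crypto map IPsec_map 10 set transform-set MYSET
crypto map IPsec_map 10 match address encrypt-acl
crypto map IPsec_map interface outside
"""

# Hypothetical m0n0wall side (constructed, the thread's screenshot is not available):
# what the remote gateway believes about itself, about us, and which proposals it offers.
MONOWALL_SIDE = {
    "local_gateway": "a.b.c.d",                        # m0n0wall WAN address = the ASA's peer
    "remote_gateway": "e.f.g.h",                       # the ASA outside address it will talk to
    "local_subnet": ("172.16.200.0", "255.255.255.0"),
    "remote_subnet": ("172.16.201.0", "255.255.255.0"),
    "phase1": {"authentication": "pre-share", "encryption": "3des", "hash": "md5", "group": "2"},
    "phase2": "esp-3des esp-md5-hmac",
}

def parse_asa(config):
    """Extract the fields an ipsec-l2l tunnel depends on from ASA CLI text."""
    asa = {"interfaces": {}, "isakmp": defaultdict(dict), "tunnel_groups": set(),
           "transform_sets": {}, "acls": defaultdict(list),
           "crypto_maps": defaultdict(dict), "map_interfaces": {}}
    cur_if = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"interface (\S+ ?\S*)$", line):
            cur_if = asa["interfaces"].setdefault(m.group(1), {"name": None, "ip": None})
        elif (m := re.match(r"nameif (\S+)", line)) and cur_if is not None:
            cur_if["name"] = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and cur_if is not None:
            cur_if["ip"] = m.group(1)
        elif m := re.match(r"isakmp policy (\d+) (\S+) (\S+)", line):
            asa["isakmp"][m.group(1)][m.group(2)] = m.group(3)
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            asa["tunnel_groups"].add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            asa["transform_sets"][m.group(1)] = m.group(2)
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            asa["acls"][m.group(1)].append(m.groups()[1:])          # (src, smask, dst, dmask)
        elif m := re.match(r"crypto map (\S+) (\d+) (set peer|set transform-set|set pfs|match address) (\S+)", line):
            asa["crypto_maps"][(m.group(1), m.group(2))][m.group(3)] = m.group(4)
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            asa["map_interfaces"][m.group(1)] = m.group(2)
    return asa

def check_tunnel(asa, remote):
    """Return findings as strings; an empty list means both sides agree on every parameter."""
    findings = []
    outside = next((i for i in asa["interfaces"].values() if i["name"] == "outside"), None)
    if outside is None or outside["ip"] != remote["remote_gateway"]:
        findings.append(f"remote expects us at {remote['remote_gateway']} but outside is {outside and outside['ip']}")
    for (name, seq), entry in sorted(asa["crypto_maps"].items()):
        where = f"crypto map {name} {seq}"
        if name not in asa["map_interfaces"]:       # ASA map names are case-sensitive: IPSec_map != IPsec_map
            findings.append(f"{where}: map name is not bound to any interface, so this entry is inert")
            continue
        peer = entry.get("set peer")
        if peer != remote["local_gateway"]:
            findings.append(f"{where}: peer {peer} is not the remote gateway {remote['local_gateway']}")
        if peer not in asa["tunnel_groups"]:
            findings.append(f"{where}: no 'tunnel-group {peer} type ipsec-l2l' (hence no pre-shared key) for this peer")
        ts = entry.get("set transform-set")
        if asa["transform_sets"].get(ts) != remote["phase2"]:
            findings.append(f"{where}: transform-set {ts} does not match remote phase 2 {remote['phase2']}")
        acl = entry.get("match address")
        mirror = remote["remote_subnet"] + remote["local_subnet"]   # our local -> their local
        if mirror not in asa["acls"].get(acl, []):
            findings.append(f"{where}: ACL {acl} lacks the mirror image of the remote policy {mirror}")
    if not any(all(pol.get(k) == v for k, v in remote["phase1"].items()) for pol in asa["isakmp"].values()):
        findings.append(f"no isakmp policy matches the remote phase 1 proposal {remote['phase1']}")
    return findings

if __name__ == "__main__":
    for finding in check_tunnel(parse_asa(ASA_CONFIG), MONOWALL_SIDE) or ["both sides agree"]:
        print(finding)
```

    Feed it the real `show running-config` text and the values from the other gateway's VPN page; any finding is something to fix on one side before touching debug levels.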



  • Why don't you give someone on the m0n0wall forums a few days to answer before crossposting here?



  • Kill PFS on the ASA and enter the following command.

    nat-control

    Let us know how it goes after that.  Please post what you have actually entered into the ASA as the post only describes monowall's howto for PIX firewalls.  Please attach any log information from the ASA regarding IPSEC/ISAKMP.

    Thanks.

    Curtis
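    Curtis asks for the ISAKMP log output, and the debug lines in the original post already show where phase 1 stops. The Python script below is an added example, not code from this thread: it reads IKEv1 debug lines (SAMPLE_DEBUG is the post's own output with the console text that the copy interleaved into it removed), counts how often main-mode message 1 was resent, pulls the state in which the initiator timed out from the FSM error history, and maps that state to the usual cause. STATE_HINTS and the function names are assumptions written for this example.

```python
"""Triage ASA 'debug crypto isakmp' output for a site-to-site tunnel that never
gets past IKEv1 phase 1: which peer, how many resends, and in which main-mode
state the initiator gave up."""
import re
from collections import defaultdict

# Constructed sample: the debug lines from the original post, with the console
# text the copy interleaved into them removed. Content is otherwise the same.
SAMPLE_DEBUG = """\
Nov 04 13:39:14 [IKEv1]: IP = a.b.c.d, IKE Initiator: New Phase 1, Intf inside, IKE Peer a.b.c.d local Proxy Address 172.16.201.0, remote Proxy Address 172.16.200.0, Crypto map (IPsec_map)
Nov 04 13:39:14 [IKEv1 DEBUG]: IP = a.b.c.d, constructing ISAKMP SA payload
Nov 04 13:39:17 [IKEv1]: IP = a.b.c.d, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 04 13:39:30 [IKEv1]: IP = a.b.c.d, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
Nov 04 13:39:38 [IKEv1]: IP = a.b.c.d, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
Nov 04 13:39:46 [IKEv1 DEBUG]: IP = a.b.c.d, IKE MM Initiator FSM error history (struct &0xd45b3710)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 04 13:39:46 [IKEv1 DEBUG]: IP = a.b.c.d, IKE SA MM:425d539b terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Nov 04 13:39:46 [IKEv1]: IP = a.b.c.d, Removing peer from peer table failed, no match!
"""

PEER_RE = re.compile(r"IP = (\S+)\s*,")
TIMEOUT_STATE_RE = re.compile(r"(MM_\w+), EV_TIMEOUT")

# Assumed mapping written for this example: the general IKEv1 main-mode meaning of
# the state the initiator was waiting in when its retransmit timer expired.
STATE_HINTS = {
    "MM_WAIT_MSG2": ("our SA proposal (MM1) was never answered, the peer did not reply at all: "
                     "check that each gateway is configured with the other's real address, that "
                     "UDP/500 reaches the peer, and that the peer has a phase 1 entry for our address"),
    "MM_WAIT_MSG4": "the peer answered MM1 but not the key exchange (MM3): look at the peer's phase 1 log",
    "MM_WAIT_MSG6": "the peer stopped at the authentication step: a pre-shared key mismatch is the usual cause",
}

def triage_ikev1(debug_text):
    """Return {peer: summary} built from the debug lines, one summary per peer address."""
    peers = defaultdict(lambda: {"initiator": False, "resends": 0, "stuck_in": None, "terminated": False})
    for line in debug_text.splitlines():
        m = PEER_RE.search(line)
        if not m:
            continue                   # lines without a peer address (e.g. Pitcher) add nothing here
        rec = peers[m.group(1)]
        if "IKE Initiator: New Phase 1" in line:
            rec["initiator"] = True
        elif "RESENDING Message (msgid=0)" in line:
            rec["resends"] += 1        # each resend is one more unanswered MM1
        elif "FSM error history" in line:
            t = TIMEOUT_STATE_RE.search(line)
            rec["stuck_in"] = t.group(1) if t else None
        elif "terminating" in line:
            rec["terminated"] = True   # the "Removing peer ... failed" lines after this are cleanup, not the cause
    for peer, rec in peers.items():
        rec["peer"] = peer
        rec["diagnosis"] = STATE_HINTS.get(rec["stuck_in"], "no timeout recorded; read the full FSM history")
    return dict(peers)

if __name__ == "__main__":
    for rec in triage_ikev1(SAMPLE_DEBUG).values():
        print(f"{rec['peer']}: {rec['resends']} resend(s), stuck in {rec['stuck_in']} -> {rec['diagnosis']}")
```

    On the post's output this reports two unanswered resends and a timeout in MM_WAIT_MSG2, i.e. the m0n0wall never replied to the first main-mode message, which is consistent with the peer address mistake the thread ends with.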



  • So what was the actual fix?



  • @clamasters:

    So what was the actual fix?

    We had put a wrong IP for the peer in the Monowall configuration :)



  • Hi,

    I cannot see the configuration image of the monowall.
    I would be very happy to see it...

    Best regards
    Martin

