Netgate Discussion Forum
    [GUIDE] vpn asa - monowall issue [SOLVED!!!!!!!!!!!!!!!!!!]

    IPsec
    concico

      Hi guys...

      We have solved the problem, and we are posting our configuration in the hope that it can help you.


      TOPOLOGY:


      Monowall configuration:


      ASA configuration:

      conf t
      hostname ASA
      end

      conf t
      interface Ethernet 0/0
      nameif inside
      security-level 100
      ip address 172.16.201.1 255.255.255.0
      no shutdown
      end

      conf t
      interface Ethernet 0/1
      nameif outside
      security-level 0
      ip address e.f.g.h 255.255.255.0     
      no shutdown
      end

      ! STEP 1: enable isakmp
      configure terminal
      isakmp enable outside
      end

      ! STEP 2: create the isakmp policy
      configure terminal
      isakmp policy 10 authentication pre-share
      isakmp policy 10 encryption 3des
      isakmp policy 10 hash md5
      isakmp policy 10 group 2
      isakmp policy 10 lifetime 86400
      end

      ! STEP 3: set the tunnel type
      configure terminal
      tunnel-group a.b.c.d type ipsec-l2l
      end

      ! STEP 4: configure isakmp pre-shared key
      configure terminal
      tunnel-group a.b.c.d ipsec-attributes
      pre-shared-key PASSWORD
      end

      ! STEP 5: define IPSec policy
      configure terminal
      crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
      end

      ! STEP 6: specify interesting traffic
      configure terminal
      access-list encrypt-acl extended permit ip 172.16.201.0 255.255.255.0 172.16.200.0 255.255.255.0
      management-access inside
      end

      ! STEP 7: configure a crypto map
      configure terminal
      crypto map IPsec_map 10 set peer a.b.c.d
      crypto map IPsec_map 10 set transform-set MYSET
      crypto map IPsec_map 10 match address encrypt-acl
      end

      ! STEP 8: apply the crypto map to an interface
      configure terminal
      crypto map IPsec_map interface outside
      end

      ! STEP 9: configuring traffic filtering
      configure terminal
      sysopt connection permit-ipsec
      end

      ! STEP 10: bypassing NAT (optional)
      configure terminal
      access-list nonat extended permit ip 172.16.201.0 255.255.255.0 172.16.200.0 255.255.255.0
      nat (inside) 0 access-list nonat
      end

      ! STEP 11: default static route, for Internet
      configure terminal
      route outside 0.0.0.0 0.0.0.0 e.f.g.h
      nat-control
      end


      OLD POST

      Hi guys,
      We have a little problem...
      We would like to set up a Site-to-Site VPN between 2 remote intranets.
      To accomplish this, we have:
      1 ASA 5510
      1 m0n0wall v.12x

      The Topology

      We have tried a billion solutions but we always get the same problem: IKE Phase 1 fails  :wacko:

      Configuration of ASA


      conf t
      hostname ASA
      end
      conf t
      interface Ethernet 0/0
      nameif inside
      security-level 100
      ip address 172.16.201.1 255.255.255.0
      no shutdown
      end
      conf t
      interface Ethernet 0/1
      nameif outside
      security-level 0
      ip address e.f.g.h 255.255.255.0   
      no shutdown
      end
      ! STEP 1: enable isakmp
      configure terminal
      isakmp enable outside
      end
      ! STEP 2: create the isakmp policy
      configure terminal
      isakmp policy 10 authentication pre-share
      isakmp policy 10 encryption 3des
      isakmp policy 10 hash md5
      isakmp policy 10 group 2
      isakmp policy 10 lifetime 86400
      end
      ! STEP 3: set the tunnel type
      configure terminal
      tunnel-group a.b.c.d type ipsec-l2l
      end
      ! STEP 4: configure isakmp pre-shared key
      configure terminal
      tunnel-group a.b.c.d ipsec-attributes
      pre-shared-key CiscoASAProva
      end
      ! STEP 5: define IPSec policy
      configure terminal
      crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
      end
      ! STEP 6: specify interesting traffic
      configure terminal
      access-list encrypt-acl extended permit ip 172.16.201.0 255.255.255.0 172.16.200.0 255.255.255.0
      management-access inside
      end
      ! STEP 7: configure a crypto map
      configure terminal
      crypto map IPsec_map 10 set peer a.b.c.d
      crypto map IPsec_map 10 set transform-set MYSET
      crypto map IPsec_map 10 match address encrypt-acl
      crypto map IPSec_map 10 set pfs group2
      end
      ! STEP 8: apply the crypto map to an interface
      configure terminal
      crypto map IPsec_map interface outside
      end
      ! STEP 9: configuring traffic filtering
      configure terminal
      sysopt connection permit-ipsec
      end
      ! STEP 10: bypassing NAT (optional)
      configure terminal
      access-list nonat extended permit ip 172.16.201.0 255.255.255.0 172.16.200.0 255.255.255.0
      nat (inside) 0 access-list nonat
      end
      ! ROUTE (is it necessary?)
      route outside 0.0.0.0 0.0.0.0 a.b.c.d


      MONOWALL config


      If we try a connection between a host on the 172.16.200.0 network and a host on the 172.16.201.0 network, using these debug commands:
      debug crypto isakmp 127
      debug crypto ipsec 127

      we obtain:
      Nov 04 13:39:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
      Nov 04 13:39:14 [IKEv1]: IP = a.b.c.d, IKE Initiator: New Phase 1, Intf inside, IKE Peer a.b.c.d local Proxy Address 172.16.201.0, remote Proxy Address 172.16.200.0, Crypto map (IPsec_map)
      Nov 04 13:39:14 [IKEv1 DEBUG]: IP = a.b.c.d, constructing ISAKMP SA payload
      Nov 04 13:39:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
      Nov 04 13:39:17 [IKEv1]: IP = a.b.c.d, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
      ) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
      Nov 04 13:39:23 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
      Nov 04 13:39:23 [IKEv1]: IP = a.b.c.d, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
      Nov 04 13:39:30 [IKEv1]: IP = a.b.c.d, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
      Nov 04 13:39:38 [IKEv1]: IP = a.b.c.d, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
      Nov 04 13:39:46 [IKEv1 DEBUG]: IP = a.b.c.d, IKE MM Initiator FSM error history (struct &0xd45b3710)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
      Nov 04 13:39:46 [IKEv1 DEBUG]: IP = a.b.c.d, IKE SA MM:425d539b terminating:  flags 0x01000022, refcnt 0, tuncnt 0
      Nov 04 13:39:46 [IKEv1 DEBUG]: IP = a.b.c.d, sending delete/delete with reason message
      Nov 04 13:39:46 [IKEv1]: IP = a.b.c.d, Removing peer from peer table failed, no match!
      Nov 04 13:39:46 [IKEv1]: IP = a.b.c.d, Error: Unable to remove PeerTblEntry


      Please help us...
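The trace above has a recognisable shape: the ASA sends its first main-mode message, retransmits it (the "RESENDING Message (msgid=0)" lines), never decodes anything back, and the FSM history shows it gave up in MM_WAIT_MSG2. That pattern means the peer never answered at all, which is exactly what a wrong peer address on the other side (the cause found later in this thread), a filtered UDP/500, or ISAKMP being disabled on the peer looks like, and it is different from a policy or PSK mismatch, where the peer does reply. The following Python is an added example, not part of the original post, that reads a trace in this format and separates those two cases; the sample trace is constructed from the lines posted above, the peer address stays the placeholder a.b.c.d, and the "IKE_DECODE RECEIVED Message" string used to detect replies is assumed from the general shape of ASA IKEv1 debug output.

```python
"""Triage an ASA 'debug crypto isakmp' trace for a stalled IKEv1 main-mode Phase 1."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the trace posted in this thread; the peer is
# the same placeholder a.b.c.d and the timestamps mirror the post.
SAMPLE_DEBUG = """\
Nov 04 13:39:14 [IKEv1]: IP = a.b.c.d, IKE Initiator: New Phase 1, Intf inside, IKE Peer a.b.c.d local Proxy Address 172.16.201.0, remote Proxy Address 172.16.200.0, Crypto map (IPsec_map)
Nov 04 13:39:14 [IKEv1 DEBUG]: IP = a.b.c.d, constructing ISAKMP SA payload
Nov 04 13:39:17 [IKEv1]: IP = a.b.c.d, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 04 13:39:30 [IKEv1]: IP = a.b.c.d, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
Nov 04 13:39:38 [IKEv1]: IP = a.b.c.d, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
Nov 04 13:39:46 [IKEv1 DEBUG]: IP = a.b.c.d, IKE MM Initiator FSM error history (struct &0xd45b3710)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 04 13:39:46 [IKEv1]: IP = a.b.c.d, Error: Unable to remove PeerTblEntry
"""

# "<timestamp> [IKEv1...]: IP = <peer>, <message>"; the "IP = ..." part is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \[(?P<src>IKEv1[^\]]*)\]: "
    r"(?:IP = (?P<peer>[^,\s]+)\s*,\s*)?(?P<msg>.*)$"
)


@dataclass
class Phase1Triage:
    peer: Optional[str] = None
    phase1_started: bool = False
    mm1_resends: int = 0          # retransmissions of our first main-mode message
    replies_seen: int = 0         # IKE messages the ASA decoded from the peer (assumed marker)
    stalled_in: Optional[str] = None
    verdict: str = "insufficient_data"
    hints: List[str] = field(default_factory=list)


def triage_phase1(trace: str) -> Phase1Triage:
    """Classify a Phase 1 failure as 'peer silent' versus 'peer replied but negotiation failed'."""
    t = Phase1Triage()
    for raw in trace.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        if t.peer is None and m.group("peer"):
            t.peer = m.group("peer")
        if "IKE Initiator: New Phase 1" in msg:
            t.phase1_started = True
        elif "IKE_DECODE RESENDING Message (msgid=0)" in msg:
            t.mm1_resends += 1
        elif "IKE_DECODE RECEIVED Message" in msg:
            t.replies_seen += 1
        elif "FSM error history" in msg:
            # The history is newest-first: the state right after "MM_DONE, EV_ERROR-->"
            # is the one the initiator was sitting in when it gave up.
            states = re.findall(r"-->(MM_[A-Z0-9_]+)", msg)
            if states:
                t.stalled_in = states[0]

    if not t.phase1_started:
        return t
    if t.replies_seen == 0 and (t.mm1_resends or t.stalled_in == "MM_WAIT_MSG2"):
        t.verdict = "no_reply_from_peer"
        t.hints = [
            "MM1 was retransmitted and nothing was decoded from the peer: it never answered.",
            "Check that each side's configured peer address is the other side's real outside address.",
            "Check that UDP/500 reaches the peer and that ISAKMP is enabled on its outside interface.",
        ]
    elif t.replies_seen:
        t.verdict = "peer_replied_but_phase1_failed"
        t.hints = ["The peer answered: compare the IKE policy (encryption, hash, DH group) and the pre-shared key on both sides."]
    else:
        t.verdict = "inconclusive"
    return t


if __name__ == "__main__":
    result = triage_phase1(SAMPLE_DEBUG)
    print(result.verdict, "peer:", result.peer, "MM1 resends:", result.mm1_resends, "stalled in:", result.stalled_in)
    for hint in result.hints:
        print(" -", hint)
```

Feed it the output of `debug crypto isakmp 127` captured to a file; a verdict of no_reply_from_peer says to stop comparing ISAKMP policies and PFS settings and look at addressing and reachability first.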

      dotdash

        Why don't you give someone on the m0n0wall forums a few days to answer before crossposting here?

          clamasters

          Kill PFS on the ASA and enter the following command.

          nat-control

          Let us know how it goes after that.  Please post what you have actually entered into the ASA as the post only describes monowall's howto for PIX firewalls.  Please attach any log information from the ASA regarding IPSEC/ISAKMP.

          Thanks.

          Curtis

          http://www.curtis-lamasters.com
          http://www.builtnetworks.com

            clamasters
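The reply above asks for the configuration as actually typed into the ASA, because the OLD POST config is the kind of thing that reads fine by eye and still contains a slip: the PFS line is written against `IPSec_map` while every other line and the interface binding use `IPsec_map`. The following Python is an added example, not code from the thread, that cross-references the IPsec statements in an ASA config excerpt: crypto map names that differ only in case (assumed, as on the ASA, to be distinct maps), maps not bound to an interface, bound interfaces without `isakmp enable`, peers without a matching `tunnel-group ... type ipsec-l2l`, undefined transform-sets or ACLs, and crypto ACL entries the `nat 0` ACL does not exempt. The sample config is the OLD POST's statements with the pre-shared key replaced by a placeholder.

```python
"""Cross-reference check of the IPsec statements in an ASA configuration excerpt."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: the "OLD POST" ASA statements from this thread,
# with the pre-shared key replaced by the placeholder PASSWORD.
OLD_ASA_CONFIG = """\
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
tunnel-group a.b.c.d type ipsec-l2l
tunnel-group a.b.c.d ipsec-attributes
pre-shared-key PASSWORD
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
access-list encrypt-acl extended permit ip 172.16.201.0 255.255.255.0 172.16.200.0 255.255.255.0
crypto map IPsec_map 10 set peer a.b.c.d
crypto map IPsec_map 10 set transform-set MYSET
crypto map IPsec_map 10 match address encrypt-acl
crypto map IPSec_map 10 set pfs group2
crypto map IPsec_map interface outside
access-list nonat extended permit ip 172.16.201.0 255.255.255.0 172.16.200.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

MAP_ENTRY_RE = re.compile(r"crypto map (\S+) (\d+) (set peer|set transform-set|match address|set pfs)\s*(\S*)")
MAP_BIND_RE = re.compile(r"crypto map (\S+) interface (\S+)")
TRANSFORM_RE = re.compile(r"crypto ipsec transform-set (\S+)")
TUNNEL_RE = re.compile(r"tunnel-group (\S+) type ipsec-l2l")
ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
ISAKMP_RE = re.compile(r"isakmp enable (\S+)")
NAT0_RE = re.compile(r"nat \(\S+\) 0 access-list (\S+)")


def parse_asa(config: str) -> dict:
    """Collect the statements the checks below need, keyed by the names they declare."""
    maps: Dict[Tuple[str, str], Dict[str, str]] = defaultdict(dict)   # (map, seq) -> settings
    bound: Dict[str, str] = {}                                        # map -> interface
    acls: Dict[str, List[Tuple[str, str]]] = defaultdict(list)        # acl -> [(src, dst)]
    transform_sets: Set[str] = set()
    tunnel_groups: Set[str] = set()
    isakmp_ifaces: Set[str] = set()
    nat0_acls: Set[str] = set()
    for line in config.splitlines():
        line = line.strip()
        if m := MAP_ENTRY_RE.match(line):
            maps[(m[1], m[2])][m[3]] = m[4]
        elif m := MAP_BIND_RE.match(line):
            bound[m[1]] = m[2]
        elif m := TRANSFORM_RE.match(line):
            transform_sets.add(m[1])
        elif m := TUNNEL_RE.match(line):
            tunnel_groups.add(m[1])
        elif m := ACL_RE.match(line):
            acls[m[1]].append((f"{m[2]} {m[3]}", f"{m[4]} {m[5]}"))
        elif m := ISAKMP_RE.match(line):
            isakmp_ifaces.add(m[1])
        elif m := NAT0_RE.match(line):
            nat0_acls.add(m[1])
    return {"maps": maps, "bound": bound, "acls": acls, "transform_sets": transform_sets,
            "tunnel_groups": tunnel_groups, "isakmp_ifaces": isakmp_ifaces, "nat0_acls": nat0_acls}


def check_asa_ipsec(config: str) -> List[str]:
    """Return one finding per dangling or inconsistent reference; an empty list means all cross-references resolve."""
    c = parse_asa(config)
    findings: List[str] = []
    # Crypto map names are case-sensitive (assumed), so IPsec_map and IPSec_map are two maps.
    by_lower: Dict[str, Set[str]] = defaultdict(set)
    for name, _ in c["maps"]:
        by_lower[name.lower()].add(name)
    for variants in by_lower.values():
        if len(variants) > 1:
            findings.append(f"crypto map names differ only in case: {sorted(variants)}; settings on the unbound variant are ignored")
    for (name, seq), s in c["maps"].items():
        where = f"crypto map {name} {seq}"
        if name not in c["bound"]:
            findings.append(f"{where}: map is not applied to any interface")
        elif c["bound"][name] not in c["isakmp_ifaces"]:
            findings.append(f"{where}: bound to {c['bound'][name]} but isakmp is not enabled there")
        peer = s.get("set peer")
        if peer and peer not in c["tunnel_groups"]:
            findings.append(f"{where}: peer {peer} has no 'tunnel-group {peer} type ipsec-l2l', so no pre-shared key applies")
        ts = s.get("set transform-set")
        if ts and ts not in c["transform_sets"]:
            findings.append(f"{where}: transform-set {ts} is not defined")
        acl = s.get("match address")
        if acl and acl not in c["acls"]:
            findings.append(f"{where}: access-list {acl} is not defined")
        elif acl:
            for nat_acl in c["nat0_acls"]:
                missing = set(c["acls"][acl]) - set(c["acls"].get(nat_acl, []))
                if missing:
                    findings.append(f"{where}: nat 0 access-list {nat_acl} does not exempt {sorted(missing)} from NAT")
    return findings


if __name__ == "__main__":
    for finding in check_asa_ipsec(OLD_ASA_CONFIG) or ["no findings"]:
        print(finding)
```

Run it over `show running-config` output pasted into a file; the OLD POST config produces two findings (the case-only name clash and the orphaned `IPSec_map` entry), and the same text with the name spelled consistently produces none.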

            So what was the actual fix?

            http://www.curtis-lamasters.com
            http://www.builtnetworks.com

              concico

              @clamasters:

              So what was the actual fix?

              We had put a wrong IP for the peer in the Monowall configuration :)

                martinwa

                Hi,

                I cannot see the configuration image of the monowall.
                I would be very happy to see it...

                Best regards
                Martin

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.