Topic: vpn asa - monowall issue  (Read 1709 times)
« on: November 04, 2008, 14:09:56 »
concico *
Posts: 2

Hi guys,
We have a little problem...
We would like to set up a Site-to-Site VPN between two remote intranets.
To accomplish this, we have:
1 ASA 5510
1 m0n0wall v1.2x

The Topology

(http://www.freeimagehosting.net/uploads/th.a4a716af85.jpg)

We have tried a billion solutions but we always get the same problem: IKE Phase 1 fails  :wacko:

Configuration of ASA
______________________


conf t
hostname ASA
end
conf t
interface Ethernet 0/0
nameif inside
security-level 100
ip address 172.16.201.1 255.255.255.0
no shutdown
end
conf t
interface Ethernet 0/1
nameif outside
security-level 0
ip address e.f.g.h 255.255.255.0
no shutdown
end
! STEP 1: enable isakmp on the interface that faces the peer
configure terminal
isakmp enable outside
end
! STEP 2: create the isakmp policy
! (Phase 1 proposal; the m0n0wall side must offer the same combination:
! pre-shared key, 3DES, MD5, DH group 2, 86400 s lifetime)
configure terminal
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
end
! STEP 3: set the tunnel type (a.b.c.d = the m0n0wall WAN address)
configure terminal
tunnel-group a.b.c.d type ipsec-l2l
end
! STEP 4: configure isakmp pre-shared key (must be identical on the m0n0wall side)
configure terminal
tunnel-group a.b.c.d ipsec-attributes
pre-shared-key CiscoASAProva
end
! STEP 5: define IPSec policy (Phase 2 transform; must match the m0n0wall Phase 2 settings)
configure terminal
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
end
! STEP 6: specify interesting traffic
! (local 172.16.201.0/24 -> remote 172.16.200.0/24; the m0n0wall side must mirror it:
! local 172.16.200.0/24, remote 172.16.201.0/24)
configure terminal
access-list encrypt-acl extended permit ip 172.16.201.0 255.255.255.0 172.16.200.0 255.255.255.0
management-access inside
end
! STEP 7: configure a crypto map
! (the map name is case-sensitive: the pfs line originally read "IPSec_map", which
! creates a second, incomplete map instead of adding PFS to entry 10 of this one)
configure terminal
crypto map IPsec_map 10 set peer a.b.c.d
crypto map IPsec_map 10 set transform-set MYSET
crypto map IPsec_map 10 match address encrypt-acl
crypto map IPsec_map 10 set pfs group2
end
! STEP 8: apply the crypto map to an interface
configure terminal
crypto map IPsec_map interface outside
end
! STEP 9: configuring traffic filtering (let decrypted VPN traffic bypass the interface ACLs)
configure terminal
sysopt connection permit-ipsec
end
! STEP 10: bypassing NAT (optional, but required if any NAT applies to inside traffic)
configure terminal
access-list nonat extended permit ip 172.16.201.0 255.255.255.0 172.16.200.0 255.255.255.0
nat (inside) 0 access-list nonat
end
! ROUTE (is it necessary?)
! The default route must point at the next-hop gateway on the outside subnet (the ISP
! router); a.b.c.d only needs to be reachable through that route. Use a.b.c.d here
! only if the peer really is the next hop for e.f.g.h.
route outside 0.0.0.0 0.0.0.0 a.b.c.d
___________________________________________________
MONOWALL config
(http://www.freeimagehosting.net/uploads/th.b68f750ed9.jpg)
______________________________________________________
If we try a connection from a host on the 172.16.200.0 network to a host on the 172.16.201.0 network, with these debug commands enabled:
debug crypto isakmp 127
debug crypto ipsec 127

we get:
Nov 04 13:39:14 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 04 13:39:14 [IKEv1]: IP = a.b.c.d, IKE Initiator: New Phase 1, Intf inside, IKE Peer a.b.c.d local Proxy Address 172.16.201.0, remote Proxy Address 172.16.200.0,  Crypto map (IPsec_map)
Nov 04 13:39:14 [IKEv1 DEBUG]: IP = a.b.c.d, constructing ISAKMP SA payload
Nov 04 13:39:17 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 04 13:39:17 [IKEv1]: IP = a.b.c.d, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
Nov 04 13:39:23 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
Nov 04 13:39:23 [IKEv1]: IP = a.b.c.d, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
Nov 04 13:39:30 [IKEv1]: IP = a.b.c.d, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
Nov 04 13:39:38 [IKEv1]: IP = a.b.c.d, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
Nov 04 13:39:46 [IKEv1 DEBUG]: IP = a.b.c.d, IKE MM Initiator FSM error history (struct &0xd45b3710)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 04 13:39:46 [IKEv1 DEBUG]: IP = a.b.c.d, IKE SA MM:425d539b terminating:  flags 0x01000022, refcnt 0, tuncnt 0
Nov 04 13:39:46 [IKEv1 DEBUG]: IP = a.b.c.d, sending delete/delete with reason message
Nov 04 13:39:46 [IKEv1]: IP = a.b.c.d, Removing peer from peer table failed, no match!
Nov 04 13:39:46 [IKEv1]: IP = a.b.c.d, Error: Unable to remove PeerTblEntry
_________________________________________________________________________

Please help us...
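A small triage helper for this kind of `debug crypto isakmp` output, added here as an example; it is not code from the original post, from Cisco or from m0n0wall. It parses the "IKE MM Initiator FSM error history" line the ASA prints when a main-mode exchange is abandoned, finds the wait state the exchange died in, counts the MM1 retransmissions, and maps the state to the usual first checks (MM_WAIT_MSG2 = the peer never answered the first proposal, which points at reachability, UDP/500 filtering, the peer address or the peer not listening, rather than at the pre-shared key). The log lines below are constructed in the shape of the post's output, with the post's `a.b.c.d` placeholder as peer; the second sample (a MM_WAIT_MSG6 failure) is likewise constructed to show the other branch.

```python
"""Classify an ASA IKEv1 main-mode phase-1 failure from `debug crypto isakmp` output.

Added example for this thread (not from the post, Cisco or m0n0wall). The cause
hints per wait state are the usual first checks, not a proof of root cause.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of the post's debug output (wrapped lines re-joined).
SAMPLE_LOG = """\
Nov 04 13:39:14 [IKEv1]: IP = a.b.c.d, IKE Initiator: New Phase 1, Intf inside, IKE Peer a.b.c.d local Proxy Address 172.16.201.0, remote Proxy Address 172.16.200.0,  Crypto map (IPsec_map)
Nov 04 13:39:14 [IKEv1 DEBUG]: IP = a.b.c.d, constructing ISAKMP SA payload
Nov 04 13:39:22 [IKEv1]: IP = a.b.c.d, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
Nov 04 13:39:30 [IKEv1]: IP = a.b.c.d, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
Nov 04 13:39:38 [IKEv1]: IP = a.b.c.d, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
Nov 04 13:39:46 [IKEv1 DEBUG]: IP = a.b.c.d, IKE MM Initiator FSM error history (struct &0xd45b3710)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 04 13:39:46 [IKEv1 DEBUG]: IP = a.b.c.d, IKE SA MM:425d539b terminating:  flags 0x01000022, refcnt 0, tuncnt 0
"""

# Constructed sample of a failure later in main mode (authentication stage).
SAMPLE_PSK_MISMATCH = (
    "Nov 04 14:02:10 [IKEv1 DEBUG]: IP = a.b.c.d, IKE MM Initiator FSM error history "
    "(struct &0x0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG6, EV_RETRY"
    "-->MM_WAIT_MSG6, EV_TIMEOUT-->MM_SND_MSG5, EV_SND_MSG"
)

# What the initiator had sent and was waiting for in each main-mode wait state,
# with the checks a practitioner does first. Cisco-style state names.
STATE_HINTS: Dict[str, str] = {
    "MM_WAIT_MSG2": "sent MM1 (SA proposal), no reply at all: check peer address, "
                    "routing, UDP/500 (and ESP/UDP 4500) on the path, and that the "
                    "peer is listening on that interface and has a matching Phase 1 policy",
    "MM_WAIT_MSG4": "sent MM3 (KE + nonce), no MM4: check DH group and packet "
                    "loss/fragmentation between the peers",
    "MM_WAIT_MSG6": "sent MM5 (ID + auth hash), no MM6: authentication failed on the "
                    "peer, check the pre-shared key and the peer identifier",
}

FSM_RE = re.compile(r"IKE MM Initiator FSM error history.*?<state>, <event>:\s*(?P<hist>.*)$")
PEER_RE = re.compile(r"IP = (?P<ip>[^,\s]+)")
RESEND_RE = re.compile(r"IKE_DECODE RESENDING Message \(msgid=(?P<msgid>\w+)\)")


def parse_fsm_history(line: str) -> List[Tuple[str, str]]:
    """Return the (state, event) pairs of an FSM error-history line, most recent first."""
    m = FSM_RE.search(line)
    if not m:
        return []
    pairs = []
    for chunk in m.group("hist").split("-->"):
        state, _, event = chunk.strip().partition(",")
        pairs.append((state.strip(), event.strip()))
    return pairs


def failed_state(history: List[Tuple[str, str]]) -> Optional[str]:
    """First state that is not the terminal MM_DONE: the state the exchange died in."""
    for state, _event in history:
        if state != "MM_DONE":
            return state
    return None


def diagnose(log_text: str) -> dict:
    """Scan debug output and summarise the phase-1 failure."""
    result = {"peer": None, "stuck_state": None, "resends": 0, "hint": None}
    for line in log_text.splitlines():
        if result["peer"] is None:
            pm = PEER_RE.search(line)
            if pm:
                result["peer"] = pm.group("ip")
        if RESEND_RE.search(line):           # same MM1 sent again = still no answer
            result["resends"] += 1
        hist = parse_fsm_history(line)
        if hist:
            result["stuck_state"] = failed_state(hist)
    if result["stuck_state"]:
        result["hint"] = STATE_HINTS.get(result["stuck_state"], "unmapped state, read the full debug")
    return result


if __name__ == "__main__":
    for name, text in (("post-like log", SAMPLE_LOG), ("auth-stage log", SAMPLE_PSK_MISMATCH)):
        r = diagnose(text)
        print(f"{name}: peer={r['peer']} stuck={r['stuck_state']} resends={r['resends']}")
        print(f"  -> {r['hint']}")
```

For the output quoted in the post the helper lands on MM_WAIT_MSG2 with repeated resends of the same 148-byte MM1, i.e. the ASA never hears back from a.b.c.d; a wrong pre-shared key would not fail this early, so the first things to verify are that a.b.c.d is really the m0n0wall WAN address, that it is reachable from e.f.g.h over the outside route, and that nothing on the path drops UDP/500.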