Schrier_58326
Jan 28, 2014

F5 TMOS 11.3 L2L VPN to Cisco ASA 8.4

We want to set up a site-to-site VPN tunnel from F5 TMOS to a Cisco ASA. We used IKEv1, SHA, 3DES and ESP for phase 2. The VPN tunnel establishes ISAKMP (phase 1):

 

[root@F5:Active:In Sync] config racoonctl -l show-sa isakmp
Destination      Cookies                            ST S  V E Created             Phase2
... .500         d8446b7622448f89:bca3271182e939a7   9 R 10 M 2014-01-28 20:50:23      0

 

ASA sh crypto isakmp sa detail

 

IKEv1 SAs:

 

Active SA: 1 Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1

 

1   IKE Peer: ...
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 86389

 

There are no IKEv2 SAs

 

But phase 2 fails; it is not able to establish the IPsec ESP SA. I see the following errors on the F5:

 

2014-01-28 20:44:41: ERROR: failed to get proposal for responder.
2014-01-28 20:44:41: ERROR: failed to pre-process packet.

 

and on the Cisco I see the following:

 

Jan 28 2013 20:53:40: %ASA-6-713905: Group =.. , IP = ... , Already have a Phase 2 IV!
Jan 28 2013 20:53:40: %ASA-3-713902: Group =.. , IP = ... , Can't create Quick Mode IV!

 

Looks like a mismatch in the encryption domain, but I checked it several times.

 

Maybe somebody has experience with this.

 

Thanks in advance,

 

Regards,

 

M.Schrier

 

7 Replies

  • Can you provide /etc/racoon/racoon.conf.bigip and the isakmp, ipsec and tunnel-group config from the ASA?

     

  • Hello, thanks. Here is the config from the ASA and the F5. I masked the original IP addresses.

     

    ASA configuration

     

    object-group network vpn-destination
     network-object 172.16.1.0 255.255.255.0
    object-group network vpn-source
     network-object host 10.10.10.10
    object-group network test-source
     network-object host 192.168.100.2

    access-list vpn-test extended permit ip object-group vpn-source object-group vpn-destination
    nat (inside,outside) source static test-source vpn-source destination static vpn-destination vpn-destination

    crypto ipsec ikev1 transform-set ipsec-SET esp-3des esp-sha-hmac
    crypto ipsec fragmentation after-encryption inside
    crypto ipsec fragmentation after-encryption outside
    crypto isakmp identity address
    no crypto isakmp nat-traversal

    crypto map outside_map 20 match address vpn-test
    crypto map outside_map 20 set pfs
    crypto map outside_map 20 set peer 4.4.4.4
    crypto map outside_map 20 set ikev1 transform-set ipsec-SET
    crypto map outside_map interface outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400

    tunnel-group 4.4.4.4 type ipsec-l2l
    tunnel-group 4.4.4.4 ipsec-attributes
     ikev1 pre-shared-key *****

     

    F5 configuration

     

    net ipsec ike-daemon ikedaemon {
        log-level debug2
    }
    net ipsec ike-peer vpn {
        phase1-auth-method pre-shared-key
        preshared-key-encrypted Ta[_EjH>`O[1QNQ@=WohO=n:p6gHDR.J+U^B<0O@[0HNASg
        remote-address 2.2.2.2
        verify-cert true
    }
    net ipsec ipsec-policy vpn-policy {
        ike-phase2-auth-algorithm sha1
        ike-phase2-encrypt-algorithm 3des
        mode tunnel
        tunnel-local-address 4.4.4.4
        tunnel-remote-address 2.2.2.2
    }
    net ipsec traffic-selector vpn-selector {
        destination-address 172.16.1.0/24
        direction in
        ipsec-policy vpn-policy
        source-address 10.10.10.10/32
    }

     

  • In racoon.conf:

     

    remote-address 2.2.2.2
    verify-cert true

    From the man page: "If you do not want to verify the identifier using the peer's certificate, set this to off." As I see from the config, you don't use certificates, so set this option to off.

     

  • Thanks for your quick reply. I already did this yesterday, but I had the same result :(

     

    Do you know how I can attach some log files in this forum?

     

  • For visibility I made some "translation":

     

    On the ASA side:

     

    access-list vpn-test extended permit ip object-group vpn-source object-group vpn-destination

     

    access-list vpn-test extended permit ip host 10.10.10.10 172.16.1.0 255.255.255.0

     

    You also have:

    nat (inside,outside) source static test-source vpn-source destination static vpn-destination vpn-destination

     

    On the F5 side:

     

    net ipsec traffic-selector vpn-selector {
        destination-address 172.16.1.0/24
        direction in
        ipsec-policy vpn-policy
        source-address 10.10.10.10/32
    }

     

    In Cisco CLI it looks like:

     

    access-list vpn-selector permit ip host 10.10.10.10 172.16.1.0 255.255.255.0

     

    I think your access-list on the ASA must be:

    access-list vpn-test extended permit ip 172.16.1.0 255.255.255.0 host 10.10.10.10

     

  • Hello Vitaliy, thanks for your feedback. I changed the traffic selector on the F5 (instead of on the ASA) and phase 2 is alive. So IPsec is OK, but I don't see any traffic through the tunnel. That is my next problem. Normally

    See the output from the Cisco:

    FW sh crypto ipsec sa detail
    interface: outside
      Crypto map tag: outside_map, seq num: 20, local addr: 2.2.2.2

      access-list vpn-test extended permit ip host 10.10.10.10 172.16.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.10.10 /255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0.0/0/0)
      current_peer: 4.4.4.4

      pkts encaps: 0, pkts encrypt: 0, pkts digest: 0
      pkts decaps: 0, pkts decrypt: 0, pkts verify: 0
      pkts compressed: 0, pkts decompressed: 0
      pkts not compressed: 0, pkts comp failed: 0, pkts decomp failed: 0
      post-frag successes: 0, post-frag failures: 0, fragments created: 0
      PMTUs sent: 0, PMTUs rcvd: 0, decapsulated frgs needing reassembly: 0
      pkts no sa (send): 0, pkts invalid sa (rcv): 0
      pkts encaps failed (send): 0, pkts decaps failed (rcv): 0
      pkts invalid prot (rcv): 0, pkts verify failed: 0
      pkts invalid identity (rcv): 0, pkts invalid len (rcv): 0
      pkts invalid pad (rcv): 0, pkts invalid ip version (rcv): 0,
      pkts replay rollover (send): 0, pkts replay rollover (rcv): 0
      pkts replay failed (rcv): 0
      pkts min mtu frag failed (send): 0, pkts bad frag offset (rcv): 0
      pkts internal err (send): 0, pkts internal err (rcv): 0

      local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 4.4.4.4/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: FEA1D5ED
      current inbound spi : 3D1BA8CC
    
    inbound esp sas:
      spi: 0x3D1BA8CC (1025222860)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 3203072, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/28141)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xFEA1D5ED (4272018925)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 3203072, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/28141)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    

    FW

  • To my mind you don't see traffic through the tunnel because: from the ASA NAT config I guess that 172.16.1.0/24 is terminated on the ASA and 10.10.10.10 is terminated on the F5 (correct me if I am wrong). But you have this access-list for the crypto map:

    access-list vpn-test extended permit ip host 10.10.10.10 172.16.1.0 255.255.255.0
    

    There will be no traffic passing through this access-list on the ASA and you will not see any hit counts in the IPsec SA. I think you need to swap your access-list and traffic selector around.
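The mirror check that Vitaliy's two replies describe (the ASA crypto ACL and the F5 traffic selector must be exact reverses of each other, or phase 2 fails with racoon's "failed to get proposal for responder") as an added Python example; this is not code from the thread or from F5. It assumes the reading both replies use: the ASA ACL source operand and the F5 source-address each name that side's local network, and the inputs are the masked configs posted above.

```python
import ipaddress
import re

# Inputs copied from the (masked) configs posted in the thread.
ASA_ACL = "access-list vpn-test extended permit ip host 10.10.10.10 172.16.1.0 255.255.255.0"
F5_SELECTOR = ("net ipsec traffic-selector vpn-selector { destination-address 172.16.1.0/24 "
               "direction in ipsec-policy vpn-policy source-address 10.10.10.10/32 }")


def _asa_operand(tokens):
    """Consume one ASA ACL address operand: 'host A', 'any', or 'NET MASK'."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # ipaddress accepts the dotted-mask form, e.g. 172.16.1.0/255.255.255.0
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_asa_acl(line):
    """ASA crypto ACL (assumed convention): source operand = local net, destination = remote."""
    tokens = line.split()
    after_proto = tokens[tokens.index("permit") + 2:]  # skip 'permit ip'
    local, rest = _asa_operand(after_proto)
    remote, _ = _asa_operand(rest)
    return local, remote


def parse_f5_selector(text):
    """F5 traffic-selector (assumed convention): source-address = local, destination-address = remote."""
    src = re.search(r"source-address\s+(\S+)", text).group(1)
    dst = re.search(r"destination-address\s+(\S+)", text).group(1)
    return ipaddress.ip_network(src), ipaddress.ip_network(dst)


def selectors_mirror(asa_line, f5_text):
    """True only if each side's local network is the other side's remote network."""
    asa_local, asa_remote = parse_asa_acl(asa_line)
    f5_local, f5_remote = parse_f5_selector(f5_text)
    return asa_local == f5_remote and asa_remote == f5_local


def mirrored_f5_selector(asa_line):
    """The F5 source/destination pair that mirrors a given ASA crypto ACL line."""
    asa_local, asa_remote = parse_asa_acl(asa_line)
    return f"source-address {asa_remote} destination-address {asa_local}"


if __name__ == "__main__":
    # Both sides claim 10.10.10.10 as local, so the posted pair does not mirror.
    print("mirrored:", selectors_mirror(ASA_ACL, F5_SELECTOR))
    print("F5 selector that would mirror the ASA ACL:", mirrored_f5_selector(ASA_ACL))
```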