VPN Problem Cisco PIX v6 to Cisco ASA 5500

KB ID 0000761 Dtd 06/02/13

Problem

I found this out purely by accident today, while replacing an old PIX 506E that had died with an ASA 5505. The client’s other site still had a PIX 506E (Running 6.3(5)). I was setting up the VPN, and noticed something that WOULD have been a problem if I had not spotted it.

Solution

Essentially, the older PIX firewalls are set for 3DES encryption, MD5 hashing and Diffie-Hellman group 2. From version 8.4 onwards the ASA does not have a policy set for this combination, so you need to create one. Had I simply gone ahead, phase 1 of the VPN tunnel would not have established and I would have seen:
Password:
Type help or ‘?’ for a list of available commands.
Petes-ASA> en
Password: ********
Petes-ASA#debug crypto isakmp 200
<<<<<<<LOTS Of DEBUG TEXT REMOVED>>>>>>>
Apr 01 14:48:48 [IKEv1]: IP = 123.123.123.123, IKE_DECODE RECEIVED Message (msgid=ce4a3ffe) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 56
Apr 01 14:48:48 [IKEv1]: IP = 123.123.123.123, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Apr 01 14:48:48 [IKEv1]: IP = 123.123.123.123, Information Exchange processing failed
<<<<<<<LOTS Of DEBUG TEXT REMOVED>>>>>>>
The NO_PROPOSAL_CHOSEN notify is the PIX rejecting every phase 1 proposal the ASA offered, and phase 1 would have sat at MM_WAIT_MSG2. So you need to create a matching phase 1 (ISAKMP) policy on the ASA.

Create an IKE version 1 Policy via Command Line

1. Connect to the ASA and issue the following commands:

Sent username “pete”
Type help or ‘?’ for a list of available commands.
Petes-ASA>
Petes-ASA> enable
Password: *******
Petes-ASA# configure terminal
Petes-ASA(config)#crypto ikev1 policy 1
Petes-ASA(config-ikev1-policy)# authentication pre-share
Petes-ASA(config-ikev1-policy)# encryption 3des
Petes-ASA(config-ikev1-policy)# hash md5
Petes-ASA(config-ikev1-policy)# group 2
Petes-ASA(config-ikev1-policy)# lifetime 86400
Petes-ASA(config-ikev1-policy)# exit
Petes-ASA(config)# write mem
Building configuration…
Cryptochecksum: b984ffbc dd77cdbf f2cd8d86 0b8f3f96
3965 bytes copied in 1.490 secs (3965 bytes/sec)
[OK]
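The whole problem above comes down to the two peers having no phase 1 proposal in common, and the only clue the ASA gives is the NO_PROPOSAL_CHOSEN notify in the isakmp debug. The following Python script is an added example, not part of the original article and not a Cisco tool: it parses the flat PIX 6.x "isakmp policy" lines and the ASA 8.4+ "crypto ikev1 policy" blocks from a saved running config, reports which policy pairs would actually agree on authentication, encryption, hash and DH group, and checks a pasted debug log for the rejected-proposal notify. The sample configs are constructed for the example (the "before" ASA config only carries an AES/SHA/group 5 policy, the "after" one adds the policy from the article); the debug line is the one shown above. The legacy-algorithm warning is an addition from a defender's point of view, since 3DES, MD5 and DH group 2 are only being kept here for compatibility with the old PIX.

```python
import re

# Constructed sample (not from the article): PIX 6.3 uses flat
# "isakmp policy <prio> <attr> <value>" lines.
PIX_CONFIG = """\
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

# Constructed sample: ASA 8.4+ with only an AES/SHA/DH5 policy, the
# state in which phase 1 against the PIX fails.
ASA_CONFIG_BEFORE = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
"""

# The same ASA after adding the 3DES/MD5/DH2 policy from the article.
ASA_CONFIG_AFTER = ASA_CONFIG_BEFORE + """\
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

# Debug lines as shown in the article's "debug crypto isakmp" output.
DEBUG_LINES = [
    "Apr 01 14:48:48 [IKEv1]: IP = 123.123.123.123, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping",
    "Apr 01 14:48:48 [IKEv1]: IP = 123.123.123.123, Information Exchange processing failed",
]

# Attributes that must agree for a phase 1 proposal to be accepted.
# Lifetime is left out on purpose: IKEv1 peers settle on the shorter
# lifetime rather than rejecting the proposal.
MATCH_ATTRS = ("authentication", "encryption", "hash", "group")

# Legacy choices worth flagging when compatibility with a PIX 6.x forces them.
LEGACY = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def parse_pix_policies(text):
    """Return {priority: {attr: value}} from PIX 6.x 'isakmp policy' lines."""
    policies = {}
    pat = re.compile(r"^isakmp policy (\d+) (\w+) (\S+)", re.M)
    for prio, attr, val in pat.findall(text):
        policies.setdefault(int(prio), {})[attr] = val
    return policies


def parse_asa_ikev1_policies(text):
    """Return {priority: {attr: value}} from ASA 'crypto ikev1 policy' blocks."""
    policies = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^crypto ikev1 policy (\d+)\s*$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif line.startswith(" ") and current is not None:
            parts = line.split()          # indented "attr value" line
            if len(parts) == 2:
                current[parts[0]] = parts[1]
        else:
            current = None                # any other top-level command ends the block
    return policies


def proposal(policy):
    return tuple(policy.get(a) for a in MATCH_ATTRS)


def find_matching_policies(local, remote):
    """Pairs (local_prio, remote_prio) whose auth/enc/hash/group all agree."""
    return [(lp, rp)
            for lp, lpol in sorted(local.items())
            for rp, rpol in sorted(remote.items())
            if proposal(lpol) == proposal(rpol)]


def legacy_warnings(policy):
    """List 'attr=value' for each legacy algorithm used by a policy."""
    return [f"{a}={policy.get(a)}" for a, weak in LEGACY.items()
            if policy.get(a) in weak]


def phase1_proposal_rejected(debug_lines):
    """True if the isakmp debug shows the peer rejecting every phase 1 proposal."""
    return any("[IKEv1]" in ln and "NO_PROPOSAL_CHOSEN" in ln for ln in debug_lines)


if __name__ == "__main__":
    pix = parse_pix_policies(PIX_CONFIG)
    for label, cfg in (("before", ASA_CONFIG_BEFORE), ("after", ASA_CONFIG_AFTER)):
        asa = parse_asa_ikev1_policies(cfg)
        print(label, "matching policy pairs (asa, pix):", find_matching_policies(asa, pix))
    print("debug shows rejected proposal:", phase1_proposal_rejected(DEBUG_LINES))
    print("legacy settings on PIX policy 10:", legacy_warnings(pix[10]))
```

Run it as-is to see the "before" config produce no matching pair and the "after" config match ASA policy 1 with PIX policy 10; to use it on real kit, paste the relevant section of each firewall's "show run" into the two config strings. The matching deliberately ignores lifetime, which is why a lifetime mismatch never produces NO_PROPOSAL_CHOSEN while any difference in the other four attributes does.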

Create an IKE version 1 Policy via ASDM

If you are creating a Site to Site VPN tunnel from the ASDM wizard, you can add the policy during step 6, like so:

ASDM and IKEv1 Policy

Or, to add it after the tunnel has been created: Configuration > Site-to-Site VPN > Advanced > IKE Policies > Add. The priority may be changed, but set the rest of the settings as shown > OK > Apply > File > Save Running Configuration to Flash.

ASDM and IKE Policy

Related Articles, References, Credits, or External Links

Cisco ASA5500 Site to Site VPN from ASDM
Cisco PIX 500 – IPSEC Site to Site VPNs (v6)

Author: Migrated
