VPN Problem Cisco PIX v6 to Cisco ASA 5500
KB ID 0000761
Problem
I found this out purely by accident today, while replacing an old PIX 506E that had died with an ASA 5505. The client’s other site still had a PIX 506E (Running 6.3(5)). I was setting up the VPN, and noticed something that WOULD have been a problem if I had not spotted it.
Solution
Essentially the older PIX firewalls are set for 3DES encryption, MD5 Hashing and Diffie Hellman 2. After version 8.4 the ASA does not have a policy set for this, you need to create one. If I had simply gone ahead, phase 1 of the VPN tunnel would not have established and I would have seen;
Password: Type help or ‘?’ for a list of available commands. Petes-ASA> en Password: ******** Petes-ASA#debug crypto isakmp 200
<<<<<<<LOTS Of DEBUG TEXT REMOVED>>>>>>>
Apr 01 14:48:48 [IKEv1]: IP = 123.123.123.123, IKE_DECODE RECEIVED Message (msgid=ce4a3ffe) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 56 Apr 01 14:48:48 [IKEv1]: IP = 123.123.123.123, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping Apr 01 14:48:48 [IKEv1]: IP = 123.123.123.123, Information Exchange processing failed
<<<<<<<LOTS Of DEBUG TEXT REMOVED>>>>>>>
And phase 1 would have sat saying, MM_WAIT_MSG2. So you need to create a matching phase 1 (ISAKMP) policy on the ASA.
Create an IKE version 1 Policy via Command Line
1. Connect to the ASA and issue the following commands;
3965 bytes copied in 1.490 secs (3965 bytes/sec) [OK]
Create an IKE version 1 Policy via ASDM
If you are creating a Site to Site VPN tunnel from the ASDM wizard you can add the policy during step 6, like so;
Or to add it after the tunnel has been created, Configuration > Site-to-Site VPN > Advanced > IKE Policies > Add > The priority may be changed, but set the rest of the settings as shown. > OK > Apply > File > Save Running Configuration to Flash.
Related Articles, References, Credits, or External
Links
Cisco ASA5500 Site to Site VPN from ASDM
Cisco PIX 500 – IPSEC Site to Site VPNs (v6)
