KB ID 0000761
Problem
I found this out purely by accident today, while replacing an old PIX 506E that had died with an ASA 5505. The client’s other site still had a PIX 506E (Running 6.3(5)). I was setting up the VPN, and noticed something that WOULD have been a problem if I had not spotted it.
Solution
Essentially the older PIX firewalls are set for 3DES encryption, MD5 Hashing and Diffie Hellman 2. After version 8.4 the ASA does not have a policy set for this, you need to create one. If I had simply gone ahead, phase 1 of the VPN tunnel would not have established and I would have seen;
[box]
Password:
Type help or ‘?’ for a list of available commands.
Petes-ASA> en
Password: ********
Petes-ASA#debug crypto isakmp 200
<<<<<<<LOTS Of DEBUG TEXT REMOVED>>>>>>>
Apr 01 14:48:48 [IKEv1]: IP = 123.123.123.123, IKE_DECODE RECEIVED Message (msgid=ce4a3ffe) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 56
Apr 01 14:48:48 [IKEv1]: IP = 123.123.123.123, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Apr 01 14:48:48 [IKEv1]: IP = 123.123.123.123, Information Exchange processing failed
<<<<<<<LOTS Of DEBUG TEXT REMOVED>>>>>>>
[/box]
And phase 1 would have sat saying, MM_WAIT_MSG2. So you need to create a matching phase 1 (ISAKMP) policy on the ASA.
Create an IKE version 1 Policy via Command Line
1. Connect to the ASA and issue the following commands;
[box]Sent username “pete”
Type help or ‘?’ for a list of available commands.
Petes-ASA>
Petes-ASA> enable
Password: *******
Petes-ASA# configure terminal
Petes-ASA(config)#crypto ikev1 policy 1
Petes-ASA(config-ikev1-policy)# authentication pre-share
Petes-ASA(config-ikev1-policy)# encryption 3des
Petes-ASA(config-ikev1-policy)# hash md5
Petes-ASA(config-ikev1-policy)# group 2
Petes-ASA(config-ikev1-policy)# lifetime 86400
Petes-ASA(config-ikev1-policy)# exit
Petes-ASA(config)# write mem
Building configuration…
Cryptochecksum: b984ffbc dd77cdbf f2cd8d86 0b8f3f96
3965 bytes copied in 1.490 secs (3965 bytes/sec)
[OK]
[/box]
Create an IKE version 1 Policy via ASDM
If you are creating a Site to Site VPN tunnel from the ASDM wizard you can add the policy during step 6, like so;
Or to add it after the tunnel has been created, Configuration > Site-to-Site VPN > Advanced > IKE Policies > Add > The priority may be changed, but set the rest of the settings as shown. > OK > Apply > File > Save Running Configuration to Flash.