VPN Problem Cisco PIX v6 to Cisco ASA 5500

KB ID 0000761 

Problem

I found this out purely by accident today, while replacing an old PIX 506E that had died with an ASA 5505. The client’s other site still had a PIX 506E (Running 6.3(5)). I was setting up the VPN, and noticed something that WOULD have been a problem if I had not spotted it.

Solution

Essentially the older PIX firewalls are set for 3DES encryption, MD5 Hashing and Diffie Hellman 2. After version 8.4 the ASA does not have a policy set for this, you need to create one. If I had simply gone ahead, phase 1 of the VPN tunnel would not have established and I would have seen;

[box]

Password:
Type help or ‘?’ for a list of available commands.
Petes-ASA> en
Password: ********
Petes-ASA#debug crypto isakmp 200

<<<<<<<LOTS Of DEBUG TEXT REMOVED>>>>>>>

Apr 01 14:48:48 [IKEv1]: IP = 123.123.123.123, IKE_DECODE RECEIVED Message (msgid=ce4a3ffe) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 56
Apr 01 14:48:48 [IKEv1]: IP = 123.123.123.123, Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping
Apr 01 14:48:48 [IKEv1]: IP = 123.123.123.123, Information Exchange processing failed

<<<<<<<LOTS Of DEBUG TEXT REMOVED>>>>>>>

[/box]

And phase 1 would have sat saying, MM_WAIT_MSG2. So you need to create a matching phase 1 (ISAKMP) policy on the ASA.

Create an IKE version 1 Policy via Command Line

1. Connect to the ASA and issue the following commands;

[box]Sent username “pete”
Type help or ‘?’ for a list of available commands.
Petes-ASA>
Petes-ASA> enable
Password: *******
Petes-ASA# configure terminal
Petes-ASA(config)#crypto ikev1 policy 1
Petes-ASA(config-ikev1-policy)# authentication pre-share
Petes-ASA(config-ikev1-policy)# encryption 3des
Petes-ASA(config-ikev1-policy)# hash md5
Petes-ASA(config-ikev1-policy)# group 2
Petes-ASA(config-ikev1-policy)# lifetime 86400
Petes-ASA(config-ikev1-policy)# exit
Petes-ASA(config)# write mem
Building configuration…
Cryptochecksum: b984ffbc dd77cdbf f2cd8d86 0b8f3f96

3965 bytes copied in 1.490 secs (3965 bytes/sec)
[OK]

[/box]

Create an IKE version 1 Policy via ASDM

If you are creating a Site to Site VPN tunnel from the ASDM wizard you can add the policy during step 6, like so;

Or to add it after the tunnel has been created, Configuration > Site-to-Site VPN > Advanced > IKE Policies > Add > The priority may be changed, but set the rest of the settings as shown. > OK > Apply > File > Save Running Configuration to Flash.

Related Articles, References, Credits, or External

Links

Cisco ASA5500 Site to Site VPN from ASDM

Cisco PIX 500 – IPSEC Site to Site VPNs (v6)