Posts

Showing posts from 2019

IKEv1 TS 2 - IKE version mismatch

Group-policy VPN protocol mismatch: the responder is configured for IKEv2 only. Phase 1 actually completes, but it is torn down immediately (the session disconnect below shows a duration of 0s), so show crypto isakmp sa displays nothing on either the initiator or the responder. The negotiation fails in Quick Mode (QM). Only the responder's debug gives the real reason.

Initiator buffer log:

Jan 20 2020 15:35:04: %ASA-3-713902: Group = 10.0.0.2, IP = 10.0.0.2, Removing peer from correlator table failed, no match!
Jan 20 2020 15:35:04: %ASA-4-113019: Group = 10.0.0.2, Username = 10.0.0.2, IP = 10.0.0.2, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
Jan 20 2020 15:35:04: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = MAP.  Map Sequence Number = 10.
Jan 20 2020 15:35:04: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel . Map Tag= MAP.  Map Sequence Number = 10.

Debug:

ASAv1# Dec 23 17:59:13 [IKEv1 DEBUG

IKEv1 TS 1 - Phase1 and pre-shared key mismatch

1. Phase 1 parameter (encryption, hash or DH group) mismatch. The lifetime does not have to match between ASAs.

Initiator buffer log:

Jan 20 2020 15:38:40: %ASA-4-713903: IP = 10.0.0.2, Information Exchange processing failed
Jan 20 2020 15:38:48: %ASA-4-713903: IP = 10.0.0.2, Information Exchange processing failed
Jan 20 2020 15:39:12: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = MAP.  Map Sequence Number = 10.
Jan 20 2020 15:39:12: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel . Map Tag= MAP.  Map Sequence Number = 10.

Debug:

ASAv1# Dec 23 17:25:59 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Dec 23 17:25:59 [IKEv1]IP = 10.0.0.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 10.0.0.2   local Proxy Address 192.168.1.0, remote Proxy Address 192.168.2.0,   Crypto map (MAP)
Dec 23 17:25:59 [IKEv1 DEBUG]IP = 10.0.0.2, c
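The initiator-side buffer logs in the two troubleshooting posts above (TS 1 and TS 2) differ in the messages that precede the final %ASA-3-752015, and that difference is enough to tell a Phase 1 failure from a Quick Mode failure without waiting for the responder's debug. The script below is an added example, not code from the blog: it parses ASA syslog lines, splits them into negotiation attempts (each one closed by 752015) and classifies each attempt. The sample log is constructed from the lines quoted in the two posts, and the mapping of message IDs to failure stage (713903 repeating before 752015 means Phase 1 never completed; 713902/113019 mean a peer existed and was torn down, i.e. Phase 1 was up and QM failed) is an assumption derived from those two posts, not a Cisco reference table.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the initiator buffer logs quoted in the two posts above.
# Episode 1 (15:35): Phase 1 completed, Quick Mode failed (responder is IKEv2 only).
# Episode 2 (15:38): Phase 1 never completed (proposal or pre-shared key mismatch).
SAMPLE_LOG = """\
Jan 20 2020 15:35:04: %ASA-3-713902: Group = 10.0.0.2, IP = 10.0.0.2, Removing peer from correlator table failed, no match!
Jan 20 2020 15:35:04: %ASA-4-113019: Group = 10.0.0.2, Username = 10.0.0.2, IP = 10.0.0.2, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
Jan 20 2020 15:35:04: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = MAP.  Map Sequence Number = 10.
Jan 20 2020 15:35:04: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel . Map Tag= MAP.  Map Sequence Number = 10.
Jan 20 2020 15:38:40: %ASA-4-713903: IP = 10.0.0.2, Information Exchange processing failed
Jan 20 2020 15:38:48: %ASA-4-713903: IP = 10.0.0.2, Information Exchange processing failed
Jan 20 2020 15:39:12: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = MAP.  Map Sequence Number = 10.
Jan 20 2020 15:39:12: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel . Map Tag= MAP.  Map Sequence Number = 10.
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
PEER_RE = re.compile(r"\bIP = (\d{1,3}(?:\.\d{1,3}){3})")
MAP_RE = re.compile(r"Map Tag\s*=\s*([\w-]+)")
SEQ_RE = re.compile(r"Map Sequence Number\s*=\s*(\d+)")

TERMINAL = "752015"  # Tunnel Manager gave up: closes one negotiation attempt

# Heuristics (assumption derived from the two posts' logs, not a Cisco table)
PHASE2_IDS = {"713902", "113019"}  # a peer existed and was torn down: Phase 1 was up
PHASE1_IDS = {"713903"}            # informational exchange failed: Phase 1 never completed
HINTS = {
    "phase1": "Phase 1 failed: check encryption/hash/DH group and the pre-shared key; "
              "lifetime need not match. Run debug crypto ikev1 127 on the responder.",
    "phase2": "Phase 1 completed but Quick Mode failed: check the responder's "
              "group-policy vpn-tunnel-protocol and crypto map IKE version/transform set.",
    "unknown": "No recognised pre-failure message; collect the responder debug.",
}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one ASA syslog line into timestamp, severity, message ID, body and peer IP."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    peer = PEER_RE.search(rec["body"])
    rec["peer"] = peer.group(1) if peer else ""
    return rec


def split_episodes(text: str) -> List[List[Dict[str, str]]]:
    """Group parsable lines into negotiation attempts, each closed by %ASA-3-752015."""
    episodes, current = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        current.append(rec)
        if rec["msgid"] == TERMINAL:
            episodes.append(current)
            current = []
    if current:  # trailing attempt without a terminal line
        episodes.append(current)
    return episodes


def classify(episode: List[Dict[str, str]]) -> Dict[str, object]:
    """Decide which IKEv1 stage the attempt died in from the message IDs seen."""
    ids = [r["msgid"] for r in episode]
    if PHASE2_IDS & set(ids):
        stage = "phase2"
    elif PHASE1_IDS & set(ids):
        stage = "phase1"
    else:
        stage = "unknown"
    last = episode[-1]["body"]
    tag, seq = MAP_RE.search(last), SEQ_RE.search(last)
    return {
        "first": episode[0]["ts"],
        "peer": next((r["peer"] for r in episode if r["peer"]), ""),
        "map": (tag.group(1) if tag else "", int(seq.group(1)) if seq else -1),
        "stage": stage,
        "retries": ids.count("713903"),
        "hint": HINTS[stage],
    }


def triage(text: str) -> List[Dict[str, object]]:
    return [classify(e) for e in split_episodes(text)]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f'{r["first"]} peer={r["peer"]} map={r["map"]} {r["stage"]}: {r["hint"]}')
```

Feed it the output of show logging (or a syslog collector export); the 752012/752015 lines carry only the crypto map tag and sequence number, so the peer IP is taken from the earlier lines of the same attempt.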

IKEv1 Deep Dive

IKEv1 defines two phases:

* Phase 1 - on UDP/500, 6 packets (Main Mode); the first 4 packets are in clear text, packets 5 and 6 are encrypted.
    - Used for the control plane
    - Establishes a secure channel between the peers
    - Proves the peers' identities
    - Negotiates the ISAKMP SA (encryption, hash, DH group, authentication method) under which the data plane security settings are then negotiated
* Phase 2 - on UDP/500, 3 packets, Quick Mode; all packets are encrypted.
    - Used for the data plane
    - Negotiates the IPsec SAs that transport the protected data

When both Phase 1 and Phase 2 have completed, data is encapsulated in ESP packets, and DPD is carried in UDP/500 (Phase 1 channel) packets.

Phase 1 packet 1 (from the initiator): the Initiator SPI is set, the Responder SPI is empty (all zeros), and the packet carries the Phase 1 proposal. Debug (level 127) output:

Dec 18 15:26:38 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Dec 18 15:26:38 [IKEv1]IP = 10.0.0.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 10.0.0.2  local Proxy Address 192.168.1.0, remote Proxy Address 192.168.2.0,  Crypto map (MAP)
Dec 18 15:26:38 [IKEv1 DEBUG]IP = 10.0.0.2, constructing ISAKMP SA payload
Dec 18 15:26:38
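To make the packet 1 description concrete, here is an added example (not code from the blog) that constructs a Main Mode packet 1 on the wire, parses the ISAKMP header back and walks the SA payload down to the Phase 1 transform attributes. It then compares the offered attributes with a responder policy, ignoring lifetime, which is the check a responder performs when it logs a Phase 1 proposal mismatch. Header and payload layouts follow RFC 2408 and the IKE attribute numbers in RFC 2409 Appendix A; the initiator SPI, the peer proposal (AES-256/SHA/PSK/group 2/86400 s) and the local policy (same but group 5/28800 s) are constructed values, and only the SA payload is built (a real packet 1 also carries vendor ID payloads).

```python
import struct

# ISAKMP/IKEv1 wire constants (RFC 2408, RFC 2409 Appendix A)
EXCH_MAIN_MODE = 2       # Identity Protection exchange (Phase 1 Main Mode)
EXCH_QUICK_MODE = 32     # Phase 2
FLAG_ENCRYPT = 0x01      # set on MM5/MM6 and on every Quick Mode packet
HDR_FMT = "!8s8sBBBBII"  # I-SPI, R-SPI, next payload, version, exchange, flags, msg id, length
ATTR_NAMES = {1: "encryption", 2: "hash", 3: "auth", 4: "group",
              11: "life_type", 12: "life_duration", 14: "key_length"}

# Constructed Phase 1 proposal keyed by attribute type:
# aes-cbc (7) with 256-bit key, sha (2), pre-shared key (1), DH group 2, lifetime 86400 s
PEER_PROPOSAL = {1: 7, 14: 256, 2: 2, 3: 1, 4: 2, 11: 1, 12: 86400}
# Constructed responder policy: identical except DH group 5 and lifetime 28800 s
LOCAL_POLICY = {"encryption": 7, "key_length": 256, "hash": 2, "auth": 1,
                "group": 5, "life_type": 1, "life_duration": 28800}


def build_mm1(init_spi: bytes, attrs: dict) -> bytes:
    """Construct Main Mode packet 1: ISAKMP header + SA payload carrying one
    proposal with one KEY_IKE transform. The responder SPI is all zeros."""
    body = b""
    for t, v in attrs.items():
        if v < 0x10000:
            body += struct.pack("!HH", 0x8000 | t, v)  # TV attribute (AF bit set)
        else:
            body += struct.pack("!HHI", t, 4, v)        # TLV attribute, 4-byte value
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(body), 1, 1, 0) + body
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal  # IPsec DOI, SIT_IDENTITY_ONLY
    hdr = struct.pack(HDR_FMT, init_spi, bytes(8), 1, 0x10, EXCH_MAIN_MODE, 0, 0, 28 + len(sa))
    return hdr + sa


def parse_header(pkt: bytes) -> dict:
    """Decode the fixed 28-byte ISAKMP header and verify its length field."""
    if len(pkt) < 28:
        raise ValueError("short packet")
    i_spi, r_spi, np_, ver, exch, flags, msgid, length = struct.unpack(HDR_FMT, pkt[:28])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return {"init_spi": i_spi.hex(), "resp_spi": r_spi.hex(), "next_payload": np_,
            "version": (ver >> 4, ver & 0xF), "exchange": exch,
            "encrypted": bool(flags & FLAG_ENCRYPT), "message_id": msgid, "length": length}


def parse_phase1_proposal(pkt: bytes) -> dict:
    """Walk header -> SA -> proposal -> first transform; return attributes by name."""
    off = 28
    _, _, _, doi, _ = struct.unpack_from("!BBHII", pkt, off)
    if doi != 1:
        raise ValueError("not the IPsec DOI")
    off += 12
    _, _, _, _, proto, spi_size, _ = struct.unpack_from("!BBHBBBB", pkt, off)
    if proto != 1:
        raise ValueError("not a PROTO_ISAKMP proposal")
    off += 8 + spi_size
    _, _, t_len, _, _, _ = struct.unpack_from("!BBHBBH", pkt, off)
    end, off = off + t_len, off + 8
    attrs = {}
    while off < end:
        t, v = struct.unpack_from("!HH", pkt, off)
        if t & 0x8000:                                   # TV: v is the value itself
            attrs[ATTR_NAMES.get(t & 0x7FFF, t & 0x7FFF)] = v
            off += 4
        else:                                            # TLV: v is the value length
            attrs[ATTR_NAMES.get(t, t)] = int.from_bytes(pkt[off + 4:off + 4 + v], "big")
            off += 4 + v
    return attrs


def phase1_mismatches(offered: dict, local: dict) -> list:
    """Attributes a responder would reject. Lifetime is deliberately excluded:
    it does not have to match between ASAs."""
    keys = ("encryption", "key_length", "hash", "auth", "group")
    return [k for k in keys if offered.get(k) != local.get(k)]


if __name__ == "__main__":
    pkt = build_mm1(bytes.fromhex("0011223344556677"), PEER_PROPOSAL)
    print(parse_header(pkt))
    print(parse_phase1_proposal(pkt))
    print("mismatch:", phase1_mismatches(parse_phase1_proposal(pkt), LOCAL_POLICY))
```

The same header parser applied to a capture of packets 5 and 6 shows the encryption flag set and no parsable payloads after the header, which is why a Phase 1 proposal or PSK problem is only visible in the responder's debug and not in a packet capture.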