Configuring IPsec on the Cisco ASA

I read this:
https://arogov.com/vpn-mezhdu-cisco-asa-5510-i-mikrotik-rb951ui-2hnd/

My scheme is as follows:
cisco asa(static ip) -----inet(ipsec l2l)------(dynamic ip l2tp)mikrotik

mikrotik ver 6.46.4

Logging from the ASA:

Apr 02 16:58:39 [IKEv1]: IP = x.x.x.74, Header invalid, missing SA payload! (next payload = 4)
Apr 02 16:58:49 [IKEv1]: IP = x.x.x.74, Header invalid, missing SA payload! (next payload = 4)
Apr 02 16:59:00 [IKEv1]: Group = x.x.x.74, IP = x.x.x.74, Can't find a valid tunnel group, aborting...!
Apr 02 16:59:00 [IKEv1]: Group = x.x.x.74, IP = x.x.x.74, Removing peer from peer table failed, no match!
Apr 02 16:59:00 [IKEv1]: Group = x.x.x.74, IP = x.x.x.74, Error: Unable to remove PeerTblEntry

Logging from the MikroTik:

initiate new phase1 (Identity Protection)
phase1 negotiation failed due to time up

OK. Can't find a valid tunnel group, aborting...!

On the ASA:

crypto isakmp policy 60
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

On the MikroTik:
IPsec Profile
Hash Algorithms - sha1
Encryption Algorithm - aes-256 (checked)
DH Group - modp1024 (checked)
NAT Traversal - checked

manual:
https://wiki.mikrotik.com/wiki/Manual:IP/IPsec
Group 2 ---- 1024 bits MODP group ---- RFC 2409

View the attached log file from the MikroTik.

Does not work. Help me!
Syslog Messages_3.xls (48 KB)

No ideas?

The isakmp policy is just half of the phase 1 configuration; please show your crypto map configuration from the ASA as well.
Also please post the output of /ip ipsec export hide-sensitive from your MikroTik.

On a general note, since the IP address on one side of your channel is dynamic (may change), you will have to use a road-warrior-like IPsec configuration (i.e. use dynamic policies).

ASA:

access-list OutSide_cryptomap_110 extended permit ip 192.168.x.0 255.255.255.0 192.168.88.0 255.255.255.0
access-list InSide_nat0_outbound extended permit ip 192.168.x.0 255.255.255.0 192.168.88.0 255.255.255.0
access-list InSide_access_in extended permit ip 192.168.x.0 255.255.255.0 192.168.88.0 255.255.255.0 


global (OutSide) 10 interface
nat (InSide) 0 access-list InSide_nat0_outbound
nat (InSide) 10 0.0.0.0 0.0.0.0

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto dynamic-map OutSide_dyn_map 110 match address OutSide_cryptomap_110
crypto dynamic-map OutSide_dyn_map 110 set transform-set ESP-AES-256-SHA

crypto map OutSide_map 65535 ipsec-isakmp dynamic OutSide_dyn_map
crypto map OutSide_map interface OutSide

crypto isakmp enable OutSide



crypto isakmp policy 60
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

group-policy MT internal
group-policy MT attributes
 wins-server value 192.168.x.135
 default-domain value mygruop

tunnel-group MT type ipsec-l2l

tunnel-group MT general-attributes
  default-group-policy MT
tunnel-group MT ipsec-attributes
  pre-shared-key *******

MikroTik:


[neroot@MikroTik] > /ip ipsec export hide-sensitive
# apr/03/2020 18:06:47 by RouterOS 6.46.4
# software id = KB54-9SM8
#
# model = 450G
# serial number = *******003D
/ip ipsec peer
add address=x.x.x.50/32 name=peer1-h50
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc pfs-group=none
/ip ipsec identity
add peer=peer1-h50
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.x.0/24 level=unique peer=peer1-h50 sa-dst-address=\
    x.x.x.50 sa-src-address=0.0.0.0 src-address=192.168.88.0/24 tunnel=\
    yes

More detailed log file.
Removed NAT Traversal from the MikroTik.

(mes1)
Apr 03 18:57:17 [IKEv1]: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Apr 03 18:57:17 [IKEv1 DEBUG]: IP = x.x.x.x, processing SA payload
Apr 03 18:57:17 [IKEv1 DEBUG]: IP = x.x.x.x, Oakley proposal is acceptable
Apr 03 18:57:17 [IKEv1 DEBUG]: IP = x.x.x.x, processing VID payload
Apr 03 18:57:17 [IKEv1 DEBUG]: IP = x.x.x.x, Received Cisco Unity client VID
Apr 03 18:57:17 [IKEv1 DEBUG]: IP = x.x.x.x, processing VID payload
Apr 03 18:57:17 [IKEv1 DEBUG]: IP = x.x.x.x, Received DPD VID
Apr 03 18:57:17 [IKEv1 DEBUG]: IP = x.x.x.x, processing IKE SA payload
Apr 03 18:57:17 [IKEv1 DEBUG]: IP = x.x.x.x, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 8
Apr 03 18:57:17 [IKEv1 DEBUG]: IP = x.x.x.x, constructing ISAKMP SA payload
Apr 03 18:57:17 [IKEv1 DEBUG]: IP = x.x.x.x, constructing Fragmentation VID + extended capabilities payload
Apr 03 18:57:17 [IKEv1]: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112

(mes2)
Apr 03 18:57:17 [IKEv1]: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 188
Apr 03 18:57:17 [IKEv1 DEBUG]: IP = x.x.x.x, processing ke payload
Apr 03 18:57:17 [IKEv1 DEBUG]: IP = x.x.x.x, processing ISA_KE payload
Apr 03 18:57:17 [IKEv1 DEBUG]: IP = x.x.x.x, processing nonce payload
Apr 03 18:57:17 [IKEv1 DEBUG]: IP = x.x.x.x, constructing ke payload
Apr 03 18:57:17 [IKEv1 DEBUG]: IP = x.x.x.x, constructing nonce payload
Apr 03 18:57:17 [IKEv1 DEBUG]: IP = x.x.x.x, constructing Cisco Unity VID payload
Apr 03 18:57:17 [IKEv1 DEBUG]: IP = x.x.x.x, constructing xauth V6 VID payload
Apr 03 18:57:17 [IKEv1 DEBUG]: IP = x.x.x.x, Send IOS VID
Apr 03 18:57:17 [IKEv1 DEBUG]: IP = x.x.x.x, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Apr 03 18:57:17 [IKEv1 DEBUG]: IP = x.x.x.x, constructing VID payload
Apr 03 18:57:17 [IKEv1 DEBUG]: IP = x.x.x.x, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

(mes3)
Apr 03 18:57:17 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Can't find a valid tunnel group, aborting...!
Apr 03 18:57:17 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, IKE MM Responder FSM error history (struct &0x484b3d0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_TEST_CRACK-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY
Apr 03 18:57:17 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, IKE SA MM:d1e3f159 terminating:  flags 0x01004002, refcnt 0, tuncnt 0
Apr 03 18:57:17 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, sending delete/delete with reason message

Apr 03 18:57:17 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Removing peer from peer table failed, no match!
Apr 03 18:57:17 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Error: Unable to remove PeerTblEntry
Apr 03 18:57:27 [IKEv1]: IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 4)
Apr 03 18:57:27 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

Good links:
https://www.petenetlive.com/KB/Article/0000216
https://www.petenetlive.com/KB/Article/0000213

This is wrong:

tunnel-group MT type ipsec-l2l

For a tunnel group of type ipsec-l2l the group name must be the peer's IP address. Check the ASA command reference for details. As I said in my previous message, since your other endpoint has a dynamic IP address, you have to use a road-warrior-like tunnel configuration, i.e. use tunnel-group MT type remote-access. Cisco will then require some other criterion to match your MikroTik peer with this tunnel group. In a real RA VPN that's usually a group name, but I'm not sure you can configure that on RouterOS. If I have time I will try to look further into this either later today or over the weekend (but no promises yet).

For a tunnel group of type ipsec-l2l the group name must be the peer's IP address.

Yes, I agree. Message from the ASA console:

+tunnel-group MT type ipsec-l2l
WARNING: L2L tunnel-groups that have names which are not an IP address may only be used if the tunnel authentication method is Digitial Certificates and/or The peer is configured to use Aggressive Mode

I understand that one must use Aggressive mode on the MikroTik.
Why?
The ASA does not know where the MikroTik is. Its address is dynamic. Therefore, only the MikroTik can be the tunnel initiator. This mode is called Aggressive.
It seems logical.

I want to thank you for helping!

Well, yes, yes and no.

You are right that Aggressive mode is a requirement and that your MikroTik box should always be the initiator. However, that is not what Aggressive mode is. Aggressive mode is a simplified handshake where only 3 messages are used to establish an IKE SA, whereas 6 messages are used in Main mode. The main difference in your situation is that in Aggressive mode the initiator's ID is sent in the clear, and so the responder (your ASA) can use that information to select the correct tunnel group while looking up the peer authentication parameters such as the pre-shared key. In Main mode the only information available at this stage is the initiator's IP address.

Talking about the initiator's ID, please use key-id on your MikroTik; it should match the tunnel-group name on your ASA.
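The point made above about which peer facts the responder has in hand when it must look up the pre-shared key can be checked with a small model of the two phase 1 exchanges. This is an added illustration, not code from the thread, Cisco or MikroTik: the payload layout per message follows RFC 2409, the tunnel-group names and addresses are made up, and the "lookup happens when the initiator's nonce arrives" rule is a simplification of the ASA's MM_BLD_MSG4 / EV_GROUP_LOOKUP step seen in the logs.

```python
"""Toy model of IKEv1 phase 1 showing why a pre-shared-key responder can only
pick a tunnel-group by peer IP in Main mode but by identity in Aggressive
mode. Added illustration only (not Cisco or MikroTik code); tunnel-group
names and addresses are made up."""

# Payload layout of the two phase-1 exchanges with PSK authentication
# (RFC 2409). Main mode carries the initiator ID in message 5, already
# encrypted; Aggressive mode carries it in message 1, in the clear.
MAIN_MODE = [
    (1, "I->R", ("SA",)),
    (2, "R->I", ("SA",)),
    (3, "I->R", ("KE", "NONCE")),
    (4, "R->I", ("KE", "NONCE")),
    (5, "I->R", ("IDi", "HASH")),   # encrypted with keys derived from the PSK
    (6, "R->I", ("IDr", "HASH")),   # encrypted
]
AGGRESSIVE_MODE = [
    (1, "I->R", ("SA", "KE", "NONCE", "IDi")),
    (2, "R->I", ("SA", "KE", "NONCE", "IDr", "HASH")),
    (3, "I->R", ("HASH",)),
]


def facts_known_when_psk_needed(exchange):
    """Return what the responder knows about the initiator at the moment it
    must look up the pre-shared key. SKEYID = prf(PSK, Ni | Nr), so the key
    is needed as soon as the initiator's nonce has arrived: before building
    Main-mode message 4 (the ASA's MM_BLD_MSG4 / EV_GROUP_LOOKUP) or
    Aggressive-mode message 2. Simplified model, not the ASA's real FSM."""
    known = {"peer_ip"}          # source address of the UDP packet
    for _num, direction, payloads in exchange:
        if direction != "I->R":
            continue
        if "IDi" in payloads:
            known.add("peer_id")
        if "NONCE" in payloads:
            break                 # key derivation happens here
    return known


def select_tunnel_group(exchange, peer_ip, peer_id, tunnel_groups):
    """Pick the tunnel-group whose name matches a fact the responder already
    has; None reproduces "Can't find a valid tunnel group". tunnel_groups is
    a dict name -> pre-shared key (placeholder values)."""
    known = facts_known_when_psk_needed(exchange)
    candidates = []
    if "peer_ip" in known:
        candidates.append(peer_ip)          # L2L group named after the peer IP
    if "peer_id" in known and peer_id:
        candidates.append(peer_id)          # group named after the key-id
    for name in candidates:
        if name in tunnel_groups:
            return name
    return None


if __name__ == "__main__":
    # Constructed tunnel-group table: one static site, one key-id group.
    groups = {"203.0.113.10": "psk-static-site", "MT": "psk-mikrotik"}
    # MikroTik on a dynamic address, Main mode: only its IP is known -> no group.
    print(select_tunnel_group(MAIN_MODE, "198.51.100.74", "MT", groups))        # None
    # Same peer, Aggressive mode with my-id=key-id:MT -> group MT is found.
    print(select_tunnel_group(AGGRESSIVE_MODE, "198.51.100.74", "MT", groups))  # MT
    # A static-address peer works in Main mode because its group IS its IP.
    print(select_tunnel_group(MAIN_MODE, "203.0.113.10", None, groups))         # 203.0.113.10
```

The third call is why the poster's other site-to-site tunnels to static addresses work in Main mode while the MikroTik does not: a group named after the peer IP is always resolvable, a group named MT is resolvable only once the ID payload has been seen.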

Where do I need to register the MT group on the MikroTik?
I created MT as the name of:

  • Proposals
  • Groups
  • Profiles

Then re-selected it in Policies, Peers, Identities.
Nothing has changed in the ASA logs (sort of).
On the MikroTik, "Active Peers" State is "message 2 sent".
Apr 04 18:18:34 [IKEv1]: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
Apr 04 18:18:34 [IKEv1 DEBUG]: IP = x.x.x.x, processing SA payload
Apr 04 18:18:34 [IKEv1 DEBUG]: IP = x.x.x.x, Oakley proposal is acceptable
Apr 04 18:18:34 [IKEv1 DEBUG]: IP = x.x.x.x, processing VID payload
Apr 04 18:18:34 [IKEv1 DEBUG]: IP = x.x.x.x, Received Cisco Unity client VID
Apr 04 18:18:34 [IKEv1 DEBUG]: IP = x.x.x.x, processing VID payload
Apr 04 18:18:34 [IKEv1 DEBUG]: IP = x.x.x.x, Received DPD VID
Apr 04 18:18:34 [IKEv1 DEBUG]: IP = x.x.x.x, processing IKE SA payload
Apr 04 18:18:34 [IKEv1 DEBUG]: IP = x.x.x.x, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 8
Apr 04 18:18:34 [IKEv1 DEBUG]: IP = x.x.x.x, constructing ISAKMP SA payload
Apr 04 18:18:34 [IKEv1 DEBUG]: IP = x.x.x.x, constructing Fragmentation VID + extended capabilities payload
Apr 04 18:18:34 [IKEv1]: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 112
Apr 04 18:18:34 [IKEv1]: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 188
Apr 04 18:18:34 [IKEv1 DEBUG]: IP = x.x.x.x, processing ke payload
Apr 04 18:18:34 [IKEv1 DEBUG]: IP = x.x.x.x, processing ISA_KE payload
Apr 04 18:18:34 [IKEv1 DEBUG]: IP = x.x.x.x, processing nonce payload
Apr 04 18:18:34 [IKEv1 DEBUG]: IP = x.x.x.x, constructing ke payload
Apr 04 18:18:34 [IKEv1 DEBUG]: IP = x.x.x.x, constructing nonce payload
Apr 04 18:18:34 [IKEv1 DEBUG]: IP = x.x.x.x, constructing Cisco Unity VID payload
Apr 04 18:18:34 [IKEv1 DEBUG]: IP = x.x.x.x, constructing xauth V6 VID payload
Apr 04 18:18:34 [IKEv1 DEBUG]: IP = x.x.x.x, Send IOS VID
Apr 04 18:18:34 [IKEv1 DEBUG]: IP = x.x.x.x, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Apr 04 18:18:34 [IKEv1 DEBUG]: IP = x.x.x.x, constructing VID payload
Apr 04 18:18:34 [IKEv1 DEBUG]: IP = x.x.x.x, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Apr 04 18:18:34 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Can't find a valid tunnel group, aborting...!
Apr 04 18:18:34 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, IKE MM Responder FSM error history (struct &0x488fe28)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_TEST_CRACK-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY
Apr 04 18:18:34 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, IKE SA MM:8ff415e7 terminating:  flags 0x01004002, refcnt 0, tuncnt 0
Apr 04 18:18:34 [IKEv1 DEBUG]: Group = x.x.x.x, IP = x.x.x.x, sending delete/delete with reason message
Apr 04 18:18:34 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Removing peer from peer table failed, no match!
Apr 04 18:18:34 [IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Error: Unable to remove PeerTblEntry

The ASA has a technology for connecting remote clients through a software tunnel. For Windows it is the Cisco VPN client (AnyConnect is the new one). For Linux, NetworkManager.
Two passwords are used there, one for the group, the other for the user.
Is this the option you are talking about, by any chance?

Software tunnels did not suit me because it was not possible to extend the local network. The connection obtained was only LAN-to-PC.

Shared passwords (group passwords) are used for both L2L and RA IPsec VPNs (unless you are using certificate-based authentication for IKE, which you are not). On MikroTik that's "secret" under /ip ipsec identity. The group name goes to "my-id" under the same menu. If you are configuring this from WinBox then set "My ID Type" to "key id". On the command line that would be my-id=key-id:<your_group_name>.

Here is what happens.
In the ASA logs:
All IPSec SA proposals found unacceptable

Apr 09 12:03:06 [IKEv1 DEBUG]: IP = x.x.x.x, processing SA payload
Apr 09 12:03:06 [IKEv1 DEBUG]: IP = x.x.x.x, processing ke payload
Apr 09 12:03:06 [IKEv1 DEBUG]: IP = x.x.x.x, processing ISA_KE payload
Apr 09 12:03:06 [IKEv1 DEBUG]: IP = x.x.x.x, processing nonce payload
Apr 09 12:03:06 [IKEv1 DEBUG]: IP = x.x.x.x, processing ID payload
Apr 09 12:03:06 [IKEv1 DEBUG]: IP = x.x.x.x, processing VID payload
Apr 09 12:03:06 [IKEv1 DEBUG]: IP = x.x.x.x, Received Cisco Unity client VID
Apr 09 12:03:06 [IKEv1 DEBUG]: IP = x.x.x.x, processing VID payload
Apr 09 12:03:06 [IKEv1 DEBUG]: IP = x.x.x.x, Received DPD VID
Apr 09 12:03:06 [IKEv1]: IP = x.x.x.x, Connection landed on tunnel_group MT
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, processing IKE SA payload
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 8
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, constructing ISAKMP SA payload
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, constructing ke payload
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, constructing nonce payload
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, Generating keys for Responder...
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, constructing ID payload
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, constructing hash payload
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, Computing hash for ISAKMP
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, constructing Cisco Unity VID payload
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, constructing xauth V6 VID payload
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, constructing dpd vid payload
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, constructing Fragmentation VID + extended capabilities payload
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, constructing VID payload
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Apr 09 12:03:06 [IKEv1]: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 382
Apr 09 12:03:06 [IKEv1]: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, processing hash payload
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, Computing hash for ISAKMP
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, PHASE 1 COMPLETED
Apr 09 12:03:06 [IKEv1]: IP = x.x.x.x, Keep-alive type for this connection: DPD
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, Starting P1 rekey timer: 82080 seconds.
Apr 09 12:03:06 [IKEv1 DECODE]: IP = x.x.x.x, IKE Responder starting QM: msg id = bda4f006
Apr 09 12:03:06 [IKEv1]: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=bda4f006) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 164
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, processing hash payload
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, processing SA payload
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, processing nonce payload
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, processing ID payload
Apr 09 12:03:06 [IKEv1 DECODE]: Group = MT, IP = x.x.x.x, ID_IPV4_ADDR_SUBNET ID received--192.168.88.0--255.255.255.0
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, Received remote IP Proxy Subnet data in ID Payload:   Address 192.168.88.0, Mask 255.255.255.0, Protocol 0, Port 0
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, processing ID payload
Apr 09 12:03:06 [IKEv1 DECODE]: Group = MT, IP = x.x.x.x, ID_IPV4_ADDR_SUBNET ID received--192.168.x.0--255.255.255.0
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, Received local IP Proxy Subnet data in ID Payload:   Address 192.168.x.0, Mask 255.255.255.0, Protocol 0, Port 0
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, QM IsRekeyed old sa not found by addr
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, Static Crypto Map check, checking map = OutSide_map, seq = 40...
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, Static Crypto Map check, map = OutSide_map, seq = 40, ACL does not match proxy IDs src:192.168.88.0 dst:192.168.x.0
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, Static Crypto Map check, checking map = OutSide_map, seq = 50...
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, Static Crypto Map check, map = OutSide_map, seq = 50, ACL does not match proxy IDs src:192.168.88.0 dst:192.168.x.0
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, Static Crypto Map check, checking map = OutSide_map, seq = 60...
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, Static Crypto Map check, map = OutSide_map, seq = 60, ACL does not match proxy IDs src:192.168.88.0 dst:192.168.x.0
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, Static Crypto Map check, checking map = OutSide_map, seq = 70...
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, Static Crypto Map check, map = OutSide_map, seq = 70, ACL does not match proxy IDs src:192.168.88.0 dst:192.168.x.0
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, Static Crypto Map check, checking map = OutSide_map, seq = 80...
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, Static Crypto Map check, map = OutSide_map, seq = 80, ACL does not match proxy IDs src:192.168.88.0 dst:192.168.x.0
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, Static Crypto Map check, checking map = OutSide_map, seq = 90...
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, Static Crypto Map check, map = OutSide_map, seq = 90, ACL does not match proxy IDs src:192.168.88.0 dst:192.168.x.0
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, Static Crypto Map check, checking map = OutSide_map, seq = 100...
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, Static Crypto Map check, map = OutSide_map, seq = 100, ACL does not match proxy IDs src:192.168.88.0 dst:192.168.x.0
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, IKE Remote Peer configured for crypto map: OutSide_dyn_map
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, processing IPSec SA payload
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, All IPSec SA proposals found unacceptable!


Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, sending notify message
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, constructing blank hash payload
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, constructing ipsec notify payload for msg id bda4f006
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, constructing qm hash payload
Apr 09 12:03:06 [IKEv1]: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=8f7e901a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, QM FSM error (P2 struct &0x45fbf50, mess id 0xbda4f006)!
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, IKE QM Responder FSM error history (struct &0x45fbf50)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, sending delete/delete with reason message
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, Removing peer from correlator table failed, no match!
Apr 09 12:03:06 [IKEv1]: Group = MT, IP = x.x.x.x, Could not delete route for L2L peer that came in on a dynamic map. address: 192.168.88.0, mask: 255.0.0.0
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, IKE SA AM:b5e048da rcv'd Terminate: state AM_ACTIVE  flags 0x00004041, refcnt 1, tuncnt 0
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, IKE SA AM:b5e048da terminating:  flags 0x01004001, refcnt 0, tuncnt 0
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, sending delete/delete with reason message
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, constructing blank hash payload
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, constructing IKE delete payload
Apr 09 12:03:06 [IKEv1 DEBUG]: Group = MT, IP = x.x.x.x, constructing qm hash payload
Apr 09 12:03:06 [IKEv1]: IP = x.x.x.x, IKE_DECODE SENDING Message (msgid=fd3a7b54) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Apr 09 12:03:07 [IKEv1]: IP = x.x.x.x, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 298

Yes, I have other LAN-to-LAN tunnels to different static addresses and I can see how they get through.
It seems to me that there is a search for the subnets 192.168.x.0 and 192.168.88.0.
But why doesn't it see:

access-list OutSide_cryptomap_110 extended permit ip 192.168.x.0 255.255.255.0 192.168.88.0 255.255.255.0 

crypto dynamic-map OutSide_dyn_map 110 match address OutSide_cryptomap_110
crypto dynamic-map OutSide_dyn_map 110 set transform-set ESP-AES-256-SHA

Log from the MikroTik attached.

On the MikroTik:
General.
IPsec Policy:
Tunnel - checked
Src. Address: 192.168.88.0/24
Dst. Address: 192.168.x.0/24
Protocol: 255 (all)

Action.
Action: encrypt
Level: unique
IPsec Protocols: esp
Proposal: MT

Status:
Keeps changing.
PH2 State: no phase2 ↔ msg1 sent
Syslog Messages_4.csv (27.1 KB)
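The ASA debug excerpts posted in this thread can be read mechanically: a handful of lines say how far the negotiation got and which lookup failed. The following triage script is an added example, not Cisco tooling or anything from the thread; the rule table encodes the interpretations given by the replies above, and the sample log lines are constructed to mirror the posted ones with the real addresses replaced by documentation ranges (198.51.100.74 for the MikroTik, 192.168.10.0 for the masked 192.168.x.0).

```python
"""Triage of ASA IKEv1 debug lines: which phase failed and why. Added
example, not Cisco tooling; the sample lines below are constructed to mirror
the thread's logs (addresses replaced with documentation ranges)."""
import re

# (pattern, stage, meaning). The meanings are the readings given in the thread.
RULES = [
    (r"Can't find a valid tunnel group", "phase1-fail",
     "no tunnel-group matched; in Main mode only the peer IP is available for the lookup"),
    (r"Connection landed on tunnel_group (?P<group>\S+)", "phase1-group",
     "tunnel-group selected"),
    (r"PHASE 1 COMPLETED", "phase1-ok", "IKE SA established"),
    (r"ACL does not match proxy IDs src:(?P<src>\S+) dst:(?P<dst>\S+)", "phase2-skip",
     "static crypto map entry skipped, proxy IDs differ from its ACL"),
    (r"IKE Remote Peer configured for crypto map: (?P<map>\S+)", "phase2-map",
     "crypto map entry selected"),
    (r"All IPSec SA proposals found unacceptable", "phase2-fail",
     "no transform-set on the selected map entry matches the peer's proposal"),
    (r"Header invalid, missing SA payload! \(next payload = 4\)", "stale",
     "KE-first message (Main-mode message 3) for an SA the ASA no longer holds; a retry after an earlier failure"),
]
COMPILED = [(re.compile(p), stage, meaning) for p, stage, meaning in RULES]


def classify(line):
    """Return (stage, meaning, captured fields) for a known line, else None."""
    for pattern, stage, meaning in COMPILED:
        m = pattern.search(line)
        if m:
            return stage, meaning, m.groupdict()
    return None


def triage(lines):
    """Walk a log excerpt and summarise how far the negotiation got and the
    first error that stopped it."""
    summary = {"tunnel_group": None, "phase1": "not reached", "phase2": "not reached",
               "crypto_map": None, "skipped_static_entries": 0, "proxy_ids": None,
               "blocking_error": None, "stale_retries": 0}
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        stage, meaning, fields = hit
        if stage == "phase1-group":
            summary["tunnel_group"] = fields["group"]
        elif stage == "phase1-ok":
            summary["phase1"] = "ok"
        elif stage == "phase1-fail":
            summary["phase1"] = "failed"
            summary["blocking_error"] = summary["blocking_error"] or meaning
        elif stage == "phase2-skip":
            summary["skipped_static_entries"] += 1
            summary["proxy_ids"] = (fields["src"], fields["dst"])
        elif stage == "phase2-map":
            summary["crypto_map"] = fields["map"]
        elif stage == "phase2-fail":
            summary["phase2"] = "failed"
            summary["blocking_error"] = summary["blocking_error"] or meaning
        elif stage == "stale":
            summary["stale_retries"] += 1
    return summary


# Constructed excerpts modelled on the thread's two stages of failure.
MAIN_MODE_ATTEMPT = [
    "Apr 03 18:57:17 [IKEv1]: Group = 198.51.100.74, IP = 198.51.100.74, Can't find a valid tunnel group, aborting...!",
    "Apr 03 18:57:27 [IKEv1]: IP = 198.51.100.74, Header invalid, missing SA payload! (next payload = 4)",
]
AGGRESSIVE_ATTEMPT = [
    "Apr 09 12:03:06 [IKEv1]: IP = 198.51.100.74, Connection landed on tunnel_group MT",
    "Apr 09 12:03:06 [IKEv1]: Group = MT, IP = 198.51.100.74, PHASE 1 COMPLETED",
    "Apr 09 12:03:06 [IKEv1]: Group = MT, IP = 198.51.100.74, Static Crypto Map check, map = OutSide_map, seq = 40, ACL does not match proxy IDs src:192.168.88.0 dst:192.168.10.0",
    "Apr 09 12:03:06 [IKEv1]: Group = MT, IP = 198.51.100.74, Static Crypto Map check, map = OutSide_map, seq = 50, ACL does not match proxy IDs src:192.168.88.0 dst:192.168.10.0",
    "Apr 09 12:03:06 [IKEv1]: Group = MT, IP = 198.51.100.74, IKE Remote Peer configured for crypto map: OutSide_dyn_map",
    "Apr 09 12:03:06 [IKEv1]: Group = MT, IP = 198.51.100.74, All IPSec SA proposals found unacceptable!",
]

if __name__ == "__main__":
    for name, excerpt in (("main mode", MAIN_MODE_ATTEMPT), ("aggressive mode", AGGRESSIVE_ATTEMPT)):
        print(name, triage(excerpt))
```

Run against the first excerpt the summary reports phase 1 failed with no tunnel-group and one stale retry; against the second it reports tunnel-group MT, phase 1 ok, two static entries skipped, OutSide_dyn_map selected and phase 2 failed on the proposal, which is exactly the progression the thread went through.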

I’d interpret your ASA logs as “I see you have a matching dynamic map, but none of the proposals configured are matching”.
Do you possibly have other dynamic maps with seq < 110 that may potentially match your inner-tunnel network pair?

Yes there really is.

crypto dynamic-map OutSide_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map OutSide_dyn_map 110 match address OutSide_cryptomap_110
crypto dynamic-map OutSide_dyn_map 110 set transform-set ESP-AES-256-SHA

crypto map OutSide_map 65535 ipsec-isakmp dynamic OutSide_dyn_map
crypto map OutSide_map interface OutSide

crypto isakmp enable OutSide

tunnel-group **MyGroup** type ipsec-ra
tunnel-group **MyGroup** general-attributes
 address-pool Hpool
 default-group-policy **MyGroup**
tunnel-group **MyGroup** ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 20 retry 3

This is the tunnel for software connections,
where there is also a password for the group and one for the user.
I wrote about this before.

Well, that explains it. That "software connections" dynamic-map entry does not have "match address" specified, so it matches everything. And it has higher priority because of its lower sequence number. So your ASA picks this dynamic map entry and expects ESP-3DES-SHA to be proposed, which does not match the ESP-AES-256-SHA from the other end of the tunnel (your MikroTik).
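The selection rule described in the reply above (walk the dynamic map by sequence number, an entry with no "match address" matches any proxy IDs, only the first matching entry's transform-sets count) is easy to reproduce, and the model also shows an alternative to the fix the thread then applies. This is an added example, not Cisco code: the transform-set names and sequence numbers are the ones posted, the masked 192.168.x.0 is stood in by 192.168.10.0, and the transform-set name to algorithm mapping is the usual ASA meaning of those names.

```python
"""Model of crypto dynamic-map evaluation on the ASA: entries are walked in
ascending sequence number, an entry without 'match address' matches any
proxy IDs, and only the transform-sets of the first matching entry can be
accepted. Added example, not Cisco code; addresses are illustrative."""
import ipaddress

# Transform-set name -> (ESP encryption, ESP integrity), as configured on the ASA.
TRANSFORM_SETS = {
    "ESP-3DES-SHA": ("3des", "sha1"),
    "ESP-AES-256-SHA": ("aes-256-cbc", "sha1"),
}


class DynMapEntry:
    def __init__(self, seq, transform_sets, match_acl=None):
        self.seq = seq
        self.transform_sets = list(transform_sets)
        # match_acl: list of (local_net, remote_net) from 'permit ip A B'.
        # None means the entry has no 'match address' and matches everything.
        self.match_acl = match_acl

    def matches(self, local_net, remote_net):
        if self.match_acl is None:
            return True
        l, r = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
        return any(ipaddress.ip_network(a) == l and ipaddress.ip_network(b) == r
                   for a, b in self.match_acl)


def select_entry(dyn_map, local_net, remote_net):
    """First entry, by sequence number, whose ACL covers the proxy IDs."""
    for entry in sorted(dyn_map, key=lambda e: e.seq):
        if entry.matches(local_net, remote_net):
            return entry
    return None


def negotiate_phase2(dyn_map, local_net, remote_net, peer_proposals):
    """Return (seq, accepted transform-set) or (seq, None) when the ASA would
    log 'All IPSec SA proposals found unacceptable'. peer_proposals is the
    ordered list of (enc, auth) pairs the initiator offered in Quick Mode;
    the responder takes the first one the selected entry can satisfy."""
    entry = select_entry(dyn_map, local_net, remote_net)
    if entry is None:
        return (None, None)
    for proposal in peer_proposals:
        for name in entry.transform_sets:
            if TRANSFORM_SETS[name] == proposal:
                return (entry.seq, name)
    return (entry.seq, None)


# The map from the thread: seq 20 is the remote-access entry (no ACL),
# seq 110 is the MikroTik site-to-site entry. 192.168.10.0/24 stands in
# for the masked 192.168.x.0/24 (constructed).
OUTSIDE_DYN_MAP = [
    DynMapEntry(20, ["ESP-3DES-SHA"]),
    DynMapEntry(110, ["ESP-AES-256-SHA"],
                match_acl=[("192.168.10.0/24", "192.168.88.0/24")]),
]
LOCAL, REMOTE = "192.168.10.0/24", "192.168.88.0/24"


def as_posted():
    """MikroTik proposes only AES-256: seq 20 wins the lookup and rejects it."""
    return negotiate_phase2(OUTSIDE_DYN_MAP, LOCAL, REMOTE, [("aes-256-cbc", "sha1")])


def with_3des_added_on_mikrotik():
    """The thread's fix: add 3DES to the MikroTik proposal (tunnel runs on 3DES)."""
    return negotiate_phase2(OUTSIDE_DYN_MAP, LOCAL, REMOTE,
                            [("aes-256-cbc", "sha1"), ("3des", "sha1")])


def with_aes_added_to_seq20():
    """Alternative: list ESP-AES-256-SHA on the seq 20 entry as well, so the
    tunnel keeps AES-256 instead of falling back to 3DES."""
    widened = [DynMapEntry(20, ["ESP-3DES-SHA", "ESP-AES-256-SHA"]), OUTSIDE_DYN_MAP[1]]
    return negotiate_phase2(widened, LOCAL, REMOTE, [("aes-256-cbc", "sha1")])


if __name__ == "__main__":
    print(as_posted())                    # (20, None)
    print(with_3des_added_on_mikrotik())  # (20, 'ESP-3DES-SHA')
    print(with_aes_added_to_seq20())      # (20, 'ESP-AES-256-SHA')
```

Note that in every case it is seq 20 that answers, never seq 110: the site-to-site entry with the ACL is unreachable as long as a catch-all entry sits in front of it. Enabling 3DES on the MikroTik, as the thread goes on to do, makes the negotiation succeed but leaves the site-to-site traffic on 3DES; listing the AES-256 transform-set on the catch-all entry (ASA entries accept several transform-sets) gets the same result without that downgrade.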

IPsec Proposal
Encr. Algorithms:
3des - checked

It worked, but again there is some kind of problem.
Logs attached.

If you look:
IPsec Policy Status
PH2 State: established

Pings to the remote network do not go through.

There are no routes on either side.
asa.log (10.2 KB)
Syslog Messages_5.csv (70.3 KB)

ASA log looks good. Mikrotik log looks weird. First, please turn ipsec debug logging off, it’s too noisy to be useful. Second, I noticed timestamps differ dramatically in ASA and Mikrotik logs. Why is that?


Looks good.


How do you test? From where to where? From the router or through the router?


That's normal. In the classic policy-based IPsec world routes do not matter. Only policies matter.

I don't know how to change the level of detail through WinBox. I turned it on:
System - Logging
Topics - IPsec
Action - remote (this is my log server)

The ASA and MikroTik clocks are synchronized.

host (sends ping) - mikrotik ==== inet ==== asa - host (answers ping)
mikrotik (sends ping) ==== inet ==== asa - host (answers ping)

On command line it would be /system logging add topics=ipsec,!packet,!debug action=remote. Should not be difficult to figure out how to do that in WinBox.


The first case should just work. In the second case please make sure you explicitly specify a suitable source IP address for the ping command.
Anyways, since phase2 seems to be established, it must be something else that blocks the traffic. ASA accepts all inner-tunnel traffic by default, but RouterOS does not. First, make sure you have NAT-exempt rules in place. Second, try disabling all your block rules in the firewall for a short period of time just to see if ping starts working.

Attached files.

I'm afraid to turn off the rules.
It seems to me that the NO NAT rules on the MikroTik are missing.
2.jpg
1.jpg
Syslog Messages_6.csv (512 Bytes)
asa.log (6.35 KB)

Yep, that’s what I meant when I wrote “make sure you have NAT-exempt rules in place”.
In terminal run the following:

/ip firewall nat add place-before=0 chain=srcnat action=accept src-address=192.168.88.0/24 dst-address=192.168.x.0/24