phatone007
just joined
Topic Author
Posts: 2
Joined: Tue Apr 26, 2016 3:07 am

VPN from MT to Cisco No phase 2

Tue May 22, 2018 12:35 am

VPN tunnel just stopped working on the weekend (fine for 3 months) and states no phase 2.
No changes made, please help!

Cisco Firewall log
fw-827710-520299# show logging | in 203.118.155.156
May 20 2018 20:42:35: %ASA-5-713119: Group = 203.118.155.156, IP = 203.118.155.156, PHASE 1 COMPLETED
May 20 2018 20:42:36: %ASA-5-713904: Group = 203.118.155.156, IP = 203.118.155.156, All IPSec SA proposals found unacceptable!
May 20 2018 20:42:36: %ASA-3-713902: Group = 203.118.155.156, IP = 203.118.155.156, QM FSM error (P2 struct &0xc84f9e30, mess id 0xf1a626b1)!
May 20 2018 20:42:36: %ASA-3-713902: Group = 203.118.155.156, IP = 203.118.155.156, Removing peer from correlator table failed, no match!
May 20 2018 20:42:36: %ASA-6-713905: Group = 203.118.155.156, IP = 203.118.155.156, Warning: Ignoring IKE SA (src) without VM bit set
May 20 2018 20:42:36: %ASA-5-713259: Group = 203.118.155.156, IP = 203.118.155.156, Session is being torn down. Reason: Phase 2 Mis


Mikrotik
/ip ipsec policy
src-address=10.0.0.0/24 src-port=any dst-address=192.168.100.0/22 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=203.118.155.156 sa-dst-address=50.56.61.212 proposal=Rackspace ph2-count=0

/ip ipsec proposal
name="Rackspace" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024

/ip ipsec peer
address=50.56.61.212/32 auth-method=pre-shared-key secret="<Secret>"
generate-policy=no policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=sha1 enc-algorithm=3des dh-group=modp1024 lifetime=1d
dpd-interval=disable-dpd

/log ipsec
ipsec,info initiate new phase 1 (Identity Protection): 203.118.155.156[500]<=>50.56.61.212[500]
may/22 09:04:08 ipsec,info ISAKMP-SA established 203.118.155.156[500]-50.56.61.212[500] spi:ecf5d15b4aa0ab1b:cae1a78de5eacde8
may/22 09:04:08 ipsec,info purging ISAKMP-SA 203.118.155.156[500]<=>50.56.61.212[500] spi=ecf5d15b4aa0ab1b:cae1a78de5eacde8.
may/22 09:04:08 ipsec,info ISAKMP-SA deleted 203.118.155.156[500]-50.56.61.212[500] spi:ecf5d15b4aa0ab1b:cae1a78de5eacde8 rekey:1
 
RiFF
newbie
Posts: 36
Joined: Sun Apr 29, 2018 9:35 pm

Re: VPN from MT to Cisco No phase 2

Tue May 22, 2018 12:50 am

What version of RouterOS and ASA OS do you have? First, you should try using a new pre-shared key (I saw one problem with phase 2 between MT and ASA; after changing the key the tunnel reconnected correctly),
and second, post the crypto map from the ASA in this topic to compare the IPsec config ;)
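Since the ASA crypto map is not in the thread, the following added example (not code from the thread, nor from MikroTik or Cisco) does the two checks the replies ask for: it classifies the ASA syslog lines quoted in the first post by IKE phase, using only the message IDs that appear there (713119 PHASE 1 COMPLETED, 713904 proposals unacceptable, 713902 QM FSM error), and it diffs a RouterOS `/ip ipsec proposal` line against an ASA crypto map, translating RouterOS algorithm names into ASA transform-set keywords. The ASA crypto-map text, the map name `outside_map`, the transform-set names and the "fixed" variant are constructed for illustration and are assumptions; the default of `group2` for a bare `set pfs` is the documented ASA default. The RouterOS parser also accepts comma-separated algorithm lists, which goes beyond the single-algorithm proposal in the post.

```python
"""Classify an IKEv1 failure from ASA log lines and diff a RouterOS
phase-2 proposal against an ASA crypto map (added example, not from the thread)."""
import re

# Constructed from the ASA log lines quoted in the first post (trimmed).
ASA_LOG = """\
May 20 2018 20:42:35: %ASA-5-713119: Group = 203.118.155.156, IP = 203.118.155.156, PHASE 1 COMPLETED
May 20 2018 20:42:36: %ASA-5-713904: Group = 203.118.155.156, IP = 203.118.155.156, All IPSec SA proposals found unacceptable!
May 20 2018 20:42:36: %ASA-3-713902: Group = 203.118.155.156, IP = 203.118.155.156, QM FSM error (P2 struct &0xc84f9e30, mess id 0xf1a626b1)!
"""

# The RouterOS proposal from the post.
ROUTEROS_PROPOSAL = 'name="Rackspace" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m pfs-group=modp1024'

# Hypothetical ASA side (constructed; the real crypto map was not posted).
ASA_CRYPTO_MAP = """\
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 10 set pfs group2
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 10 set security-association lifetime seconds 1800
"""
# Same map with a transform-set that matches the RouterOS proposal (constructed).
ASA_CRYPTO_MAP_FIXED = ASA_CRYPTO_MAP.replace("esp-aes esp-sha-hmac", "esp-3des esp-sha-hmac")

MSG_RE = re.compile(r"%ASA-\d-(\d{6}):")

def classify_asa_log(text):
    """'phase1-failed' if PHASE 1 COMPLETED (713119) never appears,
    'phase2-rejected' if phase 1 completed but quick mode was refused
    (713904 / 713902), otherwise 'no-error-seen'."""
    ids = MSG_RE.findall(text)
    if "713119" not in ids:
        return "phase1-failed"
    if "713904" in ids or "713902" in ids:
        return "phase2-rejected"
    return "no-error-seen"

# RouterOS name -> ASA transform-set keyword / DH group name.
ENC = {"des": "esp-des", "3des": "esp-3des", "aes-128-cbc": "esp-aes",
       "aes-192-cbc": "esp-aes-192", "aes-256-cbc": "esp-aes-256"}
AUTH = {"md5": "esp-md5-hmac", "sha1": "esp-sha-hmac"}
PFS = {"none": None, "modp768": "group1", "modp1024": "group2",
       "modp1536": "group5", "modp2048": "group14"}
UNIT = {"d": 86400, "h": 3600, "m": 60, "s": 1}

KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')

def parse_routeros_kv(line):
    """Turn 'a=b c="d e"' style RouterOS export output into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def routeros_seconds(value):
    """RouterOS lifetime such as '30m' or '1d' -> seconds."""
    return sum(int(n) * UNIT[u] for n, u in re.findall(r"(\d+)([dhms])", value))

def parse_asa_crypto_map(text):
    """Collect transform-sets and the pfs / transform-set / lifetime settings of the map."""
    tsets, entry = {}, {"transform_sets": [], "pfs": None, "lifetime": None}
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            tsets[words[4]] = set(words[5:])
        elif words[:2] == ["crypto", "map"]:
            rest = words[4:]                     # after "crypto map <name> <seq>"
            if rest[:2] == ["set", "pfs"]:
                entry["pfs"] = rest[2] if len(rest) > 2 else "group2"   # ASA default
            elif rest[:3] == ["set", "ikev1", "transform-set"]:
                entry["transform_sets"] = rest[3:]
            elif rest[:2] == ["set", "transform-set"]:                  # pre-8.4 syntax
                entry["transform_sets"] = rest[2:]
            elif rest[:4] == ["set", "security-association", "lifetime", "seconds"]:
                entry["lifetime"] = int(rest[4])
    return tsets, entry

def compare_phase2(routeros_proposal, asa_crypto_map):
    """Return a list of phase-2 mismatches; an empty list means the
    RouterOS proposal is acceptable to the ASA crypto map entry."""
    p = parse_routeros_kv(routeros_proposal)
    tsets, entry = parse_asa_crypto_map(asa_crypto_map)
    problems = []
    offers = [{ENC[e], AUTH[a]} for e in p["enc-algorithms"].split(",")
              for a in p["auth-algorithms"].split(",")]
    accepted = [tsets[n] for n in entry["transform_sets"] if n in tsets]
    if not any(o in accepted for o in offers):
        problems.append("transform-set: RouterOS offers %s, ASA accepts %s"
                        % ([sorted(o) for o in offers], [sorted(a) for a in accepted]))
    pfs = PFS.get(p.get("pfs-group", "none"))
    if pfs != entry["pfs"]:
        problems.append("pfs: RouterOS %s (%s) vs ASA %s" % (p.get("pfs-group", "none"), pfs, entry["pfs"]))
    life = routeros_seconds(p.get("lifetime", "30m"))
    if entry["lifetime"] is not None and life != entry["lifetime"]:
        problems.append("note: lifetime %ss vs ASA %ss (negotiated down, not fatal)" % (life, entry["lifetime"]))
    return problems

if __name__ == "__main__":
    print(classify_asa_log(ASA_LOG))
    for line in compare_phase2(ROUTEROS_PROPOSAL, ASA_CRYPTO_MAP):
        print(line)
```

Run against the constructed map the script reports a transform-set mismatch (3des/sha1 offered, esp-aes/esp-sha-hmac accepted), which is exactly the situation behind "All IPSec SA proposals found unacceptable"; against the fixed map it reports nothing. The same comparison is worth running whenever a tunnel that "worked for months" dies without a local change, since the remote side's transform-set or PFS group is the usual thing that silently moved.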
 
Jamesits
newbie
Posts: 25
Joined: Thu Jul 13, 2017 10:15 am

Re: VPN from MT to Cisco No phase 2

Tue May 22, 2018 12:45 pm

/system logging add topics=ipsec,!debug
on your RouterOS... You will see some useful IPsec log output; the default log explains nothing.
