VPN Cisco router with Cisco firewall

Deleted user (topic starter)
Hmm, where to start? I want a site-to-site IPsec VPN connection between two locations: an ASA 5500 firewall (LAN: 10.6.1.0/24) and a Cisco 2800 router (LAN: 10.7.1.0/24). Both locations use NAT. The VPN connection does not work (the connection itself works; I can ping the public addresses). I have already tried all sorts of things, but I can't figure it out any more. I hope you can help me further.

I believe I have configured everything correctly. When I try to ping (LAN addresses), I get a long list of debug output, which is given below. I have also included the important parts of my configs. I have already fiddled with the ISAKMP values, but I can't get it working. I think it goes wrong during the negotiation of the ISAKMP values?

Where does it go wrong :X ? Ideas?

DEBUG output --------------------------------------------------------------------------------------------------

(IP_Public_Dest = public IP address (hidden))

This is a ping from 10.7.1.0 to 10.6.1.0 with a source address from the 10.7.1.x range

Apr 6 21:20:29.249: ISAKMP:(0): SA request profile is (NULL)
Apr 6 21:20:29.249: ISAKMP: Created a peer struct for IP_Public_Dest, peer port 500
Apr 6 21:20:29.249: ISAKMP: New peer created peer = 0x4770D5D8 peer_handle = 0x80000010
Apr 6 21:20:29.249: ISAKMP: Locking peer struct 0x4770D5D8, refcount 1 for isakmp_initiator
Apr 6 21:20:29.249: ISAKMP: local port 500, remote port 500
Apr 6 21:20:29.249: ISAKMP: set new node 0 to QM_IDLE
Apr 6 21:20:29.249: insert sa successfully sa = 4769E81C
Apr 6 21:20:29.249: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Apr 6 21:20:29.249: ISAKMP:(0):found peer pre-shared key matching IP_Public_Dest
Apr 6 21:20:29.249: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Apr 6 21:20:29.249: ISAKMP:(0): constructed NAT-T vendor-07 ID
Apr 6 21:20:29.249: ISAKMP:(0): constructed NAT-T vendor-03 ID
Apr 6 21:20:29.249: ISAKMP:(0): constructed NAT-T vendor-02 ID
Apr 6 21:20:29.249: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Apr 6 21:20:29.249: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1

Apr 6 21:20:29.249: ISAKMP:(0): beginning Main Mode exchange
Apr 6 21:20:29.249: ISAKMP:(0): sending packet to IP_Public_Dest my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 6 21:20:29.249: ISAKMP:(0):Sending an IKE IPv4 Packet.
Apr 6 21:20:29.253: ISAKMP (0:0): received packet from IP_Public_Dest dport 500 sport 500 Global (N) NEW SA
Apr 6 21:20:29.257: %CRYPTO-4-IKMP_NO_SA: IKE message from IP_Public_Dest has no SA and is not an initialization offer....
Apr 6 21:20:37.253: ISAKMP (0:0): received packet from IP_Public_Dest dport 500 sport 500 Global (N) NEW SA.
Apr 6 21:20:39.253: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 6 21:20:39.253: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Apr 6 21:20:39.253: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Apr 6 21:20:39.253: ISAKMP:(0): sending packet to IP_Public_Dest my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 6 21:20:39.253: ISAKMP:(0):Sending an IKE IPv4 Packet.
Apr 6 21:20:39.253: ISAKMP (0:0): received packet from IP_Public_Dest dport 500 sport 500 Global (N) NEW SA
Apr 6 21:20:47.253: ISAKMP (0:0): received packet from IP_Public_Dest dport 500 sport 500 Global (N) NEW SA
Apr 6 21:20:49.253: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 6 21:20:49.253: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Apr 6 21:20:49.253: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Apr 6 21:20:49.253: ISAKMP:(0): sending packet to IP_Public_Dest my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 6 21:20:49.253: ISAKMP:(0):Sending an IKE IPv4 Packet.
Apr 6 21:20:59.249: ISAKMP: set new node 0 to QM_IDLE
Apr 6 21:20:59.249: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 145.103.252.69, remote IP_Public_Dest)
Apr 6 21:20:59.249: ISAKMP: Error while processing SA request: Failed to initialize SA
Apr 6 21:20:59.249: ISAKMP: Error while processing KMI message 0, error 2.
Apr 6 21:20:59.253: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 6 21:20:59.253: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Apr 6 21:20:59.253: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Apr 6 21:20:59.253: ISAKMP:(0): sending packet to IP_Public_Dest my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 6 21:20:59.253: ISAKMP:(0):Sending an IKE IPv4 Packet.
Apr 6 21:20:59.257: ISAKMP (0:0): received packet from IP_Public_Dest dport 500 sport 500 Global (N) NEW SA
Apr 6 21:21:07.253: ISAKMP (0:0): received packet from IP_Public_Dest dport 500 sport 500 Global (N) NEW SA
Apr 6 21:21:09.253: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 6 21:21:09.253: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Apr 6 21:21:09.253: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Apr 6 21:21:09.253: ISAKMP:(0): sending packet to IP_Public_Dest my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 6 21:21:09.253: ISAKMP:(0):Sending an IKE IPv4 Packet.
Apr 6 21:21:09.253: ISAKMP (0:0): received packet from IP_Public_Dest dport 500 sport 500 Global (N) NEW SA
Apr 6 21:21:17.253: ISAKMP (0:0): received packet from IP_Public_Dest dport 500 sport 500 Global (N) NEW SA
Apr 6 21:21:19.253: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 6 21:21:19.253: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Apr 6 21:21:19.253: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Apr 6 21:21:19.253: ISAKMP:(0): sending packet to IP_Public_Dest my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 6 21:21:19.253: ISAKMP:(0):Sending an IKE IPv4 Packet.
Apr 6 21:21:29.253: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Apr 6 21:21:29.253: ISAKMP:(0):peer does not do paranoid keepalives.

Apr 6 21:21:29.253: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer IP_Public_Dest)
Apr 6 21:21:29.253: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer IP_Public_Dest)
Apr 6 21:21:29.253: ISAKMP: Unlocking peer struct 0x4770D5D8 for isadb_mark_sa_deleted(), count 0
Apr 6 21:21:29.253: ISAKMP: Deleting peer node by peer_reap for IP_Public_Dest: 4770D5D8
Apr 6 21:21:29.253: ISAKMP:(0):deleting node 2080035807 error FALSE reason "IKE deleted"
Apr 6 21:21:29.253: ISAKMP:(0):deleting node 2099213237 error FALSE reason "IKE deleted"
Apr 6 21:21:29.253: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Apr 6 21:21:29.253: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA

Apr 6 21:22:19.253: ISAKMP:(0):purging node 2080035807
Apr 6 21:22:19.253: ISAKMP:(0):purging node 2099213237
Apr 6 21:22:29.253: ISAKMP:(0):purging SA., sa=4769E81C, delme=4769E81C

Router config --------------------------------------------------------------------------------------------------

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key TEST address IP_DEST no-xauth
!
!
crypto ipsec transform-set TRANS esp-3des esp-sha-hmac
!

crypto map VPN 10 ipsec-isakmp
set peer IP_DEST
set transform-set TRANS
set pfs group2
match address 101
!
!
!
!
!
!
!
interface FastEthernet0/0
ip nat outside
crypto map VPN
!
ip nat source route-map POLICY-NAT interface FastEthernet0/0 overload
ip nat inside source static 10.7.1.1 IP_DEST route-map POLICY-NAT extendable
!
ip access-list extended NAT
deny ip 10.7.1.0 0.0.0.255 10.6.1.0 0.0.0.255
permit ip any any
!

access-list 101 permit ip 10.7.1.0 0.0.0.255 10.6.1.0 0.0.0.255

!
route-map POLICY-NAT permit 10
match ip address NAT

ASA config --------------------------------------------------------------------------------------------------

crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 1212
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 3600
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto isakmp nat-traversal 10

tunnel-group IP_Public_Dest type ipsec-l2l
tunnel-group IP_Public_Dest general-attributes
default-group-policy VPN_VESTIGINGEN_Policy
tunnel-group IP_Public_Dest ipsec-attributes
pre-shared-key *

crypto map outside_map 9 match address outside_9_cryptomap
crypto map outside_map 9 set pfs
crypto map outside_map 9 set peer IP_Public_Dest
crypto map outside_map 9 set transform-set ESP-3DES-SHA

access-list outside_9_cryptomap extended permit ip 10.6.1.0 255.255.255.0 10.7.1.0 255.255.255.0
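The debug above ends with "Death by retransmission P1" while the initiator never leaves MM_NO_STATE. The following is an added example, not code from the post: it reduces an IOS `debug crypto isakmp` capture to the facts that matter for Phase 1 (negotiation mode, the state chain, how many Phase 1 retransmits were made, how the peer's packets were classified, and the recorded reason the SA was deleted) and derives a one-word verdict. `SAMPLE` is a constructed excerpt of the posted log; the verdict labels are this example's own, not IOS messages.

```python
"""Triage an IOS `debug crypto isakmp` capture for an IKEv1 Phase 1 failure.

Added example, not code from the post. SAMPLE is a constructed excerpt of the
posted debug, trimmed to the lines the parser keys on.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = """\
Apr 6 21:20:29.249: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Apr 6 21:20:29.249: ISAKMP:(0):found peer pre-shared key matching IP_Public_Dest
Apr 6 21:20:29.249: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Apr 6 21:20:29.249: ISAKMP:(0): sending packet to IP_Public_Dest my_port 500 peer_port 500 (I) MM_NO_STATE
Apr 6 21:20:29.253: ISAKMP (0:0): received packet from IP_Public_Dest dport 500 sport 500 Global (N) NEW SA
Apr 6 21:20:29.257: %CRYPTO-4-IKMP_NO_SA: IKE message from IP_Public_Dest has no SA and is not an initialization offer....
Apr 6 21:20:39.253: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Apr 6 21:20:49.253: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Apr 6 21:20:59.253: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Apr 6 21:21:09.253: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Apr 6 21:21:19.253: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Apr 6 21:21:29.253: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer IP_Public_Dest)
Apr 6 21:21:29.253: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
SENT_RE = re.compile(r"sending packet to (\S+) my_port")
RECV_RE = re.compile(r"received packet from (\S+) dport \d+ sport \d+ \S+ \(\w\) (.+)$")
RETRANS_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)" state \(\w\) (\S+)')


@dataclass
class Phase1Summary:
    peer: Optional[str] = None
    mode: Optional[str] = None            # "main" or "aggressive"
    psk_found: bool = False               # a pre-shared key matched the peer address
    states: List[str] = field(default_factory=list)   # chain of "New State" values
    sent: int = 0                         # IKE packets this side sent
    received: Dict[str, int] = field(default_factory=dict)  # how peer packets were classified
    no_sa_events: int = 0                 # %CRYPTO-4-IKMP_NO_SA occurrences
    retransmits: int = 0                  # highest Phase 1 retransmit attempt seen
    max_retransmits: int = 0
    delete_reason: Optional[str] = None
    delete_state: Optional[str] = None


def parse_isakmp_debug(text: str) -> Phase1Summary:
    s = Phase1Summary()
    for line in text.splitlines():
        low = line.lower()
        if "trying main mode" in low or "beginning main mode" in low:
            s.mode = "main"
        elif "beginning aggressive mode" in low:
            s.mode = "aggressive"
        if "found peer pre-shared key matching" in line:
            s.psk_found = True
        if m := STATE_RE.search(line):
            s.states.append(m.group(2))
        if m := SENT_RE.search(line):
            s.peer, s.sent = m.group(1), s.sent + 1
        if m := RECV_RE.search(line):
            s.peer = s.peer or m.group(1)
            kind = m.group(2).rstrip(".")          # e.g. "NEW SA"
            s.received[kind] = s.received.get(kind, 0) + 1
        if "IKMP_NO_SA" in line:
            s.no_sa_events += 1
        if m := RETRANS_RE.search(line):
            s.retransmits = max(s.retransmits, int(m.group(1)))
            s.max_retransmits = int(m.group(2))
        if m := DELETE_RE.search(line):
            s.delete_reason, s.delete_state = m.group(1), m.group(2)
    return s


def phase1_verdict(s: Phase1Summary) -> str:
    """Labels are this example's own shorthand for what the capture shows."""
    if any(st.endswith("P1_COMPLETE") for st in s.states):
        return "phase1-complete"
    if s.delete_reason and "retransmission P1" in s.delete_reason:
        if s.no_sa_events:
            # Packets came back from the peer, but IOS could not tie them to the
            # SA it initiated and did not accept them as a fresh offer either.
            return "peer-replied-but-unmatched"
        if not s.received:
            return "no-reply-from-peer"           # nothing arrived on UDP/500 at all
        return "peer-replied-not-processed"
    return "inconclusive"


def phase1_report(text: str) -> str:
    s = parse_isakmp_debug(text)
    return "\n".join([
        f"peer: {s.peer}  mode: {s.mode}  psk found: {s.psk_found}",
        f"states: {' -> '.join(s.states)}",
        f"sent: {s.sent}  received: {s.received}  IKMP_NO_SA: {s.no_sa_events}",
        f"phase 1 retransmits: {s.retransmits}/{s.max_retransmits}",
        f"deleted: {s.delete_reason!r} in {s.delete_state}",
        f"verdict: {phase1_verdict(s)}",
    ])


if __name__ == "__main__":
    print(phase1_report(SAMPLE))
```

The distinction the verdict draws is the one worth making before touching any policy: with `no-reply-from-peer` the question is transport (filtering or routing of UDP/500 and UDP/4500), whereas `peer-replied-but-unmatched`, which is what the posted log shows, means the far side did answer and the next step is the same debug on the other side to see what it was answering to.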

ik222
The logs indicate that something does indeed go wrong in the negotiation, so the tunnel is not established. You constantly see errors pointing to that, and eventually, after a number of attempts, it stops trying and fails for good.

Unfortunately, I don't know enough about Cisco specifically to see why it goes wrong.

Ximon
I think something goes wrong in IKE:

code:
Apr 6 21:20:29.257: %CRYPTO-4-IKMP_NO_SA: IKE message from IP_Public_Dest has no SA and is not an initialization offer....

IPsec overview pt. 4
Main mode has three two-way exchanges between the initiator and the receiver.

First exchange: The algorithms and hashes used to secure the IKE communications are agreed upon in matching IKE SAs in each peer.
I think there are differences between the SAs you have configured on the two endpoints. I don't have enough experience with this myself to point directly at the configuration line where it goes wrong, but I hope this gives you a nudge in the right direction. Maybe this is of some use to you.

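Ximon's suspicion is a Phase 1 proposal mismatch. One way to check that mechanically, as an added example that is not code from the thread: parse the `crypto isakmp policy` blocks of both posted configs, fill in the vendor defaults for attributes a block leaves out, and list every initiator/responder pair that would agree. Assumptions: IOS defaults for omitted attributes are des/sha/rsa-sig/group 1/86400 s (the router's policy omits `hash` and `lifetime`), ASA defaults are 3des/sha/pre-share/group 2/86400 s (irrelevant here, since the posted ASA policies spell out every attribute), and the responder accepts a proposal when encryption, hash, authentication and DH group are equal and the initiator's lifetime does not exceed its own. Run on the posted excerpts it finds router policy 10 matching ASA policies 5 and 65535, so on paper a Phase 1 proposal exists that both sides accept.

```python
"""Check whether two IKEv1 peers have a compatible ISAKMP (Phase 1) policy.

Added example, not code from the thread. ROUTER_CFG and ASA_CFG are excerpts
of the configs posted above.
"""
import re
from typing import Any, Dict, List, Tuple

Policy = Dict[str, Any]

# Defaults applied to attributes a policy block omits (assumption, see lead-in).
IOS_DEFAULTS: Policy = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": 86400}
ASA_DEFAULTS: Policy = {"encryption": "3des", "hash": "sha", "authentication": "pre-share", "group": "2", "lifetime": 86400}

ROUTER_CFG = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key TEST address IP_DEST no-xauth
"""

ASA_CFG = """\
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 1212
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 3600
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 10
"""

POLICY_RE = re.compile(r"^crypto (?:isakmp|ikev1) policy (\d+)$")
ATTRS = ("encr", "hash", "authentication", "group", "lifetime")   # "encr" also matches "encryption"


def parse_isakmp_policies(cfg: str, defaults: Policy) -> Dict[int, Policy]:
    policies: Dict[int, Policy] = {}
    current = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := POLICY_RE.match(line):
            current = int(m.group(1))
            policies[current] = dict(defaults)        # start from the vendor defaults
            continue
        if current is None or not line or line.startswith("!"):
            continue
        if not line.startswith(ATTRS):
            current = None                            # any other command ends the block
            continue
        key, value = line.split(None, 1)
        key = "encryption" if key.startswith("encr") else key
        policies[current][key] = int(value) if key == "lifetime" else value
    return policies


def mismatches(initiator: Policy, responder: Policy) -> List[str]:
    """Attributes on which the responder would reject the initiator's proposal."""
    bad = [k for k in ("encryption", "hash", "authentication", "group") if initiator[k] != responder[k]]
    if initiator["lifetime"] > responder["lifetime"]:  # a shorter lifetime may be proposed, a longer one not
        bad.append("lifetime")
    return bad


def find_matches(initiator: Dict[int, Policy], responder: Dict[int, Policy]) -> List[Tuple[int, int]]:
    return [(i, r) for i, ip in sorted(initiator.items())
            for r, rp in sorted(responder.items()) if not mismatches(ip, rp)]


def report(initiator: Dict[int, Policy], responder: Dict[int, Policy]) -> str:
    lines = []
    for i, ip in sorted(initiator.items()):
        for r, rp in sorted(responder.items()):
            bad = mismatches(ip, rp)
            lines.append(f"initiator {i} vs responder {r}: " + ("MATCH" if not bad else "differs on " + ", ".join(bad)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_isakmp_policies(ROUTER_CFG, IOS_DEFAULTS),
                 parse_isakmp_policies(ASA_CFG, ASA_DEFAULTS)))
```

The per-pair "differs on" output is the useful part when nothing matches: it names the attribute to change rather than leaving you to eyeball two policy lists. Here the only pairs that fail do so on encryption (ASA policy 10 uses des) and on group plus lifetime (ASA policy 1212), which is consistent with the debug never reaching the point where proposals are compared at all.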


Deleted user (topic starter)
Thanks for the link. I had already come across that link before. I have also tried various things in my configs. In my opinion it should work with these configs.

Could it be that a provider is blocking messages, so that messages simply don't arrive between the two points? Does this happen often?

I have already contacted the provider; I had to submit a question digitally. It all takes a very long time, and there is still no answer.