Blog – Allwyn Mascarenhas

Allwyn June 18, 2019

f5 BIG-IP LTM

F5 BigIP ASM Failed to Load Policies Error

Had an absolute surprise when I landed at a client – “to just fine one policy”. The entire policy list was gone and the GUI would only give me a “failed to load policies” after 2 mins of loading the page.

This is on BIGIP v13.1.1.2.

After a little clicking around the GUI – turns out, not just the policies but the network map page, the device management overview page where you sync the devices and the ASM event logs also failing to load.

This looked like the classic ASM db corruption cases, so we followed the K14194: Troubleshooting the BIG-IP ASM MySQL database.

The output I got for the steps there:

Determining the status of the BIG-IP ASM process

This did not give me any down errors for the db.

Determining MySQL status by verifying the MySQL processes

This looked all normal as well.

Determining overall health of MySQL database and table contents

When you run this, just be patient as this took a while on my device

mysqlcheck -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password(user => q{root})'` -A

Most of the checks were OKs, except for these two:

mysql.func OK mysql.general_log Error : You can't use locks with log tables. status : OK mysql.help_category OK mysql.help_keyword OK mysql.help_relation OK mysql.help_topic OK mysql.host OK mysql.ndb_binlog_index OK mysql.plugin OK mysql.proc OK mysql.procs_priv OK mysql.servers OK mysql.slow_log Error : You can't use locks with log tables. status : OK mysql.tables_priv OK

Repairing tables in the MySQL database

Then you run the repair, as all tables do not support it you will see a lot of “note : The storage engine for the table doesn’t support repair”

mysqlcheck -p`perl -MF5::Cfg -e 'print F5::Cfg::get_mysql_password(user => q{root})'` -A -r

But the ones which had the problem were repaired alright, I thought this was it, but nope.

mysql.general_log OK
mysql.help_category OK
mysql.help_keyword OK
mysql.help_relation OK
mysql.help_topic OK
mysql.host OK
mysql.ndb_binlog_index OK
mysql.plugin OK
mysql.proc OK
mysql.procs_priv OK
mysql.servers OK
mysql.slow_log OK
mysql.tables_priv OK

Checking the httpd log.

The GUI pages still did not show up after all this, so in /var/log/httpd/httpd_errors I could see:

Jun 16 11:35:11 Internet_F5_Primary err httpd[29641]: [error] server reached MaxClients setting, consider raising the MaxClients setting

I googled and followed: K9588: Error Message: httpd: [error] server reached MaxClients setting

Restart the daemons which handle the GUI and the ASM.

Follow this order.

bigstart restart httpd tomcat
bigstart restart restjavad
bigstart restart restnoded

After this, I could see all the policies and the remaining pages just like before.

So hope this helps someone google brings here when asked for “bigip asm failed to load policies error“.

Allwyn May 27, 2019

f5 BIG-IP LTM

F5 BIGIP SSL Errors When Fronting Cisco Webex Solution

In a recent case, with BigIP and Cisco webex servers we saw the SSL would break in the browser even while the configuration had no apparent errors.

The VIP on the BigIP hosted the webex over an SSL connection using a client-ssl profile and also used a server-ssl profile.

Cisco webex does not support the solution over HTTP port 80 and hence a server-ssl profile becomes a must.

The perplexing part is also how different browsers dealt with the errors.

Chrome gives you the option to accept the certificate error but then just refreshes the page and comes back to the same page.

Mozilla Firefox just gives you a “secure connection failed” with nothing explained.

Image result for mozilla secure connection failed

Resolution

All this while we were trying to access the webex console in the browser using the IP address only, but in the end, we just decided to give a go with a URL and added a hostname entry to the windows hosts file.

Luckily we chose the name “meeting.domain.com” and the webex console opened perfectly fine with a trusted certificate. Later on trying with the meet.domain.com, the connection started failing again as before.

I scoured the internet for some document which explains whether webex server requires the word “meeting” to be present in the hostname and didn’t find a thing.

Allwyn February 23, 2019

SSL, Tools

OpenSSL – WIndows Installation and Certificate Operation Commands

For some reason OpenSSL packages are hard to find, most of them have some missing binaries etc. and things don’t work correctly.

In the end I found a proper working installer here.

Using it from Windows Command Line CMD

Once installed, you should add it to your environmental variables so you can invoke it from CMD straight away.

Open Start -> System and environmental variables.

Windows openssl environmental variabled — Windows openssl environmental variables

OpenSSL Files Directory

If you create a new file with openssl it goes to your users directory on windows: C:\Users\<username>

To output them to a specific folder you can add path with “path” like:

OpenSSL> genrsa -des -out "C:\anypath\testopenssl.key"

Certificate format change operations

One of the most common uses of having openssl installed is to convert and combine all those different(lord knows why there are no standards!) SSL certificates.

PFX to CRT and KEY

PFX/PKCS12 is a format which combines the certificate and the public key into one file with a .pfx extension. Microsoft AD CA gives you this file. You can divide into the cert and key with:

Then to extra the cert:

openssl pkcs12 -in yourfile.pfx -nokeys -out keyfile-encrypted.pem

To extract the key:

openssl pkcs12 -in yourfile.pfx -nocerts -out keyfile-encrypted.key

Once entered you need to type in the import password of the .pfx file.

This is the password that you used to protect your keypair when you created your .pfx file. If you cannot remember it anymore you can just throw your .pfx file away, cause you won’t be able to import it again, anywhere!.

Once you entered the import password OpenSSL requests you to type in another password, twice!. This new password will protect your .key file.

PEM (.pem, .crt, .cer) to PFX/PKCS12

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile more-int-certs.crt

-certfile more-int-certs.crt > optional, only required if you need to import intermediate certificates too.

This will ask you for a password. To use no pass use:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -nopass

PKCS#7/P7B (.p7b, .p7c) to PFX

P7B files cannot be used to directly create a PFX file. P7B files must be converted to PEM. Once converted to PEM, follow the above steps to create a PFX file from a PEM file.

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt

PKCS7 and PKCS12

These

Testing Client based SSL auth with `s_client`

If you are using certificates to do client auth then you need to use:

openssl s_client -connect website:443 -cert user-cert.cert -key user-key.key

If it fails then the you will see an error with the SSL Handshake failure.

OpenSSL> s_client -connect auc.akmlab.local:443
CONNECTED(00000274)
depth=0 C = US, ST = Dubai, L = dubai, O = orgname, OU = IT, CN = *.akmlab.local, emailAddress = allwyn.mascarenhas@domain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Dubai, L = dubai, O = orgname, OU = IT, CN = *.akmlab.local, emailAddress = allwyn.mascarenhas@domain.com
verify error:num=21:unable to verify the first certificate
verify return:1
8732:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl\record\rec_layer_s3.c:1528:SSL alert number 40

Verifying Certificate Trust

Recently got a case where there seems to be confusion with user certificates and the signing CA certificate, so in these situations you can just quickly verify the trust instead of importing the certs to production only to find out they do not work.

This also helps a lot with intermediate certificates in case you using those.

To verify the trust between an intermediate and CA signing root cert:

OpenSSL> verify -CAfile "C:<path>\akmdc-root.pem" "C:<path>\akmdc-root-intermediate-21feb19.pem"
C:<path>\akmdc-root-intermediate-21feb19.pem: OK

If you using a user cert for SSL client auth along with an intermediate cert and root then use this to check the chain trust all the way to the root:

OpenSSL> verify -CAfile "C:<path>\akmdc-root.pem" "C:<path>\akmdc-root-intermediate-21feb19.pem" "C:<path>\user-cert.pem"
C:<path>\akmdc-root-intermediate-21feb19.pem: OK
C:<path>\user-cert.pem: OK

Notes:

UPDATED: 23 Feb 2019

Allwyn January 26, 2019

Symantec Bluecoat ProxyGS

Symantec/Bluecoat ProxySG Doesn’t Trust RapidSSL Intermediate Certificate

When SSL interception is configured on a full proxy, these errors are quite common mostly due to some websites having expired certificates or the CN in the certificate not matching the actual hostname in the browser.

This is what you see in the browser when the proxysg fails SSL verification of the OCS – original content server.


Untrusted SSL Server Certificate (ssl_server_cert_untrusted_issuer)

Proxysg error Untrusted SSL Server Certificate (ssl_server_cert_untrusted_issuer) — Browser error when proxy fails ssl cert validation

This case was a bit different as the certificate on the site was fine but the proxysg did not trust the intermediate cert in the chain.

Here you can see the RapidSSL intermediate cert when accessing the website directly without the proxy.

If you look at the chrome certificate store the RapidSSL intermediate cert is present under intermediate certs and the Digicert root cert under trusted root certs.

However the cert store on the proxysg only contains the Digicert root cert in its certificate store.

And hence why the connection from the proxy to the server breaks as the proxy doesn’t trust the certificate!

The way out of this is to either use a VPM policy by disabling the server certificate validation in an SSL Access Layer.

vpn policy server cert validation

..or by exporting the RapidSSL intermediate certificate from your browser and importing it to the proxysg. Always apply changes in proxysg for them to take effect.

importing cert to proxysg CA

To import you just open the cert in notepad and paste it using the paste from clipboard option as in the image.

It’s not done, the new cert needs to be added to browser trusted for it to work.

add cert to browser trusted

Once you do either of these the browser should load the page correctly through the proxysg!

Allwyn January 25, 2019

f5 BIG-IP LTM, LABS, Wireshark

F5 BigIP SSL TLS Traffic Decryption Methods and Notes

There are three methods to decrypt SSL encrypted packets on the BigIP:

From Jim Shaver’s blog, using your browser
Using the SSL Decryption Irule
Using the SSLDUMP on the BigIP platform

Jim Shaver’s blog, using your browser

Adding the SSLKEYLOGFILE to environmental setingd

This method simply involves adding a SSLKEYLOG variable to your windows settings and both chrome and firefox will start dumping all the SSL session keys there.

Then you import the file to wireshark under edit > preferences > SSL pre-master session keys.

Note: This only work on Chrome and FF and not on the IE browser.

Using the SSL Decryption Irule

K16700: Decrypting SSL traffic using the SSL::sessionsecret iRules command

You use the below irule on the virtual server and you get the RSA and Master-Key. This decrypts the client of the traffic only.

when CLIENTSSL_HANDSHAKE {
if {[IP::addr [IP::client_addr] equals <client_IP_addr>] } {
log local0. "[TCP::client_port] :: RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
}
}

Once you have the keys you put them in a .pms file like:

sed -e 's/^.*\(RSA Session-ID\)/\1/;tx;d;:x' /var/log/ltm > /var/tmp/sessionsecrets.pms

Then you import them to the same place as with the first method.

Notes:

If you have route domains on your BigIP then don’t forget to add the route domain to the client IP in the irule, if you miss it the traffic will never match the irule and you won’t see any keys being written to the ltm log.

Using the SSLDUMP on the BigIP CLI

This method requires the use of the private key used to encrypt the session and the pcap file to generate the Pre-Master Secret keys.

Once you capture traffic using TCPDUMP on the BigIP and you want to decrypt the client side of the traffic, you just use:

ssldump -r /path/to/capture_file -k /path/to/private_key -M /path/to/pre-master-key_log_file

For example:

ssldump -r /var/tmp/www-ssl-client1.cap -k /config/filestore/files_d/Common_d/certificate_key_d/\:Common\:test.org.key_1 -M /var/tmp/client1.pms

Now you can get the pcap file and the pms using WinSCP and load them into Wireshark 1.6 and later to view the decrypted traffic.

Wireshark Notes

If you are searching for a string match in Wireshark like a name/password use edit > Find packet > set the option to packet details and string.

Footnotes:

UPDATED: 25 JAN 2019.

Allwyn October 4, 2018

Cybersecurity labs cybersecurity labs, f5 labs, paloalto labs, vmware

Understanding VMNETs in VMWARE Workstation

If you are going to learn cybersecurity then the first thing you realize is how you don’t really understand anything till you do it. Good job to whoever came up with;

“I hear, and I forget
I see, and I remember
I do, and I understand.“
— not Confucius

And since most of us don’t have data centers lying around at home, the amazing power of virtualization is all we have.

Initially setting these up gets messy because a lot of “network” guys go almost their entire lives never done anything related to servers as they are not the “server” guy. Well, after a few CBT Nugget videos this thing becomes very straightforward.

Now I will stop rambling and get to the point.

Every VMnet Is Like A Network/Subnet

If you look at my setup below.

VMnet settings on my vmware setup — my setup

This means VMnet1 is a network in the range 10.128.1.0/24. Think of it like a switch and the gateway is your own machine which has a VMnet1 adapter with the IP 10.128.1.1/24.

Quick explanation of the highlighted parts:

I use VMnet1 as management network or OOB network.
Host only – means it doesn’t deal with your host’s IP addresses in anyway and is totally a separate network.
Connect a host virtual adapted to this network option creates a vmnet1 adapter on the host machine, which is your PC and the address can be anything in the subnet range but by default is .1, like mine is 10.128.1.1/24. This is like a cable from your machine to the vmnet1 switch and now your machine can access everything connected to this vmnet1.

DHCP – I disable it as most devices just pick up a random IP then it’s difficult to find, just better assign them manually.
Subnet – For the love of your God, plan your subnets and IP ranges well, or else you will just stop doing labs when you keep forgetting what IP is where, like happened to me for the first 2 years.

A NAT VMnet For Internet Access

This is maybe just my setup. I did it this way for the CBT Nuggets F5 labs.

The only difference is this is a NAT adapter and not host only, so it will NAT the 10.128.10.0/24 range with your host’s IP address and so anything assigned this adapter can go to the internet through 10.128.10.2
Notice the gateway next-hop you have to point to is 10.128.10.2 as .1 is assigned to the vmnet2 adapter on your own host PC.
I use this this as my external vlan, where the virtual servers live in f5 labs and also to give a default route to the f5 to the internet through 10.128.10.2.
You can use it to give internet access to a firewall too, but remember to NAT your internet inside zone LAN to 10.128.10.2 first as that will be a separate private IP address space.
This also puts a vmnet2 adapter on your host machine as explained, which is what lets you connect to the virtual servers if you use this as an external vlan.

One Completely Isolated VMnet

This VMnet cannot be accessed directly from your host machine as it does not “connect a host virtual adapter”. You can only reach him or it to you via a routing device like a firewall or f5.

This is perfect to simulate an inside network in firewall labs and for the internal vlan in f5 labs where you put the back end nodes/servers.

Allwyn September 21, 2018

Bluecoat, Symantec

Changing the Management Certificate on Symantec/Bluecoat ProxySG/ASG

I like the nice green lock which most browsers show up with when using a proper HTTPS config with a good certificate.

I like it so much that I have a trusted cert for all my lab devices. Once of which is a proxysg.

And it took me a good one hour to find the steps to assign a certificate to the proxysg management interface since for some reason it’s not in any of the documentation I looked into.

In the end I found the option just by manually looking at all the options in the GUI. The certificate import method to begin with is weird.

It doesn’t just accept the .pfx file but needs you to import .pem files and you must import the pvt key first.

Here’s the details:

Goto the config > SSL > keyrings > create
Name and import the private key first using the “pasting from clipboard” option
Apply the changes
Then click the pvt key and import the certificate for it again by using the “pasting from clipboard” option
Ref the screenshots below 😀

And once you have the keypair imported in the keyrings, the below screenshot shows you where you assign it to your management interface.

And with that just make sure you have the root certificate in your browser installed and you have nice green secured connection to the proxysg management.

Allwyn September 21, 2018

Bluecoat, Symantec

Symantec/Bluecoat ProxyASG Upgrade to 6.7.3.10 CAS Errors

Had an absolute nightmare of an upgrade, and all this after following the Symantec TAC recommended upgrade path to go to 6.6.5.13 > 6.7.3.2 > 6.7.3.10.

And I also upgraded the proxyasg BMC to the latest version 3.1.2.1 as well, following the steps here.

So the BMC upgrade was done first and then the firmware.

Now I was already aware of some known issues with CAS in these upgrades, but since the TAC recommended the upgrade, I was expecting a smooth sailing — I had plans and God was laughing.

Right after the upgrade I checked the CAS and saw these hideous errors which have no documentation anywhere.

Under Content Analysis > AV Patterns

"error no such interface tap0"

and I saw “unavailable” for services that should be working:

And any traffic going through this box was blocked with this:

“icap_error” an error occured while perfoming an ICAP operation. Uknown error (16:0x0); nonname; Sub File: ; Vendor: Kaspersky Labs; Engine version: unknown; Pattern version: Unknown; Pattern data: Unknown

The box did not do HTTPS inspection so it was only the HTTP websites like bbc.com and example.com which were being blocked. The error makes sense now, since it looks like the box cannot find any icap engine to do the content scanning and due to the “block if not able to scan” was enabled it rightfully did so.

Since there was no information online opening a TAC case was all there was to do.

And that also was for nothing, since the support did not have any idea on what was happening.

With time I think one from their engineering teams joined the session and a restart of ICAP services was recommended.

The restart options are in Content Analysis > Utilities.

After that, all the ugly errors were gone and we saw the AV patterns in Under “Services > AV Patters” were still downloading. Once they downloaded, then the traffic started working through the device.

Later after Symantec log analysis for an RCA, it seems we hit a bug in the 6.7.2.1 and a better upgrade path would have been 6.6.5.13 > 6.7.3.2 > 6.7.3.10.

However, I thought I will just record this info here, in case someone somewhere in a far away galaxy will come looking for these errors at 1AM early morning and will probably save some time.

Allwyn June 14, 2017

Open Source, XAMPP

OsTicket — An open source helpdesk ticketing platform

My friend is looking for a ticketing platform for her place of work in a medium scale advertising, marketing firm.

I evaluated LimeSurvery but seems development on it has stalled and things are little bit difficult to figure out.

Google forms would have worked for this use case as the only requirement is to capture responses to a spreadsheet, but as with most firms, all cloud apps are blocked to prevent data leak and malicious downloads etc.

Now I am reviewing OsTicket.

I have installed it using XAMPP which is a very easy and simply way to run a powerful webserver with Apache, MySQL and Perl on your local workstation. It will easy handle a good amount of traffic for most needs.

Some quick notes to keep in mind while installing OsTicket:

Use this XAMPP installation guide on YouTube.
It’s good to change the default port numbers for your apps where ever you can, but it depends on other considerations too.
To install OsTicket on XAMPP use this video on Youtube.

When creating the MySQL Database and User, you might get something like this:

Error: 1018 SQLSTATE: HY000 (ER_CANT_READ_DIR)
Message: Can’t read dir of ‘%s’ (errno: %d – %s)
this Message takes me to SQL Query in the PHPmyadmin server which shows this,
SHOW PLUGINS SONAME LIKE ‘%_password_check%’

Just create a directory as stated in the answer:

If you installed XAMPP in the default folder C:xampp go and manually create the folder C:xamppmysqllibplugin in Explorer. This should fix the user creation issue

You might get a blank page after you install OsTicket. Like I did and also reported here. Do this:

change
max_execution_time=30

to
max_execution_time=180

in php.ini file and restart all services

Should work now

You find this file in C:xamppphp

You can create a free gmail account and achieve email notifications from the OsTicketing server. Your ticket creating users also get canned responses after creating a ticket!

Some limitations in OsTicket:

If you want to export ticket data to excel, it doesn’t here support selecting the fields to export.
Also it doesn’t allow you to export the internal custom fields which you might have added to your ticket

These features are already in the pipeline.

This is a very easy to use and powerful ticketing platform rivaling the best of support systems out there.

Give it a shot in your lab environment and evaluate it at least once!

Allwyn May 23, 2017

Cisco ASA, IPsec VPN

ASA – IOS Router IPsec VPN Config And Troubleshooting

We will use this network diagram for this lab.

The IPsec VPN will be created between Outside-R and the ASAv.

Traffic from 192.168.20.0/24 and 10.1.1.0/24 subnets will be encrypted using the tunnel.

The tricky part on the ASA is that ASDM doesn’t allow you to remove or let’s say limit the number of cipher suits to be used with the IPsec tunnel which is the phase-2 of the IPsec IKEv1. It’ll be clear with the CLI below.

Here’s the VPN config on the IOS router.

Outside-R#show running-config | section crypto
crypto isakmp policy 1
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ourset esp-aes
crypto map ourmap 1 ipsec-isakmp
set peer 192.168.2.1
set transform-set ourset
match address 100
crypto map ourmap

For the ASA config it’s highly recommended to just use the IPsec VPN wizard from the wizards menu.

Here’s the ASA config from the CLI anyway.

ciscoasa# show running-config cryptocrypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 192.168.2.2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-MD5 ESP-AES-128-MD5-TRANS
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400

I have edited the ASA output to exclude a huge section which is unnecessary and which actually causes the problem.

Let’s see the IOS router debug first.

Outside-R# debug crypto isakmp
*Mar 1 03:15:12.955: ISAKMP:(1001): retransmitting phase 2 QM_IDLE 1349190959 ...
*Mar 1 03:15:12.955: ISAKMP (0:1001): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
*Mar 1 03:15:12.955: ISAKMP (0:1001): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
*Mar 1 03:15:12.955: ISAKMP:(1001): retransmitting phase 2 1349190959 QM_IDLE
*Mar 1 03:15:12.959: ISAKMP:(1001): sending packet to 192.168.2.1 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 1 03:15:12.959: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Mar 1 03:15:12.975: ISAKMP (0:1001): received packet from 192.168.2.1 dport 500 sport 500 Global (R) QM_IDLE
*Mar 1 03:15:12.975: ISAKMP: set new node -619099427 to QM_IDLE
*Mar 1 03:15:12.975: ISAKMP:(1001): processing HASH payload. message ID = -619099427
*Mar 1 03:15:12.975: ISAKMP:(1001): processingNOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 0, message ID = -619099427, sa = 66772820
*Mar 1 03:15:12.975: ISAKMP:(1001):deleting node -619099427 error FALSE reason "Informational (in) state 1"
*Mar 1 03:15:12.975: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 1 03:15:12.975: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

The highlighted part in the last line show us that Phase-1 is complete.

Which means NOTIFY PROPOSAL_NOT_CHOSEN is a phase-2 problem.

And the reason is a mismatch between the ciphers used for the phase 2 negotiation.

Refer back to the config lines on both the devices we see:

crypto ipsec transform-set ourset esp-aes - router

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-MD5 - ASA

These lines show control the phase-2 cipher negotiation and both do look the same, 
here the part which I omitted from the ASA config comes in to play.

Here’s the complete ASA config from the CLI

ciscoasa# show running-config crypto
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 192.168.2.2
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-MD5 ESP-AES-128-MD5-TRANS
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400

Now see the highlighted line above, that’s the only cipher we need – because that’s the one in use on the router or else the phase 2 negotiation won’t match and we keep getting the error as shown in the debug.

The whole confusion is that the ASDM doesn’t properly display this and the only thing you see there is just a single cipher.

Maybe this is a bug or I missed something. But for now to get this VPN to work you simply have to remove all the other non-matching ciphers with a “no” command in the ASA CLI.

That is just keep the one cipher which is highlighted or whichever you use in your case.

no crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
no crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
no crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
no crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
no crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
no crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
no crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
no crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
no crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
no crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
no crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
no crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
no crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
no crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
no crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
no crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
no crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
no crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
no crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
no crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
no crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
no crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
no crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
no crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
no crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
no crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
no crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
no crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
no crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

That’s it. Now your beautiful VPN tunnel will come up the moment you send the interesting traffic.

This entire confusion is because of the way ASDM displays the ciphers.

I hope to find more info on that and update this further.

1 2 3