Changed my pre-shared key, VPN doesn't work now
Hello all,
I recently completed the implementation of the remote access VPN on my ASA 5510; the software is v8.2. It was working fine: I was able to connect, able to do whatever I needed internally on our network, RDP worked, ping, etc. I gave the PCF file to another person in our IT department to test with me before we rolled it out to our users. He then called me to ask for the pre-shared key because he wanted to set it up on his iPad. I then realized that I never made a note anywhere of the pre-shared key I had used.
So I changed it. I deleted the one in the CLI and made a new one. I changed the key on my VPN client and logged in. I can connect properly. But now I can't do ANYTHING in-house. Ping does not work, RDP, nothing. I can't even ping the client connected to the ASA. Is there anything else I need to do? Do I have to redo everything because changing it broke the encryption or something?
Please help, thanks.
Try redoing the configuration of the tunnel group only,
and the computer should be good.
Sent from Cisco Technical Support iPad App
Tags: Cisco Security
Similar Questions
-
I currently use an ASA 5550, version 8.2, with ASDM version 6.2.
I have an ASA 5505 at a remote site and am unable to connect via VPN.
My logs say possibly mismatched pre-shared key.
On my 5550, via the ASDM, I used the command more system:running-config and it will not show my pre-shared key in plain text format; it shows only a *.
Any help would be appreciated.
Hello
The command should work.
I guess you could always consider using the CLI and entering the command there.
If that leads to the same result, you should probably consider whether you might have copied and pasted the ' * ' as the actual PSK at some point?
I created an example tunnel-group on my ASA with the commands:
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key TESTPSK
ASA# sh run tunnel-group 1.1.1.1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *
I check with "more system:running-config":
ASA# more system:running-config | begin tunnel-group 1.1.1.1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key TESTPSK
This works as expected.
- Jouni
-
Is it possible to create an AnyConnect RA VPN with just a username and password plus a (group) pre-shared key for the connection, as one could do for IKEv1 with the Cisco VPN client? I am running 8.4.x ASA code and it looks like the tunnel-group commands have changed somewhat since 8.2.x. If you change the tunnel-group type to remote-access, there is no option for an IKEv2 PSK. This is only available when you choose the type
FW1(config)# tunnel-group TG_TEST type ?

configure mode commands/options:
  ipsec-l2l      IPSec Site-to-Site group
  ipsec-ra       IPSec Remote Access group (DEPRECATED)
  remote-access  Remote access (IPSec and WebVPN) group
  webvpn         WebVPN group (DEPRECATED)
FW1(config-tunnel-general)# tunnel-group TG_TEST ipsec-attributes
FW1(config-tunnel-ipsec)# ?

tunnel-group configuration commands:
  authorization-required  Require users to authorize successfully in order to
                          connect (DEPRECATED)
  chain                   Enable sending certificate chain
  exit                    Exit from tunnel-group IPSec configuration mode
  help                    Help for tunnel-group configuration commands
  ikev1                   Configure IKEv1
  isakmp                  Configure ISAKMP policy
  no                      Remove an attribute value pair
  peer-id-validate        Validate identity of the peer using the peer's
                          certificate
  radius-with-expiry      Enable negotiation of password update during RADIUS
                          authentication (DEPRECATED)
FW1(config-tunnel-ipsec)# ikev1 ?

tunnel-group-ipsec mode commands/options:
  pre-shared-key  Associate a pre-shared key with the connection policy
I'm getting old, so I hope this is not just another curmudgeonly complaint about loss of functionality. :)
Many small businesses do not want to invest in PKI. It is usually a pain to deploy, back up, make redundant, etc.
But it would be nice to have a bit more security on the VPN than just username-and-password connections.
If this is not possible, is it possible to configure the AnyConnect client for IKEv1 with a PSK and group name at the client level?
If this is not possible, WTH did Cisco end the Cisco VPN client as a VPN connection choice (other than to collect more license fees)?
I really hope that something like this still exists!
THX,
WR
You are welcome.
In addition to two-factor, you can also do double authentication (i.e. two sets of username and password). Each set of credentials can come from a different identity store.
With this scheme, you can configure a (common) local username with password on the ASA (think of it as your analog of the PSK) and the other can be the AD user credentials.
-
Dial backup VPN - pre-shared key question
I use dial backup for my DSL connections in case of failure, but on my host router I also use the EZVPN server for client VPN access. The EZVPN server uses xauth for pre-shared key authentication:
crypto isakmp key ? address 0.0.0.0 0.0.0.0
BUT for my backup VPN connection to work, I need to use the dynamic IP as the peer IP address, which requires:
crypto isakmp key ? address 0.0.0.0 0.0.0.0 no-xauth
I tried to set keys for the dial-in subnets, but it always seems to use the default one.
Is this all just not supported, or is there a workaround?
My (main) host router is a Cisco 1841; my remote router is an 877.
Cheers,
Sean
You need to configure ISAKMP profiles on the EzVPN server router.
http://Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a00801dddbb.shtml
That should do it.
-
Hello all,
I would like to know if it's possible to hide the pre-shared key in the router configuration.
By default, you can see it in clear text if you access it on the RV042.
Thanks for your comments.
Kind regards,
HDAM
Hello hdam,
As far as I know, when you are administering the router and access the configuration to set up the VPN, there is no method (or check box) to hide the pre-shared key from plain text.
If security is a concern, perhaps limit who has management access to the VPN router, so not too many users will know the pre-shared key.
-Andrew link
-
Pre-shared key and shared secret
Hello
Is the pre-shared key only used for authentication of the peer, or is it used in the shared secret calculations too? Is there documentation that explains the whole process?
Hello
According to my VPN notes, both are used to build a two-way VPN tunnel. IKEv1 is used for the older site-to-site IPsec VPN:
IKEv1 Main Mode (Phase 1) uses three pairs of messages between peers (six in total):
* Pair 1 consists of the IKEv1 security policies configured on the device: a peer (the initiator) begins by sending one or more IKEv1 policies, and the receiving peer (the responder) answers with its policy choice.
* Pair 2 includes the DH public key exchange: DH creates shared secret keys using the DH group/algorithm agreed in pair 1, and encrypts the nonces (randomly generated numbers) that begin their life as a first exchange between peers. They are then encrypted by the receiving peer, returned to the sender and decrypted using the generated keys.
* Pair 3 is used for ISAKMP authentication: each peer is authenticated and its identity validated using either pre-shared keys or digital certificates. These packets, and all others exchanged later during the negotiations, are encrypted and authenticated using the shared keys and policies agreed in pair 2.
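To make the question above concrete (is the PSK only an authenticator, or does it enter the key material?), here is an added illustration of the RFC 2409 Phase 1 key schedule for pre-shared-key authentication; it is not from the thread, and every byte value is a constructed stand-in (the real g^xy comes from the DH exchange in message pair 2).

```python
"""IKEv1 Phase 1 key schedule with pre-shared-key authentication
(RFC 2409 sections 5 and 5.4), on constructed toy values."""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 PRF: HMAC keyed with the negotiated hash (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def derive_keys(psk: bytes, ni: bytes, nr: bytes, gxy: bytes,
                cky_i: bytes, cky_r: bytes) -> dict:
    """Phase 1 keying material for PSK authentication.

    SKEYID is keyed with the PSK itself, so the PSK is not just an
    authenticator: every later key derives from it plus the DH secret."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")              # seeds IPsec SA keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")   # ISAKMP integrity
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")   # ISAKMP encryption
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def hash_i(skeyid: bytes, gxi: bytes, gxr: bytes, cky_i: bytes, cky_r: bytes,
           sai_b: bytes, idii_b: bytes) -> bytes:
    """HASH_I, the initiator's proof sent (encrypted) in message pair 3."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def responder_accepts(responder_psk: bytes, received_hash_i: bytes, ni, nr,
                      gxy, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bool:
    """The responder recomputes HASH_I with ITS configured PSK and compares."""
    skeyid = derive_keys(responder_psk, ni, nr, gxy, cky_i, cky_r)["SKEYID"]
    expected = hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    return hmac.compare_digest(expected, received_hash_i)


# Constructed toy exchange values (real ones are 8-byte cookies, DH values of
# the negotiated group, and the raw SA/ID payload bodies).
NI, NR = b"initiator-nonce", b"responder-nonce"
CKY_I, CKY_R = b"\x01" * 8, b"\x02" * 8
GXI, GXR, GXY = b"g^xi-public", b"g^xr-public", b"g^xy-shared-secret"
SAI_B, IDII_B = b"sa-payload-body", b"id-payload-body"


def demo(initiator_psk: bytes, responder_psk: bytes) -> tuple:
    """Run one Phase 1 authentication; return (accepted, same SKEYID_e)."""
    keys_i = derive_keys(initiator_psk, NI, NR, GXY, CKY_I, CKY_R)
    keys_r = derive_keys(responder_psk, NI, NR, GXY, CKY_I, CKY_R)
    h = hash_i(keys_i["SKEYID"], GXI, GXR, CKY_I, CKY_R, SAI_B, IDII_B)
    accepted = responder_accepts(responder_psk, h, NI, NR, GXY, GXI, GXR,
                                 CKY_I, CKY_R, SAI_B, IDII_B)
    return accepted, keys_i["SKEYID_e"] == keys_r["SKEYID_e"]


if __name__ == "__main__":
    print(demo(b"TESTPSK", b"TESTPSK"))   # (True, True)
    print(demo(b"TESTPSK", b"OTHERPSK"))  # (False, False): auth fails and keys differ
```

A mismatched PSK therefore fails in two independent ways: HASH_I does not verify, and even the encryption key for the rest of the negotiation differs.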
-
Cisco access point does not recognize a correctly entered WPA pre-shared key
My router is a Cisco DPC/EPC2325 DOCSIS residential gateway with wireless access point. When connecting to the Internet via a wireless adapter, this device does not accept the correct WPA pre-shared key. I have no such problem with another PC. Please advise.
You mean that you fixed it?
Great! Thanks for sharing this info with us!
-
Pre-shared keys used in IKE Phase 1
Hello all,
Need to confirm whether we use pre-shared keys during IKE Phase 1 in both main mode and aggressive mode.
Regards,
Mahesh
The pre-shared key is used in both modes of IKE Phase 1. With pre-shared keys, the same pre-shared key is configured on each IPsec peer. IKE peers authenticate each other by computing and sending a keyed hash of data that includes the pre-shared key.
-
RA VPN does not work on the second outside interface
I've temporarily brought two Internet service providers into our ASA 5510. That works very well. I tried to configure the VPN on our second outside interface (outside-XO) and that does not work. The first/original VPN works great. Can someone look at the config and tell me if I did something wrong? It is not a client issue, because the client is able to connect fine on the first interface. Thank you.
ASA Version 7.1(2)
!
hostname FW01
domain-name dot.com
enable password * encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address *.*.229.200 255.255.255.192
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.2.3 255.255.255.0
!
interface Ethernet0/2
 nameif outside-XO
 security-level 0
 ip address *.*.157.100 255.255.255.192
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.14.254 255.255.255.0
 management-only
!
passwd * encrypted
banner login ATTENTION: this is a private network. Unauthorized intruders WILL BE prosecuted to the full extent of the law!
boot system disk0:/asa712-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
dns server-group DefaultDNS
 domain-name dot.com
same-security-traffic permit intra-interface
object-group service WebServer tcp
 description www and https
 port-object eq https
 port-object eq www
object-group service Mail tcp
 description SMTP POP3 access
 port-object eq pop3
 port-object eq smtp
 port-object eq 32000
object-group service non-standard tcp
 description Port 1429 and 1431
 port-object eq 1431
 port-object eq 1429
object-group service DNS tcp-udp
 description allow outside DNS resolution
 port-object eq domain
object-group service FTP tcp
 description FTP
 port-object eq ftp
object-group service SMTPMail tcp
 description SMTP only access
 port-object eq smtp
object-group service IQWebServer tcp
 description www and port 8082 access
 port-object eq www
 port-object eq 8082
 port-object eq https
 port-object eq 8999
object-group service SFTP tcp
 description SFTP_SSH
 port-object eq ssh
access-list outside_access_in extended permit tcp any host *.*.229.201 object-group WebServer
access-list outside_access_in extended permit tcp any host *.*.229.202 object-group Mail
access-list outside_access_in extended permit tcp any host *.*.229.202 object-group WebServer
access-list outside_access_in extended permit tcp any host *.*.229.202 object-group DNS
access-list outside_access_in extended permit tcp any host *.*.229.203 object-group non-standard
access-list outside_access_in extended permit tcp any host *.*.229.204 object-group WebServer
access-list outside_access_in extended permit tcp any host *.*.229.205 object-group non-standard
access-list outside_access_in extended permit tcp any host *.*.229.208 object-group WebServer
access-list outside_access_in extended permit tcp any host *.*.157.101 object-group WebServer
access-list outside_access_in extended permit tcp any host *.*.157.102 object-group Mail
access-list outside_access_in extended permit tcp any host *.*.157.102 object-group WebServer
access-list outside_access_in extended permit tcp any host *.*.157.102 object-group DNS
access-list outside_access_in extended permit tcp any host *.*.157.103 object-group non-standard
access-list outside_access_in extended permit tcp any host *.*.157.104 object-group WebServer
access-list outside_access_in extended permit tcp any host *.*.157.105 object-group non-standard
access-list outside_access_in extended permit tcp any host *.*.157.108 object-group WebServer
access-list 150 extended permit tcp any any eq smtp
access-list sheep extended permit ip 192.168.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list sheep extended permit ip any 10.1.1.0 255.255.255.240
access-list Splt_tnl standard permit 192.168.0.0 255.255.0.0
access-list Splt_tnl standard permit 10.1.1.0 255.255.255.0
access-list webcap extended permit tcp any host *.*.164.210 eq smtp
access-list webcap extended permit tcp host *.*.164.210 eq smtp any
pager lines 24
logging enable
logging asdm-buffer-size 200
logging buffered critical
logging asdm errors
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu outside-XO 1500
ip local pool VPNpool 10.1.1.1-10.1.1.15 mask 255.255.255.0
ip local pool VPNCisco 192.168.14.244-192.168.14.253 mask 255.255.255.0
icmp permit any inside
asdm image disk0:/asdm512.bin
asdm history enable
arp timeout 14400
global (outside) 1 *.*.229.194
global (outside-XO) 1 *.*.157.66
nat (inside) 0 access-list sheep
nat (inside) 1 192.168.0.0 255.255.0.0
static (inside,outside) tcp *.*.229.202 domain 192.168.14.166 domain netmask 255.255.255.255
static (inside,outside) tcp *.*.229.202 www 192.168.14.2 www netmask 255.255.255.255
static (inside,outside) tcp *.*.229.202 smtp 192.168.14.2 smtp netmask 255.255.255.255
static (inside,outside) tcp *.*.229.202 pop3 192.168.14.2 pop3 netmask 255.255.255.255
static (inside,outside) tcp *.*.229.202 32000 192.168.14.2 32000 netmask 255.255.255.255
static (inside,outside) *.*.229.203 192.168.14.6 netmask 255.255.255.255
static (inside,outside) *.*.229.204 192.168.14.28 netmask 255.255.255.255
static (inside,outside) *.*.229.205 192.168.14.205 netmask 255.255.255.255
static (inside,outside) *.*.229.208 192.168.14.29 netmask 255.255.255.255
static (inside,outside) *.*.229.201 192.168.14.3 netmask 255.255.255.255
static (inside,outside-XO) tcp *.*.157.102 domain 192.168.14.166 domain netmask 255.255.255.255
static (inside,outside-XO) tcp *.*.157.102 www 192.168.14.2 www netmask 255.255.255.255
static (inside,outside-XO) tcp *.*.157.102 smtp 192.168.14.2 smtp netmask 255.255.255.255
static (inside,outside-XO) tcp *.*.157.102 pop3 192.168.14.2 pop3 netmask 255.255.255.255
static (inside,outside-XO) tcp *.*.157.102 32000 192.168.14.2 32000 netmask 255.255.255.255
static (inside,outside-XO) *.*.157.101 192.168.14.3 netmask 255.255.255.255
static (inside,outside-XO) *.*.157.103 192.168.14.6 netmask 255.255.255.255
static (inside,outside-XO) *.*.157.104 192.168.14.28 netmask 255.255.255.255
static (inside,outside-XO) *.*.157.105 192.168.14.205 netmask 255.255.255.255
static (inside,outside-XO) *.*.157.108 192.168.14.29 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group outside_access_in in interface outside-XO
route outside 0.0.0.0 0.0.0.0 *.*.229.193 1
route inside 192.168.0.0 255.255.0.0 192.168.2.1 1
route outside-XO 0.0.0.0 0.0.0.0 *.*.157.65 2
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 480
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc none
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy Cisco internal
group-policy Cisco attributes
 wins-server value 192.168.14.4 192.168.14.11
 dns-server value 192.168.14.4 192.168.14.11
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Splt_tnl
 default-domain value *.com
username * password * encrypted
username * password * encrypted privilege 0
username * password * encrypted
username * password * encrypted
username * password * encrypted
username * password * encrypted privilege 15
username * password * encrypted privilege 15
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.0.0 255.255.0.0 inside
http 192.168.1.0 255.255.255.0 management
http 192.168.14.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside-XO
snmp-server host inside 192.168.14.27 community public
snmp-server location *
snmp-server contact Network Admin
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside-XO_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map outside-XO_map 65535 ipsec-isakmp dynamic outside-XO_dyn_map
crypto map outside-XO_map interface outside-XO
isakmp enable outside
isakmp enable outside-XO
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal 20
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 600 retry 10
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 600 retry 10
tunnel-group Cisco type ipsec-ra
tunnel-group Cisco general-attributes
 address-pool VPNpool
 default-group-policy Cisco
tunnel-group Cisco ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 600 retry 10
telnet 192.168.0.0 255.255.0.0 inside
telnet 192.168.14.109 255.255.255.255 inside
telnet 192.168.14.36 255.255.255.255 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 10
management-access inside
dhcpd lease 3600
dhcpd ping_timeout 50
!
class-map INSPECT
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class INSPECT
  inspect dns
  inspect http
  inspect icmp
  inspect tftp
  inspect ftp
  inspect h323 ras
  inspect h323 h225
  inspect snmp
  inspect sip
  inspect esmtp
 class inspection_default
  inspect ftp
!
service-policy global_policy global
tftp-server inside 192.168.14.21 TFTP-root/.
smtp-server 192.168.14.2
Cryptochecksum:5eedeb06395378ed1c308a70d253c1b6
: end
Hello
Should work.
What I think it is: the routes.
route outside 0.0.0.0 0.0.0.0 *.*.229.193 1
route outside-XO 0.0.0.0 0.0.0.0 *.*.157.65 2
If the first interface is OK, the ASA does not route packets via the second interface, so the VPN will not work through that interface.
On the client, can you ping both outside IPs of the ASA, or only the first?
Try adding a static route on the ASA for the secondary outside interface, pointing to the client's address, then try to connect via VPN and see if it works.
The commands:
sh cry isa sa
sh cry ips sa
will be a big help as well, when the VPN connection attempt fails.
Federico.
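As an added check in the spirit of Federico's diagnosis (this is not from the thread and not Cisco's tooling), the small audit below parses an ASA running-config excerpt and flags every IPsec-terminating interface whose default route is not the one the box actually uses. SAMPLE_CONFIG is a constructed excerpt modelled on the posted config, with documentation addresses in place of the redacted ones.

```python
"""Flag IPsec/ISAKMP-enabled ASA interfaces that are not the active default
route, i.e. the two-ISP situation in the post above."""
import re

# Constructed excerpt, not the poster's real config.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.0.0 255.255.0.0 192.168.2.1 1
route outside-XO 0.0.0.0 0.0.0.0 198.51.100.1 2
crypto map outside_map interface outside
crypto map outside-XO_map interface outside-XO
isakmp enable outside
isakmp enable outside-XO
"""

# 'route <iface> <net> <mask> <gateway> [metric]'; metric defaults to 1
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+\S+(?:\s+(\d+))?")
CRYPTO_MAP_IF_RE = re.compile(r"^crypto map\s+\S+\s+interface\s+(\S+)")
# 7.x/8.2 print 'isakmp enable X'; 8.4 and later print 'crypto isakmp enable X'
ISAKMP_RE = re.compile(r"^(?:crypto\s+)?isakmp enable\s+(\S+)")


def parse(config: str):
    """Return (default_route_metric_by_iface, crypto_map_ifaces, isakmp_ifaces)."""
    defaults, crypto_ifaces, isakmp_ifaces = {}, set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if (m := ROUTE_RE.match(line)):
            iface, net, mask, metric = m.groups()
            if net == "0.0.0.0" and mask == "0.0.0.0":
                defaults[iface] = int(metric or 1)
        elif (m := CRYPTO_MAP_IF_RE.match(line)):
            crypto_ifaces.add(m.group(1))
        elif (m := ISAKMP_RE.match(line)):
            isakmp_ifaces.add(m.group(1))
    return defaults, crypto_ifaces, isakmp_ifaces


def audit(config: str) -> list:
    """One finding per VPN-terminating interface whose default route is not
    the one the ASA uses (higher metric, or no default route on it at all)."""
    defaults, crypto_ifaces, isakmp_ifaces = parse(config)
    if not defaults:
        return ["no default route configured"]
    best = min(defaults.values())
    active = ", ".join(sorted(i for i, m in defaults.items() if m == best))
    findings = []
    for iface in sorted(crypto_ifaces | isakmp_ifaces):
        if iface not in defaults:
            findings.append(f"{iface}: IPsec enabled but no default route on it")
        elif defaults[iface] > best:
            findings.append(
                f"{iface}: IPsec enabled but its default route (metric "
                f"{defaults[iface]}) loses to {active} (metric {best}); replies "
                "to VPN peers will leave via the active interface")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```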
-
I have a big problem with my laptop: it is damaged, and next to the mouse I have a swelling on the inside of the unit. And it doesn't work now! What should I do?
It's probably a battery issue. Take it to your local Apple store for review. Is it still under warranty?
By the way, fill out your profile before asking questions; it is impossible to identify which model you have otherwise.
-
Lightroom: Why edit in External Editor who worked doesn't work now?
In what sense does editing in the external editor not work? What happens when you try?
Which editor are you trying to reach?
People will not be able to help you unless they have a good idea of what is happening.
HAL
-
Serial number provided with the download doesn't work, now what?
Contact support directly by phone or web chat.
Mylenium
-
Hello
What is the maximum key length for a pre-shared key in a VPN configuration, and are all characters allowed?
Robert,
The maximum PSK is 129 characters; I have used all types of characters before without any problem.
HTH.
-
Shared objects: clear() doesn't work!
Hello!
With reference to the thread:
http://forums.Adobe.com/message/4923159
It doesn't work anymore!
That is, it is impossible to remove and get rid of the identifiers that were previously written to disk...
:-(
The file name has not changed.
The directory where the file is has not changed either.
I did not write any statement in my .fla that could interfere with the instructions below.
I always use:
var so:SharedObject = SharedObject(credentials).getLocal("distinctive sign", "/");
so.clear();
I have a checkbox and a listener attached:
memorizeCbx.selected;
var memorizeCbxListener:Object = {};
memorizeCbxListener.click = function() {
    if (!memorizeCbx.selected) {
        var so:SharedObject = SharedObject(credentials).getLocal("distinctive sign", "/");
        so.clear();
    }
    else {
        SharedObject(credentials).data.userName.flush();
        SharedObject(credentials).data.userPass.flush();
    }
};
memorizeCbx.addEventListener("click", memorizeCbxListener);
Does anyone have any idea on what goes wrong?
Thank you all in advance for any solution.
What is SharedObject(credentials)?
SharedObject is a class identifier, and this class has static methods (like getLocal).
-
How can I configure an autonomous access point with a WPA2 pre-shared key?
I worked with the 4400 series WLC and set up Aironet 1140 access points, and they all work without any problems. But when I tried to configure the autonomous access point I couldn't configure the AP with a WPA or WPA2 pre-shared key; I could only configure it with WEP. I would like some help here.
Wi-Fi Protected Access 2 (WPA 2) Configuration Example
http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml
Please rate when useful or appropriate.