Cisco VPN client (ASA) password expiry messages
Hi all
I am looking for a way to change the message displayed on the Cisco VPN client, when a password change is required. This configuration uses an ASA 5520 with Windows 2003 IAS radius for authentication server.
I have configured the option 'password-management' under the tunnel-group, but when the password expires the vpn client prompts you to "enter a new pin code.
This customizable message, for example "Please enter a new password to 8 characters etc.
The original message communicates enough information for the user.
Thank you
Hi Matt,
This is a known defect CSCeh13180 (when using RADIUS with expiry) and there is currently no plan to fix this bug.
But you can try this for one of your VPN client and see if that helps.
you need to change the VPNClient.ini on the PC that installed the VPN Client. Here are the settings you will need...
[RadiusSDI]
NewPinSubStr = "" enter the new password: ""
HTH
Kind regards
JK
Tags: Cisco Security
Similar Questions
-
Configuration of Cisco for Cisco VPN Client ASA 5505
Our firm has finally made the move from Sonicwall Cisco for our SMB customers. Got our first customer with a VPN site-to site solid and you have configured the main router for connections via the Cisco VPN Client VPN Wizard.
When I install the VPN Client on desktop computers that does not capture all the necessary options (unless you have a SSL VPN). I guess that there is a process that I am missing to export a connection profile that Cisco VPN Client users can import for their connection.
There step by step guides to create the connection profile file to distribute to customers?
Hello
The ASDM wizard is for the configuration on the SAA. This wizard will help you complete the VPN configuration on the end of the ASA.
You will need to set the same in the client, so that they can negotiate and connect.
Input connection in the client field, that's what you want to be seen that on the VPN client - it can be any name
Host will be the external ip address of the ASA.
Group options:
name - same tunnel as defined on the ASA group
Password - pre-shared as on ASA.Confirm password - same pre-shared key.
Once this is over, you will see the customer having an entry same as a login entry. You must click on connect there. He will be a guest user and the password. Please enter the login crendentials. VPN connects.
You can distribute the .pcf file that is formed at the place mentioned in the post above. Once the other client receive the .pcf, they need to import it by clicking this tab on the VPN client.
Kind regards
Anisha
-
Routing issue of Cisco VPN Client ASA
Hi, I use a Barracuda NG for firewalls and I would use a Cisco ASA 5505 for VPN Client connections. But I have the problem that I can't get a connection to the VPN PC connected to the internal network. But I can reach the VPN connected PC from the inside. Here is a diagram of my network:
Here the IP Configuration and the routing of the Barracuda firewall table:
I have a route on the Barracuda NG to the 10.10.10.0/24 network VPN Client on eth0.
The 192.168.1.0/24 LAN I ping the Client comes with Client VPN 10.10.10.11 as it should. But I can't ping or access network resources in the local network for AnyConnected customer's PC that connected through the VPN.
Here is the config Cisco ASA:
: Saved : : Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz : ASA Version 9.2(2) ! hostname leela names ip local pool VPN-Pool 10.10.10.10-10.10.10.200 mask 255.255.255.0 ! interface Ethernet0/0 switchport access vlan 2 ! interface Ethernet0/1 ! interface Ethernet0/2 ! interface Ethernet0/3 ! interface Ethernet0/4 switchport access vlan 5 ! interface Ethernet0/5 ! interface Ethernet0/6 ! interface Ethernet0/7 ! interface Vlan1 nameif inside security-level 100 ip address 192.168.1.250 255.255.255.0 ! interface Vlan2 nameif outside security-level 0 ip address dhcp ! interface Vlan5 nameif dmz security-level 50 ip address 172.16.0.250 255.255.255.0 ! ftp mode passive clock timezone CEST 1 clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00 dns domain-lookup inside dns server-group DefaultDNS name-server 192.168.1.10 same-security-traffic permit inter-interface same-security-traffic permit intra-interface object network obj_any subnet 0.0.0.0 0.0.0.0 object network VPN-Pool subnet 10.10.10.0 255.255.255.0 description VPN-Pool object network NETWORK_OBJ_10.10.10.0_24 subnet 10.10.10.0 255.255.255.0 access-list inside_access_in extended permit ip any any access-list inside_access_in extended permit ip object VPN-Pool any access-list dmz_access_in extended permit ip any any access-list global_access extended permit ip any any access-list outside_access_in extended permit ip any any pager lines 24 logging enable logging asdm informational mtu inside 1500 mtu outside 1500 mtu dmz 1500 no failover icmp unreachable rate-limit 1 burst-size 1 no asdm history enable arp timeout 14400 no arp permit-nonconnected nat (inside,dmz) source static any any destination static NETWORK_OBJ_10.10.10.0_24 NETWORK_OBJ_10.10.10.0_24 no-proxy-arp route-lookup inactive access-group inside_access_in in interface inside access-group outside_access_in in interface outside access-group dmz_access_in in interface dmz access-group global_access global route dmz 0.0.0.0 0.0.0.0 172.16.0.254 1 route inside 0.0.0.0 0.0.0.0 192.168.1.254 tunneled timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy server-type microsoft user-identity default-domain LOCAL aaa authentication enable console LDAP_SRV_GRP LOCAL aaa authentication http console LDAP_SRV_GRP LOCAL aaa authentication ssh console LDAP_SRV_GRP LOCAL aaa authentication serial console LOCAL http server enable 444 http 192.168.1.0 255.255.255.0 inside snmp-server location Vienna crypto ipsec ikev2 ipsec-proposal DES protocol esp encryption des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal 3DES protocol esp encryption 3des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES protocol esp encryption aes protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES192 protocol esp encryption aes-192 protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES256 protocol esp encryption aes-256 protocol esp integrity sha-1 md5 crypto ipsec security-association pmtu-aging infinite crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map inside_map interface inside crypto map dmz_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map dmz_map interface dmz crypto ca trustpoint ASDM_TrustPoint0 enrollment self subject-name CN=leela proxy-ldc-issuer crl configure crypto ca trustpoint ASDM_TrustPoint1 enrollment terminal crl configure crypto ca trustpool policy crypto ca certificate chain ASDM_TrustPoint0 quit crypto ikev2 policy 1 encryption aes-256 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 10 encryption aes-192 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 20 encryption aes integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 30 encryption 3des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 40 encryption des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 enable dmz client-services port 443 crypto ikev2 remote-access trustpoint ASDM_TrustPoint0 telnet timeout 5 no ssh stricthostkeycheck ssh 192.168.1.0 255.255.255.0 inside ssh timeout 30 ssh key-exchange group dh-group1-sha1 console timeout 0 dhcpd auto_config outside ! dhcpd address 192.168.1.254-192.168.1.254 inside ! threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept dynamic-filter updater-client enable dynamic-filter use-database ntp server 192.168.1.10 source inside ssl trust-point ASDM_TrustPoint0 dmz ssl trust-point ASDM_TrustPoint0 inside webvpn enable dmz no anyconnect-essentials anyconnect image disk0:/anyconnect-macosx-i386-3.1.05170-k9.pkg 1 anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 2 anyconnect image disk0:/anyconnect-linux-3.1.05170-k9.pkg 3 anyconnect image disk0:/anyconnect-linux-64-3.1.05170-k9.pkg 4 anyconnect profiles AnyConnect_client_profile disk0:/AnyConnect_client_profile.xml anyconnect enable tunnel-group-list enable group-policy DfltGrpPolicy attributes default-domain value group-policy GroupPolicy_AnyConnect internal group-policy GroupPolicy_AnyConnect attributes wins-server none dns-server value 192.168.1.10 vpn-tunnel-protocol ikev2 ssl-client webvpn anyconnect profiles value AnyConnect_client_profile type user group-policy portal internal group-policy portal attributes vpn-tunnel-protocol ssl-clientless webvpn url-list none username tunnel-group AnyConnect type remote-access tunnel-group AnyConnect general-attributes address-pool VPN-Pool authentication-server-group LDAP_SRV_GRP default-group-policy GroupPolicy_AnyConnect tunnel-group AnyConnect webvpn-attributes group-alias AnyConnect enable tunnel-group Portal type remote-access tunnel-group Portal general-attributes authentication-server-group LDAP_SRV_GRP default-group-policy portal tunnel-group Portal webvpn-attributes group-alias portal enable! ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 ! prompt hostname context no call-home reporting anonymous hpm topN enable : end no asdm history enable
Can someone please help me solve this problem?
When I tried to solve this I didn't choose which interface the Packet Tracer?
The interface inside or DMZ interface? Inside, he says it will not work with the dmz but the error did not help me
Anyone here knows why it does not work?
Hello
Inside LAN is directly connected to the right firewall VPN... then I don't think you have to have the itinerary tunnele... can you try to remove the road tunnel mode and check.
entrance to the road that is static to achieve 10.10.10.11 as its display is correct...
Route by tunnel watch also with 255 administrative distance. I've never used that in my scenarios... lets see...
Concerning
Knockaert
-
connect Cisco VPN client v5 to asa 5505
I have remote vpn configuration issues between ASA5505 and Cisco VPN client v5. Successfully, I can establish a connection between the client Vpn and ASA and receive the IP address of the ASA. Statistical customer VPN windows shows that packets are sent and encrypted but none of the packages is received/decrypted.
Cannot ping asa 5505
Any ideas on what I missed?
Try adding...
ISAKMP nat-traversal crypto
In addition, you cannot ping the inside interface of the ASA vpn without this command...
management-access inside
Please evaluate the useful messages.
-
windows\system32\vsinit.dll
I try to run CISCO "VPN Client" connect from my PC at home for my work PC.
Then, I get a message:
Validation failed for C:\WINDOWS\System32\VSINIT.dll
Any ideas?
Martin
Hello
Run the checker system files on the computer. Link, we can see: Description of Windows XP and Windows Server 2003 System File Checker (Sfc.exe): http://support.microsoft.com/kb/310747
Note that: if he asks you the service pack CD, follow these steps from the link: you are prompted to insert a Windows XP SP2 CD when you try to run the tool on a Windows XP SP2 computer system File Checker: http://support.microsoft.com/kb/900910 (valid for Service pack 3)
If the steps above is not enough of it please post your request in the TechNet forum for assistance: http://social.technet.microsoft.com/Forums/en/category/windowsxpitpro
-
All necessary licenses on ASA 5510 for old Cisco VPN Client
We're trying to migrate our firewall Watchguard to a Cisco ASA 5510, who bought some time ago. For some reason, all of our users have already installed the old Cisco VPN client. I think it will work. Are there licensing issues on the 5510 I had to be concerned with? No matter what special config that needs to be done on the 5510?
Fix. You don't require licensing of AnyConnect of any type of configuration and the use of IKEv1 IPsec remote access VPN (which use the old Cisco VPN client).
You will be limited to 250 active IPsec peers (remote access more no matter what VPN site-to-site) by the platform (hardware) device capabilities that are enforced by the software.
-
Cisco VPN Client and Windows XP VPN Client IPSec to ASA
I configured ASA for IPSec VPN via Cisco VPN Client and XP VPN client communications. I can connect successfully with Cisco VPN Client, but I get an error when connecting with the XP client. Debugging said "misconfigured groups and transport/tunneling mode" I know, they use different methods of transport and tunneling, and I think that I have configured both. Take a look at the config.
PS a funny thing - when I connect with client VPN in Windows Server 2003, I have no error. The only difference is that client XP is behind an ADSL router and client server is directly connected to the Internet on one of its public IP of interfaces. NAT in the case of XP can cause problems?
Config is:
!
interface GigabitEthernet0/2.30
Description remote access
VLAN 30
nameif remote access
security-level 0
IP 85.*. *. 1 255.255.255.0
!
access-list 110 scope ip allow a whole
NAT list extended access permit tcp any host 10.254.17.10 eq ssh
NAT list extended access permit tcp any host 10.254.17.26 eq ssh
access-list extended ip allowed any one sheep
access list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
sheep-vpn access-list extended permits all ip 192.168.121.0 255.255.255.0
tunnel of splitting allowed access list standard 192.168.121.0 255.255.255.0
flow-export destination inside-Bct 192.168.1.27 9996
IP local pool raccess 192.168.121.60 - 192.168.121.120 mask 255.255.255.0
ARP timeout 14400
global (outside-Baku) 1 interface
global (outside-Ganja) interface 2
NAT (inside-Bct) 0 access-list sheep-vpn
NAT (inside-Bct) 1 access list nat
NAT (inside-Bct) 2-nat-ganja access list
Access-group rdp on interface outside-Ganja
!
Access remote 0.0.0.0 0.0.0.0 85.*. *. 1 2
Route outside Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
Route outside Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
Outside-Baku route 192.168.39.0 255.255.255.0 10.254.17.10 1
Route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
Route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
Route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
Route outside Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
Route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
dynamic-access-policy-registration DfltAccessPolicy
Crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
Crypto ipsec transform-set newset aes - esp esp-md5-hmac
Crypto ipsec transform-set esp-3des esp-md5-hmac vpnclienttrans
Crypto ipsec transform-set vpnclienttrans transport mode
Crypto ipsec transform-set esp-3des esp-md5-hmac raccess
life crypto ipsec security association seconds 214748364
Crypto ipsec kilobytes of life security-association 214748364
raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map
vpnclientmap 30 card crypto ipsec-isakmp dynamic dyn1
card crypto interface for remote access vpnclientmap
crypto isakmp identity address
ISAKMP crypto enable vpntest
ISAKMP crypto enable outside-Baku
ISAKMP crypto enable outside-Ganja
crypto ISAKMP enable remote access
ISAKMP crypto enable Interior-Bct
crypto ISAKMP policy 30
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
No encryption isakmp nat-traversal
No vpn-addr-assign aaa
Telnet timeout 5
SSH 192.168.1.0 255.255.255.192 outside Baku
SSH 10.254.17.26 255.255.255.255 outside Baku
SSH 10.254.17.18 255.255.255.255 outside Baku
SSH 10.254.17.10 255.255.255.255 outside Baku
SSH 10.254.17.26 255.255.255.255 outside-Ganja
SSH 10.254.17.18 255.255.255.255 outside-Ganja
SSH 10.254.17.10 255.255.255.255 outside-Ganja
SSH 192.168.1.0 255.255.255.192 Interior-Bct
internal vpn group policy
attributes of vpn group policy
value of DNS-server 192.168.1.3
Protocol-tunnel-VPN IPSec l2tp ipsec
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value split tunnel
BCT.AZ value by default-field
attributes global-tunnel-group DefaultRAGroup
raccess address pool
Group-RADIUS authentication server
Group Policy - by default-vpn
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared-key *.
Hello
For the Cisco VPN client, you would need a tunnel-group name configured on the ASA with a pre-shared key.
Please see configuration below:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml
or
Please see the section of tunnel-group config of the SAA.
There is a tunnel-group called "rtptacvpn" and a pre-shared key associated with it. This group name is used by the VPN Client Group name.
So, you would need a specific tunnel-group name configured with a pre-shared key and use it on the Cisco VPN Client.
Secondly, because you are behind a router ADSL, I'm sure that's configured for NAT. can you please activate NAT - T on your ASA.
"crypto isakmp nat-traversal.
Thirdly, change the transformation of the value
raccess 1 set transform-set vpnclienttrans crypto dyn1 dynamic-map
Let me know the result.
Thank you
Gilbert
-
Cisco VPN client 3.5.1 and Cisco ASA 5.2 (2)
Hello
I have a strange problem about Cisco VPN client (IPSec) with Cisco ASA. The Cisco ASA runs software version 5.2 (2). The Cisco VPN client version is 3.5.1.
The problem is the customer able Cisco VPN to authenticate successfully with Cisco ASA, but could not PING to any LAN behind the Cisco ASA. In any case, the problem disappeared when we used the Cisco VPN version 4.6 or 4.8 of the customer. All parameters are exactly the same. What has happened? What is the cause of this problem? How can I solve this problem?
Please advice.
Thank you
Nitass
I understand your problem, I never used 3.5.1 so I thought that maybe nat - t is not enabled by default as 4.x.
-
Cisco VPN Client 5.0.0 does not connect
Hello
I am trying to establish the VPN session the firewall to 5525 X Cisco ASA crossing 9.1.1 Cisco VPN Client. Although AnyConnect is the way to go, the inherited method must always be supported for some time as part of a migration. I tried two VPN users (authenticated by ad) on two client computers running Windows 7 64 bit and Cisco VPN Client 5.0.07.0440. Both users are able to establish a session to a computer at the ASA, but not the other. Entering credentails evil, the login popup will appear immediately. On the combination of username/password correct name, the following VPN client log messages are generated and the session drops that is "not connected" in the status bar. The PCF file is the same on both client computers.
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
119 22:49:16.933 06/23/13 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 203.99.111.44.
120 22:49:16.939 06/23/13 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
121 22:49:16.942 06/23/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 203.99.111.44
122 22:49:16.973 06/23/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 203.99.111.44
123 22:49:16.973 06/23/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 203.99.111.44
124 22:49:16.974 06/23/13 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
125 22:49:16.974 06/23/13 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
126 22:49:16.974 06/23/13 Sev=Info/5 IKE/0x63000001
Peer supports DPD
127 22:49:16.974 06/23/13 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
128 22:49:16.974 06/23/13 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
129 22:49:16.977 06/23/13 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
130 22:49:16.977 06/23/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 203.99.111.44
131 22:49:16.977 06/23/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
132 22:49:16.977 06/23/13 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xCA7C, Remote Port = 0x1194
133 22:49:16.977 06/23/13 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
134 22:49:17.000 06/23/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 203.99.111.44
135 22:49:17.000 06/23/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 203.99.111.44
136 22:49:17.211 06/23/13 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
137 22:49:17.211 06/23/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
138 22:49:23.207 06/23/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 203.99.111.44
139 22:49:23.393 06/23/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 203.99.111.44
140 22:49:23.393 06/23/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 203.99.111.44
141 22:49:23.393 06/23/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 203.99.111.44
142 22:49:23.401 06/23/13 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
143 22:49:23.401 06/23/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 203.99.111.44
144 22:49:23.427 06/23/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 203.99.111.44
145 22:49:23.427 06/23/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 203.99.111.44
146 22:49:23.427 06/23/13 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 10.2.193.69
147 22:49:23.427 06/23/13 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 10.2.5.2
148 22:49:23.428 06/23/13 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 10.1.5.2
149 22:49:23.428 06/23/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
150 22:49:23.428 06/23/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
151 22:49:23.428 06/23/13 Sev=Info/5 IKE/0x6300000F
SPLIT_NET #1
subnet = 10.0.0.0
mask = 255.0.0.0
protocol = 0
src port = 0
dest port=0
152 22:49:23.428 06/23/13 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = example.org
153 22:49:23.428 06/23/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
154 22:49:23.428 06/23/13 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5525 Version 9.1(1) built by builders on Wed 28-Nov-12 11:15 PST
155 22:49:23.428 06/23/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
156 22:49:23.428 06/23/13 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
157 22:49:23.445 06/23/13 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 10.2.193.69, GW IP = 203.99.111.44, Remote IP = 0.0.0.0
158 22:49:23.445 06/23/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 203.99.111.44
159 22:49:23.477 06/23/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 203.99.111.44
160 22:49:23.477 06/23/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 203.99.111.44
161 22:49:23.477 06/23/13 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
162 22:49:23.477 06/23/13 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 7 seconds, setting expiry to 86393 seconds from now
163 22:49:23.477 06/23/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 203.99.111.44
164 22:49:23.477 06/23/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 203.99.111.44
165 22:49:23.478 06/23/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 203.99.111.44
166 22:49:23.478 06/23/13 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=F3E3C530
167 22:49:23.478 06/23/13 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=CD65262E1C3808E4 R_Cookie=912AE160ADADEE65) reason = DEL_REASON_IKE_NEG_FAILED
168 22:49:23.478 06/23/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 203.99.111.44
169 22:49:23.479 06/23/13 Sev=Info/4 IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=CD65262E1C3808E4 R_Cookie=912AE160ADADEE65
170 22:49:23.479 06/23/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 203.99.111.44
171 22:49:24.310 06/23/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
172 22:49:26.838 06/23/13 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=CD65262E1C3808E4 R_Cookie=912AE160ADADEE65) reason = DEL_REASON_IKE_NEG_FAILED
173 22:49:26.849 06/23/13 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
174 22:49:26.855 06/23/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
175 22:49:26.855 06/23/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
176 22:49:26.855 06/23/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
177 22:49:26.855 06/23/13 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
Any ideas why the second client of Windows 7 does not work?
Kind regards
Rick.
Rick
Thanks for the additional output. It shows the xauth authentication step, which is good to see. But it does not offer much clarity on what is causing the problem.
My attention is drawn to a couple of message on the balls that are in line with the two sessions for which you posted newspapers.
32 00:36:08.178 24/06/13 Sev = Info/5 IKE/0x6300005E
Customer address a request from firewall to hub
I'm not sure that we see any answer to this, but it makes me wonder if it is somehow involved in the issue. Is it possible that there is a difference in the configuration of firewall and operating between two clients?
I am also interested in this series of posts
48 00:36:08.210 24/06/13 Sev = Info/4 IKE / 0 x 63000056
Received a request from key driver: local IP = 10.2.193.69, GW IP = 203.99.111.44, Remote IP = 0.0.0.0
I don't know why the pilot requested a key at this point, and I wonder why the remote IP is 0.0.0.0?
It is followed by a package in which the ASA provides the value of the life of SA - which seems to be on the path to a successful connection. that is followed by
55 00:36:08.350 24/06/13 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = 203.99.111.44
56 00:36:08.350 24/06/13 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:no_proposal_chosen)="" from="">
during which the SAA indicates that no proposal has been selected. It seems therefore that the ASA is not happy about something.
If we do not find indications of the client that allows to identify the problem, then maybe we look at the ASA. Are all log messages generated on the SAA during this attempt to establish VPN that could show us the problem? Would it not be possible to run debugs on the SAA in a trial of this machine?
HTH
Rick
-
Is it possible to create a VPN Anyconnect of RA with just the name of user and password + pre-shared key (Group) for the connection, as could do for ikev1 with cisco VPN client? I am running 8.4.X ASA code and looks like tunnel-group commands have 8.2.X somewhat change. If you change the group type of the tunnel for remote access, now there is no option for IKEv2 PSK. This is only available when you choose the type
Type of TG_TEST FW1 (config) # tunnel - group?
set up the mode commands/options:
Site IPSec IPSec-l2l group
Remote access using IPSec-IPSec-ra (DEPRECATED) group
remote access remote access (IPSec and WebVPN) group
WebVPN WebVPN Group (DEPRECATED)FW1(config-tunnel-General) # tunnel - group TG_TEST ipsec-attributes
FW1(config-tunnel-IPSec) #?configuration of the tunnel-group commands:
any required authorization request users to allow successfully in order to
Connect (DEPRECATED)
Allow chain issuing of the certificate
output attribute tunnel-group IPSec configuration
mode
help help for group orders of tunnel configuration
IKEv1 configure IKEv1
ISAKMP policy configure ISAKMP
not to remove a pair of attribute value
by the peer-id-validate Validate identity of the peer using the peer
certificate
negotiation to Enable password update in RADIUS RADIUS with expiry
authentication (DEPRECATED)FW1(config-tunnel-IPSec) # ikev1?
the tunnel-group-ipsec mode commands/options:
pre-shared key associate a key shared in advance with the connection policyI'm getting old so I hope that it is not in another complaint curmudgeonly on the loss of functionality. :)
Many small businesses do not want to invest in the PKI. It is usually a pain to deploy, backup, make redundant, etc..
But it would be nice to have a bit more security on VPN other than just the connections of username and password.
If this is not possible, it is possible to configure the Anyconnect customer to IKEv1 with PSK and name at the level of the Group client?
If this is not possible, WTH did cisco end customer VPN cisco as a choice of VPN connection (other than to get more fresh mail of license)?
I really hope that something like this exists still!
THX,
WR
You are welcome
In addition to two factors, you can also do double authentication (ie the two using the user name and password). Each set of credentials can come from a Bank of different identities.
With this scheme, you can can configure a local user name (common) with password on the SAA (think of it as your analog PSK) and the other be the AD user identification information.
-
Error of customer Cisco VPN connection ASA 5505
I am unable to connect to the vpn I created on my ASA 5505 using the Cisco VPN Client on a Windows machine. The log of the vpn client and the config of the ASA 5505 is lower. Any help to solve this is appreciated.
CISCO VPN CLIENT LOG
Cisco Systems VPN Client Version 5.0.06.0160
Copyright (C) 1998-2009 Cisco Systems, Inc.. All rights reserved.
Customer type: Windows, Windows NT
Running: 6.1.7600
Config files directory: C:\Program Cisco Systems Client\
1 09:34:23.030 13/04/11 Sev = Info/4 CM / 0 x 63100002
Start the login process
2 09:34:23.061 13/04/11 Sev = Info/4 CM / 0 x 63100004
Establish a secure connection
3 09:34:23.061 13/04/11 Sev = Info/4 CM / 0 x 63100024
Attempt to connect with the server "71.xx.xx.253".
4 09:34:23.061 13/04/11 Sev = Info/6 IKE/0x6300003B
Attempts to establish a connection with 71.xx.xx.253.
5 09:34:23.061 13/04/11 Sev = Info/4 IKE / 0 x 63000001
From IKE Phase 1 negotiation
6 09:34:23.077 13/04/11 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK AG (SA, KE, NO, ID, VID (Xauth), VID (dpd), VID (Frag), VID(Nat-T), VID (Unity)) at 71.xx.xx.253
7 09:34:23.170 13/04/11 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = 71.xx.xx.253
8 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" ag="" (sa,="" ke,="" non,="" id,="" hash,="" vid(unity),="" vid(xauth),="" vid(dpd),="" vid(nat-t),="" nat-d,="" nat-d,="" vid(frag),="" vid(?))="" from="">
9 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001
Peer is a compatible peer Cisco-Unity
10 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001
Peer supports XAUTH
11 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001
Peer supports the DPD
12 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001
Peer supports NAT - T
13 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000001
Peer supports fragmentation IKE payloads
14 09:34:23.170 13/04/11 Sev = Info/6 IKE / 0 x 63000001
IOS Vendor ID successful construction
15 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000013
SENDING > ISAKMP OAK AG * (HASH, NOTIFY: NAT - D, NAT - D, VID (?), STATUS_INITIAL_CONTACT, VID (Unity)) at 71.xx.xx.253
16 09:34:23.170 13/04/11 Sev = Info/6 IKE / 0 x 63000055
Sent a keepalive on the IPSec Security Association
17 09:34:23.170 13/04/11 Sev = Info/4 IKE / 0 x 63000083
IKE port in use - Local Port = 0xEB07, Remote Port = 0 x 1194
18 09:34:23.170 13/04/11 Sev = Info/5 IKE / 0 x 63000072
Automatic NAT detection status:
Remote endpoint is NOT behind a NAT device
This effect is behind a NAT device
19 09:34:23.170 13/04/11 Sev = Info/4 CM/0x6310000E
ITS established Phase 1. 1 crypto IKE Active SA, 0 IKE SA authenticated user in the system
20 09:34:23.170 13/04/11 Sev = Info/4 CM/0x6310000E
ITS established Phase 1. 1 crypto IKE Active SA, 1 IKE SA authenticated user in the system
21 09:34:23.186 13/04/11 Sev = Info/5 IKE/0x6300005E
Customer address a request from firewall to hub
22 09:34:23.186 13/04/11 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK TRANS *(HASH, ATTR) to 71.xx.xx.253
23 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = 71.xx.xx.253
24 09:34:23.248 13/04/11 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" trans="" *(hash,="" attr)="" from="">
25 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS:, value = 172.26.6.1
26 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK:, value = 255.255.0.0
27 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (1):, value = 172.26.0.250
28 09:34:23.248 13/04/11 Sev = Info/5 IKE / 0 x 63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS (2):, value = 172.26.0.251
29 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD:, value = 0x00000000
30 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN:, value = TLCUSA
31 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS:, value = 0x00000000
32 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc. ASA5505 Version 8.2 (1) built by manufacturers on Wednesday 5 May 09 22:45
33 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT:, value = 0x00000001
34 09:34:23.248 13/04/11 Sev = Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = received and by using the NAT - T port number, value = 0 x 00001194
35 09:34:23.248 13/04/11 Sev = Info/4 CM / 0 x 63100019
Data in mode Config received
36 09:34:23.264 13/04/11 Sev = Info/4 IKE / 0 x 63000056
Received a request from key driver: local IP = 172.26.6.1, GW IP = 71.xx.xx.253, Remote IP = 0.0.0.0
37 09:34:23.264 13/04/11 Sev = Info/4 IKE / 0 x 63000013
SEND to > QM ISAKMP OAK * (HASH, SA, NO, ID, ID) to 71.xx.xx.253
38 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = 71.xx.xx.253
39 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:status_resp_lifetime)="" from="">
40 09:34:23.326 13/04/11 Sev = Info/5 IKE / 0 x 63000045
Answering MACHINE-LIFE notify has value of 86400 seconds
41 09:34:23.326 13/04/11 Sev = Info/5 IKE / 0 x 63000047
This AA is already living from 0 seconds, setting the expiration to 86400 seconds right now
42 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = 71.xx.xx.253
43 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:no_proposal_chosen)="" from="">
44 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000013
SEND to > ISAKMP OAK INFO *(HASH, DEL) to 71.xx.xx.253
45 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000049
IPsec security association negotiation made scrapped, MsgID = 89EE7032
46 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000017
Marking of IKE SA delete (I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8) reason = DEL_REASON_IKE_NEG_FAILED
47 09:34:23.326 13/04/11 Sev = Info/5 IKE/0x6300002F
Received packet of ISAKMP: peer = 71.xx.xx.253
48 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000058
Received an ISAKMP for a SA message no assets, I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8
49 09:34:23.326 13/04/11 Sev = Info/4 IKE / 0 x 63000014
RECEIVING< isakmp="" oak="" info="" *(dropped)="" from="">
50 09:34:26.696 13/04/11 Sev = Info/4 IKE/0x6300004B
IKE negotiation to throw HIS (I_Cookie = 2617522400DC1763 R_Cookie = 029325381036CCD8) reason = DEL_REASON_IKE_NEG_FAILED
51 09:34:26.696 13/04/11 Sev = Info/4 CM / 0 x 63100012
ITS phase 1 deleted before first Phase 2 SA is caused by "DEL_REASON_IKE_NEG_FAILED". Crypto 0 Active IKE SA, 0 IKE SA authenticated user in the system
52 09:34:26.696 13/04/11 Sev = Info/5 CM / 0 x 63100025
Initializing CVPNDrv
53 09:34:26.696 13/04/11 Sev = Info/6 CM / 0 x 63100046
Set indicator established tunnel to register to 0.
54 09:34:26.696 13/04/11 Sev = Info/4 IKE / 0 x 63000001
Signal received IKE to complete the VPN connection
----------------------------------------------------------------------------------------
ASA 5505 CONFIG
: Saved
:
ASA Version 8.2 (1)
!
ciscoasa hostname
domain masociete.com
activate tdkuTUSh53d2MT6B encrypted password
2KFQnbNIdI.2KYOU encrypted passwd
names of
!
interface Vlan1
nameif inside
security-level 100
IP 172.26.0.252 255.255.0.0
!
interface Vlan2
nameif outside
security-level 0
IP address 71.xx.xx.253 255.255.255.240
!
interface Ethernet0/0
switchport access vlan 2
Speed 100
full duplex
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passive FTP mode
clock timezone IS - 5
clock to summer time EDT recurring
DNS server-group DefaultDNS
domain masociete.com
access-list LIMU_Split_Tunnel_List note the network of the company behind the ASA
Standard access list LIMU_Split_Tunnel_List allow 172.26.0.0 255.255.0.0
outside_access_in list extended access permit icmp any one
outside_access_in list extended access udp allowed any any eq 4500
outside_access_in list extended access udp allowed any any eq isakmp
outside_access_in list extended access permit tcp any host 71.xx.xxx.251 eq ftp
outside_access_in list extended access permit tcp any host 71.xx.xxx.244 eq 3389
inside_outbound_nat0_acl list of allowed ip extended access all 172.26.5.192 255.255.255.240
inside_outbound_nat0_acl list of allowed ip extended access all 172.26.6.0 255.255.255.128
pager lines 24
Enable logging
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
local pool VPN_POOL 172.26.6.1 - 172.26.6.100 255.255.0.0 IP mask
ICMP unreachable rate-limit 1 burst-size 1
enable ASDM history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_outbound_nat0_acl
NAT (inside) 1 0.0.0.0 0.0.0.0
static (inside, outside) 71.xx.xxx.251 172.26.5.9 netmask 255.255.255.255
static (inside, outside) 71.xx.xxx.244 172.26.0.136 netmask 255.255.255.255
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 71.xx.xxx.241 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
Enable http server
http 172.26.0.0 255.255.0.0 inside
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set esp-3des esp-md5-hmac TRANS_ESP_3DES_MD5
Crypto ipsec transform-set transit mode TRANS_ESP_3DES_MD5
Crypto ipsec transform-set esp-3des esp-sha-hmac TRANS_ESP_3DES_SHA
Crypto ipsec transform-set transit mode TRANS_ESP_3DES_SHA
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic outside_dyn_map 20 game of transformation-TRANS_ESP_3DES_MD5
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
md5 hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
3des encryption
sha hash
Group 2
life 86400
Telnet timeout 5
SSH timeout 5
Console timeout 0
dhcpd outside auto_config
!
no basic threat threat detection
no statistical access list - a threat detection
no statistical threat detection tcp-interception
WebVPN
internal DefaultRAGroup group strategy
attributes of Group Policy DefaultRAGroup
value of server WINS 172.26.0.250 172.26.0.251
value of 172.26.0.250 DNS server 172.26.0.251
Protocol-tunnel-VPN IPSec l2tp ipsec svc
value by default-field TLCUSA
internal LIMUVPNPOL1 group policy
LIMUVPNPOL1 group policy attributes
value of 172.26.0.250 DNS server 172.26.0.251
VPN-idle-timeout 30
Protocol-tunnel-VPN IPSec l2tp ipsec
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list LIMU_Split_Tunnel_List
the address value VPN_POOL pools
internal TLCVPNGROUP group policy
TLCVPNGROUP group policy attributes
value of 172.26.0.250 DNS server 172.26.0.251
Protocol-tunnel-VPN IPSec l2tp ipsec svc
Re-xauth disable
enable IPSec-udp
value by default-field TLCUSA
barry.julien YCkQv7rLwCSNRqra06 + QXg password user name is nt encrypted privilege 0
username barry.julien attributes
VPN-group-policy TLCVPNGROUP
Protocol-tunnel-VPN IPSec l2tp ipsec
bjulien bhKBinDUWhYqGbP4 encrypted password username
username bjulien attributes
VPN-group-policy TLCVPNGROUP
attributes global-tunnel-group DefaultRAGroup
address VPN_POOL pool
Group Policy - by default-DefaultRAGroup
IPSec-attributes tunnel-group DefaultRAGroup
pre-shared-key *.
tunnel-group DefaultRAGroup ppp-attributes
no authentication ms-chap-v1
ms-chap-v2 authentication
type tunnel-group TLCVPNGROUP remote access
attributes global-tunnel-group TLCVPNGROUP
address VPN_POOL pool
Group Policy - by default-TLCVPNGROUP
IPSec-attributes tunnel-group TLCVPNGROUP
pre-shared-key *.
ISAKMP ikev1-user authentication no
tunnel-group TLCVPNGROUP ppp-attributes
PAP Authentication
ms-chap-v2 authentication
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
!
global service-policy global_policy
context of prompt hostname
Cryptochecksum:b94898c163c59cee6c143943ba87e8a4
: end
enable ASDM history
can you try to change the transformation of dynamic value ESP-3DES-SHA map.
for example
remove the encryption scheme dynamic-map outside_dyn_map 20 transform-set TRANS_ESP_3DES_MD5
and replace with
Crypto-map dynamic outside_dyn_map 20 the value transform-set ESP-3DES-SHA
-
Hi guru of cisco
Help me please to configure VPN access on ASA 5505 for Cisco VPN Client. I want to let the customers gateway, but access remote 192.168.17.0/24 and 192.168.10.0/24 (connected through site-to-site) networks.
Will be much appreciated for your help.
My config:
Output from the command: 'display conf '.
!
ASA Version 8.2 (2)
!
name of host host1
domain domain name
activate the encrypted password password
encrypted passwd password
names of
!
interface Vlan1
Description INTERNET
0000.0000.0001 Mac address
nameif WAN
security-level 0
IP address a.a.a.a 255.255.255.248 watch a1.a1.a1.a1
OSPF cost 10
!
interface Vlan2
OLD-PRIVATE description
0000.0000.0102 Mac address
nameif OLD-private
security-level 100
IP 192.168.17.2 255.255.255.0 watch 192.168.17.3
OSPF cost 10
!
interface Vlan6
Description MANAGEMENT
0000.0000.0106 Mac address
nameif management
security-level 100
IP 192.168.1.2 255.255.255.0 ensures 192.168.1.3
OSPF cost 10
!
interface Vlan100
Failover LAN Interface Description
!
interface Ethernet0/0
!
interface Ethernet0/1
Shutdown
!
interface Ethernet0/2
Shutdown
!
interface Ethernet0/3
Shutdown
!
interface Ethernet0/4
Shutdown
!
interface Ethernet0/5
switchport access vlan 100
!
interface Ethernet0/6
switchport trunk allowed vlan 2.6
switchport mode trunk
!
interface Ethernet0/7
Shutdown
!
boot system Disk0: / asa822 - k8.bin
passive FTP mode
DNS domain-lookup WAN
DNS server-group DefaultDNS
Server name dns.dns.dns.dns
domain domain name
permit same-security-traffic intra-interface
object-group Protocol TCPUDP
object-protocol udp
object-tcp protocol
object-group service RDP - tcp
RDP description
EQ port 3389 object
object-group Protocol DM_INLINE_PROTOCOL_1
ip protocol object
icmp protocol object
object-protocol udp
object-tcp protocol
Access extensive list ip 192.168.17.0 LAN_nat0_outbound allow 255.255.255.0 192.168.10.0 255.255.255.0
Standard access list LAN_IP allow 192.168.17.0 255.255.255.0
WAN_access_in list of allowed ip extended access all any debug log
WAN_access_in list extended access allowed icmp a.a.a.a 255.255.255.248 192.168.10.0 255.255.255.0 inactive debug log
WAN_access_in list extended access permit tcp any object-group RDP any RDP log debugging object-group
WAN_access_in list extended access allowed icmp a.a.a.a 255.255.255.248 a.a.a.a 255.255.255.248 debug log
MANAGEMENT_access_in list of allowed ip extended access all any debug log
access-list extended OLD-PRIVATE_access_in any allowed ip no matter what debug log
access-list OLD-PRIVATE_access_in allowed extended object-group DM_INLINE_PROTOCOL_1 interface OLD-private 192.168.10.0 255.255.255.0 inactive debug log
access-list OLD-PRIVATE_access_in allowed extended object-group TCPUDP interface OLD-private no matter what inactive debug log
access-list OLD-PRIVATE_access_in allowed extended icmp host 192.168.10.254 interface private OLD newspaper inactive debugging
access-list OLD-PRIVATE_access_in allowed extended icmp host 192.168.17.155 interface private OLD newspaper debugging
access-list 101 extended allow host tcp 192.168.10.7 any eq 3389 debug log
Access extensive list ip 192.168.17.0 WAN_1_cryptomap allow 255.255.255.0 192.168.10.0 255.255.255.0
WAN_1_cryptomap to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0
WAN_cryptomap_2 to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.10.0 255.255.255.0
Capin list extended access permit ip host 192.18.17.155 192.168.10.7
Capin list extended access permit ip host 192.168.10.7 192.168.17.155
LAN_access_in list of allowed ip extended access all any debug log
Access extensive list ip 192.168.17.0 WAN_nat0_outbound allow 255.255.255.0 192.168.10.0 255.255.255.0
WAN_nat0_outbound list of allowed ip extended access all 192.168.17.240 255.255.255.252
WAN_nat0_outbound to access extended list ip 192.168.2.0 allow 255.255.255.0 192.168.2.0 255.255.255.248
Access extensive list ip 192.168.17.0 WAN_2_cryptomap allow 255.255.255.0 192.168.10.0 255.255.255.0
permit inside_nat0_outbound to access extended list ip 192.168.10.0 255.255.255.0 192.168.17.0 255.255.255.0
LAN_IP_inbound list standard access allowed 192.168.10.0 255.255.255.0
Standard access list IPSec_VPN_splitTunnelAcl allow a
access extensive list ip 192.168.17.0 vpnusers_splitTunnelAcl allow 255.255.255.0 any
sheep - in extended Access-list allow IP 192.168.17.0 255.255.255.0 192.168.2.0 255.255.255.0
vpn_ipsec_splitTunnelAcl list standard access allowed 192.168.2.0 255.255.255.0
pager lines 24
Enable logging
logging trap information
asdm of logging of information
Debugging trace record
MTU 1500 WAN
MTU 1500 OLD-private
MTU 1500 management
mask 192.168.1.150 - 192.168.1.199 255.255.255.0 IP local pool VPN_Admin_IP
IP local pool vpnclient 192.168.2.1 - 192.168.2.5 mask 255.255.255.0
failover
primary failover lan unit
failover lan interface failover Vlan100
15 75 holdtime interface failover pollTime
key changeover *.
failover interface ip failover 192.168.100.1 255.255.255.0 ensures 192.168.100.2
ICMP unreachable rate-limit 1 burst-size 1
ICMP permitted host b.b.b.b WAN
ICMP allow 192.168.10.0 255.255.255.0 WAN
ICMP permitted host c.c.c.c WAN
ICMP allow 192.168.17.0 255.255.255.0 WAN
ICMP deny any WAN
ICMP permitted host OLD-private b.b.b.b
ICMP allow 192.168.10.0 255.255.255.0 OLD-private
ICMP allow 192.168.17.0 255.255.255.0 OLD-private
ICMP permitted host c.c.c.c OLD-private
ICMP permitted host b.b.b.b management
ICMP permitted host 192.168.10.0 management
ICMP permitted host 192.168.17.138 management
ICMP permit 192.168.1.0 255.255.255.0 management
ICMP permitted host 192.168.1.26 management
ASDM image disk0: / asdm - 631.bin
don't allow no asdm history
ARP timeout 14400
Global (WAN) 1 interface
Global (OLD-private) 1 interface
Global interface (management) 1
NAT (OLD-private) 0-list of access WAN_nat0_outbound
NAT (OLD-private) 1 0.0.0.0 0.0.0.0
WAN_access_in access to the WAN interface group
Access-group interface private-OLD OLD-PRIVATE_access_in
Access-group MANAGEMENT_access_in in the management interface
Route WAN 0.0.0.0 0.0.0.0 a.a.a.185 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-registration DfltAccessPolicy
the ssh LOCAL console AAA authentication
local AAA authentication attempts 10 max in case of failure
Enable http server
http 192.168.1.0 255.255.255.0 WAN
http 0.0.0.0 0.0.0.0 WAN
http a.a.a.a 255.255.255.255 WAN
No snmp server location
No snmp Server contact
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Service resetoutside
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
card crypto WAN_map 1 corresponds to the address WAN_1_cryptomap
card crypto WAN_map 1 set peer b.b.b.b
WAN_map 1 transform-set ESP-DES-SHA crypto card game
card crypto WAN_map WAN interface
ISAKMP crypto enable WAN
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
crypto ISAKMP policy 30
preshared authentication
the Encryption
sha hash
Group 1
life 86400
Telnet timeout 5
SSH b.b.b.b 255.255.255.255 WAN
SSH timeout 30
SSH version 2
Console timeout 0
dhcpd auto_config OLD-private
!a basic threat threat detection
host of statistical threat detection
Statistics-list of access threat detection
a statistical threat detection tcp-interception rate-interval 30 burst-400-rate average rate 200
NTP server 129.6.15.28 source WAN prefer
WebVPN
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec svc webvpn
internal admin group strategy
group admin policy attributes
DNS.DNS.DNS.DNS value of DNS server
Protocol-tunnel-VPN IPSec
internal vpn_ipsec group policy
attributes of the strategy of group vpn_ipsec
value 192.168.17.80 DNS server dns.dns.dns.dns
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list vpn_ipsec_splitTunnelAcl
the address value vpnclient pools
username admin password encrypted password privilege 15
n1ck encrypted password privilege 15 password username
type tunnel-group admin remote access
tunnel-group admin general attributes
address pool IPSec_VPN_pool
vpnclient address pool
LOCAL authority-server-group
strategy-group-by default admin
tunnel-group admin ipsec-attributes
pre-shared-key *.
tunnel-group b.b.b.b type ipsec-l2l
tunnel-group b.b.b.b General-attributes
strategy-group-by default admin
b.b.b.b tunnel ipsec-attributes group
pre-shared-key *.
NOCHECK Peer-id-validate
type tunnel-group vpn_ipsec remote access
tunnel-group vpn_ipsec General-attributes
vpnclient address pool
Group Policy - by default-vpn_ipsec
vpn_ipsec group of tunnel ipsec-attributes
pre-shared-key *.
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
inspect the icmpThanks a lot for the confirmation. There is some lack of configurations and also some configuration errors.
They are here:
(1) Split tunnel-access list is incorrect:
vpn_ipsec_splitTunnelAcl list standard access allowed 192.168.2.0 255.255.255.0
It should be allowed in your internal network. Please, add and remove the following:
standard access list vpn_ipsec_splitTunnelAcl allow 192.168.17.0 255.255.255.0
No vpn_ipsec_splitTunnelAcl of the standard access list only allowed 192.168.2.0 255.255.255.0
(2) NAT 0-list of access should also include the traffic between the local subnet to the Pool of IP VPN:
Access extensive list ip 192.168.17.0 WAN_nat0_outbound allow 255.255.255.0 192.168.2.0 255.255.255.0
(3) dynamic-map has not been created and assigned to crypto card:
Crypto-map dynamic dynmap 10 game of transformation-ESP-3DES-SHA
card crypto ipsec WAN_map 65000-isakmp dynamic dynmap
(4) Finally, you have not enabled protocol IPSec in your group strategy:
attributes of the strategy of group vpn_ipsec
Protocol-tunnel-VPN IPSec
Hope that helps.
If it still does not after the changes described above, please kindly share the latest config and also the output of the following debugs when you try to connect:
debugging cry isa
debugging ipsec cry
-
Problems to connect via the Cisco VPN client IPSec of for RV180W small business router
Hello
I tried to configure my router Cisco of RV180W as a customer VPN IPSec, but have encountered a problem that I hope someone can help me with. "" I managed to do the work of configuration so that the Cisco's VPN IPSec client authenticates successfully with the XAUTH user, I put on the router, but during the negotiation, the client ends with the following, which appears several times on the router error message: ' Mar 20 Oct 19:41:53 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for
> [34360] has no config mode. I've read around the internet and a number of people seem to say that the Cisco VPN Client is not compatible with the router, but the same thing happens to my iPhone VPN client.
Is it possible that this can be implemented? Below, I have attached the full configuration files and the log files. Thank you much in advance.
Router log file (I changed the IP
addresses > respectively as well as references to MAC addresses) Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: floating ports NAT - T with counterpart
> [44074]
Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] WARNING: notification to ignore INITIAL-CONTACT> [44074] because it is admitted only after the phase 1.
Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: NAT - D payload does not match for> [4500]
Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: NAT - D payload does not match for> [44074]
Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: received unknown Vendor ID
Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: received Vendor ID: CISCO-UNITY
Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: NAT detected: is located behind a device. NAT and alsoPeer is behind a NAT device
Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: request sending Xauth for> [44074]
Mar 20 Oct 20:03:10 2015 (GMT + 0000): [r1] [IKE] INFO: ISAKMP Security Association established for> [4500] - > [44074] with spi = >.
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: receives the type of the attribute 'ISAKMP_CFG_REPLY' of> [44074]
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: login successful for the user "myusername".
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: myusername XAuthUser connected from the IP>
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: sending of information Exchange: Notify payload [10381]
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: receives the type of the attribute 'ISAKMP_CFG_REQUEST' of> [44074]
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no config mode
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no config mode
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no config mode
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no config mode
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] WARNING: ignored attribute 5
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no config mode
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no config mode
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no config mode
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no config mode
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no config mode
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no config mode
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] WARNING: attribute ignored 28683
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no mode config
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] WARNING: attribute ignored 28684
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no config mode
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: local configuration for> [44074] has no mode config
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] ERROR: remove the invalid payload with doi:0.
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: purged-Association of ISAKMP security with proto_id = ISAKMP and spi =>.
Mar 20 Oct 20:03:15 2015 (GMT + 0000): [r1] [IKE] INFO: myusername XAuthUser Logged Out of the IP>
Mar 20 Oct 20:03:16 2015 (GMT + 0000): [r1] [IKE] INFO: ISAKMP Security Association deleted for> [4500] - > [44074] with spi = > The router configuration
IKE policy
VPN strategy
Client configuration
Hôte : < router="" ip=""> >
Authentication group name: remote.com
Password authentication of the Group: mysecretpassword
Transport: Enable Transparent Tunneling; IPSec over UDP (NAT/PAT)
Username: myusername
Password: mypassword
Please contact Cisco.
Correct, the RV180 is not compatible with the Cisco VPN Client. The Iphone uses the Cisco VPN Client.
You can use the PPTP on the RV180 server to connect a PPTP Client.
In addition, it RV180 will allow an IPsec connection to third-party customers 3. Greenbow and Shrew Soft are 2 commonly used clients.
-
Hi all
I need assistance with Cisco VPN Client, the client requests to set up a message (banner) to the user who is not allowed access to the VPN.
My client uses the authentication of LDAP, just tried include a banner to the group policy but it does not work once the vpn - concurrent connections 0, here's my sample config:
ASA 8.2
VPN client
=================================================
LDAP attribute-map AccessRestrict
name of the msNPAllowDialin cVPN3000-IETF-RADIUS-class card
msNPAllowDialin card-value TRUE AllowVPN
FALSE card-value msNPAllowDialin NoVPN
internal AllowVPN group strategy
attributes of Group Policy AllowVPN
banner value * Welcome to My Virtual Private Network *.
value of 172.16.0.10 DNS server
Protocol-tunnel-VPN IPSec l2tp ipsec webvpn
myvpn.com value by default-field
internal NoVPN group strategy
attributes of Group Policy NoVPN
VPN - concurrent connections 0
=================================================
There a way to show users that are not allowed access to the VPN a message, contact the administrator?
Any sugestion will be useful
See you soon
Rangel Bruno«Se você quiser alguem em quem entrust, entrust em mesmo TR.» Quem acredita sempre alcança.
Renato RussoI guess the banner actually appear when a group policy is applied with a message once the user is properly authenticated.
It comes
Unplug continue
See here:
As in the case of NoVpn-group policy, the user never reach at this point, so it did not show banner.
That's what I think, someone may have a better answer.
~ BR
Jatin kone* Does the rate of useful messages *.
-
Hello
IPhone 4 s last IOS5 V 5.1.1 installed
I'm not able to make the native IPSEC VPN connection upset my company Cisco 877
Instead, all my computer laptop and netbook with Cisco VPN Client work installed fine when they connect remotely to society 877
Turn debugging 877, it seems Iphone successfully passes the 1 connection ike (actually Iphone wonder phase2 user/pass), but it hung to phase2 give me the error 'Negotiation with the VPN server has no' back
An idea or a known issue on this?
This is how I configured my VPN 877 part:
R1 (config) # aaa new-model
R1 (config) # aaa authentication default local connection
R1 (config) # aaa authentication login vpn_xauth_ml_1 local
R1 (config) # aaa authentication login local sslvpn
R1 (config) # aaa authorization network vpn_group_ml_1 local
R1 (config) # aaa - the id of the joint session
Crypto isakmp policy of R1 (config) # 1
R1(config-ISAKMP) # BA 3des
# Preshared authentication R1(config-ISAKMP)
Group R1(config-ISAKMP) # 2
R1(config-ISAKMP) #.
R1(config-ISAKMP) #crypto isakmp policy 2
R1(config-ISAKMP) # BA 3des
Md5 hash of R1(config-ISAKMP) #.
# Preshared authentication R1(config-ISAKMP)
Group R1(config-ISAKMP) # 2
Output R1(config-ISAKMP) #.
R1 (config) # CUSTOMER - VPN crypto isakmp client configuration group
R1(config-ISAKMP-Group) # key xxxxxxxx
R1(config-ISAKMP-Group) # 192.168.0.1 dns
R1(config-ISAKMP-Group) # VPN - pool
ACL R1(config-ISAKMP-Group) # 120
R1(config-ISAKMP-Group) max-users # 5
Output R1(config-ISAKMP-Group) #.
R1 (config) # ip local pool VPN-pool 192.168.0.20 192.168.0.25
R1 (config) # crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
R1 (config) # crypto ipsec VPN-profile-1 profile
R1(IPSec-Profile) # set the transform-set encrypt method 1
Tunnel type interface virtual-Template2 R1 (config) #.
R1(Config-if) # ip unnumbered FastEthernet0/0
R1(Config-if) # tunnel mode ipsec ipv4
Ipsec protection tunnel R1(Config-if) # VPN - profile - 1 profile
Profile of R1 (config) # isakmp crypto vpn-ike-profile-1
R1(conf-ISA-Prof) # match group identity CUSTOMER VPN
R1(conf-ISA-Prof) # vpn_xauth_ml_1 list client authentication
R1(conf-ISA-Prof) # isakmp authorization list vpn_group_ml_1
R1(conf-ISA-Prof) # client configuration address respond
R1(conf-ISA-Prof) virtual-model # 2
Then run AccessList 120 for desired traffic ("access-list 120 now allows ip any any")
I have configured my VPN Cisco "CUSTOMER-VPN" clients and relative password
Whenever they connect, they are prompted for the password and username phase2 then they join the VPN with an IP address from local subnet released.
With the same parameters required and confirmed in section ipsec VPN Iphone it does not work.
It's 877 isakmp debug output after that Iphone wonder name of user and password (then I suppose that phase 1 completed):
* 14:29:30.731 May 19: ISAKMP (0:2081): received 151.38.197.143 packet 500 Global 500 (R) sport dport CONF_XAUTH
* 14:29:30.735 May 19: ISAKMP: (2081): responsible for operation of 151.38.197.143 of treatment. Message ID =-1427983983
* 14:29:30.735 May 19: ISAKMP: Config payload RESPONSE
* 14:29:30.735 May 19: ISAKMP/xauth: response XAUTH_USER_NAME_V2 attribute
* 14:29:30.735 May 19: ISAKMP/xauth: response XAUTH_USER_PASSWORD_V2 attribute
* 14:29:30.735 May 19: ISAKMP: (2081): node-1427983983 error suppression FALSE reason "made with Exchange of request/response xauth.
* 14:29:30.735 May 19: ISAKMP: (2081): entry = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
* 14:29:30.735 May 19: ISAKMP: (2081): former State = new State IKE_XAUTH_REQ_SENT = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
* 14:29:30.743 May 19: ISAKMP: node set 1322685842 to CONF_XAUTH
* 19 May 14:29:30.747: ISAKMP: (2081): launch peer 151.38.197.143 config. ID = 1322685842
* 19 May 14:29:30.747: ISAKMP: (2081): lot of 151.38.197.143 sending my_port 500 peer_port 500 (R) CONF_XAUTH
* 14:29:30.747 May 19: ISAKMP: (2081): sending a packet IPv4 IKE.
* 14:29:30.747 May 19: ISAKMP: (2081): entry = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
* 14:29:30.747 May 19: ISAKMP: (2081): former State = new State IKE_XAUTH_AAA_CONT_LOGIN_AWAIT = IKE_XAUTH_SET_SENT
* 14:29:31.299 May 19: ISAKMP (0:2081): received 151.38.197.143 packet 500 Global 500 (R) sport dport CONF_XAUTH
* 14:29:31.299 May 19: ISAKMP: (2081): responsible for operation of 151.38.197.143 of treatment. Message ID = 1322685842
* 14:29:31.299 May 19: ISAKMP: Config payload ACK
* 19 May 14:29:31.303: ISAKMP: (2081): XAUTH ACK processed
* 14:29:31.303 May 19: ISAKMP: (2081): error suppression node 1322685842 FALSE basis "Mode of Transaction.
* 14:29:31.303 May 19: ISAKMP: (2081): talking to a customer of the unit
* 14:29:31.303 May 19: ISAKMP: (2081): entry = IKE_MESG_FROM_PEER, IKE_CFG_ACK
* 14:29:31.303 May 19: ISAKMP: (2081): former State = new State IKE_XAUTH_SET_SENT = IKE_P1_COMPLETE
* 14:29:31.303 May 19: ISAKMP: (2081): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
* 14:29:31.303 May 19: ISAKMP: (2081): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
* 19 May 14:29:31.303: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
* 14:29:31.315 May 19: ISAKMP: (2081): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
* 14:29:31.315 May 19: ISAKMP: (2081): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
* 14:29:31.623 may 19: ISAKMP (0:2081): received 151.38.197.143 packet 500 Global 500 (R) sport dport QM_IDLE
* 14:29:31.623 may 19: ISAKMP: node set-851463821 to QM_IDLE
* 14:29:31.623 may 19: ISAKMP: (2081): responsible for operation of 151.38.197.143 of treatment. Message ID =-851463821
* 14:29:31.623 may 19: ISAKMP: Config payload REQUEST
* 14:29:31.623 may 19: ISAKMP: (2081): verification of claim:
* 14:29:31.623 may 19: ISAKMP: IP4_ADDRESS
* 14:29:31.623 may 19: ISAKMP: IP4_NETMASK
* 14:29:31.623 may 19: ISAKMP: IP4_DNS
* 14:29:31.623 may 19: ISAKMP: IP4_NBNS
* 14:29:31.623 may 19: ISAKMP: ADDRESS_EXPIRY
* 14:29:31.623 may 19: ISAKMP: APPLICATION_VERSION
* 14:29:31.623 may 19: ISAKMP: MODECFG_BANNER
* 14:29:31.623 may 19: ISAKMP: domaine_par_defaut
* 14:29:31.623 may 19: ISAKMP: SPLIT_DNS
* 14:29:31.623 may 19: ISAKMP: SPLIT_INCLUDE
* 14:29:31.623 may 19: ISAKMP: INCLUDE_LOCAL_LAN
* 14:29:31.623 may 19: ISAKMP: PFS
* 14:29:31.623 may 19: ISAKMP: MODECFG_SAVEPWD
* 14:29:31.623 may 19: ISAKMP: FW_RECORD
* 14:29:31.623 may 19: ISAKMP: serveur_sauvegarde
* 14:29:31.623 may 19: ISAKMP: MODECFG_BROWSER_PROXY
* 14:29:31.627 May 19: ISAKMP/author: author asks for CUSTOMER-VPNsuccessfully group AAA
* 14:29:31.627 May 19: ISAKMP: (2081): entry = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
* 14:29:31.627 May 19: ISAKMP: (2081): former State = new State IKE_P1_COMPLETE = IKE_CONFIG_AUTHOR_AAA_AWAIT
* 14:29:31.627 May 19: ISAKMP: (2081): attributes sent in the message:
* 19 May 14:29:31.627: address: 0.2.0.0
* 19 May 14:29:31.627: ISAKMP: (2081):address of 192.168.0.21 assignment
* 14:29:31.627 May 19: ISAKMP: sending private address: 192.168.0.21
* 14:29:31.627 May 19: ISAKMP: send the subnet mask: 255.255.255.0
* 14:29:31.631 May 19: ISAKMP: sending IP4_DNS server address: 192.168.0.1
* 14:29:31.631 May 19: ISAKMP: sending ADDRESS_EXPIRY seconds left to use the address: 3576
* 14:29:31.631 May 19: ISAKMP: string APPLICATION_VERSION sending: Cisco IOS software, software C870 (C870-ADVIPSERVICESK9-M), Version 12.4 (15) T7, VERSION of the SOFTWARE (fc3)
Technical support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Updated Friday 14 August 08 07:43 by prod_rel_team
* 14:29:31.631 May 19: ISAKMP: split shipment include the name Protocol 120 network 0.0.0.0 mask 0.0.0.0 0 src port 0, port 0 DST
* 14:29:31.631 May 19: ISAKMP: sending save the password answer value 0
* 19 May 14:29:31.631: ISAKMP: (2081): respond to peer 151.38.197.143 config. ID =-851463821
* 19 May 14:29:31.631: ISAKMP: (2081): lot of 151.38.197.143 sending my_port 500 peer_port 500 (R) CONF_ADDR
* 14:29:31.631 May 19: ISAKMP: (2081): sending a packet IPv4 IKE.
* 14:29:31.631 May 19: ISAKMP: (2081): node-851463821 error suppression FALSE reason "error no.".
* 14:29:31.631 May 19: ISAKMP: (2081): talking to a customer of the unit
* 14:29:31.631 May 19: ISAKMP: (2081): entry = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
* 14:29:31.631 May 19: ISAKMP: (2081): former State = new State IKE_CONFIG_AUTHOR_AAA_AWAIT = IKE_P1_COMPLETE
* 14:29:31.635 May 19: ISAKMP: (2081): entry = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
* 14:29:31.635 May 19: ISAKMP: (2081): former State = new State IKE_P1_COMPLETE = IKE_P1_COMPLETE
Here the Iphone remains unused for a few seconds...
* 14:29:48.391 May 19: ISAKMP (0:2081): received 151.38.197.143 packet 500 Global 500 (R) sport dport QM_IDLE
* 14:29:48.391 May 19: ISAKMP: node set 1834509506 to QM_IDLE
* 19 May 14:29:48.391: ISAKMP: (2081): HASH payload processing. Message ID = 1834509506
* 19 May 14:29:48.391: ISAKMP: (2081): treatment of payload to DELETE. Message ID = 1834509506
* 14:29:48.391 May 19: ISAKMP: (2081): peer does not paranoid KeepAlive.
* 14:29:48.395 May 19: ISAKMP: (2081): peer does not paranoid KeepAlive.
* 14:29:48.395 May 19: ISAKMP: (2081): removal of HIS right State 'No reason' (R) QM_IDLE (post 151.38.197.143)
* 14:29:48.395 May 19: ISAKMP: (2081): error suppression node 1834509506 FALSE reason 'informational (en) State 1.
* 19 May 14:29:48.395: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
* 19 May 14:29:48.395: IPSEC (key_engine_delete_sas): rec would notify of ISAKMP
* 19 May 14:29:48.395: IPSEC (key_engine_delete_sas): remove all SAs shared with peer 151.38.197.143
* 14:29:48.395 May 19: ISAKMP: node set-1711408233 to QM_IDLE
* 19 May 14:29:48.395: ISAKMP: (2081): lot of 151.38.197.143 sending my_port 500 peer_port 500 (R) QM_IDLE
* 14:29:48.395 May 19: ISAKMP: (2081): sending a packet IPv4 IKE.
* 14:29:48.399 May 19: ISAKMP: (2081): purge the node-1711408233
* 14:29:48.399 May 19: ISAKMP: (2081): entry = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
* 14:29:48.399 May 19: ISAKMP: (2081): former State = new State IKE_P1_COMPLETE = IKE_DEST_SA
* 14:29:48.399 May 19: ISAKMP: (2081): removal of HIS right State 'No reason' (R) QM_IDLE (post 151.38.197.143)
* 14:29:48.399 May 19: ISAKMP: (0): cannot decrement IKE Call Admission Control incoming_active stat because he's already 0.
* 14:29:48.399 May 19: ISAKMP (0:2081): return address 192.168.0.21 to pool
* 14:29:48.399 May 19: ISAKMP: Unlocking counterpart struct 0 x 84084990 for isadb_mark_sa_deleted(), count 0
* 14:29:48.399 May 19: ISAKMP: return address 192.168.0.21 to pool
* 14:29:48.399 May 19: ISAKMP: delete peer node by peer_reap for 151.38.197.143: 84084990
* 14:29:48.399 May 19: ISAKMP: return address 192.168.0.21 to pool
* 14:29:48.403 May 19: ISAKMP: (2081): node-1427983983 error suppression FALSE reason 'IKE deleted.
* 14:29:48.403 May 19: ISAKMP: (2081): error suppression node 1322685842 FALSE reason 'IKE deleted.
* 14:29:48.403 May 19: ISAKMP: (2081): node-851463821 error suppression FALSE reason 'IKE deleted.
* 14:29:48.403 May 19: ISAKMP: (2081): error suppression node 1834509506 FALSE reason 'IKE deleted.
* 14:29:48.403 May 19: ISAKMP: (2081): entry = IKE_MESG_FROM_PEER, IKE_MM_EXCH
* 14:29:48.403 May 19: ISAKMP: (2081): former State = new State IKE_DEST_SA = IKE_DEST_SA
* 19 May 14:29:48.403: IPSEC (key_engine): had an event of the queue with 1 KMI message (s)
It seems 877 comes even to assign a local ip address of LAN for Iphone (192.168.0.21) but then something goes wrong...
Any idea or suggestion on this?
Thank you very much
Hi Federico,.
Please let us know.
Please mark this message as answered while others will be able to learn the lessons.
Thank you.
Portu.
Maybe you are looking for
-
Firefox when trying to play wavs/mp3s after clicking on link to it instead of display the dialog to open/download. In preferences on the applications tab, I always chose "ask" in the types of wav and mp3 files, but it does not solve this problem. Thi
-
HP Pavilion 1b33ca g6: Bios password
1 password bios Pls. HP G6-1b33ca / Sn #[personal information] Code: 70977280 2. computer laptop time keep changing and laggin after update with time windows internet Thank you.
-
HP mini 1001TU. How to connect a full headset (micro + headphones)?
Hello world I wonder how can I use an external full headset (micro + headphones) on my hp mini 1001TU (for Skype and other applications...). Indeed: there is only one outlet jack. It is used for the audio input or the output sound, depending on what
-
Try to install Skype I got an error message (see below) and had to quit the installer. Error message: the drive or the UNC share, you have selected does not exist or is not accessible. Please select another. I did not select a player and do not know
-
BlackBerry App cannot delete emails 10.2.1.537
Since the new update, I can't delete emails. It always shows "perform this action. Do not show a checkbox + cancel or delete - but accepts what I choose? Anyone who has another experinecing this? A glitch? suggestions?