NetScreen to ASA IKE negotiation failure
Howdy, y'all.
I have a NetScreen ISG2000 that needs to terminate a site-to-site VPN with an ASA running 7.1.
On the NetScreen side I configured a policy-based VPN, expecting only HTTPS traffic over the tunnel. So in the IKE negotiation it expects the proposal to include only IP proto 6.
On the ASA side, the administrator (a colleague, not me, and I have no access to it) doesn't see a place to define which protocols are allowed in the IKE proposal.
I see that it's supposed to be an ACL associated with the crypto map that specifies the traffic to be routed into the tunnel. I suspect it currently says "access-list (1) extended permit ip ...", which allows all IP protocols over the tunnel.
What I want is something like "access-list (1) extended permit tcp ... eq 443".
Can anyone confirm that this will force the ASA to specify only TCP in the proposal?
Thank you!
Hello
Yes, if you have configured your NetScreen with a policy-based VPN and the policy only allows HTTPS traffic to flow from your internal subnet to its internal subnet (don't forget to check the option that modifies the matching bidirectional policy)... then its access-list should be the exact mirror of yours (including the source and destination host or subnet, and the port, which in your case will be tcp 443)...
On the ASA, you would have the access-list:
access-list test permit tcp source_subnet source_netmask destination_subnet destination_netmask eq 443
crypto map mymap 10 match address test
Please rate if this helps!
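The answer's "exact mirror" rule is easy to get wrong when a port is involved, because the `eq` keyword sits on one side of the ACE and mirroring moves it to the other. The following is an added example, not code from the thread or from either vendor: it models the proxy IDs (traffic selectors) that IKEv1 Quick Mode carries in its two ID payloads, derives them from a NetScreen policy and from an ASA crypto-map ACE, renders the ACE that is the true mirror, and reports every field on which an ACE fails to mirror. The subnets (NetScreen LAN 10.1.0.0/16, ASA LAN 10.2.0.0/16, HTTPS server behind the ASA) and the ACL name are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network

# Added example (not from the thread): model the proxy IDs (traffic selectors)
# that IKEv1 Quick Mode carries in its two ID payloads, derive them from a
# NetScreen policy and from an ASA crypto-map ACE, and check that the ASA side
# is the exact mirror of the NetScreen side.  Port 0 / protocol 0 mean "any".

PROTO_NUM = {"ip": 0, "tcp": 6, "udp": 17}
PROTO_NAME = {v: k for k, v in PROTO_NUM.items()}


@dataclass(frozen=True)
class ProxyId:
    net: IPv4Network
    proto: int  # 0 = any, 6 = TCP, 17 = UDP
    port: int   # 0 = any


@dataclass(frozen=True)
class ProxyPair:
    local: ProxyId
    remote: ProxyId

    def mirror(self) -> "ProxyPair":
        """What the far end must propose for the two proposals to match."""
        return ProxyPair(local=self.remote, remote=self.local)


def netscreen_policy_pair(src: str, dst: str, proto: int, dst_port: int) -> ProxyPair:
    """Proxy IDs derived from a policy-based VPN policy 'src -> dst' with a
    service whose destination port is dst_port (HTTPS is TCP/443)."""
    return ProxyPair(local=ProxyId(IPv4Network(src), proto, 0),
                     remote=ProxyId(IPv4Network(dst), proto, dst_port))


def _read_addr(toks: list[str], i: int) -> tuple[IPv4Network, int]:
    if toks[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return IPv4Network(toks[i + 1] + "/32"), i + 2
    return IPv4Network(f"{toks[i]}/{toks[i + 1]}"), i + 2   # "A.B.C.D MASK"


def _read_port(toks: list[str], i: int) -> tuple[int, int]:
    if i < len(toks) and toks[i] == "eq":
        return int(toks[i + 1]), i + 2
    return 0, i


def asa_crypto_acl_pair(ace: str) -> ProxyPair:
    """Proxy IDs the ASA proposes from one extended ACE of the form
    'access-list NAME extended permit PROTO SRC MASK [eq P] DST MASK [eq P]'."""
    toks = ace.split()
    i = toks.index("permit") + 1
    proto = PROTO_NUM[toks[i]]
    src, i = _read_addr(toks, i + 1)
    sport, i = _read_port(toks, i)
    dst, i = _read_addr(toks, i)
    dport, i = _read_port(toks, i)
    return ProxyPair(local=ProxyId(src, proto, sport), remote=ProxyId(dst, proto, dport))


def asa_ace_for(pair: ProxyPair, name: str = "vpn-to-netscreen") -> str:
    """Render the ACE that makes the ASA propose exactly `pair` (the name is assumed)."""
    def addr(p: ProxyId) -> str:
        return f"{p.net.network_address} {p.net.netmask}"

    def port(p: ProxyId) -> str:
        return f" eq {p.port}" if p.port else ""

    return (f"access-list {name} extended permit {PROTO_NAME[pair.local.proto]} "
            f"{addr(pair.local)}{port(pair.local)} {addr(pair.remote)}{port(pair.remote)}")


def mismatches(netscreen: ProxyPair, asa: ProxyPair) -> list[str]:
    """Fields on which the ASA's proposal is not the mirror of the NetScreen's."""
    want = netscreen.mirror()
    out = []
    for side in ("local", "remote"):
        w, got = getattr(want, side), getattr(asa, side)
        for field in ("net", "proto", "port"):
            if getattr(w, field) != getattr(got, field):
                out.append(f"ASA {side} {field}: expected {getattr(w, field)}, got {getattr(got, field)}")
    return out


if __name__ == "__main__":
    # Constructed subnets: NetScreen LAN 10.1.0.0/16, ASA LAN 10.2.0.0/16, HTTPS server behind the ASA.
    ns = netscreen_policy_pair("10.1.0.0/16", "10.2.0.0/16", PROTO_NUM["tcp"], 443)
    print(asa_ace_for(ns.mirror()))
    for ace in ("access-list t extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0",
                "access-list t extended permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq 443"):
        print(ace, "->", mismatches(ns, asa_crypto_acl_pair(ace)) or "mirror OK")
```

With the server behind the ASA, the mirror of "NetScreen LAN -> ASA LAN:443" is an ACE whose source carries the port (`permit tcp 10.2.0.0 255.255.0.0 eq 443 10.1.0.0 255.255.0.0`); a `permit ip` ACE fails on protocol and port, and putting `eq 443` on the destination fails on the port of both IDs, which is exactly the "proposal not chosen" outcome the original poster is seeing.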
Similar Questions
-
I need a patch to get IPsec working with Windows Instant Messenger. I've fought this for about 3 months. I can't make a Messenger call for more than a minute before having to reconnect; it's driving me crazy. Fix your product. Paul *email address removed for privacy*. Settings information (network security), diagnostics that can block connections:
Filter name: Microsoft Instant Messaging. Provider context name: Windows Instant Messenger. Provider name: Microsoft Corp. Provider description: Microsoft Windows Firewall: IPsec provider
Hi paulrhea,
- What version of the operating system are you using?
- Are you able to go online without problems?
- Were you able to use Messenger without any problem before?
If you use Windows 7 or Windows Vista, follow the suggestion given here. Try disabling the firewall for the moment and check whether that fixes the problem. If it does, you may need to contact the manufacturer of the program for settings that can be changed, or check whether there are other updates for the program.
Note: The firewall helps keep the computer safe from worms, hackers, etc. Therefore be sure to turn the firewall back on once you are finished testing.
If it is Windows Firewall, see the article below:
Allow a program to communicate through Windows Firewall
Additional reference on:
-
ASA 8.2 IKE IPsec phase 2 failure
I used the IPsec remote access VPN wizard on an ASA 5510 Security Plus running OS version 8.2.
Group: adminsbbs
User: adminuser
When connecting with the client, it says "Securing communications..." and then it flashes and disconnects. I'm hoping the following debug output will help you help me, so I haven't pasted the config.
What seems to be the cause of the IKE phase 2 failure?
From the ASA device:
asa01# Dec 29 18:54:16 [IKEv1 DEBUG]: IP = 3.4.249.124, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Dec 29 18:54:16 [IKEv1]: IP = 3.4.249.124, Connection landed on tunnel_group adminsbbs
Dec 29 18:54:16 [IKEv1 DEBUG]: Group = adminsbbs, IP = 3.4.249.124, IKE SA Proposal # 1, Transform # 10 acceptable Matches global IKE entry # 1
Dec 29 18:54:16 [IKEv1]: Group = adminsbbs, IP = 3.4.249.124, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, User (adminuser) authenticated.
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Received unhandled transaction mode attribute: 5
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Client Type: Mac OS X Client Application Version: 4.9.01 (0100)
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Assigned private IP address 172.16.20.1 to remote user
Dec 29 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, PHASE 1 COMPLETED
Dec 29 18:54:26 [IKEv1]: IP = 3.4.249.124, Keep-alive type for this connection: DPD
Dec 29 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Starting P1 rekey timer: 82080 seconds.
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Received remote Proxy Host data in ID Payload: Address 172.16.20.1, Protocol 0, Port 0
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, QM IsRekeyed old sa not found by addr
Dec 29 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, IKE Remote Peer configured for crypto map: outside_dyn_map
Dec 29 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, processing IPSec SA payload
Dec 29 18:54:26 [IKEv1]: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
Dec 29 18:54:26 [IKEv1]: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
Dec 29 18:54:26 [IKEv1]: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
Dec 29 18:54:26 [IKEv1]: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, All IPSec SA proposals found unacceptable!
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, QM FSM error (P2 struct &0xcca2f140, mess id 0x374db953)!
Dec 29 18:54:26 [IKEv1 DEBUG]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, IKE QM Responder FSM error history (struct &0xcca2f140) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Removing peer from correlator table failed, no match!
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, Session is being torn down. Reason: Phase 2
Dec 29 18:54:26 [IKEv1]: Ignoring msg to mark SA with dsID 102400 dead because SA deleted
Dec 29 18:54:26 [IKEv1]: IP = 3.4.249.124, Received encrypted packet with no matching SA, dropping
The client log:
Cisco Systems VPN Client Version 4.9.01 (0100)
Copyright (C) 1998-2006 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Mac OS X
Running on: Darwin Darwin Kernel Version 10.5.0: Fri Nov 5 23:20:39 PDT 2010; root:xnu-1504.9.17~1/RELEASE_I386 i386
365 19:09:13.384 12/29/2010 Sev=Info/4 CM/0x43100002
Begin connection process
366 19:09:13.385 12/29/2010 Sev=Warning/2 CVPND/0x83400011
Error -28 sending packet. Dst Addr: 0xAC10D5FF, Src Addr: 0xAC10D501 (DRVIFACE:1158).
367 19:09:13.385 12/29/2010 Sev=Warning/2 CVPND/0x83400011
Error -28 sending packet. Dst Addr: 0xAC107FFF, Src Addr: 0xAC107F01 (DRVIFACE:1158).
368 19:09:13.385 12/29/2010 Sev=Info/4 CM/0x43100004
Establish secure connection using Ethernet
369 19:09:13.385 12/29/2010 Sev=Info/4 CM/0x43100024
Attempt connection with server "1.2.0.14"
370 19:09:13.385 12/29/2010 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (500).
371 19:09:13.387 12/29/2010 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (4500).
372 19:09:13.387 12/29/2010 Sev=Info/6 IKE/0x4300003B
Attempting to establish a connection with 1.2.0.14.
373 19:09:13.471 12/29/2010 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 1.2.0.14
374 19:09:13.538 12/29/2010 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 1.2.0.14
375 19:09:13.538 12/29/2010 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 1.2.0.14
376 19:09:13.538 12/29/2010 Sev=Info/5 IKE/0x43000001
Peer is a Cisco-Unity compliant peer
377 19:09:13.538 12/29/2010 Sev=Info/5 IKE/0x43000001
Peer supports XAUTH
378 19:09:13.539 12/29/2010 Sev=Info/5 IKE/0x43000001
Peer supports DPD
379 19:09:13.539 12/29/2010 Sev=Info/5 IKE/0x43000001
Peer supports NAT-T
380 19:09:13.539 12/29/2010 Sev=Info/5 IKE/0x43000001
Peer supports IKE fragmentation payloads
381 19:09:13.622 12/29/2010 Sev=Info/6 IKE/0x43000001
IOS Vendor ID Construction successful
382 19:09:13.622 12/29/2010 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 1.2.0.14
383 19:09:13.623 12/29/2010 Sev=Info/6 IKE/0x43000055
Sent a keepalive on the IPSec SA
384 19:09:13.623 12/29/2010 Sev=Info/4 IKE/0x43000083
IKE Port in use - Local Port = 0x1194, Remote Port = 0x1194
385 19:09:13.623 12/29/2010 Sev=Info/5 IKE/0x43000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
386 19:09:13.623 12/29/2010 Sev=Info/4 CM/0x4310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
387 19:09:13.639 12/29/2010 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 1.2.0.14
388 19:09:13.639 12/29/2010 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.0.14
389 19:09:13.639 12/29/2010 Sev=Info/4 CM/0x43100015
Launch xAuth application
390 19:09:13.825 12/29/2010 Sev=Info/4 IPSEC/0x43700008
IPSec driver successfully started
391 19:09:13.825 12/29/2010 Sev=Info/4 IPSEC/0x43700014
Delete all keys
392 19:09:16.465 12/29/2010 Sev=Info/4 CM/0x43100017
xAuth application returned
393 19:09:16.465 12/29/2010 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.0.14
394 19:09:16.480 12/29/2010 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 1.2.0.14
395 19:09:16.480 12/29/2010 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.0.14
396 19:09:16.481 12/29/2010 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.0.14
397 19:09:16.481 12/29/2010 Sev=Info/4 CM/0x4310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
398 19:09:16.482 12/29/2010 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 1.2.0.14
399 19:09:16.498 12/29/2010 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 1.2.0.14
400 19:09:16.498 12/29/2010 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 1.2.0.14
401 19:09:16.498 12/29/2010 Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.16.20.1
402 19:09:16.498 12/29/2010 Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
403 19:09:16.498 12/29/2010 Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 1.2.2.2
404 19:09:16.498 12/29/2010 Sev=Info/5 IKE/0x43000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 1.2.2.22
405 19:09:16.498 12/29/2010 Sev=Info/5 IKE/0x4300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
406 19:09:16.498 12/29/2010 Sev=Info/5 IKE/0x4300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000003
407 19:09:16.498 12/29/2010 Sev=Info/5 IKE/0x4300000F
SPLIT_NET #1
subnet = 10.10.10.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port = 0
408 19:09:16.498 12/29/2010 Sev=Info/5 IKE/0x4300000F
SPLIT_NET #2
subnet = 1.2.31.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port = 0
409 19:09:16.498 12/29/2010 Sev=Info/5 IKE/0x4300000F
SPLIT_NET #3
subnet = 1.2.8.0
mask = 255.255.255.0
protocol = 0
src port = 0
dest port = 0
410 19:09:16.498 12/29/2010 Sev=Info/5 IKE/0x4300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
411 19:09:16.499 12/29/2010 Sev=Info/5 IKE/0x4300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5510 Version 8.2(2) built by builders on Tue 11-Jan-10 14:19
412 19:09:16.499 12/29/2010 Sev=Info/5 IKE/0x4300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
413 19:09:16.499 12/29/2010 Sev=Info/4 CM/0x43100019
Mode Config data received
414 19:09:16.500 12/29/2010 Sev=Info/4 IKE/0x43000056
Received a key request from Driver: Local IP = 192.168.0.103, GW IP = 1.2.0.14, Remote IP = 0.0.0.0
415 19:09:16.500 12/29/2010 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 1.2.0.14
416 19:09:16.517 12/29/2010 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 1.2.0.14
417 19:09:16.517 12/29/2010 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 1.2.0.14
418 19:09:16.517 12/29/2010 Sev=Info/5 IKE/0x43000045
Responder lifetime notify has value of 86400 seconds
419 19:09:16.517 12/29/2010 Sev=Info/5 IKE/0x43000047
This SA has already been alive for 3 seconds, setting expiry to 86397 seconds from now
420 19:09:16.518 12/29/2010 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 1.2.0.14
421 19:09:16.518 12/29/2010 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 1.2.0.14
422 19:09:16.518 12/29/2010 Sev=Info/4 IKE/0x43000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 1.2.0.14
423 19:09:16.518 12/29/2010 Sev=Info/4 IKE/0x43000049
Discarding IPsec SA negotiation, MsgID=FCB95275
424 19:09:16.518 12/29/2010 Sev=Info/4 IKE/0x43000017
Marking IKE SA for deletion (I_Cookie=4BEBFA4F685D02E9 R_Cookie=6A6CB439CD58F148) reason = DEL_REASON_IKE_NEG_FAILED
425 19:09:16.520 12/29/2010 Sev=Info/5 IKE/0x4300002F
Received ISAKMP packet: peer = 1.2.0.14
426 19:09:16.520 12/29/2010 Sev=Info/4 IKE/0x43000058
Received an ISAKMP message for a non-active SA, I_Cookie=4BEBFA4F685D02E9 R_Cookie=6A6CB439CD58F148
427 19:09:16.520 12/29/2010 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 1.2.0.14
428 19:09:17.217 12/29/2010 Sev=Info/4 IPSEC/0x43700014
Delete all keys
429 19:09:19.719 12/29/2010 Sev=Info/4 IKE/0x4300004B
Discarding IKE SA negotiation (I_Cookie=4BEBFA4F685D02E9 R_Cookie=6A6CB439CD58F148) reason = DEL_REASON_IKE_NEG_FAILED
430 19:09:19.719 12/29/2010 Sev=Info/4 CM/0x43100012
Phase 1 SA deleted before first Phase 2 SA is up, caused by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
431 19:09:19.719 12/29/2010 Sev=Info/5 CM/0x43100025
Initializing CVPNDrv
432 19:09:19.719 12/29/2010 Sev=Info/4 CVPND/0x4340001F
Privilege Separation: restoring MTU on primary interface.
433 19:09:19.719 12/29/2010 Sev=Info/4 IKE/0x43000001
IKE received signal to terminate VPN connection
434 19:09:20.719 12/29/2010 Sev=Info/4 IPSEC/0x43700014
Delete all keys
435 19:09:20.719 12/29/2010 Sev=Info/4 IPSEC/0x43700014
Delete all keys
436 19:09:20.719 12/29/2010 Sev=Info/4 IPSEC/0x43700014
Delete all keys
437 19:09:20.719 12/29/2010 Sev=Info/4 IPSEC/0x4370000A
IPSec driver successfully stopped
Hello 3moloz123,
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
1. The reason the remote access (RA) VPN couldn't come up before changing from TRANS_ESP_3DES_MD5 to ESP_3DES_MD5 is that transport mode is not supported for RA VPN. You must use tunnel mode for IPsec processing, because we must keep the inner IP header so that, once the packet is decapsulated and decrypted at the IPsec head-end, we can forward it.
In the logs you can see this failure:
Dec 29 18:54:26 [IKEv1]: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
Repeated x4
Rcv'd is the transform sent by the RA client. Cfg'd is what the dynamic crypto map supports.
2. The isakmp policy change was unnecessary; Phase 1 came up fine, indicating ISAKMP worked. Phase 2 begins only after a successful Phase 1 (ISAKMP session).
After failing to build Phase 2 (the child SA) we drop the ISAKMP SA since it is not used.
I hope that answers your questions.
Kind regards,
Craig
-
Original title: IPsec negotiation failure is preventing connection
My internet connection constantly drops and restarts, and when I troubleshoot I get the message "IPsec negotiation failure is preventing connection." I don't use a VPN or anything, so I have no idea what it means. I have restarted the router several times. Any other ideas?
Hello
1. Are you using a wired or a wireless connection?
2. Did it work fine before?
3. Did you make any changes to the computer before the issue appeared?
Method 1: Reset the router and see if that helps.
Note: To reset the router, consult the manual that came with it or contact the router manufacturer.
Method 2: Uninstall and reinstall the NIC drivers and see if that helps.
Follow these steps:
(a) Click Start, right-click Computer.
(b) Click Properties, then Device Manager.
(c) Expand Network adapters, right-click the wireless adapter.
(d) Click Uninstall.
(e) Now go to your computer or wireless device manufacturer's website, download the updated drivers and install them.
Reference:
Update a driver for hardware that isn't working properly:
http://Windows.Microsoft.com/en-us/Windows7/update-a-driver-for-hardware-that-isn ' t-work correctly
-
Hello
First I must admit that I am not very versed in Cisco equipment or in IPsec connections in general, so my apologies if I'm doing something really obviously stupid, but I have checked through all sorts of things I could find on the internet about configuring IPsec VPNs.
The setup I have is an ASA 5520 (OS 8.2) firewall which, for now, is connected to a temporary home-broadband-style connection for testing purposes. The Netopia router is configured to allow IPsec passthrough and to forward UDP 62515, TCP 10000, UDP 4500 and UDP 500 to the ASA 5520.
I'm trying to connect from a laptop with the Windows firewall disabled and Cisco VPN client version 5.0.02.0090.
I have run several attempts through the IPsec configuration wizard options. Most of the time nothing appears in the log to show that a connection was attempted, but there is one way I can set up the options that produces the following in the firewall log:
4|Sep 24 2010|13:54:29|713903|Group = VPNtest9, IP = 86.44.x.x, Error: Unable to remove PeerTblEntry
5|Sep 24 2010|13:54:29|713902|Group = VPNtest9, IP = 86.44.x.x, Removing peer from peer table failed, no match!
6|Sep 24 2010|13:54:21|713905|Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
3|Sep 24 2010|13:54:21|713201|Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|Sep 24 2010|13:54:16|713905|Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
3|Sep 24 2010|13:54:16|713201|Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|Sep 24 2010|13:54:11|713905|Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
3|Sep 24 2010|13:54:11|713201|Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
6|Sep 24 2010|13:54:06|302015|86.44.x.x|51905|192.168.0.27|500|Built inbound UDP connection 7487 for Internet:86.44.x.x/51905 (86.44.x.x/51905) to identity:192.168.0.27/500 (192.168.0.27/500)
and this in the client log:
Cisco Systems VPN Client Version 5.0.02.0090
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
24 13:54:08.250 09/24/10 Sev=Info/4 CM/0x63100002
Begin connection process
25 13:54:08.265 09/24/10 Sev=Info/4 CM/0x63100004
Establish secure connection
26 13:54:08.265 09/24/10 Sev=Info/4 CM/0x63100024
Attempt connection with server "213.94.x.x"
27 13:54:08.437 09/24/10 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 213.94.x.x.
28 13:54:08.437 09/24/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 213.94.x.x
29 13:54:08.484 09/24/10 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
30 13:54:08.484 09/24/10 Sev=Info/4 IPSEC/0x63700014
Delete all keys
31 13:54:13.484 09/24/10 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
32 13:54:13.484 09/24/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 213.94.x.x
33 13:54:18.484 09/24/10 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
34 13:54:18.484 09/24/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 213.94.x.x
35 13:54:23.484 09/24/10 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
36 13:54:23.484 09/24/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 213.94.x.x
37 13:54:28.484 09/24/10 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=36C50ACCE984B0B0 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
38 13:54:28.984 09/24/10 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=36C50ACCE984B0B0 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
39 13:54:28.984 09/24/10 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "213.94.x.x" because of "DEL_REASON_PEER_NOT_RESPONDING"
40 13:54:28.984 09/24/10 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
41 13:54:28.984 09/24/10 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
42 13:54:28.984 09/24/10 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
43 13:54:29.187 09/24/10 Sev=Info/4 IPSEC/0x63700014
Delete all keys
44 13:54:29.187 09/24/10 Sev=Info/4 IPSEC/0x63700014
Delete all keys
45 13:54:29.187 09/24/10 Sev=Info/4 IPSEC/0x63700014
Delete all keys
46 13:54:29.187 09/24/10 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
I have full HTTP connectivity from the internet to a machine inside the ASA 5520, so I think the static routing and NAT should be OK, but I'm happy to provide any details.
Can you see what I'm doing wrong?
Thank you
Sam
Please add the following policy:
crypto isakmp policy 10
 authentication pre-share
 encryption
 hash md5
 group 2
You can also run debugs on the ASA:
debug cry isa
debug cry ipsec
and collect the debug output after trying to connect.
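Both the phase 2 thread above (Encapsulation Mode: client proposes UDP Tunnel(NAT-T), ASA configured for UDP Transport) and this phase 1 thread (Group Description: client proposes Group 2, ASA configured for Group 1) fail on the same kind of ASA message, while the client log only ever says NO_PROPOSAL_CHOSEN or stops responding. The script below is an added example, not from the threads or from Cisco: it pulls the "Mismatched attribute types" lines out of ASA debug or syslog output (both the `[IKEv1]` debug form and the ASDM pipe-delimited syslog-ID 713257 form), collapses the repeats, reports the received versus configured value per phase, and points at the configuration knob that sets the ASA's side. The sample lines are transcribed from the two threads; the knob mapping covers only the two attribute classes seen here and is our own assumption.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Added example (not from the threads): triage ASA IKEv1 "Mismatched attribute
# types" failures.  "Rcv'd" is what the peer proposed, "Cfg'd" is what the ASA
# is configured to accept; the regex accepts both the debug and the syslog form.
MISMATCH_RE = re.compile(
    r"Phase (?P<phase>[12]) failure: Mismatched attribute types for class "
    r"(?P<cls>[^:]+): Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+?)\s*$"
)

# Attribute class -> where the ASA's "Cfg'd" value is set (assumed mapping for the
# two classes seen in the threads; anything else gets the generic hint).
KNOBS = {
    (1, "Group Description"): "crypto isakmp policy <n> / group <g>",
    (2, "Encapsulation Mode"): "crypto ipsec transform-set <name> mode {tunnel|transport}",
}


@dataclass(frozen=True)
class Mismatch:
    phase: int
    attr_class: str
    received: str    # what the peer (here the VPN client) proposed
    configured: str  # what the ASA is configured to accept


def parse_mismatch(line: str) -> Optional[Mismatch]:
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    return Mismatch(int(m["phase"]), m["cls"].strip(), m["rcvd"].strip(), m["cfgd"].strip())


def triage(lines: Iterable[str]) -> list[dict]:
    """One entry per distinct mismatch: how often it repeated and which knob to look at."""
    counts: Counter = Counter()
    for line in lines:
        mm = parse_mismatch(line)
        if mm is not None:
            counts[mm] += 1
    return [
        {"phase": mm.phase, "class": mm.attr_class, "received": mm.received,
         "configured": mm.configured, "repeats": n,
         "knob": KNOBS.get((mm.phase, mm.attr_class), "check the proposal/transform for this class")}
        for mm, n in counts.items()
    ]


def client_saw_no_proposal_chosen(lines: Iterable[str]) -> bool:
    """The client log only says NO_PROPOSAL_CHOSEN; the ASA side names the attribute."""
    return any("NOTIFY:NO_PROPOSAL_CHOSEN" in line for line in lines)


# Constructed sample: debug lines transcribed from the phase 2 thread and
# ASDM-style syslog lines transcribed from the phase 1 thread.
ASA_LOG_SAMPLE = """\
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, PHASE 1 COMPLETED
Dec 29 18:54:26 [IKEv1]: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
Dec 29 18:54:26 [IKEv1]: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T) Cfg'd: UDP Transport
Dec 29 18:54:26 [IKEv1]: Group = adminsbbs, Username = adminuser, IP = 3.4.249.124, All IPSec SA proposals found unacceptable!
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
3|Sep 24 2010|13:54:06|713257|Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
"""

CLIENT_LOG_SAMPLE = """\
421 19:09:16.518 12/29/2010 Sev=Info/4 IKE/0x43000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 1.2.0.14
"""

if __name__ == "__main__":
    for entry in triage(ASA_LOG_SAMPLE.splitlines()):
        print(entry)
    print("client saw NO_PROPOSAL_CHOSEN:", client_saw_no_proposal_chosen(CLIENT_LOG_SAMPLE.splitlines()))
```

Run against the two samples it yields one phase 2 entry (UDP Tunnel(NAT-T) vs UDP Transport, repeated twice, pointing at the transform-set mode, which is the fix Craig gave) and one phase 1 entry (Group 2 vs Group 1, repeated three times, pointing at the isakmp policy group, which is the fix given here). On a real box the same lines come from `debug crypto isakmp` or the buffered syslog.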
-
Cisco VPN client connection error on ASA 5505
I am unable to connect to the VPN I created on my ASA 5505 using the Cisco VPN Client on a Windows machine. The VPN client log and the ASA 5505 config are below. Any help solving this is appreciated.
CISCO VPN CLIENT LOG
Cisco Systems VPN Client Version 5.0.06.0160
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7600
Config file directory: C:\Program Cisco Systems Client\
1 09:34:23.030 04/13/11 Sev=Info/4 CM/0x63100002
Begin connection process
2 09:34:23.061 04/13/11 Sev=Info/4 CM/0x63100004
Establish secure connection
3 09:34:23.061 04/13/11 Sev=Info/4 CM/0x63100024
Attempt connection with server "71.xx.xx.253"
4 09:34:23.061 04/13/11 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 71.xx.xx.253.
5 09:34:23.061 04/13/11 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
6 09:34:23.077 04/13/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 71.xx.xx.253
7 09:34:23.170 04/13/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 71.xx.xx.253
8 09:34:23.170 04/13/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from 71.xx.xx.253
9 09:34:23.170 04/13/11 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
10 09:34:23.170 04/13/11 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
11 09:34:23.170 04/13/11 Sev=Info/5 IKE/0x63000001
Peer supports DPD
12 09:34:23.170 04/13/11 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
13 09:34:23.170 04/13/11 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
14 09:34:23.170 04/13/11 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Construction successful
15 09:34:23.170 04/13/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 71.xx.xx.253
16 09:34:23.170 04/13/11 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
17 09:34:23.170 04/13/11 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xEB07, Remote Port = 0x1194
18 09:34:23.170 04/13/11 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
19 09:34:23.170 04/13/11 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
20 09:34:23.170 04/13/11 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
21 09:34:23.186 04/13/11 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
22 09:34:23.186 04/13/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 71.xx.xx.253
23 09:34:23.248 04/13/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 71.xx.xx.253
24 09:34:23.248 04/13/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 71.xx.xx.253
25 09:34:23.248 04/13/11 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 172.26.6.1
26 09:34:23.248 04/13/11 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.0.0
27 09:34:23.248 04/13/11 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 172.26.0.250
28 09:34:23.248 04/13/11 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 172.26.0.251
29 09:34:23.248 04/13/11 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
30 09:34:23.248 04/13/11 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = TLCUSA
31 09:34:23.248 04/13/11 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
32 09:34:23.248 04/13/11 Sev=Info/5 IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.2(1) built by builders on Wed 05-May-09 22:45
33 09:34:23.248 04/13/11 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
34 09:34:23.248 04/13/11 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
35 09:34:23.248 04/13/11 Sev=Info/4 CM/0x63100019
Mode Config data received
36 09:34:23.264 04/13/11 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 172.26.6.1, GW IP = 71.xx.xx.253, Remote IP = 0.0.0.0
37 09:34:23.264 04/13/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 71.xx.xx.253
38 09:34:23.326 04/13/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 71.xx.xx.253
39 09:34:23.326 04/13/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 71.xx.xx.253
40 09:34:23.326 04/13/11 Sev=Info/5 IKE/0x63000045
Responder lifetime notify has value of 86400 seconds
41 09:34:23.326 04/13/11 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 0 seconds, setting expiry to 86400 seconds from now
42 09:34:23.326 04/13/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 71.xx.xx.253
43 09:34:23.326 04/13/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 71.xx.xx.253
44 09:34:23.326 04/13/11 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 71.xx.xx.253
45 09:34:23.326 04/13/11 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=89EE7032
46 09:34:23.326 04/13/11 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=2617522400DC1763 R_Cookie=029325381036CCD8) reason = DEL_REASON_IKE_NEG_FAILED
47 09:34:23.326 04/13/11 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 71.xx.xx.253
48 09:34:23.326 04/13/11 Sev=Info/4 IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=2617522400DC1763 R_Cookie=029325381036CCD8
49 09:34:23.326 04/13/11 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from 71.xx.xx.253
50 09:34:26.696 04/13/11 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=2617522400DC1763 R_Cookie=029325381036CCD8) reason = DEL_REASON_IKE_NEG_FAILED
51 09:34:26.696 04/13/11 Sev=Info/4 CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up, caused by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
52 09:34:26.696 04/13/11 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
53 09:34:26.696 04/13/11 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
54 09:34:26.696 04/13/11 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
----------------------------------------------------------------------------------------
ASA 5505 CONFIG
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name masociete.com
enable password tdkuTUSh53d2MT6B encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.26.0.252 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 71.xx.xx.253 255.255.255.240
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
 domain-name masociete.com
access-list LIMU_Split_Tunnel_List remark The corporate network behind the ASA
access-list LIMU_Split_Tunnel_List standard permit 172.26.0.0 255.255.0.0
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit udp any any eq 4500
access-list outside_access_in extended permit udp any any eq isakmp
access-list outside_access_in extended permit tcp any host 71.xx.xxx.251 eq ftp
access-list outside_access_in extended permit tcp any host 71.xx.xxx.244 eq 3389
access-list inside_outbound_nat0_acl extended permit ip any 172.26.5.192 255.255.255.240
access-list inside_outbound_nat0_acl extended permit ip any 172.26.6.0 255.255.255.128
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool VPN_POOL 172.26.6.1-172.26.6.100 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 71.xx.xxx.251 172.26.5.9 netmask 255.255.255.255
static (inside,outside) 71.xx.xxx.244 172.26.0.136 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 71.xx.xxx.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 172.26.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 172.26.0.250 172.26.0.251
 dns-server value 172.26.0.250 172.26.0.251
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 default-domain value TLCUSA
group-policy LIMUVPNPOL1 internal
group-policy LIMUVPNPOL1 attributes
 dns-server value 172.26.0.250 172.26.0.251
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value LIMU_Split_Tunnel_List
 address-pools value VPN_POOL
group-policy TLCVPNGROUP internal
group-policy TLCVPNGROUP attributes
 dns-server value 172.26.0.250 172.26.0.251
 vpn-tunnel-protocol IPSec l2tp-ipsec svc
 re-xauth disable
 ipsec-udp enable
 default-domain value TLCUSA
username barry.julien password YCkQv7rLwCSNRqra06+QXg nt-encrypted privilege 0
username barry.julien attributes
 vpn-group-policy TLCVPNGROUP
 vpn-tunnel-protocol IPSec l2tp-ipsec
username bjulien password bhKBinDUWhYqGbP4 encrypted
username bjulien attributes
 vpn-group-policy TLCVPNGROUP
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_POOL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group TLCVPNGROUP type remote-access
tunnel-group TLCVPNGROUP general-attributes
 address-pool VPN_POOL
 default-group-policy TLCVPNGROUP
tunnel-group TLCVPNGROUP ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none
tunnel-group TLCVPNGROUP ppp-attributes
 authentication pap
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b94898c163c59cee6c143943ba87e8a4
: end
asdm history enable
Can you try changing the dynamic map's transform-set to ESP-3DES-SHA?
For example, remove
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
and replace it with
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
-
Problem with remote access VPN on ASA 5505
I currently have a problem configuring an ASA 5505 for remote-access VPN using the Cisco VPN Client 5.0.07.0440 on Windows 8 Pro x64. The VPN client prompts for the username and password during the connection process, but fails shortly afterwards.
The VPN client connection log is as follows:
---------------------------------------------------------------------------------------------------------------------------------------
Cisco Systems VPN Client Version 5.0.07.0440
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.2.9200
2      15:09:21.240  11/12/12  Sev=Info/4  CM/0x63100002
Begin connection process
3      15:09:21.287  11/12/12  Sev=Info/4  CM/0x63100004
Establish secure connection
4      15:09:21.287  11/12/12  Sev=Info/4  CM/0x63100024
Attempt connection with server "*.**.***.***"
5      15:09:21.287  11/12/12  Sev=Info/6  IKE/0x6300003B
Attempting to establish a connection with *.**.***.***.
6      15:09:21.287  11/12/12  Sev=Info/4  IKE/0x63000001
Starting IKE Phase 1 Negotiation
7      15:09:21.303  11/12/12  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to *.**.***.***
8      15:09:21.365  11/12/12  Sev=Info/6  GUI/0x63B00012
Authentication request attributes is 6:00.
9      15:09:21.334  11/12/12  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***
10     15:09:21.334  11/12/12  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, KE, NON, ID, HASH, VID(Unity), VID(Xauth), VID(dpd), VID(Nat-T), NAT-D, NAT-D, VID(Frag), VID(?)) from *.**.***.***
11     15:09:21.334  11/12/12  Sev=Info/5  IKE/0x63000001
Peer is a Cisco-Unity compliant peer
12     15:09:21.334  11/12/12  Sev=Info/5  IKE/0x63000001
Peer supports XAUTH
13     15:09:21.334  11/12/12  Sev=Info/5  IKE/0x63000001
Peer supports DPD
14     15:09:21.334  11/12/12  Sev=Info/5  IKE/0x63000001
Peer supports NAT-T
15     15:09:21.334  11/12/12  Sev=Info/5  IKE/0x63000001
Peer supports IKE fragmentation payloads
16     15:09:21.334  11/12/12  Sev=Info/6  IKE/0x63000001
IOS Vendor ID construction successful
17     15:09:21.334  11/12/12  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to *.**.***.***
18     15:09:21.334  11/12/12  Sev=Info/6  IKE/0x63000055
Sent a keepalive on the IPSec SA
19     15:09:21.334  11/12/12  Sev=Info/4  IKE/0x63000083
IKE Port in use - Local Port = 0xFBCE, Remote Port = 0x1194
20     15:09:21.334  11/12/12  Sev=Info/5  IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device
21     15:09:21.334  11/12/12  Sev=Info/4  CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
22     15:09:21.365  11/12/12  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***
23     15:09:21.365  11/12/12  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from *.**.***.***
24     15:09:21.365  11/12/12  Sev=Info/4  CM/0x63100015
Launch xAuth application
25     15:09:21.474  11/12/12  Sev=Info/4  IPSEC/0x63700008
IPSec driver successfully started
26     15:09:21.474  11/12/12  Sev=Info/4  IPSEC/0x63700014
Deleted all keys
27     15:09:27.319  11/12/12  Sev=Info/4  CM/0x63100017
xAuth application returned
28     15:09:27.319  11/12/12  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to *.**.***.***
29     15:09:27.365  11/12/12  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***
30     15:09:27.365  11/12/12  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from *.**.***.***
31     15:09:27.365  11/12/12  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to *.**.***.***
32     15:09:27.365  11/12/12  Sev=Info/4  CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
33     15:09:27.365  11/12/12  Sev=Info/5  IKE/0x6300005E
Client sending a firewall request to concentrator
34     15:09:27.365  11/12/12  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to *.**.***.***
35     15:09:27.397  11/12/12  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***
36     15:09:27.397  11/12/12  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from *.**.***.***
37     15:09:27.397  11/12/12  Sev=Info/5  IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.2.70
38     15:09:27.397  11/12/12  Sev=Info/5  IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_NETMASK: , value = 255.255.255.0
39     15:09:27.397  11/12/12  Sev=Info/5  IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.2.1
40     15:09:27.397  11/12/12  Sev=Info/5  IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(2): , value = 8.8.8.8
41     15:09:27.397  11/12/12  Sev=Info/5  IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000001
42     15:09:27.397  11/12/12  Sev=Info/5  IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = NCHCO
43     15:09:27.397  11/12/12  Sev=Info/5  IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
44     15:09:27.397  11/12/12  Sev=Info/5  IKE/0x6300000E
MODE_CFG_REPLY: Attribute = APPLICATION_VERSION, value = Cisco Systems, Inc ASA5505 Version 8.2(5) built by builders on Sat 20-May-11 16:00
45     15:09:27.397  11/12/12  Sev=Info/5  IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SMARTCARD_REMOVAL_DISCONNECT: , value = 0x00000001
46     15:09:27.397  11/12/12  Sev=Info/5  IKE/0x6300000D
MODE_CFG_REPLY: Attribute = Received and using NAT-T port number , value = 0x00001194
47     15:09:27.397  11/12/12  Sev=Info/4  CM/0x63100019
Mode Config data received
48     15:09:27.412  11/12/12  Sev=Info/4  IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.2.70, GW IP = *.**.***., Remote IP = 0.0.0.0
49     15:09:27.412  11/12/12  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to *.**.***.***
50     15:09:27.444  11/12/12  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***
51     15:09:27.444  11/12/12  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from *.**.***.***
52     15:09:27.444  11/12/12  Sev=Info/5  IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
53     15:09:27.444  11/12/12  Sev=Info/5  IKE/0x63000047
This SA has already been alive for 6 seconds, setting expiry to 86394 seconds from now
54     15:09:27.459  11/12/12  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***
55     15:09:27.459  11/12/12  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from *.**.***.***
56     15:09:27.459  11/12/12  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to *.**.***.***
57     15:09:27.459  11/12/12  Sev=Info/4  IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=CE99A8A8
58     15:09:27.459  11/12/12  Sev=Info/4  IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
59     15:09:27.459  11/12/12  Sev=Info/5  IKE/0x6300002F
Received ISAKMP packet: peer = *.**.***.***
60     15:09:27.459  11/12/12  Sev=Info/4  IKE/0x63000058
Received an ISAKMP message for a non-active SA, I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924
61     15:09:27.459  11/12/12  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(Dropped) from *.**.***.***
62     15:09:27.490  11/12/12  Sev=Info/4  IPSEC/0x63700014
Deleted all keys
63     15:09:30.475  11/12/12  Sev=Info/4  IKE/0x6300004B
Deleting IKE SA (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
64     15:09:30.475  11/12/12  Sev=Info/4  CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
65     15:09:30.475  11/12/12  Sev=Info/5  CM/0x63100025
Initializing CVPNDrv
66     15:09:30.475  11/12/12  Sev=Info/6  CM/0x63100046
Set tunnel established flag in registry to 0.
67     15:09:30.475  11/12/12  Sev=Info/4  IKE/0x63000001
IKE received signal to terminate VPN connection
68     15:09:30.475  11/12/12  Sev=Info/4  IPSEC/0x63700014
Deleted all keys
69     15:09:30.475  11/12/12  Sev=Info/4  IPSEC/0x63700014
Deleted all keys
70     15:09:30.475  11/12/12  Sev=Info/4  IPSEC/0x63700014
Deleted all keys
71     15:09:30.475  11/12/12  Sev=Info/4  IPSEC/0x6370000A
IPSec driver successfully stopped
---------------------------------------------------------------------------------------------------------------------------------------
The running configuration is as follows (there is also a site-to-site VPN configured to another ASA 5505, and that one works perfectly):
: Saved
:
ASA Version 8.2(5)
!
hostname NCHCO
enable password hTjwXz/V8EuTw9p9 encrypted
passwd hTjwXz/V8EuTw9p9 encrypted
names
name 192.168.2.0 NCHCO description City offices
name 192.168.2.80 VPN_End
name 192.168.2.70 VPN_Start
!
interface Ethernet0/0
 switchport access vlan 2
 speed 100
 duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address **.***. 255.255.255.248
!
boot system disk0:/asa825-k8.bin
ftp mode passive
access-list outside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.2.64 255.255.255.224
access-list outside_1_cryptomap extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip NCHCO 255.255.255.0 192.168.1.0 255.255.255.0
access-list LAN_Access standard permit NCHCO 255.255.255.0
access-list LAN_Access standard permit 0.0.0.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_Pool VPN_Start-VPN_End mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 0 access-list outside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 74.219.208.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
 network-acl outside_nat0_outbound
 webvpn
  svc ask enable default svc
http server enable
http 192.168.1.0 255.255.255.0 inside
http *.**.***. 255.255.255.255 outside
http 74.218.158.238 255.255.255.255 outside
http NCHCO 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set l2tp-transform esp-3des esp-sha-hmac
crypto ipsec transform-set l2tp-transform mode transport
crypto ipsec transform-set vpn-transform esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyn-map 10 set pfs group1
crypto dynamic-map dyn-map 10 set transform-set vpn-transform l2tp-transform
crypto dynamic-map dyn-map 10 set reverse-route
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 74.219.208.50
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto map vpn-map 1 match address outside_1_cryptomap_1
crypto map vpn-map 1 set pfs group1
crypto map vpn-map 1 set peer 74.219.208.50
crypto map vpn-map 1 set transform-set ESP-3DES-SHA
crypto map vpn-map 10 ipsec-isakmp dynamic dyn-map
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 15
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 35
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
client-update enable
telnet 192.168.1.0 255.255.255.0 inside
telnet NCHCO 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh NCHCO 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.150-192.168.2.225 inside
dhcpd dns 216.68.4.10 216.68.5.10 interface inside
dhcpd lease 64000 interface inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 192.168.2.1
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value nchco.local
group-policy DfltGrpPolicy attributes
 dns-server value 192.168.2.1
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 password-storage enable
 ipsec-udp enable
 intercept-dhcp 255.255.255.0 enable
 address-pools value VPN_Pool
group-policy NCHVPN internal
group-policy NCHVPN attributes
 dns-server value 192.168.2.1 8.8.8.8
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value NCHCO
username admin password LbMiJuAJjDaFb2uw encrypted privilege 15
username 8njferg password yB1lHEVmHZGj5C2Z encrypted privilege 15
username NCHvpn99 password QhZZtJfwbnowceB7 encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) VPN_Pool
 address-pool VPN_Pool
 authentication-server-group (inside) LOCAL
 authentication-server-group (outside) LOCAL
 authorization-server-group LOCAL
 authorization-server-group (inside) LOCAL
 authorization-server-group (outside) LOCAL
 default-group-policy DefaultRAGroup
 strip-realm
 strip-group
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group 74.219.208.50 type ipsec-l2l
tunnel-group 74.219.208.50 ipsec-attributes
 pre-shared-key *
tunnel-group NCHVPN type remote-access
tunnel-group NCHVPN general-attributes
 address-pool VPN_Pool
 default-group-policy NCHVPN
tunnel-group NCHVPN ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:15852745977ff159ba808c4a4feb61fa
: end
asdm image disk0:/asdm-645.bin
asdm location VPN_Start 255.255.255.255 inside
asdm location VPN_End 255.255.255.255 inside
no asdm history enable
Does anyone have any idea why this is happening?
Thank you!
Add: crypto dynamic-map outside_dyn_map 20 set reverse-route
Regards,
Safwan
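Both client logs in this thread (the one ending in MsgID 89EE7032 above and the Windows 8 one just shown) fail the same way: Phase 1 and XAUTH complete, the client sends Quick Mode, and the ASA answers with NOTIFY:NO_PROPOSAL_CHOSEN. The following is an added example, not code from the thread or from Cisco, that parses Cisco VPN Client log entries in their native two-line layout and reports the phase at which the negotiation died together with the MsgID and cookies an administrator would match against the gateway's own log. The sample log is constructed from the messages seen above, with a placeholder peer address (203.0.113.1); the header regex and the phase heuristics are my own assumptions about the client's log format.

```python
import re

# Constructed sample log, laid out like the Cisco VPN Client's
# "N  HH:MM:SS.mmm  dd/mm/yy  Sev=Info/4  IKE/0x63000013" entries.
# 203.0.113.1 is a documentation placeholder, not a real gateway.
SAMPLE_LOG = """\
6      15:09:21.287  11/12/12  Sev=Info/4  IKE/0x63000001
Starting IKE Phase 1 Negotiation
7      15:09:21.303  11/12/12  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Nat-T), VID(Unity)) to 203.0.113.1
21     15:09:21.334  11/12/12  Sev=Info/4  CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
32     15:09:27.365  11/12/12  Sev=Info/4  CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
49     15:09:27.412  11/12/12  Sev=Info/4  IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 203.0.113.1
55     15:09:27.459  11/12/12  Sev=Info/4  IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 203.0.113.1
57     15:09:27.459  11/12/12  Sev=Info/4  IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=CE99A8A8
58     15:09:27.459  11/12/12  Sev=Info/4  IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=A3A341F1C7606AD5 R_Cookie=F1F403018625E924) reason = DEL_REASON_IKE_NEG_FAILED
"""

# Header line: sequence, time, date, severity, subsystem/event code (assumed layout).
HEADER_RE = re.compile(
    r"^\s*(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+Sev=(\S+)\s+(\S+)/(0x[0-9A-Fa-f]+)\s*$"
)


def parse_entries(text):
    """Pair each header line with the message line that follows it."""
    entries = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 1 < len(lines):
            entries.append({"seq": int(m.group(1)), "time": m.group(2),
                            "subsystem": m.group(5), "code": m.group(6),
                            "msg": lines[i + 1].strip()})
            i += 2
        else:
            i += 1
    return entries


def diagnose(text):
    """Classify where an IKEv1 remote-access negotiation died.

    Returns the phase reached, the failure notify (if any) and the MsgID and
    ISAKMP cookies needed to correlate with the gateway's log.
    """
    result = {"phase1_established": False, "xauth_completed": False,
              "quick_mode_sent": False, "notify": None, "msgid": None,
              "i_cookie": None, "r_cookie": None, "diagnosis": "no failure seen"}
    for e in parse_entries(text):
        msg = e["msg"]
        if msg.startswith("Established Phase 1 SA"):
            result["phase1_established"] = True
            if "1 User Authenticated IKE SA" in msg:
                result["xauth_completed"] = True  # XAUTH done, Mode Config next
        elif msg.startswith("SENDING") and "ISAKMP OAK QM" in msg:
            result["quick_mode_sent"] = True      # Phase 2 proposal went out
        elif msg.startswith("RECEIVING") and "NOTIFY:" in msg:
            n = re.search(r"NOTIFY:([A-Z_]+)", msg)
            if n and n.group(1) != "STATUS_RESP_LIFETIME":  # lifetime notify is benign
                result["notify"] = n.group(1)
        elif msg.startswith("Discarding IPsec SA negotiation"):
            m = re.search(r"MsgID=([0-9A-F]+)", msg)
            result["msgid"] = m.group(1) if m else None
        elif "I_Cookie=" in msg:
            m = re.search(r"I_Cookie=([0-9A-F]+)\s+R_Cookie=([0-9A-F]+)", msg)
            if m:
                result["i_cookie"], result["r_cookie"] = m.group(1), m.group(2)
    if result["notify"] == "NO_PROPOSAL_CHOSEN":
        if result["quick_mode_sent"]:
            result["diagnosis"] = ("phase 2 proposal rejected: check the transform-set "
                                   "(and tunnel vs transport mode) on the dynamic crypto map")
        else:
            result["diagnosis"] = "phase 1 proposal rejected: check the isakmp policies"
    elif result["notify"]:
        result["diagnosis"] = "negotiation failed with " + result["notify"]
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Because the rejection arrives after the QM send and after both "Established Phase 1 SA" lines, the tool attributes the failure to the Phase 2 proposal rather than to the ISAKMP policy or to XAUTH, which is the distinction the replies in this thread turn on.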
-
ASA IPsec VPN with a dynamic-IP peer and certificates
Hello!
Could someone please give me a working ASA-to-ASA site-to-site IPsec VPN configuration for a peer with a dynamic IP and certificate authentication?
It works with PSK authentication, but with certificate authentication the connection lands in DefaultRAGroup instead of DefaultL2LGroup.
What special configuration do I need in DefaultRAGroup to bring the connection up?
Thank you!
The ASA uses parts of the client cert DN to perform a tunnel-group lookup to place the user in a group. When "peer-id-validate req" is configured the ASA also tries to compare the IKE ID (cert DN) with the actual cert DN (also received in the IKE negotiation); if the comparison fails, the connection fails. You could set "peer-id-validate cert" for the time being and the ASA will try to compare the values but allow the connection if it cannot.
In general I would suggest using the "cert" option.
With nocheck, we are simply not strict on the IKE ID matching the certificate, which is normally not a security problem :-)
-
CSCux29978 on systems not configured for IKE
For firewalls that do not have IKEv1 or IKEv2 enabled/configured, could the code still be executed and force a reboot or allow remote code execution?
Hi awysocki,
The documentation states that you need either a site-to-site tunnel running IKEv1 or IKEv2, or a remote-access connection using IPsec. If you have any of these technologies, the exploit can be run.
You can verify whether IPsec is enabled with the command:
ciscoasa# show running-config crypto map | include interface
crypto map outside_map interface outside
https://Tools.Cisco.com/Security/Center/content/CiscoSecurityAdvisory/Cisco-SA-20160210-ASA-IKE
Hope this helps - Randy
-
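The advisory check just given ("show running-config crypto map | include interface") and the NO_PROPOSAL_CHOSEN failures earlier in this thread are both questions about the crypto section of an ASA 8.2 running config, so one added example, written by me and not taken from the thread or from Cisco, covers both. It parses transform-sets, dynamic-map entries and crypto-map bindings, lists the interfaces that actually terminate IKE (crypto map bound and ISAKMP enabled), and flags dynamic-map entries whose only transform-sets are "mode transport" or reference an undefined set. The transport-mode rule rests on an assumption I am confident of but which the thread does not state outright: the Cisco VPN Client negotiates tunnel mode, and transform-sets marked "mode transport" exist for L2TP/IPsec. The sample config is constructed and condensed from the first ASA config above; MISSING_SET and inside_dyn_map are placeholders I added.

```python
import re
from collections import defaultdict

# Constructed sample, condensed from the crypto section of the first ASA 8.2
# config in the thread. MISSING_SET and inside_dyn_map are placeholders.
SAMPLE_CONFIG = """\
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map outside_dyn_map 30 set transform-set ESP-3DES-SHA MISSING_SET
crypto dynamic-map inside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable outside
"""


def parse_crypto(config):
    """Collect transform-sets, dynamic-map entries and crypto-map bindings."""
    transform_sets = {}                 # name -> {"transforms": [...], "mode": ...}
    dyn_entries = defaultdict(dict)     # dyn-map name -> {seq: [set names]}
    map_dynamic = defaultdict(list)     # crypto map name -> [dyn-map names]
    map_interfaces = {}                 # crypto map name -> interface
    isakmp_ifaces = set()               # interfaces with "crypto isakmp enable"
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+) mode transport$", line):
            ts = transform_sets.setdefault(m.group(1), {"transforms": [], "mode": "tunnel"})
            ts["mode"] = "transport"
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            ts = transform_sets.setdefault(m.group(1), {"transforms": [], "mode": "tunnel"})
            ts["transforms"] = m.group(2).split()
        elif m := re.match(r"crypto dynamic-map (\S+) (\d+) set transform-set (.+)$", line):
            dyn_entries[m.group(1)][int(m.group(2))] = m.group(3).split()
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$", line):
            map_dynamic[m.group(1)].append(m.group(2))
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            map_interfaces[m.group(1)] = m.group(2)
        elif m := re.match(r"crypto isakmp enable (\S+)$", line):
            isakmp_ifaces.add(m.group(1))
    return transform_sets, dyn_entries, map_dynamic, map_interfaces, isakmp_ifaces


def audit(config):
    """Report IKE-terminating interfaces and dynamic-map proposal problems."""
    ts, dyn, mapdyn, mapif, isakmp = parse_crypto(config)
    # An interface only terminates IKE when a crypto map is bound to it AND
    # ISAKMP is enabled on it; that is the exposure the advisory check is after.
    ike_ifaces = sorted(iface for iface in mapif.values() if iface in isakmp)
    findings = []
    for map_name, iface in mapif.items():
        for dyn_name in mapdyn.get(map_name, []):
            for seq, sets in sorted(dyn.get(dyn_name, {}).items()):
                where = f"{map_name}/{iface} -> {dyn_name} {seq}"
                defined = [s for s in sets if s in ts]
                missing = [s for s in sets if s not in ts]
                # Only transport-mode sets: a tunnel-mode client has nothing to match.
                if defined and all(ts[s]["mode"] == "transport" for s in defined):
                    findings.append(f"{where}: only transport-mode transform-set(s) {defined}; "
                                    "a tunnel-mode client gets NO_PROPOSAL_CHOSEN")
                if missing:
                    findings.append(f"{where}: undefined transform-set(s) {missing}")
    return {"ike_interfaces": ike_ifaces, "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print("IKE terminating interfaces:", report["ike_interfaces"])
    for f in report["findings"]:
        print("finding:", f)
```

On the sample, the inside interface has a crypto map but no "crypto isakmp enable inside", so only "outside" is reported as terminating IKE; the outside dynamic map's entry 20 is flagged because TRANS_ESP_3DES_MD5 is its only (transport-mode) proposal, which is exactly the entry the first reply in this thread suggests repointing at ESP-3DES-SHA.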
IKE mode in a dynamic VPN tunnel group
What is the IKE negotiation mode in a dynamic VPN tunnel group, i.e. DefaultL2LGroup? Main, aggressive or auto-detect? Thank you!
Ok.
I guess you are looking for the following command:
crypto map [TAG] [SEQ#] set phase1-mode aggressive
Kind regards
Anisha
PS: Please mark this thread solved if your query is resolved.
-
Difference between IPsec over TCP and IPsec over UDP
Hello world,
I'm testing the VPN to a user's PC.
When I test the user's PC using IPsec over TCP it uses port 10000.
When I check on the ASA in ASDM under connection details:
IKEv1 - UDP Destination Port 500
IPsecOverTCP - TCP Dst Port 10000
When using IPsec over UDP:
IKEv1 - UDP Destination Port 500
IPsecOverUDP - Tunnel UDP Destination Port 10000
So whether using TCP or UDP, it uses the same ports, 500 and 10000.
I need to know what the major difference between these two connections is, apart from TCP versus UDP?
Regards,
Mahesh
IPsec over TCP is used in scenarios where:
1. UDP port 500 is blocked, resulting in incomplete IKE negotiations.
2. ESP is not allowed through, so encrypted traffic does not get across.
3. The network administrator prefers to use a connection-oriented protocol.
4. IPsec over TCP may be necessary when the intermediate NAT or PAT device is a stateful firewall.
Compared with IPsec over UDP, IPsec over TCP involves no negotiation: the packets are TCP-encapsulated from the very start of the tunnel setup. This feature is available only for remote-access VPN, not for L2L tunnels, and it also does not work through a proxy firewall.
IPsec over UDP, on the other hand, is similar to NAT-T: it encapsulates the ESP packets in a UDP wrapper. It is useful in scenarios where the VPN clients don't support NAT-T and are behind a firewall that does not allow ESP packets to pass. With IPsec over UDP, the IKE negotiation still uses UDP port 500.
-
I'm doing a site-to-site VPN for the first time, from an 891 to an RV120 (GUI), but it doesn't connect. I think it could be my access list on the 891. The error I get on the RV120 is:
2012-08-02 18:15:35: [rv120w][IKE] ERROR: Phase 1 negotiation failed due to time up for xx.xx.xx.xx[500]. ea65b6c91b9e73de:0000000000000000
2012-08-02 18:16:11: [rv120w][IKE] INFO: Configuration found for xx.xx.xx.xx.
2012-08-02 18:16:11: [rv120w][IKE] INFO: Initiating new phase 1 negotiation: xx.xx.xx.xx[500]<=>xx.xx.xx.xx[500]
2012-08-02 18:16:11: [rv120w][IKE] INFO: Beginning Identity Protection mode.
2012-08-02 18:16:11: [rv120w][IKE] INFO: [ident_i1send:180]: XXX: NUMNATTVENDORIDS: 3
2012-08-02 18:16:11: [rv120w][IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 4
2012-08-02 18:16:11: [rv120w][IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 8
2012-08-02 18:16:11: [rv120w][IKE] INFO: [ident_i1send:184]: XXX: setting vendorid: 9
2012-08-02 18:16:11: [rv120w][IKE] ERROR: Ignore information because the message has no hash payload.
2012-08-02 18:16:42: [rv120w][IKE] ERROR: Invalid SA protocol type: 0
2012-08-02 18:16:42: [rv120w][IKE] ERROR: Phase 2 negotiation failed due to time up waiting for phase 1.
2012-08-02 18:17: [rv120w][IKE] INFO: Accept a request to establish IKE-SA: 71.32.110.24
2012-08-02 18:17: [rv120w][IKE] WARNING: Scheduler is already scheduled for SA creation for outside: 'xx.xx.xx.xx'
2012-08-02 18:17: [rv120w][IKE] ERROR: Could not attach schedSaCreate in IKE configuration
891 config
=====================================================
ip dhcp pool test
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
!
crypto isakmp policy 1
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key Testingkey address xx.xx.xx.xxx
!
!
crypto ipsec transform-set test1 ah-md5-hmac esp-3des
!
crypto map maptest1 2 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set test1
 match address 100
!
!
interface FastEthernet8
 description Qwest connection
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 crypto map maptest1
!
!
interface Vlan1
 description Quest
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxx
 ppp chap password 0 xxxxxxxx
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark maptest1 Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 100 protocol ip permit
=======================================================================
Hi Manny,
Thanks for the debug output! I believe we are making some progress and were able to establish IKE phase 1. The problem is now establishing the IPsec SA, i.e. IKE phase 2. Could you do the following once more and post the results?
int f8
 no crypto map maptest1
int d1
 crypto map maptest1
clear crypto sa
debug crypto isakmp
debug crypto ipsec
show crypto isakmp sa
show crypto ipsec sa
Sent from Cisco Technical Support iPhone App
-
AnyConnect on the inside interface of an ASA5520
We currently have a configuration where users connect from inside the firewall by using the IPsec client.
We are moving them to the AnyConnect client but are unable to make it work; we cannot even get a WebVPN page from the inside.
When trying to connect with AnyConnect, the ASA reports an IKE initiator failure on the inside, and no TCP connection indication.
We can't get an answer from WebVPN. I also tried using a different TCP port for WebVPN, but then the ASA denies the traffic even though there are
no deny rules.
Any ideas, anyone?
Regards, Dean
Perfect, and thanks for the update.
Please kindly mark the message as answered to close the loop. Thank you.
-
Hello
When I tried to connect to the VPN from the client using our internet connection here in the office, the VPN client's Transparent Tunneling status said Active on UDP 4500. But when I tried to connect to the VPN via a Vodafone vodem, Transparent Tunneling still shows Inactive. Do you know the explanation for this?
Thank you
Patricia
Patricia, whether your VPN connection is based on UDP 4500 or not depends on whether NAT is on the path. In the IKE negotiation, when exchanging messages, there is a point where the two VPN peers check the hash of each end and compare. If it does not match, the connection moves to NAT-T (UDP 4500); if there is no NAT/PAT along the path, then this switch does not happen.
So, correct me if I'm wrong, you are saying that when you use the Vodafone modem you see Transparent Tunneling as Inactive? If that's the case, it could be normal, since your modem could be giving your connection a public IP. Are you having problems with this?
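The hash comparison described in the answer above, as an added illustration that is not part of the thread: RFC 3947 NAT-D payloads are HASH(CKY-I | CKY-R | IP | Port), and a receiver that cannot reproduce the peer's hash from the source address it actually saw concludes that a NAT/PAT rewrote the packet and floats to UDP 4500. The cookies, addresses and the choice of SHA-1 are constructed assumptions.

```python
import hashlib
import ipaddress
import struct

# Constructed ISAKMP cookies (CKY-I, CKY-R), 8 bytes each; not from any real capture.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).

    The hash is the phase 1 hash algorithm; SHA-1 is assumed here. IP is the
    packed 4- or 16-byte address, Port a 2-byte network-order integer.
    """
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def nat_between_peers(cky_i: bytes, cky_r: bytes, peer_hashes: set,
                      observed_ip: str, observed_port: int) -> bool:
    """Receiver side of the check: the peer hashed the address/port it believes it
    sends from, the receiver hashes the source address/port it saw on the wire.
    No match means something on the path rewrote the address or the port."""
    local = nat_d_hash(cky_i, cky_r, observed_ip, observed_port)
    return local not in peer_hashes


def choose_transport(sender_ip: str, sender_port: int,
                     observed_ip: str, observed_port: int) -> int:
    """Return the UDP port the rest of the exchange uses: 4500 (NAT-T, shown by the
    client as 'Transparent Tunneling Active on UDP 4500') on mismatch, else 500."""
    sent = {nat_d_hash(CKY_I, CKY_R, sender_ip, sender_port)}
    if nat_between_peers(CKY_I, CKY_R, sent, observed_ip, observed_port):
        return 4500
    return 500


if __name__ == "__main__":
    # Office client behind NAT: its private source address is rewritten to a public one.
    print(choose_transport("192.168.1.10", 500, "203.0.113.7", 500))   # -> 4500
    # Modem hands the client a public address directly: hashes agree, no NAT-T.
    print(choose_transport("198.51.100.5", 500, "198.51.100.5", 500))  # -> 500
```

A pure PAT that keeps the address but changes the source port is caught the same way, because the port is part of the hashed data.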
-
Jabber Guest does not work with Expressway 8.7.2
Hello
The latest Expressway requires Diffie-Hellman keys of at least 1024 bits.
Unfortunately, Jabber Guest always uses 768 bits as the 'Server Temp Key' on Tomcat. This is why you cannot use Jabber Guest (any version; I tried 10.6.9 and 10.6.10) with Expressway 8.7.2.
I also checked the Tomcat settings, and the appropriate setting is present in /opt/cisco/jabber/conf/mss-sip-stack-properties (which, I guess, is the relevant file):
# 2048-bit support for ephemeral Diffie-Hellman key
jdk.tls.ephemeralDHKeySize=2048
Unfortunately, this does not work, or at least the results are not as expected.
Trying to connect with openssl (openssl s_client -connect
:5061) shows:
-snip-
Client Certificate Types: RSA sign, DSA
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1:RSA+MD5
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA512
Server Temp Key: DH, 768 bits
---
SSL handshake has read 3205 bytes and written 210 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
-snip-
Expressway shows "dh key too small" in the log file and "TLS negotiation failure" when checking the zone status.
It works perfectly with Expressway 8.6.1 (have not tried 8.7.1 so far).
Log files / dumps / snapshots are available on request, but I think the problem is pretty clear and I hope it will be easy to solve.
Thank you and best regards
Wolfgang
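An added check, not from the thread, for the symptom Wolfgang describes: parse the 'Server Temp Key' line from openssl s_client output and compare the ephemeral DH group size against a minimum (the post says Expressway 8.7.2 enforces 1024 bits), so a weak DHE group can be flagged before the far end reports "dh key too small". The sample output is constructed to match the excerpt above; the regex also handles ECDH and X25519 lines, which the thread does not show.

```python
import re
from typing import Optional, Tuple

# Constructed excerpt modelled on the s_client output quoted in the post (not a live capture).
SAMPLE_OUTPUT = """\
Peer signing digest: SHA512
Server Temp Key: DH, 768 bits
---
SSL handshake has read 3205 bytes and written 210 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA256
Server public key is 4096 bit
"""

# Matches "DH, 768 bits", "ECDH, P-256, 256 bits" and "X25519, 253 bits".
TEMP_KEY_RE = re.compile(
    r"^Server Temp Key:\s*(\w+)(?:,\s*([\w-]+))?,\s*(\d+)\s*bits", re.M)


def parse_temp_key(output: str) -> Optional[Tuple[str, int]]:
    """Return (key exchange type, key size in bits) from the 'Server Temp Key' line,
    or None when the line is absent (static RSA key exchange, or a failed handshake)."""
    m = TEMP_KEY_RE.search(output)
    if not m:
        return None
    return m.group(1), int(m.group(3))


def dh_acceptable(output: str, min_dh_bits: int = 1024) -> Tuple[bool, str]:
    """Decide whether a peer enforcing min_dh_bits for finite-field DH would accept
    this server's ephemeral key, and say why."""
    parsed = parse_temp_key(output)
    if parsed is None:
        return False, "no 'Server Temp Key' line found; nothing to assess"
    kx, bits = parsed
    if kx == "DH":
        if bits < min_dh_bits:
            return False, f"DHE group is {bits} bits, below the {min_dh_bits}-bit minimum"
        return True, f"DHE group is {bits} bits"
    # Elliptic-curve exchanges are not subject to the finite-field DH minimum.
    return True, f"{kx} ephemeral key, {bits} bits"


if __name__ == "__main__":
    print(dh_acceptable(SAMPLE_OUTPUT))  # -> (False, 'DHE group is 768 bits, below the 1024-bit minimum')
```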
That's really weird. The first official Jabber Guest version is 10.0; I checked the Java version on Jabber Guest 10.0, and the version is "1.7.0_55".
Where did you get the original installation image? Have you ever installed any external rpm on the Jabber Guest server?
Jabber Guest logs: Cisco Jabber Guest Administration -> Logs -> Download all
BTW, run the command "rpm -qa" on the Jabber Guest server terminal and send us the list.
Thank you