no tunnel-group-map enable ike-id
Why don't I get any "tunnel-group-map enable ike-id" when configuring a site-to-site VPN? Did I miss something in the configuration?
Do you use certificate-based authentication?
Kind regards
Sandra
Tags: Cisco Security
Similar Questions
-
ASA 9.1 problems with tunnel-group-list enable
Hello!
I am trying to get a working configuration where the Cisco VPN/DTLS phones connect over VPN while also allowing remote access from PCs via the AnyConnect client. I have two tunnel groups with group policies configured for this purpose, and I use group-url.
The phones connect very well, but I don't get the drop-down menu to choose between the two tunnel groups when connecting from a remote computer.
An excerpt from the config follows.
Moreover, I had the menu working previously when I used group-alias instead of group-url. However, the phones seem to require the group-url. Now that I have those configured, the menu does not work. If I enter the full URL in the AnyConnect window, both URLs work and I can connect.
Thank you in advance for any suggestions you may have!
Deb
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
group-policy ABC internal
group-policy ABC attributes
 wins-server value 10.10.16.17 10.10.16.12
 dns-server value 10.10.16.17 10.10.16.12
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelall
 default-domain value abc.com
 address-pools value AnyConnectPool
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl rekey time 1440
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 5
  anyconnect dpd-interval gateway 30
  anyconnect ask none
group-policy ABC-STG internal
group-policy ABC-STG attributes
 dns-server value 8.8.8.8
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel-encrypt-ACL
 default-domain value abc.com
 address-pools value AnyConnectPool
 webvpn
  anyconnect ssl dtls enable
  anyconnect keep-installer installed
  anyconnect ssl rekey time 1440
  anyconnect ssl rekey method ssl
  anyconnect dpd-interval client 5
  anyconnect dpd-interval gateway 30
  anyconnect ask none
tunnel-group Split-Tunnel-Group type remote-access
tunnel-group Split-Tunnel-Group general-attributes
 address-pool AnyConnectPool
 default-group-policy ABC-STG
tunnel-group Split-Tunnel-Group webvpn-attributes
 group-url https://asa.abc.com/ABC-STG enable
tunnel-group ABC-Tunnel-Group type remote-access
tunnel-group ABC-Tunnel-Group general-attributes
 address-pool AnyConnectPool
 authentication-server-group ACTIVE-DIRECTORY
 default-group-policy ABC
 password-management
tunnel-group ABC-Tunnel-Group webvpn-attributes
 group-url https://asa.abc.com/ABC enable
Hello
You can have group-alias and group-url at the same time in the configuration, so that the phones can connect with group-url and users can click on the drop-down menu to select the right connection profile.
tunnel-group <name> webvpn-attributes
 group-alias <alias> enable
 group-url <url> enable
Kind regards
Dinesh Moudgil
PS: Please rate helpful messages.
-
Hello
I set up a lab for RA VPN with an ASA5510 running version 8.2 and the VPN Client 5 software, using digital certificates from a Microsoft CA on a Windows 2003 server. I did the configuration based on this document from Cisco's website:
Now the VPN works fine, but I need to configure different tunnel-groups so I can provide different services to different users. The problem I have now is that I don't know how to set it up so that the certificate determines the tunnel-group. If I do a "debug crypto isakmp" on the ASA I get these messages:
%ASA-7-713906: IP = 165.98.139.12, Trying to find group via OU...
%ASA-3-713020: IP = 165.98.139.12, No Group found by matching OU(s) from ID payload: Unknown
%ASA-7-713906: IP = 165.98.139.12, Trying to find group via IKE ID...
%ASA-3-713020: IP = 165.98.139.12, No Group found by matching OU(s) from ID payload: Unknown
%ASA-7-713906: IP = 165.98.139.12, Trying to find group via IP ADDR...
%ASA-7-713906: IP = 165.98.139.12, Trying to find group using default group...
%ASA-7-713906: IP = 165.98.139.12, Connection landed on tunnel_group DefaultRAGroup
So, basically, when using certificates my RA VPN connection always lands on the default group DefaultRAGroup. Do I have to use a different web enrollment template to request the certificate instead of the user template? How can I set the OU on the user certificate so that it matches the tunnel-group?
Please help me!
Kind regards
Fernando Aguirre
You can use the certificate group matching feature to map to a specific tunnel group.
This is the configuration guide section for your reference:
http://www.Cisco.com/en/us/partner/docs/security/ASA/asa82/configuration/guide/IKE.html#wp1053978
And here is the command reference for "crypto ca certificate map":
http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/C5.html#wp2186685
Hope that helps.
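The lookup order in the debug output above (certificate map rules, then OU, then IKE ID, then peer IP, then the default group) is easier to reason about as a small model. This is an added example, not Cisco code or the poster's configuration; the method order, the tunnel-group names and the certificate subject are assumptions, and the "rules" step models a "crypto ca certificate map" entry bound with "tunnel-group-map" that tests a single subject-name attribute.

```python
from dataclasses import dataclass, field


@dataclass
class CertMapRule:
    """One 'crypto ca certificate map <name> <seq>' entry that tests a single
    subject-name attribute, bound to a group by
    'tunnel-group-map <name> <seq> <tunnel-group>' (simplified model)."""
    name: str
    seq: int
    attr: str          # subject-name attribute, e.g. "ou" or "cn"
    value: str
    tunnel_group: str


@dataclass
class AsaVpnConfig:
    tunnel_groups: set                      # names of configured tunnel-groups
    cert_map_rules: list = field(default_factory=list)
    # Assumed order of the enabled 'tunnel-group-map enable ...' methods.
    methods: tuple = ("rules", "ou", "ike-id", "peer-ip")
    default_group: str = "DefaultRAGroup"


def select_tunnel_group(cfg, peer_ip, subject=None, ike_id=None):
    """Return (tunnel_group, trace). The trace mirrors the 713906/713020
    debug lines quoted in the post: each method is tried in turn and the
    connection lands on the default group when none of them matches."""
    subject = {k.lower(): v for k, v in (subject or {}).items()}
    trace = []
    for method in cfg.methods:
        if method == "rules":
            for rule in sorted(cfg.cert_map_rules, key=lambda r: (r.name, r.seq)):
                trace.append(f"Trying certificate map {rule.name} seq {rule.seq}")
                if subject.get(rule.attr.lower(), "").lower() == rule.value.lower():
                    return rule.tunnel_group, trace
        elif method == "ou":
            trace.append("Trying to find group via OU...")
            if subject.get("ou") in cfg.tunnel_groups:
                return subject["ou"], trace
            trace.append("No Group found by matching OU(s) from ID payload")
        elif method == "ike-id":
            trace.append("Trying to find group via IKE ID...")
            if ike_id in cfg.tunnel_groups:
                return ike_id, trace
        elif method == "peer-ip":
            trace.append("Trying to find group via IP ADDR...")
            if peer_ip in cfg.tunnel_groups:
                return peer_ip, trace
    trace.append(f"Connection landed on tunnel_group {cfg.default_group}")
    return cfg.default_group, trace


def demo():
    """Constructed scenario: a user certificate with OU=Sales and a tunnel-group
    that is not named 'Sales' lands on DefaultRAGroup until a map rule exists."""
    cfg = AsaVpnConfig(tunnel_groups={"SalesGroup", "10.10.10.1"})
    cert = {"cn": "fernando", "ou": "Sales"}
    before, _ = select_tunnel_group(cfg, "165.98.139.12", subject=cert)
    # Fix: crypto ca certificate map SALES_MAP 10 / subject-name attr ou eq Sales
    #      tunnel-group-map SALES_MAP 10 SalesGroup
    cfg.cert_map_rules.append(CertMapRule("SALES_MAP", 10, "ou", "Sales", "SalesGroup"))
    after, _ = select_tunnel_group(cfg, "165.98.139.12", subject=cert)
    # A site-to-site peer is still found by its IP, which is also the group name.
    l2l, _ = select_tunnel_group(cfg, "10.10.10.1")
    return before, after, l2l


if __name__ == "__main__":
    print(demo())  # ('DefaultRAGroup', 'SalesGroup', '10.10.10.1')
```

Renaming the tunnel-group to exactly match the certificate OU is the other way to make the "via OU" step succeed without a map rule.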
-
The objective is that the AnyConnect user must select a group-alias, so that when a user enters his username and password he goes to his specific group policy and tunnel-group. When I removed this command in webvpn ("no tunnel-group-list enable"), I cannot connect (the user does not authenticate).
1 - My question is why does this not work?
Solution:
If I keep only a single default tunnel-group, make several group policies and assign each user his specific group policy, it works. I mean that with only the following commands in the user attributes it works, but if I put "group-lock value test-tunnel" it does not work.
Please explain why.
webvpn
 enable outside
 cache-fs limit 50
 svc image disk0:/anyconnect-win-3.0.10055-k9.pkg 1
 svc enable
group-policy test-gp internal
group-policy test-gp attributes
 vpn-tunnel-protocol svc webvpn
 address-pools value test-pool
username test password test
username test attributes
 vpn-tunnel-protocol svc
 group-lock value test-tunnel
 vpn-group-policy test-gp
tunnel-group test-tunnel type remote-access
tunnel-group test-tunnel general-attributes
 default-group-policy test-gp
tunnel-group test-tunnel webvpn-attributes
 group-url https://192.168.168.2/test enable
Yes, you have the right solution. You only need to create one tunnel group and multiple group policies. Under the user attributes you then set the vpn-group-policy you want the user assigned to.
You can also authenticate users against AD and configure an LDAP attribute map to map the user to a specific group policy automatically.
Here is a configuration example if you have AD and will authenticate against AD:
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
Hope that helps.
-
Site to Site VPN picks up DfltGrpPolicy instead of Tunnel-Group
Hello
Our ASA was set up by a consultant some time ago to allow SSL VPN connectivity with an RSA backend. I am now trying to get a site-to-site VPN working but seem to be running into a lot of difficulties. I get a load of L2L VPN-related debug messages, which I believe are set up correctly. Here's what I think is of interest:
"Jan 24 2009 12:13:01: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = x.x.x.x"
The user is the IP address of the remote Cisco router that we are trying to get the VPN configured with.
I have to admit that I haven't done a lot with the SSL VPN side of things, so this part of the config is out of my depth, which is why I'm posting here.
If anyone can help it would be really appreciated.
Here are the relevant details (I can post more if this isn't enough). My question is, how do I get the L2L to use the tunnel-group and not the default group policy?
Thanks in advance for any help.
dynamic-access-policy-record DfltAccessPolicy
 webvpn
  url-list none
  svc ask none default svc
aaa-server VPNAUTH protocol radius
aaa-server VPNAUTH host *.*.*.*
 retry-interval 5
 timeout 3
 key *
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
group-policy DfltGrpPolicy attributes
 dns-server value !.!.!.!
 vpn-idle-timeout none
 vpn-tunnel-protocol webvpn
 ip-comp enable
 ipsec-udp enable
 default-domain value mondomaine.fr
 address-pools value vpnpool
 webvpn
  http-proxy enable
  svc keep-installer none
  svc keepalive 60
  svc rekey method ssl
  svc ask none default svc
  activex-relay disable
  file-entry disable
  file-browsing disable
  url-entry disable
tunnel-group DefaultRAGroup webvpn-attributes
 radius-reject-message
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpnpool
 authentication-server-group VPNAUTH
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 radius-reject-message
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
Wayne
Do "sh run all tunnel-group"; you should see the group policy associated with it.
For example:
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 no accounting-server-group
 default-group-policy DfltGrpPolicy
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 10 retry 2
Let me know if it helps.
Cheers,
Gilbert
-
VPN profile (tunnel group) under the same IP pool
Hello
I have a Cisco ASA 5510 on which my VPN clients work perfectly. The thing is that now I want to create a new profile or tunnel group in order to create a new ACL, because I want to restrict access to certain hosts only. But I don't know if I can do it under the same IP pool. If the answer is yes, how could I bind the new tunnel group to the correct ACL?
This is my config:
access-list vpnxxxx extended permit ip any 192.168.125.0 255.255.255.0
ip local pool ippool 192.168.125.10-192.168.125.254
nat (outside) 1 192.168.125.0 255.255.255.0
nat (inside) 0 access-list vpnxxxx
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host xxxx.xxxx.xxxx.xxxx
 key xxxx
crypto dynamic-map dynmap1 20 set transform-set Myset1
crypto dynamic-map dynmap1 20 set security-association lifetime seconds 28800
crypto dynamic-map dynmap1 20 set security-association lifetime kilobytes 4608000
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy RA-VPN internal
group-policy RA-VPN attributes
 dns-server value 172.16.1.100
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool ippool
 authentication-server-group (outside) partnerauth
 default-group-policy RA-VPN
tunnel-group RA-VPN ipsec-attributes
 pre-shared-key *
Thank you
The command is "vpn-filter" in the group-policy section.
Define a group policy for each tunnel group and select it with "default-group-policy" in the tunnel-group section.
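Both threads above come down to the same audit question: which group policy does each tunnel-group really land on (DfltGrpPolicy when none is set, as in the site-to-site case), and does that policy carry a vpn-filter? The script below is an added example, not part of any post; it parses a constructed "show run" excerpt (names and the 203.0.113.5 peer are assumptions) and reports one finding per tunnel-group.

```python
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol webvpn
group-policy RA-VPN internal
group-policy RA-VPN attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 address-pools value ippool
group-policy PARTNER internal
group-policy PARTNER attributes
 vpn-filter value PARTNER_ACL
 vpn-tunnel-protocol IPSec
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool ippool
 default-group-policy RA-VPN
tunnel-group PARTNER type remote-access
tunnel-group PARTNER general-attributes
 address-pool ippool
 default-group-policy PARTNER
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 pre-shared-key *****
"""


def parse_asa_config(text):
    """Single pass over 'show run' output: a line without leading whitespace
    opens a section; indented lines belong to the most recent section."""
    tunnel_groups = {}   # name -> {"type": ..., "default-group-policy": ...}
    group_policies = {}  # name -> {"vpn-filter": ...}
    section = None       # ("tg", name) or ("gp", name) while inside attributes
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        tokens = raw.split()
        if not raw[0].isspace():
            section = None
            if tokens[0] == "tunnel-group" and len(tokens) >= 3:
                tg = tunnel_groups.setdefault(
                    tokens[1], {"type": None, "default-group-policy": None})
                if tokens[2] == "type" and len(tokens) >= 4:
                    tg["type"] = tokens[3]
                elif tokens[2] == "general-attributes":
                    section = ("tg", tokens[1])
            elif tokens[0] == "group-policy" and len(tokens) >= 3:
                group_policies.setdefault(tokens[1], {"vpn-filter": None})
                if tokens[2] == "attributes":
                    section = ("gp", tokens[1])
        elif section and section[0] == "tg" and tokens[0] == "default-group-policy" and len(tokens) > 1:
            tunnel_groups[section[1]]["default-group-policy"] = tokens[1]
        elif section and section[0] == "gp" and tokens[:2] == ["vpn-filter", "value"] and len(tokens) > 2:
            group_policies[section[1]]["vpn-filter"] = tokens[2]
    return tunnel_groups, group_policies


def audit(text):
    """One finding per tunnel-group: the effective group policy (DfltGrpPolicy
    when no default-group-policy is set) and that policy's vpn-filter, if any."""
    tunnel_groups, group_policies = parse_asa_config(text)
    findings = {}
    for name, tg in tunnel_groups.items():
        gp_name = tg["default-group-policy"] or "DfltGrpPolicy"
        gp = group_policies.get(gp_name, {"vpn-filter": None})
        findings[name] = {
            "type": tg["type"],
            "group_policy": gp_name,
            "inherits_default": tg["default-group-policy"] is None,
            "vpn_filter": gp["vpn-filter"],
        }
    return findings


if __name__ == "__main__":
    for name, f in audit(SAMPLE_CONFIG).items():
        flag = "" if f["vpn_filter"] else "  <- no vpn-filter"
        print(f"{name:14} {str(f['type']):14} {f['group_policy']:14}{flag}")
```

Run it against "show run" rather than "show run all" output: the latter prints "default-group-policy DfltGrpPolicy" explicitly, which the script also handles.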
-
What is the difference when the IP pool is placed under the group policy vs. the SSL tunnel-group?
Hi, usually the IP address pool is placed under the group policy in AnyConnect VPN, but I noticed the IP address pool is also placed under the AnyConnect VPN tunnel-group on some ASAs. What is the difference between the two? Thank you.
Both are used for the same purpose, but the one under the group policy always takes precedence.
Kind regards
Sandra
If you find the answer useful, please mark it as correct so that others can benefit from the discussion.
-
How to associate crypto policies with a tunnel-group?
Hi, when I review the site-to-site VPN configuration I have a question. The ASA has three site-to-site VPN configurations, so there are also three tunnel groups in there. My question is, how does each VPN tunnel-group ensure its encryption policy? In other words, which encryption policy is associated with which tunnel-group? Thank you.
This is phase 1; the policies work from top to bottom. When you try to negotiate the tunnel between two peers, in the background they send all of your policies, and whichever matches first (from top to bottom) is used.
For example:
If your peer device uses (3des, md5, pre-shared key and group 2), it will not match policy 1, and the rest of the policies will not be considered.
Kind regards
Sandra
-
ACS 4.2 Wired and wireless group mapping
Hello
User1 connects to the switch; it belongs to the AD group Domain_user and is mapped to ACS Group1, which sends the RADIUS attribute to change the VLAN. This part works fine.
My problem is when the same user connects with his wifi card... He is still part of domain_user and still gets mapped to Group1 on ACS, but now the RADIUS values are wrong for wireless.
Wired production vlan = 20
Prod wireless vlan = 120
What I want to do is something like:
ADGroupX + Connect_type1 = ACS Group1
ADGroupX + Connect_type2 = ACS Group2
I tried to use the connection profile, but group mapping is not performed at this level. Same for NAR: my user must be able to log in wired or wireless and get the right VLAN, not be restricted by the NAR.
Another way would be to set up a wireless username/password in the internal database and add it to the right ACS group, but that involves password management, and not all 802.1X clients support password auth (without user intervention).
Any idea?
Hi... this scenario is exactly what Network Access Profiles are designed to address. Essentially, a NAP lets you create a complete configuration based on the network service.
So by default ACS is a single-NAP system (well, I guess 2 if you include RADIUS and TACACS+), where for any network service all RADIUS users would be assumed to use a single device type. NAP allows you to configure, per service, the authentication protocols, the group mappings and the authorizations.
The first part of the NAP is where you differentiate authentication requests for each network service. This could be as easy as using the IP address of the AAA client or the NDG. If this is not possible, you can start looking at the attributes in the RADIUS request to find attribute values that are unique to the switch or WLAN.
Assuming you have managed to do that, it is a matter of implementing the authentication and authorization policies, but the main thing is that you will be able to send different RADIUS attributes back to the device for the same user.
The user interface can take a little getting used to, so read the docs online and stick with it!
www.extraxi.com for all your ACS reporting needs
-
Hide the tunnel-group in the AnyConnect client
Hi all
How do I hide the profiles in the drop-down menu that don't interest me?
I always see all the tunnel groups set up on the ASA.
In the Cisco AnyConnect client path, I have preferences.xml.
Thanks in advance for your help
Regards
If group aliases are configured on the ASA, any user who goes to the outside interface to connect to the VPN will see the list.
The ASA administrator may instead publish a URL shortcut using the "group-url" attribute when configuring the SSL VPN. Here is a link to the section of the configuration guide on how to do so. With this in place you can browse (or point AnyConnect) directly to that URL and skip having to select from the drop-down list.
-
Hello
In the configuration below I set the tunnel-group name to be the same as the VPN peer. Is that what you have to do, or can you call the tunnel-group whatever you want?
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
access-list l2l_list extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
 pre-shared-key xxx
crypto map abcmap 1 match address l2l_list
crypto map abcmap 1 set peer 10.10.10.1
crypto map abcmap 1 set transform-set FirstSet
crypto map abcmap interface outside
Robert,
The tunnel group should be the IP address of the remote end, because it is used as the ID. The only time you ever need to use a specific name is if you are using certificate authentication.
HTH.
-
Select the tunnel-group based on device OS
Hello
With an ASA 5512-X, is it possible to have AnyConnect PC dial-in users asked for their credentials AND also a one-time password, whereas smartphone users only need to provide their username and a password, without the need to manually select the profile?
I've set up two tunnel groups:
(1) uses an LDAP server for authentication
(2) talks to a RADIUS server running the One Time Password software.
Is it possible to have the ASA assign smartphone users (based on their OS) so that they automatically use the first profile (which has limited access to intranet resources), and pin AnyConnect PC users to the second tunnel group? Dynamic access policies seem to be able to differentiate only "within" a tunnel-group.
Thank you very much!
Kind regards
David
I never tried it this way, but if it does not work (as I suspect) there is a solution:
- Point your clients to the two different tunnel groups with the help of tunnel-group URLs.
- Later, in the DAP, enforce that the client does not use the wrong tunnel-group.
-
ASA per-tunnel-group authentication issue
Is it possible to do per-tunnel-group authentication on ASA 8.4.x?
Here are the scenarios:
(1) tunnel-group_A performs authentication using a digital certificate (PKI)
(2) tunnel-group_B performs authentication using AAA (RSA SecurID token)
(3) tunnel-group_C performs authentication using LOCAL (locally defined AAA user)
Tunnel-group_A, B and C all use the same physical interface, the outside interface.
I tested it, but it doesn't work the way I expected. BTW, I have already disabled "ssl certificate-authentication interface outside port 443".
Here are the results of the tests:
If tunnel-group_A is configured with the certificate, then the tunnel-group_B connection will fail, but the tunnel-group_C connection works fine.
It seems that tunnel-group_B tries to authenticate with a certificate too, and fails if it does not have one. BTW, it seems that authenticating with LOCAL will still work.
I understand that you can configure tunnel-group_A for "both" certificate and AAA, but that's not what I want.
Has anyone seen this before? Is there a way around it?
Thank you
Joe,
Yes, I would then use group-url. And I would create an XML profile with the specific URLs in the server list.
Let me know.
-
Exception: Cluster address must be defined when clustering is enabled
Hello
I created a simple web service and deployed it on a cluster. When I invoke the WSDL URL (http://localhost/webservice/MyService?WSDL) through the browser, I get the enclosed exception (listed at the bottom).
I can easily fix this by explicitly declaring a cluster address in the administration console (Environment -> Clusters -> Cluster Address), but the documentation says I don't need to do this. (http://edocs.bea.com/wls/docs100/webserv/setenv.html#wp220521)
Can someone confirm that I indeed need to explicitly declare a cluster address when deploying and calling web services in a clustered environment?
Thank you
# Exception as displayed in the browser
Error 500 - Internal Server Error
java.lang.IllegalArgumentException: Cluster address must be defined when clustering is enabled.
 at weblogic.wsee.server.ServerUtil.getClusterAddress(ServerUtil.java:439)
 at weblogic.wsee.server.ServerUtil.getHTTPServerURL(ServerUtil.java:130)
 at weblogic.wsee.server.servlet.WsdlRequestProcessor.getAddressInfo(WsdlRequestProcessor.java:161)
 at weblogic.wsee.server.servlet.WsdlRequestProcessor.process(WsdlRequestProcessor.java:76)
 at weblogic.wsee.server.servlet.BaseWSServlet$AuthorizedInvoke.run(BaseWSServlet.java:257)
 at weblogic.wsee.server.servlet.BaseWSServlet.service(BaseWSServlet.java:156)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
 at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:226)
 at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:124)
 at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:283)
 at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175)
 at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3395)
 at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
 at weblogic.security.service.SecurityManager.runAs(Unknown Source)
 at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2140)
 at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2046)
 at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1366)
 at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200)
 at weblogic.work.ExecuteThread.run(ExecuteThread.java:172)
Hello
You must specify the cluster address to get this working. This was done because if the cluster address is not specified, there were other problems that arose.
It works as designed.
:)
Kind regards.
-
ACS 4.2 RSA Authentication and LDAP group mapping
Hello
I have a Palo Alto firewall with the GlobalProtect (SSL VPN) feature enabled.
I use Cisco Secure ACS as a proxy for RSA SecurID authentication.
After authentication it tries to map AD groups through an LDAP query.
The issue I've found is that the user I get from user authentication has no domain field:
show user ip-user-mapping all | match mbm60380
10.240.1.24 vsys1 UIA 2388 2388 domain\mbm60380
10.240.1.1 vsys1 UIA 2101 2101 domain\mbm60380
10.240.250.1 vsys2 GP 2590859 2590859 mbm60380
But the list of users that I receive from the LDAP query includes the domain prefix:
show user group name domain\group1
short name: domain\group1
[1] domain\aag60368
[2] domain\ced61081
[3] domain\jas61669
[4] domain\mbm60380
[5] domain\pmc61693
[6] domain\vcm60984
I would like to create the user with the GBA domain, but it must strip the domain before querying the RSA server, as that server does not support domain stripping.
I tried to fix this on the Palo Alto firewall without success.
I'm trying to make the change in Cisco Secure ACS 4.2, but it did not work either:
The RSA servers are configured as an external database. They are not defined in the Network Device Groups.
Can I set up domain stripping for queries to the RSA servers?
Thank you
Hello
I think it should work, but it is a bit awkward:
Create an entry in the Proxy Distribution Table in Network Configuration.
DOMAIN\\USER*
Prefix
Before returning to the AAA server, from there authenticate to the RSA server without the domain prefix.
Make sense?
Thank you
Chris