[c-nsp] ASA w/ 7.2.2 & VPN - can't connect
Enno Rey
erey at ernw.de
Wed Dec 20 08:36:32 EST 2006
Hi,
with 7.2.2 Cisco introduced some new crazy stuff (at least I stumbled across this on two boxes now).
There's a new command called "isakmp ikev1-user-authentication" that - according to the documentation - _should_ default to XAUTH. In fact you have to enter it manually (on CLI) in the ipsec-attributes of the tunnel-group.
Beware: you won't see it afterwards... which seems to indicate it's actually the default state. But I had to do (exactly!) this in recent cases to get it working.
Please try and give us feedback...
thanks,
Enno
On Wed, Dec 20, 2006 at 02:08:55PM +0100, Garry wrote:
> Hi,
>
> I've set up an ASA and multiple PIX firewalls before, all without too
> many problems, and all acting as VPN terminators just fine. Anyway,
> having set up a new ASA (and required to use 7.2 due to PPPoE uplink),
> I've run into multiple problems, the latest being that I don't seem to
> be able to get any VPN connections up. The VPN client (tried 4.6, 4.7
> and 4.8, with both UDP and TCP) hangs when trying to contact the ASA,
> connections to the ASA arrive, but ASA reports e.g.:
>
> 6|Dec 20 2006 08:03:31|302015: Built inbound UDP connection 64774 for
> outside:212.y.y.y/500 (212.y.y.y/500) to NP Identity Ifc:212.x.x.x/500
> (212.x.x.x/500)
> 6|Dec 20 2006 08:03:31|713905: Group = vpn, IP = 212.y.y.y, No valid
> authentication type found for the tunnel group
> 3|Dec 20 2006 08:03:31|713902: Group = vpn, IP = 212.y.y.y, Removing
> peer from peer table failed, no match!
> 4|Dec 20 2006 08:03:31|713903: Group = vpn, IP = 212.y.y.y, Error:
> Unable to remove PeerTblEntry
>
> I have checked, double-checked and re-entered the group password
> multiple times (hard to mis-type "xxx" though), the VPN had been set up
> using the VPN Wizard from ASDM (5.2.1), manual inspection inside the
> ASDM of the created entries resulted in no obvious errors.
>
> Here's part of the config ... anybody have an idea?
>
> group-policy DfltGrpPolicy attributes
> banner none
> wins-server none
> dns-server none
> dhcp-network-scope none
> vpn-access-hours none
> vpn-simultaneous-logins 3
> vpn-idle-timeout 30
> vpn-session-timeout none
> vpn-filter none
> vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
> password-storage enable
> ip-comp disable
> re-xauth disable
> group-lock none
> pfs disable
> ipsec-udp enable
> ipsec-udp-port 10000
> split-tunnel-policy tunnelall
> split-tunnel-network-list value inside_cryptomap
> default-domain none
> split-dns none
> intercept-dhcp 255.255.255.255 disable
> secure-unit-authentication disable
> user-authentication disable
> user-authentication-idle-timeout 30
> ip-phone-bypass disable
> leap-bypass disable
> nem disable
> backup-servers keep-client-config
> msie-proxy server none
> msie-proxy method no-modify
> msie-proxy except-list none
> msie-proxy local-bypass disable
> nac disable
> nac-sq-period 300
> nac-reval-period 36000
> nac-default-acl none
> address-pools none
> client-firewall none
> client-access-rule none
> [..]
> group-policy vpn internal
> group-policy vpn attributes
> vpn-tunnel-protocol IPSec webvpn
> group-lock value vpn
> split-tunnel-policy tunnelspecified
> split-tunnel-network-list value inside_cryptomap
> default-domain value somedoma.in
> address-pools none
> username vpnuser password XXXXXXXXX encrypted privilege 0
> username vpnuser attributes
> vpn-group-policy vpn
> vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
> [..]
> crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
> crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
> crypto map outside_map interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
> authentication pre-share
> encryption aes-256
> hash sha
> group 5
> lifetime 86400
> crypto isakmp nat-traversal 20
> crypto isakmp ipsec-over-tcp port 10000
> tunnel-group vpn type ipsec-ra
> tunnel-group vpn general-attributes
> address-pool vpn
> default-group-policy vpn
> tunnel-group vpn ipsec-attributes
> pre-shared-key xxxx
> isakmp ikev1-user-authentication (outside) none
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
--
Enno Rey
ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1
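The thread boils down to one setting: a remote-access tunnel-group whose ipsec-attributes carry "isakmp ikev1-user-authentication ... none" (as in Garry's config) rejects the client with "No valid authentication type found for the tunnel group", while Enno's fix is to set it to xauth explicitly, even though the line may not show up in the running config afterwards. The following script is an added audit example written for this thread (it is not code from either poster or from Cisco): it parses an ASA-style config, finds every "type ipsec-ra" tunnel-group, and reports whether user authentication is explicitly disabled, explicitly enabled, or only implicitly at its default. The sample config is constructed from the fragment quoted above; the group names "partners" and "legacy" are made up for illustration.

```python
import re
from typing import Dict, Optional

# Constructed sample, modelled on the tunnel-group fragment quoted in the thread.
# "vpn" mirrors Garry's config; "partners" and "legacy" are invented to show
# the other two outcomes (explicit xauth, and no statement at all).
SAMPLE_CONFIG = """\
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
 address-pool vpn
 default-group-policy vpn
tunnel-group vpn ipsec-attributes
 pre-shared-key xxxx
 isakmp ikev1-user-authentication (outside) none
tunnel-group partners type ipsec-ra
tunnel-group partners ipsec-attributes
 pre-shared-key xxxx
 isakmp ikev1-user-authentication xauth
tunnel-group legacy type ipsec-ra
tunnel-group legacy ipsec-attributes
 pre-shared-key xxxx
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key xxxx
"""

# "tunnel-group <name> type <kind>" / "... general-attributes" / "... ipsec-attributes"
TG_RE = re.compile(r"^tunnel-group\s+(\S+)\s+(type|general-attributes|ipsec-attributes)\b(.*)$")
# "isakmp ikev1-user-authentication [(interface)] <value>"; the interface part is optional,
# as the thread shows both forms.
AUTH_RE = re.compile(r"^isakmp\s+ikev1-user-authentication(?:\s+\(([^)]+)\))?\s+(\S+)$")


def parse_ra_tunnel_groups(config: str) -> Dict[str, Optional[str]]:
    """Map each remote-access (type ipsec-ra) tunnel-group to the value of
    'isakmp ikev1-user-authentication' found in its ipsec-attributes, or None
    when the statement is absent (i.e. the box is relying on the default)."""
    groups: Dict[str, Optional[str]] = {}
    current: Optional[str] = None  # tunnel-group whose ipsec-attributes we are inside
    for raw in config.splitlines():
        line = raw.strip()  # ASA indents sub-commands; quoted mail may have stripped that
        m = TG_RE.match(line)
        if m:
            name, section, rest = m.groups()
            if section == "type" and rest.strip() == "ipsec-ra":
                groups.setdefault(name, None)
            current = name if section == "ipsec-attributes" else None
            continue
        if current is None or current not in groups:
            continue  # not inside the ipsec-attributes of a remote-access group
        m = AUTH_RE.match(line)
        if m:
            groups[current] = m.group(2).lower()
    return groups


def audit(config: str) -> Dict[str, str]:
    """Classify every remote-access tunnel-group:
       'disabled' - explicitly 'none': clients get the error quoted in the thread
       'enabled'  - an explicit value other than 'none' (xauth in the thread)
       'implicit' - no statement; documented default, but per the thread
                    7.2.2 may still need it entered by hand."""
    findings: Dict[str, str] = {}
    for name, value in parse_ra_tunnel_groups(config).items():
        if value is None:
            findings[name] = "implicit"
        elif value == "none":
            findings[name] = "disabled"
        else:
            findings[name] = "enabled"
    return findings


if __name__ == "__main__":
    for name, status in audit(SAMPLE_CONFIG).items():
        print(f"tunnel-group {name}: ikev1-user-authentication {status}")
```

The "implicit" result is the one to keep an eye on given Enno's observation: a clean "show running-config" does not prove the group is using XAUTH on 7.2.2, so the check reports it separately rather than assuming the documented default.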