[c-nsp] ASA w/ 7.2.2 & VPN - can't connect

Ken Cheung kenwkcheung at gmail.com
Wed Dec 20 23:59:52 EST 2006


Hi Garry,

The default IPSec authentication mode is "xauth" in version 7.2.1 code.   
It may have been changed in 7.2.2.

I have a working setup for IPSec and the only difference in configuration
is the "isakmp ikev1-..." line that Enno has pointed out.  The rest should
be pretty straightforward to set up using the ASDM.

Ken

On Wed, 20 Dec 2006 05:36:32 -0800, Enno Rey <erey at ernw.de> wrote:

> Hi,
>
> with 7.2.2 Cisco introduced some new crazy stuff (at least I stumbled
> across this on two boxes now).
> There's a new command called "isakmp ikev1-user-authentication" that -
> according to the documentation - _should_ default to XAUTH. In fact you
> have to enter it manually (on CLI) in the ipsec-attributes of the
> tunnel-group.
> Beware: you won't see it afterwards... which seems to indicate it's
> actually the default state. But I had to do (exactly!) this in recent
> cases to get it working.
> Please try and give us feedback...
>
> thanks,
>
> Enno
>
> On Wed, Dec 20, 2006 at 02:08:55PM +0100, Garry wrote:
>> Hi,
>>
>> I've set up an ASA and multiple PIX firewalls before, all without too
>> many problems, and all acting as VPN terminators just fine. Anyway,
>> having set up a new ASA (and required to use 7.2 due to PPPoE uplink),
>> I've run into multiple problems, the latest being that I don't seem to
>> be able to get any VPN connections up. The VPN client (tried 4.6, 4.7
>> and 4.8, with both UDP and TCP) hangs when trying to contact the ASA,
>> connections to the ASA arrive, but ASA reports e.g.:
>>
>> 6|Dec 20 2006 08:03:31|302015: Built inbound UDP connection 64774 for
>> outside:212.y.y.y/500 (212.y.y.y/500) to NP Identity Ifc:212.x.x.x/500
>> (212.x.x.x/500)
>> 6|Dec 20 2006 08:03:31|713905: Group = vpn, IP = 212.y.y.y, No valid
>> authentication type found for the tunnel group
>> 3|Dec 20 2006 08:03:31|713902: Group = vpn, IP = 212.y.y.y, Removing
>> peer from peer table failed, no match!
>> 4|Dec 20 2006 08:03:31|713903: Group = vpn, IP = 212.y.y.y, Error:
>> Unable to remove PeerTblEntry
>>
>> I have checked, double-checked and re-entered the group password
>> multiple times (hard to mis-type "xxx" though), the VPN had been set up
>> using the VPN Wizard from ASDM (5.2.1), manual inspection inside the
>> ASDM of the created entries resulted in no obvious errors.
>>
>> Here's part of the config ... anybody have an idea?
>>
>> group-policy DfltGrpPolicy attributes
>>   banner none
>>   wins-server none
>>   dns-server none
>>   dhcp-network-scope none
>>   vpn-access-hours none
>>   vpn-simultaneous-logins 3
>>   vpn-idle-timeout 30
>>   vpn-session-timeout none
>>   vpn-filter none
>>   vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
>>   password-storage enable
>>   ip-comp disable
>>   re-xauth disable
>>   group-lock none
>>   pfs disable
>>   ipsec-udp enable
>>   ipsec-udp-port 10000
>>   split-tunnel-policy tunnelall
>>   split-tunnel-network-list value inside_cryptomap
>>   default-domain none
>>   split-dns none
>>   intercept-dhcp 255.255.255.255 disable
>>   secure-unit-authentication disable
>>   user-authentication disable
>>   user-authentication-idle-timeout 30
>>   ip-phone-bypass disable
>>   leap-bypass disable
>>   nem disable
>>   backup-servers keep-client-config
>>   msie-proxy server none
>>   msie-proxy method no-modify
>>   msie-proxy except-list none
>>   msie-proxy local-bypass disable
>>   nac disable
>>   nac-sq-period 300
>>   nac-reval-period 36000
>>   nac-default-acl none
>>   address-pools none
>>   client-firewall none
>>   client-access-rule none
>> [..]
>> group-policy vpn internal
>> group-policy vpn attributes
>>   vpn-tunnel-protocol IPSec webvpn
>>   group-lock value vpn
>>   split-tunnel-policy tunnelspecified
>>   split-tunnel-network-list value inside_cryptomap
>>   default-domain value somedoma.in
>>   address-pools none
>> username vpnuser password XXXXXXXXX encrypted privilege 0
>> username vpnuser attributes
>>   vpn-group-policy vpn
>>   vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
>> [..]
>> crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
>> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
>> crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
>> crypto map outside_map interface outside
>> crypto isakmp enable outside
>> crypto isakmp policy 10
>>   authentication pre-share
>>   encryption aes-256
>>   hash sha
>>   group 5
>>   lifetime 86400
>> crypto isakmp nat-traversal  20
>> crypto isakmp ipsec-over-tcp port 10000
>> tunnel-group vpn type ipsec-ra
>> tunnel-group vpn general-attributes
>>   address-pool vpn
>>   default-group-policy vpn
>> tunnel-group vpn ipsec-attributes
>>   pre-shared-key xxxx
>>   isakmp ikev1-user-authentication (outside) none
>>
>



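The line the thread converges on is "isakmp ikev1-user-authentication" under the tunnel-group's ipsec-attributes: Garry's posted config has it set to "none" on the outside interface, and Enno reports having to enter "xauth" by hand on 7.2.2 even though the documentation calls it the default. The following is an added example, not code from the thread or from Cisco: a small Python audit that walks "show running-config"-style text, collects each tunnel-group's type and its ikev1-user-authentication mode, and emits the CLI lines that would set XAUTH for every remote-access (ipsec-ra) group where the mode is "none" or missing. The sample config is constructed: the "vpn" group is the one from the thread, while "vpn-default", "vpn-fixed" and "site2site" are hypothetical groups added to exercise the unset, correct and LAN-to-LAN cases. The link between "none" and the 713905 "No valid authentication type found" message rests only on what Garry posted, not on any documented cause.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of ASA 7.2 "show running-config" output.
# "vpn" mirrors the tunnel-group posted in the thread; "vpn-default",
# "vpn-fixed" and "site2site" are hypothetical groups added to exercise
# the unset, correct and LAN-to-LAN cases.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
 address-pool vpn
 default-group-policy vpn
tunnel-group vpn ipsec-attributes
 pre-shared-key xxxx
 isakmp ikev1-user-authentication (outside) none
tunnel-group vpn-default type ipsec-ra
tunnel-group vpn-default ipsec-attributes
 pre-shared-key xxxx
tunnel-group vpn-fixed type ipsec-ra
tunnel-group vpn-fixed ipsec-attributes
 pre-shared-key xxxx
 isakmp ikev1-user-authentication xauth
tunnel-group site2site type ipsec-l2l
tunnel-group site2site ipsec-attributes
 pre-shared-key xxxx
"""

TG_TYPE_RE = re.compile(r"^tunnel-group\s+(?P<name>\S+)\s+type\s+(?P<type>\S+)\s*$")
TG_IPSEC_RE = re.compile(r"^tunnel-group\s+(?P<name>\S+)\s+ipsec-attributes\s*$")
# isakmp ikev1-user-authentication [(interface)] {none | xauth | hybrid}
AUTH_RE = re.compile(
    r"^\s*isakmp ikev1-user-authentication"
    r"(?:\s+\((?P<iface>[^)]+)\))?"
    r"\s+(?P<mode>none|xauth|hybrid)\s*$"
)


def _new_group() -> dict:
    return {"type": None, "psk": False, "user_auth": None, "iface": None}


def parse_tunnel_groups(config: str) -> Dict[str, dict]:
    """Collect type, PSK presence and user-auth mode for every tunnel-group."""
    groups: Dict[str, dict] = {}
    current: Optional[str] = None  # group whose ipsec-attributes we are inside
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):  # any top-level command leaves the sub-mode
            current = None
        m = TG_TYPE_RE.match(line)
        if m:
            groups.setdefault(m["name"], _new_group())["type"] = m["type"]
            continue
        m = TG_IPSEC_RE.match(line)
        if m:
            current = m["name"]
            groups.setdefault(current, _new_group())
            continue
        if current is None:
            continue
        if line.strip().startswith("pre-shared-key"):
            groups[current]["psk"] = True
            continue
        m = AUTH_RE.match(line)
        if m:
            groups[current]["user_auth"] = m["mode"]
            groups[current]["iface"] = m["iface"]
    return groups


def audit(config: str) -> List[dict]:
    """Flag remote-access (ipsec-ra) groups whose XAUTH user phase is off or unset."""
    findings: List[dict] = []
    for name, g in parse_tunnel_groups(config).items():
        if g["type"] != "ipsec-ra":
            continue  # LAN-to-LAN groups have no per-user XAUTH phase
        iface = f"({g['iface']}) " if g["iface"] else ""
        fix = [f"tunnel-group {name} ipsec-attributes",
               f" isakmp ikev1-user-authentication {iface}xauth"]
        if g["user_auth"] == "none":
            findings.append({"tunnel_group": name, "severity": "error",
                             "user_auth": "none",
                             "reason": "user authentication explicitly disabled; "
                                       "this is the state of the posted config",
                             "fix": fix})
        elif g["user_auth"] is None:
            findings.append({"tunnel_group": name, "severity": "warn",
                             "user_auth": None,
                             "reason": "mode not set explicitly; docs say xauth "
                                       "is the default, the thread reports having "
                                       "to enter it by hand on 7.2.2",
                             "fix": fix})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f['severity']}] tunnel-group {f['tunnel_group']}: {f['reason']}")
        print("\n".join(f["fix"]))
```

Run against the sample, the "vpn" group is reported as an error with the per-interface form of the fix ("(outside) xauth", matching how the posted config spells it), "vpn-default" as a warning because nothing was entered at all, and "vpn-fixed" and "site2site" produce nothing. Since Enno notes the command disappears from the running config once it holds the default value, the warning branch is deliberately kept: an absent line cannot distinguish "default xauth" from "never configured", so on 7.2.2 the safe move is to enter it explicitly as he describes.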