[c-nsp] ASA w/ 7.2.2 & VPN - can't connect
Ken Cheung
kenwkcheung at gmail.com
Wed Dec 20 23:59:52 EST 2006
Hi Garry,
The default IPSec authentication mode is "xauth" in version 7.2.1 code.
It may have been changed in 7.2.2.
I have a working setup for IPSec and the only difference in configuration
is the "isakmp ikev1-..." line that Enno has pointed out. The rest should
be pretty straightforward to set up using the ASDM.
Ken
On Wed, 20 Dec 2006 05:36:32 -0800, Enno Rey <erey at ernw.de> wrote:
> Hi,
>
> with 7.2.2 Cisco introduced some new crazy stuff (at least I stumbled
> across this on two boxes now).
> There's a new command called "isakmp ikev1-user-authentication" that -
> according to the documentation - _should_ default to XAUTH. In fact you
> have to enter it manually (on CLI) in the ipsec-attributes of the
> tunnel-group.
> Beware: you won't see it afterwards... which seems to indicate it's
> actually the default state. But I had to do (exactly!) this in recent
> cases to get it working.
> Please try and give us feedback...
>
> thanks,
>
> Enno
>
> On Wed, Dec 20, 2006 at 02:08:55PM +0100, Garry wrote:
>> Hi,
>>
>> I've set up an ASA and multiple PIX firewalls before, all without too
>> many problems, and all acting as VPN terminators just fine. Anyway,
>> having set up a new ASA (and required to use 7.2 due to PPPoE uplink),
>> I've run into multiple problems, the latest being that I don't seem to
>> be able to get any VPN connections up. The VPN client (tried 4.6, 4.7
>> and 4.8, with both UDP and TCP) hangs when trying to contact the ASA,
>> connections to the ASA arrive, but ASA reports e.g.:
>>
>> 6|Dec 20 2006 08:03:31|302015: Built inbound UDP connection 64774 for
>> outside:212.y.y.y/500 (212.y.y.y/500) to NP Identity Ifc:212.x.x.x/500
>> (212.x.x.x/500)
>> 6|Dec 20 2006 08:03:31|713905: Group = vpn, IP = 212.y.y.y, No valid
>> authentication type found for the tunnel group
>> 3|Dec 20 2006 08:03:31|713902: Group = vpn, IP = 212.y.y.y, Removing
>> peer from peer table failed, no match!
>> 4|Dec 20 2006 08:03:31|713903: Group = vpn, IP = 212.y.y.y, Error:
>> Unable to remove PeerTblEntry
>>
>> I have checked, double-checked and re-entered the group password
>> multiple times (hard to mis-type "xxx" though), the VPN had been set up
>> using the VPN Wizard from ASDM (5.2.1), manual inspection inside the
>> ASDM of the created entries resulted in no obvious errors.
>>
>> Here's part of the config ... anybody have an idea?
>>
>> group-policy DfltGrpPolicy attributes
>> banner none
>> wins-server none
>> dns-server none
>> dhcp-network-scope none
>> vpn-access-hours none
>> vpn-simultaneous-logins 3
>> vpn-idle-timeout 30
>> vpn-session-timeout none
>> vpn-filter none
>> vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
>> password-storage enable
>> ip-comp disable
>> re-xauth disable
>> group-lock none
>> pfs disable
>> ipsec-udp enable
>> ipsec-udp-port 10000
>> split-tunnel-policy tunnelall
>> split-tunnel-network-list value inside_cryptomap
>> default-domain none
>> split-dns none
>> intercept-dhcp 255.255.255.255 disable
>> secure-unit-authentication disable
>> user-authentication disable
>> user-authentication-idle-timeout 30
>> ip-phone-bypass disable
>> leap-bypass disable
>> nem disable
>> backup-servers keep-client-config
>> msie-proxy server none
>> msie-proxy method no-modify
>> msie-proxy except-list none
>> msie-proxy local-bypass disable
>> nac disable
>> nac-sq-period 300
>> nac-reval-period 36000
>> nac-default-acl none
>> address-pools none
>> client-firewall none
>> client-access-rule none
>> [..]
>> group-policy vpn internal
>> group-policy vpn attributes
>> vpn-tunnel-protocol IPSec webvpn
>> group-lock value vpn
>> split-tunnel-policy tunnelspecified
>> split-tunnel-network-list value inside_cryptomap
>> default-domain value somedoma.in
>> address-pools none
>> username vpnuser password XXXXXXXXX encrypted privilege 0
>> username vpnuser attributes
>> vpn-group-policy vpn
>> vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
>> [..]
>> crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
>> crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
>> crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
>> crypto map outside_map interface outside
>> crypto isakmp enable outside
>> crypto isakmp policy 10
>> authentication pre-share
>> encryption aes-256
>> hash sha
>> group 5
>> lifetime 86400
>> crypto isakmp nat-traversal 20
>> crypto isakmp ipsec-over-tcp port 10000
>> tunnel-group vpn type ipsec-ra
>> tunnel-group vpn general-attributes
>> address-pool vpn
>> default-group-policy vpn
>> tunnel-group vpn ipsec-attributes
>> pre-shared-key xxxx
>> isakmp ikev1-user-authentication (outside) none
>>
--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
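As an added example (not code from any poster in this thread): a small Python linter that walks ASA tunnel-group ipsec-attributes blocks, flags an "isakmp ikev1-user-authentication" value of none (the setting in Garry's config) or an absent line (Enno's point that the documented xauth default cannot be relied on), and counts matching 713905 syslog lines per group. The sample config and log line are constructed from the fragments quoted above.

```python
import re

# Constructed sample modelled on the config quoted in the thread: 'vpn'
# carries the 'none' setting, 'partner' omits the line, 'good' sets xauth.
SAMPLE_CONFIG = """\
tunnel-group vpn type ipsec-ra
tunnel-group vpn general-attributes
 default-group-policy vpn
tunnel-group vpn ipsec-attributes
 pre-shared-key xxxx
 isakmp ikev1-user-authentication (outside) none
tunnel-group partner ipsec-attributes
 pre-shared-key yyyy
tunnel-group good ipsec-attributes
 pre-shared-key zzzz
 isakmp ikev1-user-authentication xauth
"""
# Constructed syslog line in the format Garry pasted (ASA message 713905).
SAMPLE_LOG = ["6|Dec 20 2006 08:03:31|713905: Group = vpn, IP = 212.y.y.y, "
              "No valid authentication type found for the tunnel group"]

HDR = re.compile(r"^tunnel-group (\S+) ipsec-attributes\s*$")
AUTH = re.compile(r"^\s*isakmp ikev1-user-authentication(?: \(\S+\))? (\S+)")
LOG = re.compile(r"\|713905: Group = ([^,]+),")

def ikev1_user_auth(config):
    """Return {tunnel-group: value} for every ipsec-attributes block;
    value is None when no ikev1-user-authentication line is present."""
    result, current = {}, None
    for line in config.splitlines():
        if (m := HDR.match(line)):
            current = m.group(1)
            result.setdefault(current, None)
        elif line.startswith("tunnel-group "):
            current = None            # entered a different sub-mode
        elif current and (m := AUTH.match(line)):
            result[current] = m.group(1)
    return result

def findings(config, log_lines):
    """Flag groups whose user authentication is 'none' or unset, and
    count 713905 syslog hits per group so config and log line up."""
    hits = {}
    for line in log_lines:
        if (m := LOG.search(line)):
            hits[m.group(1)] = hits.get(m.group(1), 0) + 1
    out = {}
    for group, value in ikev1_user_auth(config).items():
        if value == "none":
            out[group] = ("user-auth disabled", hits.get(group, 0))
        elif value is None:
            out[group] = ("user-auth not set explicitly", hits.get(group, 0))
    return out
```

Run `findings(open("asa.cfg").read(), open("asa.log"))` against a real `show run` export and syslog capture; a group reported as disabled together with non-zero 713905 hits is the condition Garry's log shows.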