[c-nsp] IPSec Remote Access VPN getting Addresses from the DHCP
Bruno Filipe
brun0_filipe at yahoo.com
Wed Nov 5 10:36:43 EST 2008
Hi there,...
Can u guys help me understand why the dhcp is not providing addressing information to the VPN Clients...If I use a local pool, I can connect and get addressing info
Here's my config:
asa# wr t
: Saved
:
ASA Version 7.0(7)
!
hostname asa
domain-name domain.co.ao
enable password shhhhhhhhhhhhhhhhhhh encrypted
names
dns-guard
!
interface Ethernet0/0
description 100BASETX to LAN Switch
nameif inside
security-level 100
ip address 192.168.91.254 255.255.255.0
!
interface Ethernet0/1
description 100BASETX link to Alvarion BMAX-CPE-ODU (INTERNET)
nameif outside
security-level 0
ip address xxx.xxx.xx.xxx 255.255.255.252
!
interface Ethernet0/2
description FOR FUTURE USE
nameif dmz
security-level 5
ip address xxx.xxx.xx.xxx 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd shhhhhhhhhhhhhhhh encrypted
ftp mode passive
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq smtp
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq pop3
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq https
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq 3389
pager lines 24
logging timestamp
logging buffer-size 16384
logging buffered critical
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu management 1500
ip local pool COMPANY-LOCAL-POOL 192.168.91.230-192.168.91.240
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.91.112 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.91.112 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.91.112 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.91.112 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 196.216.54.229 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec webvpn
password-storage disable
ip-comp enable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
functions url-entry
port-forward-name value Application Access
group-policy COMPANY-REMOTE-ACCESS internal
group-policy COMPANY-REMOTE-ACCESS attributes
dhcp-network-scope 192.168.91.150
webvpn
username some.name password EB4ztYh0SYsdhnHI encrypted
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.91.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set COMPANY-TRANSFORM-SET esp-3des esp-md5-hmac
crypto dynamic-map COMPANY-DYNAMIC-MAP 10 set transform-set GENIUS-TRANSFORM-SET
crypto map COMPANY-CRYPTO-MAP 65535 ipsec-isakmp dynamic GENIUS-DYNAMIC-MAP
crypto map COMPANY-CRYPTO-MAP interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group COMPANY-TUNNEL-GROUP type ipsec-ra
tunnel-group COMPANY-TUNNEL-GROUP general-attributes
dhcp-server 192.168.91.254
tunnel-group COMPANY-TUNNEL-GROUP ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh xxx.xxx.xx.x 255.255.255.0 outside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd address 192.168.91.150-192.168.91.240 inside
dhcpd dns xxx.xxx.xx.xx xxx.xxx.xx.xx
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain genius.co.ao
dhcpd enable inside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
Cryptochecksum:d60a247e16f4bf6dd36da42b71aa1440
: end
[OK]
asa#
DEBUG OUTPUT
OUTPUT OMMITTED
::
asa# debug crypto isakmp 127
asa# terminal monitor
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Received unknown transaction mode attribute: 28684
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for Application Version!
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Client Type: WinNT Client Application Version: 5.0.04.0300
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for FWTYPE!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for DHCP hostname for DDNS is: ispdomain!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for UDP Port!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for Local LAN Include!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, IKE received response of type [VALID (but no address supplied)] to a request from the IP address utility
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Cannot obtain an IP address for remote peer
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, IKE TM V6 FSM error history (struct &0x39c1900) <state>, <event>: TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = GENIUS-TUNNEL-GROUP, Username = some.usera, IP = xxx.xxx.xx.xx, IKE AM Responder FSM error history (struct &0x3ac4060) <state>, <event>: AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, IKE SA AM:835707d8 terminating: flags 0x0945c001, refcnt 0, tuncnt 0
::
::
OUTPUT OMMITTED
::
::
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, sending delete/delete with reason message
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, constructing blank hash payload
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, constructing IKE delete payload
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, constructing qm hash payload
Nov 05 07:59:15 [IKEv1]: IP = xxx.xxx.xx.xx, IKE_DECODE SENDING Message (msgid=52532842) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx,Removing peer from peer table failed, no match!
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Error: Unable to remove PeerTblEntry
More information about the cisco-nsp
mailing list