[c-nsp] IPSec Remote Access VPN getting Addresses from the DHCP

Bruno Filipe brun0_filipe at yahoo.com
Wed Nov 5 10:36:43 EST 2008


Hi there,...

Can u guys help me understand why the dhcp is not providing addressing information to the VPN Clients...If I use a local pool, I can connect and get addressing info

Here's my config:

asa# wr t
: Saved
:
ASA Version 7.0(7) 
!
hostname asa
domain-name domain.co.ao
enable password shhhhhhhhhhhhhhhhhhh encrypted
names
dns-guard
!
interface Ethernet0/0
 description 100BASETX to LAN Switch
 nameif inside
 security-level 100
 ip address 192.168.91.254 255.255.255.0 
!
interface Ethernet0/1
 description 100BASETX link to Alvarion BMAX-CPE-ODU (INTERNET)
 nameif outside
 security-level 0
 ip address xxx.xxx.xx.xxx 255.255.255.252 
!
interface Ethernet0/2
 description FOR FUTURE USE
 nameif dmz
 security-level 5
 ip address xxx.xxx.xx.xxx 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
passwd shhhhhhhhhhhhhhhh encrypted
ftp mode passive
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq smtp 
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq pop3 
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq https 
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq 3389 
pager lines 24
logging timestamp
logging buffer-size 16384
logging buffered critical
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu management 1500
ip local pool COMPANY-LOCAL-POOL 192.168.91.230-192.168.91.240
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.91.112 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface pop3 192.168.91.112 pop3 netmask 255.255.255.255 
static (inside,outside) tcp interface https 192.168.91.112 https netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 192.168.91.112 3389 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 196.216.54.229 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp enable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy COMPANY-REMOTE-ACCESS internal
group-policy COMPANY-REMOTE-ACCESS attributes
 dhcp-network-scope 192.168.91.150
 webvpn
username some.name password EB4ztYh0SYsdhnHI encrypted
aaa authentication ssh console LOCAL 
aaa authentication enable console LOCAL 
http server enable
http 192.168.91.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set COMPANY-TRANSFORM-SET esp-3des esp-md5-hmac 
crypto dynamic-map COMPANY-DYNAMIC-MAP 10 set transform-set GENIUS-TRANSFORM-SET
crypto map COMPANY-CRYPTO-MAP 65535 ipsec-isakmp dynamic GENIUS-DYNAMIC-MAP
crypto map COMPANY-CRYPTO-MAP interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group COMPANY-TUNNEL-GROUP type ipsec-ra
tunnel-group COMPANY-TUNNEL-GROUP general-attributes
 dhcp-server 192.168.91.254
tunnel-group COMPANY-TUNNEL-GROUP ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh xxx.xxx.xx.x 255.255.255.0 outside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd address 192.168.91.150-192.168.91.240 inside
dhcpd dns xxx.xxx.xx.xx xxx.xxx.xx.xx
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain genius.co.ao
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!             
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
Cryptochecksum:d60a247e16f4bf6dd36da42b71aa1440
: end
[OK]
asa# 



DEBUG OUTPUT 

OUTPUT OMMITTED
::
asa#  debug crypto isakmp 127
asa# terminal monitor 
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Received unknown transaction mode attribute: 28684
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for Application Version!
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Client Type: WinNT  Client Application Version: 5.0.04.0300
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for FWTYPE!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for DHCP hostname for DDNS is: ispdomain!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for UDP Port!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for Local LAN Include!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, IKE received response of type [VALID (but no address supplied)] to a request from the IP address utility
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Cannot obtain an IP address for remote peer
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, IKE TM V6 FSM error history (struct &0x39c1900)  <state>, <event>:  TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = GENIUS-TUNNEL-GROUP, Username = some.usera, IP = xxx.xxx.xx.xx, IKE AM Responder FSM error history (struct &0x3ac4060)  <state>, <event>:  AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, IKE SA AM:835707d8 terminating:  flags 0x0945c001, refcnt 0, tuncnt 0
::
::
OUTPUT OMMITTED
::
::
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, sending delete/delete with reason message
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, constructing blank hash payload
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, constructing IKE delete payload
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, constructing qm hash payload
Nov 05 07:59:15 [IKEv1]: IP = xxx.xxx.xx.xx, IKE_DECODE SENDING Message (msgid=52532842) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx,Removing peer from peer table failed, no match!
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Error: Unable to remove PeerTblEntry


      


More information about the cisco-nsp mailing list