
Urgent VPN Help

VPN config:

vpngroup Admins-VPN address-pool Admins-VPN

vpngroup Admins-VPN dns-server 10.9.2.5 10.9.2.6

vpngroup Admins-VPN wins-server 10.9.2.6

vpngroup Admins-VPN default-domain abvalve.com

vpngroup Admins-VPN idle-time 1800

vpngroup Admins-VPN password ********

Client Errors:

Trying to connect to my network over VPN, this is what I get! We have a 506E.

1 08:59:50.140 02/01/08 Sev=Warning/3 IKE/0xE3000057

The received HASH payload cannot be verified

2 08:59:50.140 02/01/08 Sev=Warning/2 IKE/0xE300007E

Hash verification failed... may be configured with invalid group password.

3 08:59:50.140 02/01/08 Sev=Warning/2 IKE/0xE300009B

Failed to authenticate peer (Navigator:904)

4 08:59:50.140 02/01/08 Sev=Warning/2 IKE/0xE30000A7

Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2238)

Any ideas?


djones
Level 1

I believe it means that you have a password mismatch. The group password on the ASA/PIX is different than the group password in the VPN client.

OK, got the password matching and I can connect to the VPN now, but I cannot ping or log onto any of the servers in my network.

I cannot see anything on the inside of my network!

Can you post a copy of your configuration along with information on what IP addresses you are not able to access across the tunnel?

Regards,

Arul

Attached is my config file!

Couple of things: you are assigning IP addresses to the VPN clients from a pool which is part of the LAN behind the PIX. This is not a recommended configuration. Also, I don't see a NAT 0 command to bypass NAT for the VPN clients. So, you could try:

access-list inside_outbound_nat0_acl permit ip AB01-LF 255.255.255.0 AB01-LF 255.255.255.0

If, after applying the above ACL, your VPN client still does not work, then I would recommend that you configure a pool for the VPN clients from a range of IPs that is not part of your internal LAN, for example 172.16.1.0/24, and also configure NAT 0 to bypass NAT.

access-list inside_outbound_nat0_acl permit ip AB01-LF 255.255.255.0 172.16.1.0 255.255.255.0

Let me know if it works.

Regards,

Arul

** Please rate all helpful posts **
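
The two checks suggested in the reply above (VPN pool inside the LAN range, missing NAT 0 exemption) can be automated against a saved configuration. This is an added example, not part of the original thread or any Cisco tool; the sample configs are constructed, use PIX 6.x-style syntax with numeric addresses (no `name` aliases such as AB01-LF), and the `audit` function and finding labels are hypothetical names.

```python
import ipaddress
import re

# Constructed PIX 6.x-style samples (not the poster's attached config).
SAMPLE_BAD = """\
ip address inside 192.168.10.1 255.255.255.0
ip local pool Admins-VPN 192.168.10.200-192.168.10.220
vpngroup Admins-VPN address-pool Admins-VPN
"""

SAMPLE_FIXED = """\
ip address inside 192.168.10.1 255.255.255.0
ip local pool Admins-VPN 172.16.1.1-172.16.1.254
access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
vpngroup Admins-VPN address-pool Admins-VPN
"""


def audit(config):
    """Return findings about the VPN address pool and the NAT 0 exemption."""
    findings = []
    inside_m = re.search(r"^ip address inside (\S+) (\S+)$", config, re.M)
    pool_m = re.search(r"^ip local pool \S+ ([\d.]+)-([\d.]+)$", config, re.M)
    if not (inside_m and pool_m):
        raise ValueError("config lacks an inside address or a local pool")
    inside = ipaddress.ip_network("/".join(inside_m.groups()), strict=False)
    first, last = (ipaddress.ip_address(a) for a in pool_m.groups())
    if first in inside or last in inside:
        findings.append("pool-overlaps-inside")
    # The exemption is the ACL referenced by "nat (inside) 0 access-list <name>".
    nat_m = re.search(r"^nat \(inside\) 0 access-list (\S+)$", config, re.M)
    if not nat_m:
        return findings + ["no-nat0"]
    acl_re = rf"^access-list {re.escape(nat_m.group(1))} permit ip (\S+) (\S+) (\S+) (\S+)$"
    for src, smask, dst, dmask in re.findall(acl_re, config, re.M):
        src_net = ipaddress.ip_network(f"{src}/{smask}", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        # One entry must exempt inside -> pool traffic for the whole pool.
        if inside.subnet_of(src_net) and first in dst_net and last in dst_net:
            return findings
    return findings + ["nat0-acl-misses-pool"]


if __name__ == "__main__":
    print(audit(SAMPLE_BAD), audit(SAMPLE_FIXED))
```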