ASA 5505 remote-vpn help

Unanswered Question
Feb 6th, 2008

Out-of-the-box configuration. Changed the internal IP range, DHCP pool and ASDM config. Then I ran the VPN wizard to connect a VPN client. I can't establish a tunnel whatsoever. Find attached the config and the log.

Thank you in advance for your help

Niko

srue Wed, 02/06/2008 - 10:35

I pulled this off of a working config, 5505 7.2(3)

=====================================

ip local pool vpnpool 10.x.y.1-10.x.y.10 mask 255.255.255.0
crypto ipsec transform-set AES256_SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYNAMICMAP 5 set transform-set AES256_SHA
crypto dynamic-map DYNAMICMAP 5 set security-association lifetime seconds 7200
crypto map CRYPTOMAP 5 ipsec-isakmp dynamic DYNAMICMAP
crypto map CRYPTOMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
group-policy GROUPPOLICYNAME internal
group-policy GROUPPOLICYNAME attributes
 dns-server value 10.x.y.z
 vpn-idle-timeout 120
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel_acl
 default-domain value domain.org
 split-dns value domain.org
tunnel-group VPNGROUPNAME type ipsec-ra
tunnel-group VPNGROUPNAME general-attributes
 address-pool vpnpool
 default-group-policy GROUPPOLICYNAME
tunnel-group VPNGROUPNAME ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none

============================================

the very last line disables xauth...

niko.hartung Wed, 02/06/2008 - 11:15

Thanks for your quick response. I've tried to disable xauth already but no luck.

srue Wed, 02/06/2008 - 11:21

based on your configuration, you have to set the group name (in the cisco vpn client) to 10.0.0.0

is that really what you want?

you also don't have nat-t enabled, which might be causing issues.

if you don't want xauth, just add that last line under the tunnel-group ipsec attributes.
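Added example (not part of the thread and not any poster's code): a small Python lint that checks an ASA remote-access config of the shape shown above for the two kinds of problem raised in this thread, a required global command that is missing (such as NAT-T) and a name that is referenced but never defined. It goes beyond the thread by checking every cross-reference in the sample config. The function name `lint_ra_vpn` and the sample addresses are assumptions made for the example.

```python
import re

# Constructed sample; NAT-T and the split-tunnel ACL are omitted on purpose.
SAMPLE = """\
ip local pool vpnpool 10.9.8.1-10.9.8.10 mask 255.255.255.0
crypto ipsec transform-set AES256_SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYNAMICMAP 5 set transform-set AES256_SHA
crypto map CRYPTOMAP 5 ipsec-isakmp dynamic DYNAMICMAP
crypto map CRYPTOMAP interface outside
crypto isakmp enable outside
group-policy GROUPPOLICYNAME internal
group-policy GROUPPOLICYNAME attributes
 split-tunnel-network-list value splittunnel_acl
tunnel-group VPNGROUPNAME type ipsec-ra
tunnel-group VPNGROUPNAME general-attributes
 address-pool vpnpool
 default-group-policy GROUPPOLICYNAME
tunnel-group VPNGROUPNAME ipsec-attributes
 pre-shared-key *
"""

# (reference pattern, definition pattern, label): each reference must resolve.
REFS = [
    (r"^address-pool (\S+)", r"^ip local pool (\S+)", "address pool"),
    (r"^default-group-policy (\S+)", r"^group-policy (\S+) internal", "group-policy"),
    (r"^split-tunnel-network-list value (\S+)", r"^access-list (\S+)", "access-list"),
    (r"^crypto dynamic-map \S+ \d+ set transform-set (\S+)",
     r"^crypto ipsec transform-set (\S+)", "transform-set"),
    (r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)",
     r"^crypto dynamic-map (\S+)", "dynamic-map"),
]
# (pattern that must be present, finding reported when it is absent)
REQUIRED = [
    (r"^crypto isakmp enable \S+", "ISAKMP is not enabled on any interface"),
    (r"^crypto isakmp nat-traversal", "NAT-T is not enabled"),
    (r"^crypto map \S+ interface \S+", "no crypto map is applied to an interface"),
    (r"^tunnel-group \S+ type ipsec-ra", "no remote-access tunnel-group is defined"),
]

def lint_ra_vpn(config):
    """Return findings for an ASA 7.x IPsec remote-access configuration."""
    # Strip indentation so a paste that lost it (as on a forum) still parses.
    text = "\n".join(l.strip() for l in config.splitlines() if l.strip())
    findings = [msg for pat, msg in REQUIRED if not re.search(pat, text, re.M)]
    for ref, definition, label in REFS:
        defined = set(re.findall(definition, text, re.M))
        for name in sorted(set(re.findall(ref, text, re.M)) - defined):
            findings.append(f"{label} '{name}' is referenced but not defined")
    return findings
```

Calling `lint_ra_vpn(SAMPLE)` reports the missing NAT-T command and the undefined `splittunnel_acl`; an empty list means every check passed, not that the tunnel will come up.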

husycisco Wed, 02/06/2008 - 11:22

Hi Niko

Attached config is a mess, attach the config you made after analyzing srue's sample RA-VPN config

Regards

niko.hartung Wed, 02/06/2008 - 12:07

Thanks for your quick response. I've tried to disable xauth already but no luck.
