ASA 5505 remote-vpn help

Unanswered Question
Feb 6th, 2008

Out-of-the-box configuration. Changed the internal IP range, DHCP pool and ASDM config. Then I ran the VPN wizard to connect a VPN client. I can't establish a tunnel whatsoever. Find attached the config and the log.


Thank you in advance for your help

Niko
srue Wed, 02/06/2008 - 10:35

I pulled this off of a working config, 5505 7.2(3)

=====================================

ip local pool vpnpool 10.x.y.1-10.x.y.10 mask 255.255.255.0
crypto ipsec transform-set AES256_SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYNAMICMAP 5 set transform-set AES256_SHA
crypto dynamic-map DYNAMICMAP 5 set security-association lifetime seconds 7200
crypto map CRYPTOMAP 5 ipsec-isakmp dynamic DYNAMICMAP
crypto map CRYPTOMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
group-policy GROUPPOLICYNAME internal
group-policy GROUPPOLICYNAME attributes
 dns-server value 10.x.y.z
 vpn-idle-timeout 120
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel_acl
 default-domain value domain.org
 split-dns value domain.org
tunnel-group VPNGROUPNAME type ipsec-ra
tunnel-group VPNGROUPNAME general-attributes
 address-pool vpnpool
 default-group-policy GROUPPOLICYNAME
tunnel-group VPNGROUPNAME ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication none

============================================

the very last line disables xauth...

niko.hartung Wed, 02/06/2008 - 11:15

Thanks for your quick response. I've tried to disable xauth already but no luck.



srue Wed, 02/06/2008 - 11:21

based on your configuration, you have to set the group name (in the cisco vpn client) to 10.0.0.0


is that really what you want?

you also don't have nat-t enabled, which might be causing issues.

if you don't want xauth, just add that last line under the tunnel-group ipsec attributes.
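
Added example, not part of the thread and not either poster's code: a small Python check for the three points raised in the reply above (the tunnel-group name the client must enter, NAT-T, and xauth), run over a constructed config excerpt. It assumes sub-commands are indented as in `show running-config` output; `parse_blocks` and `check_ra_vpn` are hypothetical helper names.

```python
import re

# Constructed sample (NOT the poster's attached config): an ipsec-ra
# tunnel-group named like an IP address, no NAT-T line, xauth left at default.
SAMPLE = """\
crypto map CRYPTOMAP interface outside
crypto isakmp enable outside
tunnel-group 10.0.0.0 type ipsec-ra
tunnel-group 10.0.0.0 general-attributes
 address-pool vpnpool
tunnel-group 10.0.0.0 ipsec-attributes
 pre-shared-key *
"""

def parse_blocks(text):
    """Map each top-level command to the indented sub-commands under it."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def check_ra_vpn(text):
    """Return findings for group name, xauth and NAT-T."""
    blocks = parse_blocks(text)
    findings = []
    groups = [m.group(1) for line in blocks
              if (m := re.fullmatch(r"tunnel-group (\S+) type ipsec-ra", line))]
    if not groups:
        findings.append("no ipsec-ra tunnel-group defined")
    for name in groups:
        findings.append(f"client group name must be '{name}'")
        if re.fullmatch(r"\d+(\.\d+){3}", name):
            findings.append(f"tunnel-group '{name}' looks like an IP address")
        subs = blocks.get(f"tunnel-group {name} ipsec-attributes", [])
        if "isakmp ikev1-user-authentication none" not in subs:
            findings.append(f"xauth enabled for '{name}'")
    if not any(cmd.startswith("crypto isakmp nat-traversal") for cmd in blocks):
        findings.append("NAT-T not enabled (crypto isakmp nat-traversal missing)")
    return findings

if __name__ == "__main__":
    for finding in check_ra_vpn(SAMPLE):
        print(finding)
```
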

husycisco Wed, 02/06/2008 - 11:22

Hi Niko

Attached config is a mess. Attach the config you made after analyzing srue's sample RA-VPN config.


Regards

niko.hartung Wed, 02/06/2008 - 12:07

Thanks for your quick response. I've tried to disable xauth already but no luck.


