VPN Client not working

brianbono · ‎02-02-2009

We have already configured our firewall to allow VPN client connections. It is also setup to authenticate to our Active Directory but I still get this error on my vpn client software when trying to access my office.

1 02:26:53.171 02/03/09 Sev=Warning/3 IKE/0xE3000057

The received HASH payload cannot be verified

2 02:26:53.171 02/03/09 Sev=Warning/2 IKE/0xE300007E

Hash verification failed... may be configured with invalid group password.

3 02:26:53.171 02/03/09 Sev=Warning/2 IKE/0xE300009B

Failed to authenticate peer (Navigator:904)

4 02:26:53.171 02/03/09 Sev=Warning/2 IKE/0xE30000A7

Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2238)

Below is my current running config:

ASA Version 8.0(4)

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 123.123.123.12 255.255.255.240

!

ftp mode passive

dns server-group DefaultDNS

domain-name abc.local

same-security-traffic permit intra-interface

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended permit tcp any host 123.123.123.18 eq 222

access-list outside_access_in extended permit tcp any host 123.244.188.18 eq pptp

access-list ST standard permit 192.168.100.0 255.255.255.0

access-list ST standard permit 192.168.1.0 255.255.255.0

access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255

.255.255.0

pager lines 24

mtu inside 1500

mtu outside 1500

ip local pool abcpool 192.168.100.1-192.168.100.254 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

asdm image disk0:/asdm-615.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

static (inside,outside) tcp 123.123.123.22 222 192.168.1.70 ssh netmask 255.255.2

55.255

static (inside,outside) tcp interface pptp 192.168.1.6 pptp netmask 255.255.255.

255

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 123.123.123.17 1

dynamic-access-policy-record DfltAccessPolicy

aaa-server RADIUS protocol radius

aaa-server RADIUS (inside) host 192.168.1.6

key abc

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

no sysopt connection permit-vpn

crypto ipsec transform-set toabc esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set transform-set toRMT

crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds

28800

crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobyte

s 4608000

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map oustide_map interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 averag

e-rate 200

group-policy abc internal

group-policy abc attributes

dns-server value 192.168.1.6

split-tunnel-policy tunnelspecified

split-tunnel-network-list value ST

default-domain value abc.local

tunnel-group abc type remote-access

tunnel-group abc general-attributes

address-pool abcpool

authentication-server-group RADIUS

default-group-policy abc

tunnel-group abc ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

service-policy global_policy global

abcasa(config)#

Richard Burts · ‎02-02-2009

Brian

I do not believe that you are getting as far as Active Directory for authentication. The messages suggest that there is a mismatch between what is configured in your VPN client and what is configured on the ASA:

Hash verification failed... may be configured with invalid group password.

This would be a key configured on your client along with the group name of abc. The ASA shows that a pre shared key is configured for group authentication:

pre-shared-key *

but it does not show what that key value is. You need to be sure that the values are the same.

Are other people with VPN client able to connect? If so this would suggest a problem in configuration of your client and you need to re-configure your client. If you are the first person and are testing then it is possible to test this by changing the value on the ASA, changing the value on your client, or by changing both (which is the approach I would suggest).

HTH

Rick

HTH

Rick

brianbono · ‎02-02-2009

Yes, I have already made sure that that pre shared key configured for group authentication is correct. This is the first user to connect to the VPN so I assume that there is an issue going on...

Please advise. Thanks

Richard Burts · ‎02-03-2009

Brian

does the group name configured in the client match the abc used in the config (and does it match upper/lower case)?

I would suggest changing the shared key to something very simple (you can go to a more complex key when you have it working). change it on both the client and the ASA and see if the behavior changes.

If that does not help then I suggest setting the logging level in the client to high (at least for IKE and perhaps for others such as connection manager. test again and post the log output. perhaps it will have some better clue about the problem.

HTH

Rick

HTH

Rick