02-02-2009 10:58 AM - edited 03-11-2019 07:44 AM
We have already configured our firewall to allow VPN client connections. It is also set up to authenticate to our Active Directory, but I still get this error in my VPN client software when trying to access my office.
1 02:26:53.171 02/03/09 Sev=Warning/3 IKE/0xE3000057
The received HASH payload cannot be verified
2 02:26:53.171 02/03/09 Sev=Warning/2 IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.
3 02:26:53.171 02/03/09 Sev=Warning/2 IKE/0xE300009B
Failed to authenticate peer (Navigator:904)
4 02:26:53.171 02/03/09 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2238)
Below is my current running config:
ASA Version 8.0(4)
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 123.123.123.12 255.255.255.240
!
ftp mode passive
dns server-group DefaultDNS
domain-name abc.local
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 123.123.123.18 eq 222
access-list outside_access_in extended permit tcp any host 123.244.188.18 eq pptp
access-list ST standard permit 192.168.100.0 255.255.255.0
access-list ST standard permit 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool abcpool 192.168.100.1-192.168.100.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 123.123.123.22 222 192.168.1.70 ssh netmask 255.255.255.255
static (inside,outside) tcp interface pptp 192.168.1.6 pptp netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 123.123.123.17 1
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.6
key abc
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
crypto ipsec transform-set toabc esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set toRMT
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map oustide_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy abc internal
group-policy abc attributes
dns-server value 192.168.1.6
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ST
default-domain value abc.local
tunnel-group abc type remote-access
tunnel-group abc general-attributes
address-pool abcpool
authentication-server-group RADIUS
default-group-policy abc
tunnel-group abc ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
service-policy global_policy global
02-02-2009 01:07 PM
Brian
I do not believe that you are getting as far as Active Directory for authentication. The messages suggest that there is a mismatch between what is configured in your VPN client and what is configured on the ASA:
Hash verification failed... may be configured with invalid group password.
This would be a key configured on your client along with the group name of abc. The ASA shows that a pre-shared key is configured for group authentication:
pre-shared-key *
but it does not show what that key value is. You need to be sure that the values are the same.
Are other people with the VPN client able to connect? If so, this would suggest a problem in the configuration of your client, and you need to reconfigure your client. If you are the first person and are testing, then it is possible to test this by changing the value on the ASA, changing the value on your client, or by changing both (which is the approach I would suggest).
HTH
Rick
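The "received HASH payload cannot be verified" line in the client log is the client recomputing the responder's HASH_R with its own group password and getting a different value. The following is an added example, not code from the original post or from Cisco: it reproduces the RFC 2409 aggressive-mode pre-shared-key computation (SKEYID = prf(PSK, Ni_b | Nr_b); HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), with prf = HMAC-MD5 because the posted policy negotiates "hash md5") and shows that the verification fails on a PSK mismatch alone, before any RADIUS/Active Directory user authentication is reached. All nonce, cookie, DH and identity values are constructed placeholders, and the group password "abc" is made up for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# IKEv1 phase 1 (RFC 2409) with pre-shared-key authentication. prf() is HMAC
# keyed with the negotiated hash; the posted ASA policy negotiates "hash md5".
PRF = hashlib.md5


@dataclass(frozen=True)
class AggressiveModeExchange:
    """Values both peers know after the first two aggressive-mode messages."""
    cky_i: bytes   # initiator cookie (ISAKMP SPI)
    cky_r: bytes   # responder cookie
    sa_i: bytes    # SAi_b: body of the initiator's SA payload
    gx_i: bytes    # g^xi: initiator Diffie-Hellman public value
    gx_r: bytes    # g^xr: responder Diffie-Hellman public value
    n_i: bytes     # Ni_b: initiator nonce
    n_r: bytes     # Nr_b: responder nonce
    id_ir: bytes   # IDir_b: responder identity payload body


def skeyid(psk: bytes, x: AggressiveModeExchange) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b); the PSK is the only secret input."""
    return hmac.new(psk, x.n_i + x.n_r, PRF).digest()


def hash_r(psk: bytes, x: AggressiveModeExchange) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)"""
    msg = x.gx_r + x.gx_i + x.cky_r + x.cky_i + x.sa_i + x.id_ir
    return hmac.new(skeyid(psk, x), msg, PRF).digest()


def client_verifies_hash_r(client_psk: bytes, x: AggressiveModeExchange,
                           received: bytes) -> bool:
    """What the VPN client does with the responder's HASH payload: recompute it
    with its own group password and compare. A mismatch is the 'received HASH
    payload cannot be verified' condition in the client log."""
    return hmac.compare_digest(hash_r(client_psk, x), received)


def guess_group_password(x: AggressiveModeExchange, received: bytes, candidates):
    """HASH_R travels in the clear in aggressive mode, so anyone who captured the
    exchange can test candidate group passwords offline exactly as the client
    does. Returns the first candidate that reproduces HASH_R, else None."""
    for cand in candidates:
        if client_verifies_hash_r(cand, x, received):
            return cand
    return None


# Constructed placeholder values (not real DH outputs or captured traffic),
# fixed so the example is deterministic. id_ir encodes ID_IPV4_ADDR (type 1),
# protocol 0, port 0, then the outside address from the posted config.
SAMPLE = AggressiveModeExchange(
    cky_i=bytes.fromhex("0123456789abcdef"),
    cky_r=bytes.fromhex("fedcba9876543210"),
    sa_i=bytes.fromhex("00000001000000010000002c"),
    gx_i=bytes(range(1, 129)),
    gx_r=bytes(range(128, 0, -1)),
    n_i=b"\x11" * 20,
    n_r=b"\x22" * 20,
    id_ir=bytes([1, 0, 0, 0]) + bytes([123, 123, 123, 12]),
)


def demo(asa_psk: bytes = b"abc", client_psk: bytes = b"abd") -> dict:
    """ASA (responder) sends HASH_R computed with its key; the client checks it
    with its own. The default arguments model a one-character PSK mismatch."""
    sent = hash_r(asa_psk, SAMPLE)
    return {
        "client_accepts": client_verifies_hash_r(client_psk, SAMPLE, sent),
        # constructed candidate list for the offline check
        "offline_guess": guess_group_password(SAMPLE, sent, [b"cisco", b"vpn", b"abc"]),
    }


if __name__ == "__main__":
    print(demo())                      # mismatched key: client rejects HASH_R
    print(demo(client_psk=b"abc"))     # matching key: client accepts it
```

Two things follow from the construction. First, nothing from the RADIUS server enters SKEYID or HASH_R, so a group-password mismatch fails here and the AD credentials are never sent; the client's "Failed to authenticate peer" refers to the ASA, not the user. Second, because the client can verify HASH_R from public values plus the PSK, so can an eavesdropper, which is why the group password for an aggressive-mode tunnel-group should be long and random rather than the "something very simple" used while troubleshooting.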
02-02-2009 02:37 PM
Yes, I have already made sure that the pre-shared key configured for group authentication is correct. This is the first user to connect to the VPN, so I assume that there is an issue going on...
Please advise. Thanks
02-03-2009 02:45 PM
Brian
Does the group name configured in the client match the abc used in the config (and does it match upper/lower case)?
I would suggest changing the shared key to something very simple (you can go to a more complex key when you have it working). Change it on both the client and the ASA and see if the behavior changes.
If that does not help, then I suggest setting the logging level in the client to high (at least for IKE and perhaps for others such as connection manager). Test again and post the log output. Perhaps it will have some better clue about the problem.
HTH
Rick
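Besides the key and group name, the posted running config has two internal inconsistencies worth checking before chasing the client: the dynamic map sets transform-set toRMT while the only transform-set defined is toabc, and the interface binding is to oustide_map rather than outside_map. The following is an added example, not part of the thread or any Cisco tool: a small linter that runs over a constructed excerpt of the posted crypto lines (re-indented the way show running-config prints sub-commands, which the page lost) and reports undefined references plus the isakmp policy's use of des/md5. The excerpt and the weak-algorithm lists are assumptions of this example.

```python
import re

# Constructed excerpt of the ASA 8.0(4) running config posted above, limited to
# the lines the checks need. Sub-commands are indented as the ASA prints them.
ASA_CONFIG = """\
crypto ipsec transform-set toabc esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set toRMT
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map oustide_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
tunnel-group abc type remote-access
tunnel-group abc ipsec-attributes
 pre-shared-key *
"""

# Algorithms this example treats as unacceptable for a phase 1 policy (assumption).
WEAK_ENCRYPTION = {"des"}
WEAK_HASH = {"md5"}


def lint_asa_crypto(config: str) -> list:
    """Return a list of human-readable findings for the crypto/isakmp section."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    transform_sets, dynamic_maps, crypto_maps = set(), set(), set()

    # Pass 1: collect the names that are actually defined.
    for line in lines:
        if m := re.match(r"^crypto ipsec transform-set (\S+)", line):
            transform_sets.add(m.group(1))
        elif m := re.match(r"^crypto dynamic-map (\S+) \d+ ", line):
            dynamic_maps.add(m.group(1))
        elif m := re.match(r"^crypto map (\S+) \d+ ", line):
            crypto_maps.add(m.group(1))

    # Pass 2: check every reference against those names, and inspect policies.
    findings = []
    policy = None  # sequence number of the isakmp policy whose sub-commands follow
    for line in lines:
        if m := re.match(r"^crypto dynamic-map (\S+) \d+ set transform-set (.+)$", line):
            for ts in m.group(2).split():
                if ts not in transform_sets:
                    findings.append(f"dynamic-map {m.group(1)} references undefined transform-set {ts}")
        elif m := re.match(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", line):
            if m.group(2) not in dynamic_maps:
                findings.append(f"crypto map {m.group(1)} references undefined dynamic-map {m.group(2)}")
        elif m := re.match(r"^crypto map (\S+) interface (\S+)", line):
            if m.group(1) not in crypto_maps:
                findings.append(f"interface {m.group(2)} binds undefined crypto map {m.group(1)}")
        elif m := re.match(r"^crypto isakmp policy (\d+)", line):
            policy = m.group(1)
        elif policy and line.startswith(" "):
            keyword, _, value = line.strip().partition(" ")
            if keyword == "encryption" and value in WEAK_ENCRYPTION:
                findings.append(f"isakmp policy {policy} uses weak encryption {value}")
            elif keyword == "hash" and value in WEAK_HASH:
                findings.append(f"isakmp policy {policy} uses weak hash {value}")
        else:
            policy = None  # any other top-level line ends the policy block
    return findings


if __name__ == "__main__":
    for finding in lint_asa_crypto(ASA_CONFIG):
        print(finding)
```

Note that show running-config prints the tunnel-group key only as pre-shared-key *, so no linter can compare it with the client; on the ASA itself, more system:running-config displays the configured value, which is the quickest way to confirm what the client should be carrying.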