ASA5505 - VPN client > All IPsec SA proposals found unacceptable

Unanswered Question
Jun 8th, 2009

Hi all,

Trying to get the Cisco VPN client (on Vista Home Premium) to connect to an ASA5505.

As the title says, the SA proposals are found unacceptable.

And although I've been searching for solutions all over the place, I've not found a working solution yet.

Could anyone help me please?

1. The config and debug are attached

2. Tested with both users > same result

3. Authentication: MS-CHAP v2 (Vista)

Ivan Martinon Wed, 06/10/2009 - 07:21

This is most likely due to transport mode being chosen in the IPsec transform set. Go ahead and change it or remove it; unless you have L2TP over IPsec, you don't need that setup.

jlaay-diode Wed, 06/10/2009 - 23:00

Thanks for your answer.

I think you are referring to the group-policy DefaultRAGroup?

The group-policy used for testing the Cisco VPN client (with user Graham) is 'cisco_client_vpn', with one of the attributes being 'vpn-tunnel-protocol IPSec'.

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
group-policy cisco_client_vpn internal
group-policy cisco_client_vpn attributes
 dns-server value
 vpn-tunnel-protocol IPSec
 default-domain value diode-networks.local
username graham password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted privilege 0
username graham attributes
 vpn-group-policy cisco_client_vpn
username jaap password cCiE5PO1AMnFfx.p encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNtest
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group cisco_client_vpn type ipsec-ra
tunnel-group cisco_client_vpn general-attributes
 address-pool VPNtest
 default-group-policy cisco_client_vpn
tunnel-group cisco_client_vpn ipsec-attributes
 pre-shared-key *
tunnel-group cisco_client_vpn ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2

Could it be that my problem has to do with:

- the crypto (dynamic-)map, numbers 20 and 40?

- no routes defined by the VPN-client wizard?

- no reverse route injection configured?

And what IPsec transform sets are offered by the VPN clients?

Ivan Martinon Thu, 06/11/2009 - 06:46

Jaap, I actually meant the transform set: take off the transport mode for testing. That is typically used for L2TP over IPsec clients, not IPsec clients.

Routes should not be required, as it should use the ASA default gateway.

jlaay-diode Thu, 06/11/2009 - 06:00

Hi Ivan,

It must have been too early for me this morning :).

Followed your advice and deleted:

- crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA

- TRANS_ESP_3DES_SHA (as the first option) from crypto dynamic-map outside_dyn_map 40 set transform-set vpnclient ESP-DES-MD5 ESP-3DES-MD5 ESP-3DES-SHA

and it works !!! :)

The L2TP is also still working.

It seems that my 5505 (and the other ASA models?) does/do not like two lines with 'crypto dynamic-map', in this case 20 & 40.

Is this a flaw in the handling?

Anyway, thanks a lot for your help.
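The arrangement the thread converged on, written out in ASA CLI form as an added illustration (this is not config from the original thread or from Cisco; the thread only shows the `set transform-set` lines of entries 20 and 40). The transform-set definitions, the `outside_map` crypto map, the `outside` interface name and the sequence numbers 60 and 65535 are assumptions. The "before" block has a dynamic-map entry that offers only a transport-mode transform set sitting in front of the entry that carries the tunnel-mode sets; the Cisco VPN client proposes tunnel mode, so its proposals are rejected with "All IPSec SA proposals found unacceptable!". The "after" block gives the IPsec client an entry with tunnel-mode sets only and moves the transport-mode set, which is what the Windows L2TP/IPsec client negotiates, to a separate, later entry.

```cisco
! --- Before (assumed reconstruction of the failing layout) ---
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
!
! Entry 20 has the lowest sequence number and no match ACL, so it is the
! first entry a remote-access peer is checked against. It offers only the
! transport-mode set, which the tunnel-mode IPsec client cannot accept;
! in the thread the tunnel-mode sets in entry 40 never came into play.
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA ESP-DES-MD5 ESP-3DES-MD5 ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

! --- After (assumed layout of the fix) ---
! Entry 20 is gone. The remote-access IPsec client now lands on entry 40,
! which carries tunnel-mode sets only. The transport-mode set needed for
! L2TP over IPsec lives in its own entry behind it (sequence 60 assumed).
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-MD5
crypto dynamic-map outside_dyn_map 60 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
```

To check the result, `show running-config crypto dynamic-map` confirms the entry order and which transform sets each entry offers, and after a client connects `show crypto ipsec sa` shows the negotiated transform and whether the SA is in tunnel or transport mode. While a connection attempt is failing, `debug crypto ipsec 7` prints the proposals the peer sent and the entry they were compared against, which is where the "proposals found unacceptable" message comes from.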
