Remote vpn error

Unanswered Question
Aug 6th, 2009

I have these errors while doing remote VPN to my network:

Aug 06 12:18:59 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2

Attempt to get Phase 1 ID data failed while constructing ID

mcoroghidaf Sun, 08/09/2009 - 13:02

Attached is the configuration:

Thanks for the response. I have checked and checked and I seem not to be sighting the error. Below is my config:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3des-md5 esp-aes esp-sha-hmac
crypto ipsec transform-set certvpn esp-aes esp-sha-hmac
crypto ipsec transform-set cert esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-128-SHA certvpn
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 21 set transform-set certvpn
crypto dynamic-map Outside_dyn_map 21 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 21 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 31 set transform-set cert ESP-3DES-SHA ESP-3des-md5 certvpn
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto ca trustpoint major
 enrollment url http://major:80/certsrv/mscep/mscep.dll
 subject-name CN=bng-asa.wcsa.com,OU=ict,O=wcsa lng,C=ng,St=la,L=hq
 serial-number
 keypair dmzca
 crl configure
crypto ca certificate chain major
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 1000
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 1100
 authentication rsa-sig
 encryption aes
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 65530
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
group-policy defaultgroup internal
group-policy Defaultgroup internal
group-policy Defaultgroup attributes
 default-domain value wcsa.com
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.13.200.113
 address-pools value Certvpnip
tunnel-group DefaultRAGroup general-attributes
 address-pool Certvpnip
 address-pool certvpnip
 authentication-server-group ACS LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point major
tunnel-group wcsa_Remote type remote-access
tunnel-group wcsa_Remote general-attributes
 address-pool wcsaVPN
 authentication-server-group ACS
 accounting-server-group ACS
 default-group-policy wcsa_Remote
tunnel-group wcsa_Remote ipsec-attributes
 pre-shared-key *
tunnel-group defaultgroup type remote-access
tunnel-group defaultgroup general-attributes
 address-pool Certvpnip
tunnel-group defaultgroup ipsec-attributes
 trust-point major

Please note that we have two tunnels and one is working perfectly, except for the CA one!
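One way to cross-check the logged mismatch against the posted policies, as an added example that is not part of the original post: it parses `crypto isakmp policy` blocks and lists the rsa-sig policies whose DH group equals the group the log reports as received, together with the encryption and hash that a single matching proposal would also have to carry. The config sample is constructed from the three rsa-sig policies in the post (lifetime lines dropped, ASA-style indentation assumed), and the function names are hypothetical.

```python
import re

# Constructed sample: the post's three rsa-sig policies (lifetime lines dropped) and its log line.
CONFIG = """\
crypto isakmp policy 1000
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
crypto isakmp policy 1100
 authentication rsa-sig
 encryption aes
 hash md5
 group 1
crypto isakmp policy 65530
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
"""
LOG = "[IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2"

def parse_policies(text):
    """Return {priority: {attribute: value}} for each isakmp policy block."""
    policies, current = {}, None
    for line in text.splitlines():
        head = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if head:
            current = policies.setdefault(int(head.group(1)), {})
        elif current is not None and line[:1] == " ":
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level command ends the block
    return policies

def parse_mismatch(log):
    """Return (attribute class, received, configured) from a mismatch line."""
    m = re.search(r"for class (.+?): Rcv'd: (.+?) Cfg'd: (.+)$", log)
    return m.groups() if m else None

def policies_with_group(policies, received, auth="rsa-sig"):
    """Policies of one auth type whose DH group equals the received one."""
    number = received.split()[-1]  # "Group 1" -> "1"
    return {p: a for p, a in policies.items()
            if a.get("authentication") == auth and a.get("group") == number}

if __name__ == "__main__":
    print(policies_with_group(parse_policies(CONFIG), parse_mismatch(LOG)[1]))
```

An IKEv1 proposal is accepted only when one policy matches on authentication, encryption, hash and DH group together, so the attributes printed for each listed policy are what the client side has to offer alongside that group.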
