08-06-2009 09:30 AM
I have these errors while doing remote VPN to my network:
Aug 06 12:18:59 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Attempt to get Phase 1 ID data failed while constructing ID
08-09-2009 01:02 PM
Attached is the configuration:
Thanks for the response. I have checked and checked and I seem not to be sighting the error. Below is my config:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3des-md5 esp-aes esp-sha-hmac
crypto ipsec transform-set certvpn esp-aes esp-sha-hmac
crypto ipsec transform-set cert esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-128-SHA certvpn
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 21 set transform-set certvpn
crypto dynamic-map Outside_dyn_map 21 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 21 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 31 set transform-set cert ESP-3DES-SHA ESP-3des-md5 certvpn
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto ca trustpoint major
 enrollment url http://major:80/certsrv/mscep/mscep.dll
 subject-name CN=bng-asa.wcsa.com,OU=ict,O=wcsa lng,C=ng,St=la,L=hq
 serial-number
 keypair dmzca
 crl configure
crypto ca certificate chain major
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 1000
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 1100
 authentication rsa-sig
 encryption aes
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 65530
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
group-policy defaultgroup internal
group-policy Defaultgroup internal
group-policy Defaultgroup attributes
 default-domain value wcsa.com
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.13.200.113
 address-pools value Certvpnip
tunnel-group DefaultRAGroup general-attributes
 address-pool Certvpnip
 address-pool certvpnip
 authentication-server-group ACS LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point major
tunnel-group wcsa_Remote type remote-access
tunnel-group wcsa_Remote general-attributes
 address-pool wcsaVPN
 authentication-server-group ACS
 accounting-server-group ACS
 default-group-policy wcsa_Remote
tunnel-group wcsa_Remote ipsec-attributes
 pre-shared-key *
tunnel-group defaultgroup type remote-access
tunnel-group defaultgroup general-attributes
 address-pool Certvpnip
tunnel-group defaultgroup ipsec-attributes
 trust-point major
Please note that we have two tunnels and one is working perfectly, except for the CA one!
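Added example, not part of the original posts: a small Python check of how an IKEv1 Phase 1 proposal is compared with the rsa-sig `crypto isakmp policy` blocks from the configuration above, in priority order, on authentication, encryption, hash and group. The peer proposal is constructed for illustration (the thread does not show what the client sent beyond the group), and the parser assumes every policy lists all four attributes explicitly.

```python
ATTRS = ("authentication", "encryption", "hash", "group")

# The three rsa-sig policies from the posted config (lifetime lines omitted).
CONFIG = """\
crypto isakmp policy 1000
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
crypto isakmp policy 1100
 authentication rsa-sig
 encryption aes
 hash md5
 group 1
crypto isakmp policy 65530
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
"""

def parse_policies(text):
    """Return {priority: {attr: value}} for each 'crypto isakmp policy' block."""
    policies, current = {}, None
    for words in (line.split() for line in text.splitlines()):
        if words[:3] == ["crypto", "isakmp", "policy"] and len(words) == 4:
            current = policies.setdefault(int(words[3]), {})
        elif current is not None and len(words) == 2 and words[0] in ATTRS:
            current[words[0]] = words[1]
        elif words and words[0] != "lifetime":
            current = None  # any other command ends the policy block
    return policies

def check_proposal(policies, proposal):
    """Return (matching priority or None, {priority: [mismatched attrs]})."""
    diffs = {}
    for prio in sorted(policies):
        bad = [a for a in ATTRS if policies[prio].get(a) != proposal.get(a)]
        if not bad:
            return prio, diffs
        diffs[prio] = bad
    return None, diffs

# Constructed peer proposal (assumption, not taken from the thread's logs).
PROPOSAL = {"authentication": "rsa-sig", "encryption": "3des", "hash": "md5", "group": "1"}
MATCH, DIFFS = check_proposal(parse_policies(CONFIG), PROPOSAL)
for prio, bad in DIFFS.items():
    print(f"policy {prio}: mismatch on {', '.join(bad)}")
print(f"accepted by policy {MATCH}" if MATCH is not None else "no policy accepts the proposal")
```

With this constructed proposal, policy 1000 differs only in the Diffie-Hellman group and policy 1100 only in encryption, so no single policy accepts it even though each attribute appears somewhere in the configuration.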