remote access vpn error

Aug 7th, 2009
I got the following error while running Remote Access VPN using CA:


I am configuring remote access VPN on a Cisco ASA 5500 and I have this error:

Aug 06 12:18:59 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
!
Attempt to get Phase 1 ID data failed while constructing ID


Please, what is the cause of this error?

Who has noticed this, and what is the solution?

I have attached the config for reference.

Thanks in advance for your response.





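The "Rcv'd: Group 1 Cfg'd: Group 2" line in the question is the ASA reporting the first attribute that differs between the peer's Phase 1 proposal and one of the configured ISAKMP policies. The Python script below is an added example, not code from the original post or from Cisco: it parses the five crypto isakmp policy blocks posted later in this thread and checks a peer proposal against them the way IKEv1 Phase 1 negotiation does, with authentication, encryption, hash and DH group having to match exactly, policies tried from the lowest priority number upward, and the lifetime negotiated to the shorter of the two values. The two proposals at the bottom are constructed for the example; the thread's log does not say what the client actually offered.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The five ISAKMP policies as posted later in this thread.
THREAD_POLICIES = """
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 1000
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 1100
 authentication rsa-sig
 encryption aes
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 65530
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""


@dataclass(frozen=True)
class Phase1Params:
    """One IKEv1 Phase 1 attribute set: a configured policy or a peer's proposal."""
    authentication: str
    encryption: str
    hash: str
    group: int
    lifetime: int


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # lower number = tried earlier
    params: Phase1Params


# Attributes that must be identical for a policy to match. Lifetime is not
# listed: it is negotiated down to the shorter of the two values instead.
STRICT_ATTRS = ("authentication", "encryption", "hash", "group")


def parse_isakmp_policies(config: str) -> list[IsakmpPolicy]:
    """Collect every 'crypto isakmp policy N' block, ordered by priority number.
    Every block in the thread sets all five attributes, so ASA defaults for
    unset attributes are not filled in here."""
    blocks: dict[int, dict] = {}
    current: Optional[dict] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            current = blocks.setdefault(int(m.group(1)), {})
            continue
        if current is None or not line:
            continue
        keyword, _, value = line.partition(" ")
        if keyword in ("authentication", "encryption", "hash"):
            current[keyword] = value
        elif keyword in ("group", "lifetime"):
            current[keyword] = int(value)
    return [IsakmpPolicy(p, Phase1Params(**blocks[p])) for p in sorted(blocks)]


def mismatches(policy: IsakmpPolicy, proposal: Phase1Params) -> list[str]:
    """List each strict attribute where the peer's value differs from the
    policy, phrased like the ASA's "Rcv'd: ... Cfg'd: ..." log line."""
    out = []
    for attr in STRICT_ATTRS:
        rcvd = getattr(proposal, attr)
        cfgd = getattr(policy.params, attr)
        if rcvd != cfgd:
            out.append(f"policy {policy.priority}: {attr} Rcv'd: {rcvd} Cfg'd: {cfgd}")
    return out


def negotiate_phase1(policies, proposal):
    """Try the policies in priority order. Returns (matched policy, agreed
    lifetime, mismatch log); with no match the first two are None."""
    log: list[str] = []
    for policy in policies:
        diffs = mismatches(policy, proposal)
        if not diffs:
            return policy, min(policy.params.lifetime, proposal.lifetime), log
        log.extend(diffs)
    return None, None, log


if __name__ == "__main__":
    policies = parse_isakmp_policies(THREAD_POLICIES)
    # Constructed proposals; the thread's log does not say what the client offered.
    for proposal in (Phase1Params("rsa-sig", "aes", "md5", 1, 28800),
                     Phase1Params("rsa-sig", "3des", "md5", 1, 86400)):
        matched, lifetime, log = negotiate_phase1(policies, proposal)
        print(f"{proposal}: matched {matched.priority if matched else None}, lifetime {lifetime}")
        for entry in log:
            print("  " + entry)
```

The second constructed proposal reproduces the shape of the posted error: it agrees with policy 1000 on everything except the DH group, so the log entry for that policy reads "group Rcv'd: 1 Cfg'd: 2", and because no other policy matches either, Phase 1 fails. Comparing the client's Phase 1 settings against each policy attribute by attribute is the check to do before touching transform-sets, which belong to Phase 2.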
stoneystone Tue, 08/11/2009 - 18:56

Do you have a full config? One thing, do you have a group-policy for 'wcsa_Remote'?


default-group-policy wcsa_Remote - where is this pointing?



mcoroghidaf Wed, 08/12/2009 - 22:49

I thought you were able to see the attachment.

The configuration is below:


crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 1000
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 1100
 authentication rsa-sig
 encryption aes
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 65530
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
group-policy defaultgroup internal
group-policy Defaultgroup internal
group-policy Defaultgroup attributes
 default-domain value wcsa.com
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.13.200.113
 address-pools value Certvpnip
tunnel-group DefaultRAGroup general-attributes
 address-pool Certvpnip
 address-pool certvpnip
 authentication-server-group ACS LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point major
tunnel-group wcsa_Remote type remote-access
tunnel-group wcsa_Remote general-attributes
 address-pool wcsaVPN
 authentication-server-group ACS
 accounting-server-group ACS
 default-group-policy wcsa_Remote
tunnel-group wcsa_Remote ipsec-attributes
 pre-shared-key *
tunnel-group defaultgroup type remote-access
tunnel-group defaultgroup general-attributes
 address-pool Certvpnip
tunnel-group defaultgroup ipsec-attributes
 trust-point major

stoneystone Thu, 08/13/2009 - 04:26

You still don't have your full running-config, or at least I couldn't download it.


As far as your problem:

What is this line?

'crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-128-SHA certvpn'


Doesn't that look confusing? You defined certvpn earlier in the config with this: 'crypto ipsec transform-set certvpn esp-aes esp-sha-hmac'


Also: you don't have a transform-set that will work with this:

crypto isakmp policy 1100
 authentication rsa-sig
 encryption aes
 hash md5
 group 1


From the fragment of the running-config you posted, you have a lot of items that look like they could be cleaned up.
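The review in the reply above is a cross-reference check done by eye: a name used under a tunnel-group or dynamic map has to be defined somewhere else in the config, and because the ASA treats names that differ only in case as separate objects, pairs like defaultgroup / Defaultgroup and Certvpnip / certvpnip are two objects rather than one. The Python linter below is an added example, not the poster's or Cisco's code, that runs exactly those checks over a constructed copy of the posted fragment (the group-policy and tunnel-group lines plus the two crypto lines quoted in the reply); the check names and messages are this example's own.

```python
import re
from collections import defaultdict

# Constructed copy of the fragment under discussion: the poster's group-policy
# and tunnel-group lines plus the two crypto lines quoted in the reply.
FRAGMENT = """
crypto ipsec transform-set certvpn esp-aes esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-128-SHA certvpn
group-policy defaultgroup internal
group-policy Defaultgroup internal
group-policy Defaultgroup attributes
 default-domain value wcsa.com
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.13.200.113
 address-pools value Certvpnip
tunnel-group DefaultRAGroup general-attributes
 address-pool Certvpnip
 address-pool certvpnip
 authentication-server-group ACS LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point major
tunnel-group wcsa_Remote type remote-access
tunnel-group wcsa_Remote general-attributes
 address-pool wcsaVPN
 authentication-server-group ACS
 accounting-server-group ACS
 default-group-policy wcsa_Remote
tunnel-group wcsa_Remote ipsec-attributes
 pre-shared-key *
tunnel-group defaultgroup type remote-access
tunnel-group defaultgroup general-attributes
 address-pool Certvpnip
tunnel-group defaultgroup ipsec-attributes
 trust-point major
"""


def collect_case_collisions(names):
    """Group names that are equal ignoring case; the ASA keeps them as separate objects."""
    by_lower = defaultdict(set)
    for name in names:
        by_lower[name.lower()].add(name)
    return [sorted(group) for group in by_lower.values() if len(group) > 1]


def lint_vpn_config(config: str) -> list[str]:
    """Cross-reference the names in an ASA remote-access VPN fragment and
    return one finding string per problem (empty list = nothing found)."""
    defined_policies: set[str] = set()
    defined_tsets: set[str] = set()
    policy_refs = []      # (tunnel-group, group-policy it points at)
    tset_refs = []        # (dynamic-map, transform-set it lists)
    pool_names: set[str] = set()
    tunnel_group = None   # tunnel-group whose general-attributes we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"group-policy (\S+) (?:internal|external)", line):
            defined_policies.add(m.group(1))
            tunnel_group = None
        elif m := re.match(r"crypto ipsec transform-set (\S+)", line):
            defined_tsets.add(m.group(1))
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ set transform-set (.+)", line):
            tset_refs.extend((m.group(1), ts) for ts in m.group(2).split())
        elif m := re.match(r"tunnel-group (\S+) general-attributes", line):
            tunnel_group = m.group(1)
        elif line.startswith(("tunnel-group ", "group-policy ")):
            tunnel_group = None   # any other section header ends the context
        elif tunnel_group and line.startswith("default-group-policy "):
            policy_refs.append((tunnel_group, line.split()[1]))
        elif line.startswith("address-pool "):
            pool_names.update(line.split()[1:])
        elif line.startswith("address-pools value "):
            pool_names.update(line.split()[2:])

    findings = []
    for tg, gp in policy_refs:
        if gp not in defined_policies:
            findings.append(f"tunnel-group {tg}: default-group-policy {gp} is not defined in this fragment")
    for dm, ts in tset_refs:
        if ts not in defined_tsets:
            findings.append(f"dynamic-map {dm}: transform-set {ts} is not defined in this fragment")
    for group in collect_case_collisions(defined_policies):
        findings.append("group-policy names differ only by case: " + ", ".join(group))
    for group in collect_case_collisions(pool_names):
        findings.append("address pool names differ only by case: " + ", ".join(group))
    return findings


if __name__ == "__main__":
    for finding in lint_vpn_config(FRAGMENT):
        print(finding)
```

Run against the fragment it reports the four things the reply points at: wcsa_Remote is used as a default-group-policy without a matching group-policy definition, ESP-AES-128-SHA is listed on the dynamic map without a transform-set definition, and both the group-policy names and the pool names contain a pair that differs only by case. Feeding it a full show running-config rather than a fragment removes the false positives for objects that were simply not pasted.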



mcoroghidaf Thu, 08/13/2009 - 09:00

I have attached it for your reference.

Can you help with the transform-set?

This was added to see if I could get it running:


crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-128-SHA certvpn



stoneystone Sun, 08/16/2009 - 15:55

This config file is really confusing. It looks like someone was throwing commands at it to make something work.


What exactly are you trying to do? Are you trying to configure a VPN Client?





stoneystone Sun, 08/16/2009 - 18:59

Here is a config that builds a dynamic VPN, using a VPN client. You need to fill your information in where needed.

! First, set an access-list for split tunnels if you want internet access while connected:
access-list Split_VPN_List permit ip 10.0.0.0 255.0.0.0 10.199.199.0 255.255.255.0
!
! Set up the encryption types
crypto ipsec transform-set certvpn esp-aes esp-sha-hmac
crypto dynamic-map Outside_dyn_map 50 set transform-set certvpn
crypto dynamic-map Outside_dyn_map 50 set reverse-route
crypto map crymap 90 ipsec-isakmp dynamic Outside_dyn_map
!
! SET UP THE 'NAME' FOR THE VPN CLIENT
group-policy vpnclient internal
group-policy vpnclient attributes
 ! ALLOWS FOR INTERNET ACCESS WHILE LOGGED ON
 split-tunnel-policy tunnelspecified
 ! POINT TO THE ACCESS-LIST
 split-tunnel-network-list value Split_VPN_List
!
! 'NAME'
tunnel-group vpnclient type ipsec-ra
tunnel-group vpnclient general-attributes
 ! If this is the pool you want to use
 address-pool Certvpnip
 ! Use these if you are not using another server for verification of user/password
 ! Group name in your client
 default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
 ! Password in your client
 pre-shared-key put_key_here

See how this works for you.

mcoroghidaf Wed, 08/26/2009 - 23:43

Thanks for the response.

The pre-shared-key VPN is working; I only have issues with the CA one.

Your response will be appreciated.

mcoroghidaf Mon, 08/17/2009 - 03:39

Yes.

That is a remote access VPN using CA authentication.

Also note that there is an existing remote access VPN using a pre-shared key, and that one is working fine.
