Cisco VPN Client and Windows XP VPN Client IPSec to ASA

Answered Question
Sep 17th, 2009

I have configured an ASA for IPSec VPN communication through the Cisco VPN Client and the XP VPN client. I can connect successfully with the Cisco VPN Client, but I get an error when connecting with the XP client. Debug says "misconfigured groups and transport/tunneling mode". I know they both use different methods, transport and tunneling, and I think I configured both. Take a look at the config.

P.S. One weird thing: when I connect with the Windows Server 2003 VPN client, I get no error. The only difference is that the XP client is behind an ADSL router and the Server client is directly connected to the Internet, having a public IP address on one of its interfaces. Can NAT in the XP case be an issue?


Config is:

!
interface GigabitEthernet0/2.30
 description Remote Access
 vlan 30
 nameif remote-access
 security-level 0
 ip address 85.*.*.1 255.255.255.0
!
access-list 110 extended permit ip any any
access-list nat extended permit tcp any host 10.254.17.10 eq ssh
access-list nat extended permit tcp any host 10.254.17.26 eq ssh
access-list nonat extended permit ip any any
access-list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
access-list nonat-vpn extended permit ip any 192.168.121.0 255.255.255.0
access-list split-tunnel standard permit 192.168.121.0 255.255.255.0
flow-export destination inside-Bct 192.168.1.27 9996
ip local pool raccess 192.168.121.60-192.168.121.120 mask 255.255.255.0
arp timeout 14400
global (outside-Baku) 1 interface
global (outside-Ganja) 2 interface
nat (inside-Bct) 0 access-list nonat-vpn
nat (inside-Bct) 1 access-list nat
nat (inside-Bct) 2 access-list nat-ganja
access-group rdp out interface outside-Ganja
!
route remote-access 0.0.0.0 0.0.0.0 85.*.*.2 1
route outside-Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
route outside-Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
route outside-Baku 192.168.39.0 255.255.255.0 10.254.17.10 1
route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
route outside-Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set newset esp-aes esp-md5-hmac
crypto ipsec transform-set vpnclienttrans esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclienttrans mode transport
crypto ipsec transform-set raccess esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 214748364
crypto ipsec security-association lifetime kilobytes 214748364
crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess
crypto map vpnclientmap 30 ipsec-isakmp dynamic dyn1
crypto map vpnclientmap interface remote-access
crypto isakmp identity address
crypto isakmp enable vpntest
crypto isakmp enable outside-Baku
crypto isakmp enable outside-Ganja
crypto isakmp enable remote-access
crypto isakmp enable inside-Bct
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
telnet timeout 5
ssh 192.168.1.0 255.255.255.192 outside-Baku
ssh 10.254.17.26 255.255.255.255 outside-Baku
ssh 10.254.17.18 255.255.255.255 outside-Baku
ssh 10.254.17.10 255.255.255.255 outside-Baku
ssh 10.254.17.26 255.255.255.255 outside-Ganja
ssh 10.254.17.18 255.255.255.255 outside-Ganja
ssh 10.254.17.10 255.255.255.255 outside-Ganja
ssh 192.168.1.0 255.255.255.192 inside-Bct
group-policy vpn internal
group-policy vpn attributes
 dns-server value 192.168.1.3
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value bct.az
tunnel-group DefaultRAGroup general-attributes
 address-pool raccess
 authentication-server-group TACACS
 default-group-policy vpn
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *

Correct Answer
ggilbert Thu, 09/17/2009 - 08:32
User Badges: Cisco Employee

Hello,


For the Cisco VPN client, you would need a tunnel-group name configured on the ASA with a pre-shared key.


Please look at the configuration given below:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml


or


http://tinyurl.com/5t67hd


Please look at the tunnel-group section of ASA config.


There is a tunnel-group called "rtptacvpn" and a pre-shared key associated with it. This group name is the one used with the VPN Client group name.


So, you would need a specific tunnel-group name configured along with a pre-shared key and use that on the Cisco VPN Client.



Secondly, since you are behind an ADSL router, I am sure it's configured for NAT. Can you please turn on NAT-T on your ASA?


"crypto isakmp nat-traversal"


Third, change the transform set to


crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess



Let me know the result.


Thanks

Gilbert
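As an added example (not from the thread, Cisco, or the poster's device), a small Python audit that parses an ASA config excerpt constructed from the thread and flags the points Gilbert raises: NAT-T disabled, no transport-mode transform-set in the dynamic map (what the Windows L2TP/IPsec client negotiates), and a missing pre-shared key on DefaultRAGroup. The parser assumes ASA's one-space sub-command indentation, and the config sample is constructed, not the real running config.

```python
import re

# Constructed ASA excerpt modelled on the thread's posted config (not a real device's config).
SAMPLE_CONFIG = """\
crypto ipsec transform-set vpnclienttrans esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclienttrans mode transport
crypto ipsec transform-set raccess esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess
no crypto isakmp nat-traversal
group-policy vpn attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
"""

def parse_blocks(config):
    """Group ASA config into (command, [sub-commands]) pairs using the one-space indent."""
    blocks = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit_remote_access(config):
    """Return findings for NAT-T, transport-mode transform-set, and DefaultRAGroup PSK."""
    blocks = parse_blocks(config)
    cmds = [c for c, _ in blocks]
    findings = []
    # 1. A client behind a NAT router (the XP-on-ADSL case) needs NAT-T (UDP/4500).
    if "no crypto isakmp nat-traversal" in cmds:
        findings.append("NAT-T disabled: add 'crypto isakmp nat-traversal'")
    # 2. The Windows L2TP/IPsec client negotiates IPsec transport mode, so the
    #    dynamic map must offer at least one transform-set set to 'mode transport'.
    transport = {m.group(1) for c in cmds
                 if (m := re.match(r"crypto ipsec transform-set (\S+) mode transport$", c))}
    for c in cmds:
        m = re.match(r"crypto dynamic-map (\S+) \d+ set transform-set (.+)$", c)
        if m and not (set(m.group(2).split()) & transport):
            findings.append(f"dynamic-map {m.group(1)}: no transport-mode transform-set")
    # 3. L2TP/IPsec clients land in DefaultRAGroup, which must carry a pre-shared key.
    if not any(c == "tunnel-group DefaultRAGroup ipsec-attributes"
               and any(s.startswith("pre-shared-key") for s in subs) for c, subs in blocks):
        findings.append("DefaultRAGroup has no pre-shared-key")
    return findings
```

Run against the sample, the only finding is the disabled NAT-T; removing the `mode transport` line reproduces the transport/tunnel mismatch the poster's debug complains about.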


fgasimzade Thu, 09/17/2009 - 08:36

Thank you for your reply!


I have a tunnel group configured, and it is:

tunnel-group DefaultRAGroup general-attributes
 address-pool raccess
 authentication-server-group TACACS
 default-group-policy vpn
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *


Cisco VPN Client works fine, no issues with that.


Secondly, you said to change the transform set, but it is already as you posted. Mistake?

ggilbert Thu, 09/17/2009 - 12:09
User Badges: Cisco Employee

If the VPN client took that transform-set and if it works, then don't worry about it.


So, everything is working now.


Gilbert
