09-17-2009 07:16 AM - edited 02-21-2020 04:20 PM
I have configured the ASA for IPsec VPN connections from the Cisco VPN Client and the Windows XP VPN client. I can connect successfully with the Cisco VPN Client, but I get an error when connecting with the XP client. The debug says "misconfigured groups and transport/tunneling mode". I know they use different methods, transport and tunnel mode, and I think I have configured both. Take a look at the config.
P.S. One weird thing - when I connect with the Windows Server 2003 VPN client, I get no error. The only difference is that the XP client is behind an ADSL router, while the Server client is directly connected to the Internet with a public IP address on one of its interfaces. Can NAT be an issue in the XP case?
Config is:
!
interface GigabitEthernet0/2.30
description Remote Access
vlan 30
nameif remote-access
security-level 0
ip address 85.*.*.1 255.255.255.0
!
access-list 110 extended permit ip any any
access-list nat extended permit tcp any host 10.254.17.10 eq ssh
access-list nat extended permit tcp any host 10.254.17.26 eq ssh
access-list nonat extended permit ip any any
access-list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
access-list nonat-vpn extended permit ip any 192.168.121.0 255.255.255.0
access-list split-tunnel standard permit 192.168.121.0 255.255.255.0
flow-export destination inside-Bct 192.168.1.27 9996
ip local pool raccess 192.168.121.60-192.168.121.120 mask 255.255.255.0
arp timeout 14400
global (outside-Baku) 1 interface
global (outside-Ganja) 2 interface
nat (inside-Bct) 0 access-list nonat-vpn
nat (inside-Bct) 1 access-list nat
nat (inside-Bct) 2 access-list nat-ganja
access-group rdp out interface outside-Ganja
!
route remote-access 0.0.0.0 0.0.0.0 85.*.*.2 1
route outside-Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
route outside-Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
route outside-Baku 192.168.39.0 255.255.255.0 10.254.17.10 1
route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
route outside-Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set newset esp-aes esp-md5-hmac
crypto ipsec transform-set vpnclienttrans esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclienttrans mode transport
crypto ipsec transform-set raccess esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 214748364
crypto ipsec security-association lifetime kilobytes 214748364
crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess
crypto map vpnclientmap 30 ipsec-isakmp dynamic dyn1
crypto map vpnclientmap interface remote-access
crypto isakmp identity address
crypto isakmp enable vpntest
crypto isakmp enable outside-Baku
crypto isakmp enable outside-Ganja
crypto isakmp enable remote-access
crypto isakmp enable inside-Bct
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
telnet timeout 5
ssh 192.168.1.0 255.255.255.192 outside-Baku
ssh 10.254.17.26 255.255.255.255 outside-Baku
ssh 10.254.17.18 255.255.255.255 outside-Baku
ssh 10.254.17.10 255.255.255.255 outside-Baku
ssh 10.254.17.26 255.255.255.255 outside-Ganja
ssh 10.254.17.18 255.255.255.255 outside-Ganja
ssh 10.254.17.10 255.255.255.255 outside-Ganja
ssh 192.168.1.0 255.255.255.192 inside-Bct
group-policy vpn internal
group-policy vpn attributes
dns-server value 192.168.1.3
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value bct.az
tunnel-group DefaultRAGroup general-attributes
address-pool raccess
authentication-server-group TACACS
default-group-policy vpn
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
09-17-2009 08:32 AM
Hello,
For the Cisco VPN client, you would need a tunnel-group name configured on the ASA with a pre-shared key.
Please look at the configuration given below:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805734ae.shtml
or
Please look at the tunnel-group section of ASA config.
There is a tunnel-group called "rtptacvpn" and a pre-shared key associated with it. This group name is the one used as the VPN Client group name.
So, you would need a specific tunnel-group name configured along with a pre-shared key and use that on the Cisco VPN Client.
Secondly, since you are behind an ADSL router, I am sure it is configured for NAT. Can you please turn on NAT-T on your ASA:
"crypto isakmp nat-traversal"
Third, change the transform set to
crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess
Let me know the result.
Thanks
Gilbert
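The three points in the answer above (a named tunnel-group with its own pre-shared key for the Cisco VPN Client, NAT-T enabled, and a dynamic map that offers both a transport-mode and a tunnel-mode transform set) pulled together into one configuration, as an added example that is not part of the original thread or of Cisco's documentation. It keeps the thread's interface name (remote-access), address pool (raccess), AAA server group (TACACS), group-policy (vpn), crypto map (vpnclientmap) and dynamic map (dyn1), and keeps the thread's 3DES/MD5 choices so it matches what the Windows and Cisco clients in the thread negotiated; both are legacy algorithms, and a new deployment should use AES and SHA. The transform-set names l2tp-transport and vpnclient-tunnel, the tunnel-group name vpnclient, the NAT-T keepalive value and the pre-shared-key placeholders are assumed for illustration. The syntax is the ASA 8.0/8.2-era syntax used in the thread; ASA 8.4 and later rename the IKEv1 commands (for example crypto ipsec ikev1 transform-set and crypto ikev1 policy).

```cisco
! Added example, not the thread's configuration. ASA 8.0/8.2-era syntax.
! Serves both the Cisco VPN Client (tunnel mode, named tunnel-group) and the
! Windows L2TP/IPsec client (transport mode, DefaultRAGroup) on "remote-access".
!
! Phase 2: one transport-mode set for L2TP/IPsec, one tunnel-mode set for the
! Cisco VPN Client. Set names are assumed; ciphers follow the thread (3DES/MD5).
crypto ipsec transform-set l2tp-transport esp-3des esp-md5-hmac
crypto ipsec transform-set l2tp-transport mode transport
crypto ipsec transform-set vpnclient-tunnel esp-3des esp-md5-hmac
!
! The dynamic map offers both sets, so each client type finds a matching proposal.
crypto dynamic-map dyn1 1 set transform-set l2tp-transport vpnclient-tunnel
crypto map vpnclientmap 30 ipsec-isakmp dynamic dyn1
crypto map vpnclientmap interface remote-access
!
! Phase 1: enable ISAKMP only on the interface the clients actually reach.
crypto isakmp identity address
crypto isakmp enable remote-access
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
! NAT-T is negotiated in phase 1 (vendor ID and NAT-D payloads). When a NAT is
! detected between the peers, ESP is carried in UDP/4500 instead of as raw IP
! protocol 50, which is what lets a client behind a NAT router complete phase 2.
! The argument is the keepalive interval in seconds that keeps the NAT mapping
! open while the tunnel is idle (20 is the ASA default; value assumed here).
crypto isakmp nat-traversal 20
!
! Group policy shared by both client types, as in the thread.
group-policy vpn internal
group-policy vpn attributes
 dns-server value 192.168.1.3
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value bct.az
!
! Windows L2TP/IPsec clients send no group name, so they land in DefaultRAGroup;
! its pre-shared key is the key typed into the Windows connection properties.
tunnel-group DefaultRAGroup general-attributes
 address-pool raccess
 authentication-server-group TACACS
 default-group-policy vpn
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key L2TP-PSK-PLACEHOLDER
!
! Cisco VPN Client: a named tunnel-group (name assumed) selected by the Group
! Name the client sends; its pre-shared key is the client's Group Password.
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
 address-pool raccess
 authentication-server-group TACACS
 default-group-policy vpn
tunnel-group vpnclient ipsec-attributes
 pre-shared-key VPNCLIENT-PSK-PLACEHOLDER
```

To check the result from the ASA, connect each client and run show crypto isakmp sa (one phase 1 SA per peer) and show crypto ipsec sa (the phase 2 SA for the NATed client shows the remote endpoint on port 4500 and NAT-T-Encaps in its "in use settings", and the encaps/decaps packet counters should increase while the client passes traffic). If a client still fails, debug crypto isakmp with a high level shows which proposal was rejected and whether the mismatch is in encapsulation mode, cipher or hash. The thread's original configuration also enables ISAKMP on four other interfaces and has a pre-shared key on DefaultRAGroup only; the example above exposes IKE on the one interface that carries remote access and gives the two client types separate keys, so a key leaked from one client population does not open the other.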
09-17-2009 08:36 AM
Thank you for your reply!
I have a tunnel group configured, and it is:
tunnel-group DefaultRAGroup general-attributes
address-pool raccess
authentication-server-group TACACS
default-group-policy vpn
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
The Cisco VPN Client works fine, no issues with that.
Secondly, you said to change the transform set, but it is already as you posted. Mistake?
09-17-2009 12:09 PM
If the VPN client took that transform set and it works, then don't worry about it.
So, everything is working now.
Gilbert