Windows XP Remote Access IPSEC VPN client with ASA 5505

Unanswered Question
May 10th, 2010

Hi,

I am using an ASA 5505 that already has one L2L IPsec VPN, and I want to add a Remote Access VPN connection. I am able to add the IPsec Remote Access VPN with the wizard, but whenever I try to connect with the Windows XP IPsec L2TP over PPP VPN client I don't seem to reach the ASA at all. I am a little confused as to what I need to do on the firewall/router that the XP machine uses to connect to the internet. I am also not sure about NAT-T and how to configure it on the device. It is currently disabled for the outside interface because of the existing L2L VPN. Depending on the PPP options that I use I get either 789 or 792 errors on the XP client. I would like to use a separate IP address on the Cisco ASA 5505 for this remote access VPN too, so it has its own dedicated remote access line. I hope somebody can help me. I have been playing with 2 groups for this setting: deg and shanthi.

I have turned on debug on the XP machine.

And this is what OAKLEY.log shows.

5-10: 13:02:31:98:1a90 Starting Negotiation: src = 10.1.1.105.0500, dst = 64.223.187.116.0500, proto = 17, context = 00000000, ProxySrc = 10.1.1.105.1701, ProxyDst = 64.223.187.116.1701 SrcMask = 0.0.0.0 DstMask = 0.0.0.0
5-10: 13:02:31:98:1a90 constructing ISAKMP Header
5-10: 13:02:31:98:1a90 constructing SA (ISAKMP)
5-10: 13:02:31:98:1a90 Constructing Vendor MS NT5 ISAKMPOAKLEY
5-10: 13:02:31:98:1a90 Constructing Vendor FRAGMENTATION
5-10: 13:02:31:98:1a90 Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
5-10: 13:02:31:98:1a90 Constructing Vendor Vid-Initial-Contact
5-10: 13:02:31:98:1a90
5-10: 13:02:31:98:1a90 Sending: SA = 0x000DC510 to 64.223.187.116:Type 2.500
5-10: 13:02:31:98:1a90 ISAKMP Header: (V1.0), len = 312
5-10: 13:02:31:98:1a90   I-COOKIE 73e9a6aab49ffc62
5-10: 13:02:31:98:1a90   R-COOKIE 0000000000000000
5-10: 13:02:31:98:1a90   exchange: Oakley Main Mode
5-10: 13:02:31:98:1a90   flags: 0
5-10: 13:02:31:98:1a90   next payload: SA
5-10: 13:02:31:98:1a90   message ID: 00000000
5-10: 13:02:31:98:1a90 Ports S:f401 D:f401
5-10: 13:02:31:98:1a90 Activating InitiateEvent 00000790
5-10: 13:02:32:114:d84 retransmit: sa = 000DC510 centry 00000000 , count = 1
5-10: 13:02:32:114:d84
5-10: 13:02:32:114:d84 Sending: SA = 0x000DC510 to 64.223.187.116:Type 2.500
5-10: 13:02:32:114:d84 ISAKMP Header: (V1.0), len = 312
5-10: 13:02:32:114:d84   I-COOKIE 73e9a6aab49ffc62
5-10: 13:02:32:114:d84   R-COOKIE 0000000000000000
5-10: 13:02:32:114:d84   exchange: Oakley Main Mode
5-10: 13:02:32:114:d84   flags: 0
5-10: 13:02:32:114:d84   next payload: SA
5-10: 13:02:32:114:d84   message ID: 00000000
5-10: 13:02:32:114:d84 Ports S:f401 D:f401
5-10: 13:02:34:114:d84 retransmit: sa = 000DC510 centry 00000000 , count = 2
5-10: 13:02:34:114:d84
5-10: 13:02:34:114:d84 Sending: SA = 0x000DC510 to 64.223.187.116:Type 2.500
5-10: 13:02:34:114:d84 ISAKMP Header: (V1.0), len = 312
5-10: 13:02:34:114:d84   I-COOKIE 73e9a6aab49ffc62
5-10: 13:02:34:114:d84   R-COOKIE 0000000000000000
5-10: 13:02:34:114:d84   exchange: Oakley Main Mode
5-10: 13:02:34:114:d84   flags: 0
5-10: 13:02:34:114:d84   next payload: SA
5-10: 13:02:34:114:d84   message ID: 00000000
5-10: 13:02:34:114:d84 Ports S:f401 D:f401
5-10: 13:02:38:114:d84 retransmit: sa = 000DC510 centry 00000000 , count = 3
5-10: 13:02:38:114:d84
5-10: 13:02:38:114:d84 Sending: SA = 0x000DC510 to 64.223.187.116:Type 2.500
5-10: 13:02:38:114:d84 ISAKMP Header: (V1.0), len = 312
5-10: 13:02:38:114:d84   I-COOKIE 73e9a6aab49ffc62
5-10: 13:02:38:114:d84   R-COOKIE 0000000000000000
5-10: 13:02:38:114:d84   exchange: Oakley Main Mode
5-10: 13:02:38:114:d84   flags: 0
5-10: 13:02:38:114:d84   next payload: SA
5-10: 13:02:38:114:d84   message ID: 00000000
5-10: 13:02:38:114:d84 Ports S:f401 D:f401
5-10: 13:02:46:114:d84 retransmit: sa = 000DC510 centry 00000000 , count = 4
5-10: 13:02:46:114:d84
5-10: 13:02:46:114:d84 Sending: SA = 0x000DC510 to 64.223.187.116:Type 2.500
5-10: 13:02:46:114:d84 ISAKMP Header: (V1.0), len = 312
5-10: 13:02:46:114:d84   I-COOKIE 73e9a6aab49ffc62
5-10: 13:02:46:114:d84   R-COOKIE 0000000000000000
5-10: 13:02:46:114:d84   exchange: Oakley Main Mode
5-10: 13:02:46:114:d84   flags: 0
5-10: 13:02:46:114:d84   next payload: SA
5-10: 13:02:46:114:d84   message ID: 00000000
5-10: 13:02:46:114:d84 Ports S:f401 D:f401
5-10: 13:03:02:114:d84 retransmit: sa = 000DC510 centry 00000000 , count = 5
5-10: 13:03:02:114:d84
5-10: 13:03:02:114:d84 Sending: SA = 0x000DC510 to 64.223.187.116:Type 2.500
5-10: 13:03:02:114:d84 ISAKMP Header: (V1.0), len = 312
5-10: 13:03:02:114:d84   I-COOKIE 73e9a6aab49ffc62
5-10: 13:03:02:114:d84   R-COOKIE 0000000000000000
5-10: 13:03:02:114:d84   exchange: Oakley Main Mode
5-10: 13:03:02:114:d84   flags: 0
5-10: 13:03:02:114:d84   next payload: SA
5-10: 13:03:02:114:d84   message ID: 00000000
5-10: 13:03:02:114:d84 Ports S:f401 D:f401
5-10: 13:03:28:113:1a90 SA Dead. sa:000DC510 status:35f0
5-10: 13:03:28:113:1a90 isadb_set_status sa:000DC510 centry:00000000 status 35f0
5-10: 13:03:28:129:1a90 Key Exchange Mode (Main Mode)
5-10: 13:03:28:129:1a90 Source IP Address 10.1.1.105  Source IP Address Mask 255.255.255.255  Destination IP Address 64.223.187.116  Destination IP Address Mask 255.255.255.255  Protocol 0  Source Port 0  Destination Port 0  IKE Local Addr 10.1.1.105  IKE Peer Addr 64.223.187.116
5-10: 13:03:28:129:1a90
5-10: 13:03:28:129:1a90 Me
5-10: 13:03:28:129:1a90 IKE SA deleted before establishment completed
5-10: 13:03:28:129:1a90 0x0 0x0
5-10: 13:03:28:129:1a90 isadb_set_status InitiateEvent 00000790: Setting Status 35f0
5-10: 13:03:28:129:1a90 Clearing sa 000DC510 InitiateEvent 00000790
5-10: 13:03:28:129:1a90 constructing ISAKMP Header
5-10: 13:03:28:129:1a90 constructing DELETE. MM 000DC510
5-10: 13:03:28:129:1a90
5-10: 13:03:28:129:1a90 Sending: SA = 0x000DC510 to 64.223.187.116:Type 1.500
5-10: 13:03:28:129:1a90 ISAKMP Header: (V1.0), len = 56
5-10: 13:03:28:129:1a90   I-COOKIE 73e9a6aab49ffc62
5-10: 13:03:28:129:1a90   R-COOKIE 0000000000000000
5-10: 13:03:28:129:1a90   exchange: ISAKMP Informational Exchange
5-10: 13:03:28:129:64c CloseNegHandle 00000790
5-10: 13:03:28:129:1a90   flags: 0
5-10: 13:03:28:129:1a90   next payload: DELETE
5-10: 13:03:28:129:1a90   message ID: 2eb35a91
5-10: 13:03:28:129:1a90 Ports S:f401 D:f401
5-10: 13:03:28:129:1a90 ClearFragList
5-10: 13:03:28:129:64c SE cookie 73e9a6aab49ffc62
5-10: 13:03:28:129:64c isadb_schedule_kill_oldPolicy_sas: 89a76518-8a95-4639-9c5661534054ae45 4
5-10: 13:03:28:129:269c isadb_schedule_kill_oldPolicy_sas: ef9062e8-bcbe-4795-9667ae4dd227061b 3
5-10: 13:03:28:129:11c0 isadb_schedule_kill_oldPolicy_sas: 6bb966c8-2ac0-44b9-9732106ef3f6ab18 2
5-10: 13:03:28:129:64c isadb_schedule_kill_oldPolicy_sas: a5446db4-7e04-4f59-b306045e4b09ba35 1
5-10: 13:03:28:129:1a90 entered kill_old_policy_sas 4
5-10: 13:03:28:129:1a90 entered kill_old_policy_sas 3
5-10: 13:03:28:129:1a90 entered kill_old_policy_sas 2
5-10: 13:03:28:129:1a90 entered kill_old_policy_sas 1

The Cisco configuration is as follows.

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name DEGREEC
enable password E2RGHC5amLxsHJ0v encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 168.233.6.50 AdaptiveCool1
name 168.233.6.51 AdaptiveCool2
name 192.168.168.61 Ax-Supervisor
name 64.223.187.114 CiscoRouter
name 64.223.187.115 AXExternal
name 64.223.187.1 RangeSubnet
name 216.126.60.123 INTEQ
name 64.65.199.197 mail
name 64.223.187.116 GeneralVpn description Remote Access
name 192.168.168.250 One
name 192.168.168.252 three
name 192.168.168.251 two
name 64.65.199.194 DegreeC
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.168.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address CiscoRouter 255.255.255.0
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner exec Welcome to $(hostname) at $(domain)
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.168.1
name-server 71.243.0.12
name-server 68.237.161.12
domain-name DEGREEC
object-group service AdaptivePorts tcp
description All Ports used by AX-Supervisor
port-object eq 1911
port-object eq 3011
port-object eq www
object-group service pingport tcp
port-object eq 1911
object-group network VPNClients
network-object host One
network-object host two
network-object host three
object-group service VPNPorts udp
description VPN Ports
port-object eq 1701
port-object eq isakmp
object-group protocol VPNIP
description IP ports for WIndows
protocol-object esp
protocol-object ah
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any object-group AdaptivePorts
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any object-group AdaptivePorts
access-list outside_cryptomap_2 extended permit ip host Ax-Supervisor host AdaptiveCool2
access-list outside_access_in_1 extended permit ip host INTEQ any
access-list outside_access_in_1 extended permit tcp host mail any eq smtp
access-list outside_access_in_1 extended permit icmp any any
access-list outside_access_in_1 extended permit ip 64.223.187.0 255.255.255.0 any
access-list outside_access_in_1 extended permit tcp any any
access-list outside_access_in_1 extended permit udp host DegreeC object-group VPNPorts host GeneralVpn object-group VPNPorts
access-list outside_access_in_1 extended permit object-group VPNIP host DegreeC host GeneralVpn
access-list inside_access_in_1 extended permit ip host INTEQ any
access-list inside_access_in_1 extended permit tcp host mail any eq smtp
access-list inside_access_in_1 extended permit icmp any any
access-list inside_access_in_1 extended permit ip 192.168.168.0 255.255.255.0 any
access-list inside_access_in_1 extended permit ip any any
access-list inside_access_in_1 extended permit tcp any any
access-list VPN_traffic extended permit ip host AXExternal host AdaptiveCool1
access-list VPN_traffic extended permit ip host AXExternal host AdaptiveCool2
access-list 121 extended permit ip host Ax-Supervisor host AdaptiveCool2
access-list 121 extended permit ip host AdaptiveCool2 host Ax-Supervisor
access-list 120 extended permit udp host 168.233.1.110 host CiscoRouter eq isakmp
access-list 120 extended permit udp host CiscoRouter eq isakmp host 168.233.1.110
access-list 101 extended permit ip host AXExternal host AdaptiveCool1
access-list 101 extended permit ip host AXExternal host AdaptiveCool2
access-list 141 extended permit ip host Ax-Supervisor host AdaptiveCool1
access-list 141 extended permit ip host Ax-Supervisor host AdaptiveCool2
access-list inside_nat_static extended permit ip host Ax-Supervisor host INTEQ
access-list outside_nat_static extended permit tcp host INTEQ eq www host Ax-Supervisor
access-list outside_nat_static_2 extended permit tcp host INTEQ eq 3011 host Ax-Supervisor
access-list outside_nat_static_1 extended permit tcp host INTEQ eq 1911 host Ax-Supervisor
access-list inside_nat_static_1 extended permit tcp host Ax-Supervisor eq www host INTEQ
access-list inside_nat_static_2 extended permit tcp host Ax-Supervisor eq 1911 host INTEQ
access-list inside_nat_static_3 extended permit tcp host Ax-Supervisor eq 3011 host INTEQ
access-list outside_nat_static_3 extended permit tcp host mail eq smtp host Ax-Supervisor
access-list inside_nat_static_4 extended permit tcp host Ax-Supervisor eq smtp host mail
access-list outside_nat_static_5 extended permit tcp host INTEQ eq 37 host Ax-Supervisor
access-list outside_nat_static_4 extended permit udp host INTEQ eq time host Ax-Supervisor
access-list inside_nat_static_5 extended permit udp host Ax-Supervisor eq time host INTEQ
access-list inside_nat_static_6 extended permit tcp host Ax-Supervisor eq 37 host INTEQ
access-list inside_nat0_outbound extended permit ip host Ax-Supervisor 192.168.168.248 255.255.255.248
access-list deg_splitTunnelAcl standard permit host Ax-Supervisor
access-list shanthi_splitTunnelAcl standard permit host Ax-Supervisor
pager lines 22
logging enable
logging buffered debugging
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool VPNClients One-192.168.168.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3011 access-list inside_nat_static_3
static (inside,outside) tcp interface 1911 access-list inside_nat_static_2
static (inside,outside) tcp interface www access-list inside_nat_static_1
static (outside,inside) tcp CiscoRouter www access-list outside_nat_static
static (outside,inside) tcp CiscoRouter 1911 access-list outside_nat_static_1
static (outside,inside) tcp CiscoRouter 3011 access-list outside_nat_static_2
static (inside,outside) udp interface time access-list inside_nat_static_5
static (outside,inside) udp CiscoRouter time access-list outside_nat_static_4
static (inside,outside) tcp interface 37 access-list inside_nat_static_6
static (inside,outside) tcp interface smtp access-list inside_nat_static_4
static (outside,inside) tcp CiscoRouter 37 access-list outside_nat_static_5
static (outside,inside) tcp CiscoRouter smtp access-list outside_nat_static_3
static (inside,outside) AXExternal  access-list 141
access-group inside_access_in_1 in interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 RangeSubnet 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.168.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set TRANS_ESP_3DES_MD5
crypto map inside_map 1 match address VPN_traffic
crypto map inside_map 1 set peer 168.233.1.110
crypto map inside_map 1 set transform-set ESP-3DES-SHA
crypto map inside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map inside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 3
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 4
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 5
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 6
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
no vpn-addr-assign dhcp
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
default-domain value DEGREEC
group-policy deg internal
group-policy deg attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value deg_splitTunnelAcl
group-policy shanthi internal
group-policy shanthi attributes
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value shanthi_splitTunnelAcl
username cisco password ffIRPGpDSOJh9YLq encrypted privilege 15
username shanthi password txofwH67fJtRlmBR encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool VPNClients
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group 168.233.1.110 type ipsec-l2l
tunnel-group 168.233.1.110 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group deg type ipsec-ra
tunnel-group deg general-attributes
address-pool VPNClients
default-group-policy deg
tunnel-group deg ipsec-attributes
pre-shared-key *
tunnel-group shanthi type ipsec-ra
tunnel-group shanthi general-attributes
address-pool VPNClients
default-group-policy shanthi
tunnel-group shanthi ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
isakmp ikev1-user-authentication none
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:17cfa366e6127d0dccef895b75a7e3d4
: end
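What the Oakley.log above shows is an initiator that never hears back: each "Sending" of the Main Mode SA payload is followed by a retransmit, the counter climbs to 5, the R-COOKIE field stays 0000000000000000 (a responder fills it in with its first reply), and the SA is finally declared dead before establishment. The script below is an added example for this page, not code from the post or from Microsoft; it parses that line format and turns it into a verdict. The sample lines are a trimmed copy of the log quoted above, embedded so the script runs offline.

```python
"""Triage a Windows IKE (Oakley) client log: did the responder ever answer?

Added example, not from the thread. Reads the Oakley.log line format shown in
the post and reports peer, retransmit count, whether a non-zero responder
cookie ever appeared, and whether the SA died before establishment.
"""
import re

# Constructed sample: a trimmed copy of the lines from the Oakley.log in the post.
SAMPLE_LOG = """\
5-10: 13:02:31:98:1a90 Starting Negotiation: src = 10.1.1.105.0500, dst = 64.223.187.116.0500, proto = 17, context = 00000000, ProxySrc = 10.1.1.105.1701, ProxyDst = 64.223.187.116.1701 SrcMask = 0.0.0.0 DstMask = 0.0.0.0
5-10: 13:02:31:98:1a90 Sending: SA = 0x000DC510 to 64.223.187.116:Type 2.500
5-10: 13:02:31:98:1a90   I-COOKIE 73e9a6aab49ffc62
5-10: 13:02:31:98:1a90   R-COOKIE 0000000000000000
5-10: 13:02:31:98:1a90   exchange: Oakley Main Mode
5-10: 13:02:32:114:d84 retransmit: sa = 000DC510 centry 00000000 , count = 1
5-10: 13:02:32:114:d84   R-COOKIE 0000000000000000
5-10: 13:02:34:114:d84 retransmit: sa = 000DC510 centry 00000000 , count = 2
5-10: 13:02:34:114:d84   R-COOKIE 0000000000000000
5-10: 13:02:38:114:d84 retransmit: sa = 000DC510 centry 00000000 , count = 3
5-10: 13:02:46:114:d84 retransmit: sa = 000DC510 centry 00000000 , count = 4
5-10: 13:03:02:114:d84 retransmit: sa = 000DC510 centry 00000000 , count = 5
5-10: 13:03:28:113:1a90 SA Dead. sa:000DC510 status:35f0
5-10: 13:03:28:129:1a90 IKE SA deleted before establishment completed
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Oakley writes "addr.port" with a 4-digit port, e.g. 10.1.1.105.0500
START_RE = re.compile(rf"Starting Negotiation: src = (?P<src>{IPV4})\.\d+, dst = (?P<dst>{IPV4})\.\d+")
RETRANS_RE = re.compile(r"retransmit: sa = [0-9A-Fa-f]+ .*count = (?P<n>\d+)")
RCOOKIE_RE = re.compile(r"R-COOKIE (?P<cookie>[0-9a-fA-F]{16})")
DEAD_RE = re.compile(r"SA Dead\.")


def triage(log_text):
    """Summarise one IKE negotiation attempt from Oakley.log text."""
    summary = {"src": None, "dst": None, "retransmits": 0,
               "responder_replied": False, "sa_dead": False}
    for line in log_text.splitlines():
        if m := START_RE.search(line):
            summary["src"], summary["dst"] = m["src"], m["dst"]
        elif m := RETRANS_RE.search(line):
            summary["retransmits"] = max(summary["retransmits"], int(m["n"]))
        elif m := RCOOKIE_RE.search(line):
            # The responder cookie stays all zeros until the peer's first reply.
            if m["cookie"].strip("0"):
                summary["responder_replied"] = True
        elif DEAD_RE.search(line):
            summary["sa_dead"] = True
    return summary


def diagnose(summary):
    """Map the summary to a verdict a firewall admin can act on."""
    if summary["sa_dead"] and not summary["responder_replied"]:
        # Nothing ever answered UDP 500: wrong address, filtered on the
        # path, or no IKE listener on that address.
        return "no-reply"
    if summary["sa_dead"]:
        # The peer answered but Main Mode did not complete (proposal,
        # pre-shared key or identity mismatch are the usual causes).
        return "phase1-failed"
    return "established-or-in-progress"


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(f"{s['src']} -> {s['dst']}: {s['retransmits']} retransmits, "
          f"responder replied: {s['responder_replied']}, verdict: {diagnose(s)}")
```

Run against the log in the post it reports 5 retransmits towards 64.223.187.116, no responder reply and the verdict "no-reply", which is the signature to look for before touching transform sets or PPP options: until a non-zero R-COOKIE appears, proposals and pre-shared keys have not even been compared yet.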

Federico Coto F... Mon, 05/10/2010 - 11:33

Shanthi,

You can connect an IPsec VPN client software connection to the ASA along with the Site-to-Site tunnels or you can use the native windows VPN connection using L2TP/IPsec.

You can't create a regular PPTP connection to the ASA.

What type of VPN client connection did you create on the wizard on the ASA and which client type connection are you using on the client machine itself?

Federico.

Samuel Saunders Mon, 05/10/2010 - 12:30

I am assuming that the ASA device is the VPN server, and I configured the Remote Access VPN with an IPsec pre-shared key, no authentication, do not check peer validation, with LOCAL authentication. I have configured the Windows XP IPsec policies to allow 3DES MD5 ESP with PPP CHAP 2. I am basically using the Windows VPN client set up as L2TP over PPP and then setting the IPsec policies to match the one I have on the 5505.

I hope this helps. I am confused as to whether the 5505 external IP address assigned to the VPN should see the internal address of the Windows client, because if you look at the debug log it shows 10.1.1.105:500 trying to connect to 64.223.187.116. Also my original external IP for the device is 64.223.187.114, but I want to use 64.223.187.116 for the remote VPN clients to connect to.

Shanthi

Federico Coto F... Mon, 05/10/2010 - 12:52

You can connect L2TP/IPsec correct.
This is using no special VPN client (windows native client) along with IPsec encryption.
Basically L2TP is the tunneling protocol and IPsec will do the encryption.

You can connect to any public IP address, but that address has to be assigned to an interface on the ASA
(or redirected in some way).

For example:


If your outside IP of the ASA is 64.223.187.114, you cannot have the VPN clients connected to 64.223.187.116
because both IPs belong to the same subnet (therefore you cannot have another ASA interface with the .116 address)

Is there a special reason you don't want to use the external IP of the ASA for VPN termination?

Federico.

Samuel Saunders Mon, 05/10/2010 - 13:27

Not necessarily. When we did the L2L VPN we used another external IP, .115, to connect the L2L network and then added rules with that external IP. I thought I could do the same here. Currently, even if I use the external IP for the VPN, I am not getting to the ASA, and I am wondering why that is. I can ping the address. I guess if I am coming in to the external IP I need to add rules to allow the VPN ports and the UDP ports. I am not sure which ports exactly I need to open up on both my firewall and the ASA device.

Federico Coto F... Mon, 05/10/2010 - 14:05

Shanthi,

As per the L2L tunnels do you mind showing the configuration to allow the tunnel termination on IP .115 (if the outside IP is .116)?

As per the remote VPN not working (even terminating the tunnel on the outside IP of the ASA), we can check it out.

What's the output of:

sh cry isa sa

sh cry ips sa

For this client?

Federico.

mopaul Mon, 05/10/2010 - 14:18

Hi Shanthi,

I understand that you are trying to connect the Windows L2TP/IPsec client to the ASA and it is not working at the moment. I ran a quick scan and found that there are commands missing. For instance, ppp-attributes are missing for the DefaultRAGroup (to which the Windows clients connect), and the local user with the mschap keyword is missing.

Please refer to the configuration link below.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml#pix

In addition to what is mentioned in the above link, please run the following commands to make your software and Windows IPsec clients work together on the ASA. This should also get rid of error 789, which is mainly about encryption.

no crypto map inside_map 65535 ipsec-isakmp dynamic outside_dyn_map (will break your Dynamic IPsec tunnel)
crypto dynamic-map outside_dyn_map 1 set pfs
crypto dynamic-map outside_dyn_map 1 set transform-set ESP-3DES-MD5 TRANS_ESP_3DES_MD5
crypto map inside_map 65535 ipsec-isakmp dynamic outside_dyn_map (Reapply this command once the above two statements are configured)

I see that you have UDP open only for selected traffic. I would suggest you open UDP 500, UDP 4500 and ESP between your Windows client machine's public IP address and the ASA outside interface IP.

HTH...

Regards
Mohit
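
Mohit's list of what has to be reachable (UDP 500, UDP 4500 and ESP from the client's public address to the ASA outside interface) can be checked mechanically against the ACL in the posted config. The script below is an added example written for this page, not code from the thread or from Cisco. It parses only the subset of ASA 7.x syntax the posted config uses (`object-group service|protocol` members, and `access-list ... extended permit` entries with `any`, `host`, network/mask, `eq` and `object-group` operands) and reports which required entries no ACE covers for a given client/endpoint pair. The sample config is copied from the `outside_access_in_1` entries and object-groups in the thread (addresses as in the 'no names' paste); the client address 64.65.199.194 (DegreeC) and the two endpoints .116 (GeneralVpn) and .114 (outside interface) are likewise the thread's own.

```python
"""Check an ASA outside ACL for the protocols an L2TP/IPsec client needs.

Added example, not from the thread or from Cisco. It parses the subset of
ASA 7.x syntax used in the posted config: 'object-group service|protocol'
with port-object/protocol-object members, and 'access-list NAME extended
permit PROTO SRC [SPORT] DST [DPORT]' where addresses are any / host X /
NET MASK and port specs are 'eq P' or 'object-group G'.
"""
import ipaddress

# Constructed sample: object-groups and outside_access_in_1 entries copied
# from the config posted in the thread ('no names' addresses).
SAMPLE_CONFIG = """\
object-group service VPNPorts udp
 port-object eq 1701
 port-object eq isakmp
object-group protocol VPNIP
 protocol-object esp
 protocol-object ah
access-list outside_access_in_1 extended permit ip host 216.126.60.123 any
access-list outside_access_in_1 extended permit tcp host 64.65.199.197 any eq smtp
access-list outside_access_in_1 extended permit icmp any any
access-list outside_access_in_1 extended permit ip 64.223.187.0 255.255.255.0 any
access-list outside_access_in_1 extended permit tcp any any
access-list outside_access_in_1 extended permit udp host 64.65.199.194 object-group VPNPorts host 64.223.187.116 object-group VPNPorts
access-list outside_access_in_1 extended permit object-group VPNIP host 64.65.199.194 host 64.223.187.116
"""

PORT_NAMES = {"isakmp": 500, "smtp": 25, "www": 80, "time": 37}
# What the Windows L2TP/IPsec client must reach on the VPN endpoint
# (UDP 500 ISAKMP, UDP 4500 NAT-T, ESP), as listed in the reply above.
REQUIRED = [("udp", 500), ("udp", 4500), ("esp", None)]


def port_num(token):
    return PORT_NAMES[token] if token in PORT_NAMES else int(token)


def parse_addr(t, i):
    """Return (network, next_index) for 'any', 'host X' or 'NET MASK'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2


def parse_port(t, i, groups):
    """Return (set of ports, next_index); None means any port."""
    if i < len(t) and t[i] == "eq":
        return {port_num(t[i + 1])}, i + 2
    if i < len(t) and t[i] == "object-group":
        return set(groups[t[i + 1]]), i + 2
    return None, i


def parse(config):
    """Parse object-groups and permit ACEs into simple dicts."""
    groups, aces, current = {}, [], None
    for raw in config.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "object-group":
            current = groups.setdefault(t[2], [])
        elif t[0] == "port-object":
            current.append(port_num(t[2]))
        elif t[0] == "protocol-object":
            current.append(t[1])
        elif t[0] == "access-list" and t[2:4] == ["extended", "permit"]:
            t = t[4:]
            if t[0] == "object-group":          # protocol object-group
                protos, i = list(groups[t[1]]), 2
            else:
                protos, i = [t[0]], 1
            src, i = parse_addr(t, i)
            _, i = parse_port(t, i, groups)     # source port spec, ignored
            dst, i = parse_addr(t, i)
            dport, _ = parse_port(t, i, groups)
            aces.append({"protos": protos, "src": src, "dst": dst, "dport": dport})
    return aces


def permits(ace, proto, src, dst, port):
    """Does one permit ACE cover proto/port from src to dst?"""
    if "ip" not in ace["protos"] and proto not in ace["protos"]:
        return False
    if src not in ace["src"] or dst not in ace["dst"]:
        return False
    return port is None or ace["dport"] is None or port in ace["dport"]


def missing_rules(config, client_ip, vpn_ip):
    """List the REQUIRED entries that no permit ACE covers for this pair."""
    aces = parse(config)
    client, vpn = ipaddress.ip_address(client_ip), ipaddress.ip_address(vpn_ip)
    return [f"{p}/{n}" if n else p
            for p, n in REQUIRED
            if not any(permits(a, p, client, vpn, n) for a in aces)]


if __name__ == "__main__":
    for endpoint in ("64.223.187.116", "64.223.187.114"):
        gaps = missing_rules(SAMPLE_CONFIG, "64.65.199.194", endpoint)
        print(endpoint, "missing:", gaps or "nothing")
```

On the posted config it reports udp/4500 missing towards 64.223.187.116 and all three missing towards 64.223.187.114, because the only VPN-related ACEs name GeneralVpn (.116) as the destination. The check inspects the interface ACL only; it says nothing about whether an IKE listener exists on the destination address, which is Federico's separate point that .116 is not configured on any ASA interface.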

Samuel Saunders Mon, 05/10/2010 - 14:25

I am not using the DefaultRAGroup. I created my own ipsec-ra group. I am assuming that that group will be activated for IPsec, because those are the IPsec rules I am using. Is that not true?

Thanks

Shanthi

Samuel Saunders Mon, 05/10/2010 - 15:00

Thanks Mohit for pointing out the DefaultRAGroup. I seem to have missed that. I also was not sure about the mschap keyword. I am going to add it in now.

I guess I am going to start over and see what I have.

Shanthi

Samuel Saunders Mon, 05/10/2010 - 15:04

Hi Federico,

This is what the ASA has for configuration.

AXExternal is .115 while the external interface is .114.

ciscoasa# sh cry isa sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 168.233.1.110
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
ciscoasa# sh cry ips sa
interface: outside
    Crypto map tag: inside_map, seq num: 1, local addr: CiscoRouter

      access-list VPN_traffic permit ip host AXExternal host AdaptiveCool2
      local ident (addr/mask/prot/port): (AXExternal/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (AdaptiveCool2/255.255.255.255/0/0)
      current_peer: 168.233.1.110

      #pkts encaps: 862, #pkts encrypt: 862, #pkts digest: 862
      #pkts decaps: 932, #pkts decrypt: 932, #pkts verify: 932
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 862, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: CiscoRouter, remote crypto endpt.: 168.233.1.110

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 357573EC

    inbound esp sas:
      spi: 0x0E3B0E1B (238751259)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 16, crypto-map: inside_map
         sa timing: remaining key lifetime (kB/sec): (3824855/21629)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x357573EC (896889836)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 16, crypto-map: inside_map
         sa timing: remaining key lifetime (kB/sec): (3824892/21629)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: inside_map, seq num: 1, local addr: CiscoRouter

      access-list VPN_traffic permit ip host AXExternal host AdaptiveCool1
      local ident (addr/mask/prot/port): (AXExternal/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (AdaptiveCool1/255.255.255.255/0/0)
      current_peer: 168.233.1.110

      #pkts encaps: 689, #pkts encrypt: 689, #pkts digest: 689
      #pkts decaps: 737, #pkts decrypt: 737, #pkts verify: 737
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 689, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: CiscoRouter, remote crypto endpt.: 168.233.1.110

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 8E2A0ABE

    inbound esp sas:
      spi: 0xA1E2C46D (2715993197)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 16, crypto-map: inside_map
         sa timing: remaining key lifetime (kB/sec): (3824891/21531)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x8E2A0ABE (2385119934)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 16, crypto-map: inside_map
         sa timing: remaining key lifetime (kB/sec): (3824911/21528)
         IV size: 8 bytes
         replay detection support: Y

Federico Coto F... Mon, 05/10/2010 - 15:09

From the output, this is what I see:

AXExternal = Is an internal device on your LAN

AdaptiveCool = Is an internal device on the remote LAN

The tunnel is established against remote IP 168.233.1.110

The ASA IP (as you say, can't see it here) is .114

This means that the VPN tunnel is established between (.114 and 168.233.1.110)

But the actual communication through the tunnel is from .115 or AXExternal to AdaptiveCool

Isn't it?

Federico.

mopaul Mon, 05/10/2010 - 15:10

Shanthi,

For L2TP/IPsec the request will fall on the DefaultRAGroup. Along with the l2tp-ipsec protocol in the default group-policy, also add the ipsec protocol.

Apply the configuration using the document that I shared in this post and also run those 4 commands that I have mentioned.

Waiting to see how it goes.

Regards
Mohit

mopaul Mon, 05/10/2010 - 15:13

I would request you to run the command "no names" and then gather the requested input from the ASA. It would be easier for us to see the IP addresses and answer your questions accordingly.

Regards

Mohit

Samuel Saunders Mon, 05/10/2010 - 15:53

Hi,

I am pasting the config with 'no names'.

ciscoasa(config)# show running-config
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name DEGREEC
enable password E2RGHC5amLxsHJ0v encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
no names
name 168.233.6.50 AdaptiveCool1
name 168.233.6.51 AdaptiveCool2
name 192.168.168.61 Ax-Supervisor
name 64.223.187.114 CiscoRouter
name 64.223.187.115 AXExternal
name 64.223.187.1 RangeSubnet
name 216.126.60.123 INTEQ
name 64.65.199.197 mail
name 64.223.187.116 GeneralVpn description Remote Access
name 192.168.168.250 One
name 192.168.168.252 three
name 192.168.168.251 two
name 64.65.199.194 DegreeC
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.168.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address 64.223.187.114 255.255.255.0
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner exec Welcome to $(hostname) at $(domain)
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.168.1
name-server 71.243.0.12
name-server 68.237.161.12
domain-name DEGREEC
object-group service AdaptivePorts tcp
description All Ports used by AX-Supervisor
port-object eq 1911
port-object eq 3011
port-object eq www
object-group service pingport tcp
port-object eq 1911
object-group network VPNClients
network-object host 192.168.168.250
network-object host 192.168.168.251
network-object host 192.168.168.252
object-group service VPNPorts udp
description VPN Ports
port-object eq 1701
port-object eq isakmp
object-group protocol VPNIP
description IP ports for WIndows
protocol-object esp
protocol-object ah
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any object-group AdaptivePorts
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any object-group AdaptivePorts
access-list outside_cryptomap_2 extended permit ip host 192.168.168.61 host 168.233.6.51
access-list outside_access_in_1 extended permit ip host 216.126.60.123 any
access-list outside_access_in_1 extended permit tcp host 64.65.199.197 any eq smtp
access-list outside_access_in_1 extended permit icmp any any
access-list outside_access_in_1 extended permit ip 64.223.187.0 255.255.255.0 any
access-list outside_access_in_1 extended permit ip any any
access-list outside_access_in_1 extended permit tcp any any
access-list outside_access_in_1 extended permit udp host 64.65.199.194 object-group VPNPorts host 64.223.187.116 object-group VPNPorts
access-list outside_access_in_1 extended permit object-group VPNIP host 64.65.199.194 host 64.223.187.116
access-list inside_access_in_1 extended permit ip host 216.126.60.123 any
access-list inside_access_in_1 extended permit tcp host 64.65.199.197 any eq smtp
access-list inside_access_in_1 extended permit icmp any any
access-list inside_access_in_1 extended permit ip 192.168.168.0 255.255.255.0 any
access-list inside_access_in_1 extended permit ip any any
access-list inside_access_in_1 extended permit tcp any any
access-list VPN_traffic extended permit ip host 64.223.187.115 host 168.233.6.50
access-list VPN_traffic extended permit ip host 64.223.187.115 host 168.233.6.51
access-list 121 extended permit ip host 192.168.168.61 host 168.233.6.51
access-list 121 extended permit ip host 168.233.6.51 host 192.168.168.61
access-list 120 extended permit udp host 168.233.1.110 host 64.223.187.114 eq isakmp
access-list 120 extended permit udp host 64.223.187.114 eq isakmp host 168.233.1.110
access-list 101 extended permit ip host 64.223.187.115 host 168.233.6.50
access-list 101 extended permit ip host 64.223.187.115 host 168.233.6.51
access-list 141 extended permit ip host 192.168.168.61 host 168.233.6.50
access-list 141 extended permit ip host 192.168.168.61 host 168.233.6.51
access-list inside_nat_static extended permit ip host 192.168.168.61 host 216.126.60.123
access-list outside_nat_static extended permit tcp host 216.126.60.123 eq www host 192.168.168.61
access-list outside_nat_static_2 extended permit tcp host 216.126.60.123 eq 3011 host 192.168.168.61
access-list outside_nat_static_1 extended permit tcp host 216.126.60.123 eq 1911 host 192.168.168.61
access-list inside_nat_static_1 extended permit tcp host 192.168.168.61 eq www host 216.126.60.123
access-list inside_nat_static_2 extended permit tcp host 192.168.168.61 eq 1911
host 216.126.60.123
access-list inside_nat_static_3 extended permit tcp host 192.168.168.61 eq 3011
host 216.126.60.123
access-list outside_nat_static_3 extended permit tcp host 64.65.199.197 eq smtp
host 192.168.168.61
access-list inside_nat_static_4 extended permit tcp host 192.168.168.61 eq smtp
host 64.65.199.197
access-list outside_nat_static_5 extended permit tcp host 216.126.60.123 eq 37 h
ost 192.168.168.61
access-list outside_nat_static_4 extended permit udp host 216.126.60.123 eq time
host 192.168.168.61
access-list inside_nat_static_5 extended permit udp host 192.168.168.61 eq time
host 216.126.60.123
access-list inside_nat_static_6 extended permit tcp host 192.168.168.61 eq 37 ho
st 216.126.60.123
access-list inside_nat0_outbound extended permit ip host 192.168.168.61 192.168.
168.248 255.255.255.248
access-list deg_splitTunnelAcl standard permit host 192.168.168.61
access-list shanthi_splitTunnelAcl standard permit host 192.168.168.61
access-list DefaultRAGroup_splitTunnelAcl standard permit host 192.168.168.61
pager lines 22
logging enable
logging buffered debugging
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool VPNClients 192.168.168.250-192.168.168.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3011 access-list inside_nat_static_3
static (inside,outside) tcp interface 1911 access-list inside_nat_static_2
static (inside,outside) tcp interface www access-list inside_nat_static_1
static (outside,inside) tcp 64.223.187.114 www access-list outside_nat_static
static (outside,inside) tcp 64.223.187.114 1911 access-list outside_nat_static_1
static (outside,inside) tcp 64.223.187.114 3011 access-list outside_nat_static_2
static (inside,outside) udp interface time access-list inside_nat_static_5
static (outside,inside) udp 64.223.187.114 time access-list outside_nat_static_4
static (inside,outside) tcp interface 37 access-list inside_nat_static_6
static (inside,outside) tcp interface smtp access-list inside_nat_static_4
static (outside,inside) tcp 64.223.187.114 37 access-list outside_nat_static_5
static (outside,inside) tcp 64.223.187.114 smtp access-list outside_nat_static_3
static (inside,outside) 64.223.187.115 access-list 141
access-group inside_access_in_1 in interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 64.223.187.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.168.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map inside_map 1 match address VPN_traffic
crypto map inside_map 1 set peer 168.233.1.110
crypto map inside_map 1 set transform-set ESP-3DES-SHA
crypto map inside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map inside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 3
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 4
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 5
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 6
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
no vpn-addr-assign dhcp
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0

group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value DEGREEC
username cisco password ffIRPGpDSOJh9YLq encrypted privilege 15
username shanthi password ncm4gaPlcqhvkrYkuJCdcA== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool VPNClients
default-group-policy DefaultRAGroup_1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group 168.233.1.110 type ipsec-l2l
tunnel-group 168.233.1.110 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:17cfa366e6127d0dccef895b75a7e3d4
: end

Federico Coto F... Mon, 05/10/2010 - 15:58

Shanthi,

The VPN tunnel is terminating on IP 64.223.187.114
You can check this because the crypto map is applied to this interface:
crypto map inside_map interface outside
Now, the host you're talking about: name 64.223.187.115 AXExternal
is the host communicating through the tunnel.

So, we're back to the point where the VPN needs to be terminated on an IP that belongs to an interface on the ASA.
Then, the devices that communicate through the tunnel could be any other devices, in this case AXExternal.

Federico.

Samuel Saunders Mon, 05/10/2010 - 16:09

Hi Federico,

You are right. I was thinking of it like I might use any ip. Thanks for that. I have changed it now.

Shanthi

Samuel Saunders Mon, 05/10/2010 - 16:07

My Windows client is behind a Linux firewall with rules set up with iptables. Don't I have to change the firewall rules to allow the relevant ports?

Shanthi

Federico Coto F... Mon, 05/10/2010 - 16:17

Yes,

If it's behind any other kind of firewall, you need to make sure that firewall allows the IPsec and L2TP protocols.

Federico.

Samuel Saunders Tue, 05/11/2010 - 07:39

Hi,

I really want to thank all of you for your replies. I tried very hard last night to get the configuration to work. I changed the default RA Group but now my existing L2L connection is broken. Because both the L2L and RA tunnels terminate at the external IP of the device, something has gotten changed on the L2L also. Sigh! I need to debug this. I am in the process of signing up for Cisco support because I can't seem to get a handle on what is wrong. I did what Mohit said but I was curious as to why you used the number 1 for the dynamic map. Cisco documentation says you should keep the higher numbers for the dynamic maps. Also, currently all IPsec connections are trying both the L2L and the RA. So I need to shut down the RA so that the L2L client at least works. I did open up all the necessary ports on my firewall and I am able to connect with a Cisco client. The Windows client is the problem.

But thank you all for your prompt and enthusiastic help. I hope I can solve my current problem quickly. If any of you have suggestions please let me know. It is going to be a while before Cisco contracts go through.

Thanks

Shanthi

mopaul Tue, 05/11/2010 - 10:01

Hi Shanthi,

I agree, as per Cisco documentation you need to assign a higher sequence id for the dynamic map, because when a tunnel negotiates on the ASA, dynamic takes precedence and maps are checked in sequence. What I suggested to you was the creation of the dynamic map with an id of 1; what matters is on which sequence # you BIND the maps on the interface. If you check the configuration again, the dynamic map should still be bound with the static map at 65535, i.e. higher than static.


HTH...

Regards,
Mohit
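An added sanity check, not from the thread or from Cisco: this script lints the crypto section of an ASA config for the points raised above (the crypto map must be applied to an interface, the dynamic map must be bound at a higher sequence number than the static L2L entry, the dynamic map needs a transport-mode transform set for the Windows L2TP/IPsec client, and NAT-T must be enabled for a client behind a NAT firewall). The sample config is a constructed excerpt modelled on the one posted above, and the lint only understands the `crypto` lines it checks.

```python
import re

# Constructed excerpt modelled on the crypto section of the config posted above.
SAMPLE_CONFIG = """
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map inside_map 1 match address VPN_traffic
crypto map inside_map 1 set peer 168.233.1.110
crypto map inside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map inside_map interface outside
crypto isakmp enable outside
"""

def lint_l2tp_ipsec(config):
    """Return a list of findings for an ASA crypto config; empty means all checks pass."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    config = "\n".join(lines)
    findings = []
    # 1. Tunnels terminate on the address of the interface the crypto map is applied to.
    bound = re.findall(r"^crypto map (\S+) interface (\S+)$", config, re.M)
    if not bound:
        return ["no crypto map applied to an interface"]
    map_name, iface = bound[0]
    if "crypto isakmp enable %s" % iface not in lines:
        findings.append("isakmp not enabled on interface %s" % iface)
    # 2. Entries are tried in sequence order: the dynamic entry must sit above every static one.
    static_seqs, dynamic = set(), []
    for m in re.finditer(r"^crypto map %s (\d+) (.*)$" % re.escape(map_name), config, re.M):
        seq, rest = int(m.group(1)), m.group(2)
        if rest.startswith("ipsec-isakmp dynamic "):
            dynamic.append((seq, rest.split()[-1]))
        else:
            static_seqs.add(seq)
    if not dynamic:
        findings.append("no dynamic map bound to %s; remote-access clients cannot match" % map_name)
    for seq, dyn_name in dynamic:
        if static_seqs and seq <= max(static_seqs):
            findings.append("dynamic map %s seq %d is not above static seq %d" % (dyn_name, seq, max(static_seqs)))
        # 3. The Windows L2TP/IPsec client negotiates transport mode, so the dynamic map needs one.
        names = []
        for ts in re.findall(r"^crypto dynamic-map %s \d+ set transform-set (.+)$" % re.escape(dyn_name), config, re.M):
            names += ts.split()
        if not any("crypto ipsec transform-set %s mode transport" % n in lines for n in names):
            findings.append("no transport-mode transform set on dynamic map %s" % dyn_name)
    # 4. A client behind a NAT device (the Linux firewall in this thread) needs NAT-T.
    if not any(l.startswith("crypto isakmp nat-traversal") for l in lines):
        findings.append("crypto isakmp nat-traversal not configured; needed for clients behind NAT")
    return findings
```

Run it against the output of `show running-config crypto`; on the constructed sample it reports only the missing NAT-T line.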
