IPSec VPN to asa 5520

cornmarket
Level 1

Hi,

First of all I have to admit that I'm not very well versed in Cisco gear or IPSEC connections in general so apologies if I'm doing something really obviously stupid, but I have checked through any stuff I could find on the internet about setting up IPSEC VPN.

The setup I have is an asa 5520 firewall (o/s 8.2) which for the moment is connected to a temporary home broadband style internet connection for testing purposes. The netopia router is configured to allow ipsec passthrough and to forward ports UDP 62515, TCP 10000, UDP 4500, UDP 500 to the asa 5520.

I am trying to connect in from a laptop with Windows Firewall turned off and Cisco VPN Client version 5.0.02.0090.

I have run through the IPsec setup wizard several times trying different options. Most of the time nothing comes up in the log to show that a connection has been attempted, but there is one way I can set up the options that produces the following in the firewall log:

4|Sep 24 2010|13:54:29|713903|||||Group = VPNtest9, IP = 86.44.x.x, Error: Unable to remove PeerTblEntry

3|Sep 24 2010|13:54:29|713902|||||Group = VPNtest9, IP = 86.44.x.x, Removing peer from peer table failed, no match!

6|Sep 24 2010|13:54:21|713905|||||Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM

5|Sep 24 2010|13:54:21|713201|||||Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.

6|Sep 24 2010|13:54:16|713905|||||Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM

5|Sep 24 2010|13:54:16|713201|||||Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.

6|Sep 24 2010|13:54:11|713905|||||Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM

5|Sep 24 2010|13:54:11|713201|||||Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.

5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1

5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1

5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1

5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1

5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1

5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1

5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1

5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1

5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1

5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1

6|Sep 24 2010|13:54:06|302015|86.44.x.x|51905|192.168.0.27|500|Built inbound UDP connection 7487 for Internet:86.44.x.x/51905 (86.44.x.x/51905) to identity:192.168.0.27/500 (192.168.0.27/500)

and this in the client log:

Cisco Systems VPN Client Version 5.0.02.0090

Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600 Service Pack 3

24 13:54:08.250 09/24/10 Sev=Info/4 CM/0x63100002

Begin connection process

25 13:54:08.265 09/24/10 Sev=Info/4 CM/0x63100004

Establish secure connection

26 13:54:08.265 09/24/10 Sev=Info/4 CM/0x63100024

Attempt connection with server "213.94.x.x"

27 13:54:08.437 09/24/10 Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with 213.94.x.x.

28 13:54:08.437 09/24/10 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 213.94.x.x

29 13:54:08.484 09/24/10 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started

30 13:54:08.484 09/24/10 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

31 13:54:13.484 09/24/10 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

32 13:54:13.484 09/24/10 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 213.94.x.x

33 13:54:18.484 09/24/10 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

34 13:54:18.484 09/24/10 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 213.94.x.x

35 13:54:23.484 09/24/10 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

36 13:54:23.484 09/24/10 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 213.94.x.x

37 13:54:28.484 09/24/10 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=36C50ACCE984B0B0 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

38 13:54:28.984 09/24/10 Sev=Info/4 IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=36C50ACCE984B0B0 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

39 13:54:28.984 09/24/10 Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server "213.94.x.x" because of "DEL_REASON_PEER_NOT_RESPONDING"

40 13:54:28.984 09/24/10 Sev=Info/5 CM/0x63100025

Initializing CVPNDrv

41 13:54:28.984 09/24/10 Sev=Info/6 CM/0x63100046

Set tunnel established flag in registry to 0.

42 13:54:28.984 09/24/10 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

43 13:54:29.187 09/24/10 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

44 13:54:29.187 09/24/10 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

45 13:54:29.187 09/24/10 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

46 13:54:29.187 09/24/10 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

I have full HTTP connectivity from the internet to a machine on the inside of the ASA 5520, so I think the static routing and NATing should be OK, but I'm happy to provide any details.

Can anyone see what I'm doing wrong?

Thanks,

Sam
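As an added example (not part of the original post), here is a small Python parser for the pipe-delimited ASA syslog format shown in the firewall log above. It pulls the attribute class and the received versus configured values out of message 713257, counts the Phase 1 retransmits (713201) and lists the tunnel-group/peer pairs, so the root cause can be read off without scanning repeated lines. The sample lines are constructed from the thread; the addresses are placeholders.

```python
import re
from collections import Counter

# Constructed sample in the severity|date|time|msgid|src|sport|dst|dport|text
# format shown in the thread; addresses are placeholders, not real hosts.
SAMPLE_LOG = """\
6|Sep 24 2010|13:54:06|302015|86.44.x.x|51905|192.168.0.27|500|Built inbound UDP connection 7487 for Internet:86.44.x.x/51905 (86.44.x.x/51905) to identity:192.168.0.27/500 (192.168.0.27/500)
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|Sep 24 2010|13:54:11|713201|||||Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|Sep 24 2010|13:54:11|713905|||||Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
3|Sep 24 2010|13:54:29|713902|||||Group = VPNtest9, IP = 86.44.x.x, Removing peer from peer table failed, no match!
"""

# 713257 carries the attribute class plus the received and configured values.
MISMATCH_RE = re.compile(r"class (?P<cls>.+?): Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+)$")
# Most IKE messages name the tunnel-group and the peer address.
PEER_RE = re.compile(r"Group = (?P<group>[^,]+), IP = (?P<ip>[^,\s]+)")


def parse_line(line):
    """Split one ASA syslog line into its nine pipe-delimited fields."""
    parts = line.rstrip("\n").split("|", 8)
    if len(parts) != 9:
        return None  # not an ASA record (blank line, banner, etc.)
    sev, date, time_, msgid, src, sport, dst, dport, text = parts
    return {"sev": int(sev), "msgid": msgid, "time": time_, "src": src, "text": text}


def summarize_ike_log(log_text):
    """Condense repeated Phase 1 messages into the facts an operator needs."""
    counts = Counter()
    mismatches = set()
    peers = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        counts[rec["msgid"]] += 1
        peer = PEER_RE.search(rec["text"])
        if peer:
            peers.add((peer.group("group"), peer.group("ip")))
        if rec["msgid"] == "713257":
            m = MISMATCH_RE.search(rec["text"])
            if m:
                mismatches.add((m.group("cls"), m.group("rcvd"), m.group("cfgd")))
    return {
        "mismatches": sorted(mismatches),   # e.g. ('Group Description', 'Group 2', 'Group 1')
        "retransmits": counts["713201"],    # peer kept resending: it never saw a reply
        "peers": sorted(peers),
        "phase1_failed": counts["713257"] > 0 or counts["713902"] > 0,
    }
```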

Accepted Solution

Jennifer Halim
Cisco Employee

Pls add the following policy:

crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2

Can you also run debug on the ASA:

debug cry isa
debug cry ipsec

and collect the debug output after trying to connect.

15 Replies

Jennifer Halim
Cisco Employee

Please change or add phase 1 policy (isakmp policy) with group 2.

Can you share the ASA configuration, in particular: "show run crypto isakmp" output, pls.

Hi Halijenn,

Here's the output from that command:

Result of the command: "show run crypto isakmp"

crypto isakmp enable Internet
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 60
crypto isakmp ipsec-over-tcp port 10000

"Please change or add phase 1 policy (isakmp policy) with group 2."

I'm going to try to do that now but I'm not sure how...

Is it something to do with "Perfect Forwarding Security" and "Diffie-Hellman Group 2"? (I knew I shouldn't have messed with that setting.)

Jennifer Halim
Cisco Employee

Pls add the following policy:

crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2

Can you also run debug on the ASA:

debug cry isa
debug cry ipsec

and collect the debug output after trying to connect.
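Why adding a DES/MD5 policy with group 2 clears the 713257 message, as an added example (not Jennifer's code or Cisco's): a Python sketch of the responder's Phase 1 policy match, run over the isakmp policies posted in the thread. The client proposal values are an assumption inferred from the log line (group 2 received) and from the policy that resolved it; lifetime lines are left out of the sample because they are not part of this check.

```python
# Attribute classes an IKEv1 Phase 1 policy is matched on in this sketch.
ATTRS = ("authentication", "encryption", "hash", "group")

# Policies from the "show run crypto isakmp" output posted in the thread (lifetimes omitted).
ORIGINAL_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""
# The policy added in the accepted answer.
FIX = "crypto isakmp policy 10\n authentication pre-share\n encryption des\n hash md5\n group 2\n"
# Assumed client proposal: DES/MD5/pre-share with DH group 2, inferred from the
# 713257 message (group 2 received) and from the policy that made it work.
CLIENT_PROPOSAL = {"authentication": "pre-share", "encryption": "des", "hash": "md5", "group": "2"}


def parse_isakmp_policies(config_text):
    """Return {priority: {attribute: value}} from 'show run crypto isakmp' text."""
    policies, current = {}, None
    for line in config_text.splitlines():
        words = line.split()
        if words[:3] == ["crypto", "isakmp", "policy"]:
            current = int(words[3])
            policies[current] = {}
        elif current is not None and len(words) == 2 and words[0] in ATTRS:
            policies[current][words[0]] = words[1]
    return policies


def match_policy(policies, proposal):
    """Lowest priority number that matches every attribute wins; otherwise list each difference."""
    diffs = []
    for prio in sorted(policies):
        bad = [(prio, a, proposal[a], policies[prio].get(a)) for a in ATTRS
               if policies[prio].get(a) != proposal[a]]
        if not bad:
            return prio, []
        diffs.extend(bad)  # (policy, attribute, received, configured), as 713257 reports it
    return None, diffs
```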

OK, at this point I will have to admit I really am very new to this stuff. I was using the ASDM GUI for all the configuration; when I copy and paste

"crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2"

into the CLI that you can get into from the ASDM, I get "error invalid input detected".

Thanks so much for helping me with this, but could you give me instructions aimed closer to my level of stupidity?

Thanks again,

Sam

OK, sorry, found it in the GUI. Added it, testing now.

Thanks,

Cool! That's got rid of the:

"5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1"

messages, but we're still getting the other ones.

(all this stuff:

4|Sep 24 2010|13:54:29|713903|||||Group = VPNtest9, IP = 86.44.x.x, Error: Unable to remove PeerTblEntry

3|Sep 24 2010|13:54:29|713902|||||Group = VPNtest9, IP = 86.44.x.x, Removing peer from peer table failed, no match!

6|Sep 24 2010|13:54:21|713905|||||Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM

5|Sep 24 2010|13:54:21|713201|||||Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.

6|Sep 24 2010|13:54:16|713905|||||Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM

5|Sep 24 2010|13:54:16|713201|||||Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.

6|Sep 24 2010|13:54:11|713905|||||Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM

5|Sep 24 2010|13:54:11|713201|||||Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.)

"Can you also run debug on the ASA:
debug cry isa
debug cry ipsec"

I'm getting "debug comands are not supported in CLI window"

OK, I've connected in through HyperTerminal and run

debug cry isa
debug cry ipsec

but it just goes straight back to the command prompt. Do these commands generate log files somewhere?

Thanks,

Sam

Ah, got it:

OutsideFW1/pri/act# show run crypto isakmp
crypto isakmp enable Internet
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 60
crypto isakmp ipsec-over-tcp port 10000

OutsideFW1/pri/act# show run crypto ipsec
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
OutsideFW1/pri/act#

OK, I'm starting to get the hang of this CLI thing. Here's the output from sh run attached as a text file...

By the way, thanks again Halijenn for the help with the first bunch of errors. Now I understand what was going wrong there, which is good.

cornmarket
Level 1

I've tried messing around with a few more settings on the VPN connection but I'm still getting:

4|Sep 27 2010|09:41:20|713903|||||Group = VPNtest9, IP = 86.x.x.x, Error: Unable to remove PeerTblEntry

3|Sep 27 2010|09:41:20|713902|||||Group = VPNtest9, IP = 86.x.x.x, Removing peer from peer table failed, no match!

6|Sep 27 2010|09:41:12|713905|||||Group = VPNtest9, IP = 86.x.x.x, P1 Retransmit msg dispatched to AM FSM

5|Sep 27 2010|09:41:12|713201|||||Group = VPNtest9, IP = 86.x.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.

6|Sep 27 2010|09:41:07|713905|||||Group = VPNtest9, IP = 86.x.x.x, P1 Retransmit msg dispatched to AM FSM

5|Sep 27 2010|09:41:07|713201|||||Group = VPNtest9, IP = 86.x.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.

6|Sep 27 2010|09:41:02|713905|||||Group = VPNtest9, IP = 86.x.x.x, P1 Retransmit msg dispatched to AM FSM

5|Sep 27 2010|09:41:02|713201|||||Group = VPNtest9, IP = 86.x.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.

6|Sep 27 2010|09:40:57|302015|86.x.x.x|59742|192.168.0.27|500|Built inbound UDP connection 11206 for Internet:86.x.x.x/59742 (86.x.x.x/59742) to identity:192.168.0.27/500 (192.168.0.27/500)

As best as I can understand this, it means that the client is getting through OK to the ASA but is not receiving the messages back from the ASA to confirm the connection.

I don't think this should be a problem with the default route, as I can browse the internet OK from a laptop on the inside of the firewall.

Could it be to do with my NAT settings or access rules?

Thanks,

Sam

Thanks for the config. That helps.

It seems that you have not configured any group-policy specifically for the tunnel-group, hence it defaults to use the default group-policy (DfltGrpPolicy).

Please add the following vpn protocol to the default group-policy:

group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ipsec

Try to connect again, and let us know how it goes.

Hi Jennifer,

We got it working. I disconnected the laptop I was using to test the client from the connection it was connected to and connected it to the same network as the broadband router and the outside IP of the firewall. I immediately got a different bunch of errors on trying to connect, but they were easily sorted.

This means that there was something wrong with the way the broadband router was passing the traffic. The broadband router is only there for test purposes anyway, and once the firewall gets moved to our live network it will have a public IP, so this is not a problem.

Thanks again for all your help

Great to hear it's working now.
