02-24-2012 12:23 PM
So far I have a complete phase 1, and an almost complete phase 2, but one thing I can't figure out. I see this in the debug.
peer is not authenticated by xauth - drop connection.
I get it right after the proxy is setup.
Here is my config
group-policy DefaultRAGroup attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 password-storage enable
 nem enable
tunnel-group DefaultRAGroup general-attributes
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
 ikev1 user-authentication none
I have tried many different configurations on both sides, but they all fail with the same error of peer not authenticated by xauth.
02-24-2012 12:50 PM
Don't use DefaultRAGroup - I think that means it will automatically try to build a user VPN rather than a dynamic L2L.
Change the pre-shared key on the DefaultRAGroup to be something else (so it doesn't match what the other side is sending). Put all the config you have for the DefaultRAGroup tunnel-group and group-policy on the DefaultL2LGroup tunnel-group and group-policy instead.
Usually the DefaultRAGroup is a 'remote-access' type which doesn't mean L2L. DefaultL2LGroup should hopefully fix it.
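The DefaultRAGroup-to-DefaultL2LGroup move Jason describes, written out as an added example; this is not a config from the thread or from Cisco. Assumptions: an ASA on 8.4-or-later syntax (the thread's config already uses the crypto ikev1 keywords), pre-shared keys shown as angle-bracket placeholders, a group-policy named DefaultL2LGroup (any name works), vpn-tunnel-protocol ikev1 without l2tp-ipsec because the L2L peer is not an L2TP client, and no ikev1 user-authentication line because XAUTH does not apply to an ipsec-l2l tunnel-group. The two show commands at the end verify the result.

```cisco
! Added example, not from the thread. Keys are placeholders.

! 1. Give DefaultRAGroup a key that will NOT match what the spoke sends,
!    so an incoming dynamic peer is no longer matched into the
!    remote-access group (which is where the xauth check comes from).
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key <UNRELATED-RA-KEY-PLACEHOLDER>

! 2. Carry the L2L settings on the default L2L group instead.
!    Assumption: group-policy name is arbitrary; l2tp-ipsec omitted
!    because the peer is a site-to-site device, not an L2TP client.
group-policy DefaultL2LGroup internal
group-policy DefaultL2LGroup attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1
 nem enable
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy DefaultL2LGroup
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <L2L-KEY-SHARED-WITH-SPOKE-PLACEHOLDER>

! 3. After the spoke reconnects, confirm phase 1 and phase 2 are up
!    and that the SA now shows the L2L group rather than DefaultRAGroup.
show crypto ikev1 sa
show crypto ipsec sa
```

The point of step 1 is that with dynamic peers the ASA picks the tunnel-group by which pre-shared key matches; if DefaultRAGroup still holds the spoke's key, the peer keeps landing in the remote-access group and the "peer is not authenticated by xauth" drop comes back, so the key change is not optional.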
02-24-2012 12:31 PM
Hmmm, it looks like you have xauth turned off (ikev1 user-authentication none) - can you turn on debugs (debug crypto isakmp 127) when you try to connect and post those?
--Jason
02-24-2012 12:37 PM
I have tried it with it on, with it off and always the same thing comes back.
Here is the aaa common 50 debug:
Initiating tunnel group policy lookup (Svr Grp: GROUP_POLICY_DB)
------------------------------------------------
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: DefaultRAGroup
Resp:
grp_policy_ioctl(0x0a250e40, 114698, 0xa9372788)
grp_policy_ioctl: Looking up DefaultRAGroup
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 114, pAcb = 0xadae6da0
AAA task: aaa_process_msg(0xa9373220) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
------------------
Tunnel Group Policy Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_TUNN_GRP_POLICY, auth_status = ACCEPT
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
AAA FSM: In AAA_Callback
user attributes:
1 User-Name(1) 14 "DefaultRAGroup"
2 User-Password(2) 0 0xae048023 ** Unresolved Attribute **
user policy attributes:
None
tunnel policy attributes:
1 Idle-Timeout(28) 4 0
2 Tunnelling-Protocol(4107) 4 12
3 Store-PW(4112) 4 1
4 Group-Policy(4121) 14 "DefaultRAGroup"
5 Network-Extension-Mode-Allowed(4160) 4 1
AAA API: In aaa_close
AAA API: In aaa_send_acct_start
AAA task: aaa_process_msg(0xa9373220) received message type 3
In aaai_close_session (114)
AAA API: In aaa_open
AAA session opened: handle = 115
AAA API: In aaa_process_async
aaa_process_async: sending AAA_MSG_PROCESS
AAA task: aaa_process_msg(0xa9373220) received message type 0
AAA FSM: In AAA_StartAAATransaction
AAA FSM: In AAA_InitTransaction
aaai_policy_name_to_server_id(DefaultRAGroup)
Got server ID 0 for group policy DB
And the isakmp 127 debug with the relevant information. Up to this point it passes.
Feb 24 14:27:54 [IKEv1 DECODE]Group = DefaultRAGroup, IP = x.x.x.x, ID_IPV4_ADDR_SUBNET ID received--10.253.20.0--255.255.255.0
Feb 24 14:27:54 [IKEv1]Group = DefaultRAGroup, IP = x.x.x.x, Received remote IP Proxy Subnet data in ID Payload: Address 10.253.20.0, Mask 255.255.255.0, Protocol 0, Port 0
Feb 24 14:27:54 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = x.x.x.x, processing ID payload
Feb 24 14:27:54 [IKEv1 DECODE]Group = DefaultRAGroup, IP = x.x.x.x, ID_IPV4_ADDR ID received 66.252.79.16
Feb 24 14:27:54 [IKEv1]Group = DefaultRAGroup, IP = x.x.x.x, Received local Proxy Host data in ID Payload: Address x.x.x.x, Protocol 0, Port 0
Feb 24 14:27:54 [IKEv1]Group = DefaultRAGroup, IP = x.x.x.x, peer is not authenticated by xauth - drop connection.
Feb 24 14:27:54 [IKEv1]Group = DefaultRAGroup, IP = x.x.x.x, QM FSM error (P2 struct &0xace21cd8, mess id 0xb4d2530a)!
Feb 24 14:27:54 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = x.x.x.x, IKE QM Responder FSM error history (struct &0xace21cd8)
Feb 24 14:27:54 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = x.x.x.x, sending delete/delete with reason message
02-24-2012 12:40 PM
Dynamic L2L VPN running on ASA or RV042: which is the hub and which is the spoke?
Please post your config on the forum for easier troubleshooting.
thanks
02-24-2012 12:44 PM
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set L2TP-Droid esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP-Droid mode transport
crypto ipsec ikev1 transform-set EZVPN esp-aes-256 esp-sha-hmac
crypto dynamic-map L2TP 10 set ikev1 transform-set L2TP-Droid ESP-AES-256-MD5 EZVPN
crypto map VPN 20 ipsec-isakmp dynamic L2TP
crypto map VPN interface outside
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 15
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 25
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 password-storage enable
 nem enable
tunnel-group DefaultRAGroup general-attributes
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
 ikev1 user-authentication none
EZVPN, L2L VPN, WebVPN (AnyConnect) and Client VPN all work, as well as the L2TP Droid VPN.
05-29-2012 12:39 PM
Could you give the config of the RV042 and ASA5510 now? I have the same config as you but it could not work! What are your ASA and RV042 versions?
02-24-2012 01:17 PM
Jason, You are the MAN! Worked like a charm. Once I got the keys straight it came right up and I was able to route into the network.
02-24-2012 12:58 PM
Hi there,
Here is a link to establish a Dynamic L2L tunnel configuration; it is very easy to follow, and you may change the crypto syntax to reflect your version of ASA.
I hope that helps.
Thanks
Rizwan Rafeek