02-24-2012 12:23 PM
So far I have a complete phase 1, and an almost complete phase 2, but one thing I can't figure out. I see this in the debug.
peer is not authenticated by xauth - drop connection.
I get it right after the proxy is set up.
Here is my config
group-policy DefaultRAGroup attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 l2tp-ipsec
password-storage enable
nem enable
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
ikev1 user-authentication none
I have tried many different configurations on both sides, but they all fail with the same error of peer not authenticated by xauth.
02-24-2012 12:50 PM
Don't use DefaultRAGroup - I think that means it will automatically try to build a user VPN rather than a dynamic L2L.
Change the pre-shared key on the DefaultRAGroup to be something else (so it doesn't match what the other side is sending). Put all the config you have for the DefaultRAGroup tunnel-group and group-policy on the DefaultL2LGroup tunnel-group and group-policy instead.
Usually the DefaultRAGroup is a 'remote-access' type which doesn't mean L2L. DefaultL2LGroup should hopefully fix it.
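The following is an added illustration of the change described in this answer, not configuration posted by anyone in the thread. The debug output in the thread shows the peer landing in "Group = DefaultRAGroup", which is a remote-access group and therefore expects xauth; moving the dynamic L2L settings to DefaultL2LGroup avoids that. The group-policy name L2L-DYNAMIC and the two pre-shared-key values are placeholders I chose; the remote-access attribute password-storage is left off the L2L policy because it only applies to client VPNs.

```cisco
! Added example, not from the thread. Placeholder names and keys are marked as such.

! 1. Give the remote-access default group a key the RV042 will never present,
!    so its proposal can no longer match here and get dropped for missing xauth.
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key <DIFFERENT-KEY-PLACEHOLDER>

! 2. Carry the L2L-relevant attributes over to a policy for the L2L default group.
!    (L2L-DYNAMIC is an assumed name.)
group-policy L2L-DYNAMIC internal
group-policy L2L-DYNAMIC attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1
 nem enable

! 3. Bind that policy and the RV042's key to the L2L default tunnel-group.
!    Dynamic-crypto-map peers that are not remote-access clients match this group.
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy L2L-DYNAMIC
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key <KEY-SHARED-WITH-RV042-PLACEHOLDER>
```

After the change, a successful match shows up in "debug crypto isakmp 127" as "Group = DefaultL2LGroup" instead of "Group = DefaultRAGroup", and the "peer is not authenticated by xauth" line should no longer appear for that peer. Note that any existing L2TP/IPsec clients still using the DefaultRAGroup key will need their key updated to the new value.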
02-24-2012 12:31 PM
Hmmm, it looks like you have xauth turned off (ikev1 user-authentication none) - can you turn on debugs (debug crypto isakmp 127) when you try to connect and post those?
--Jason
02-24-2012 12:37 PM
I have tried it with it on, with it off and always the same thing comes back.
Here is the aaa common 50 debug:
Initiating tunnel group policy lookup (Svr Grp: GROUP_POLICY_DB)
------------------------------------------------
AAA FSM: In AAA_BindServer
AAA_BindServer: Using server:
AAA FSM: In AAA_SendMsg
User: DefaultRAGroup
Resp:
grp_policy_ioctl(0x0a250e40, 114698, 0xa9372788)
grp_policy_ioctl: Looking up DefaultRAGroup
callback_aaa_task: status = 1, msg =
AAA FSM: In aaa_backend_callback
aaa_backend_callback: Handle = 114, pAcb = 0xadae6da0
AAA task: aaa_process_msg(0xa9373220) received message type 1
AAA FSM: In AAA_ProcSvrResp
Back End response:
------------------
Tunnel Group Policy Status: 1 (ACCEPT)
AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_TUNN_GRP_POLICY, auth_status = ACCEPT
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
AAA FSM: In AAA_Callback
user attributes:
1 User-Name(1) 14 "DefaultRAGroup"
2 User-Password(2) 0 0xae048023 ** Unresolved Attribute **
user policy attributes:
None
tunnel policy attributes:
1 Idle-Timeout(28) 4 0
2 Tunnelling-Protocol(4107) 4 12
3 Store-PW(4112) 4 1
4 Group-Policy(4121) 14 "DefaultRAGroup"
5 Network-Extension-Mode-Allowed(4160) 4 1
AAA API: In aaa_close
AAA API: In aaa_send_acct_start
AAA task: aaa_process_msg(0xa9373220) received message type 3
In aaai_close_session (114)
AAA API: In aaa_open
AAA session opened: handle = 115
AAA API: In aaa_process_async
aaa_process_async: sending AAA_MSG_PROCESS
AAA task: aaa_process_msg(0xa9373220) received message type 0
AAA FSM: In AAA_StartAAATransaction
AAA FSM: In AAA_InitTransaction
aaai_policy_name_to_server_id(DefaultRAGroup)
Got server ID 0 for group policy DB
And here is the isakmp 127 debug with the relevant information. Up to this point it passes.
Feb 24 14:27:54 [IKEv1 DECODE]Group = DefaultRAGroup, IP = x.x.x.x, ID_IPV4_ADDR_SUBNET ID received--10.253.20.0--255.255.255.0
Feb 24 14:27:54 [IKEv1]Group = DefaultRAGroup, IP = x.x.x.x, Received remote IP Proxy Subnet data in ID Payload: Address 10.253.20.0, Mask 255.255.255.0, Protocol 0, Port 0
Feb 24 14:27:54 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = x.x.x.x, processing ID payload
Feb 24 14:27:54 [IKEv1 DECODE]Group = DefaultRAGroup, IP = x.x.x.x, ID_IPV4_ADDR ID received
66.252.79.16
Feb 24 14:27:54 [IKEv1]Group = DefaultRAGroup, IP = x.x.x.x., Received local Proxy Host data in ID Payload: Address x.x.x.x, Protocol 0, Port 0
Feb 24 14:27:54 [IKEv1]Group = DefaultRAGroup, IP = x.x.x.x, peer is not authenticated by xauth - drop connection.
Feb 24 14:27:54 [IKEv1]Group = DefaultRAGroup, IP = x.x.x.x, QM FSM error (P2 struct &0xace21cd8, mess id 0xb4d2530a)!
Feb 24 14:27:54 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = x.x.x.x, IKE QM Responder FSM error history (struct &0xace21cd8)
Feb 24 14:27:54 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = x.x.x.x, sending delete/delete with reason message
02-24-2012 12:40 PM
Dynamic L2L VPN running on ASA or RV042, which is the hub and which is the spoke?
Please post your config on the forum for easier troubleshooting.
thanks
02-24-2012 12:44 PM
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set L2TP-Droid esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP-Droid mode transport
crypto ipsec ikev1 transform-set EZVPN esp-aes-256 esp-sha-hmac
crypto dynamic-map L2TP 10 set ikev1 transform-set L2TP-Droid ESP-AES-256-MD5 EZVPN
crypto map VPN 20 ipsec-isakmp dynamic L2TP
crypto map VPN interface outside
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 15
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 25
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 l2tp-ipsec
password-storage enable
nem enable
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
ikev1 user-authentication none
EZVPN, L2L VPN, WebVPN (AnyConnect) and Client VPN do work, as well as the L2TP Droid VPN.
05-29-2012 12:39 PM
Could you give the config of the RV042 and ASA5510 now? I have a config like yours but it does not work! What are your ASA and RV042 versions?
02-24-2012 01:17 PM
Jason, You are the MAN! Worked like a charm. Once I got the keys straight it came right up and I was able to route into the network.
02-24-2012 12:58 PM
Hi there,
Here is a link to establish a Dynamic L2L tunnel configuration; it is very easy to follow, and you may change the crypto syntax to reflect your version of ASA.
I hope that helps.
Thanks
Rizwan Rafeek