Solved: ASA Pre shared key

swashbuckler · ‎10-14-2013

I am currently using an ASA 5550 version 8.2 anwith ASDM version 6.2.

I have a ASA 5505 in remote area and cannot connect via VPN.

My logs say maybe mismatched pre-shared key.

On my 5550, via the ASDM I used the command more system:running-config and it will not show my pre shared key in plain text, only shows a *.

Any help would be appreciated.

Jouni Forss · ‎10-14-2013

Hi,

The command should work.

I guess you could always consider using the CLI and inserting the command.

If that produces the same result you should probably consider that you might have copy/pasted the "*" as the actual PSK at some point?

I created an example "tunnel-group" in my ASA with commands

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

ikev1 pre-shared-key TESTPSK

ASA# sh run tunnel-group 1.1.1.1

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

ikev1 pre-shared-key *****

I view it with "more system:running-config"

ASA# more system:running-config | begin tunnel-group 1.1.1.1

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

ikev1 pre-shared-key TESTPSK

So works as expected

- Jouni

View solution in original post

Jouni Forss · ‎10-14-2013

Hi,

The command should work.

I guess you could always consider using the CLI and inserting the command.

If that produces the same result you should probably consider that you might have copy/pasted the "*" as the actual PSK at some point?

I created an example "tunnel-group" in my ASA with commands

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

ikev1 pre-shared-key TESTPSK

ASA# sh run tunnel-group 1.1.1.1

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

ikev1 pre-shared-key *****

I view it with "more system:running-config"

ASA# more system:running-config | begin tunnel-group 1.1.1.1

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

ikev1 pre-shared-key TESTPSK

So works as expected

- Jouni

swashbuckler · ‎10-14-2013

I went through the CLI and it worked.

It looks like the pre-shared key is the same, so I do not know why I am getting the following:

Group = DefaultL2LGroup, IP = 62.73.210.70, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting

Group = DefaultL2LGroup, IP = 62.73.210.70, Removing peer from peer table failed, no match!

Group = DefaultL2LGroup, IP = 62.73.210.70, Error: Unable to remove PeerTblEntry

Bobby

Jouni Forss · ‎10-14-2013

Hi,

Naturally if you can share both ASAs VPN configurations then I could go through them

- Jouni

swashbuckler · ‎10-14-2013

Remote asa:

interface Vlan1
nameif inside
security-level 100
ip address 10.200.1.209 255.255.255.240
!
interface Vlan2
nameif outside
security-level 0
ip address 172.25.62.226 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list nonat extended permit ip 10.200.1.208 255.255.255.240 10.199.1.0 255                                                                                                 .255.255.0
access-list nonat extended permit ip 10.200.1.208 255.255.255.240 10.10.144.0 25                                                                                                 5.255.252.0
access-list VPNL2L extended permit ip 10.200.1.208 255.255.255.240 10.199.1.0 25                                                                                                 5.255.255.0
access-list VPNL2L extended permit ip 10.200.1.208 255.255.255.240 10.10.144.0 2                                                                                                 55.255.252.0
access-list 100 extended permit tcp host 89.254.12.35 host 10.200.1.213 eq www
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 172.25.62.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set mytrans esp-des esp-md5-hmac
crypto map mymap 10 match address VPNL2L
crypto map mymap 10 set peer 65.181.59.210
crypto map mymap 10 set transform-set mytrans
crypto map mymap 10 set security-association lifetime seconds 3600
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 21
telnet timeout 5
ssh 10.199.1.0 255.255.255.0 inside
ssh 10.10.144.0 255.255.252.0 inside
ssh timeout 5
console timeout 0

tunnel-group 65.181.59.210 type ipsec-l2l
tunnel-group 65.181.59.210 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:65a0d93601b90ccc07830cddd673e13c
: end

Local ASA:

ASA Version 8.2(1)
!

!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 65.181.59.210 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.199.1.2 255.255.255.0
!
interface GigabitEthernet0/2
nameif insideNOV
security-level 100
ip address 10.10.144.47 255.255.252.0
!
interface GigabitEthernet0/3
shutdown
no nameif
security-level 100
no ip address
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name Rignet
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service WML tcp
description Remote wits data access
port-object range 1 65535
access-list aclin extended permit object-group DM_INLINE_PROTOCOL_9 any host 65.181.59.219
access-list aclin extended permit object-group DM_INLINE_SERVICE_3 any host 65.181.59.216
access-list aclin extended permit object-group DM_INLINE_PROTOCOL_6 any host 65.181.59.220
access-list aclin extended permit object-group DM_INLINE_PROTOCOL_5 host 10.199.1.2 host 65.181.59.210
access-list aclin extended permit object-group DM_INLINE_SERVICE_1 any host 65.181.59.222
access-list no-nat remark Local Rules
access-list no-nat extended permit ip Rignet 255.255.255.0 10.10.144.0 255.255.252.0
access-list no-nat remark Local Rules
access-list no-nat extended permit ip 10.10.144.0 255.255.252.0 10.200.1.80 255.255.255.240
access-list no-nat extended permit ip Rignet 255.255.255.0 ENI 255.255.255.240
access-list no-nat extended permit ip 10.10.144.0 255.255.252.0 ENI 255.255.255.240
access-list no-nat extended permit ip Rignet 255.255.255.0 Norway_Office 255.255.255.240
access-list no-nat extended permit ip 10.10.144.0 255.255.252.0 Norway_Office 255.255.255.240
access-list no-nat extended permit ip Rignet 255.255.255.0 BobbyVPN 255.255.255.0
access-list no-nat extended permit ip 10.10.144.0 255.255.252.0 BobbyVPN 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp interface inside any
access-list inside_access_in remark Block port 135 for port scanning
access-list inside_access_in extended deny 135 any any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 10.10.144.0 255.255.252.0 Rignet 255.255.255.0
access-list test extended permit icmp any any echo
access-list test extended permit icmp any any echo-reply
access-list InsideNOV_access_in extended permit ip 10.200.0.0 255.255.0.0 10.10.144.0 255.255.252.0
access-list InsideNOV_access_in extended permit object-group DM_INLINE_SERVICE_7 any any
access-list InsideNOV_access_in extended permit object-group DM_INLINE_SERVICE_4 Rignet 255.255.255.0 10.10.144.0 255.255.252.0
access-list InsideNOV_access_in extended permit object-group DM_INLINE_PROTOCOL_12 Norway_Office 255.255.255.240 10.10.144.0 255.255.252.0
access-list InsideNOV_access_in extended permit object-group DM_INLINE_PROTOCOL_8 BobbyVPN 255.255.255.0 10.10.144.0 255.255.252.0
access-list inside_acl extended permit object-group DM_INLINE_SERVICE_8 any any
access-list inside_acl extended permit object-group DM_INLINE_SERVICE_5 10.10.144.0 255.255.252.0 Rignet 255.255.255.0
access-list inside_acl extended permit object-group DM_INLINE_SERVICE_6 Rignet 255.255.255.0 10.10.144.0 255.255.252.0
access-list inside_acl extended permit object-group DM_INLINE_PROTOCOL_10 10.200.0.0 255.255.0.0 Rignet 255.255.255.0
access-list inside_acl extended deny object-group DM_INLINE_PROTOCOL_11 host 192.168.56.1 any
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_2 10.10.144.0 255.255.252.0 Rignet 255.255.255.0
access-list inside_access_in_1 extended permit ip Rignet 255.255.255.0 Rignet 255.255.255.0
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_7 BobbyVPN 255.255.255.0 Rignet 255.255.255.0
access-list inside_access_in_2 extended permit object-group DM_INLINE_SERVICE_11 Rignet 255.255.255.0 Rignet 255.255.255.0
pager lines 24
logging enable
logging asdm informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
mtu outside 1500
mtu inside 1500
mtu insideNOV 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any insideNOV
icmp permit any echo-reply insideNOV
icmp permit any echo insideNOV
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 2 65.181.57.51 netmask 255.255.255.255
nat (outside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list no-nat
nat (inside) 1 Rignet 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 65.181.59.222 10.199.1.23 netmask 255.255.255.255
static (inside,outside) 65.181.59.219 10.199.1.27 netmask 255.255.255.255
static (inside,outside) 65.181.59.216 10.199.1.54 netmask 255.255.255.255
static (inside,outside) 65.181.59.220 10.199.1.26 netmask 255.255.255.255
access-group aclin in interface outside
access-group inside_access_in_1 in interface inside
access-group InsideNOV_access_in in interface insideNOV
route outside 0.0.0.0 0.0.0.0 65.181.59.209 1
route inside 153.15.156.217 255.255.255.255 65.181.57.51 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec stop
snmp-server enable traps entity config-change
sysopt connection tcpmss 1100
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set mySET esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto dynamic-map myDYN-MAP 5 set security-association lifetime seconds 28800
crypto dynamic-map myDYN-MAP 5 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map myMAP 65000 ipsec-isakmp dynamic myDYN-MAP
crypto map myMAP interface outside
crypto ca trustpoint Intelliserv.rignet.local
enrollment terminal
subject-name CN=Rignet5550
keypair IntelliServ.rignet.local
crl configure
crypto ca trustpoint ASDM_TrustPoint3
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=Rignet5550
password *
crl configure
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 21
telnet timeout 5
console timeout 0
management-access inside
no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy myGROUP internal
group-policy myGROUP attributes
split-tunnel-policy tunnelspecified
nem enable
username GaileyB password 0oaTL6AGb4l6JKde encrypted privilege 15
username rignetadmin password 3R8hQCl0jw5iU/r3 encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group mytunnel type remote-access
tunnel-group mytunnel general-attributes
default-group-policy myGROUP
tunnel-group mytunnel ipsec-attributes
pre-shared-key *
tunnel-group 164.85.0.18 type ipsec-l2l
tunnel-group 164.85.0.18 ipsec-attributes
peer-id-validate cert
chain
tunnel-group-map default-group DefaultL2LGroup
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class class-default
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a84cff45794fa5021237d51d5f87461e
: end

Jouni Forss · ‎10-14-2013

Hi,

The configuration seems to me be something that I have certainly never tried.

If I have Dynamic Public IP on the other end and Static Public IP on the other end I have typically resorted to EasyVPN Client in NEM (Network Extension Mode).

This situation reminded me of this Cisco document

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc7d13.shtml

Maybe it might help you out getting the L2L VPN setup

It has an example Main Site with ASA with Static Public IP address and 2 Spoke sites which both have Dynamic Public IP. One of them is ASA and one of them Cisco IOS Router.

- Jouni