dynamic-to-static VPN problem

puggedo
Level 1

Hi Guys, How are you?

I need to configure an ASA 5505 as the central point with a static IP. I already saw the "PIX/ASA 7.x PIX-to-PIX Dynamic-to-Static IPsec with NAT and VPN Client Configuration Example" guide.

But the problem is that when I use the "isakmp key password address 0.0.0.0 netmask 0.0.0.0" command, I get an error message saying that DefaultRAGroup is already using pre-shared-key. I already tried to configure DefaultL2LGroup and I get the same error.

I tried to configure DefaultRAGroup with "no pre-shared", but after a few seconds it lost effect.

Should I remove DefaultRAGroup ?

3 Replies

tstanik
Level 5

For verifying the configuration for DefaultL2LGroup, here is an example; it may help you:

tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
 no accounting-server-group
 default-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
 no pre-shared-key
 peer-id-validate req
 no chain
 no trust-point
 isakmp keepalive threshold 10 retry 2

Hi thx for reply!

I found something interesting.

On the Bug Toolkit I found the bug CSCsk39154:

"PIX/ASA dynamic lan to lan vpn tunnels fail negotiation with version 8.0.2.16"

Ok version 8.0.2.16 but there is more:

1st Found-In: 7.0, 8.0(2.16)

Fixed-In: 8.0(2.19), 8.1(0.74), 7.2(4), 8.2(0.67), 7.2(3.5), 7.0(7.6), 7.1(2.65)

My ASA version is 7.2(3) and it got fixed in 7.2(3.5). It sounds like my version is bugged, but I'm gonna try your suggestion! THX.

acomiskey
Level 10

That is a PIX 6.x command.
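
An added example, not posted by anyone in this thread: a hub-side sketch in ASA 7.2 syntax in which the key for dynamic-address LAN-to-LAN peers is set under DefaultL2LGroup rather than with the 6.x "isakmp key" command. The interface name "outside", the names HUB-TSET, HUB-DYN and HUB-MAP, the policy and sequence numbers, and the key are assumptions.

```cisco
! Constructed hub-side sketch for ASA 7.2 syntax; names, numbers and the key
! are placeholders, not values from this thread.
!
! Phase 1 policy (AES requires the 3DES/AES licence).
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp enable outside
!
! Phase 2: a dynamic map accepts peers whose address is not known in advance.
crypto ipsec transform-set HUB-TSET esp-aes-256 esp-sha-hmac
crypto dynamic-map HUB-DYN 10 set transform-set HUB-TSET
crypto map HUB-MAP 65535 ipsec-isakmp dynamic HUB-DYN
crypto map HUB-MAP interface outside
!
! L2L peers with no tunnel-group of their own land on DefaultL2LGroup,
! so its key plays the role of the 6.x wildcard key.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key REPLACE_WITH_LONG_RANDOM_KEY
 peer-id-validate req
 isakmp keepalive threshold 10 retry 2
```

Every remote site without its own tunnel-group shares this one key, so it should be long and random, and "show running-config tunnel-group" can be used to confirm which group actually holds it.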
