New Member

IPSec VPN to asa 5520

Hi,

First of all I have to admit that I'm not very well versed in Cisco gear or IPsec connections in general, so apologies if I'm doing something really obviously stupid, but I have checked through any stuff I could find on the internet about setting up IPsec VPN.

The setup I have is an ASA 5520 firewall (OS 8.2) which for the moment is connected to a temporary home-broadband-style internet connection for testing purposes. The Netopia router is configured to allow IPsec passthrough and to forward ports UDP 62515, TCP 10000, UDP 4500 and UDP 500 to the ASA 5520.

I am trying to connect in from a laptop with Windows Firewall turned off and Cisco VPN Client version 5.0.02.0090.

I have run through the IPsec setup wizard several times trying different options. Most of the time nothing comes up in the log to show that a connection has been attempted, but there is one way I can set up the options that produces the following in the firewall log:

4|Sep 24 2010|13:54:29|713903|||||Group = VPNtest9, IP = 86.44.x.x, Error: Unable to remove PeerTblEntry
3|Sep 24 2010|13:54:29|713902|||||Group = VPNtest9, IP = 86.44.x.x, Removing peer from peer table failed, no match!
6|Sep 24 2010|13:54:21|713905|||||Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
5|Sep 24 2010|13:54:21|713201|||||Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|Sep 24 2010|13:54:16|713905|||||Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
5|Sep 24 2010|13:54:16|713201|||||Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|Sep 24 2010|13:54:11|713905|||||Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
5|Sep 24 2010|13:54:11|713201|||||Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
6|Sep 24 2010|13:54:06|302015|86.44.x.x|51905|192.168.0.27|500|Built inbound UDP connection 7487 for Internet:86.44.x.x/51905 (86.44.x.x/51905) to identity:192.168.0.27/500 (192.168.0.27/500)

and this in the client log:

Cisco Systems VPN Client Version 5.0.02.0090

Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 5.1.2600 Service Pack 3

24 13:54:08.250 09/24/10 Sev=Info/4 CM/0x63100002

Begin connection process

25 13:54:08.265 09/24/10 Sev=Info/4 CM/0x63100004

Establish secure connection

26 13:54:08.265 09/24/10 Sev=Info/4 CM/0x63100024

Attempt connection with server "213.94.x.x"

27 13:54:08.437 09/24/10 Sev=Info/6 IKE/0x6300003B

Attempting to establish a connection with 213.94.x.x.

28 13:54:08.437 09/24/10 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 213.94.x.x

29 13:54:08.484 09/24/10 Sev=Info/4 IPSEC/0x63700008

IPSec driver successfully started

30 13:54:08.484 09/24/10 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

31 13:54:13.484 09/24/10 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

32 13:54:13.484 09/24/10 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 213.94.x.x

33 13:54:18.484 09/24/10 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

34 13:54:18.484 09/24/10 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 213.94.x.x

35 13:54:23.484 09/24/10 Sev=Info/4 IKE/0x63000021

Retransmitting last packet!

36 13:54:23.484 09/24/10 Sev=Info/4 IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 213.94.x.x

37 13:54:28.484 09/24/10 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=36C50ACCE984B0B0 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

38 13:54:28.984 09/24/10 Sev=Info/4 IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=36C50ACCE984B0B0 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

39 13:54:28.984 09/24/10 Sev=Info/4 CM/0x63100014

Unable to establish Phase 1 SA with server "213.94.x.x" because of "DEL_REASON_PEER_NOT_RESPONDING"

40 13:54:28.984 09/24/10 Sev=Info/5 CM/0x63100025

Initializing CVPNDrv

41 13:54:28.984 09/24/10 Sev=Info/6 CM/0x63100046

Set tunnel established flag in registry to 0.

42 13:54:28.984 09/24/10 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

43 13:54:29.187 09/24/10 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

44 13:54:29.187 09/24/10 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

45 13:54:29.187 09/24/10 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

46 13:54:29.187 09/24/10 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

I have full HTTP connectivity from the internet to a machine on the inside of the ASA 5520, so I think the static routing and NATing should be OK, but I'm happy to provide any details.

Can anyone see what I'm doing wrong?

Thanks,

Sam
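The ASA log in the post above is the pipe-delimited ASDM export (severity, date, time, message ID, source, source port, destination, destination port, text). As an added example that is not part of the original post, the Python script below parses that format, pulls the received-versus-configured attribute out of each 713257 line and counts the 713201 duplicate-packet retransmits. The sample lines it carries are constructed to mirror the log above with the same masked address, and the hints it prints are this example's reading of those two message IDs, not Cisco's.

```python
"""Triage IKEv1 Phase 1 failures from ASA syslog lines.

Added example, not from the original post. It reads the pipe-delimited
ASDM log export format shown in the thread,
    sev|date|time|msgid|src|sport|dst|dport|message
and keys on the two message IDs that matter here: 713257 (a Phase 1
proposal attribute did not match) and 713201 (the ASA saw the initiator's
packet again and resent its own reply). The sample lines are constructed
to mirror the thread's log, with the peer address masked as in the post.
"""
import re
from collections import Counter

# 713257 names the rejected attribute class and the received/configured values.
MISMATCH_RE = re.compile(
    r"Mismatched attribute types for class (?P<cls>[^:]+): "
    r"Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+?)\s*$"
)

# Constructed sample in the thread's export format (not a real capture).
SAMPLE_LOG = """\
6|Sep 24 2010|13:54:06|302015|86.44.x.x|51905|192.168.0.27|500|Built inbound UDP connection 7487 for Internet:86.44.x.x/51905 (86.44.x.x/51905) to identity:192.168.0.27/500 (192.168.0.27/500)
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|Sep 24 2010|13:54:11|713201|||||Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
5|Sep 24 2010|13:54:16|713201|||||Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
3|Sep 24 2010|13:54:29|713902|||||Group = VPNtest9, IP = 86.44.x.x, Removing peer from peer table failed, no match!
"""


def parse_asa_line(line):
    """Split one export line into its nine fields; None if it is not one."""
    parts = line.rstrip("\r\n").split("|", 8)
    if len(parts) != 9 or not parts[0].isdigit():
        return None
    sev, date, time_, msgid, src, sport, dst, dport, msg = parts
    return {"sev": int(sev), "date": date, "time": time_, "msgid": msgid,
            "src": src, "sport": sport, "dst": dst, "dport": dport, "msg": msg}


def triage(text):
    """Summarise Phase 1 trouble in an ASA log export.

    Returns per-message-ID counts, each distinct attribute mismatch seen as
    (class, received, configured) with its count, and hints derived only
    from which message IDs are present.
    """
    events = [e for e in map(parse_asa_line, text.splitlines()) if e]
    counts = Counter(e["msgid"] for e in events)
    mismatches = Counter()
    for e in events:
        if e["msgid"] == "713257":
            m = MISMATCH_RE.search(e["msg"])
            if m:
                mismatches[(m["cls"], m["rcvd"], m["cfgd"])] += 1

    hints = []
    for (cls, rcvd, cfgd), n in sorted(mismatches.items()):
        hints.append(
            f"713257 x{n}: peer offered {cls} = {rcvd}, the policy it was checked "
            f"against has {cfgd}; encryption, hash, authentication and DH group must "
            f"all match inside one 'crypto isakmp policy', so add or change a policy "
            f"so that its {cls} is {rcvd}")
    if counts["713201"]:
        hints.append(
            f"713201 x{counts['713201']}: the ASA received the initiator's Phase 1 "
            "packet repeatedly and resent its reply each time, so the reply is not "
            "getting back to (or being accepted by) the client; check the return "
            "path through the NAT device (UDP 500/4500 forwards) as well as the policies")
    return {"counts": dict(counts), "mismatches": dict(mismatches), "hints": hints}


if __name__ == "__main__":
    for hint in triage(SAMPLE_LOG)["hints"]:
        print("-", hint)
```

Run it as-is to see the hints for the constructed sample, or pass the text of a real ASDM export to triage(). In the first log of this thread both findings are present: every offered proposal was rejected on the DH group, and the ASA was answering a client that kept resending its first packet. After the group fix only the second finding remains, which is why the retransmit pattern gets its own hint rather than being folded into the mismatch one.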

15 REPLIES
Cisco Employee

Re: IPSec VPN to asa 5520

Please change or add a Phase 1 policy (isakmp policy) with group 2.

Can you share the ASA configuration, in particular the "show run crypto isakmp" output, please.

New Member

Re: IPSec VPN to asa 5520

Hi Halijenn,

Here's the output from that command:

Result of the command: "show run crypto isakmp"

crypto isakmp enable Internet
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 60
crypto isakmp ipsec-over-tcp port 10000

"Please change or add phase 1 policy (isakmp policy) with group 2."

I'm going to try to do that now, but I'm not sure how...

Is it something to do with "Perfect Forward Secrecy" and "Diffie-Hellman Group 2"? (I knew I shouldn't have messed with that setting.)

Cisco Employee

Re: IPSec VPN to asa 5520

Please add the following policy:

crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2

Can you also run debug on the ASA:

debug cry isa
debug cry ipsec

and collect the debug output after trying to connect.

New Member

Re: IPSec VPN to asa 5520

OK, at this point I will have to admit I really am very new to this stuff. I was using the ASDM GUI for all the configuration; when I copy and paste

"crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2"

into the CLI that you can get into from the ASDM I get "error invalid input detected".

Thanks so much for helping me with this, but could you give me instructions aimed closer to my level of stupidity?

Thanks again,

Sam

New Member

Re: IPSec VPN to asa 5520

OK, sorry, found it in the GUI and added it, testing now.

Thanks,

New Member

Re: IPSec VPN to asa 5520

Cool! That's got rid of the

"5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1"

messages, but we're still getting the other ones.

(All this stuff:

4|Sep 24 2010|13:54:29|713903|||||Group = VPNtest9, IP = 86.44.x.x, Error: Unable to remove PeerTblEntry
3|Sep 24 2010|13:54:29|713902|||||Group = VPNtest9, IP = 86.44.x.x, Removing peer from peer table failed, no match!
6|Sep 24 2010|13:54:21|713905|||||Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
5|Sep 24 2010|13:54:21|713201|||||Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|Sep 24 2010|13:54:16|713905|||||Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
5|Sep 24 2010|13:54:16|713201|||||Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|Sep 24 2010|13:54:11|713905|||||Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
5|Sep 24 2010|13:54:11|713201|||||Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.)

New Member

Re: IPSec VPN to asa 5520

"Can you also run debug on the ASA:

debug cry isa
debug cry ipsec"

I'm getting "debug commands are not supported in CLI window".

New Member

Re: IPSec VPN to asa 5520

OK, I've connected in through HyperTerminal and run

debug cry isa
debug cry ipsec

but it just goes straight back to the command prompt. Do these commands generate log files somewhere?

Thanks,

Sam

New Member

Re: IPSec VPN to asa 5520

Ah, got it:

OutsideFW1/pri/act# show run crypto isakmp
crypto isakmp enable Internet
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 60
crypto isakmp ipsec-over-tcp port 10000

OutsideFW1/pri/act# show run crypto ipsec
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
OutsideFW1/pri/act#
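As an added example, not code from the original post or from Cisco: the Python script below parses the "show run crypto isakmp" text as first posted in this thread (abridged to policies 1 and 30; policy 50 differs from 30 only in its hash) and the corrected set with policy 10 from the output above, then runs a constructed initiator proposal list through the IKEv1 Phase 1 rule that encryption, hash, authentication method and DH group must all agree within a single policy. Against the first configuration it reproduces the "Rcv'd: Group 2 Cfg'd: Group 1" rejection; against the second it shows policy 10 accepting the same proposal. The proposal list (the real one the VPN Client sent is not on the page), the class labels other than "Group Description", the printing of raw values instead of the ASA's "Group 2" wording, and the decision not to fill in platform defaults are all assumptions of this example.

```python
"""Check IKEv1 Phase 1 proposals against ASA 'crypto isakmp policy' entries.

Added example, not from the original post or from Cisco. Parses the
'show run crypto isakmp' text quoted in the thread and tests whether a set
of initiator proposals would be accepted: encryption, hash, authentication
and DH group must all agree within one policy (lifetime is negotiated, so
it is parsed but not compared). Assumptions: policies are walked in
ascending priority and the first match wins; offered transforms are tried
in order; no platform defaults are filled in; CLIENT_PROPOSALS is a
constructed stand-in, the list the VPN Client really sent is not on the page.
"""
import re

ATTRS = ("encryption", "hash", "authentication", "group")
CLASS_NAME = {"encryption": "Encryption Alg", "hash": "Hash Alg",
              "authentication": "Auth Method", "group": "Group Description"}

# 'show run crypto isakmp' as first posted (abridged: policy 50 omitted).
ORIGINAL_CONFIG = """\
crypto isakmp enable Internet
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 60
"""

# Policies after the accepted answer was applied, as posted later (lifetimes omitted).
FIXED_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
"""

# Constructed: DES/MD5/PSK/group 2 is consistent with "Rcv'd: Group 2" in the log.
CLIENT_PROPOSALS = [
    {"encryption": "aes", "hash": "sha", "authentication": "pre-share", "group": "2"},
    {"encryption": "des", "hash": "md5", "authentication": "pre-share", "group": "2"},
]


def parse_isakmp_policies(config_text):
    """Return {priority: {attr: value, 'lifetime': int}} from the CLI text."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
        elif line.startswith("crypto ") or not line:
            current = None  # a global line such as nat-traversal ends the policy
        elif current is not None:
            key, _, value = line.partition(" ")
            if key in ATTRS:
                policies[current][key] = value
            elif key == "lifetime":
                policies[current]["lifetime"] = int(value)
    return policies


def first_mismatch(proposal, policy):
    """First attribute that differs, in ATTRS order, or None when all agree."""
    for attr in ATTRS:
        if proposal.get(attr) != policy.get(attr):
            return attr
    return None


def match_proposals(proposals, policies):
    """Responder-side matching. Returns (priority, proposal, log); priority is
    None when nothing matched and log has one 713257-style line per rejection."""
    log = []
    for prio in sorted(policies):
        for prop in proposals:
            attr = first_mismatch(prop, policies[prio])
            if attr is None:
                return prio, prop, log
            log.append(f"policy {prio}: Mismatched attribute types for class "
                       f"{CLASS_NAME[attr]}: Rcv'd: {prop.get(attr)} "
                       f"Cfg'd: {policies[prio].get(attr)}")
    return None, None, log


if __name__ == "__main__":
    for cfg in (ORIGINAL_CONFIG, FIXED_CONFIG):
        print(match_proposals(CLIENT_PROPOSALS, parse_isakmp_policies(cfg)))
```

The useful habit this encodes is to compare a peer's proposal against each policy attribute by attribute rather than eyeballing the list: a policy that is "almost right" (policy 1 here, matching on everything but the group) is rejected exactly like one that shares nothing, and the ASA log only tells you about the first attribute that failed.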
