remote access vpn error

mcoroghidaf
Level 1

I got the following error while running a Remote Access VPN using CA:

I am configuring remote access VPN on a Cisco ASA 5500 and I have this error:

Aug 06 12:18:59 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2

!

Attempt to get Phase 1 ID data failed while constructing ID

Please, what is the cause of this error?

Who has noticed this, and what is the solution?

I have attached our config for reference.

Thanks for your response in advance.

8 Replies

stoneystone
Level 1

Do you have a full config? One thing, do you have a group-policy for 'wcsa_Remote'?

default-group-policy wcsa_Remote - where is this pointing?

I thought you were able to see the attachment.

The configuration is below:

crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 1000
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 1100
 authentication rsa-sig
 encryption aes
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 65530
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
!
group-policy defaultgroup internal
group-policy Defaultgroup internal
group-policy Defaultgroup attributes
 default-domain value wcsa.com
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.13.200.113
 address-pools value Certvpnip
!
tunnel-group DefaultRAGroup general-attributes
 address-pool Certvpnip
 address-pool certvpnip
 authentication-server-group ACS LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point major
tunnel-group wcsa_Remote type remote-access
tunnel-group wcsa_Remote general-attributes
 address-pool wcsaVPN
 authentication-server-group ACS
 accounting-server-group ACS
 default-group-policy wcsa_Remote
tunnel-group wcsa_Remote ipsec-attributes
 pre-shared-key *
tunnel-group defaultgroup type remote-access
tunnel-group defaultgroup general-attributes
 address-pool Certvpnip
tunnel-group defaultgroup ipsec-attributes
 trust-point major

You still don't have your full running-config, or at least I couldn't download it.

As far as your problem:

What is this line?

'crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-128-SHA certvpn'

Doesn't that look confusing? You defined certvpn earlier in the config with this: 'crypto ipsec transform-set certvpn esp-aes esp-sha-hmac'

Also: you don't have a transform-set that will work with this:

crypto isakmp policy 1100
 authentication rsa-sig
 encryption aes
 hash md5
 group 1

From the fragment of the running-config you posted, you have a lot of items that look like they could be cleaned up.
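Added example (not code from any post in this thread): a small Python checker for the kinds of inconsistency stoneystone points out in the fragment above. It parses the "Mismatched attribute types" debug line from the original question, pulls out the ISAKMP policies so you can see which local policy would actually accept the DH group the peer offered, flags transform-set names that a dynamic-map references but no `crypto ipsec transform-set` line defines (the `ESP-AES-128-SHA` case), and flags object names that differ only in case (the posted fragment carries both `defaultgroup` and `Defaultgroup`, so the ASA stored two objects). The embedded config and log line are constructed from the fragments quoted in the thread, not the full running-config.

```python
"""Lint a Cisco ASA IKEv1 remote-access config fragment.

Added example for this thread, not code from any post. The sample config and
log line below are constructed from the fragments quoted in the thread.
"""
import re
from collections import defaultdict

# Constructed from the original question's debug output.
LOG_LINE = ("Aug 06 12:18:59 [IKEv1]: Phase 1 failure: Mismatched attribute types "
            "for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2")

# Constructed subset of the posted running-config, keeping the suspicious lines.
SAMPLE_CONFIG = """\
crypto ipsec transform-set certvpn esp-aes esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-128-SHA certvpn
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto isakmp policy 1100
 authentication rsa-sig
 encryption aes
 hash md5
 group 1
group-policy defaultgroup internal
group-policy Defaultgroup internal
tunnel-group DefaultRAGroup general-attributes
 address-pool Certvpnip
 address-pool certvpnip
"""

MISMATCH_RE = re.compile(
    r"Mismatched attribute types for class (?P<cls>.+?): "
    r"Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+)$")


def parse_mismatch(line):
    """Return (attribute class, received value, configured value) from an ASA
    'Mismatched attribute types' debug line, or None if the line is not one."""
    m = MISMATCH_RE.search(line)
    return (m["cls"], m["rcvd"], m["cfgd"]) if m else None


def parse_isakmp_policies(config):
    """Map each 'crypto isakmp policy <prio>' to its indented attribute lines."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
        elif not line.startswith(" "):
            current = None  # left the policy block
    return policies


def policies_with(policies, attr, value):
    """Priorities of the policies whose <attr> equals <value>, e.g. group '1'."""
    return sorted(p for p, attrs in policies.items() if attrs.get(attr) == value)


def undefined_transform_sets(config):
    """Transform-set names a dynamic-map references but no 'crypto ipsec
    transform-set' line defines (the ESP-AES-128-SHA case in the thread)."""
    defined = set(re.findall(r"^crypto ipsec transform-set (\S+)", config, re.M))
    refs = re.findall(r"^crypto dynamic-map \S+ \d+ set transform-set (.+)$",
                      config, re.M)
    return [n for ref in refs for n in ref.split() if n not in defined]


def case_colliding_names(config):
    """group-policy, tunnel-group and address-pool names that differ only in
    case. The posted fragment has both 'defaultgroup' and 'Defaultgroup', so
    the ASA stored two separate objects; such a pair is very likely a typo."""
    seen = defaultdict(set)
    pattern = (r"^(?:group-policy|tunnel-group) (\S+)"
               r"|^ address-pools? (?:value )?(\S+)")
    for m in re.finditer(pattern, config, re.M):
        name = m.group(1) or m.group(2)
        seen[name.lower()].add(name)
    return sorted(tuple(sorted(v)) for v in seen.values() if len(v) > 1)


def lint(config, log_line):
    """Collect all findings in one report dict."""
    policies = parse_isakmp_policies(config)
    mismatch = parse_mismatch(log_line)
    report = {
        "undefined_transform_sets": undefined_transform_sets(config),
        "case_collisions": case_colliding_names(config),
    }
    if mismatch and mismatch[0] == "Group Description":
        # "Rcv'd: Group 1": which local policies would accept DH group 1 at all?
        group = mismatch[1].split()[-1]
        report["policies_matching_received_group"] = policies_with(
            policies, "group", group)
    return report


if __name__ == "__main__":
    for key, value in lint(SAMPLE_CONFIG, LOG_LINE).items():
        print(f"{key}: {value}")
```

Run it against `show running-config` output saved to a file (swap `SAMPLE_CONFIG` for the file contents) together with the matching `debug crypto isakmp` line; the report tells you which policy the offered DH group could land on and which names to reconcile before chasing the certificate ID error.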

I have attached it for your reference.

Can you help with the transform-set?

This was added to see if I could get it running:

crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-128-SHA certvpn

This config file is really confusing. It looks like someone was throwing commands at it to make something work.

What exactly are you trying to do? Are you trying to configure a VPN Client?

Here is a config that builds a dynamic VPN, using a VPN client. You need to fill your information in where needed.

! First, set an access-list for split tunnels if you want Internet access while connected:
access-list Split_VPN_List permit ip 10.0.0.0 255.0.0.0 10.199.199.0 255.255.255.0
!
! Set up the encryption types
crypto ipsec transform-set certvpn esp-aes esp-sha-hmac
crypto dynamic-map Outside_dyn_map 50 set transform-set certvpn
crypto dynamic-map Outside_dyn_map 50 set reverse-route
crypto map crymap 90 ipsec-isakmp dynamic Outside_dyn_map
!
! Set up the 'name' for the VPN client
group-policy vpnclient internal
group-policy vpnclient attributes
 ! Allows for Internet access while logged on
 split-tunnel-policy tunnelspecified
 ! Point to the access-list
 split-tunnel-network-list value Split_VPN_List
!
! 'name' (the OP's running-config uses 'type remote-access', the newer spelling of 'ipsec-ra')
tunnel-group vpnclient type ipsec-ra
tunnel-group vpnclient general-attributes
 ! If this is the pool you want to use
 address-pool Certvpnip
 ! Use these if you are not using another server for verification of user/password
 ! Group name in your client
 default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
 ! Password in your client
 pre-shared-key put_key_here
!
! Not in the original reply, added as an assumption: the crypto map has to be bound to
! the interface the clients connect to (assumed here to be named 'outside') and ISAKMP
! enabled on it, otherwise nothing negotiates.
crypto map crymap interface outside
crypto isakmp enable outside

See how this works for you.

Thanks for the response.

The pre-shared-key VPN is working; I only have issues with the CA one.

Your response will be appreciated.

Yes, that is a remote access VPN using CA authentication.

Also note that there is an existing remote access VPN using a pre-shared key, and that one is working fine.
