I got the following error while running Remote Access VPN using CA:
I am configuring remote access VPN on a Cisco ASA5500 and I have this error:
Aug 06 12:18:59 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
Attempt to get Phase 1 ID data failed while constructing ID
Please, what is the cause of this error?
Who has noticed this and what is the solution?
I have attached the config for reference.
Thanks for your response in advance.
Do you have a full config? One thing, do you have a group-policy for 'wcsa_Remote'?
default-group-policy wcsa_Remote - where is this pointing?
I thought you were able to see the attachment.
The configuration is below:
crypto isakmp policy 30
crypto isakmp policy 1000
crypto isakmp policy 1100
crypto isakmp policy 65530
crypto isakmp policy 65535
crypto isakmp ipsec-over-tcp port 10000
group-policy defaultgroup internal
group-policy Defaultgroup internal
group-policy Defaultgroup attributes
default-domain value wcsa.com
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.13.200.113
address-pools value Certvpnip
tunnel-group DefaultRAGroup general-attributes
authentication-server-group ACS LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
tunnel-group wcsa_Remote type remote-access
tunnel-group wcsa_Remote general-attributes
tunnel-group wcsa_Remote ipsec-attributes
tunnel-group defaultgroup type remote-access
tunnel-group defaultgroup general-attributes
tunnel-group defaultgroup ipsec-attributes
You still don't have your full running-config, or at least I couldn't download it.
As far as your problem:
What is this line?
'crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-128-SHA certvpn'
Doesn't that look confusing? You defined certvpn earlier in the config with this: 'crypto ipsec transform-set certvpn esp-aes esp-sha-hmac'
Also: you don't have a transform-set that will work with this:
crypto isakmp policy 1100
From the fragment of the running-config you posted, you have a lot of items that look like they could be cleaned up.
This config file is really confusing. It looks like someone was throwing commands at it to make something work.
What exactly are you trying to do? Are you trying to configure a VPN Client?
Here is a config that builds a dynamic vpn, using a vpn client. You need to fill your information in where needed.
! First, set an access-list for split tunnels if you want Internet access while connected:
access-list Split_VPN_List permit ip 10.0.0.0 255.0.0.0 10.199.199.0 255.255.255.0
!Setup the encryption types
crypto ipsec transform-set certvpn esp-aes esp-sha-hmac
crypto dynamic-map Outside_dyn_map 50 set transform-set certvpn
crypto dynamic-map Outside_dyn_map 50 set reverse-route
crypto map crymap 90 ipsec-isakmp dynamic Outside_dyn_map
! SETUP THE 'NAME' FOR THE VPN CLIENT
group-policy vpnclient internal
group-policy vpnclient attributes
! ALLOWS FOR INTERNET ACCESS WHILE LOGGED ON
! POINT TO THE ACCESS-LIST
split-tunnel-network-list value Split_VPN_List
tunnel-group vpnclient type ipsec-ra
tunnel-group vpnclient general-attributes
! If this is the pool you want to use
address-pool Certvpnip
! Use these if you are not using another server for verification of user/password
! Group name in your client
default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
! Password in your client
pre-shared-key 'put_key_here'
See how this works for you.
That is a Remote Access VPN using CA authentication.
Also note that there is an existing remote access VPN using a preshared key, and that one is working fine.
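
Added example (not part of the thread and not Cisco tooling): a small Python parser for the Phase 1 mismatch message quoted in the first post. It tallies what the peer proposed against what the ASA has configured and notes which side holds the smaller Diffie-Hellman group. The regular expression assumes the line shape shown in that post; all sample lines after the first are constructed.

```python
import re
from collections import Counter

# Line shape taken from the log message quoted in the thread (assumption:
# other attribute classes are logged in the same "Rcv'd: X Cfg'd: Y" form).
MISMATCH = re.compile(
    r"\[IKEv1\]: Phase 1 failure: Mismatched attribute types for class "
    r"(?P<cls>[^:]+): Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+)$"
)

# MODP modulus sizes of the classic IKE groups (RFC 2409, RFC 3526).
DH_BITS = {"Group 1": 768, "Group 2": 1024, "Group 5": 1536, "Group 14": 2048}

SAMPLE = [
    # First line is the one from the thread; the rest are constructed.
    "Aug 06 12:18:59 [IKEv1]: Phase 1 failure: Mismatched attribute types "
    "for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2",
    "Aug 06 12:19:01 [IKEv1]: Phase 1 failure: Mismatched attribute types "
    "for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2",
    "Aug 06 12:19:03 [IKEv1]: Phase 1 failure: Mismatched attribute types "
    "for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2",
    "Aug 06 12:19:03 [IKEv1]: Attempt to get Phase 1 ID data failed",
]

def parse_mismatches(lines):
    """Return (class, received, configured) for every mismatch line."""
    found = []
    for line in lines:
        m = MISMATCH.search(line.strip())
        if m:
            found.append((m["cls"].strip(), m["rcvd"].strip(), m["cfgd"].strip()))
    return found

def summarize(lines):
    """Group identical mismatches, most frequent first, with a DH note."""
    report = []
    for (cls, rcvd, cfgd), n in Counter(parse_mismatches(lines)).most_common():
        note = ""
        r, c = DH_BITS.get(rcvd), DH_BITS.get(cfgd)
        if cls == "Group Description" and r and c:
            side = "peer proposal" if r < c else "ASA policy"
            note = f"smaller group is the {side} ({min(r, c)}-bit MODP)"
        report.append({"class": cls, "received": rcvd,
                       "configured": cfgd, "count": n, "note": note})
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```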