Cisco Support Community

ASA5505 - VPNclient > All IPSEC SA proposals found unacceptable

Hi all,

Trying to get CiscoVPN client (5.0.02.0090) on Vista Home Premium to connect to ASA5505.

As the title says, the SA proposals are found unacceptable.

And although I've been searching for solutions all over the place, I've not found a working solution yet.

Could anyone help me please?

Thanx

Jaap

1. The config and debug are attached

2. Tested with both users > same result

3. Authentication MS-Chap V2 used > Vista

5 REPLIES

Re: ASA5505 - VPNclient > All IPSEC SA proposals found unaccepti

This most likely is due to transport mode being chosen as the IPsec transform set. Go ahead and change it or remove it; unless you have L2TP over IPsec you don't need that setup.


Re: ASA5505 - VPNclient > All IPSEC SA proposals found unaccepti

Hi,

Thanks for your answer.

I think you are referring to the group-policy DefaultRAGroup?

The group-policy used for testing the Cisco VPN-client (with user Graham) is 'cisco_client_vpn' with one of the attributes being 'vpn-tunnel-protocol IPSec'.

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
group-policy cisco_client_vpn internal
group-policy cisco_client_vpn attributes
 dns-server value 10.16.0.20
 vpn-tunnel-protocol IPSec
 default-domain value diode-networks.local
username graham password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted privilege 0
username graham attributes
 vpn-group-policy cisco_client_vpn
username jaap password cCiE5PO1AMnFfx.p encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNtest
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
tunnel-group cisco_client_vpn type ipsec-ra
tunnel-group cisco_client_vpn general-attributes
 address-pool VPNtest
 default-group-policy cisco_client_vpn
tunnel-group cisco_client_vpn ipsec-attributes
 pre-shared-key *
tunnel-group cisco_client_vpn ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2

Could it be that my problem has to do with:

- the crypto (dynamic-)map. Numbers 20, 40?

- no routes defined by the VPN-client wizard?

- no reverse route injection configured?

And what IPSec transform sets are offered by the VPN clients?

Thanx,

Jaap

Re: ASA5505 - VPNclient > All IPSEC SA proposals found unaccepti

Jaap, I actually meant the transform set: take off the transport mode for testing. That is typically used for L2TP over IPSec clients, not IPSec.

Routes should not be required, as it should use the ASA default gateway.


Re: ASA5505 - VPNclient > All IPSEC SA proposals found unaccepti

Hi Ivan,

It must have been too early for me this morning :).

Followed your advice and deleted:

- crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA

Added:

- TRANS_ESP_3DES_SHA (as first option) to crypto dynamic-map outside_dyn_map 40 set transform-set vpnclient ESP-DES-MD5 ESP-3DES-MD5 ESP-3DES-SHA

and it works !!! :)

The L2TP is also still working.

It seems that my 5505 (and the other ASA models?) does/do not like two lines with 'crypto dynamic-map', in this case 20 & 40.

Is this a flaw in the handling?

Anyway, thanks a lot for your help.

Greetz

Jaap
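The change described in the post above, turned into a config check. This is an added example, not code from any poster or from Cisco: it flags a dynamic-map entry that offers only transport-mode transform sets and sits ahead of an entry offering tunnel-mode ones. The two `crypto dynamic-map` lines are quoted from the posts; the `mode transport` definition line is an assumption (the attached config is not on the page), and `parse` / `shadowing_entries` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed samples. The dynamic-map lines are quoted from the thread; the
# "mode transport" line is assumed (the attached config is not on the page).
BEFORE = """\
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 40 set transform-set vpnclient ESP-DES-MD5 ESP-3DES-MD5 ESP-3DES-SHA
"""
AFTER = """\
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA vpnclient ESP-DES-MD5 ESP-3DES-MD5 ESP-3DES-SHA
"""

MODE_RE = re.compile(r"^crypto ipsec transform-set (\S+) mode transport$")
DYN_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set transform-set (.+)$")

def parse(config):
    """Return (transport-mode set names, {map name: {seq: [transform sets]}})."""
    transport, entries = set(), defaultdict(dict)
    for line in map(str.strip, config.splitlines()):
        if m := MODE_RE.match(line):
            transport.add(m.group(1))
        elif m := DYN_RE.match(line):
            entries[m.group(1)][int(m.group(2))] = m.group(3).split()
    return transport, entries

def shadowing_entries(config):
    """List (map, seq, later_seq): seq offers only transport-mode sets while a
    higher-numbered entry of the same map offers at least one tunnel-mode set."""
    transport, entries = parse(config)
    findings = []
    for name, seqs in entries.items():
        ordered = sorted(seqs)
        for i, seq in enumerate(ordered):
            if not all(ts in transport for ts in seqs[seq]):
                continue  # this entry already offers a tunnel-mode set
            for later in ordered[i + 1:]:
                # Sets with no "mode transport" line are treated as tunnel mode.
                if any(ts not in transport for ts in seqs[later]):
                    findings.append((name, seq, later))
                    break
    return findings

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, shadowing_entries(cfg) or "no transport-only entry ahead of a tunnel-mode one")
```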

Re: ASA5505 - VPNclient > All IPSEC SA proposals found unaccepti

Great news!
