Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

ASA5510 dynamic VPN from RV042

So far I have a complete phase 1, and an almost complete phase 2, but one thing I can't figure out. I see this in the debug.

peer is not authenticated by xauth - drop connection.

I get it right after the proxy is setup.

Here is my config

group-policy DefaultRAGroup attributes

vpn-idle-timeout none

vpn-tunnel-protocol ikev1 l2tp-ipsec

password-storage enable

nem enable

tunnel-group DefaultRAGroup general-attributes

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

ikev1 pre-shared-key *****

ikev1 user-authentication none

I have tried many different configurations on both sides, but they all fail with the same error of peer not authenticated by xauth.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

ASA5510 dynamic VPN from RV042

Don't use DefaultRAGroup  - I think that means you it will automatically try to build a user VPN rather than a dynamic L2L.

Change the pre-shared key on the DefaultRAGroup to be something else (so it doesn't match what the other side is sending).  Put all the config you have for DefaultRAGroup tunnel-groupp and group-policy on DefaultL2LGroup tunnel-group and group-policy instead. 

Usually the DefaultRAGroup is a 'remote-access' type which doesn't mean L2L.  DefaultL2LGroup should hopefully fix it.

8 REPLIES
Cisco Employee

ASA5510 dynamic VPN from RV042

Hmmm, it looks like you have xauth turned off (ikev1 user-authentication none) - can you turn on debugs (debug crypto isakmp 127) when you try to connect and post those?

--Jason

Community Member

ASA5510 dynamic VPN from RV042

I have tried it with it on, with it off and always the same thing comes back. 

Here is aaa common 50 debug

Initiating tunnel group policy lookup (Svr Grp: GROUP_POLICY_DB)

------------------------------------------------

AAA FSM: In AAA_BindServer

AAA_BindServer: Using server:

AAA FSM: In AAA_SendMsg

User: DefaultRAGroup

Resp:

grp_policy_ioctl(0x0a250e40, 114698, 0xa9372788)

grp_policy_ioctl: Looking up DefaultRAGroup

callback_aaa_task: status = 1, msg =

AAA FSM: In aaa_backend_callback

aaa_backend_callback: Handle = 114, pAcb = 0xadae6da0

AAA task: aaa_process_msg(0xa9373220) received message type 1

AAA FSM: In AAA_ProcSvrResp

Back End response:

------------------

Tunnel Group Policy Status: 1 (ACCEPT)

AAA FSM: In AAA_NextFunction

AAA_NextFunction: i_fsm_state = IFSM_TUNN_GRP_POLICY, auth_status = ACCEPT

AAA_NextFunction: New i_fsm_state = IFSM_DONE,

AAA FSM: In AAA_ProcessFinal

AAA FSM: In AAA_Callback

user attributes:

  1     User-Name(1)     14    "DefaultRAGroup"

  2     User-Password(2)      0    0xae048023   ** Unresolved Attribute **

user policy attributes:

None

tunnel policy attributes:

  1     Idle-Timeout(28)      4    0

  2     Tunnelling-Protocol(4107)      4    12

  3     Store-PW(4112)      4    1

  4     Group-Policy(4121)     14    "DefaultRAGroup"

  5     Network-Extension-Mode-Allowed(4160)      4    1

AAA API: In aaa_close

AAA API: In aaa_send_acct_start

AAA task: aaa_process_msg(0xa9373220) received message type 3

In aaai_close_session (114)

AAA API: In aaa_open

AAA session opened: handle = 115

AAA API: In aaa_process_async

aaa_process_async: sending AAA_MSG_PROCESS

AAA task: aaa_process_msg(0xa9373220) received message type 0

AAA FSM: In AAA_StartAAATransaction

AAA FSM: In AAA_InitTransaction

aaai_policy_name_to_server_id(DefaultRAGroup)

Got server ID 0 for group policy DB

and isakmp 127 with the relevant information. Up to this point it passes.

Feb 24 14:27:54 [IKEv1 DECODE]Group = DefaultRAGroup, IP = x.x.x.x, ID_IPV4_ADDR_SUBNET ID received--10.253.20.0--255.255.255.0

Feb 24 14:27:54 [IKEv1]Group = DefaultRAGroup, IP = x.x.x.x, Received remote IP Proxy Subnet data in ID Payload:   Address 10.253.20.0, Mask 255.255.255.0, Protocol 0, Port 0

Feb 24 14:27:54 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = x.x.x.x, processing ID payload

Feb 24 14:27:54 [IKEv1 DECODE]Group = DefaultRAGroup, IP = x.x.x.x, ID_IPV4_ADDR ID received

66.252.79.16

Feb 24 14:27:54 [IKEv1]Group = DefaultRAGroup, IP = x.x.x.x., Received local Proxy Host data in ID Payload:  Address x.x.x.x, Protocol 0, Port 0

Feb 24 14:27:54 [IKEv1]Group = DefaultRAGroup, IP = x.x.x.x, peer is not authenticated by xauth - drop connection.

Feb 24 14:27:54 [IKEv1]Group = DefaultRAGroup, IP = x.x.x.x, QM FSM error (P2 struct &0xace21cd8, mess id 0xb4d2530a)!

Feb 24 14:27:54 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = x.x.x.x, IKE QM Responder FSM error history (struct &0xace21cd8)  , :  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG-->QM_BLD_MSG2, EV_DECRYPT_OK-->QM_BLD_MSG2, NullEvent

Feb 24 14:27:54 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = x.x.x.x, sending delete/delete with reason message

ASA5510 dynamic VPN from RV042

Dynamic L2L VPN running on ASA or RV042, which is hub or which is spoke ?

Please post your config on the forum, for easier trouble shoot.

thanks

Community Member

ASA5510 dynamic VPN from RV042

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set L2TP-Droid esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set L2TP-Droid mode transport

crypto ipsec ikev1 transform-set EZVPN esp-aes-256 esp-sha-hmac

crypto dynamic-map L2TP 10 set ikev1 transform-set L2TP-Droid ESP-AES-256-MD5 EZVPN

crypto map VPN 20 ipsec-isakmp dynamic L2TP

crypto map VPN interface outside

crypto isakmp nat-traversal 3600

crypto ikev1 enable outside

crypto ikev1 policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 15

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto ikev1 policy 20

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

crypto ikev1 policy 25

authentication pre-share

encryption aes-256

hash md5

group 2

lifetime 86400

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

vpn-idle-timeout none

vpn-tunnel-protocol ikev1 l2tp-ipsec

password-storage enable

nem enable

tunnel-group DefaultRAGroup general-attributes

default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes

ikev1 pre-shared-key *****

ikev1 user-authentication none

EZVPN, L2L VPN WebVPN(anyconnect) and Client VPN do work, as well as the L2TP droid VPN

Community Member

ASA5510 dynamic VPN from RV042

could you give the config of rv042 and ASA5510 now ,i have the config like you but could not ! what your asa and rv042 ver ?

Cisco Employee

ASA5510 dynamic VPN from RV042

Don't use DefaultRAGroup  - I think that means you it will automatically try to build a user VPN rather than a dynamic L2L.

Change the pre-shared key on the DefaultRAGroup to be something else (so it doesn't match what the other side is sending).  Put all the config you have for DefaultRAGroup tunnel-groupp and group-policy on DefaultL2LGroup tunnel-group and group-policy instead. 

Usually the DefaultRAGroup is a 'remote-access' type which doesn't mean L2L.  DefaultL2LGroup should hopefully fix it.

Community Member

ASA5510 dynamic VPN from RV042

Jason, You are the MAN!  Worked like a charm. Once I got the keys straight it came right up and I was able to route into the network.

ASA5510 dynamic VPN from RV042

Hi there,

Here is a link to estiablish Dynamic L2L tunnel configuration very easy to follow and you may change crypto syntax to reflect your version of ASA.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml

I hope that helps.

Thanks

Rizwan Rafeek

2996
Views
0
Helpful
8
Replies
CreatePlease to create content