Cisco Support Community

ASK THE EXPERTS - IP SECURITY VPN

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on IP Security VPN  with Cisco experts Syed Ziaullah and Sundar Srinivasaraghavan.  Syed is a customer support engineer at Cisco's Technical Assistance Center in the VPN and security domain, where he has worked for more than four years. He helps a variety of Cisco customers in configuring new network setups as well as troubleshooting their existing network issues related to security. Syed holds CCIE certification (CCIE # 19264) in Security.  Sundar is a customer support engineer at Cisco in the High Touch Technical Support (HTTS) Security team, providing configuration and troubleshooting assistance to customers through service requests. He has been with Cisco for more than 10 years and has extensive experience in installation, configuration, and troubleshooting of IPsec VPNs. He holds CCIE certification (CCIE # 6415) in both Routing & Switching and Security.
Remember to use the rating system to let Syed and Sundar know if you have received an adequate response.
Syed and Sundar might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 2, 2010. Visit this forum often to view responses to your questions and the questions of other community members.

83 REPLIES

Re: ASK THE EXPERTS - IP SECURITY VPN

Hi,

Thank you for the opportunity, I have two general questions...

1. Is there any plan for the ASA to support GRE? (if not, what are the reasons?)
2. I know that GETVPN can be implemented over a WAN; can it be implemented over the Internet? (If so, what are the cons?)

Thank you :-)

Federico.

Cisco Employee

Re: ASK THE EXPERTS - IP SECURITY VPN

Hi Federico,

GRE termination is not supported on the ASA yet, but it's on the roadmap for the ASA.

The GETVPN technology preserves the IP address; therefore, if your internal network uses private IPs, it is not routable. However, if you make every IP routable, it will be a security concern, as your internal IPs will be visible to the outside world.

Hope this answers your question.

thanks

-Syed / Sundar

Community Member

Re: ASK THE EXPERTS - IP SECURITY VPN

Hi Syed,

I was trying to understand the topic of EasyVPN and RADIUS.

Here is the problem.

Will appreciate your insight.

Thank you,

Paul

EasyVPN and RADIUS authentication and Authorization question:

R6 is an EzVPN server.

R4 is an EzVPN client.

When I use local authentication and authorization, everything works perfectly.

Unfortunately, when I enable RADIUS authentication and authorization, it fails.

R6#

conf t
aaa new-model
aaa authentication login TACAUTH group radius
aaa authorization network TACAUTH group radius

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
exit

crypto ipsec transform-set TS1 esp-3des esp-sha-hmac
exit

ip local pool VPN_POOL1 44.44.100.1 44.44.100.100

access-list 150 permit ip 66.66.66.66 0.0.0.0 any


! R2 Client Mode VPN
crypto isakmp client configuration group VPN_GROUP2
acl 150
key cisco123
pool VPN_POOL1
save-password
exit


! ISAKMP Profile for R2 Client Mode VPN
crypto isakmp profile ISAKMP_PROF2
match identity group VPN_GROUP2
client authentication list TACAUTH
isakmp authorization list TACAUTH
client configuration address respond
virtual-template 3
exit

crypto ipsec profile IPSEC_PROF1
set transform-set TS1
exit

! Use this Template for R2 Client Mode VPN
interface Virtual-Template3 type tunnel
ip unnumbered FastEthernet0/0
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROF1
exit

end

wr mem

R4#

interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
exit

crypto ipsec client ezvpn CLIENT
connect auto
group VPN_GROUP2 key cisco123
mode client
peer 44.44.2.6
virtual-interface 1
username vpnuser2 password cisco123
xauth userid mode local
exit

interface Loopback4
crypto ipsec client ezvpn CLIENT inside
exit       
interface Loopback44
crypto ipsec client ezvpn CLIENT inside
exit
interface FastEthernet0/0
description Internet Connection
crypto ipsec client ezvpn CLIENT
exit
end
wr mem

On Cisco ACS I configured 2 users:

1) VPN_GROUP2 password cisco

ipsec:tunnel-type=ESP
ipsec:key-exchange=ike
ipsec:tunnel-password=cisco123
ipsec:addr-pool=VPN_POOL1
ipsec:inacl=150
ipsec:save-password=1

[6] Service-Type: Outbound

[064] Tunnel-Type: IP ESP

[069] Tunnel-Password: cisco123

2) vpnuser2 password cisco123

ipsec:user-vpn-group=VPN_GROUP2
ipsec:user-save-password=1

Scenario 1:

aaa authentication login TACAUTH group radius
aaa authorization network TACAUTH local

username vpnser2 password cisco

*Feb 19 21:48:27.779: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=vpnuser2  Group=VPN_GROUP2  Server_public_addr=44.44.2.6 
*Feb 19 21:48:30.059: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=vpnuser2  Group=VPN_GROUP2  Server_public_addr=44.44.2.6  Assigned_client_addr=44.44.100.3 
*Feb 19 21:48:30.067: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
*Feb 19 21:48:31.951: %LINK-3-UPDOWN: Interface Loopback10000, changed state to up
*Feb 19 21:48:32.951: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to up
*Feb 19 21:48:36.243: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up

ACS Passed authentication log:

06/21/2010 21:31:41 Authen OK vpnuser2 Default Group 44.44.4.4 0 44.44.2.6 (Default) ................ R6 ..
06/21/2010 21:06:19 Authen OK vpnuser2 Default Group 44.44.4.4 1 44.44.2.6 (Default) ................ R6 ..

Scenario 2:

aaa authentication login TACAUTH group radius
aaa authorization network TACAUTH group radius
no username vpnser2 password cisco

Debug:

R6#
*Jun 22 01:34:13.199: ISAKMP (1003): received packet from 44.44.4.4 dport 500 sport 500 Global (R) QM_IDLE     
*Jun 22 01:34:13.199: ISAKMP: set new node -351141363 to QM_IDLE     
*Jun 22 01:34:13.203: ISAKMP:(1003): processing HASH payload. message ID = -351141363
*Jun 22 01:34:13.203: ISAKMP:received payload type 18
*Jun 22 01:34:13.203: ISAKMP:(1003):Processing delete with reason payload
*Jun 22 01:34:13.203: ISAKMP:(1003):delete doi = 1
*Jun 22 01:34:13.203: ISAKMP:(1003):delete protocol id = 1
*Jun 22 01:34:13.203: ISAKMP:(1003):delete spi_size =  16
*Jun 22 01:34:13.203: ISAKMP:(1003):delete num spis = 1
*Jun 22 01:34:13.203: ISAKMP:(1003):delete_reason = 8
*Jun 22 01:34:13.203: ISAKMP:(1003): processing DELETE_WITH_REASON payload, message ID = -351141363, reason: Unknown delete reason!
*Jun 22 01:34:13.203: ISAKMP:(1003):peer does not do paranoid keepalives.

*Jun 22 01:34:13.203: ISAKMP:(1003):peer does not do paranoid keepalives.

*Jun 22 01:34:13.203: ISAKMP:(1003):deleting SA reason "Death by tree-walk" state (R) QM_IDLE       (peer 44.44.4.4)
*Jun 22 01:34:13.203: ISAKMP:(1003):deleting node -351141363 error FALSE reason "Informational (in) state 1"
*Jun 22 01:34:13.203: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 22 01:34:13.203: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Jun 22 01:34:13.203: IPSEC(key_engine_delete_sas): delete all SAs shared with peer 44.44.4.4
*Jun 22 01:34:13.203: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 44.44.2.6, sa_proto= 50,
    sa_spi= 0xFAC29DF0(4207058416),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2005
    sa_lifetime(k/sec)= (4378165/3600),
  (identity) local= 44.44.2.6, remote= 44.44.4.4,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Jun 22 01:34:13.207: IPSEC(update_current_outbound_sa): updated peer 44.44.4.4 current outbound sa to SPI 0
*Jun 22 01:34:13.207: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 44.44.4.4, sa_proto= 50,
    sa_spi= 0xCE0E33BF(3457037247),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2006
    sa_lifetime(k/sec)= (4378165/3600),
  (identity) local= 44.44.2.6, remote= 44.44.4.4,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Jun 22 01:34:13.207: IPSEC(rte_mgr): VPN Route Event rekey so decrement refcount for peer 44.44.4.4
*Jun 22 01:34:13.207: ISAKMP: set new node 1766126451 to QM_IDLE     
*Jun 22 01:34:13.211: ISAKMP:(1003): sending packet to 44.44.4.4 my_port 500 peer_port 500 (R) QM_IDLE     
*Jun 22 01:34:13.211: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Jun 22 01:34:13.211: ISAKMP:(1003):purging node 1766126451
*Jun 22 01:34:13.211: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jun 22 01:34:13.211: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Jun 22 01:34:13.211: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
*Jun 22 01:34:13.219: IPSEC(rte_mgr): VPN Route Event Deleting dynamic maps for peer 44.44.4.4
*Jun 22 01:34:13.219: IPSEC(rte_mgr): VPN Route Event Delete ident remove routes from static map for peer 44.44.4.4
*Jun 22 01:34:13.223: ISAKMP:(1003):deleting SA reason "Death by tree-walk" state (R) QM_IDLE       (peer 44.44.4.4)
*Jun 22 01:34:13.223: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
*Jun 22 01:34:13.223: ISAKMP (1003): returning address 44.44.100.3 to pool
*Jun 22 01:34:13.223: ISAKMP: Unlocking peer struct 0x4930F5D4 for isadb_mark_sa_deleted(), count 0
*Jun 22 01:34:13.223: ISAKMP: returning address 44.44.100.3 to pool
*Jun 22 01:34:13.223: ISAKMP: Deleting peer node by peer_reap for 44.44.4.4: 4930F5D4
*Jun 22 01:34:13.223: ISAKMP: returning address 44.44.100.3 to pool
*Jun 22 01:34:13.223: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jun 22 01:34:13.223: ISAKMP:(1003):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Jun 22 01:34:13.227: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jun 22 01:34:15.099: ISAKMP (0): received packet from 44.44.4.4 dport 500 sport 500 Global (N) NEW SA
*Jun 22 01:34:15.099: ISAKMP: Created a peer struct for 44.44.4.4, peer port 500
*Jun 22 01:34:15.099: ISAKMP: New peer created peer = 0x4930F5D4 peer_handle = 0x80000035
*Jun 22 01:34:15.099: ISAKMP: Locking peer struct 0x4930F5D4, refcount 1 for crypto_isakmp_process_block
*Jun 22 01:34:15.099: ISAKMP: local port 500, remote port 500
*Jun 22 01:34:15.099: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 49D71674
*Jun 22 01:34:15.099: ISAKMP:(0): processing SA payload. message ID = 0
*Jun 22 01:34:15.099: ISAKMP:(0): processing ID payload. message ID = 0
*Jun 22 01:34:15.099: ISAKMP (0): ID payload
        next-payload : 13
        type         : 11
        group id     : VPN_GROUP2
        protocol     : 17
        port         : 0
        length       : 18
*Jun 22 01:34:15.099: ISAKMP:(0):: peer matches ISAKMP_PROF2 profile
*Jun 22 01:34:15.099: ISAKMP:(0):Setting client config settings 49BC8A44
*Jun 22 01:34:15.103: ISAKMP:(0):(Re)Setting client xauth list  and state
*Jun 22 01:34:15.103: ISAKMP/xauth: initializing AAA request
*Jun 22 01:34:15.103: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.103: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 22 01:34:15.103: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jun 22 01:34:15.103: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.103: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jun 22 01:34:15.103: ISAKMP (0): vendor ID is NAT-T v7
*Jun 22 01:34:15.103: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.103: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jun 22 01:34:15.103: ISAKMP:(0): vendor ID is NAT-T v3
*Jun 22 01:34:15.103: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.103: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jun 22 01:34:15.103: ISAKMP:(0): vendor ID is NAT-T v2
*Jun 22 01:34:15.103: ISAKMP:(0): Authentication by xauth preshared
*Jun 22 01:34:15.103: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Jun 22 01:34:15.103: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.103: ISAKMP:      keylength of 128
*Jun 22 01:34:15.103: ISAKMP:      hash SHA
*Jun 22 01:34:15.103: ISAKMP:      default group 2
*Jun 22 01:34:15.103: ISAKMP:      auth XAUTHInitPreShared
*Jun 22 01:34:15.103: ISAKMP:      life type in seconds
*Jun 22 01:34:15.103: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.103: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.103: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.103: ISAKMP:(0):Checking ISAKMP transform 2 against priority 1 policy
*Jun 22 01:34:15.103: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.103: ISAKMP:      keylength of 128
*Jun 22 01:34:15.103: ISAKMP:      hash MD5
*Jun 22 01:34:15.103: ISAKMP:      default group 2
*Jun 22 01:34:15.103: ISAKMP:      auth XAUTHInitPreShared
*Jun 22 01:34:15.103: ISAKMP:      life type in seconds
*Jun 22 01:34:15.103: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.107: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.107: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.107: ISAKMP:(0):Checking ISAKMP transform 3 against priority 1 policy
*Jun 22 01:34:15.107: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.107: ISAKMP:      keylength of 192
*Jun 22 01:34:15.107: ISAKMP:      hash SHA
*Jun 22 01:34:15.107: ISAKMP:      default group 2
*Jun 22 01:34:15.107: ISAKMP:      auth XAUTHInitPreShared
*Jun 22 01:34:15.107: ISAKMP:      life type in seconds
*Jun 22 01:34:15.107: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.107: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.107: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.107: ISAKMP:(0):Checking ISAKMP transform 4 against priority 1 policy
*Jun 22 01:34:15.107: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.107: ISAKMP:      keylength of 192
*Jun 22 01:34:15.107: ISAKMP:      hash MD5
*Jun 22 01:34:15.107: ISAKMP:      default group 2
*Jun 22 01:34:15.107: ISAKMP:      auth XAUTHInitPreShared
*Jun 22 01:34:15.107: ISAKMP:      life type in seconds
*Jun 22 01:34:15.107: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.107: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.107: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.107: ISAKMP:(0):Checking ISAKMP transform 5 against priority 1 policy
*Jun 22 01:34:15.107: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.107: ISAKMP:      keylength of 256
*Jun 22 01:34:15.107: ISAKMP:      hash SHA
*Jun 22 01:34:15.107: ISAKMP:      default group 2
*Jun 22 01:34:15.107: ISAKMP:      auth XAUTHInitPreShared
*Jun 22 01:34:15.107: ISAKMP:      life type in seconds
*Jun 22 01:34:15.107: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.107: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.107: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.107: ISAKMP:(0):Checking ISAKMP transform 6 against priority 1 policy
*Jun 22 01:34:15.107: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.107: ISAKMP:      keylength of 256
*Jun 22 01:34:15.107: ISAKMP:      hash MD5
*Jun 22 01:34:15.107: ISAKMP:      default group 2
*Jun 22 01:34:15.107: ISAKMP:      auth XAUTHInitPreShared
*Jun 22 01:34:15.107: ISAKMP:      life type in seconds
*Jun 22 01:34:15.107: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.107: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.107: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.107: ISAKMP:(0):Checking ISAKMP transform 7 against priority 1 policy
*Jun 22 01:34:15.107: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.107: ISAKMP:      keylength of 128
*Jun 22 01:34:15.107: ISAKMP:      hash SHA
*Jun 22 01:34:15.107: ISAKMP:      default group 2
*Jun 22 01:34:15.107: ISAKMP:      auth pre-share
*Jun 22 01:34:15.107: ISAKMP:      life type in seconds
*Jun 22 01:34:15.107: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.107: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.107: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.107: ISAKMP:(0):Checking ISAKMP transform 8 against priority 1 policy
*Jun 22 01:34:15.107: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.107: ISAKMP:      keylength of 128
*Jun 22 01:34:15.111: ISAKMP:      hash MD5
*Jun 22 01:34:15.111: ISAKMP:      default group 2
*Jun 22 01:34:15.111: ISAKMP:      auth pre-share
*Jun 22 01:34:15.111: ISAKMP:      life type in seconds
*Jun 22 01:34:15.111: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.111: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.111: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.111: ISAKMP:(0):Checking ISAKMP transform 9 against priority 1 policy
*Jun 22 01:34:15.111: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.111: ISAKMP:      keylength of 192
*Jun 22 01:34:15.111: ISAKMP:      hash SHA
*Jun 22 01:34:15.111: ISAKMP:      default group 2
*Jun 22 01:34:15.111: ISAKMP:      auth pre-share
*Jun 22 01:34:15.111: ISAKMP:      life type in seconds
*Jun 22 01:34:15.111: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.111: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.111: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.111: ISAKMP:(0):Checking ISAKMP transform 10 against priority 1 policy
*Jun 22 01:34:15.111: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.111: ISAKMP:      keylength of 192
*Jun 22 01:34:15.111: ISAKMP:      hash MD5
*Jun 22 01:34:15.111: ISAKMP:      default group 2
*Jun 22 01:34:15.111: ISAKMP:      auth pre-share
*Jun 22 01:34:15.111: ISAKMP:      life type in seconds
*Jun 22 01:34:15.111: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.111: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.111: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.111: ISAKMP:(0):Checking ISAKMP transform 11 against priority 1 policy
*Jun 22 01:34:15.111: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.111: ISAKMP:      keylength of 256
*Jun 22 01:34:15.111: ISAKMP:      hash SHA
*Jun 22 01:34:15.111: ISAKMP:      default group 2
*Jun 22 01:34:15.111: ISAKMP:      auth pre-share
*Jun 22 01:34:15.111: ISAKMP:      life type in seconds
*Jun 22 01:34:15.111: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.111: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.111: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.111: ISAKMP:(0):Checking ISAKMP transform 12 against priority 1 policy
*Jun 22 01:34:15.111: ISAKMP:      encryption AES-CBC
*Jun 22 01:34:15.111: ISAKMP:      keylength of 256
*Jun 22 01:34:15.111: ISAKMP:      hash MD5
*Jun 22 01:34:15.111: ISAKMP:      default group 2
*Jun 22 01:34:15.111: ISAKMP:      auth pre-share
*Jun 22 01:34:15.111: ISAKMP:      life type in seconds
*Jun 22 01:34:15.111: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.111: ISAKMP:(0):Encryption algorithm offered does not match policy!
*Jun 22 01:34:15.111: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.111: ISAKMP:(0):Checking ISAKMP transform 13 against priority 1 policy
*Jun 22 01:34:15.111: ISAKMP:      encryption 3DES-CBC
*Jun 22 01:34:15.111: ISAKMP:      hash SHA
*Jun 22 01:34:15.111: ISAKMP:      default group 2
*Jun 22 01:34:15.111: ISAKMP:      auth XAUTHInitPreShared
*Jun 22 01:34:15.111: ISAKMP:      life type in seconds
*Jun 22 01:34:15.111: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.111: ISAKMP:(0):Hash algorithm offered does not match policy!
*Jun 22 01:34:15.111: ISAKMP:(0):atts are not acceptable. Next payload is 3
*Jun 22 01:34:15.111: ISAKMP:(0):Checking ISAKMP transform 14 against priority 1 policy
*Jun 22 01:34:15.111: ISAKMP:      encryption 3DES-CBC
*Jun 22 01:34:15.111: ISAKMP:      hash MD5
*Jun 22 01:34:15.111: ISAKMP:      default group 2
*Jun 22 01:34:15.111: ISAKMP:      auth XAUTHInitPreShared
*Jun 22 01:34:15.111: ISAKMP:      life type in seconds
*Jun 22 01:34:15.111: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
*Jun 22 01:34:15.111: ISAKMP:(0):atts are acceptable. Next payload is 3
*Jun 22 01:34:15.115: ISAKMP:(0):Acceptable atts:actual life: 86400
*Jun 22 01:34:15.115: ISAKMP:(0):Acceptable atts:life: 0
*Jun 22 01:34:15.115: ISAKMP:(0):Fill atts in sa vpi_length:4
*Jun 22 01:34:15.115: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
*Jun 22 01:34:15.115: ISAKMP:(0):Returning Actual lifetime: 86400
*Jun 22 01:34:15.115: ISAKMP:(0)::Started lifetime timer: 86400.

*Jun 22 01:34:15.115: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.115: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Jun 22 01:34:15.115: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Jun 22 01:34:15.115: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.115: ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
*Jun 22 01:34:15.115: ISAKMP (0): vendor ID is NAT-T v7
*Jun 22 01:34:15.115: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.115: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
*Jun 22 01:34:15.115: ISAKMP:(0): vendor ID is NAT-T v3
*Jun 22 01:34:15.115: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.115: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Jun 22 01:34:15.115: ISAKMP:(0): vendor ID is NAT-T v2
*Jun 22 01:34:15.115: ISAKMP:(0): processing KE payload. message ID = 0
*Jun 22 01:34:15.163: ISAKMP:(0): processing NONCE payload. message ID = 0
*Jun 22 01:34:15.163: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.163: ISAKMP:(0): vendor ID is DPD
*Jun 22 01:34:15.163: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.163: ISAKMP:(0): vendor ID seems Unity/DPD but major 204 mismatch
*Jun 22 01:34:15.163: ISAKMP:(0): vendor ID is XAUTH
*Jun 22 01:34:15.163: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.163: ISAKMP:(0): claimed IOS but failed authentication
*Jun 22 01:34:15.163: ISAKMP:(0): processing vendor id payload
*Jun 22 01:34:15.163: ISAKMP:(0): vendor ID is Unity
*Jun 22 01:34:15.163: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
*Jun 22 01:34:15.163: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

*Jun 22 01:34:15.167: RADIUS/ENCODE(00000039):Orig. component type = VPN_IPSEC
*Jun 22 01:34:15.167: RADIUS:  AAA Unsupported Attr: interface         [175] 9  
*Jun 22 01:34:15.167: RADIUS:   34 34 2E 34 34 2E 32                             [44.44.2]
*Jun 22 01:34:15.167: RADIUS(00000039): Config NAS IP: 0.0.0.0
*Jun 22 01:34:15.167: RADIUS/ENCODE(00000039): acct_session_id: 57
*Jun 22 01:34:15.167: RADIUS(00000039): sending
*Jun 22 01:34:15.167: RADIUS/ENCODE: Best Local IP-Address 44.44.2.6 for Radius-Server 44.44.2.100
*Jun 22 01:34:15.167: RADIUS(00000039): Send Access-Request to 44.44.2.100:1645 id 1645/52, len 96
*Jun 22 01:34:15.167: RADIUS:  authenticator BA 5B AF 6B 3C 98 69 7C - 3E 66 3F 32 EE D5 1D DE
*Jun 22 01:34:15.167: RADIUS:  User-Name           [1]   12  "VPN_GROUP2"
*Jun 22 01:34:15.167: RADIUS:  User-Password       [2]   18  *
*Jun 22 01:34:15.167: RADIUS:  Calling-Station-Id  [31]  11  "44.44.4.4"
*Jun 22 01:34:15.167: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
*Jun 22 01:34:15.167: RADIUS:  NAS-Port            [5]   6   1                        
*Jun 22 01:34:15.167: RADIUS:  NAS-Port-Id         [87]  11  "44.44.2.6"
*Jun 22 01:34:15.171: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*Jun 22 01:34:15.171: RADIUS:  NAS-IP-Address      [4]   6   44.44.2.6                
*Jun 22 01:34:15.175: RADIUS: Received from id 1645/52 44.44.2.100:1645, Access-Reject, len 32
*Jun 22 01:34:15.175: RADIUS:  authenticator 72 D6 E8 BA D4 D7 C7 3C - 37 10 37 DE 10 D8 C4 94
*Jun 22 01:34:15.175: RADIUS:  Reply-Message       [18]  12 
*Jun 22 01:34:15.175: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D                    [Rejected??]
*Jun 22 01:34:15.175: RADIUS(00000039): Received from id 1645/52
*Jun 22 01:34:15.179: RADIUS/DECODE: Reply-Message fragments, 10, total 10 bytes
*Jun 22 01:34:15.179: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Jun 22 01:34:15.179: ISAKMP:(0):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
*Jun 22 01:34:15.179: ISAKMP (0): ID payload
        next-payload : 10
        type         : 1
        address      : 44.44.2.6
        protocol     : 0
        port         : 0
        length       : 12
*Jun 22 01:34:15.179: ISAKMP:(0):Total payload length: 12
*Jun 22 01:34:15.179: ISAKMP:(0): sending packet to 44.44.4.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Jun 22 01:34:15.179: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 22 01:34:15.179: ISAKMP:(0):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
*Jun 22 01:34:15.179: ISAKMP:(0):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2

*Jun 22 01:34:25.095: ISAKMP (0): received packet from 44.44.4.4 dport 500 sport 500 Global (R) AG_INIT_EXCH
*Jun 22 01:34:25.095: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Jun 22 01:34:25.095: ISAKMP:(0): retransmitting due to retransmit phase 1
*Jun 22 01:34:25.595: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Jun 22 01:34:25.595: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Jun 22 01:34:25.595: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Jun 22 01:34:25.595: ISAKMP:(0): sending packet to 44.44.4.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Jun 22 01:34:25.595: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 22 01:34:26.595: ISAKMP (0): received packet from 44.44.4.4 dport 500 sport 500 Global (R) AG_INIT_EXCH
*Jun 22 01:34:26.595: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Jun 22 01:34:26.595: ISAKMP:(0): retransmission skipped for phase 1 (time since last transmission 1000)
*Jun 22 01:34:35.595: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Jun 22 01:34:35.595: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Jun 22 01:34:35.595: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Jun 22 01:34:35.595: ISAKMP:(0): sending packet to 44.44.4.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Jun 22 01:34:35.595: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 22 01:34:36.095: ISAKMP (0): received packet from 44.44.4.4 dport 500 sport 500 Global (R) AG_INIT_EXCH
*Jun 22 01:34:36.095: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Jun 22 01:34:36.095: ISAKMP:(0): retransmission skipped for phase 1 (time since last transmission 500)
*Jun 22 01:34:45.595: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH...
*Jun 22 01:34:45.595: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Jun 22 01:34:45.595: ISAKMP:(0): retransmitting phase 1 AG_INIT_EXCH
*Jun 22 01:34:45.595: ISAKMP:(0): sending packet to 44.44.4.4 my_port 500 peer_port 500 (R) AG_INIT_EXCH
*Jun 22 01:34:45.595: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Jun 22 01:34:46.095: ISAKMP (0): received packet from 44.44.4.4 dport 500 sport 500 Global (R) AG_INIT_EXCH
*Jun 22 01:34:46.095: ISAKMP:(0): phase 1 packet is a duplicate of a previous packet.
*Jun 22 01:34:46.095: ISAKMP:(0): retransmission skipped for phase 1 (time since last transmission 500)

ACS Server Failed authentication log:

06/21/2010 21:35:32 Authen failed VPN_GROUP2 Default Group 44.44.4.4 (Default) ACS password invalid .... 1 44.44.2.6 .......... R6 .. ACS ....
06/21/2010 21:34:49 Authen failed VPN_GROUP2 Default Group 44.44.4.4 (Default) ACS password invalid .... 0 44.44.2.6 .......... R6 ..

Cisco Employee

Re: ASK THE EXPERTS - IP SECURITY VPN

Hi Paul,

Thanks for posting the question with excellent details.

In your second scenario the router is actually contacting the ACS server with the username VPN_GROUP2, and the password for this username should be "cisco" (lowercase). Sundar (my colleague) actually replicated your config here in the lab and it worked fine. The only time he saw your issue was when the password was set to uppercase "CISCO". Can you please double-check the password on your ACS for the user VPN_GROUP2?

thanks

Syed / Sundar
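The debug above shows the point Syed makes: the router's first Access-Request carries the ISAKMP group name (VPN_GROUP2, with Service-Type Outbound) as the RADIUS User-Name, and that is the request ACS rejects. The following script is an added example for this thread (not Cisco's or the poster's code) that correlates Access-Request/reply pairs in IOS `debug radius` output by request id and reports which identity was rejected. The first exchange in the sample is copied from the R6 debug above; the second, accepted exchange for vpnuser2 is constructed.

```python
"""Correlate RADIUS Access-Request / reply pairs in IOS 'debug radius' output.

Added example for the EzVPN + RADIUS thread above, not Cisco's or the
poster's code. SAMPLE_DEBUG: the first exchange is copied from the R6 debug
posted in the thread; the second (Access-Accept for vpnuser2) is constructed.
"""
import re
from dataclasses import dataclass, field

RE_SEND = re.compile(r"RADIUS\((\w+)\): Send Access-Request to (\S+) id (\S+), len (\d+)")
RE_RECV = re.compile(r"RADIUS: Received from id (\S+) (\S+), (Access-\w+), len (\d+)")
RE_ATTR = re.compile(r"RADIUS:\s+([\w-]+)\s+\[(\d+)\]\s+\d+\s*(.*)$")

SAMPLE_DEBUG = """\
*Jun 22 01:34:15.167: RADIUS(00000039): Send Access-Request to 44.44.2.100:1645 id 1645/52, len 96
*Jun 22 01:34:15.167: RADIUS:  authenticator BA 5B AF 6B 3C 98 69 7C - 3E 66 3F 32 EE D5 1D DE
*Jun 22 01:34:15.167: RADIUS:  User-Name           [1]   12  "VPN_GROUP2"
*Jun 22 01:34:15.167: RADIUS:  User-Password       [2]   18  *
*Jun 22 01:34:15.167: RADIUS:  Calling-Station-Id  [31]  11  "44.44.4.4"
*Jun 22 01:34:15.171: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
*Jun 22 01:34:15.175: RADIUS: Received from id 1645/52 44.44.2.100:1645, Access-Reject, len 32
*Jun 22 01:34:15.175: RADIUS:  Reply-Message       [18]  12
*Jun 22 01:34:15.175: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D                    [Rejected??]
*Jun 22 01:34:15.175: RADIUS(00000039): Received from id 1645/52
*Jun 22 01:34:40.001: RADIUS(0000003A): Send Access-Request to 44.44.2.100:1645 id 1645/53, len 98
*Jun 22 01:34:40.001: RADIUS:  User-Name           [1]   10  "vpnuser2"
*Jun 22 01:34:40.001: RADIUS:  Calling-Station-Id  [31]  11  "44.44.4.4"
*Jun 22 01:34:40.009: RADIUS: Received from id 1645/53 44.44.2.100:1645, Access-Accept, len 40
"""


@dataclass
class Exchange:
    session: str                      # RADIUS(<session>) handle printed by IOS
    server: str                       # ip:port the request was sent to
    req_id: str                       # '1645/52' style id used to match the reply
    request: dict = field(default_factory=dict)
    reply: dict = field(default_factory=dict)
    outcome: str = "NO-RESPONSE"      # Access-Accept / Access-Reject / NO-RESPONSE

    @property
    def user_name(self) -> str:
        return self.request.get("User-Name", "")


def _attr_value(raw: str) -> str:
    """Strip the quoting IOS uses; for enumerations keep only the symbolic name."""
    raw = raw.strip()
    if raw.startswith('"'):
        return raw.strip('"')
    return raw.split()[0] if raw else ""


def correlate(debug_text: str) -> list:
    """Pair each Send Access-Request with the reply carrying the same id."""
    by_id, order, current = {}, [], None   # current = dict receiving attribute lines
    for line in debug_text.splitlines():
        m = RE_SEND.search(line)
        if m:
            ex = Exchange(session=m.group(1), server=m.group(2), req_id=m.group(3))
            by_id[ex.req_id] = ex
            order.append(ex)
            current = ex.request
            continue
        m = RE_RECV.search(line)
        if m:
            ex = by_id.get(m.group(1))
            if ex is None:                 # reply for a request we never saw
                current = None
                continue
            ex.outcome = m.group(3)
            current = ex.reply
            continue
        m = RE_ATTR.search(line)
        if m and current is not None:
            current[m.group(1)] = _attr_value(m.group(3))
    return order


def diagnose(ex: Exchange) -> str:
    """Name the EzVPN step an exchange belongs to and what its outcome means.

    The EzVPN server sends the group-authorization lookup with User-Name set to
    the ISAKMP group and Service-Type Outbound; the XAUTH user login is a
    separate request. Knowing which one failed tells you which ACS account to check.
    """
    kind = ("group authorization" if ex.request.get("Service-Type") == "Outbound"
            else "xauth user authentication")
    if ex.outcome == "Access-Reject":
        return (f"{kind} REJECTED by {ex.server} for User-Name '{ex.user_name}' "
                f"(id {ex.req_id}): check the ACS account with exactly that name")
    if ex.outcome == "Access-Accept":
        return f"{kind} accepted for User-Name '{ex.user_name}' (id {ex.req_id})"
    return f"{kind} for '{ex.user_name}' (id {ex.req_id}) got no reply: check reachability/shared secret"


if __name__ == "__main__":
    for exchange in correlate(SAMPLE_DEBUG):
        print(diagnose(exchange))
```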

Community Member

Re: ASK THE EXPERTS - IP SECURITY VPN

Hi Syed,

Thank you for your help! Actually the main reason that it was failing was the password.

In my scenario I used cisco123 as a password everywhere, on ACS, R6, R4, R2. For some reason it works with cisco, but refuses to work with cisco123, which seems like a bug to me.

I put together an article with screenshots describing this setup. Thought it might be helpful for all of us studying for CCIE Security:

http://www.isrcomputing.com/knowledge-base/46-ccie-security-pursuit/183-ccie-security-vpn-study-guide-dynamic-vti-radius-aaa

Good Luck,

Paul

Community Member

Re: ASK THE EXPERTS - IP SECURITY VPN

Just in case you want to try to replicate the "cisco123" issue:

CiscoSecure ACS
Release 4.1(4) Build 13 Patch 12

R6#show ver
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 19-Oct-09 17:38 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

R6 uptime is 6 hours, 2 minutes
System returned to ROM by power-on
System image file is "flash:c2800nm-adventerprisek9-mz.124-24.T2.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2811 (revision 53.50) with 223232K/38912K bytes of memory.
Processor board ID FTX1123F068
2 FastEthernet interfaces
3 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
251904K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2142 (will be 0x2102 at next reload)

R6#

Cisco Employee

Re: ASK THE EXPERTS - IP SECURITY VPN

Hi Paul,

This restriction of using "cisco" as a password is well documented in the config guide. I don't have the link for the guide handy right now; I will send it to you tomorrow morning once I am in the office.

thanks

-Syed

Cisco Employee

Re: ASK THE EXPERTS - IP SECURITY VPN

Community Member

Re: ASK THE EXPERTS - IP SECURITY VPN

Syed,

That is good for a router that has the standard CLI interface. Both the RVS4000 and the SA520 have a web-based interface only. The document you reference is of no use.

Pete.

Community Member

Cisco 2921 ISR ipsec vpn established but cannot ping lan to lan

Hi, I am building an IPsec VPN tunnel between two sites using an ADSL router and two Cisco 2921 ISR G2 routers (a redundant pair). I am using IPsec stateful failover to make the two routers redundant. The tunnel comes up and the failover works fine as well. I have one issue though: I cannot ping from one LAN to the other. Would you have any suggestion as to what the issue might be? Thanks in advance for your answer.

Cisco Employee

Re: Cisco 2921 ISR ipsec vpn established but cannot ping lan to

Hi Elkharraze,

A couple of things you need to check.

1. If one side is going out through PAT, make sure that NAT-T is enabled and UDP port 4500 is allowed in your network.

2. Check whether the encryption domain includes your LAN segment as well as the remote LAN segment.

3. Check whether the remote site is encrypting the traffic. If it is encrypting the traffic, check on the headend whether it is decrypting the traffic. This will show us if the packets are getting dropped in the middle. Reverse the process to make sure the headend is also encrypting fine.

Hope this helps.

Thanks

-Syed
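Steps 2 and 3 of the checklist can be applied mechanically to the `show crypto ipsec sa` output from both ends of the tunnel. The script below is an added example written for this thread, not a Cisco tool; the two output excerpts are constructed in the IOS layout, and the site names, addresses and counters are assumptions.

```python
"""Check a LAN-to-LAN tunnel from both ends' 'show crypto ipsec sa' output:
encryption-domain coverage first, then encaps/decaps counters per direction."""
import ipaddress
import re

# Hypothetical parser for one IOS SA block (idents followed by packet counters).
SA_RE = re.compile(
    r"local\s+ident \(addr/mask/prot/port\): \((?P<laddr>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+\)"
    r".*?remote ident \(addr/mask/prot/port\): \((?P<raddr>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+\)"
    r".*?#pkts encaps: (?P<encaps>\d+)"
    r".*?#pkts decaps: (?P<decaps>\d+)",
    re.S,
)


def parse_ipsec_sa(text):
    """One dict per SA: local/remote encryption-domain networks and counters."""
    sas = []
    for m in SA_RE.finditer(text):
        sas.append({
            "local": ipaddress.ip_network(f"{m['laddr']}/{m['lmask']}", strict=False),
            "remote": ipaddress.ip_network(f"{m['raddr']}/{m['rmask']}", strict=False),
            "encaps": int(m["encaps"]),
            "decaps": int(m["decaps"]),
        })
    return sas


def find_sa(sas, src_lan, dst_lan):
    """Step 2: the SA whose encryption domain covers src_lan -> dst_lan, or None."""
    src, dst = ipaddress.ip_network(src_lan), ipaddress.ip_network(dst_lan)
    for sa in sas:
        if src.subnet_of(sa["local"]) and dst.subnet_of(sa["remote"]):
            return sa
    return None


def diagnose(side_a_text, side_b_text, lan_a, lan_b):
    """Steps 2 and 3: domain coverage on both ends, then encrypt vs decrypt counters."""
    sa_a = find_sa(parse_ipsec_sa(side_a_text), lan_a, lan_b)
    sa_b = find_sa(parse_ipsec_sa(side_b_text), lan_b, lan_a)
    findings = []
    if sa_a is None:
        findings.append(f"A: encryption domain does not cover {lan_a} -> {lan_b}")
    if sa_b is None:
        findings.append(f"B: encryption domain does not cover {lan_b} -> {lan_a}")
    if findings:
        return findings
    # Step 3 as a chain: what A encrypts must be decrypted by B, then B's reply
    # must be encrypted by B and decrypted by A. The first broken link is reported.
    if sa_a["encaps"] == 0:
        return ["A never encrypts: LAN traffic is not reaching A's crypto map (routing/ACL)"]
    if sa_b["decaps"] == 0:
        return ["A encrypts but B never decrypts: ESP lost between the sites (NAT-T, UDP/4500, filtering)"]
    if sa_b["encaps"] == 0:
        return ["B decrypts but never encrypts a reply: return traffic is not reaching B's crypto map"]
    if sa_a["decaps"] == 0:
        return ["B encrypts but A never decrypts: ESP lost on the return path"]
    return ["both directions encrypt and decrypt; look beyond the tunnel (LAN routing, host firewalls)"]


# Constructed sample excerpts in the IOS 'show crypto ipsec sa' layout (not from the thread).
SITE_A = """\
interface: Serial0/0/0
    Crypto map tag: VPN, local addr 198.51.100.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 203.0.113.9 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 57, #pkts encrypt: 57, #pkts digest: 57
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
SITE_B = """\
interface: GigabitEthernet0/0
    Crypto map tag: VPN, local addr 203.0.113.9

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer 198.51.100.2 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

if __name__ == "__main__":
    for line in diagnose(SITE_A, SITE_B, "10.1.1.0/24", "10.2.2.0/24"):
        print(line)
```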

Community Member

Re: ASK THE EXPERTS - IP SECURITY VPN

Hi Syed / Sundar,

First off, thank you for opening this discussion on IPsec VPN; it is sure to serve the CSC community well.

I have a question (or questions) regarding the troubleshooting of Cisco VPN client connectivity issues on the ASA 5500 series.

If you have users connecting to a corporate network using either the Cisco VPN client or AnyConnect, and from time to time one or two of the users claim to have an unstable VPN connection with their applications, it can be quite challenging to locate the underlying issue. On the other hand, if all RA VPN users could not establish a connection, it would likely be for more obvious reasons.

Looking through the ASA's VPN monitoring features, there seem to be few tools for troubleshooting established RA VPN client sessions. Usually you are troubleshooting whether the RA VPN client can connect or cannot connect. Troubleshooting while a particular VPN client session may be experiencing application instabilities (slowness or application hangs) over the tunnel session while (in most cases) not actually losing the VPN session can be very challenging indeed.

Are there any good tools/suggestions for focusing troubleshooting efforts on the type of issue(s) described above?

Thanks,

Brandon

Cisco Employee

Re: ASK THE EXPERTS - IP SECURITY VPN

Hi Brandon,

I agree that troubleshooting such issues is challenging. Here is how I approach this issue.

Assuming the client is complaining about application slowness:

I would first want to check the round trip time to the VPN server's public IP address from the client PC to make sure there is no significant ISP delay.

Then I would check the RTT for the ASA / VPN server's inside IP address.

Depending on where we are seeing the delay, we need to proceed accordingly on that front.

The other thing which is worthwhile to check is to do a sniffer capture on the client side or the application server to see if there are retransmissions. Based on my experience, retransmission is another important factor in slowing an application down. If there are lots of retransmissions, then the most likely cause is packet loss somewhere in the path.

You may need to run sniffer captures on the VPN server's outside interface and the client interface simultaneously to identify if there is packet loss. ESP packets can be checked in Wireshark by using the sequence numbers.

Hope this answers your question. If you have any follow-up question please feel free to ask any time.

thanks

-Syed
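The last step above, matching ESP sequence numbers between the two simultaneous captures, can be done with a few lines of Python over Wireshark's field export. This is an added example, not part of the reply; it assumes the captures were exported with `tshark -T fields -e esp.spi -e esp.sequence` (tab-separated), and the sample records are constructed.

```python
"""Find lost ESP packets from two simultaneous captures: one on the VPN client's
interface and one on the VPN server's outside interface, matched on SPI and
ESP sequence number."""
from collections import defaultdict


def parse_tshark_fields(text):
    """Parse lines from 'tshark -T fields -e esp.spi -e esp.sequence' (assumed
    tab separated) into (spi, seq) tuples; SPI kept as a lowercase hex string."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 2 or not parts[1].isdigit():
            continue  # blank line or a frame without an ESP header
        records.append((parts[0].lower(), int(parts[1])))
    return records


def by_spi(records):
    """Group sequence numbers per SPI (one SPI = one direction of one SA)."""
    spis = defaultdict(set)
    for spi, seq in records:
        spis[spi].add(seq)
    return spis


def esp_loss(sender_capture, receiver_capture):
    """Per SPI: sequence numbers seen leaving the sender that never arrived at
    the receiver, with the loss percentage for that SA."""
    sent, got = by_spi(sender_capture), by_spi(receiver_capture)
    report = {}
    for spi, seqs in sent.items():
        lost = sorted(seqs - got.get(spi, set()))
        report[spi] = {"sent": len(seqs), "lost": lost,
                       "loss_pct": round(100.0 * len(lost) / len(seqs), 1)}
    return report


def seq_gaps(capture):
    """Single-capture fallback: holes in each SPI's sequence space. ESP sequence
    numbers increase by one per packet on an SA, so a hole means loss upstream of
    the capture point (or reordering, if the number turns up later)."""
    return {spi: sorted(set(range(min(s), max(s) + 1)) - s)
            for spi, s in by_spi(capture).items()}


# Constructed tshark output for one client-to-server SA at both capture points
# (not from the thread): the outside-interface capture is missing sequences 4 and 7.
CLIENT_SIDE = "\n".join(f"0x0000abcd\t{n}" for n in range(1, 11))
SERVER_OUTSIDE = "\n".join(f"0x0000abcd\t{n}" for n in range(1, 11) if n not in (4, 7))

if __name__ == "__main__":
    client = parse_tshark_fields(CLIENT_SIDE)
    server = parse_tshark_fields(SERVER_OUTSIDE)
    print(esp_loss(client, server))  # lost [4, 7], 20.0% for SPI 0x0000abcd
    print(seq_gaps(server))          # the same holes, seen from the server side alone
```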

Community Member

two DMVPN Spokes behind ASA doing hide-NAT to the Internet

This means that an ASA is sitting in between the DMVPN hub and spokes.

Does this scenario require any special configuration of the ASA? Up to now the setup is not working; we are facing the following problem:

The central DMVPN hub shows an 'invalid SPI' error, because both spokes come up with the same IP address (ASA hide-NAT) at the DMVPN hub.

thx

Holger

Community Member

Re: two DMVPN Spokes behind ASA doing hide-NAT to the Internet

Appendix:

Only one of the spokes is able to establish a connection (EIGRP neighborship is up) to the central hub; the other one shows that the crypto session is UP-ACTIVE, but no EIGRP neighborship.

Resetting the crypto session of the active spoke results in activating the second spoke, but then the formerly active spoke loses the EIGRP neighborship.


asa/pri/act# sh conn lon | in customer
UDP outside:b.b.b.b/4500 (b.b.b.b/4500) customer:10.1.1.100/4500 (a.a.a.a/63943), flags -, idle 3s, uptime 16h29m, timeout 2m0s, bytes 4274181
UDP outside:b.b.b.b/4500 (b.b.b.b/4500) customer:10.1.1.101/4500 (a.a.a.a/39870), flags -, idle 1s, uptime 16h37m, timeout 2m0s, bytes 3512027
UDP outside:c.c.c.c/4500 (c.c.c.c/4500) customer:10.1.1.100/4500 (a.a.a.a/63943), flags -, idle 0s, uptime 16h29m, timeout 2m0s, bytes 4052125
UDP outside:c.c.c.c/4500 (c.c.c.c/4500) customer:10.1.1.101/4500 (a.a.a.a/39870), flags -, idle 0s, uptime 16h37m, timeout 2m0s, bytes 5446799

Cisco Employee

Re: two DMVPN Spokes behind ASA doing hide-NAT to the Internet

Hi Holger,

Can you please send us the DMVPN-relevant config from the hub and spoke? Also, which version of code are you running on the hub and spoke?

thanks

-Syed /  Sundar

Cisco Employee

Re: two DMVPN Spokes behind ASA doing hide-NAT to the Internet

Hi Holger,

You need to use NAT and not PAT if both your spokes are behind the same ASA. You can configure a static translation on the ASA for both spoke interface IP addresses, and that should take care of your EIGRP issue.

Here is some more information about NAT for DMVPN:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html#wp1122466

Please let me know if you have any further questions.

thanks

-Syed

Community Member

Re: two DMVPN Spokes behind ASA doing hide-NAT to the Internet

Hi Syed,

Thanks for your reply. I read the document about NAT for DMVPN. Thus we can say it is not possible to run two DMVPN spokes behind one PAT device when both spokes are translated to the same public IP address. Is that correct?

I have only a little information about the spoke, because I'm not responsible for the DMVPN installation. Only the Internet firewall is operated by us.

DMVPN spoke is a Cisco 871 running Cisco IOS c870-advipservicesk9-mz.124-15.T7.bin

# crypto profile used for tunnel protection works in IPsec transport mode

interface: Tunnelx
    <--- omitted --->
   current_peer x.x.x.x port 4500

<--- omitted --->

     inbound esp sas:
      spi: 0xaaaaaaaaaaaaaa
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }

<--- omitted --->

best regards

Holger

Cisco Employee

Re: two DMVPN Spokes behind ASA doing hide-NAT to the Internet

Hi Holger,

Yes, 2 spokes getting PATed to the same public IP is not supported.

Here is the link about this restriction as well:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftgreips.html#wp1039490

thanks

-Syed
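The unsupported condition is visible on the firewall itself in the `show conn` output quoted earlier: more than one inside IKE/NAT-T peer translated to a single mapped address. The following is an added example written for this thread (not a Cisco tool); the connection lines are constructed in the same layout with documentation addresses, and the interface name `inside` is an assumption.

```python
"""Detect two (or more) IPsec peers on the inside being hidden behind one translated
address, from ASA 'show conn' lines. Parser written for this example."""
import re
from collections import defaultdict

# One conn entry: PROTO if1:real/port (mapped/port) if2:real/port (mapped/port), ...
CONN_RE = re.compile(
    r"^(?P<proto>UDP|TCP) (?P<if1>[\w-]+):(?P<real1>[\w.]+)/(?P<rport1>\d+) "
    r"\((?P<map1>[\w.]+)/(?P<mport1>\d+)\) "
    r"(?P<if2>[\w-]+):(?P<real2>[\w.]+)/(?P<rport2>\d+) "
    r"\((?P<map2>[\w.]+)/(?P<mport2>\d+)\)"
)
IKE_PORTS = {"500", "4500"}  # ISAKMP and NAT-T


def parse_conn(text):
    """One dict per connection line; lines that are not conn entries are skipped."""
    return [m.groupdict() for m in map(CONN_RE.match, text.splitlines()) if m]


def pat_collisions(conns, outside_if="outside"):
    """Map each translated address to the real inside IKE/NAT-T peers behind it,
    keeping only addresses shared by two or more peers: the case the hub reports
    as a single peer with colliding SPIs."""
    behind = defaultdict(set)
    for c in conns:
        # Put the outside peer on side 1 and the inside host on side 2.
        if c["if1"] == outside_if:
            inside_real, inside_map, inside_port = c["real2"], c["map2"], c["rport2"]
        elif c["if2"] == outside_if:
            inside_real, inside_map, inside_port = c["real1"], c["map1"], c["rport1"]
        else:
            continue  # conn between two non-outside interfaces, not relevant here
        if c["proto"] == "UDP" and inside_port in IKE_PORTS:
            behind[inside_map].add(inside_real)
    return {ip: sorted(hosts) for ip, hosts in behind.items() if len(hosts) > 1}


# Constructed 'show conn' excerpt (not the thread's output): spokes 10.1.1.100 and
# 10.1.1.101 reach hubs 192.0.2.10 and 192.0.2.11, both hidden behind 203.0.113.5.
SHOW_CONN_PAT = """\
UDP outside:192.0.2.10/4500 (192.0.2.10/4500) inside:10.1.1.100/4500 (203.0.113.5/63943), flags -, idle 3s, uptime 16h29m, timeout 2m0s, bytes 4274181
UDP outside:192.0.2.10/4500 (192.0.2.10/4500) inside:10.1.1.101/4500 (203.0.113.5/39870), flags -, idle 1s, uptime 16h37m, timeout 2m0s, bytes 3512027
UDP outside:192.0.2.11/4500 (192.0.2.11/4500) inside:10.1.1.100/4500 (203.0.113.5/63943), flags -, idle 0s, uptime 16h29m, timeout 2m0s, bytes 4052125
TCP outside:192.0.2.20/443 (192.0.2.20/443) inside:10.1.1.50/51234 (203.0.113.5/2001), flags UIO, idle 0s, uptime 1m, timeout 1h0m, bytes 9000
"""
# After a static one-to-one NAT per spoke, each spoke keeps its own public address.
SHOW_CONN_NAT = """\
UDP outside:192.0.2.10/4500 (192.0.2.10/4500) inside:10.1.1.100/4500 (203.0.113.6/4500), flags -, idle 3s, uptime 1h, timeout 2m0s, bytes 1000
UDP outside:192.0.2.10/4500 (192.0.2.10/4500) inside:10.1.1.101/4500 (203.0.113.7/4500), flags -, idle 1s, uptime 1h, timeout 2m0s, bytes 1000
"""

if __name__ == "__main__":
    print(pat_collisions(parse_conn(SHOW_CONN_PAT)))  # {'203.0.113.5': ['10.1.1.100', '10.1.1.101']}
    print(pat_collisions(parse_conn(SHOW_CONN_NAT)))  # {}
```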

Community Member

Re: two DMVPN Spokes behind ASA doing hide-NAT to the Internet

Hi Syed,

Thanks for your reply; my problem is SOLVED.

/Holger

Community Member

Re: ASK THE EXPERTS - IP SECURITY VPN

A number of the clients I work with would like to use VPNs between sites. I've looked at both the RVS4000 and the SA520. Both have IPsec site-to-site VPN capabilities, and both routers are easy to set up. The only problem is that there is no way to disable split tunneling. A large vector for malware and viruses is users going to sites through the split tunnel and not through the corporate firewall. For the site-to-site VPN, how can you turn off split tunneling? The SSL VPN seems to be able to disable split tunneling for SSL VPN clients.

Cisco Employee

Re: ASK THE EXPERTS - IP SECURITY VPN

Hi Peter,

There is no concept of split tunnel in site-to-site VPN. In site-to-site VPN you actually define the ACL for the traffic that needs to be encrypted. I have not done the configuration on the RVS4000 myself, therefore I am not aware of the options available there. Do you have the option of defining the VPN domain on this platform, or does it just encrypt anything coming from the inside VLAN?

thanks

-Syed

Cisco Employee

Re: ASK THE EXPERTS - IP SECURITY VPN

Hi Peter,

I never sent you a link?

thanks

-Syed

Community Member

Re: ASK THE EXPERTS - IP SECURITY VPN

Syed,

Right. I'm now concentrating on the SA520. Within the site-to-site VPN, how can the split tunneling be turned off?

Pete.

Cisco Employee

Re: ASK THE EXPERTS - IP SECURITY VPN

Hi Peter,

I think you want to send all traffic from the local subnet to the remote site?

In this case your VPN domain should be a.b.c.d to any, and on the other side it should be the mirror image.

Try defining the Remote LAN as 0.0.0.0 0.0.0.0, and if it doesn't take this then my best guess is that it is not supported on this platform.

thanks

-Syed

Community Member

Re: ASK THE EXPERTS - IP SECURITY VPN

Edit: Using the Cisco VPN Client 5.0.07.0290 on Windows XP 32-bit

Hi,

I am having an issue connecting to a remote IPsec VPN on a Cisco ASA 5505. I have tried both manual configuration and ASDM's IPsec VPN Wizard. Each time I connect, I can authenticate, and then I receive the error "Reason 433 not specified by peer" at the client; on the ASA, with crypto debugging, I see the following:

Debug:

Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, IP = 69.30.17.149, process_attr(): Enter!
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, IP = 69.30.17.149, Processing MODE_CFG Reply attributes.
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKEGetUserAttributes: primary DNS = cleared
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKEGetUserAttributes: secondary DNS = cleared
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKEGetUserAttributes: primary WINS = cleared
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKEGetUserAttributes: secondary WINS = cleared
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKEGetUserAttributes: split tunneling list = avnt-group_splitTunnelAcl
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKEGetUserAttributes: IP Compression = disabled
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKEGetUserAttributes: Split Tunneling Policy = Split Network
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Jun 23 10:33:32 [IKEv1]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, User (avnt.admin) authenticated.
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, constructing blank hash payload
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, constructing qm hash payload
Jun 23 10:33:32 [IKEv1]: IP = 69.30.17.149, IKE_DECODE SENDING Message (msgid=346f083a) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 64
Jun 23 10:33:32 [IKEv1]: IP = 69.30.17.149, IKE_DECODE RECEIVED Message (msgid=346f083a) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, process_attr(): Enter!
Jun 23 10:33:32 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, Processing cfg ACK attributes
Jun 23 10:33:33 [IKEv1]: IP = 69.30.17.149, IKE_DECODE RECEIVED Message (msgid=3f82ad4b) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 191
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, process_attr(): Enter!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, Processing cfg Request attributes
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for IPV4 address!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for IPV4 net mask!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for DNS server address!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for WINS server address!
Jun 23 10:33:33 [IKEv1]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, Received unsupported transaction mode attribute: 5
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for Banner!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for Save PW setting!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for Default Domain Name!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for Split Tunnel List!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for Split DNS!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for PFS setting!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for Client Browser Proxy Setting!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for backup ip-sec peer list!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for Application Version!
Jun 23 10:33:33 [IKEv1]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, Client Type: WinNT  Client Application Version: 5.0.07.0290
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for FWTYPE!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for DHCP hostname for DDNS is: LAB01!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, MODE_CFG: Received request for UDP Port!
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKE received response of type [] to a request from the IP address utility
Jun 23 10:33:33 [IKEv1]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, Cannot obtain an IP address for remote peer
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKE TM V6 FSM error history (struct &0xc9f6b1d0)  , :  TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKE AM Responder FSM error history (struct &0xc9f6ea00)  , :  AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKE SA AM:efd86a93 terminating:  flags 0x0945c001, refcnt 0, tuncnt 0
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, sending delete/delete with reason message
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, constructing blank hash payload
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, constructing IKE delete payload
Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, constructing qm hash payload
Jun 23 10:33:33 [IKEv1]: IP = 69.30.17.149, IKE_DECODE SENDING Message (msgid=48c593ff) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Jun 23 10:33:33 [IKEv1]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, Removing peer from peer table failed, no match!
Jun 23 10:33:33 [IKEv1]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, Error: Unable to remove PeerTblEntry

Config:

hostname FW-AVANT
enable password sFHPoSNXoNmXBMbQ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 69.30.50.142 AVANT_WEB_VIP description AVANT WEB VIP (inside)
!
interface Vlan1
  shutdown
  no nameif
  no security-level
  no ip address
!
interface Vlan2
  nameif outside
  security-level 0
  ip address 69.30.33.246 255.255.255.248
!
interface Vlan10
  nameif Inside
  security-level 100
  ip address 69.30.50.129 255.255.255.240
!
interface Ethernet0/0
  description Connection to Agr107 1/19 (outside)
  switchport access vlan 2
!
interface Ethernet0/1
  description Connection to AVANT_SLB_A (inside)
  switchport access vlan 10
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
object-group network ES_NETWORKS
  network-object 69.30.17.0 255.255.255.0
  network-object 69.30.2.0 255.255.255.0
  network-object 69.30.19.0 255.255.255.0
object-group protocol TCPUDP
  protocol-object udp
  protocol-object tcp
access-list ACL-OUTSIDE_in remark ****** Inbound access to AVANT_WEB servers from outside ******
access-list ACL-OUTSIDE_in extended permit object-group TCPUDP any host AVANT_WEB_VIP eq www
access-list ACL-OUTSIDE_in extended permit tcp any host AVANT_WEB_VIP eq https
access-list ACL-OUTSIDE_in remark ****** Allow ICMP In ******
access-list ACL-OUTSIDE_in extended permit icmp any any log disable
access-list ACL-OUTSIDE_in remark ****** Allow ES Networks Access ******
access-list ACL-OUTSIDE_in extended permit ip object-group ES_NETWORKS any log disable
access-list avnt-group_splitTunnelAcl standard permit 69.30.50.128 255.255.255.240
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu outside 1500
mtu Inside 1500
ip local pool avntpool 69.30.50.130-69.30.50.132
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
access-group ACL-OUTSIDE_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.30.33.241 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 69.30.17.0 255.255.255.0 outside
snmp-server host outside 69.30.2.38 community marzatax
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no vpn-addr-assign local
telnet timeout 5
ssh 69.30.17.0 255.255.255.0 outside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 206.103.37.4 source outside prefer
webvpn
group-policy avnt-group internal
group-policy avnt-group attributes
  vpn-tunnel-protocol IPSec svc
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value avnt-group_splitTunnelAcl
  address-pools value avntpool
username avnt.admin password /Lrz8JA7Xitr16AN encrypted privilege 0
username avnt.admin attributes
  vpn-group-policy avnt-group
tunnel-group avnt-group type remote-access
tunnel-group avnt-group general-attributes
  address-pool avntpool
  default-group-policy avnt-group
tunnel-group avnt-group ipsec-attributes
  pre-shared-key *
!
class-map inspection_default
  match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
  parameters
   message-length maximum 512
policy-map global_policy
  class inspection_default
   inspect dns preset_dns_map
   inspect ftp
   inspect h323 h225
   inspect h323 ras
   inspect rsh
   inspect rtsp
   inspect esmtp
   inspect sqlnet
   inspect skinny
   inspect sunrpc
   inspect xdmcp
   inspect sip
   inspect netbios
   inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:58dd50b73ef7454112659aa970bd633c
: end

Please help a girl out. I have spent too many hours trying to get this to work.

Cisco Employee

Re: ASK THE EXPERTS - IP SECURITY VPN

The problem you are facing is due to the IP address assignment. Please check the following from the debugs:

Jun 23 10:33:33 [IKEv1 DEBUG]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, IKE received response of type [] to a request from the IP address utility
Jun 23 10:33:33 [IKEv1]: Group = avnt-group, Username = avnt.admin, IP = 69.30.17.149, Cannot obtain an IP address for remote peer

You have configured the following on your ASA, which is causing the issue:

no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no vpn-addr-assign local

Can you please remove "no" from at least these 2 commands and try again:

crypto isakmp nat-traversal
vpn-addr-assign local

Hope this helps.

thanks

-Syed
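The misconfiguration found above is easy to catch before the client ever tries to connect. The script below is an added example written for this thread, not a Cisco tool: it lints the address-assignment lines of an ASA config for the two settings named in the reply, plus an address pool that is referenced but never defined; the config excerpts are constructed from the relevant lines of the config posted above.

```python
"""Lint the remote-access address-assignment part of an ASA configuration for the
mistake diagnosed above: a pool is configured but 'no vpn-addr-assign local' turns
pool assignment off, so the ASA logs 'Cannot obtain an IP address for remote peer'
and the client sees Reason 433. Written for this example, not a Cisco tool."""


def lint_ra_addressing(config_text):
    """Return a list of findings (empty when the excerpt looks consistent)."""
    pools, pool_refs, findings = set(), set(), []
    local_assign_off = nat_t_off = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("ip local pool "):
            pools.add(line.split()[3])
        elif line.startswith("address-pool "):            # tunnel-group general-attributes
            pool_refs.update(line.split()[1:])
        elif line.startswith("address-pools value "):     # group-policy attributes
            pool_refs.update(line.split()[2:])
        elif line == "no vpn-addr-assign local":
            local_assign_off = True
        elif line == "no crypto isakmp nat-traversal":
            nat_t_off = True
    for ref in sorted(pool_refs - pools):
        findings.append(f"pool '{ref}' is referenced but never defined with 'ip local pool'")
    if pool_refs and local_assign_off:
        findings.append("address pool configured but 'no vpn-addr-assign local' disables pool "
                        "assignment: clients fail with 'Cannot obtain an IP address for remote peer'")
    if nat_t_off:
        findings.append("'no crypto isakmp nat-traversal': clients behind PAT cannot pass ESP; "
                        "re-enable NAT-T with 'crypto isakmp nat-traversal'")
    return findings


# Constructed excerpt mirroring the relevant lines of the config posted in the thread.
BROKEN = """\
ip local pool avntpool 69.30.50.130-69.30.50.132
no crypto isakmp nat-traversal
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
no vpn-addr-assign local
group-policy avnt-group attributes
  address-pools value avntpool
tunnel-group avnt-group general-attributes
  address-pool avntpool
"""
# The same excerpt with the two 'no' forms dropped, as the reply recommends.
FIXED = (BROKEN.replace("no crypto isakmp nat-traversal", "crypto isakmp nat-traversal")
               .replace("no vpn-addr-assign local\n", ""))
# A further constructed variant: the tunnel-group names a pool that does not exist.
TYPO = FIXED.replace("address-pool avntpool", "address-pool avnt-pool")

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED), ("TYPO", TYPO)):
        print(name, lint_ra_addressing(cfg) or ["ok"])
```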

Community Member

Re: ASK THE EXPERTS - IP SECURITY VPN

Hi Syed-

I made the recommended changes and I can now log in! I also changed the local pool to 172.16.32.18-172.16.32.30 to save IP addresses for the customer. The problem I am having now is that I cannot ping anything on the inside when I successfully connect to the VPN. I have the IPsec/UDP (NAT/PAT) setting enabled on my client as well.

Here is my revised config (removed bulk non-related lines):

ASA Version 8.2(1)
!
hostname FW-AVANT
enable password sFHPoSNXoNmXBMbQ encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 69.30.50.142 AVANT_WEB_VIP description AVANT WEB VIP (inside)
!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address 69.30.33.246 255.255.255.248
!
interface Vlan10
nameif Inside
security-level 100
ip address 69.30.50.129 255.255.255.240
!
interface Ethernet0/0
description Connection to Agr107 1/19 (outside)
switchport access vlan 2
!
interface Ethernet0/1
description Connection to AVANT_SLB_A (inside)
switchport access vlan 10
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!

protocol-object tcp
access-list avnt-group_splitTunnelAcl standard permit 69.30.50.128 255.255.255.240
access-list Inside_nat0_outbound extended permit ip 69.30.50.128 255.255.255.240 172.16.32.16 255.255.255.240
mtu Inside 1500
ip local pool avnt-pool 172.16.32.18-172.16.32.30 mask 255.255.255.240
global (outside) 1 interface
nat (Inside) 0 access-list Inside_nat0_outbound
access-group ACL-OUTSIDE_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.30.33.241 1
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
no vpn-addr-assign aaa
no vpn-addr-assign dhcp
telnet timeout 5
ssh 69.30.17.0 255.255.255.0 outside
ssh timeout 5
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 206.103.37.4 source outside prefer
webvpn
group-policy avnt-group internal
group-policy avnt-group attributes
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value avnt-group_splitTunnelAcl
username avnt.admin password /Lrz8JA7Xitr16AN encrypted privilege 0
username avnt.admin attributes
vpn-group-policy avnt-group
tunnel-group avnt-group type remote-access
tunnel-group avnt-group general-attributes
address-pool avnt-pool
default-group-policy avnt-group
tunnel-group avnt-group ipsec-attributes
pre-shared-key *
!

Cisco Employee

Re: ASK THE EXPERTS - IP SECURITY VPN

Can you please put this command in the config of the ASA:

management-access inside

Now try to ping the inside interface IP address from the client. If you are unable to ping, please get me the output of the following commands from the ASA:

show crypto isakmp sa

show crypto ipsec sa

thanks

-Syed
