
Cisco ASA 5505 VPN problem

raaka-arska
Level 1

Hi!

I'm having trouble configuring Remote Access VPN. I get the following error when trying to establish a VPN using the Windows 7 64-bit built-in client:

Group = DefaultRAGroup, IP = xx.xx.xx.xx, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device

Group = DefaultRAGroup, IP = xx.xx.xx.xx, PHASE 1 COMPLETED

IP = xx.xx.xx.xx, Keep-alives configured on but peer does not support keep-alives (type = None)

Group = DefaultRAGroup, IP = xx.xx.xx.xx, All IPSec SA proposals found unacceptable!

Group = DefaultRAGroup, IP = xx.xx.xx.xx, QM FSM error (P2 struct &0xd8c25848, mess id 0x1)!

Group = DefaultRAGroup, IP = xx.xx.xx.xx, Removing peer from correlator table failed, no match!

Group = DefaultRAGroup, IP = xx.xx.xx.xx, Session is being torn down. Reason: Phase 2 Mismatch

Group = DefaultRAGroup, Username = , IP = xx.xx.xx.xx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

VPN configuration on the ASA:

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS-AES-256-SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 3 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside

tunnel-group DefaultRAGroup general-attributes
 address-pool AquaVPN
 authentication-server-group WMServer
 default-group-policy AquamecVPN
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

Any ideas what might be wrong?

Best regards,

Tapio Rantanen
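
Added example (not part of the original post and not Cisco code): a small Python parser run over the Phase 2 lines of the configuration posted above, showing which transform sets each dynamic-map entry actually offers, in which mode, and which entry demands PFS. The function names are hypothetical, and treating a set without a `mode transport` line as tunnel mode is an assumption about the ASA default.

```python
import re

# Phase 2 lines copied from the configuration in the post above (unreferenced sets trimmed to one).
CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 3 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA
"""

TS = re.compile(r"^crypto ipsec transform-set (\S+) (mode )?(.+)$")
DM = re.compile(r"^crypto dynamic-map (\S+) (\d+) set (pfs|transform-set) (.+)$")

def parse(config):
    """Return (sets, entries). A set is tunnel mode unless a 'mode' line overrides it (assumed default)."""
    sets, entries = {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := TS.match(line):
            ts = sets.setdefault(m[1], {"mode": "tunnel", "transforms": ""})
            ts["mode" if m[2] else "transforms"] = m[3]
        elif m := DM.match(line):
            entry = entries.setdefault((m[1], int(m[2])), {"pfs": None, "sets": []})
            if m[3] == "pfs":
                entry["pfs"] = m[4]
            else:
                entry["sets"] = m[4].split()
    return sets, entries

def offered(config):
    """Per dynamic-map entry: PFS group and (name, mode, transforms) of each referenced set."""
    sets, entries = parse(config)
    def resolve(name):
        ts = sets.get(name, {"mode": "undefined", "transforms": ""})
        return (name, ts["mode"], ts["transforms"])
    return {key: {"pfs": e["pfs"], "proposals": [resolve(n) for n in e["sets"]]}
            for key, e in sorted(entries.items())}

def never_offered(config):
    """Transform sets that are defined but referenced by no dynamic-map entry."""
    sets, entries = parse(config)
    return sorted(set(sets) - {n for e in entries.values() for n in e["sets"]})

if __name__ == "__main__":
    for key, entry in offered(CONFIG).items():
        print(key, entry)
    print("never offered:", never_offered(CONFIG))
```

On the posted configuration both dynamic-map entries resolve to the same two 3DES/SHA proposals, one in transport mode and one in tunnel mode, and only entry 65535 sets PFS.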

3 Replies

Jennifer Halim
Cisco Employee

Try to remove "transport mode" from the configuration as follows:

no crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

no crypto ipsec transform-set TRANS-AES-256-SHA mode transport

This assumes that you are not terminating L2TP over IPsec, but just a normal remote IPsec VPN client.

Thanks for the assistance, Jennifer, but it didn't help. I'm still getting the same error. Any suggestions would be appreciated.

Best regards,

Tapio Rantanen

Try to add the following:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 2 set transform-set ESP-3DES-MD5