05-10-2012 11:32 PM
Hi!
I'm having trouble configuring Remote Access VPN. I get the following error when trying to establish a VPN using the Windows 7 64-bit built-in client:
Group = DefaultRAGroup, IP = xx.xx.xx.xx, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Group = DefaultRAGroup, IP = xx.xx.xx.xx, PHASE 1 COMPLETED
IP = xx.xx.xx.xx, Keep-alives configured on but peer does not support keep-alives (type = None)
Group = DefaultRAGroup, IP = xx.xx.xx.xx, All IPSec SA proposals found unacceptable!
Group = DefaultRAGroup, IP = xx.xx.xx.xx, QM FSM error (P2 struct &0xd8c25848, mess id 0x1)!
Group = DefaultRAGroup, IP = xx.xx.xx.xx, Removing peer from correlator table failed, no match!
Group = DefaultRAGroup, IP = xx.xx.xx.xx, Session is being torn down. Reason: Phase 2 Mismatch
Group = DefaultRAGroup, Username = , IP = xx.xx.xx.xx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
VPN configuration on the ASA:
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS-AES-256-SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 3 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
tunnel-group DefaultRAGroup general-attributes
 address-pool AquaVPN
 authentication-server-group WMServer
 default-group-policy AquamecVPN
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
Any ideas what might be wrong?
Best regards,
Tapio Rantanen
05-13-2012 12:48 AM
Try to remove "transport mode" from the configuration as follows:
no crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
no crypto ipsec transform-set TRANS-AES-256-SHA mode transport
This assumes that you are not terminating L2TP over IPsec, but just a normal remote IPsec VPN client.
05-14-2012 01:29 AM
Thanks for the assistance, Jennifer, but it didn't help. I'm still getting the same error. Any suggestions would be appreciated.
Best regards,
Tapio Rantanen
05-14-2012 03:02 AM
Try to add the following:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 2 set transform-set ESP-3DES-MD5
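Added example, not written by anyone in this thread: a small Python check that reads ASA-style configuration text and reports which dynamic-map entries would accept a given Phase 2 proposal (encryption, integrity, encapsulation mode, PFS group). The function names are hypothetical, the proposals passed in are constructed values rather than what any particular client sends, and the PFS handling is a simplified model.

```python
import re

# Constructed excerpt of the configuration posted in this thread.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 3 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
DM_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set (transform-set|pfs) (.+)$")

def parse(config):
    """Return (transform_sets, dynamic_map_entries) parsed from config text."""
    sets, entries = {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := TS_RE.match(line):
            # A transform set is in tunnel mode unless a "mode transport" line says otherwise.
            ts = sets.setdefault(m[1], {"enc": None, "hash": None, "mode": "tunnel"})
            words = m[2].split()
            if words[0] == "mode":
                ts["mode"] = words[1]
            else:
                for w in words:
                    ts["hash" if w.endswith("-hmac") else "enc"] = w
        elif m := DM_RE.match(line):
            e = entries.setdefault((m[1], int(m[2])), {"sets": [], "pfs": None})
            if m[3] == "pfs":
                e["pfs"] = m[4]
            else:
                e["sets"] = m[4].split()
    return sets, entries

def matching_entries(config, enc, hash_, mode, pfs=None):
    """List (map, sequence, transform-set) triples that accept the proposal."""
    sets, entries = parse(config)
    hits = []
    for (name, seq), e in sorted(entries.items()):
        # Simplified model (assumption): an entry with "set pfs" needs the same group.
        if e["pfs"] and e["pfs"] != pfs:
            continue
        for ts in e["sets"]:
            if sets.get(ts) == {"enc": enc, "hash": hash_, "mode": mode}:
                hits.append((name, seq, ts))
    return hits
```

An empty result for a proposal means that no entry references a matching transform set, even if such a set is defined elsewhere in the configuration.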