09-13-2005 04:09 AM
I've a PIX 525 with the new 7.0.4 software version.
I'm trying to make a VPN connection using a SOHO client with a pre-shared key, 3DES, MD5 and aggressive mode with Diffie-Hellman group 1.
I've tried everything and always get the following message when I debug:
[IKEv1]: Group = DefaultRAGroup, IP = 192.168.1.103, Xauth required but selected Proposal does not support xauth, Check priorities of ike xauth proposals in ike proposal list
[IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 192.168.1.103, IKE AM Responder FSM error history (struct &0x3841238) <state>, <event>: AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_CHK_PROPOSAL-->AM_BLD_MSG2, EV_TEST_CERT-->AM_BLD_MSG2, EV_SECRET_KEY_OK
[IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 192.168.1.103, IKE SA AM:99290bd9 terminating: flags 0x0100c001, refcnt 0, tuncnt 0
[IKEv1 DEBUG]: sending delete/delete with reason message
[IKEv1]: Group = DefaultRAGroup, IP = 192.168.1.103, Removing peer from peer table failed, no match!
Sep 13 12:54:12 [IKEv1]: Group = DefaultRAGroup, IP = 192.168.1.103, Error: Unable to remove PeerTblEntry
The tunnel policy is dynamic because the router client ip will be dynamic.
My questions: why is the DefaultRAGroup involved if I am trying to get an L2L tunnel? How can I get a dynamic tunnel where the group policy applied is the DefaultL2LGroup?
How can I avoid xauth in that configuration?
Thanks in advance,
Jose I. Merino
11-21-2006 01:07 PM
Hi Jose
I am having this problem. Did you solve it?
Can you help me?
Thanks in advance
Oswaldo Franzin
11-22-2006 12:06 AM
Yes, put the blame on PIX software 7.0 version.
Downgrade to 6.3 version and the problems will vanish.
12-05-2006 12:21 PM
Hi Jose
I noticed your answer only today.
Thank you very much, and YES I DID IT!!!!
By the way, I think that there is a simple solution for it!
I did hundreds of tests using all kinds of configurations with no success. Something is wrong! This feature is very common and widely used in VPNs with ADSL and cable, and there are very few people asking for help or a solution.
I'm just now with a PIX-515E v.7.2 for tests during the next 2 weeks. If I get some results I'll inform you as soon as it works.
Thanks again
Franzin
12-07-2006 01:10 AM
Yes, it's a very common problem in a hub and spoke solution.
The key is that the new 7.x version doesn't support the client wild-card. I mean, the "isakmp key
You can do a spoke and hub configuration in the 7.x version, but only if you know the IP of all your VPN clients, writing an isakmp key entry for each VPN client with its IP address.
This is a good example:
What happens with a client with a dynamic IP? I think that Cisco considers it impossible to have a "hardware" VPN client (ADSL or cable) with a dynamic IP, because you can only configure those clients with a software VPN client.
In my firm we need the 525 to give access to approx. 400 VPN clients. The configuration is a 525 with another 525 failover unit. All the clients have a fixed IP address, but I don't think that writing 400 times "isakmp key cisco123 address
Why does Cisco punish me by writing the same phrase 400 times? I don't know. I'm not Bart Simpson writing on the blackboard "I will not burp in class".
The VPN hub is in production and (obviously) I can't make any tests (if I did, my boss would punish me by writing on the blackboard 10,000 times (or more) "I will not play with a system in production").
In a month (I hope) there will be a new backup system and I can play with it freely. I promise to install the 7.2 PIX software version and I'll try it.
So if you need the PIX for a configuration like mine (lots of VPN clients) or you have VPN clients with a dynamic IP, think again before using a 7.x version.
12-20-2006 10:56 AM
Hi Jose
As I had mentioned, I prepared a PIX 515E v.7.2(1) in my lab and tried during Monday and Tuesday to get the right configuration to permit dynamic tunnels for site-to-site connections.
In my case, we use DLink (DI-804HV) and Nortel (Contivity 100) as remote VPN devices and PIX 515E as concentrators. We have 120 tunnels, most of them using ADSL access with a dynamic public IP. We also have 80 users that can connect through the Cisco VPN Client using notebooks or desktops.
As you have mentioned, the problem in establishing a tunnel with a non-configured remote IP peer was that DefaultRAGroup takes precedence over the correct DefaultL2LGroup. After some (exhaustive) tests, I got success using the command:
tunnel-group-map default-group DefaultL2LGroup
which changes the precedence of the group maps, giving DefaultL2LGroup the higher precedence.
It worked fine with 5 tunnels using 8 different public IPs on remote sites. I think that this solved the problem. The Cisco Client also works fine, using the correct group map. I didn't test this configuration with other clients (Microsoft).
By the way, I have noticed that:
1. PIX v.7.x is much more restrictive about establishing tunnels with non-Cisco devices. With DLINK I only got success on ISAKMP negotiation using PFS Group2.
2. The use of IPSEC over TCP (port 10000) works fine, but on some Windows desktops I needed to shut down the MS-Firewall (but not on all).
3. Aggressive mode of the DI-804HV didn't work with PIX v.7.x.
I tested also, the url-server configuration, inspection (IM inspection) and HTTP authorization. New problems come up:
1. If I include the IM inspection in the default policy, no HTTP traffic was tested. Websense was active and up, but no queries were sent from the PIX to the Websense server.
2. Configuring a new inspection map and applying it to the outside interface, IM was inspected and only users configured in a regex login-name had access. BUT large packets (more than 1400 bytes) from FTP, telnet, ssh and remote desktop over tunnels stopped working and the sessions dropped. Eliminating IM inspection, everything returned to working fine.
3. Using HTTP authorization through the PIX with a RADIUS server works fine. But the session ends with the xlate timeout (10 minutes in tests). If you increase this time, you will increase your memory usage with xlate contexts.
So, for my point of view:
1. Use of inspection has performance problems and a lot of side effects.
2. Integration with Websense works fine.
3. HTTP authorization can consume too much memory and users will become very nervous.
4. VPN works like version 6.3.5 (lan-to-lan) and IPSEC over TCP will solve a lot of problems, due to the fact that in Brazil ISPs are filtering or reducing the priority of UDP traffic (to avoid VoIP).
That's all.
Thank you for your help, and if you want more information send an e-mail.
Franzin
04-09-2007 11:50 PM
Hi Franzin,
You're a great help. Thanks for sharing the results of your tests. I've been struggling to make the VPN link between a hub site with a PIX 515-E (with a static link) and a spoke site with an 1841 (dynamic link, ADSL).
Just added the line (which I guess is the key to make this work) and the pre-shared key and boom, the link is back. If it's possible to rate 10, I would for this post.
tunnel-group-map default-group DefaultL2LGroup
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *********
Thanks once again.
Archie
09-27-2007 05:05 PM
I configured as per your template and I am getting the attached debug message. It seems to process the L2L default group and pass Phase 1 successfully, but then doesn't end cleanly. Any ideas?
I substituted my remote firewall's (PIX 501) outside interface address (DHCP client) with xx.xx.xx.xx for security reasons.
Thanks in advance,
Sam
10-12-2007 11:42 AM
Hello, looking through your logs:
Sep 27 17:38:08 [IKEv1]: Group = DefaultL2LGroup, IP = XX.XX.XX.XX, All IPSec SA proposals found unacceptable!
Looks to me like you don't have the same settings on both sides; check that you're using the same transform sets.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 10 match address vpn-acl-site1
crypto map outside_map 10 set peer x.x.x.x
crypto map outside_map 10 set transform-set ESP-3DES-MD5
10-12-2007 11:53 AM
You are correct. I had a dynamic map with 2 instances, e.g.
crypto dynamic-map client-vpn 98 set transform-set aes256-sha 3des-sha
crypto dynamic-map client-vpn 99 set transform-set 3des-sha
My dynamic map was using 3des-sha, which was lower in priority and never got evaluated. I changed it to a single entry like below and it worked after that.
crypto dynamic-map client-vpn 98 set transform-set aes256-sha 3des-sha
This one is solved.
I have another firewall where it keeps evaluating against the default RA group for some reason. My config and debug are as below.
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group-map default-group DefaultL2LGroup
Sanitized DEBUG:
Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received Cisco Unity client VID
Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload
Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 000000a5)
Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing NAT-Discovery payload
Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, computing NAT Discovery hash
Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing NAT-Discovery payload
Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, computing NAT Discovery hash
Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ke payload
Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing nonce payload
Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Cisco Unity VID payload
Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing xauth V6 VID payload
Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send IOS VID
Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing VID payload
Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing NAT-Discovery payload
Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, computing NAT Discovery hash
Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing NAT-Discovery payload
Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, computing NAT Discovery hash
Oct 12 12:47:34 [IKEv1]: IP = xx.xx.xx.xx, Connection landed on tunnel_group DefaultRAGroup
Oct 12 12:47:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, Generating keys for Responder...
Oct 12 12:47:34 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
Oct 12 12:47:34 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Oct 12 12:47:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, processing ID payload
Oct 12 12:47:34 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, ID_IPV4_ADDR ID received
xx.xx.xx.xx
Oct 12 12:47:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, processing hash payload
Oct 12 12:47:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, Computing hash for ISAKMP
Oct 12 12:47:34 [IKEv1]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Oct 12 12:47:34 [IKEv1]: IP = xx.xx.xx.xx, Connection landed on tunnel_group DefaultRAGroup
Oct 12 12:47:34 [IKEv1]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, Freeing previously allocated memory for authorization-dn-attributes
Any ideas?
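The two failure signatures discussed in this thread (an L2L peer landing on DefaultRAGroup and being refused for xauth, and a Phase 2 transform-set mismatch) are easy to miss in a long IKEv1 debug. The following script is an added example, not from any poster, that triages such debug output; the sample lines are constructed from the patterns quoted in the posts, with documentation-range addresses standing in for real peers.

```python
"""Triage PIX/ASA 7.x IKEv1 debug output for the dynamic L2L failure modes
discussed in this thread. The sample lines are constructed, not captured."""
import re
from collections import defaultdict

# Constructed sample: one peer lands on DefaultRAGroup and is rejected for
# xauth, one reaches DefaultL2LGroup but fails on the transform set, and one
# reaches DefaultL2LGroup with no error.
SAMPLE_DEBUG = """\
Oct 12 12:47:34 [IKEv1]: IP = 203.0.113.10, Connection landed on tunnel_group DefaultRAGroup
Oct 12 12:47:34 [IKEv1]: Group = DefaultRAGroup, IP = 203.0.113.10, Xauth required but selected Proposal does not support xauth, Check priorities of ike xauth proposals in ike proposal list
Sep 27 17:38:08 [IKEv1]: IP = 198.51.100.7, Connection landed on tunnel_group DefaultL2LGroup
Sep 27 17:38:08 [IKEv1]: Group = DefaultL2LGroup, IP = 198.51.100.7, All IPSec SA proposals found unacceptable!
Sep 27 17:40:01 [IKEv1]: IP = 198.51.100.9, Connection landed on tunnel_group DefaultL2LGroup
"""

# Patterns taken from the message texts quoted in the thread.
LANDED_RE = re.compile(r"IP = (?P<ip>[\w.]+), Connection landed on tunnel_group (?P<group>\S+)")
XAUTH_RE = re.compile(r"IP = (?P<ip>[\w.]+), Xauth required but selected Proposal does not support xauth")
PROPOSAL_RE = re.compile(r"IP = (?P<ip>[\w.]+), All IPSec SA proposals found unacceptable")


def triage(debug_text):
    """Return {peer_ip: [finding, ...]}; peers without a known symptom are omitted."""
    group_of = {}               # last tunnel-group each peer landed on
    findings = defaultdict(list)
    for line in debug_text.splitlines():
        m = LANDED_RE.search(line)
        if m:
            group_of[m["ip"]] = m["group"]
            continue
        m = XAUTH_RE.search(line)
        if m:
            findings[m["ip"]].append(
                "phase1: peer matched %s and was asked for xauth; for a dynamic L2L "
                "peer set 'tunnel-group-map default-group DefaultL2LGroup'"
                % group_of.get(m["ip"], "an unknown tunnel-group"))
            continue
        m = PROPOSAL_RE.search(line)
        if m:
            findings[m["ip"]].append(
                "phase2: no matching transform set in %s; compare the dynamic crypto "
                "map transform-set list with the remote side's"
                % group_of.get(m["ip"], "an unknown tunnel-group"))
    return dict(findings)


if __name__ == "__main__":
    for ip, notes in triage(SAMPLE_DEBUG).items():
        print(ip, *notes, sep="\n  ")
```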
10-15-2007 10:51 AM
Hello,
Is this supposed to be a dynamic VPN on this firewall, and which device is this debug from?
Patrick
10-15-2007 11:06 AM
Debug is from the ASA5520 that terminates dynamic lan-to-lan tunnels. PIX 6.3.5 code always worked because of its support for the
isakmp key ****** 0.0.0.0 capability. ASAs are really a pain for dynamic VPNs.
10-15-2007 11:13 AM
I was able to get something similar to this working a while back. The one thing was that it took 8-10 minutes for the tunnel to come up. It would continue to land on DefaultRAGroup for a while until it finally landed on the L2L group and the tunnel came up.
10-15-2007 11:18 AM
Hello,
Well, it sounds like you're trying to do an EZVPN, which requires these things. Without seeing your full config I would not really be able to tell you what's going on.
Here is a link to setup ezvpn.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml
There is another way to do the L2L with a dynamic IP address on the remote end, but I don't have time to go into that right this second.
Patrick
10-15-2007 11:32 AM
Patrick,
Thanks a lot for the link. What I am trying to achieve is a dynamic-to-static IPsec VPN, not EZVPN. Below is an example link. I need the equivalent of this working on the ASA.
Whenever you have time, I would appreciate any information on the other way you just mentioned.
My sanitized config is attached.