Dynamic L2L VPN on a PIX 525

jimerino
Level 1

I have a PIX 525 with the new 7.0.4 software version.

I am trying to set up a VPN connection using a SOHO client with a pre-shared key, 3DES, MD5 and aggressive mode with Diffie-Hellman group 1.

I have tried everything and always get the following messages when I debug:

[IKEv1]: Group = DefaultRAGroup, IP = 192.168.1.103, Xauth required but selected Proposal does not support xauth, Check priorities of ike xauth proposals in ike proposal list

[IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 192.168.1.103, IKE AM Responder FSM error history (struct &0x3841238) <state>, <event>: AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_CHK_PROPOSAL-->AM_BLD_MSG2, EV_TEST_CERT-->AM_BLD_MSG2, EV_SECRET_KEY_OK

[IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 192.168.1.103, IKE SA AM:99290bd9 terminating: flags 0x0100c001, refcnt 0, tuncnt 0

[IKEv1 DEBUG]: sending delete/delete with reason message

[IKEv1]: Group = DefaultRAGroup, IP = 192.168.1.103, Removing peer from peer table failed, no match!

Sep 13 12:54:12 [IKEv1]: Group = DefaultRAGroup, IP = 192.168.1.103, Error: Unable to remove PeerTblEntry

The tunnel policy is dynamic because the router client IP will be dynamic.

My questions: Why is the DefaultRAGroup involved if I am trying to get an L2L tunnel? How can I get a dynamic tunnel so that the group policy applied will be the DefaultL2LGroup?

How can I avoid XAUTH in that configuration?

Thanks in advance,

Jose I. Merino

18 Replies

Could you post your config for the remote end also?

Patrick

Here is the remote site config, which runs PIX-525 IOS 6.3.5.

Hello,

So here is what you need at your central site to match the incoming L2L VPN. I think this should take care of your problem. If you're still having problems with authentication, you can edit the "group-policy DefaultL2LGroup attributes" and disable user-authentication. Shooting from the hip on that group-policy.

******************************* ASA Central Site

!make this central ACL exactly the opposite (mirror image) of your remote ACL
!my-net = your local subnet, your-net = the remote subnet

access-list l2l-central-remote permit ip object-group my-net object-group your-net

crypto map vpn-map 20 match address l2l-central-remote

crypto map vpn-map 20 set transform-set AES256-SHA

******************************* 525 Remote Site

!Just a little clean-up, easier to read and track long term

no isakmp policy 31 authentication pre-share

no isakmp policy 31 encryption aes-256

no isakmp policy 31 hash sha

no isakmp policy 31 group 2

no isakmp policy 31 lifetime 86400

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes-256

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

Patrick
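Since the thread never shows a complete working pair of configurations, here is an added example of my own (not configuration posted by anyone in the thread) for the 7.0.x hub and the 6.3.5 remote, using the Phase 1 parameters from the original post. It relies on the 7.x tunnel-group lookup as I understand it: a main-mode pre-shared-key peer whose source address matches no named tunnel-group takes its key from DefaultL2LGroup, whereas an aggressive-mode peer is matched by its IKE ID to a named tunnel-group and otherwise lands in DefaultRAGroup, which is the "Group = DefaultRAGroup ... Xauth required" symptom in the original debug. The subnets, the hub address 203.0.113.1, the ACL/map/transform-set names and the pre-shared key are placeholders I made up.

```cisco
! ===== Central site: PIX 525, 7.0.x (static public IP 203.0.113.1, assumed) =====
! Phase 1 policy matching the remote: pre-shared key, 3DES, MD5, DH group 1
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
! Crypto ACL (hub side) and NAT exemption; the remote ACL must be its mirror image
access-list l2l-central-remote extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list l2l-central-remote
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
! Dynamic crypto map: the remote's public IP is unknown, so there is no "set peer"
! and the hub can only respond, never initiate
crypto dynamic-map dyn-l2l 10 match address l2l-central-remote
crypto dynamic-map dyn-l2l 10 set transform-set 3DES-MD5
crypto map vpn-map 65535 ipsec-isakmp dynamic dyn-l2l
crypto map vpn-map interface outside
sysopt connection permit-ipsec
! Pre-shared key for main-mode peers that match no named tunnel-group.
! It must be identical to the remote's "isakmp key" below (placeholder value).
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key changeme-shared-secret

! ===== Remote site: PIX 525, 6.3.5 (dynamic public IP) =====
isakmp enable outside
! Key for the hub, same placeholder value as DefaultL2LGroup on the hub
isakmp key changeme-shared-secret address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
! Mirror image of the hub's crypto ACL
access-list l2l-remote-central permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list l2l-remote-central
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
! Static crypto map: the remote knows the hub's address and initiates the tunnel
crypto map vpn-map 10 ipsec-isakmp
crypto map vpn-map 10 match address l2l-remote-central
crypto map vpn-map 10 set peer 203.0.113.1
crypto map vpn-map 10 set transform-set 3DES-MD5
crypto map vpn-map interface outside
sysopt connection permit-ipsec
```

Bring the tunnel up from the remote side (send traffic from 10.2.0.0/16 toward 10.1.0.0/16), then check `show isakmp sa` and `show crypto ipsec sa` on the hub. If the hub still logs `Group = DefaultRAGroup`, the peer is either arriving in aggressive mode with an ID that matches no tunnel-group, or the pre-shared keys differ; in the second case re-entering the same key on both ends, as the last reply in the thread describes, is the fix.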

Patrick,

These didn't help. When I run those two entries on the central site, I get an incomplete map message and it doesn't work.

my ASA(config)# crypto map vpn-map 500 match address l2l-central-remote

WARNING: The crypto map entry is incomplete!

my ASA(config)# crypto map vpn-map 500 set transform-se aes256-sha

WARNING: The crypto map entry is incomplete!

I fixed my issue by re-keying both ends: the Default-L2L-Group key, and for the remote site the "isakmp key xxxxx address xx.xx.xx.xx" entry.

I guess my keys were incorrect, hence it wasn't matching on the L2LGroup and was falling back to the RAGroup.