09-13-2005 04:09 AM
I have a PIX 525 with the new 7.0.4 software version.
I am trying to do a VPN connection using a SOHO client with a pre-shared key, 3DES, MD5 and aggressive mode with Diffie-Hellman group 1.
I have tried everything and always get the following message when I debug:
[IKEv1]: Group = DefaultRAGroup, IP = 192.168.1.103, Xauth required but selected Proposal does not support xauth, Check priorities of ike xauth proposals in ike proposal list
[IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 192.168.1.103, IKE AM Responder FSM error history (struct &0x3841238) <state>, <event>: AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_CHK_PROPOSAL-->AM_BLD_MSG2, EV_TEST_CERT-->AM_BLD_MSG2, EV_SECRET_KEY_OK
[IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 192.168.1.103, IKE SA AM:99290bd9 terminating: flags 0x0100c001, refcnt 0, tuncnt 0
[IKEv1 DEBUG]: sending delete/delete with reason message
[IKEv1]: Group = DefaultRAGroup, IP = 192.168.1.103, Removing peer from peer table failed, no match!
Sep 13 12:54:12 [IKEv1]: Group = DefaultRAGroup, IP = 192.168.1.103, Error: Unable to remove PeerTblEntry
The tunnel policy is dynamic because the router client ip will be dynamic.
My questions: Why is the DefaultRAGroup involved if I am trying to get an L2L tunnel? How can I get a dynamic tunnel where the group policy applied will be the DefaultL2LGroup?
How can I avoid the XAUTH in that configuration?
Thanks in advance,
Jose I. Merino
10-15-2007 01:06 PM
Could you post your config for the remote end also?
Patrick
10-15-2007 01:27 PM
10-16-2007 12:26 PM
Hello,
So here is what you need at your central site to match the incoming L2L VPN. I think this should take care of your problem. If you're still having problems with authentication you can edit the "group-policy DefaultL2LGroup attributes" and disable user-authentication. Shooting from the hip on that group-policy.
******************************* ASA Central Site
!make this central ACL exactly the opposite of your remote ACL.
access-list l2l-central-remote permit ip object-group my-net(local subnet) object-group your-net(remote subnet)
crypto map vpn-map 20 match address l2l-central-remote
crypto map vpn-map 20 set transform-set AES256-SHA
********************525 Remote Site**** Just some clean up easier to read long term.
!Just a little clean up easier to track long term
no isakmp policy 31 authentication pre-share
no isakmp policy 31 encryption aes-256
no isakmp policy 31 hash sha
no isakmp policy 31 group 2
no isakmp policy 31 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Patrick
10-17-2007 05:05 PM
Patrick,
These didn't help. When I run those 2 entries on central site, I get incomplete map message and it doesn't work.
my ASA(config)# crypto map vpn-map 500 match address l2l-central-remote
WARNING: The crypto map entry is incomplete!
my ASA(config)# crypto map vpn-map 500 set transform-se aes256-sha
WARNING: The crypto map entry is incomplete!
I fixed my issue by re-keying both ends: the DefaultL2LGroup key on the central site and the "isakmp key xxxxx address xx.xx.xx.xx" entry for the remote site.
I guess my keys were incorrect, hence it wasn't matching on the L2LGroup and was falling back to the RAGroup.
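Pulling together Patrick's central-site snippet and the follow-up about the "incomplete" warning, below is an added central-site configuration for ASA/PIX 7.x. It is an example written for this thread, not any poster's actual config; the subnets, the peer address 203.0.113.10, the key placeholder and the dynamic-map name dyn-l2l are all made up. It shows the three lines a static crypto map entry must have before the ASA stops warning that it is incomplete, and the dynamic-map variant for a remote peer whose address changes, which is the original poster's situation.

```cisco
! Added example (not from this thread). Subnets, peer address and key are placeholders.
! Phase 1 policy: must match the remote end field for field.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! Phase 2 transform set referenced by the crypto map below.
crypto ipsec transform-set AES256-SHA esp-aes-256 esp-sha-hmac
! Interesting traffic: central 10.1.1.0/24 to remote 10.2.2.0/24; the remote ACL is the mirror image.
access-list l2l-central-remote extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
! Variant A: the remote peer has a fixed address (203.0.113.10 is a placeholder).
! A static map entry needs all three of match address, set peer and set transform-set;
! with only two of them present the ASA prints "WARNING: The crypto map entry is incomplete!".
crypto map vpn-map 20 match address l2l-central-remote
crypto map vpn-map 20 set peer 203.0.113.10
crypto map vpn-map 20 set transform-set AES256-SHA
! The pre-shared key lives in a tunnel-group named after the peer IP
! (the 7.x replacement for the older "isakmp key ... address ..." form).
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-KEY
!
! Variant B: the remote peer address is dynamic. A dynamic map has no set peer;
! give it the highest sequence number so the static entries are tried first.
crypto dynamic-map dyn-l2l 10 set transform-set AES256-SHA
crypto map vpn-map 65535 ipsec-isakmp dynamic dyn-l2l
! Unknown L2L peers land in DefaultL2LGroup: key it there and make sure no
! user (XAUTH) authentication is demanded of a site-to-site peer.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-KEY
 isakmp ikev1-user-authentication none
!
crypto map vpn-map interface outside
```

One caveat for the dynamic variant: the lookup that lands an unknown peer in DefaultL2LGroup is by source address, which is what main mode gives the ASA. With aggressive mode the tunnel group is chosen from the identity payload the peer sends, and an identity that matches no tunnel group falls through to DefaultRAGroup, which expects XAUTH; that is the "Xauth required but selected Proposal does not support xauth" line in the first post. The key on both ends must also be identical, as the last post found, or phase 1 fails regardless of which group was selected.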