Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Dynamic L2L VPN on a PIX 525

I've a PIX 525 with the new 7.0.4 software version.

I try to do an VPN connection using a SOHO client with a pre-share key, 3des, md5 and aggresive-mode with diffie-hellman group 1.

I'll try everything and allways get the following message when I debug:

[IKEv1]: Group = DefaultRAGroup, IP = 192.168.1.103, Xauth required but selected Proposal does not support xauth, Check priorities of ike xauth proposals in ike proposal list

[IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 192.168.1.103, IKE AM Responder FSM error history (struct &0x3841238) <state>, <event>: AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_CHK_PROPOSAL-->AM_BLD_MSG2, EV_TEST_CERT-->AM_BLD_MSG2, EV_SECRET_KEY_OK

[IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 192.168.1.103, IKE SA AM:99290bd9 terminating: flags 0x0100c001, refcnt 0, tuncnt 0

[IKEv1 DEBUG]: sending delete/delete with reason message

[IKEv1]: Group = DefaultRAGroup, IP = 192.168.1.103, Removing peer from peer table failed, no match!

Sep 13 12:54:12 [IKEv1]: Group = DefaultRAGroup, IP = 192.168.1.103, Error: Unable to remove PeerTblEntry

The tunnel policy is dynamic because the router client ip will be dynamic.

My questions: Why the DefaultRAGroup is involved if I try to get a L2L tunnel? How can I got a dynamic tunnel and that the group policy applied will be the DefaultL2LGroup?

How can avoid the xauth in that configuration?

Thanks in advance,

Jose I. Merino

18 REPLIES
New Member

Re: Dynamic L2L VPN on a PIX 525

Hi Jose

I am with this problem. Did you solve it?

Can you help me?

Thanks in advance

Oswaldo Franzin

New Member

Re: Dynamic L2L VPN on a PIX 525

Yes, put the blame on PIX software 7.0 version.

Downgrade to 6.3 version and the problems will vanish.

New Member

Re: Dynamic L2L VPN on a PIX 525

Hi Jose

I noticed your answer only today.

Thank you very much, and YES I DID IT!!!!

By the way, I think that there are a

simple solution for it!

I did hundreds of tests using all kind of

configurations with no success. Something

is wrong! This feature is very common and

used widely in VPN?s with ADSL and Cables

and there are very few persons claiming

for help or a solution.

I?m just now with a PIX-515E v.7.2 for

tests during next 2 weeks. If I got some

results I?ll inform you as soon as

it works.

Thanks again

Franzin

New Member

Re: Dynamic L2L VPN on a PIX 525

Yes, it's a very common problem a hub and spoke solution.

The key is the new 7.x version doesn't support the client wild-card. I mean, the "isakmp key address 0.0.0.0 netmask 0.0.0.0" command to accept any VPN client isn't supported (at least in the 7.0 version, I don't know if in the new 7.2 version is supported).

You can do a spoke and hub configuration in the 7.x version but only if you know the ip of all your vpn clients writting a isakmp key entry for each vpn client with it's ip address.

This is a good example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

What's happen with a client with a dynamic ip? I think that Cisco considers there's impossible to have a "hardware" vpn client (ADSL or cable) with a dynamic ip, because only you can configure that clients with soft vpn client.

In my firm we need the 525 to give access aprox. 400 vpn clients. The configuration is a 525 with another 525 failover unit. All the clients have an fixed ip address, but I don't think that write 400 times "isakmp key cisco123 address netmask 255.255.255.255" (or the new command in 7.x version "crypto map mymap set peer ") would be a great idea.

Why punish Cisco to me writting 400 times the same phrase? I don't know. I'm not Bart Simpson writting in the blackboard "I will not burp in class"

The vpn hub is in production and (obviously) I can't made any test (if not, my boos punish to me writting in the blackboard 10.000 times (or more) "I will not play with a system in production").

In a month (I hope) will be a new backup system and I can play with it freely. I promise to install 7.2 pix software version and I'll try it.

Then if you need the PIX for a configuration like mine (lot of vpn clients) or you have vpn clients with a dynamic ip, think again before use 7.x version.

New Member

Re: Dynamic L2L VPN on a PIX 525

Hi Jose

As I had mentioned, I prepared a PIX 515E v.7.2(1) at my lab and tried during Monday and Tuesday get the right configuration to permit dynamic tunnels for site to site connections.

In my case, we use DLink (DI-804HV) and Nortel (Contivity 100) as remote VPN devices and PIX 515E as concentrators. We have 120 tunnels, most of them using ADSL access with dynamic public IP. We have also, 80 users that can connect through Cisco VPN Client using notebooks or desktops.

As you have mentioned, the problem to establish a tunnel with a non configured remote IP peer was that DefaultRAGroup take precedence over the correct DefaultL2LGroup. After some (exhaustive) tests, I got success using the command:

tunnel-group-map default-group DefaultL2LGroup

that change de precedence of groups maps, giving to DefaultL2LGroup the high precedence.

It worked fine with 5 tunnels using 8 different public IP on remote sites. I think that this solved the problem. The Cisco Client works fine also, using the correct group map. I didn?t test this configuration with other clients (Microsoft).

By the way, I have noticed that:

1.PIX v.7.x is much more restricted to close tunnels with non Cisco devices. With DLINK only using PFS Group2 I get success on ISAKMP negotiation.

2.The use of IPSEC over TCP (port 10000) works fine, but in some Windows desktops I needed to shutdown the MS-Firewall (but not in all).

3.Aggressive mode of DI-804HV didn?t work with PIX v.7.x

I tested also, the url-server configuration, inspection (IM inspection) and HTTP authorization. New problems come up:

1.If I include the IM inspection in the default policy, all HTTP traffic wasn?t tested. Websense was active and up, but no queries was sent from PIX to Websense server.

2.Configuring a new inspection map and applying to outside interface, IM was inspected and only users configured in a regex login-name had access. BUT large packets (more than 1400 bytes) from FTP, telnet, ssh and remote desktop over tunnels stop working and the sessions dropped. Eliminating IM inspection all return to work fine.

3. Using HTTP authorization through PIX with a RADIUS Server, it works fine. But the session ends with the timeout xlate (10 minutes on tests). If you increase this time, you will increase your memory usage with xlate contexts.

So, for my point of view:

1.Use of inspection has performance problems and a lot of side effects.

2.Integration with Websense works fine.

3.Http Authorization can consume too much memory and users will become very nervous.

4.VPN works like version 6.3.5 (lan-to-lan) and IPSEC over TCP will solve a lot of problems due to the fact that in Brazil ISP?s are filtering or reducing priority of UDP traffic (to avoid VoIP).

That?s all.

Thank you for your help, and if you desire more information send a e-mail.

Franzin

New Member

Re: Dynamic L2L VPN on a PIX 525

Hi Franzin,

You're a great help. Thanks for sharing the result of your tests. I've been struggling to make the VPN link between a hub site with PIX 515-E (with static link) and a spoke site with a n 1841 (dynamic link (ADSL).

Just added the line (which I guess is the key to make this work) and the pre-shared key and boom, the link is back. If it's possible to rate 10, I would for this post.

tunnel-group-map default-group DefaultL2LGroup

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key *********

Thanks once again.

Archie

New Member

Re: Dynamic L2L VPN on a PIX 525

I configured as per your template and I am getting like attached debug message. It seems to process L2L default group, pass Phase-1 successfully but then doesn't end cleanly. Any ideas?

I substituted my remote firewall(pix-501) outside interface address(dhcp client) with xx.xx.xx.xx for security reasons.

Thanks in advance,

Sam

Re: Dynamic L2L VPN on a PIX 525

Hello, looiking through your logs:

Sep 27 17:38:08 [IKEv1]: Group = DefaultL2LGroup, IP = XX.XX.XX.XX, All IPSec SA proposals found unacceptable!

Looks to me like you don't have the same settings on both side check that your using the same transform sets.

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside_map 10 match address vpn-acl-site1

crypto map outside_map 10 set peer x.x.x.x

crypto map outside_map 10 set transform-set ESP-3DES-MD5

New Member

Re: Dynamic L2L VPN on a PIX 525

You are correct. I had dynamic map with 2 instances. e.g.

crypto dynamic-map client-vpn 98 set transform-set aes256-sha 3des-sha

crypto dynamic-map client-vpn 99 set transform-set 3des-sha

My dynamic map was using 3des-sha which was lower in priority and never getting evaluated. I changed it to single entry like below and it worked after that.

crypto dynamic-map client-vpn 98 set transform-set aes256-sha 3des-sha

This one is solved.

I have another firewall where it keep evaluating against default-RA-Group for some reason. My config and debug is as below.

tunnel-group DefaultL2LGroup ipsec-attributes

pre-shared-key *

tunnel-group-map default-group DefaultL2LGroup

Sanitized DEBUG:

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Received Cisco Unity client VID

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing VID payload

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 000000a5)

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing NAT-Discovery payload

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, computing NAT Discovery hash

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, processing NAT-Discovery payload

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, computing NAT Discovery hash

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing ke payload

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing nonce payload

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing Cisco Unity VID payload

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing xauth V6 VID payload

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send IOS VID

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing VID payload

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing NAT-Discovery payload

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, computing NAT Discovery hash

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, constructing NAT-Discovery payload

Oct 12 12:47:34 [IKEv1 DEBUG]: IP = xx.xx.xx.xx, computing NAT Discovery hash

Oct 12 12:47:34 [IKEv1]: IP = xx.xx.xx.xx, Connection landed on tunnel_group DefaultRAGroup

Oct 12 12:47:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, Generating keys for Responder...

Oct 12 12:47:34 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304

Oct 12 12:47:34 [IKEv1]: IP = xx.xx.xx.xx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64

Oct 12 12:47:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, processing ID payload

Oct 12 12:47:34 [IKEv1 DECODE]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, ID_IPV4_ADDR ID received

xx.xx.xx.xx

Oct 12 12:47:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, processing hash payload

Oct 12 12:47:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, Computing hash for ISAKMP

Oct 12 12:47:34 [IKEv1]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

Oct 12 12:47:34 [IKEv1]: IP = xx.xx.xx.xx, Connection landed on tunnel_group DefaultRAGroup

Oct 12 12:47:34 [IKEv1]: Group = DefaultRAGroup, IP = xx.xx.xx.xx, Freeing previously allocated memory for authorization-dn-attributes

Any ideas?

Re: Dynamic L2L VPN on a PIX 525

Hello,

Is this suppose to by a dynamic VPN on this firewall and which device is this debug from?

Patrick

New Member

Re: Dynamic L2L VPN on a PIX 525

Debug is from the ASA5520 that terminates dynamic lan-to-lan tunnels. PIX 6.3.5 code always worked because of its support for

isakmp key ****** 0.0.0.0 capability. ASAs are really pain for dynamic VPNs.

Green

Re: Dynamic L2L VPN on a PIX 525

I was able to get something similar to this working a while back. The one thing was that it took 8-10 minutes for the tunnel to come up. It would continue to land on DefaultRAGroup for a while until it finally landed on the L2L group and the tunnel came up.

Re: Dynamic L2L VPN on a PIX 525

Hello,

Well it sounds like your trying to do an EZVPN which requires these things. Without seeing your full config I would not really be able to tell you whats going on.

Here is a link to setup ezvpn.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml

There is another way to do the L2L with a dynamic ip address on the remote end but I don't have time to go into that right this second.

Patrick

New Member

Re: Dynamic L2L VPN on a PIX 525

Patrick,

Thanks a lot for the link. What I am trying to achieve is dynamic-to-static ipsec VPN not ezvpn. Below is an example link. I need equivalent of this on the ASA working.

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

Whenever you have time, I would appreciate any information on another way you just mentioned.

My sanitized config is attached.

Re: Dynamic L2L VPN on a PIX 525

could you post your config for the remote end also.

Patrick

New Member

Re: Dynamic L2L VPN on a PIX 525

Here is the remote site config which runs PIX-525 IOS 6.3.5.

Re: Dynamic L2L VPN on a PIX 525

Hello,

So here is what you need at your central site to match the incomming l2l vpn. I think this should take care of your problem. If your still haveing problems with Authentication you can edit the "group-policy DefaultL2LGroup attributes" and disable user-authentication. Shooting from the hip on that group-policy.

******************************* ASA Central Site

!make this central acl exacly opposite of your remote acl.

access-list l2l-central-remote permit ip object-group my-net(local subnet) object-group your-net(remote subnet)

crypto map vpn-map 20 match address l2l-central-remote

crypto map vpn-map 20 set transform-set AES256-SHA

********************525 Remote Site**** Just some clean up easier to read long term.

!Just a little clean up easier to track long term

no isakmp policy 31 authentication pre-share

no isakmp policy 31 encryption aes-256

no isakmp policy 31 hash sha

no isakmp policy 31 group 2

no isakmp policy 31 lifetime 86400

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption aes-256

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

Patrick

New Member

Re: Dynamic L2L VPN on a PIX 525

Patrick,

These didn't help. When I run those 2 entries on central site, I get incomplete map message and it doesn't work.

my ASA(config)# crypto map vpn-map 500 match address l2l-central-remote

WARNING: The crypto map entry is incomplete!

my ASA(config)# crypto map vpn-map 500 set transform-se aes256-sha

WARNING: The crypto map entry is incomplete!

I fixed my issue by re-keying both ends. On Default-L2L-Group key and for remote site "isakmp key xxxxx address xx.xx.xx.xx" entry.

I guess, my keys were incorrect hence it wasn't matching on L2LGroup and falling back to RAGroup.

596
Views
15
Helpful
18
Replies
CreatePlease to create content