Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
483
Views
0
Helpful
3
Replies

L2TP with DES encryption using ASA 5505-K8

porodnoves
Level 1
Level 1

‎08-13-2014 09:39 AM

Hi all,


I have ASA 5505-K8. K8 means that it is NPE (No Payload Encryption) without support of 3DES and RSA. I want to set up a VPN connection to its inside network. It is required that built-in Windows (including Win 7) VPN-client could connect to it.

Here's what I currently have:

 

Config:
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
clear config dhcpd
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.5.1.200 255.255.255.0
 no shutdown
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.4.33 255.255.255.0
 no shutdown
!
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
interface Ethernet0/1
 switchport access vlan 1
 no shutdown
!
interface Ethernet0/2
 switchport access vlan 1
 no shutdown
!
interface Ethernet0/3
 switchport access vlan 1
 no shutdown
!
interface Ethernet0/4
 switchport access vlan 1
 no shutdown
!
interface Ethernet0/5
 switchport access vlan 1
 no shutdown
!
interface Ethernet0/6
 switchport access vlan 1
 no shutdown
!
interface Ethernet0/7
 switchport access vlan 1
 no shutdown
!
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.168.5.101
 name-server 192.168.5.202
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.5.1.201-10.5.1.211
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
crypto isakmp enable outside
!
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec transform-set ESP-DES-MD5_TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5_TRANS mode transport
crypto dynamic-map DYN_OUTSIDE 20 set transform-set ESP-DES-MD5_TRANS
crypto map MAP_OUTSIDE 20 ipsec-isakmp dynamic DYN_OUTSIDE
crypto map MAP_OUTSIDE interface outside
!
group-policy L2TP_IPSEC internal
group-policy L2TP_IPSEC attributes
 vpn-tunnel-protocol l2tp-ipsec
!
telnet timeout 5
ssh timeout 5
console timeout 0
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password iYb1uda7WlEYsoDvQIotKg== nt-encrypted
!

tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool
 default-group-policy L2TP_IPSEC
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key ******
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
: end

 

I also tried replaceing
crypto ipsec transform-set ESP-DES-MD5_TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5_TRANS mode transport
crypto dynamic-map DYN_OUTSIDE 20 set transform-set ESP-DES-MD5_TRANS
with
crypto ipsec transform-set ESP-DES-SHA1_TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA1_TRANS mode transport
crypto dynamic-map DYN_OUTSIDE 20 set transform-set ESP-DES-SHA1_TRANS

My windows VPN-client settings are:
Host name or IP-address: 192.168.4.33
Type of VPN-connection: L2TP IPsec VPN (pre-share key is provided)
Encryption: I've tried all the options.
Authentication: MS-CHAP v2

I've also switched on using of DES for VPN in registry:

[hkey_local_machine\system\currentcontrolset\services\rasman\parameters]
"AllowL2TPWeakCrypto"=dword:00000001

My laptop is connected directly to ASA's ethernet 0/0 port.

In logs it says  All SA proposals found unacceptable.


Log output:
%ASA-7-713236: IP = 192.168.4.30, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 492
%ASA-7-715047: IP = 192.168.4.30, processing SA payload
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
%ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
%ASA-7-713236: IP = 192.168.4.30, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 360
%ASA-7-713906: IP = 192.168.4.30, All SA proposals found unacceptable
%ASA-3-713048: IP = 192.168.4.30, Error processing payload: Payload ID: 1
%ASA-7-715065: IP = 192.168.4.30, IKE MM Responder FSM error history (struct &0xc6f93d18)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_START, EV_RCV_MSG-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM-->MM_START, EV_START_MM
%ASA-7-713906: IP = 192.168.4.30, IKE SA MM:1e335531 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
%ASA-7-713906: IP = 192.168.4.30, sending delete/delete with reason message

What am I doing wrong?

Labels:
0 Helpful
3 Replies 3

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎08-13-2014 11:55 AM

All ASA images are K8. 

To obtain free 3DES/AES license:

https://supportforums.cisco.com/document/67701/asa-versions-image-names-and-licensing#Free_3DESAES_license:

 

It is very possible that Windows7 does not support DES (same way it does not support MD5). 

 

M.

0 Helpful

porodnoves
Level 1
Level 1
In response to Marcin Latosiewicz

‎08-13-2014 10:15 PM

I have an NPE image. NPE means No Payload Encryption. This type of image doesn't support strong encryption even if 3DES/AES license is installed.

This is because of the laws in my country. They allow using hardware with strong encryption algorithms only after you get a special allowanse. That's why I have to use DES.

0 Helpful

porodnoves
Level 1
Level 1

‎08-13-2014 10:21 PM

I have finally made it to connect to cisco using VPN.

The problem was that windows client needed DH group 1.

So after changing group 2 to group 1 in crypto isakmp policy 10 everything gone right.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents