Unable to set up a VPN between Windows 2008 Server R2 and Cisco ASA 5505?

Hi..

I have been assigned a task to configure a VPN between a Windows 2008 Server and a Cisco ASA 5505. What kind of VPN should I go with, as the Windows 2008 Server R2 is in the cloud, and is it possible to configure a site-to-site VPN for this network scenario or not? I have been searching for information but could not find a solution to the issue. I have tried an IKEv1/IPsec remote access VPN with L2TP (CHAP, MS-CHAP v2) and couldn't find any document that would allow me to configure the Windows 2008 Server to behave as a client and connect it to the ASA. What I did is configure a dial-up connection with L2TP, and I found the following debug messages:

Sep 09 20:04:02 [IKEv1 DEBUG]IP = 172.16.32.5, Oakley proposal is acceptable
Sep 09 20:04:02 [IKEv1 DEBUG]IP = 172.16.32.5, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1
Sep 09 20:04:03 [IKEv1]IP = 172.16.32.5, Connection landed on tunnel_group DefaultRAGroup
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Sep 09 20:04:03 [IKEv1]IP = 172.16.32.5, Connection landed on tunnel_group DefaultRAGroup
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, PHASE 1 COMPLETED
Sep 09 20:04:03 [IKEv1]IP = 172.16.32.5, Keep-alive type for this connection: None
Sep 09 20:04:03 [IKEv1]IP = 172.16.32.5, Keep-alives configured on but peer does not support keep-alives (type = None)
Sep 09 20:04:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 172.16.32.5, Starting P1 rekey timer: 21600 seconds.
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, Received remote Proxy Host data in ID Payload:  Address 172.16.32.5, Protocol 17, Port 1701
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, Received local Proxy Host data in ID Payload:  Address 192.168.168.2, Protocol 17, Port 0
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, L2TP/IPSec session detected.
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, QM IsRekeyed old sa not found by addr
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
Sep 09 20:04:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 172.16.32.5, processing IPSec SA payload
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, All IPSec SA proposals found unacceptable!
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, QM FSM error (P2 struct &0xbc8c1cd8, mess id 0x1)!
Sep 09 20:04:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 172.16.32.5, IKE QM Responder FSM error history (struct &0xbc8c1cd8)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, Removing peer from correlator table failed, no match!
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, Session is being torn down. Reason: Phase 2 Mismatch
Sep 09 20:04:03 [IKEv1]Ignoring msg to mark SA with dsID 1974272 dead because SA deleted

I have also attached my ASA configuration; please find it below.

What are the SA proposals that I can change to make the connection work?

Thanks in advance!!!

Fareed
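As an added example (not part of Fareed's post, the reply, or any Cisco tool), the following Python script parses the ASA IKEv1 debug format shown above and reports which phase of the negotiation failed and why. The sample trace embedded in it is excerpted from the post; the parsing rules and the reading it prints (host-to-host UDP/1701 selectors mean an L2TP/IPsec client, which expects an IPsec transform set in transport mode rather than a site-to-site tunnel) are standard L2TP/IPsec behaviour and an assumption of this example, not something the thread itself states.

```python
"""Triage an ASA 'debug crypto ikev1' trace for an L2TP/IPsec client.

Added example (not from the thread). It splits each line into timestamp,
source, tunnel group, peer IP and message, then decides whether the
failure is in phase 1 (IKE policy / authentication) or phase 2 (IPsec
transform set / proxy IDs) so the operator knows which config to inspect.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Line layout observed in the post: "<Mon DD HH:MM:SS> [IKEv1|IKEv1 DEBUG]"
# followed by optional "Group = X, ", optional "IP = Y, " and the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \[(?P<src>[^\]]+)\]"
    r"(?:Group = (?P<group>[^,]+), )?(?:IP = (?P<ip>[^,]+), )?(?P<msg>.*)$"
)

# Quick-mode proxy identities (the traffic selectors each side proposes).
PROXY_RE = re.compile(
    r"Received (?P<side>remote|local) Proxy Host data in ID Payload:\s+"
    r"Address (?P<addr>\S+), Protocol (?P<proto>\d+), Port (?P<port>\d+)"
)

# Excerpt of the trace from the post above (constructed sample input for this example).
SAMPLE_TRACE = """\
Sep 09 20:04:02 [IKEv1 DEBUG]IP = 172.16.32.5, Oakley proposal is acceptable
Sep 09 20:04:03 [IKEv1]IP = 172.16.32.5, Connection landed on tunnel_group DefaultRAGroup
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, PHASE 1 COMPLETED
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, Received remote Proxy Host data in ID Payload:  Address 172.16.32.5, Protocol 17, Port 1701
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, Received local Proxy Host data in ID Payload:  Address 192.168.168.2, Protocol 17, Port 0
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, L2TP/IPSec session detected.
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, All IPSec SA proposals found unacceptable!
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, Session is being torn down. Reason: Phase 2 Mismatch
Sep 09 20:04:03 [IKEv1]Ignoring msg to mark SA with dsID 1974272 dead because SA deleted
"""


@dataclass
class IkeEvent:
    ts: str
    debug: bool
    group: Optional[str]
    ip: Optional[str]
    msg: str


@dataclass
class Triage:
    peer: Optional[str] = None
    tunnel_group: Optional[str] = None
    phase1_completed: bool = False
    l2tp_session: bool = False
    proxy_ids: Dict[str, Tuple[str, int, int]] = field(default_factory=dict)
    phase2_proposal_rejected: bool = False
    teardown_reason: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[IkeEvent]:
    """Return the structured event for one debug line, or None for non-IKE lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return IkeEvent(ts=m["ts"], debug="DEBUG" in m["src"],
                    group=m["group"], ip=m["ip"], msg=m["msg"].strip())


def triage(lines) -> Triage:
    """Walk the trace in order and summarise how far the negotiation got."""
    t = Triage()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        t.peer = t.peer or ev.ip
        t.tunnel_group = t.tunnel_group or ev.group
        if "PHASE 1 COMPLETED" in ev.msg:
            t.phase1_completed = True
        elif "L2TP/IPSec session detected" in ev.msg:
            t.l2tp_session = True
        elif "All IPSec SA proposals found unacceptable" in ev.msg:
            t.phase2_proposal_rejected = True
        elif ev.msg.startswith("Session is being torn down"):
            t.teardown_reason = ev.msg.split("Reason:", 1)[1].strip()
        pm = PROXY_RE.search(ev.msg)
        if pm:
            t.proxy_ids[pm["side"]] = (pm["addr"], int(pm["proto"]), int(pm["port"]))

    # Interpretation: phase 1 success rules out the IKE policy and authentication.
    if t.phase1_completed:
        t.findings.append("Phase 1 (IKE SA) succeeded: IKE policy and authentication match.")
    else:
        t.findings.append("Phase 1 never completed: check the IKE policy and pre-shared key first.")
    remote = t.proxy_ids.get("remote")
    # Assumption of this example: UDP/1701 host-to-host selectors identify an
    # L2TP/IPsec client, which negotiates transport mode (not a site-to-site tunnel).
    if t.l2tp_session or (remote and remote[1] == 17 and remote[2] == 1701):
        t.findings.append("Peer proposes host-to-host UDP/1701 selectors: this is an L2TP/IPsec "
                          "client, so the ASA needs a transform set in transport mode.")
    if t.phase2_proposal_rejected:
        t.findings.append("Phase 2 failed: no IPsec transform set on the ASA matches the client's "
                          "ESP proposal (algorithms and/or tunnel vs. transport mode).")
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_TRACE.splitlines())
    print(f"peer={result.peer} group={result.tunnel_group} reason={result.teardown_reason}")
    for f in result.findings:
        print(" -", f)
```

Run it against the output of `debug crypto ikev1` saved to a file; the "Phase 1 completed, phase 2 rejected" pattern tells you to stop looking at the IKE policy and compare the ASA's transform sets with what the Windows client sends.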

1 Reply

Ton V Engelen
Level 3

Hi

Did you get it to work? In case not, it's possible.

Make sure to change "bi-directional" to "answer-only" in the policy on the ASA.

Use IPsec and L2TP on the ASA and on the W2008, and choose strong encryption here on the W2008.

Make sure that protocol ESP, UDP port 1701 and UDP ports 500, 4500 are open for communication between the ASA and W2008 on any firewalls in between.
