09-10-2012 12:49 AM - edited 03-11-2019 04:52 PM
Hi,
I have been assigned a task to configure a VPN between a Windows 2008 server and a Cisco ASA 5505. What kind of VPN should I go with, as the Windows 2008 Server R2 is in the cloud, and is it possible to configure a site-to-site VPN for this network scenario or not? I have been searching for information but could not find a solution to the issue. I have tried an IKEv1/IPsec remote access VPN with L2TP (CHAP, MS-CHAP v2) and couldn't find any document that would allow me to configure the Windows 2008 server to behave as a client and connect it to the ASA. What I did is configure a dial-up connection with L2TP, and I found the following debug messages:
Sep 09 20:04:02 [IKEv1 DEBUG]IP = 172.16.32.5, Oakley proposal is acceptable
Sep 09 20:04:02 [IKEv1 DEBUG]IP = 172.16.32.5, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 1
Sep 09 20:04:03 [IKEv1]IP = 172.16.32.5, Connection landed on tunnel_group DefaultRAGroup
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Sep 09 20:04:03 [IKEv1]IP = 172.16.32.5, Connection landed on tunnel_group DefaultRAGroup
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, PHASE 1 COMPLETED
Sep 09 20:04:03 [IKEv1]IP = 172.16.32.5, Keep-alive type for this connection: None
Sep 09 20:04:03 [IKEv1]IP = 172.16.32.5, Keep-alives configured on but peer does not support keep-alives (type = None)
Sep 09 20:04:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 172.16.32.5, Starting P1 rekey timer: 21600 seconds.
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, Received remote Proxy Host data in ID Payload: Address 172.16.32.5, Protocol 17, Port 1701
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, Received local Proxy Host data in ID Payload: Address 192.168.168.2, Protocol 17, Port 0
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, L2TP/IPSec session detected.
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, QM IsRekeyed old sa not found by addr
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
Sep 09 20:04:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 172.16.32.5, processing IPSec SA payload
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, All IPSec SA proposals found unacceptable!
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, QM FSM error (P2 struct &0xbc8c1cd8, mess id 0x1)!
Sep 09 20:04:03 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 172.16.32.5, IKE QM Responder FSM error history (struct &0xbc8c1cd8) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, Removing peer from correlator table failed, no match!
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, Session is being torn down. Reason: Phase 2 Mismatch
Sep 09 20:04:03 [IKEv1]Ignoring msg to mark SA with dsID 1974272 dead because SA deleted
I have also attached my ASA configuration; please find it below.
What are the SA proposals that I can change to make the connection work?
Thanks in advance !!!
Fareed
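Triage logic for the debug output above, as an added example that is not part of the original post: it parses the ASA IKEv1 debug line format, records whether Phase 1 completed, extracts the proxy IDs from the quick-mode ID payloads, and flags the host-to-host UDP/1701 identity that marks an L2TP/IPsec peer, which negotiates transport-mode ESP. The sample lines are a constructed subset of the thread's own output; the finding text is the usual ASA check for this symptom (transform set in transport mode and matching ESP cipher/hash), not a quote from the page.

```python
import re

# ASA IKEv1 debug lines copied from the question above (constructed subset).
SAMPLE_DEBUG = """\
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, PHASE 1 COMPLETED
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, Received remote Proxy Host data in ID Payload: Address 172.16.32.5, Protocol 17, Port 1701
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, Received local Proxy Host data in ID Payload: Address 192.168.168.2, Protocol 17, Port 0
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, L2TP/IPSec session detected.
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, All IPSec SA proposals found unacceptable!
Sep 09 20:04:03 [IKEv1]Group = DefaultRAGroup, IP = 172.16.32.5, Session is being torn down. Reason: Phase 2 Mismatch
"""

# "Mon DD HH:MM:SS [tag]body" is the line shape of the debug output above.
LINE_RE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d \[(?P<tag>[^\]]+)\](?P<body>.*)$")
PROXY_RE = re.compile(r"Received (?P<side>remote|local) Proxy Host data in ID Payload: "
                      r"Address (?P<addr>\S+), Protocol (?P<proto>\d+), Port (?P<port>\d+)")
REASON_RE = re.compile(r"Session is being torn down\. Reason: (?P<reason>.+?)\s*$")

def triage(debug_text):
    # Summarise one IKEv1 negotiation: which phase failed, the proxy IDs, and why.
    s = {"phase1": False, "p2_rejected": False, "proxy": {},
         "reason": None, "l2tp": False, "finding": None}
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        if "PHASE 1 COMPLETED" in body:
            s["phase1"] = True
        if "All IPSec SA proposals found unacceptable" in body:
            s["p2_rejected"] = True
        pm = PROXY_RE.search(body)
        if pm:
            s["proxy"][pm.group("side")] = (pm.group("addr"), int(pm.group("proto")), int(pm.group("port")))
        rm = REASON_RE.search(body)
        if rm:
            s["reason"] = rm.group("reason")
    remote = s["proxy"].get("remote")
    # A host-to-host identity on UDP/1701 is L2TP: the peer offers transport-mode ESP.
    s["l2tp"] = remote is not None and remote[1] == 17 and remote[2] == 1701
    if s["phase1"] and s["p2_rejected"] and s["l2tp"]:
        s["finding"] = ("Phase 1 is fine; Phase 2 rejected the L2TP proposal. Check that the transform "
                        "set on the dynamic crypto map is transport mode and its ESP cipher/hash match Windows.")
    elif s["phase1"] and s["p2_rejected"]:
        s["finding"] = "Phase 1 is fine; Phase 2 mismatch (compare transform sets and proxy IDs)."
    elif not s["phase1"]:
        s["finding"] = "Phase 1 never completed; compare IKE policies and pre-shared keys first."
    return s
```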
10-26-2012 03:13 AM
Hi,
Did you get it to work? In case not, it's possible.
Make sure to change "bi-directional" to "answer-only" in the policy on the ASA.
Use IPsec and L2TP on the ASA and on the W2008, and choose strong encryption here on the W2008.
Make sure that protocol ESP, UDP port 1701 and UDP ports 500 and 4500 are open for communication between the ASA and the W2008 on any firewalls in between.