Remote access VPN not working

Naresh Kumar
Level 1

Hi all,

I am bad at configuring the Remote Access VPN. Please help me on this. I use 3DES & AES; we don't have the license.

I have tried using "sysopt connection permit-vpn".

I have tried using both "same-security-traffic permit inter-interface" and "same-security-traffic permit intra-interface", no luck. Please help me on this.


VPN configuration - configured using IPsec-Wizard

      access-list omsir_splitTunnelAcl standard permit 10.xxx.xxx.0 255.255.255.0
      access-list Inside_nat0_outbound_1 line 1 extended permit ip 10.xxx.xxx.0 255.255.255.0 10.xxx.xxx.0 255.255.255.0
      sysopt connection permit-vpn
      ip local pool ip-pool 10.xxx.xxx.1-10.xxx.xxx.1 mask 255.255.255.0
      group-policy omsir internal
      group-policy omsir attributes
        vpn-tunnel-protocol IPSec
        split-tunnel-policy tunnelspecified
        split-tunnel-network-list value omsir_splitTunnelAcl
        dns-server value 10.xxx.xxx.x
        default-domain value domain.in
      tunnel-group omsir type remote-access
      tunnel-group omsir general-attributes
        default-group-policy omsir
        address-pool ip-pool
      tunnel-group omsir ipsec-attributes
        pre-shared-key **********
      crypto isakmp policy 10 authen pre-share
      crypto isakmp policy 10 encrypt des
      crypto isakmp policy 10 hash sha
      crypto isakmp policy 10 group 2
      crypto isakmp policy 10 lifetime 86400
      crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
      crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
      crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
      crypto map Outside_map interface Outside
      nat (Inside) 0 access-list Inside_nat0_outbound_1 tcp 0 0 udp 0

ASA logs - I have attached

Cisco VPN client - log

Cisco Systems VPN Client Version 5.0.03.0530
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7600
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1      18:37:37.296  02/13/13  Sev=Info/4          CM/0x63100002
Begin connection process

2      18:37:37.301  02/13/13  Sev=Info/4          CM/0x63100004
Establish secure connection

3      18:37:37.302  02/13/13  Sev=Info/4          CM/0x63100024
Attempt connection with server "1xx.xxx.xx2"

4      18:37:37.307  02/13/13  Sev=Info/6          CM/0x6310002F
Allocated local TCP port 49661 for TCP connection.

5      18:37:39.465  02/13/13  Sev=Info/4          CM/0x63100029
TCP connection established on port 21000 with server "1xx.xxx.xx2"

6      18:37:39.979  02/13/13  Sev=Info/4          CM/0x63100024
Attempt connection with server "1xxx.xxx..2"

7      18:37:39.985  02/13/13  Sev=Info/6          IKE/0x6300003B
Attempting to establish a connection with 1.xxx.xxx.2.

8      18:37:40.000  02/13/13  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Unity)) to 1xx.xxx.xx2

9      18:37:40.234  02/13/13  Sev=Info/5          IKE/0x6300002F
Received ISAKMP packet: peer = 1xx.xxx.xx2

10     18:37:40.234  02/13/13  Sev=Info/4          IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 1xx.xxx.xx2

11     18:37:40.237  02/13/13  Sev=Info/5          IKE/0x6300002F
Received ISAKMP packet: peer = 1xx.xxx.xx2

12     18:37:40.237  02/13/13  Sev=Info/4          IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 1xx.xxx.xx2

13     18:37:40.237  02/13/13  Sev=Info/5          IKE/0x63000073
All fragments received.

14     18:37:40.237  02/13/13  Sev=Warning/2          IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)

15     18:37:40.237  02/13/13  Sev=Info/4          IKE/0xE30000A6
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)

16     18:37:40.237  02/13/13  Sev=Warning/3          IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

17     18:37:45.050  02/13/13  Sev=Info/4          IKE/0x63000021
Retransmitting last packet!

18     18:37:45.050  02/13/13  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 1xx.xxx.xx2

19     18:37:50.119  02/13/13  Sev=Info/4          IKE/0x63000021
Retransmitting last packet!

20     18:37:50.119  02/13/13  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 1xx.xxx.xx2

21     18:37:55.189  02/13/13  Sev=Info/4          IKE/0x63000021
Retransmitting last packet!

22     18:37:55.189  02/13/13  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 1xx.xxx.xx2

23     18:38:00.260  02/13/13  Sev=Info/4          IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=BC4CAF815963A8E4 R_Cookie=FBAF8068234A4675) reason = DEL_REASON_PEER_NOT_RESPONDING

24     18:38:00.777  02/13/13  Sev=Info/4          IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=BC4CAF815963A8E4 R_Cookie=FBAF8068234A4675) reason = DEL_REASON_PEER_NOT_RESPONDING

25     18:38:00.778  02/13/13  Sev=Info/4          CM/0x63100014
Unable to establish Phase 1 SA with server "1xx.xxx.xx2" because of "DEL_REASON_PEER_NOT_RESPONDING"

26     18:38:00.778  02/13/13  Sev=Info/5          CM/0x63100025
Initializing CVPNDrv

27     18:38:00.779  02/13/13  Sev=Info/4          CM/0x6310002D
Resetting TCP connection on port 21000

28     18:38:00.779  02/13/13  Sev=Info/6          CM/0x63100030
Removed local TCP port 49661 for TCP connection.

29     18:38:00.782  02/13/13  Sev=Info/6          CM/0x63100046
Set tunnel established flag in registry to 0.

30     18:38:00.783  02/13/13  Sev=Info/4          IKE/0x63000001
IKE received signal to terminate VPN connection

ASA Running Config

interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif Inside
 security-level 100
!
interface GigabitEthernet0/2
 nameif Outside
 security-level 0
!
object-group service VPN-Protocols
 service-object esp
 service-object tcp eq 21000
 service-object udp eq 4500
 service-object udp eq 62515
 service-object udp eq isakmp
** Outside interface access list for allowing the VPN traffic **
access-list Ajira_all_traffic extended permit object-group VPN-Protocols any host 1xx.xxx.xxx
****************************************************************
access-list omsir_splitTunnelAcl standard permit Server-Segment 255.255.255.0
access-list Inside_nat0_outbound_1 extended permit ip Server-Segment 255.255.255.0 1xx.xxx.xxx 255.255.255.0
ip local pool ip-pool 1xx.xxx.xx1-1xx.xxx.254 mask 255.255.255.0
nat-control
nat (Inside) 0 access-list Inside_nat0_outbound_1
nat (DMZ) 0 access-list DMZ_nat0_outbound outside
access-group Inside_user_access_outside in interface Inside
access-group Ajira_all_traffic in interface Outside
route Outside 0.0.0.0 0.0.0.0 1xx.xxx.xx1
route Inside 10.xxx.xxx.0 255.255.255.0 1xx.xxx.xx1
no sysopt connection reclassify-vpn
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 21000
group-policy omsir internal
group-policy omsir attributes
 dns-server value 1xx.xxx.xxx
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value omsir_splitTunnelAcl
 default-domain value agilitylogistics.in
username omsir password DfOF7Lvb0gImB1nE encrypted
tunnel-group omsir type remote-access
tunnel-group omsir general-attributes
 address-pool ip-pool
 default-group-policy omsir
tunnel-group omsir ipsec-attributes
 pre-shared-key omsir@123
!
class-map Application_Traffic
 match access-list Application
class-map Application
 match access-list Application
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
policy-map Allplication_all_traffic
 class Ajira_traffic
  inspect http
policy-map type inspect http application_inspect
 parameters
  spoof-server "private"
  protocol-violation action drop-connection
 match req-resp content-type mismatch
  drop-connection log
!
service-policy global_policy global
service-policy Ajira_all_traffic interface Outside
prompt hostname context
Cryptochecksum:217e09da15ede39a7a759eca8c84268f
: end
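The client log in the post has a fixed shape: a header line (sequence number, time, date, severity, component/event code) followed by the message text on the next line, which makes it easy to triage mechanically. The following Python is an added example, not code from the thread or from Cisco; it pairs header and message lines, then reports the warnings, the number of aggressive-mode retransmissions and the Phase 1 failure reason. The sample log is a shortened copy of the entries posted above.

```python
import re
# Header line of a Cisco VPN Client log entry; the message text follows on the next line.
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d:.]+)\s+(?P<date>[\d/]+)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<comp>\w+)/0x(?P<code>[0-9A-Fa-f]+)$"
)
PHASE1_FAIL_RE = re.compile(r'Unable to establish Phase 1 SA with server "([^"]+)" because of "([^"]+)"')

def parse_client_log(text):
    """Pair each header line with the message line that follows it; banner lines are skipped."""
    events, header = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
        elif header is not None:
            events.append({"seq": int(header["seq"]), "sev": header["sev"],
                           "comp": header["comp"], "code": header["code"].upper(), "msg": line})
            header = None
    return events

def summarize_ike(events):
    """Collect warnings, count aggressive-mode retransmissions and extract the Phase 1 failure reason."""
    summary = {"warnings": [], "retransmissions": 0, "peer": None, "phase1_failure": None}
    for ev in events:
        if ev["sev"] == "Warning":
            summary["warnings"].append(ev["msg"])
        if ev["comp"] == "IKE" and "(Retransmission)" in ev["msg"]:
            summary["retransmissions"] += 1
        m = PHASE1_FAIL_RE.search(ev["msg"])
        if m:
            summary["peer"], summary["phase1_failure"] = m.group(1), m.group(2)
    return summary

# Shortened copy of the client log posted in the thread (blank lines removed).
SAMPLE_LOG = """Cisco Systems VPN Client Version 5.0.03.0530
8      18:37:40.000  02/13/13  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Unity)) to 1xx.xxx.xx2
14     18:37:40.237  02/13/13  Sev=Warning/2          IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
18     18:37:45.050  02/13/13  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 1xx.xxx.xx2
20     18:37:50.119  02/13/13  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 1xx.xxx.xx2
25     18:38:00.778  02/13/13  Sev=Info/4          CM/0x63100014
Unable to establish Phase 1 SA with server "1xx.xxx.xx2" because of "DEL_REASON_PEER_NOT_RESPONDING"
"""

def analyze_sample():
    return summarize_ike(parse_client_log(SAMPLE_LOG))
```

A peer that answers the first aggressive-mode message with a malformed notify and then goes silent shows up here as warnings plus a non-zero retransmission count, which distinguishes it from a plain network timeout with no reply at all.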

1 Reply

Naresh Kumar
Level 1

Hi, I have solved the issue. After enabling the demo 3DES & AES license, my VPN is now connecting.

https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139

Thanks to friend "Jennifer Halim".
