02-13-2013 06:01 AM - edited 02-21-2020 06:41 PM
Hi all
I am bad at configuring the Remote Access VPN. Please help me on this. I use 3DES & AES; we don't have the license.
I have tried using "sysopt connection permit-vpn".
I have tried using both "same-security-traffic permit inter-interface" and "same-security-traffic permit intra-interface", with no luck. Please help me on this.
VPN configuration (configured using the IPsec wizard):
access-list omsir_splitTunnelAcl standard permit 10.xxx.xxx.0 255.255.255.0
access-list Inside_nat0_outbound_1 line 1 extended permit ip 10.xxx.xxx.0 255.255.255.0 10.xxx.xxx.0 255.255.255.0
sysopt connection permit-vpn
ip local pool ip-pool 10.xxx.xxx.1-10.xxx.xxx.1 mask 255.255.255.0
group-policy omsir internal
group-policy omsir attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value omsir_splitTunnelAcl
dns-server value 10.xxx.xxx.x
default-domain value domain.in
tunnel-group omsir type remote-access
tunnel-group omsir general-attributes
default-group-policy omsir
address-pool ip-pool
tunnel-group omsir ipsec-attributes
pre-shared-key **********
crypto isakmp policy 10 authen pre-share
crypto isakmp policy 10 encrypt des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
nat (Inside) 0 access-list Inside_nat0_outbound_1 tcp 0 0 udp 0
ASA logs: I have attached them.
Cisco VPN client log:
Cisco Systems VPN Client Version 5.0.03.0530
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7600
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
1 18:37:37.296 02/13/13 Sev=Info/4 CM/0x63100002
Begin connection process
2 18:37:37.301 02/13/13 Sev=Info/4 CM/0x63100004
Establish secure connection
3 18:37:37.302 02/13/13 Sev=Info/4 CM/0x63100024
Attempt connection with server "1xx.xxx.xx2"
4 18:37:37.307 02/13/13 Sev=Info/6 CM/0x6310002F
Allocated local TCP port 49661 for TCP connection.
5 18:37:39.465 02/13/13 Sev=Info/4 CM/0x63100029
TCP connection established on port 21000 with server "1xx.xxx.xx2"
6 18:37:39.979 02/13/13 Sev=Info/4 CM/0x63100024
Attempt connection with server "1xxx.xxx..2"
7 18:37:39.985 02/13/13 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 1.xxx.xxx.2.
8 18:37:40.000 02/13/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Unity)) to 1xx.xxx.xx2
9 18:37:40.234 02/13/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 1xx.xxx.xx2
10 18:37:40.234 02/13/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 1xx.xxx.xx2
11 18:37:40.237 02/13/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 1xx.xxx.xx2
12 18:37:40.237 02/13/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO (FRAG) from 1xx.xxx.xx2
13 18:37:40.237 02/13/13 Sev=Info/5 IKE/0x63000073
All fragments received.
14 18:37:40.237 02/13/13 Sev=Warning/2 IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)
15 18:37:40.237 02/13/13 Sev=Info/4 IKE/0xE30000A6
Invalid payload: Stated payload length, 568, is not sufficient for Notification:(PayloadList:149)
16 18:37:40.237 02/13/13 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
17 18:37:45.050 02/13/13 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
18 18:37:45.050 02/13/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 1xx.xxx.xx2
19 18:37:50.119 02/13/13 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
20 18:37:50.119 02/13/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 1xx.xxx.xx2
21 18:37:55.189 02/13/13 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
22 18:37:55.189 02/13/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 1xx.xxx.xx2
23 18:38:00.260 02/13/13 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=BC4CAF815963A8E4 R_Cookie=FBAF8068234A4675) reason = DEL_REASON_PEER_NOT_RESPONDING
24 18:38:00.777 02/13/13 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=BC4CAF815963A8E4 R_Cookie=FBAF8068234A4675) reason = DEL_REASON_PEER_NOT_RESPONDING
25 18:38:00.778 02/13/13 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "1xx.xxx.xx2" because of "DEL_REASON_PEER_NOT_RESPONDING"
26 18:38:00.778 02/13/13 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
27 18:38:00.779 02/13/13 Sev=Info/4 CM/0x6310002D
Resetting TCP connection on port 21000
28 18:38:00.779 02/13/13 Sev=Info/6 CM/0x63100030
Removed local TCP port 49661 for TCP connection.
29 18:38:00.782 02/13/13 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
30 18:38:00.783 02/13/13 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
ASA Running Config
interface GigabitEthernet0/0
speed 1000
duplex full
nameif Inside
security-level 100
!
interface GigabitEthernet0/2
nameif Outside
security-level 0
!
object-group service VPN-Protocols
service-object esp
service-object tcp eq 21000
service-object udp eq 4500
service-object udp eq 62515
service-object udp eq isakmp
** outside Interface Access List for allowing the VPN Traffic**
access-list Ajira_all_traffic extended permit object-group VPN-Protocols any host 1xx.xxx.xxx
****************************************************************
access-list omsir_splitTunnelAcl standard permit Server-Segment 255.255.255.0
access-list Inside_nat0_outbound_1 extended permit ip Server-Segment 255.255.255.0 1xx.xxx.xxx 255.255.255.0
ip local pool ip-pool 1xx.xxx.xx1-1xx.xxx.254 mask 255.255.255.0
nat-control
nat (Inside) 0 access-list Inside_nat0_outbound_1
nat (DMZ) 0 access-list DMZ_nat0_outbound outside
access-group Inside_user_access_outside in interface Inside
access-group Ajira_all_traffic in interface Outside
route Outside 0.0.0.0 0.0.0.0 1xx.xxx.xx1
route Inside 10.xxx.xxx.0 255.255.255.0 1xx.xxx.xx1
no sysopt connection reclassify-vpn
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 21000
group-policy omsir internal
group-policy omsir attributes
dns-server value 1xx.xxx.xxx
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value omsir_splitTunnelAcl
default-domain value agilitylogistics.in
username omsir password DfOF7Lvb0gImB1nE encrypted
tunnel-group omsir type remote-access
tunnel-group omsir general-attributes
address-pool ip-pool
default-group-policy omsir
tunnel-group omsir ipsec-attributes
pre-shared-key omsir@123
!
class-map Application_Traffic
match access-list Application
class-map Application
class-map Application
match access-list Application
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
policy-map Allplication_all_traffic
class Ajira_traffic
inspect http
policy-map type inspect http application_inspect
parameters
spoof-server "private"
protocol-violation action drop-connection
match req-resp content-type mismatch
drop-connection log
!
service-policy global_policy global
service-policy Ajira_all_traffic interface Outside
prompt hostname context
Cryptochecksum:217e09da15ede39a7a759eca8c84268f
: end
02-14-2013 02:34 AM
Hi, I have solved the issue. After enabling the demo 3DES & AES license, my VPN is now connecting.
https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=139
Thanks to my friend "Jennifer Halim".
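As an added example (not code from the thread or from Cisco), a small Python audit that parses an ASA running config's IKEv1 phase 1 policies, in both the block form and the one-line form the IPsec wizard writes as seen above, and reports when nothing stronger than single DES is offered, which is the state the demo 3DES/AES license fixed here. The sample config is constructed to mirror the thread's DES-only policy; the attribute normalisation and finding format are this example's own.

```python
"""Audit a Cisco ASA running config's IKEv1 phase 1 policies for single-DES-only
proposals, the condition in the thread above (no 3DES/AES licence)."""
WEAK = {"encr": {"des"}, "hash": {"md5"}, "group": {"1", "2"}}  # weak values per attribute
# Both ASA spellings of the policy attributes, normalised to one key.
ALIASES = {"authentication": "auth", "authen": "auth", "encryption": "encr",
           "encrypt": "encr", "hash": "hash", "group": "group", "lifetime": "lifetime"}

def parse_isakmp_policies(config):
    """Map policy number -> {attr: value}. Accepts the block form ('crypto isakmp policy 10'
    then 'encryption des' lines) and the wizard's one-line form ('crypto isakmp policy 10 encrypt des')."""
    policies, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if words[:3] == ["crypto", "isakmp", "policy"] and len(words) >= 4:
            current = policies.setdefault(words[3], {})
            words = words[4:]                  # one-line form: the attribute follows the number
        elif not words or words[0] not in ALIASES:
            current = None                     # any other command ends the policy block
            continue
        if current is not None and len(words) == 2:
            current[ALIASES[words[0]]] = words[1]
    return policies

def audit(config):
    """Return (des_only, findings): des_only is True when every phase 1 policy encrypts with
    single DES (a client proposing 3DES/AES then matches nothing); findings lists weak attributes."""
    policies = parse_isakmp_policies(config)
    findings = sorted(f"policy {num}: {attr} {val}"
                      for num, p in policies.items()
                      for attr, val in p.items() if val in WEAK.get(attr, ()))
    des_only = bool(policies) and all(p.get("encr") == "des" for p in policies.values())
    return des_only, findings

# Constructed sample mirroring the thread's DES-only phase 1 config in both syntaxes
# (not the poster's full config; addresses and keys omitted).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
crypto isakmp policy 20 authen pre-share
crypto isakmp policy 20 encrypt des
crypto isakmp policy 20 hash md5
crypto isakmp ipsec-over-tcp port 21000
group-policy omsir internal
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```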