Chromebook L2TP/IPSec to ASA 5510

RyanJohnstone
Level 1

Hello,

I am having trouble getting a Chromebook to establish a Remote Access VPN connection using L2TP/IPsec to a Cisco ASA 5510 running 7.2(5)12.

Running a debug crypto isakmp 5, I am seeing the following logs (IPs changed...)

Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, Oakley proposal is acceptable

Jan 06 09:58:06 [IKEv1 DEBUG]: IP = 1.1.1.1, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 4

Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group DefaultRAGroup

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device

Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Connection landed on tunnel_group DefaultRAGroup

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Freeing previously allocated memory for authorization-dn-attributes

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED

Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD

Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, Starting P1 rekey timer: 8100 seconds.

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED

Jan 06 09:58:06 [IKEv1]: IP = 1.1.1.1, Keep-alive type for this connection: DPD

Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, Starting P1 rekey timer: 8100 seconds.

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Received remote Proxy Host data in ID Payload:  Address 3.3.3.3, Protocol 17, Port 1701

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Received local Proxy Host data in ID Payload:  Address 2.2.2.2, Protocol 17, Port 1701

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, L2TP/IPSec session detected.

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, QM IsRekeyed old sa not found by addr

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Static Crypto Map check, checking map = outside_map, seq = 1...

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:1.1.1.1 dst:2.2.2.2

Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, IKE Remote Peer configured for crypto map: outside_dyn_map0

Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, processing IPSec SA payload

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, All IPSec SA proposals found unacceptable!

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, QM FSM error (P2 struct &0x3d48800, mess id 0xce12c3dc)!

Jan 06 09:58:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 1.1.1.1, IKE QM Responder FSM error history (struct &0x3d48800)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH

Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Removing peer from correlator table failed, no match!

1.1.1.1 = Remote NAT address for chromebook

2.2.2.2 = ASA 5510 acting as Remote Access termination point

3.3.3.3 = Chromebook private address

I noticed that the Chromebook is appearing as the remote proxy ID but later on it is looking for the NAT address applied to the Chromebook.  Not sure if this is the cause or how to fix it if it is.

Can someone advise, please?

Thanks

Ryan
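
Added example, not part of the original post: a Python triage script that reads ASA `debug crypto isakmp` lines in the format shown above and collects the facts the post discusses (NAT detection, proxy IDs, crypto map checks, the Phase 2 rejection). The sample lines are constructed from the log format in the post; the function and field names are assumptions of this example.

```python
import re

# Constructed sample: lines in the format of the debug output quoted in the post.
SAMPLE = """\
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, PHASE 1 COMPLETED
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Received remote Proxy Host data in ID Payload:  Address 3.3.3.3, Protocol 17, Port 1701
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Received local Proxy Host data in ID Payload:  Address 2.2.2.2, Protocol 17, Port 1701
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:1.1.1.1 dst:2.2.2.2
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, IKE Remote Peer configured for crypto map: outside_dyn_map0
Jan 06 09:58:06 [IKEv1]: Group = DefaultRAGroup, IP = 1.1.1.1, All IPSec SA proposals found unacceptable!
"""

LINE = re.compile(r"^\w{3} \d{2} [\d:]{8} \[IKEv1(?: DEBUG)?\]: (?:Group = (?P<group>[^,]+), )?IP = (?P<peer>[\d.]+), (?P<msg>.*)$")
PROXY = re.compile(r"Received (remote|local) Proxy Host data in ID Payload:\s+Address ([\d.]+), Protocol (\d+), Port (\d+)")
NAT = re.compile(r"Remote end\s+(IS|is NOT)\s+behind a NAT device")
ACL = re.compile(r"map = ([^,\s]+), seq = (\d+), ACL does not match proxy IDs src:([\d.]+) dst:([\d.]+)")
DYN = re.compile(r"IKE Remote Peer configured for crypto map: (\S+)")

def summarize(text):
    """Collect per-negotiation facts from IKEv1 debug lines; unknown lines are skipped."""
    s = {"peer": None, "group": None, "phase1": False, "remote_behind_nat": None,
         "proxy": {}, "acl_mismatch": [], "selected_map": None, "phase2_rejected": False}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        s["peer"], msg = m["peer"], m["msg"]
        s["group"] = m["group"] or s["group"]
        if "PHASE 1 COMPLETED" in msg:
            s["phase1"] = True
        if "All IPSec SA proposals found unacceptable" in msg:
            s["phase2_rejected"] = True
        if (n := NAT.search(msg)):
            s["remote_behind_nat"] = n[1] == "IS"
        if (p := PROXY.search(msg)):
            s["proxy"][p[1]] = (p[2], int(p[3]), int(p[4]))  # (address, protocol, port)
        if (a := ACL.search(msg)):
            s["acl_mismatch"].append((a[1], int(a[2]), a[3], a[4]))
        if (d := DYN.search(msg)):
            s["selected_map"] = d[1]
    # Flag the observation from the post: the remote proxy ID is not the IKE peer address.
    remote = s["proxy"].get("remote")
    s["remote_id_differs_from_peer"] = bool(remote) and remote[0] != s["peer"]
    return s

if __name__ == "__main__":
    for k, v in summarize(SAMPLE).items():
        print(f"{k}: {v}")
```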
