12-30-2008 01:41 AM - edited 03-04-2019 03:16 AM
Hi All,
Can anyone check out my config and advise where my VPN Config is going wrong. There are two configs required. A Site to Site and a PC to Site.
I am testing the PC to site using VPN Client. If I have no username and password configured in the client I get the challenge for username and password but using my local log-in or the specified username and password does not work.
Essentially, as well as the site to site VPN I need two separate logins under different username/passwords - listed here as Norsonic and Campbell Associates.
Config attached.
Thanks
Adrian
01-05-2009 08:26 AM
Here is the URL for the site-to-site VPN configuration guide; follow the guide, it may help you in troubleshooting.
http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/sitvpn.html
01-08-2009 10:45 AM
*Mar 23 23:09:17.231: ISAKMP:(2005):No IP address pool defined for ISAKMP!
I think this is your problem. :-)
Try this:
ip local pool VPN 192.168.1.100 192.168.1.200
crypto isakmp client configuration group Norsonic
pool VPN
See if that helps :-)
John
01-05-2009 10:02 AM
According to your config, you should be putting a group name and password in. (I may not be understanding the issue.) :-)
The group name would be:
user: Campbell_Associates
pass: qq-campbell
Your normal username prompt should be your local account on the router.
HTH,
John
01-08-2009 06:46 AM
Hi John,
Okay I do have 2 groups in (I think) as:
crypto isakmp client configuration group Norsonic
key qq-norsonic
max-users 3
!
crypto isakmp client configuration group Campbell_Associates
key qq-campbell
If I try to connect with the Campbell Associates group I get the following in the log:
*Mar 23 19:30:00.286: %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 85.159.168.249 was not encrypted and it should've been.
*Mar 23 19:30:38.754: ISAKMP:(0): Support for IKE Fragmentation not enabled
If I try from Norsonic (same system, just different credentials):
*Mar 23 18:49:24.167: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 85.159.168.249
*Mar 23 19:25:45.950: ISAKMP:(0): Support for IKE Fragmentation not enabled
So with two similar configs two different results. I used the SDM to configure for both L2L and Client 2 Lan VPN so unsure where this has gone wrong.
01-08-2009 06:54 AM
Well, you could try to enable fragmentation support:
crypto isakmp fragmentation
We really need to try to figure this out one connection at a time though (L2L vs Software-based). In your software, do you have your group information configured? Do you have logging on in the software client? I would enable it to high for ike and see what happens. After doing that, can you post the results here?
Click Log/Log Settings and pull the IKE drop down to HIGH. Then click Log/Enable. Make your connection attempt. You can also click Log/Log Window and it will show you the connection errors/successes as they happen.
HTH,
John
01-08-2009 07:11 AM
I am now remote from the unit and have ssh login. Is there a command line for this logging that wouldn't shut me out - No real traffic going thru at moment and I can issue a reload in 30 mins command beforehand if need be. These units are remote sites that are unmanned.
To give an idea of what is needed in the config is attached on a drawing:
2 Remote VPN Clients to connect to 6 remote sites and a VPN Terminator.
Six Remote Clients to connect to VPN Terminator.
Client to terminator works. Site to site works in test rig but after I have a successful client to remote site I can test the site to site.
01-08-2009 07:16 AM
"Client to terminator works. Site to site works in test rig but after I have a successful client to remote site I can test the site to site."
So is the original problem fixed? The one where you were not able to log in with the software client?
01-08-2009 07:24 AM
Sorry probably confused you there.
No.
The VPN client to Cisco 857 does not work and is the one I am having issues with (Cisco 857 config posted earlier).
The VPN Client to VPN Terminator (an ASA 5505) does work.
The client needs option to connect to two paths as shown in JPG.
01-08-2009 07:30 AM
Ah, okay. The logging is done in the software and not on the router. You CAN log in the router with:
debug crypto isakmp
debug crypto ipsec
term mon
That will show you the logs as you're trying to connect.
John
01-08-2009 08:47 AM
01-08-2009 09:15 AM
In your config on the router try putting:
crypto isakmp policy 1
hash md5
See if that helps. The connection is failing because it can't find the correct encryption policy that matches to what it's connecting to.
HTH,
John
01-08-2009 09:42 AM
Hi John,
Okay that seems to get further. The Norsonic account remains the same, tries logging in and times out. The Campbell account initiates a Username and Password request. When I had this on the ASA I had to assign the group policy for attributes of VPN-Group-Policy and Group-Lock value. Setting group lock value removes the password initiation. Where do I set the group and password as they are set in. The only thing I can see that may be pointing this request to somewhere is the lines:
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
in the Crypto Ipsec Profile.
Latest log attached.
01-08-2009 09:53 AM
I guess I'm lost. How are you trying to connect to this device: software or another router/asa?
In your software client, you'll change the group name and password for the group. (It's the Norsonic / qq-norsonic user and pass from "crypto isakmp client configuration group Norsonic key qq-norsonic".)
That sets the group that you want to be in. Then you should be asked for the username and pass, which your aaa authentication login sdm_vpn_xauth_ml_1 local is asking for. (It's set under your isakmp profile.) I would remove all authorization commands to see if you can even log in.
If you're doing this with hardware, I need to see what the logs are doing from the other end. You haven't given me logs from the software client yet, which is why I think we're working with a L2L tunnel. If that's the case, can you post the configuration for the other end that's connecting?
John
01-08-2009 10:21 AM
Hi John,
I think I may be confusing things.
This is a Client VPN Software attempting to connect to a hardware Cisco 857 ADSL Router.
Latest status: When I attempt a connection from the client software, configured with the Campbell_Associates group and Key, I get a pop-up asking for username and password. I can see from the Crypto Isakmp Profile that it refers to the aaa authentication login sdm_vpn_xauth_ml_2 local which I understand is the username and password I have entered in the main config. I enter this and the attached output of the logs is the result.
I have the client log and the router log attached.
Regards
Adrian
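To show how John's individual suggestions (the address pool, the md5 hash in the phase 1 policy, the xauth and group authorization lists under the ISAKMP profile) fit together, here is a complete Easy VPN server skeleton for an IOS router such as the 857. It is an added illustration, not Adrian's attached config or anything posted in the thread. The group names, group keys, aaa list names, pool range and max-users value are taken from the thread; the local username, the isakmp and ipsec profile names, the transform set, the Virtual-Template and the Vlan1 inside interface are assumed placeholders.

```cisco
! Added example, not the thread's config. Lines marked ASSUMED are placeholders.
aaa new-model
! xauth list: the per-user login the VPN Client prompts for (local user database)
aaa authentication login sdm_vpn_xauth_ml_1 local
! group authorization list: lets the router look up the client configuration groups below
aaa authorization network sdm_vpn_group_ml_1 local
! ASSUMED local account; this is the username/password the client asks for after the group key matches
username vpnuser secret CHANGE-ME
!
! Phase 1 policy; the legacy VPN Client's aggressive-mode proposal must match a policy exactly
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! Address pool handed to clients (the missing piece behind "No IP address pool defined for ISAKMP!")
ip local pool VPN 192.168.1.100 192.168.1.200
!
! One group per customer; "key" is the group pre-shared secret typed into the client, not a user password
crypto isakmp client configuration group Norsonic
 key qq-norsonic
 pool VPN
 max-users 3
crypto isakmp client configuration group Campbell_Associates
 key qq-campbell
 pool VPN
!
! ISAKMP profile (ASSUMED name) ties both groups to xauth and group authorization
crypto isakmp profile sdm_ike_profile_1
 match identity group Norsonic
 match identity group Campbell_Associates
 client authentication list sdm_vpn_xauth_ml_1
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address respond
 virtual-template 1
!
! Phase 2 transform set (ASSUMED) and the IPsec profile the thread refers to (ASSUMED name)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm_ike_profile_1
!
! ASSUMED: Vlan1 is the inside LAN interface of the 857
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
```

Check the result with show crypto isakmp sa and show crypto ipsec sa alongside the debug crypto isakmp / debug crypto ipsec output John listed. Two points worth keeping in mind when reading the logs in this thread: a phase 1 proposal that matches no policy shows up as the IKMP_MODE_FAILURE line, and a group that authenticates but has no pool shows up as the "No IP address pool defined" line. The group key is shared by everyone using that group, so the per-user xauth login is where the real authentication happens; keep those local accounts strong and stored with secret rather than password.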