
Cisco ASA 8.2(2) L2TP Windows client and OSX remote VPN

danielson79
Level 1

Having trouble getting Windows 7 and OSX to authenticate via VPN to the ASA.

Something is missing or not configured correctly.

In the ASA logs I get this error:

ipaa error freeing address

On the client side I get invalid username/password. I am trying to authenticate using our LDAP map to our Active Directory box. (It works with the other Cisco VPN just fine.)

-------------------------------------------------------------------------------------

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

wins-server none

dns-server value 10.10.0.99 10.10.0.100

vpn-tunnel-protocol IPSec l2tp-ipsec

ipsec-udp enable

default-domain none

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

tunnel-group DefaultRAGroup general-attributes

address-pool IPpool

default-group-policy DefaultRAGroup

strip-group

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key Ourprivatekey

tunnel-group DefaultRAGroup ppp-attributes

no authentication chap

authentication ms-chap-v2

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set samplevpn esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set Set_1 esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map samplevpn_map 1 set transform-set samplevpn

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA

crypto map workmap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map workmap interface outside

crypto map workmap interface backup

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 28800

4 Replies

Hi,

Please include:

"show run aaa-server"

Reasons:

The AAA server is not applied to the tunnel-group.

tunnel-group DefaultRAGroup general-attributes

     authentication-server-group YOUR_LDAP_SERVER

Test it out with this command and let me know.

Thanks.

Portu.

Please rate any post you find useful.
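
The check suggested in the reply above, as an added example (not code from the thread or from Cisco): a small Python audit that reads a saved `show running-config` and reports which AAA server group each tunnel-group authenticates against, falling back to the ASA default of LOCAL when no `authentication-server-group` line is present. The sample config is constructed from the lines quoted in this thread, and the function and variable names are illustrative.

```python
import re

# Constructed sample, modelled on the flattened config lines in this thread.
SAMPLE_BEFORE = """\
aaa-server ADLDAP protocol ldap
aaa-server ADLDAP (inside) host 10.10.0.91
tunnel-group DefaultRAGroup general-attributes
address-pool IPpool
default-group-policy DefaultRAGroup
strip-group
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "address-pool IPpool\n",
    "address-pool IPpool\nauthentication-server-group ADLDAP\n")

HEADER = re.compile(r"^tunnel-group\s+(\S+)\s+general-attributes$")
AAA_DEF = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(\S+)$")
TOP_LEVEL = ("tunnel-group ", "group-policy ", "crypto ", "aaa-server ")

def audit_tunnel_groups(config):
    """Map each tunnel-group to (auth server group, its protocol or None)."""
    defined, groups, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()  # works with or without the ASA's indentation
        if not line:
            continue
        m = AAA_DEF.match(line)
        if m:
            defined[m.group(1)] = m.group(2)
        h = HEADER.match(line)
        if h:
            current = h.group(1)
            groups.setdefault(current, "LOCAL")  # ASA default when unset
        elif line.startswith(TOP_LEVEL):
            current = None  # a different top-level section started
        elif current and line.startswith("authentication-server-group "):
            # Syntax allows an optional "(interface)" and a trailing LOCAL.
            names = [t for t in line.split()[1:] if not t.startswith("(")]
            groups[current] = names[0]
    # Protocol None means the group is referenced but never defined.
    return {g: (srv, "local" if srv == "LOCAL" else defined.get(srv))
            for g, srv in groups.items()}

if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_tunnel_groups(cfg))
```

A result of `("LOCAL", "local")` means VPN logins for that tunnel-group are checked against the ASA's local user database rather than the LDAP server.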

Thanks for the response Javier, but I'm still getting the same error.

FRWALL# show run aaa-server

aaa-server ADLDAP protocol ldap

max-failed-attempts 5

aaa-server ADLDAP (inside) host 10.10.0.91

ldap-base-dn dc=*******, dc=com

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn login@*********

server-type microsoft

aaa-server ADLDAP (inside) host 10.10.0.91

ldap-base-dn dc=n********, dc=com

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn asaldap@*******.com

server-type microsoft

FRWALL# show running-config tunnel-group DefaultRAGroup

tunnel-group DefaultRAGroup general-attributes

address-pool VPNpool

authentication-server-group ADLDAP

default-group-policy DefaultRAGroup

strip-group

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes

no authentication chap

authentication ms-chap-v2

Bump

Dear Danielson,

What error are you seeing?

Could you please include the following debugs?

debug crypto isakmp 190

debug crypto ipsec 190

debug aaa common 255

Run all these commands at the same time, try to establish a VPN connection and attach the outputs.

Thanks in advance.

Portu.