06-03-2013 01:17 PM
Trying to get a Mac with OS X connected to a VPN on an ASA with the built-in Mac VPN client. The tunnel group (connection profile) is named MAC. Unfortunately I only have ASDM access to this box.
Here's the relevant config:
sh run cryp
crypto ipsec transform-set transformer esp-des esp-md5-hmac
crypto ipsec transform-set dessha esp-des esp-sha-hmac
crypto ipsec transform-set nmh esp-3des esp-md5-hmac
crypto ipsec transform-set chum esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map dynmap 99 set transform-set transformer
crypto map netopia 99 ipsec-isakmp dynamic dynmap
crypto map netopia 100 set security-association lifetime seconds 28800
crypto map netopia interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
crypto isakmp policy 4
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 5
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp policy 15
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 99
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
sh run tunn
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group MAC type remote-access
tunnel-group MAC general-attributes
address-pool pptp
default-group-policy MAC
tunnel-group MAC ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication none
tunnel-group MAC ppp-attributes
authentication ms-chap-v2
Here are the debug logs:
RECV PACKET from 184.x.x.19
ISAKMP Header
Initiator COOKIE: f9 a3 b6 57 5b 02 b8 a6
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Aggressive Mode
Flags: (none)
MessageID: 00000000
Length: 735
Payload Security Association
Next Payload: Key Exchange
Reserved: 00
Payload Length: 292
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 280
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 8
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Life Type: seconds
Life Duration (Hex): 0e 10
Encryption Algorithm: AES-CBC
Key Length: 256
Authentication Method: XAUTH_INIT_PRESHRD
Hash Algorithm: SHA1
Group Description: Group 2
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 2
Transform-Id: KEY_IKE
Reserved2: 0000
Life Type: seconds
Life Duration (Hex): 0e 10
Encryption Algorithm: AES-CBC
Key Length: 128
Authentication Method: XAUTH_INIT_PRESHRD
Hash Algorithm: SHA1
Group Description: Group 2
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 3
Transform-Id: KEY_IKE
Reserved2: 0000
Life Type: seconds
Life Duration (Hex): 0e 10
Encryption Algorithm: AES-CBC
Key Length: 256
Authentication Method: XAUTH_INIT_PRESHRD
Hash Algorithm: MD5
Group Description: Group 2
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 36
Transform #: 4
Transform-Id: KEY_IKE
Reserved2: 0000
Life Type: seconds
Life Duration (Hex): 0e 10
Encryption Algorithm: AES-CBC
Key Length: 128
Authentication Method: XAUTH_INIT_PRESHRD
Hash Algorithm: MD5
Group Description: Group 2
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 32
Transform #: 5
Transform-Id: KEY_IKE
Reserved2: 0000
Life Type: seconds
Life Duration (Hex): 0e 10
Encryption Algorithm: 3DES-CBC
Authentication Method: XAUTH_INIT_PRESHRD
Hash Algorithm: SHA1
Group Description: Group 2
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 32
Transform #: 6
Transform-Id: KEY_IKE
Reserved2: 0000
Life Type: seconds
Life Duration (Hex): 0e 10
Encryption Algorithm: 3DES-CBC
Authentication Method: XAUTH_INIT_PRESHRD
Hash Algorithm: MD5
Group Description: Group 2
Payload Transform
Next Payload: Transform
Reserved: 00
Payload Length: 32
Transform #: 7
Transform-Id: KEY_IKE
Reserved2: 0000
Life Type: seconds
Life Duration (Hex): 0e 10
Encryption Algorithm: DES-CBC
Authentication Method: XAUTH_INIT_PRESHRD
Hash Algorithm: SHA1
Group Description: Group 2
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 32
Transform #: 8
Transform-Id: KEY_IKE
Reserved2: 0000
Life Type: seconds
Life Duration (Hex): 0e 10
Encryption Algorithm: DES-CBC
Authentication Method: XAUTH_INIT_PRESHRD
Hash Algorithm: MD5
Group Description: Group 2
Payload Key Exchange
Next Payload: Nonce
Reserved: 00
Payload Length: 132
Data:
14 96 b9 14 61 a7 89 10 7d 55 3a d3 dd a1 16 03
d7 6c d7 bb ed 72 5c 7f 53 e4 22 0c d3 f2 a2 60
06 b3 9a 1e 53 af eb e7 4d 41 78 43 bd 89 3f f7
df 54 37 ee f4 8d 7c 95 57 51 a8 c4 79 18 4e e8
b9 08 fc aa e6 d6 91 12 71 cf 25 cc a2 b0 d6 26
c8 b8 d1 79 8a b3 0b ba 8e 66 c9 3e 36 f5 19 4e
06 4b 52 b0 30 b5 a1 01 a0 6d 81 c7 99 ea 8c 7a
5d 07 e0 ba 7d 46 4c 20 6b 3c ef 25 67 23 43 3e
Payload Nonce
Next Payload: Identification
Reserved: 00
Payload Length: 20
Data:
99 dd f2 d9 f9 6c d9 ea 9e b6 14 2a ee 66 8d f4
Payload Identification
Next Payload: Vendor ID
Reserved: 00
Payload Length: 19
ID Type: ID_KEY_ID (11)
Protocol ID (UDP/TCP, etc...): 0
Port: 0
ID Data: MAC
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 24
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
80 00 00 00
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
4d f3 79 28 e9 fc 4f d1 b3 26 21 70 d5 15 c6 62
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
8f 8d 83 82 6d 24 6b 6f c7 a8 a6 a4 28 c1 1d e8
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
43 9b 59 f8 ba 67 6c 4c 77 37 ae 22 ea b8 f5 82
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
4d 1e 0e 13 6d ea fa 34 c4 f3 ea 9f 02 ec 72 85
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
80 d0 bb 3d ef 54 56 5e e8 46 45 d4 c8 5c e3 ee
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
99 09 b6 4e ed 93 7c 65 73 de 52 ac e9 52 fa 6b
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 20
Data (In Hex):
af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
Jun 03 15:09:21 [IKEv1]: IP = 184.x.x.19, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 735
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing SA payload
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing ke payload
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing ISA_KE payload
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing nonce payload
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing ID payload
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, Received Fragmentation VID
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, Received NAT-Traversal RFC VID
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, Received NAT-Traversal ver 03 VID
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, Received NAT-Traversal ver 02 VID
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, processing VID payload
Jun 03 15:09:21 [IKEv1 DEBUG]: IP = 184.x.x.19, Received DPD VID
Jun 03 15:09:21 [IKEv1]: IP = 184.x.x.19, Connection landed on tunnel_group MAC
Jun 03 15:09:21 [IKEv1]: Group = MAC, IP = 184.x.x.19, No valid authentication type found for the tunnel group
Jun 03 15:09:21 [IKEv1 DEBUG]: Group = MAC, IP = 184.x.x.19, processing IKE SA payload
Jun 03 15:09:21 [IKEv1]: IP = 184.x.x.19, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 332
ISAKMP Header
Initiator COOKIE: f9 a3 b6 57 5b 02 b8 a6
Responder COOKIE: 97 f5 29 90 eb 85 10 ae
Next Payload: Notification
Version: 1.0
Exchange Type: Informational
Flags: (none)
MessageID: 00000000
Length: 332
Payload Notification
Next Payload: None
Reserved: 00
Payload Length: 304
DOI: IPsec
Protocol-ID: Reserved
Spi Size: 0
Notify Type: NO_PROPOSAL_CHOSEN
Data:
04 00 24 01 01 00 00 00 01 00 00 00 00 00 18 01
01 01 00 08 28 00 00 00 02 00 00 00 00 00 00 00
90 f5 eb ca 60 5c 60 09 18 0f 4f c8 71 c1 3d 08
90 f5 eb ca 80 da 28 c9 00 00 00 00 00 00 00 00
01 10 04 00 00 00 00 00 dd 88 04 cb f8 f8 eb ca
f8 f8 eb ca 09 00 00 00 58 0f 4f c8 57 07 0b 09
90 f5 eb ca 00 00 00 00 84 0f 4f c8 00 00 00 00
f9 a3 b6 57 5b 02 b8 a6 8b 00 00 00 26 00 00 00
a0 9e 26 09 00 00 00 00 68 0f 4f c8 8c cf 4e c8
90 cf 4e c8 00 00 00 00 88 0f 4f c8 5b 6b 3e 08
60 5c 60 09 f8 f8 eb ca 0c 00 00 00 90 f5 eb ca
00 00 00 00 84 0f 4f c8 40 70 fc ca bc d2 4e c8
c0 d2 4e c8 90 91 3a cb 88 11 4f c8 92 60 3f 08
60 5c 60 09 f8 f8 eb ca 0c 00 00 00 90 f5 eb ca
00 00 00 00 90 91 3a cb 78 56 34 12 78 56 34 12
78 56 34 12 78 56 34 12 78 56 34 12 78 56 34 12
78 56 34 12 78 56 34 12 78 56 34 00 00 00 00 00
00 00 00 00 ff ff ff ff 1a 00 00 00 00 00 00 00
58 26 de c9
Jun 03 15:09:21 [IKEv1 DEBUG]: Group = MAC, IP = 184.x.x.19, All SA proposals found unacceptable
Jun 03 15:09:21 [IKEv1]: IP = 184.x.x.19, All IKE SA proposals found unacceptable!
Jun 03 15:09:21 [IKEv1 DEBUG]: Group = MAC, IP = 184.x.x.19, IKE AM Responder FSM error history (struct &0xcaebf590) <state>, <event>: AM_DONE, EV_ERROR-->AM_BLD_MSG2, EV_PROCESS_SA-->AM_BLD_MSG2, EV_GROUP_LOOKUP-->AM_BLD_MSG2, EV_PROCESS_MSG-->AM_BLD_MSG2, EV_CREATE_TMR-->AM_START, EV_RCV_MSG-->AM_START, EV_START_AM-->AM_START, EV_START_AM
Jun 03 15:09:21 [IKEv1 DEBUG]: Group = MAC, IP = 184.x.x.19, IKE SA AM:9029f597 terminating: flags 0x01000001, refcnt 0, tuncnt 0
Jun 03 15:09:21 [IKEv1 DEBUG]: Group = MAC, IP = 184.x.x.19, sending delete/delete with reason message
Jun 03 15:09:21 [IKEv1]: Group = MAC, IP = 184.x.x.19, Removing peer from peer table failed, no match!
Jun 03 15:09:21 [IKEv1]: Group = MAC, IP = 184.x.x.19, Error: Unable to remove PeerTblEntry
ISAKMP Header
Initiator COOKIE: b1 8c 61 aa 2d 6b 4f 9b
Responder COOKIE: 1d ae c6 38 2b 57 db 89
Next Payload: Hash
Version: 1.0
Exchange Type: Quick Mode
Flags: (Encryption)
MessageID: 70D7F9EA
Length: 164
PS: Anyone know where to find the meaning of the FSM history codes? (EV_START_AM-->AM_START, EV_START_AM and so on...)
06-04-2013 12:00 PM
Just an update, since I have Windows clients connecting to this group and they have no issues. I captured packets on the outside interface and I see a huge difference between Windows client version 5.0.07.0290 and the IKE proposals from the Mac.
Specifically, none of my IKE policies match up for the MacBook because the authentication method is:
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : XAUTHInitPreShared
with a value of 65001
Whereas on the Windows clients it's:
Transform IKE Attribute Type (t=3,l=2) Authentication-Method : PSK
with a value of 1
The only config on the built-in Mac client is to set a shared secret, and it matches the pre-shared key set on the ASA. Also, I've tried several combinations of settings for IKE authentication to no avail:
tunnel-group MAC ipsec-attributes
radius-sdi-xauth
isakmp ikev1-user-authentication xauth
Or setting it to disabled (which is how it's set for the Windows clients and is working)...
That's where I'm stuck so any thoughts would be helpful.
06-04-2013 01:39 PM
RESOLVED!
Here's the key:
tunnel-group MAC ipsec-attributes
isakmp ikev1-user-authentication xauth
Then in the Mac client you need the username and password fields pre-filled in the configuration of the connection. It will not prompt you; it just fails unless it sends that info in the initial connection. For now a username in the local AAA database works, but I'll point it to the RADIUS server in the final config.
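As an added illustration (not part of the original thread, and not Cisco's code), the following Python script models what the debug output and the resolution above show: it parses IKEv1 Phase 1 transforms written in the format of the `debug crypto isakmp` dump and `crypto isakmp policy` entries written in the format of `show run crypto`, then checks whether any proposed transform is acceptable under a given `isakmp ikev1-user-authentication` setting, and explains a NO_PROPOSAL_CHOSEN result. The rule for the authentication-method attribute (value 1, PSK, accepted only with user-authentication `none`; value 65001, XAUTHInitPreShared, accepted only with `xauth`) is an assumption modelled on the two posts above rather than the ASA's real implementation; lifetime negotiation and certificate policies are not modelled, and the embedded excerpts are constructed to follow the thread's output format.

```python
"""Simplified model of IKEv1 Phase 1 proposal matching on an ASA responder.

Constructed example: the transform dump and policy text below follow the
format of the thread's own debug and config output. The authentication
rule is an assumption modelled on the thread, not Cisco's implementation.
"""
import re
from dataclasses import dataclass

# Constructed excerpt in the format of a "debug crypto isakmp" SA payload dump.
PEER_TRANSFORMS_TEXT = """\
Payload Transform
Transform #: 1
Encryption Algorithm: AES-CBC
Key Length: 256
Authentication Method: XAUTH_INIT_PRESHRD
Hash Algorithm: SHA1
Group Description: Group 2
Payload Transform
Transform #: 2
Encryption Algorithm: AES-CBC
Key Length: 128
Authentication Method: XAUTH_INIT_PRESHRD
Hash Algorithm: SHA1
Group Description: Group 2
Payload Transform
Transform #: 5
Encryption Algorithm: 3DES-CBC
Authentication Method: XAUTH_INIT_PRESHRD
Hash Algorithm: SHA1
Group Description: Group 2
"""

# Constructed excerpt in the format of "show run crypto" isakmp policies.
ASA_POLICY_TEXT = """\
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
crypto isakmp policy 65535
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
"""

# IKEv1 authentication-method attribute values: 1 = pre-shared key (RFC 2409),
# 65001 = XAUTHInitPreShared (XAUTH draft). Names are the ones the dump uses.
AUTH_VALUES = {"PRESHRD": 1, "XAUTH_INIT_PRESHRD": 65001}
# Assumed rule, modelled on the thread: "none" accepts plain PSK only, "xauth"
# accepts the XAUTH initiator pre-shared variant only.
AUTH_ACCEPTED_BY_USER_AUTH = {"none": {1}, "xauth": {65001}}
# Policy keywords -> (algorithm name as printed in the dump, key length).
ENC_MAP = {"des": ("DES-CBC", 0), "3des": ("3DES-CBC", 0), "aes": ("AES-CBC", 128),
           "aes-192": ("AES-CBC", 192), "aes-256": ("AES-CBC", 256)}
HASH_MAP = {"sha": "SHA1", "md5": "MD5"}


@dataclass(frozen=True)
class Transform:
    number: int
    enc: str
    key_len: int      # 0 when the algorithm carries no Key Length attribute
    auth: int         # numeric authentication-method attribute value
    hash_alg: str
    group: int


@dataclass(frozen=True)
class Policy:
    priority: int
    enc: str
    key_len: int
    hash_alg: str
    group: int
    auth: str         # "pre-share" or "rsa-sig"


def parse_transforms(text):
    """Parse the 'Payload Transform' blocks of an ISAKMP SA payload dump."""
    transforms = []
    for chunk in re.split(r"^Payload Transform$", text, flags=re.M)[1:]:
        def field(name):
            return re.search(rf"^{name}: (.+)$", chunk, flags=re.M)
        key_len = field("Key Length")
        transforms.append(Transform(
            number=int(field("Transform #").group(1)),
            enc=field("Encryption Algorithm").group(1).strip(),
            key_len=int(key_len.group(1)) if key_len else 0,
            auth=AUTH_VALUES[field("Authentication Method").group(1).strip()],
            hash_alg=field("Hash Algorithm").group(1).strip(),
            group=int(field("Group Description").group(1).split()[-1]),
        ))
    return transforms


def parse_policies(text):
    """Parse 'crypto isakmp policy N' stanzas, lowest priority number first."""
    parts = re.split(r"^crypto isakmp policy (\d+)$", text, flags=re.M)
    policies = []
    for prio, body in zip(parts[1::2], parts[2::2]):
        kv = dict(line.split(None, 1) for line in body.strip().splitlines())
        enc, key_len = ENC_MAP[kv["encryption"]]
        policies.append(Policy(int(prio), enc, key_len, HASH_MAP[kv["hash"]],
                               int(kv["group"]), kv["authentication"]))
    return sorted(policies, key=lambda p: p.priority)


def crypto_matches(policy, t):
    """Encryption, key length, hash and DH group must all agree (lifetime ignored)."""
    return (policy.enc, policy.key_len, policy.hash_alg, policy.group) == \
           (t.enc, t.key_len, t.hash_alg, t.group)


def accepted_auth_values(policy, user_auth):
    if policy.auth != "pre-share":
        return set()  # certificate-based policies are not modelled here
    return AUTH_ACCEPTED_BY_USER_AUTH[user_auth]


def match_proposal(policies, transforms, user_auth):
    """Return (policy priority, transform number) of the first match, else None."""
    for p in sorted(policies, key=lambda p: p.priority):
        for t in transforms:
            if crypto_matches(p, t) and t.auth in accepted_auth_values(p, user_auth):
                return (p.priority, t.number)
    return None


def diagnose(policies, transforms, user_auth):
    """Explain NO_PROPOSAL_CHOSEN: transforms whose algorithms fit a policy but
    whose authentication method is rejected under the tunnel-group setting."""
    reasons = []
    for t in transforms:
        for p in policies:
            if crypto_matches(p, t) and t.auth not in accepted_auth_values(p, user_auth):
                reasons.append(f"transform {t.number}: algorithms match policy "
                               f"{p.priority}, but auth method {t.auth} is not accepted "
                               f"with ikev1-user-authentication {user_auth}")
    return reasons


if __name__ == "__main__":
    pols, tfs = parse_policies(ASA_POLICY_TEXT), parse_transforms(PEER_TRANSFORMS_TEXT)
    for setting in ("none", "xauth"):
        print(setting, "->", match_proposal(pols, tfs, setting) or "NO_PROPOSAL_CHOSEN")
        for reason in diagnose(pols, tfs, setting):
            print("  ", reason)
```

With `none` the script reports NO_PROPOSAL_CHOSEN and lists transforms 2 and 5 as algorithm matches rejected on the authentication method, which is the situation the debug output above records; with `xauth` it picks policy 1 against transform 5 (3DES, SHA1, group 2), since the responder's lowest-numbered policy wins.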