11-13-2014 05:13 AM
Hi Guys,
Still struggling with the EZVPN setup.
This is the instantaneous setup at the moment.
LAN ---- inside-(192.168.44.1) ASA outside-(DHCP private IP) ---- (private IP)-ISP Router-(public IP)
The ISP blocks UDP/500 and UDP/4500, so there is no way to set up a site-to-site VPN via IPsec.
So we tried to set up the ASA5505 as an EZVPN client and configured it to use TCP over IPsec, but without success. I think the problem is the private IP on our outside interface. Has anyone faced the same problem?
Thanks Markus
11-13-2014 08:56 AM
You don't show your config, so it's not possible to see if something goes wrong there.
If the config is ok, use the capture command on the HQ-ASA to see if the EZVPN-packets reach the HQ.
11-17-2014 01:07 AM
Good day Karsten,
The next maintenance is scheduled for 2014/11/18. I'll post the necessary information after the maintenance.
Brgds,
Markus
11-19-2014 03:33 AM
Good all,
got the configuration...
LAN ---- inside-(192.168.44.1) ASA outside-(10.103.14.217) ---- (10.6.0.6)-ISP Router-(217.174.237.139)
I updated the IP address and attached the following log files:
1. tmasb_log_file --> the log file from the HQ
2. tmasb_ipsec --> the packet capture from the HQ
I found this msg in the log file:
715065|||||Group = TMASB_TEST2, IP = 217.174.237.139, IKE AM Responder FSM error history (struct &0xb40cbb00) <state>, <event>: AM_DONE, EV_ERROR-->AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CHECK_SPOOF-->AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->AM_SND_MSG2, EV_START_TMR
This assumes that the preshared key is wrong, but I double-checked this with my colleague and this could not be the issue.
I think the problem is before the ASA, on the ISP modem.
Maybe someone has an idea?
Thanks,
Markus
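
Added example, not part of the original posts: a small Python parser that splits the 715065 "FSM error history" line quoted above into its header fields and its state/event pairs, so the sequence can be read step by step. It assumes the pairs are listed newest first (the terminal state AM_DONE appears first in the line); the function names are hypothetical.

```python
import re

# Syslog 715065 line exactly as quoted in the post above.
LINE = ("715065|||||Group = TMASB_TEST2, IP = 217.174.237.139, IKE AM Responder FSM "
        "error history (struct &0xb40cbb00) <state>, <event>: AM_DONE, EV_ERROR-->"
        "AM_WAIT_MSG3, EV_PROB_AUTH_FAIL-->AM_WAIT_MSG3, EV_TIMEOUT-->"
        "AM_WAIT_MSG3, NullEvent-->AM_SND_MSG2, EV_CHECK_SPOOF-->"
        "AM_SND_MSG2, EV_CRYPTO_ACTIVE-->AM_SND_MSG2, EV_SND_MSG-->"
        "AM_SND_MSG2, EV_START_TMR")

HEADER = re.compile(
    r"^(?P<id>\d+)\|.*?Group = (?P<group>[^,]+), IP = (?P<ip>[\d.]+), "
    r"IKE (?P<fsm>.+?) FSM error history \(struct (?P<struct>&0x[0-9a-fA-F]+)\)\s*"
    r"<state>, <event>:\s*(?P<history>.+)$")

def parse_fsm_history(line):
    """Return header fields plus the (state, event) pairs, oldest first."""
    m = HEADER.match(line.strip())
    if m is None:
        raise ValueError("not an FSM error history line")
    pairs = []
    for item in m.group("history").split("-->"):
        state, _, event = (p.strip() for p in item.partition(","))
        if not state or not event:
            raise ValueError(f"malformed state/event pair: {item!r}")
        pairs.append((state, event))
    pairs.reverse()  # assumption: the log lists the newest pair first
    info = m.groupdict()
    info.pop("history")
    info["transitions"] = pairs
    return info

def events_by_state(transitions):
    """Collapse consecutive pairs that share a state into (state, [events])."""
    grouped = []
    for state, event in transitions:
        if grouped and grouped[-1][0] == state:
            grouped[-1][1].append(event)
        else:
            grouped.append((state, [event]))
    return grouped

if __name__ == "__main__":
    info = parse_fsm_history(LINE)
    print(info["group"], info["ip"], info["fsm"])
    for state, events in events_by_state(info["transitions"]):
        print(f"{state:14} {' -> '.join(events)}")
```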