Asa 5505 Ipsec/ipad configuration

Shane Riley
Level 1

Hey, got some issues when setting up IPsec VPN on the ASA 5505. I want to connect from the iPad with the built-in IPsec client.

I get these errors when I run debug crypto isakmp:

Jan 28 22:03:26 [IKEv1]: Group = VPN_ipad, Username = Haq, IP = x.x.x.x, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
Jan 28 22:03:26 [IKEv1]: Group = VPN_ipad, Username = Haq, IP = x.x.x.x, QM FSM error (P2 struct &0xd5d5f3d8, mess id 0x295bc3a)!
Jan 28 22:03:26 [IKEv1]: Group = VPN_ipad, Username = Haq, IP = x.x.x.x, Removing peer from correlator table failed, no match!

There are a bunch of site-to-site VPN and IPsec VPN profiles set up, and those work fine..?

Here is the running config (sh run crypto):

crypto ipsec transform-set DES esp-des esp-md5-hmac
crypto ipsec transform-set 3DES-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-TRANS mode transport
crypto ipsec transform-set AES esp-aes esp-sha-hmac
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto ipsec transform-set IPAD-IPSEC esp-3des esp-sha-hmac
crypto ipsec transform-set IPAD-IPSEC mode transport
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Plandent 10 set transform-set ESP-AES-128-SHA ESP-AES-256-SHA ESP-AES-128-MD5 ESP-AES-256-MD5 DES 3des 3DES-TRANS
crypto dynamic-map Plandent 10 set security-association lifetime seconds 84600
crypto dynamic-map Plandent 10 set security-association lifetime kilobytes 300000
crypto dynamic-map IPAD-MAP 5 set transform-set IPAD-IPSEC
crypto dynamic-map IPAD-MAP 5 set security-association lifetime seconds 28800
crypto dynamic-map IPAD-MAP 5 set security-association lifetime kilobytes 4608000
crypto map PD_VPN 10 match address ToGoteborg
crypto map PD_VPN 10 set peer PixGoteborg
crypto map PD_VPN 10 set transform-set DES
crypto map PD_VPN 10 set security-association lifetime seconds 84600
crypto map PD_VPN 10 set security-association lifetime kilobytes 4608000
crypto map PD_VPN 20 match address ToMalmo
crypto map PD_VPN 20 set peer PixMalmo
crypto map PD_VPN 20 set transform-set DES
crypto map PD_VPN 20 set security-association lifetime seconds 84600
crypto map PD_VPN 20 set security-association lifetime kilobytes 4608000
crypto map PD_VPN 30 match address ToPlanmeca
crypto map PD_VPN 30 set peer ASA_HKI ASA_HKI_BACKUP
crypto map PD_VPN 30 set transform-set AES
crypto map PD_VPN 30 set security-association lifetime seconds 86400
crypto map PD_VPN 30 set security-association lifetime kilobytes 4608000
crypto map PD_VPN 100 ipsec-isakmp dynamic Plandent
crypto map PD_VPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400

Anyone have any tips and tricks on what can be wrong here? It will really be appreciated.

Thanks

Shane


This is the relevant message:
Group = VPN_ipad, Username = Haq, IP = x.x.x.x, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

Look at the tunnel-group VPN_ipad and the associated group-policy. There you have to specify that IPsec should be allowed. The exact command depends on your ASA version.

On v9 it's
vpn-tunnel-protocol ikev1


Well, I created a new tunnel-group and a new group-policy; it still gives me this error, that the tunnel is rejected:

Conflicting protocols specified by tunnel-group and group-policy

But as you can see, IPsec is allowed?

tunnel-group PLANDENT_IPAD type remote-access
tunnel-group PLANDENT_IPAD general-attributes
 address-pool IPAD_VPN
 default-group-policy PLANDENT_IPAD_Policy
tunnel-group PLANDENT_IPAD ipsec-attributes
 pre-shared-key *
group-policy PLANDENT_IPAD_Policy internal
group-policy PLANDENT_IPAD_Policy attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_ipad_splitTunnelAcl

/Shane

PLANDENT_IPAD is the name of the group that you configured in your iPad?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Yes, that's correct.

/shane

Karsten, Shane,

Honestly, those CAN come from a misconfig in TG/GP, but I would check the entire debug of:

------
debug cry isakmp 127
debug aaa common 100
-------

The rationale being quite a few issues we saw some time back where users were pushing class or group-lock from AAA (which overrides the CLI).

M.

Well, I did the debug aaa common command; it seems that I was using a username that belonged to another VPN policy, so I created a new user and it worked fine.

So thank you a lot, Marcin, for pointing me in the right direction; I owe you one.

/Shane
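The root cause in this thread was a per-user attribute, not the tunnel-group or group-policy Shane had just built. The following is an added example, not code from the thread or from Cisco: it parses a small ASA-style config, resolves the effective group-policy the way it is modelled here (username attributes override the tunnel-group's default-group-policy), and flags the two things that produce "Conflicting protocols specified by tunnel-group and group-policy" for an IPsec/IKEv1 client: a policy that does not permit IPsec, and a group-lock pointing at another tunnel-group. The "username Haq attributes" block and the SSL_ONLY_Policy are constructed for the sample.

```python
import re

# Constructed sample modelled on the thread's config. The "username Haq attributes"
# block is hypothetical: it stands in for the user record that the AAA debug turned up.
CONFIG = """\
tunnel-group PLANDENT_IPAD type remote-access
tunnel-group PLANDENT_IPAD general-attributes
 default-group-policy PLANDENT_IPAD_Policy
group-policy PLANDENT_IPAD_Policy internal
group-policy PLANDENT_IPAD_Policy attributes
 vpn-tunnel-protocol IPSec
group-policy SSL_ONLY_Policy internal
group-policy SSL_ONLY_Policy attributes
 vpn-tunnel-protocol webvpn
username Haq attributes
 vpn-group-policy SSL_ONLY_Policy
 group-lock value OTHER_TG
"""

def parse_asa(config):
    """Return (group_policies, tunnel_groups, users), each mapping name -> {attr: value}."""
    gps, tgs, users = {}, {}, {}
    stores = {"group-policy": gps, "tunnel-group": tgs, "username": users}
    current = None
    for raw in config.splitlines():
        m = re.match(r"(group-policy|tunnel-group|username) (\S+) (general-)?attributes$", raw)
        if m:                                   # entering an attributes sub-mode
            current = stores[m.group(1)].setdefault(m.group(2), {})
        elif raw.startswith(" ") and current is not None:
            key, _, val = raw.strip().partition(" ")
            current[key] = val.replace("value ", "", 1)   # "group-lock value X" -> "X"
        else:                                   # any other top-level line ends the sub-mode
            current = None
    return gps, tgs, users

def check_user(gps, tgs, users, user, tunnel_group, client=("ipsec", "ikev1")):
    """Resolve the effective group-policy (user attribute first, then the tunnel-group
    default, as modelled here) and list what would make the ASA reject an IPsec client."""
    findings = []
    u = users.get(user, {})
    effective = u.get("vpn-group-policy") or tgs[tunnel_group]["default-group-policy"]
    allowed = {p.lower() for p in gps.get(effective, {}).get("vpn-tunnel-protocol", "").split()}
    if not allowed.intersection(client):
        findings.append(f"conflicting protocols: {effective} allows {sorted(allowed)}, client needs {client}")
    lock = u.get("group-lock")
    if lock and lock != tunnel_group:
        findings.append(f"group-lock: {user} is locked to {lock}, not {tunnel_group}")
    return findings
```

Running `check_user(*parse_asa(CONFIG), "Haq", "PLANDENT_IPAD")` reports both findings for the constructed user, while a user with no username attributes falls through to PLANDENT_IPAD_Policy and passes, matching the fix Shane landed on.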