01-28-2013 01:16 PM - edited 02-21-2020 06:40 PM
Hey Got some issues when setting up IPSEC/VPN on the asa 5505. I want to connect from the ipad with the built in IPSec client..
Get these errors when i run the debug crypto isakmp
Jan 28 22:03:26 [IKEv1]: Group = VPN_ipad, Username = Haq, IP = x.x.x.x, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
Jan 28 22:03:26 [IKEv1]: Group = VPN_ipad, Username = Haq, IP = x.x.x.x, QM FSM error (P2 struct &0xd5d5f3d8, mess id 0x295bc3a)!
Jan 28 22:03:26 [IKEv1]: Group = VPN_ipad, Username = Haq, IP = x.x.x.x, Removing peer from correlator table failed, no match!
There is a bunch of vpn site-to-site and ipsec vpn profiles setup and those works fine..?
Here is the running config sh run crypto:
crypto ipsec transform-set DES esp-des esp-md5-hmac
crypto ipsec transform-set 3DES-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-TRANS mode transport
crypto ipsec transform-set AES esp-aes esp-sha-hmac
crypto ipsec transform-set 3des esp-3des esp-md5-hmac
crypto ipsec transform-set IPAD-IPSEC esp-3des esp-sha-hmac
crypto ipsec transform-set IPAD-IPSEC mode transport
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Plandent 10 set transform-set ESP-AES-128-SHA ESP-AES-256-SHA ESP-AES-128-MD5 ESP-AES-256-MD5 DES 3des 3DES-TRANS
crypto dynamic-map Plandent 10 set security-association lifetime seconds 84600
crypto dynamic-map Plandent 10 set security-association lifetime kilobytes 300000
crypto dynamic-map IPAD-MAP 5 set transform-set IPAD-IPSEC
crypto dynamic-map IPAD-MAP 5 set security-association lifetime seconds 28800
crypto dynamic-map IPAD-MAP 5 set security-association lifetime kilobytes 4608000
crypto map PD_VPN 10 match address ToGoteborg
crypto map PD_VPN 10 set peer PixGoteborg
crypto map PD_VPN 10 set transform-set DES
crypto map PD_VPN 10 set security-association lifetime seconds 84600
crypto map PD_VPN 10 set security-association lifetime kilobytes 4608000
crypto map PD_VPN 20 match address ToMalmo
crypto map PD_VPN 20 set peer PixMalmo
crypto map PD_VPN 20 set transform-set DES
crypto map PD_VPN 20 set security-association lifetime seconds 84600
crypto map PD_VPN 20 set security-association lifetime kilobytes 4608000
crypto map PD_VPN 30 match address ToPlanmeca
crypto map PD_VPN 30 set peer ASA_HKI ASA_HKI_BACKUP
crypto map PD_VPN 30 set transform-set AES
crypto map PD_VPN 30 set security-association lifetime seconds 86400
crypto map PD_VPN 30 set security-association lifetime kilobytes 4608000
crypto map PD_VPN 100 ipsec-isakmp dynamic Plandent
crypto map PD_VPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
Anyone have any tips and tricks on what can be wrong here, will really be appreciated
Thanks
Shane
Solved! Go to Solution.
01-29-2013 02:18 AM
Karsten, Shane,
Honestly thos CAN come from miconfig in TG/GP, but I would check the entire debug of:
------
debug cry isakmp 127
debug aaa common 100
-------
The rationale being quite a few issues we saw some time back where users were pushing class or group-lock from AAA (which is overriding CLI).
M.
01-28-2013 10:50 PM
This is the relevant message:
Group = VPN_ipad, Username = Haq, IP = x.x.x.x, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
Look at the Tunnel-group VPN_ipad and the associated group-policy. There you have to specify that ipsec should be allowed. The exact command depends on your ASA-version.
On v9 it's
vpn-tunnel-protocol ikev1
Sent from Cisco Technical Support iPad App
01-29-2013 02:06 AM
Well i created a new tunnel-group and a new group policy its still give me this error? that the tunnel is rejected:
Conflicting protocols specified by tunnel-group and group-policy
But as you can see the ipsec is allowed?
tunnel-group PLANDENT_IPAD type remote-access
tunnel-group PLANDENT_IPAD general-attributes
address-pool IPAD_VPN
default-group-policy PLANDENT_IPAD_Policy
tunnel-group PLANDENT_IPAD ipsec-attributes
pre-shared-key *
group-policy PLANDENT_IPAD_Policy internal
group-policy PLANDENT_IPAD_Policy attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_ipad_splitTunnelAcl
/Shane
01-29-2013 02:13 AM
PLANDENT_IPAD is the name of the group that you configured in your iPad?
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
01-29-2013 02:16 AM
Yes thats correct
/shane
01-29-2013 02:18 AM
Karsten, Shane,
Honestly thos CAN come from miconfig in TG/GP, but I would check the entire debug of:
------
debug cry isakmp 127
debug aaa common 100
-------
The rationale being quite a few issues we saw some time back where users were pushing class or group-lock from AAA (which is overriding CLI).
M.
01-29-2013 02:33 AM
Well i did the debug aaa common command, it seem that i was using a username that belonged to another VPN policy, so i created a new user and it worked fine
So thank you alot Marcin for pointing me in the right direction i owe you one..
/Shane
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide