ASA 5505 Remote Access VPN problems

larlid001 · ‎04-13-2016

Hi!

I've been having trouble connecting to my ASA.

I tried: debug crypto isakmp 254

and received a lot of info, but I'm not sure what is wrong.

Any ideas?

Please se textfile

Philip D'Ath · ‎04-13-2016

It looks like you don't have crypto settings configured on the ASA that are compatible with the IPSec client.

Can you post your config?

larlid001 · ‎04-14-2016

Here is my config.

Please see attachment:

Aditya Ganjoo · ‎04-14-2016

Hi,

I see that you are using only 1 IKE policy:

crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 43200

Try adding these and test:

crypto isakmp policy 2
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 43200

crypto isakmp policy 3
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200

Regards,

Aditya

Please rate helpful posts and mark correct answers.

larlid001 · ‎04-14-2016

i tried to add the other two policies. No luck I'm afraid.

Philip D'Ath · ‎04-14-2016

Please please please, don't anyone deploy DES or 3DES in new deployments.

I think the Cisco IPSec VPN client only supports up to AES128, and not AES256.

Remove your ISAKMP policies, and put in just this one:

crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2

And replace your transform set with:

crypto ipsec transform-set FirstSet esp-aes esp-sha-hma

larlid001 · ‎04-15-2016

I tried with aes and sha, as above, and the errors changed (I've also attached full debug)

Am I one step closer?

Apr 15 08:55:51 [IKEv1]: Group = testgroup, IP = 109.58.144.100, Duplicate Phase 1 packet detected. Retransmitting last packet.

Apr 15 08:55:51 [IKEv1]: Group = testgroup, IP = 109.58.144.100, P1 Retransmit msg dispatched to AM FSM

ISAKMP Header

Initiator COOKIE: 08 22 a8 3a 90 61 e6 2c

Responder COOKIE: 50 38 85 84 d3 a6 9e f1

Next Payload: Security Association

Version: 1.0

Exchange Type: Aggressive Mode

Flags: (none)

MessageID: 00000000

Length: 372

Payload Security Association

Next Payload: Key Exchange

Reserved: 00

Thanks, Lars.

Philip D'Ath · ‎04-17-2016

Can you post an updated config again please.

What software version are you running on your 5505?

larlid001 · ‎04-18-2016

I just made my first connection five minutes ago.

My disk0: contains two asa versions (803, 923), I've tried both, please see config.

The show version tells this:

Cisco Adaptive Security Appliance Software Version 7.2(3)

Device Manager Version 6.0(3)

Compiled on Wed 15-Aug-07 16:08 by builders

System image file is "disk0:/asa923-k8.bin"

Config file at boot was "startup-config"

ciscoasa up 28 mins 27 secs

Hardware: ASA5505, 256 MB RAM, CPU Geode 500 MHz

Internal ATA Compact Flash, 128MB

BIOS Flash M50FW080 @ 0xffe00000, 1024KB

The connection is up, but no traffic seems to go through, but I'm one step further... Shouldn't be to hard to solve?

I made one change that might have solved the problem. I've setup the asa behind a cisco router, and made some forwarding statements for port 500 and 4500 to the asa. The cisco router is using nat, and I've setup the asa on an available new routing interface, and I've tried to set this interface both to nat inside and not nat inside, but I forgot to add the new network 192.168.20.0 to the nat source list...

Maybe ASA received traffic, tried to respond, but the response never reached the client?

Thanks, Lars.

Philip D'Ath · ‎04-18-2016

You should not make the pool part of the local LAN, so change:

ip local pool testpool 192.168.0.220-192.168.0.225

to:

ip local pool testpool 192.168.1.220-192.168.1.225

You need to add a NAT exemption rule for the VPN traffic. Something like:

nat (inside) 0 access-list nonat
access-list nonat extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0

After this you should be able to ping 192.168.0.x hosts.

larlid001 · ‎04-18-2016

I've tried it. The vpn client gets a 192.168.1.? address but still I can't reach any address (inside or outside).

Is there some kind of "deny all traffic" default configuration?

Do I need an access-list to permit traffic?

I can successfully ping any address from within ASA.

There are no increase of packets on the ASA outside interface after the VPN-connection is up.

Thanks, Lars.

Philip D'Ath · ‎04-18-2016

Do the inside hosts have a default route pointing to the ASA's inside interface?

Aditya Ganjoo · ‎04-15-2016

Hi,

It seems we are getting a duplicate packet from the client.

Captures would make it clear what happens to the packet.

Could you try using the client from another location and then test ?

What is the ASA version you are using ?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Aditya Ganjoo · ‎04-13-2016

Hi,

As per the debugs:

Apr 13 18:33:08 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 109.58.145.246, All SA proposals found unacceptable
Apr 13 18:33:08 [IKEv1]: IP = 109.58.145.246, All IKE SA proposals found unacceptable!

Please check the phase 1 settings (isakmp policies).

Regards,

Aditya

Please rate helpful posts.

larlid001 · ‎04-14-2016

Hi!

I've tried several different settings like md5 with 3des, but with the same result.

I've posted my config in this discussion.

Thanks, Lars.