06-08-2009 12:50 AM - edited 02-21-2020 04:15 PM
Hi all,
Trying to get CiscoVPN client (5.0.02.0090) on Vista Home Premium connect to ASA5505.
As the title says the SA proposals are found unacceptable.
And although I've been searching for solutions all over the place I've not found a working solution yet.
Could anyone help me please?
Thanx
Jaap
1. The config and debug are attached
2. Tested with both users > same result
3. Authentication MS-Chap V2 used > Vista
06-10-2009 07:21 AM
This most likely is due to transport mode being chosen as the ipsec transform set, go ahead and change it or remove it, unless you have l2tp over ipsec you don't need that setup.
06-10-2009 11:00 PM
Hi,
Thanks for your answer.
I think you are referring to the group-policy DefaultRAGroup?
The group-policy used for testing the Cisco VPN-client (with user Graham) is 'cisco_client_vpn' with one of the attributes being 'vpn-tunnel-protocol IPSec'.
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
group-policy cisco_client_vpn internal
group-policy cisco_client_vpn attributes
dns-server value 10.16.0.20
vpn-tunnel-protocol IPSec
default-domain value diode-networks.local
username graham password DLaUiAX3l78qgoB5c7iVNw== nt-encrypted privilege 0
username graham attributes
vpn-group-policy cisco_client_vpn
username jaap password cCiE5PO1AMnFfx.p encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool VPNtest
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
tunnel-group cisco_client_vpn type ipsec-ra
tunnel-group cisco_client_vpn general-attributes
address-pool VPNtest
default-group-policy cisco_client_vpn
tunnel-group cisco_client_vpn ipsec-attributes
pre-shared-key *
tunnel-group cisco_client_vpn ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
Could it be that my problem has to do with:
- the crypto (dynamic-)map. Numbers 20, 40?
- no routes defined by the VPN-client wizard?
- no reverse route injection configured?
And what IPSec transform sets are offered by the VPN-clients?
Thanx,
Jaap
06-11-2009 06:46 AM
Jaap, I actually meant the transform set take off the transport mode for testing, that is typically used for L2TP over IPSec Clients not IPSec.
Routes should not be required as it should use the ASA default gateway.
06-11-2009 06:00 AM
Hi Ivan,
It must have been too early for me this morning :).
Followed your advice and deleted:
- crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
Added:
- TRANS_ESP_3DES_SHA (as first option) to crypto dynamic-map outside_dyn_map 40 set transform-set vpnclient ESP-DES-MD5 ESP-3DES-MD5 ESP-3DES-SHA
and it works !!! :)
The L2TP is also still working.
It seems that my 5505 (and the other AS-models?) does/do not like two lines with 'crypto dynamic-map', i.c. 20 & 40.
Is this a flaw in the handling?
Anyway, thanks a lot for your help.
Greetz
Jaap
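The fix above boils down to ordering: the ASA walks the `crypto dynamic-map` entries in sequence order, and entry 20 offered only the transport-mode transform set meant for L2TP, so the IPsec remote-access client hit it first and got "proposal unacceptable". The script below is an added example, not code from the thread or from Cisco; it parses a constructed ASA crypto fragment modelled on the config posted here (the definition of the `vpnclient` transform set and the exact sets in entry 40 before the change are assumptions) and flags a dynamic-map entry that offers no tunnel-mode set while a later entry does, then shows the same check passing on the rearranged config.

```python
"""Audit the transform-set ordering of Cisco ASA 'crypto dynamic-map' entries.

Constructed example (not the poster's real config): before the fix, entry 20
offers only a transport-mode set, so an IPsec RA client that needs tunnel
mode is evaluated against it first. After the fix, entry 20 is gone and the
transport-mode set sits next to tunnel-mode sets in entry 40.
"""
import re

# Constructed sample. 'vpnclient' transform set definition is assumed.
CONFIG_BEFORE = """\
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set vpnclient esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 40 set transform-set vpnclient ESP-DES-MD5 ESP-3DES-MD5 ESP-3DES-SHA
"""

# Same definitions; entry 20 removed and its set prepended to entry 40.
CONFIG_AFTER = """\
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set vpnclient esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 40 set transform-set TRANS_ESP_3DES_SHA vpnclient ESP-DES-MD5 ESP-3DES-MD5 ESP-3DES-SHA
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
DM_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set transform-set (.+)$")


def parse(config):
    """Return (modes, entries): transform-set name -> 'tunnel'/'transport',
    and dynamic-map entries as (map name, sequence, [set names]) sorted by
    map name and sequence number, i.e. the order the ASA evaluates them."""
    modes = {}
    entries = []
    for raw in config.splitlines():
        line = raw.strip()
        m = TS_RE.match(line)
        if m:
            name, rest = m.groups()
            if rest.startswith("mode "):
                modes[name] = rest.split()[1]      # explicit 'mode transport'
            else:
                modes.setdefault(name, "tunnel")   # ASA default is tunnel mode
            continue
        m = DM_RE.match(line)
        if m:
            entries.append((m.group(1), int(m.group(2)), m.group(3).split()))
    entries.sort(key=lambda e: (e[0], e[1]))
    return modes, entries


def audit(config):
    """Return (report, warnings). report lists each entry with the mode of
    every set it offers; warnings name entries that offer no tunnel-mode set
    but precede an entry that does (the L2TP-before-IPsec-RA ordering)."""
    modes, entries = parse(config)
    by_map = {}
    for name, seq, sets in entries:
        by_map.setdefault(name, []).append((seq, sets))
    report, warnings = [], []
    for name, seq_entries in by_map.items():
        for i, (seq, sets) in enumerate(seq_entries):
            offered = {s: modes.get(s, "undefined") for s in sets}
            report.append((name, seq, offered))
            has_tunnel = "tunnel" in offered.values()
            later_tunnel = any(
                modes.get(s) == "tunnel"
                for _, later in seq_entries[i + 1:] for s in later)
            if not has_tunnel and later_tunnel:
                warnings.append(
                    f"{name} {seq}: offers only {sorted(sets)} (no tunnel-mode "
                    f"set) but precedes an entry that does; IPsec RA clients "
                    f"are matched against it first")
    return report, warnings


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        report, warnings = audit(cfg)
        print(f"== {label} ==")
        for name, seq, offered in report:
            print(f"  {name} {seq}: {offered}")
        for w in warnings:
            print("  WARNING:", w)
```

Run it against a `show running-config crypto` capture instead of the constructed strings to spot the same pattern; the check only looks at `crypto ipsec transform-set` and `crypto dynamic-map ... set transform-set` lines, so IKEv2 proposals and static crypto map entries are ignored.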
06-11-2009 07:28 AM
Great news!