11-17-2010 05:29 AM
On a Cisco ASA 5505, I have this ISAKMP policy:
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600
If I change the DH group from 2 to 5, I cannot connect to the RA VPN using the Cisco VPN Client.
Why?
11-17-2010 06:04 AM
Hi,
The VPN client should be able to connect if using DH group 5 (as well as group 2).
Can you post the output of 'debug cry isa sa 127' when attempting the connection with group 5, so we can check the error that indicates why the connection fails?
Federico.
11-17-2010 06:17 AM
asa(config-isakmp-policy)# debug crypto isakmp 127
asa(config-isakmp-policy)# Nov 17 15:11:10 [IKEv1]: IP = 212.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 849
Nov 17 15:11:10 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing SA payload
Nov 17 15:11:10 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing ke payload
Nov 17 15:11:10 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing ISA_KE payload
Nov 17 15:11:10 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing nonce payload
Nov 17 15:11:10 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing ID payload
Nov 17 15:11:10 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing VID payload
Nov 17 15:11:10 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, Received xauth V6 VID
Nov 17 15:11:10 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing VID payload
Nov 17 15:11:10 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, Received DPD VID
Nov 17 15:11:10 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing VID payload
Nov 17 15:11:10 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, Received Fragmentation VID
Nov 17 15:11:10 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Nov 17 15:11:10 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing VID payload
Nov 17 15:11:10 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, Received NAT-Traversal ver 02 VID
Nov 17 15:11:10 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing VID payload
Nov 17 15:11:10 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, Received Cisco Unity client VID
Nov 17 15:11:10 [IKEv1]: IP = 212.xxx.xxx.xxx, Connection landed on tunnel_group RA
Nov 17 15:11:10 [IKEv1 DEBUG]: Group = RA, IP = 212.xxx.xxx.xxx, processing IKE SA payload
Nov 17 15:11:10 [IKEv1]: IP = 212.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596
Nov 17 15:11:10 [IKEv1 DEBUG]: Group = RA, IP = 212.xxx.xxx.xxx, All SA proposals found unacceptable
Nov 17 15:11:10 [IKEv1]: IP = 212.xxx.xxx.xxx, All IKE SA proposals found unacceptable!
Nov 17 15:11:10 [IKEv1 DEBUG]: Group = RA, IP = 212.xxx.xxx.xxx, IKE AM Responder FSM error history (struct &0xd551f9c8)
Nov 17 15:11:10 [IKEv1 DEBUG]: Group = RA, IP = 212.xxx.xxx.xxx, IKE SA AM:23577cf0 terminating: flags 0x0100c001, refcnt 0, tuncnt 0
Nov 17 15:11:10 [IKEv1 DEBUG]: Group = RA, IP = 212.xxx.xxx.xxx, sending delete/delete with reason message
Nov 17 15:11:10 [IKEv1]: Group = RA, IP = 212.xxx.xxx.xxx, Removing peer from peer table failed, no match!
Nov 17 15:11:10 [IKEv1]: Group = RA, IP = 212.xxx.xxx.xxx, Error: Unable to remove PeerTblEntry
Nov 17 15:11:15 [IKEv1]: IP = 212.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 849
Nov 17 15:11:15 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing SA payload
Nov 17 15:11:15 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing ke payload
Nov 17 15:11:15 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing ISA_KE payload
Nov 17 15:11:15 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing nonce payload
Nov 17 15:11:15 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing ID payload
Nov 17 15:11:15 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing VID payload
Nov 17 15:11:15 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, Received xauth V6 VID
Nov 17 15:11:15 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing VID payload
Nov 17 15:11:15 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, Received DPD VID
Nov 17 15:11:15 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing VID payload
Nov 17 15:11:15 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, Received Fragmentation VID
Nov 17 15:11:15 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Nov 17 15:11:15 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing VID payload
Nov 17 15:11:15 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, Received NAT-Traversal ver 02 VID
Nov 17 15:11:15 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing VID payload
Nov 17 15:11:15 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, Received Cisco Unity client VID
Nov 17 15:11:15 [IKEv1]: IP = 212.xxx.xxx.xxx, Connection landed on tunnel_group RA
Nov 17 15:11:15 [IKEv1 DEBUG]: Group = RA, IP = 212.xxx.xxx.xxx, processing IKE SA payload
Nov 17 15:11:15 [IKEv1]: IP = 212.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596
Nov 17 15:11:15 [IKEv1 DEBUG]: Group = RA, IP = 212.xxx.xxx.xxx, All SA proposals found unacceptable
Nov 17 15:11:15 [IKEv1]: IP = 212.xxx.xxx.xxx, All IKE SA proposals found unacceptable!
Nov 17 15:11:15 [IKEv1 DEBUG]: Group = RA, IP = 212.xxx.xxx.xxx, IKE AM Responder FSM error history (struct &0xd551f9c8)
Nov 17 15:11:15 [IKEv1 DEBUG]: Group = RA, IP = 212.xxx.xxx.xxx, IKE SA AM:e4ed2818 terminating: flags 0x0100c001, refcnt 0, tuncnt 0
Nov 17 15:11:15 [IKEv1 DEBUG]: Group = RA, IP = 212.xxx.xxx.xxx, sending delete/delete with reason message
Nov 17 15:11:15 [IKEv1]: Group = RA, IP = 212.xxx.xxx.xxx, Removing peer from peer table failed, no match!
Nov 17 15:11:15 [IKEv1]: Group = RA, IP = 212.xxx.xxx.xxx, Error: Unable to remove PeerTblEntry
Nov 17 15:11:20 [IKEv1]: IP = 212.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 849
Nov 17 15:11:20 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing SA payload
Nov 17 15:11:20 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing ke payload
Nov 17 15:11:20 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing ISA_KE payload
Nov 17 15:11:20 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing nonce payload
Nov 17 15:11:20 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing ID payload
Nov 17 15:11:20 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing VID payload
Nov 17 15:11:20 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, Received xauth V6 VID
Nov 17 15:11:20 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing VID payload
Nov 17 15:11:20 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, Received DPD VID
Nov 17 15:11:20 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing VID payload
Nov 17 15:11:20 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, Received Fragmentation VID
Nov 17 15:11:20 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Nov 17 15:11:20 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing VID payload
Nov 17 15:11:20 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, Received NAT-Traversal ver 02 VID
Nov 17 15:11:20 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing VID payload
Nov 17 15:11:20 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, Received Cisco Unity client VID
Nov 17 15:11:20 [IKEv1]: IP = 212.xxx.xxx.xxx, Connection landed on tunnel_group RA
Nov 17 15:11:20 [IKEv1 DEBUG]: Group = RA, IP = 212.xxx.xxx.xxx, processing IKE SA payload
Nov 17 15:11:20 [IKEv1]: IP = 212.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596
Nov 17 15:11:20 [IKEv1 DEBUG]: Group = RA, IP = 212.xxx.xxx.xxx, All SA proposals found unacceptable
Nov 17 15:11:20 [IKEv1]: IP = 212.xxx.xxx.xxx, All IKE SA proposals found unacceptable!
Nov 17 15:11:20 [IKEv1 DEBUG]: Group = RA, IP = 212.xxx.xxx.xxx, IKE AM Responder FSM error history (struct &0xd551f9c8)
Nov 17 15:11:20 [IKEv1 DEBUG]: Group = RA, IP = 212.xxx.xxx.xxx, IKE SA AM:12f608bf terminating: flags 0x0100c001, refcnt 0, tuncnt 0
Nov 17 15:11:20 [IKEv1 DEBUG]: Group = RA, IP = 212.xxx.xxx.xxx, sending delete/delete with reason message
Nov 17 15:11:20 [IKEv1]: Group = RA, IP = 212.xxx.xxx.xxx, Removing peer from peer table failed, no match!
Nov 17 15:11:20 [IKEv1]: Group = RA, IP = 212.xxx.xxx.xxx, Error: Unable to remove PeerTblEntry
Nov 17 15:11:25 [IKEv1]: IP = 212.xxx.xxx.xxx, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 849
Nov 17 15:11:25 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing SA payload
Nov 17 15:11:25 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing ke payload
Nov 17 15:11:25 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing ISA_KE payload
Nov 17 15:11:25 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing nonce payload
Nov 17 15:11:25 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing ID payload
Nov 17 15:11:25 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing VID payload
Nov 17 15:11:25 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, Received xauth V6 VID
Nov 17 15:11:25 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing VID payload
Nov 17 15:11:25 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, Received DPD VID
Nov 17 15:11:25 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing VID payload
Nov 17 15:11:25 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, Received Fragmentation VID
Nov 17 15:11:25 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Nov 17 15:11:25 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing VID payload
Nov 17 15:11:25 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, Received NAT-Traversal ver 02 VID
Nov 17 15:11:25 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, processing VID payload
Nov 17 15:11:25 [IKEv1 DEBUG]: IP = 212.xxx.xxx.xxx, Received Cisco Unity client VID
Nov 17 15:11:25 [IKEv1]: IP = 212.xxx.xxx.xxx, Connection landed on tunnel_group RA
Nov 17 15:11:25 [IKEv1 DEBUG]: Group = RA, IP = 212.xxx.xxx.xxx, processing IKE SA payload
Nov 17 15:11:25 [IKEv1]: IP = 212.xxx.xxx.xxx, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 596
Nov 17 15:11:25 [IKEv1 DEBUG]: Group = RA, IP = 212.xxx.xxx.xxx, All SA proposals found unacceptable
Nov 17 15:11:25 [IKEv1]: IP = 212.xxx.xxx.xxx, All IKE SA proposals found unacceptable!
Nov 17 15:11:25 [IKEv1 DEBUG]: Group = RA, IP = 212.xxx.xxx.xxx, IKE AM Responder FSM error history (struct &0xd551f9c8)
Nov 17 15:11:25 [IKEv1 DEBUG]: Group = RA, IP = 212.xxx.xxx.xxx, IKE SA AM:7bf43093 terminating: flags 0x0100c001, refcnt 0, tuncnt 0
Nov 17 15:11:25 [IKEv1 DEBUG]: Group = RA, IP = 212.xxx.xxx.xxx, sending delete/delete with reason message
Nov 17 15:11:25 [IKEv1]: Group = RA, IP = 212.xxx.xxx.xxx, Removing peer from peer table failed, no match!
Nov 17 15:11:25 [IKEv1]: Group = RA, IP = 212.xxx.xxx.xxx, Error: Unable to remove PeerTblEntry
11-17-2010 06:20 AM
What is the version of the VPN client that you're using?
Federico.
11-17-2010 06:25 AM
On the computer I'm testing on now, Cisco VPN Client 5.0.06.0160.
On the second one I have the latest, 5.0.07.0290.
11-17-2010 06:36 AM
Hmmmm...
This has to be a known issue I'm not aware of... the same thing is happening to me.
I'm using ASA 8.3(1) and client 5.0.07.0290.
As far as I'm concerned, the VPN client should work with either version of DH (2 or 5).
I'm trying some things and will let you know shortly.
Federico.
11-17-2010 07:07 AM
Finally found it...
DH group 5 works only in conjunction with RSA authentication (certificates).
If using pre-shared keys it won't work (you need to use DH group 2).
Here's the link: (requires CCO)
Federico.
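To make the failure in this thread concrete, here is an added Python model (not Cisco code) of how an IKEv1 responder picks a Phase 1 policy. The client's transform list is constructed from Federico's finding that the pre-shared-key VPN Client only offers DH group 2, and the last case, a certificate policy on group 5 next to a lower-priority pre-share policy on group 2, is a standard multi-policy layout that the thread itself does not show.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Transform:
    """One Phase 1 transform: the four attributes that must match, plus lifetime."""
    authentication: str  # "pre-share" or "rsa-sig"
    encryption: str      # "aes-256", "aes", "3des", ...
    hash: str            # "sha" or "md5"
    group: int           # Diffie-Hellman group 1, 2 or 5
    lifetime: int        # seconds

@dataclass(frozen=True)
class IsakmpPolicy(Transform):
    priority: int = 10   # 'crypto isakmp policy <n>': lower numbers are tried first

def match_phase1(policies, proposals) -> Optional[tuple]:
    # Responder-side selection: walk configured policies in priority order and take
    # the first whose auth/enc/hash/group equal any transform the initiator offered.
    # Lifetime is not a match criterion; the shorter value is used. None reproduces
    # the 'All IKE SA proposals found unacceptable!' outcome from the debug above.
    for pol in sorted(policies, key=lambda p: p.priority):
        for prop in proposals:
            if (pol.authentication, pol.encryption, pol.hash, pol.group) == (
                    prop.authentication, prop.encryption, prop.hash, prop.group):
                return pol, prop, min(pol.lifetime, prop.lifetime)
    return None

# Constructed stand-in for the transform set a pre-shared-key Cisco VPN Client
# offers: every transform carries DH group 2, which is the thread's finding.
CLIENT_PSK_PROPOSALS = [
    Transform("pre-share", "aes-256", "sha", 2, 86400),
    Transform("pre-share", "aes-256", "md5", 2, 86400),
    Transform("pre-share", "3des", "sha", 2, 86400),
]

GROUP2_POLICY = IsakmpPolicy("pre-share", "aes-256", "sha", 2, 3600)   # the working policy
GROUP5_POLICY = IsakmpPolicy("pre-share", "aes-256", "sha", 5, 3600)   # the change that broke it

def negotiated_group(policies) -> Optional[int]:
    """DH group the constructed client ends up with, or None when Phase 1 fails."""
    result = match_phase1(policies, CLIENT_PSK_PROPOSALS)
    return None if result is None else result[0].group

if __name__ == "__main__":
    print("policy 10 group 2      ->", negotiated_group([GROUP2_POLICY]))  # 2
    print("policy 10 group 5      ->", negotiated_group([GROUP5_POLICY]))  # None
    # Assumed layout: certificate peers on group 5, pre-shared clients fall through
    # to a lower-priority group 2 policy, so both kinds of peer can connect.
    cert = IsakmpPolicy("rsa-sig", "aes-256", "sha", 5, 3600, priority=10)
    psk = IsakmpPolicy("pre-share", "aes-256", "sha", 2, 3600, priority=20)
    print("policies 10 (rsa) + 20 ->", negotiated_group([cert, psk]))      # 2
```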
11-17-2010 10:38 AM
Great, thanks!
Is it this table?
There is one strange thing: the Cisco ASDM (6.0.3) IPsec VPN Wizard offers, or rather suggests, using DH Group 5 in IKE when AES is used, even if a pre-shared key is used!
Cisco ASA 8.2 Command Reference says:
Note: The Cisco VPN Client Version 3.x or higher requires isakmp policy to use DH group 2. (If you configure DH group 1, the Cisco VPN Client cannot connect.)
AES support is available on security appliances licensed for VPN-3DES only. Due to the large key sizes provided by AES, ISAKMP negotiation should use Diffie-Hellman (DH) group 5 instead of group 1 or group 2. To configure group 5, use the crypto isakmp policy priority group 5 command.
Anyhow, thanks for the explanation!