cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4430
Views
0
Helpful
12
Replies

IKEV2 VPN Erro"Login Denied , unauthorized connection mechanism , contact your administrator"

Hamid Amir
Level 1
Level 1

 Dear All,
I´m trying to configure an IKEV2 VPN anyconnect on my ASA 5505 and when I try to connect in the anyconnect client, I receive the msg: "Login Denied , unauthorized connection mechanism , contact your administrator".
 
Can you help please
 
Kind Regards

12 Replies 12

At first glance it doesnt look like you have only assigned the ASDM_Launcher_Access_TrustPoint_0 to the inside interface while you have enabled IKEv2 only on the outside interface.  Try assigning the trustpoint to the outside interface and test.  Or if you are testing on the inside interface, enable ikev2 on the inside interface.

ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside

 

crypto ikev2 enable outside client-services port 443

--
Please remember to select a correct answer and rate helpful posts

Hi marius,

Thanks for your reply.

I have tried your config, but still does not work.

best Regards

Hamid

 

 

Hi all

 

Just I found, I can establish connection using my iPhone, but I can not connect to internet.

Still no connection in windows 10 using anyconnect.

 

can you help ?

Without seeing your configuration it is difficult to tell what the issue is.  Most likely you either do not have a nat statment for outside to outside ex. nat (outside,outside)... and maybe missing same-security-traffic permit intra-interface command.

--
Please remember to select a correct answer and rate helpful posts

Hi

Please see the attachments file and below.

ftp mode passive

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network NETWORK_OBJ_192.168.100.0_28

subnet 192.168.100.0 255.255.255.240

object network obi-inside

subnet 192.168.1.0 255.255.255.0

object network obj-AnyconnectPool

subnet 192.168.100.0 255.255.255.0

object network obj-inside

subnet 192.168.1.0 255.255.255.0

object network NETWORK_OBJ_192.168.10.0_24

subnet 192.168.10.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.100.0_28 NETWORK_OBJ_192.168.100.0_28 no-proxy-arp route-lookup

!

object network obj_any

nat (inside,outside) dynamic interface

object network obj-AnyconnectPool

nat (outside,outside) dynamic interface

object network obj-inside

nat (inside,outside) dynamic interface

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0

enrollment self

fqdn none

subject-name CN=192.168.1.1,CN=ciscoasa

keypair ASDM_LAUNCHER

crl configure

crypto ca trustpool policy

crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0

certificate 86a7b55d

308201c9 30820132 a0030201 02020486 a7b55d30 0d06092a 864886f7 0d010105

05003029 3111300f 06035504 03130863 6973636f 61736131 14301206 03550403

130b3139 322e3136 382e312e 31301e17 0d313931 30323731 34323731 325a170d

32393130 32343134 32373132 5a302931 11300f06 03550403 13086369 73636f61

73613114 30120603 55040313 0b313932 2e313638 2e312e31 30819f30 0d06092a

864886f7 0d010101 05000381 8d003081 89028181 00addaf3 40bc330e d092fc56

a567244f 54e3da66 f76b000e d2d2f83b d16560dc cb502059 3a7dba5d 6fa0a9bb

29031474 34cb1530 de34f217 b79d8266 8e85e5d8 2b742852 18456764 d7c0d0e2

6b7ab10a 279e6718 db3fbdce 263fd703 d3bd95bb 46021ab5 4057f9cf f51fa2aa

7a6b7297 1c6232b9 11db1ed4 3f42b6a6 410ee3e6 83020301 0001300d 06092a86

4886f70d 01010505 00038181 002148a3 7857c07e 6aaf8b72 4848ace9 8db83e38

67e4c3fa 50aa3900 55620070 5a24a4fa 7e56ba2c 47183e5c 69946cec 2b15ac2b

141d355e 5afb0146 6d365a7e 6922a7fd df54bc19 cb1062b6 511eca18 72c60cda

0a7907be b57c32bf c22fe17e 3097b92d a6f25f41 d17b7bef 7c7288ab 5abe2ad7

dc5f3c3f 58bcfc2a 60b9b158 0f

quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside client-services port 443

crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0

telnet timeout 5

no ssh stricthostkeycheck

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

 

dhcpd auto_config outside

!

dhcpd address 192.168.1.5-192.168.1.254 inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip

ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside

webvpn

enable outside

anyconnect-essentials

anyconnect image disk0:/anyconnect-win-4.7.04056-webdeploy-k9.pkg 1

anyconnect profiles remote_client_profile disk0:/remote_client_profile.xml

anyconnect enable

tunnel-group-list enable

tunnel-group-preference group-url

group-policy GroupPolicy_remote internal

group-policy GroupPolicy_remote attributes

wins-server none

dns-server value 8.8.8.8

vpn-tunnel-protocol ikev2

default-domain none

webvpn

anyconnect profiles value remote_client_profile type user

username hamid password L0w/6yVKbR5Zm91N encrypted

tunnel-group remote type remote-access

tunnel-group remote general-attributes

address-pool vpnpool

default-group-policy GroupPolicy_remote

tunnel-group remote webvpn-attributes

group-alias remote enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

 

 

 

Hi Hamid,

I do not see the “same-security-traffic permit intra-interface” command on the config, as Marius stated on his previous reply.

Go ahead, add the command and test again the access to the internet.

Let us know about the results.

 

Rate if it helps.

Regards,

Josue Brenes

TAC - VPN Engineer.

Hi 

The  “same-security-traffic permit intra-interface” on second line of my configuration.

I did applied again, still no internet connection.

 

Best Regards

 

Hamid

Hi

I  added  the command below, I got internet connection, but as ssl vpn connection.

I need  IKEv2 IPsec connection.

 

 group-policy GroupPolicy_remote attributes
vpn-tunnel-protocol ikev2 ssl-client

 

Can you help ?

Have you enable "ipsec" instead of SSL i the AnyConnect profile remote_client_profile?

In the profile go to Server List and edit the server entry and under the Server tab (which should be the first tab) change Connection Information > Primary Protocol to IPsec

Screenshot 2019-10-31 at 10.07.22.png

--
Please remember to select a correct answer and rate helpful posts

Hi Marius

It is enabled.

please see the attachment file.

 

Kind Regards

 

Hamid

 

 

It has been resolved by change the ip address in anyconnect profile
to the internet provider address and use down load automatic for anyconncet from the web as manually did not work.

Also, I do not see any routing statements.

--
Please remember to select a correct answer and rate helpful posts
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: