09-24-2010 06:15 AM
Hi,
First of all I have to admit that I'm not very well versed in Cisco gear or IPsec connections in general, so apologies if I'm doing something really obviously stupid, but I have checked through everything I could find on the internet about setting up an IPsec VPN.
The setup I have is an ASA 5520 firewall (OS 8.2) which for the moment is connected to a temporary home-broadband-style internet connection for testing purposes. The Netopia router is configured to allow IPsec passthrough and to forward ports UDP 62515, TCP 10000, UDP 4500 and UDP 500 to the ASA 5520.
I am trying to connect in from a laptop with Windows Firewall turned off and Cisco VPN Client version 5.0.02.0090.
I have run through the IPsec setup wizard several times trying different options. Most of the time nothing comes up in the log to show that a connection has been attempted, but there is one way I can set up the options that produces the following in the firewall log:
4|Sep 24 2010|13:54:29|713903|||||Group = VPNtest9, IP = 86.44.x.x, Error: Unable to remove PeerTblEntry
3|Sep 24 2010|13:54:29|713902|||||Group = VPNtest9, IP = 86.44.x.x, Removing peer from peer table failed, no match!
6|Sep 24 2010|13:54:21|713905|||||Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
5|Sep 24 2010|13:54:21|713201|||||Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|Sep 24 2010|13:54:16|713905|||||Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
5|Sep 24 2010|13:54:16|713201|||||Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|Sep 24 2010|13:54:11|713905|||||Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
5|Sep 24 2010|13:54:11|713201|||||Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1
6|Sep 24 2010|13:54:06|302015|86.44.x.x|51905|192.168.0.27|500|Built inbound UDP connection 7487 for Internet:86.44.x.x/51905 (86.44.x.x/51905) to identity:192.168.0.27/500 (192.168.0.27/500)
and this in the client log:
Cisco Systems VPN Client Version 5.0.02.0090
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
24 13:54:08.250 09/24/10 Sev=Info/4 CM/0x63100002
Begin connection process
25 13:54:08.265 09/24/10 Sev=Info/4 CM/0x63100004
Establish secure connection
26 13:54:08.265 09/24/10 Sev=Info/4 CM/0x63100024
Attempt connection with server "213.94.x.x"
27 13:54:08.437 09/24/10 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 213.94.x.x.
28 13:54:08.437 09/24/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 213.94.x.x
29 13:54:08.484 09/24/10 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
30 13:54:08.484 09/24/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
31 13:54:13.484 09/24/10 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
32 13:54:13.484 09/24/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 213.94.x.x
33 13:54:18.484 09/24/10 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
34 13:54:18.484 09/24/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 213.94.x.x
35 13:54:23.484 09/24/10 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
36 13:54:23.484 09/24/10 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 213.94.x.x
37 13:54:28.484 09/24/10 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=36C50ACCE984B0B0 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
38 13:54:28.984 09/24/10 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=36C50ACCE984B0B0 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
39 13:54:28.984 09/24/10 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "213.94.x.x" because of "DEL_REASON_PEER_NOT_RESPONDING"
40 13:54:28.984 09/24/10 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
41 13:54:28.984 09/24/10 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
42 13:54:28.984 09/24/10 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
43 13:54:29.187 09/24/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
44 13:54:29.187 09/24/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
45 13:54:29.187 09/24/10 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
46 13:54:29.187 09/24/10 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
I have full HTTP connectivity from the internet to a machine on the inside of the ASA 5520, so I think the static routing and NATing should be OK, but I'm happy to provide any details.
Can anyone see what I'm doing wrong?
Thanks,
Sam
09-24-2010 07:31 AM
Please add the following policy:
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
Can you also run debug on the ASA:
debug cry isa
debug cry ipsec
and collect the debug output after trying to connect.
09-24-2010 06:27 AM
Please change or add a phase 1 policy (isakmp policy) with group 2.
Can you share the ASA configuration, in particular the "show run crypto isakmp" output, please.
09-24-2010 07:27 AM
Hi Halijenn,
Here's the output from that command:
Result of the command: "show run crypto isakmp"
crypto isakmp enable Internet
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 60
crypto isakmp ipsec-over-tcp port 10000
"Please change or add phase 1 policy (isakmp policy) with group 2."
I'm going to try to do that now, but I'm not sure how...
Is it something to do with "Perfect Forwarding Security" and "Diffie-Hellman Group 2"? (I knew I shouldn't have messed with that setting.)
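The mismatch lines in Sam's log come from the responder side of IKEv1 Phase 1: the ASA walks its ISAKMP policies from the lowest priority number upwards and accepts the first client transform whose encryption, hash, authentication method and Diffie-Hellman group all match. The Python below is an added example written for this edit, not code from the thread or from Cisco. It encodes the three policies from Sam's "show run crypto isakmp" output and the DES/MD5/group 2 policy Jennifer suggested, and checks them against a constructed client proposal list (an assumption: the real VPN Client offers a longer list, and 3DES is deliberately left out here so that policies 30 and 50 cannot match). The order in which attributes are compared and the labels for the non-group attributes are also assumptions; only the "Group Description" wording mirrors the message on the page.

```python
"""IKEv1 Phase 1 (ISAKMP) policy selection as a responder does it.
Added example for this thread; the client proposal list is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy N' entry (lifetime omitted for brevity)."""
    priority: int
    encryption: str      # des | 3des | aes | aes-192 | aes-256
    hash: str            # md5 | sha
    authentication: str  # pre-share | rsa-sig
    group: int           # Diffie-Hellman group: 1, 2 or 5


@dataclass(frozen=True)
class Proposal:
    """One transform offered by the initiator in its SA payload."""
    encryption: str
    hash: str
    authentication: str
    group: int


# Policies from the thread's first "show run crypto isakmp" output.
ASA_POLICIES_BEFORE = [
    IsakmpPolicy(1,  "des",  "md5", "pre-share", 1),
    IsakmpPolicy(30, "3des", "md5", "pre-share", 2),
    IsakmpPolicy(50, "3des", "sha", "pre-share", 2),
]

# The same list after adding the policy suggested in the thread.
ASA_POLICIES_AFTER = ASA_POLICIES_BEFORE + [
    IsakmpPolicy(10, "des", "md5", "pre-share", 2),
]

# Constructed client offer (assumption): every transform uses DH group 2 and
# 3DES is omitted, so only a DES/MD5/group 2 policy can satisfy it.
CLIENT_PROPOSALS = [
    Proposal("aes-256", "sha", "pre-share", 2),
    Proposal("aes",     "sha", "pre-share", 2),
    Proposal("des",     "md5", "pre-share", 2),
]

# Comparison order and the non-group labels are assumptions; the ASA on the
# page reported the group first, so the group is checked first here too.
_ATTRIBUTES = (
    ("group", "Group Description"),
    ("encryption", "Encryption Alg"),
    ("hash", "Hash Alg"),
    ("authentication", "Authentication Method"),
)


def first_mismatch(proposal: Proposal, policy: IsakmpPolicy) -> Optional[str]:
    """Return an ASA-style 'Mismatched attribute types' line for the first
    attribute that differs, or None when the transform matches the policy."""
    for field, label in _ATTRIBUTES:
        got, want = getattr(proposal, field), getattr(policy, field)
        if got != want:
            fmt = (lambda v: f"Group {v}") if field == "group" else str
            return (f"Phase 1 failure: Mismatched attribute types for class "
                    f"{label}: Rcv'd: {fmt(got)} Cfg'd: {fmt(want)}")
    return None


def select_policy(proposals: List[Proposal],
                  policies: List[IsakmpPolicy]
                  ) -> Tuple[Optional[IsakmpPolicy], List[str]]:
    """Responder-side selection: walk local policies from the lowest priority
    number to the highest and accept the first proposal matching one of them.
    Returns the chosen policy (or None) and the mismatch lines generated."""
    log: List[str] = []
    for policy in sorted(policies, key=lambda p: p.priority):
        for proposal in proposals:
            msg = first_mismatch(proposal, policy)
            if msg is None:
                return policy, log
            log.append(f"policy {policy.priority}: {msg}")
    return None, log


if __name__ == "__main__":
    for name, policies in (("before", ASA_POLICIES_BEFORE),
                           ("after", ASA_POLICIES_AFTER)):
        chosen, log = select_policy(CLIENT_PROPOSALS, policies)
        print(f"{name}: matched policy {chosen.priority if chosen else 'none'}")
        for line in log:
            print("   ", line)
```

Run stand-alone it prints nine mismatch lines and no match for the "before" set, then a match on policy 10 for the "after" set. Note that the priority number also decides which policy wins when several could match, which is why a weak DES/MD5 policy at priority 1 or 10 is chosen ahead of the 3DES/SHA entries; in a production configuration the strongest policy should carry the lowest number and DES/MD5 should not be offered at all.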
09-24-2010 07:38 AM
OK, at this point I will have to admit I really am very new to this stuff. I was using the ASDM GUI for all the configuration; when I copy and paste
" crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2"
into the CLI that you can get into from ASDM, I get "error invalid input detected".
Thanks so much for helping me with this, but could you give me instructions aimed closer to my level of stupidity?
Thanks again,
Sam
09-24-2010 07:41 AM
OK, sorry, found it in the GUI and added it, testing now.
Thanks,
09-24-2010 07:51 AM
Cool! That's got rid of the:
"5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1"
messages, but we're still getting the other ones.
(All this stuff:
4|Sep 24 2010|13:54:29|713903|||||Group = VPNtest9, IP = 86.44.x.x, Error: Unable to remove PeerTblEntry
3|Sep 24 2010|13:54:29|713902|||||Group = VPNtest9, IP = 86.44.x.x, Removing peer from peer table failed, no match!
6|Sep 24 2010|13:54:21|713905|||||Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
5|Sep 24 2010|13:54:21|713201|||||Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|Sep 24 2010|13:54:16|713905|||||Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
5|Sep 24 2010|13:54:16|713201|||||Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|Sep 24 2010|13:54:11|713905|||||Group = VPNtest9, IP = 86.44.x.x, P1 Retransmit msg dispatched to AM FSM
5|Sep 24 2010|13:54:11|713201|||||Group = VPNtest9, IP = 86.44.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.)
09-24-2010 07:55 AM
"Can you also run debug on the ASA:
debug cry isa
debug cry ipsec"
I'm getting "debug commands are not supported in CLI window".
09-24-2010 08:47 AM
OK, I've connected in through HyperTerminal and run
debug cry isa
debug cry ipsec
but it just goes straight back to the command prompt. Do these commands generate log files somewhere?
Thanks,
Sam
09-24-2010 09:19 AM
Ah, got it:
OutsideFW1/pri/act# show run crypto isakmp
crypto isakmp enable Internet
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 60
crypto isakmp ipsec-over-tcp port 10000
OutsideFW1/pri/act# show run crypto ipsec
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
OutsideFW1/pri/act#
09-24-2010 09:38 AM
09-27-2010 01:57 AM
I've tried messing around with a few more settings on the VPN connection, but I'm still getting:
4|Sep 27 2010|09:41:20|713903|||||Group = VPNtest9, IP = 86.x.x.x, Error: Unable to remove PeerTblEntry
3|Sep 27 2010|09:41:20|713902|||||Group = VPNtest9, IP = 86.x.x.x, Removing peer from peer table failed, no match!
6|Sep 27 2010|09:41:12|713905|||||Group = VPNtest9, IP = 86.x.x.x, P1 Retransmit msg dispatched to AM FSM
5|Sep 27 2010|09:41:12|713201|||||Group = VPNtest9, IP = 86.x.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|Sep 27 2010|09:41:07|713905|||||Group = VPNtest9, IP = 86.x.x.x, P1 Retransmit msg dispatched to AM FSM
5|Sep 27 2010|09:41:07|713201|||||Group = VPNtest9, IP = 86.x.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|Sep 27 2010|09:41:02|713905|||||Group = VPNtest9, IP = 86.x.x.x, P1 Retransmit msg dispatched to AM FSM
5|Sep 27 2010|09:41:02|713201|||||Group = VPNtest9, IP = 86.x.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|Sep 27 2010|09:40:57|302015|86.x.x.x|59742|192.168.0.27|500|Built inbound UDP connection 11206 for Internet:86.x.x.x/59742 (86.x.x.x/59742) to identity:192.168.0.27/500 (192.168.0.27/500)
As best as I can understand this, it means that the client is getting through OK to the ASA but is not receiving the messages back from the ASA to confirm the connection.
I don't think this should be a problem with the default route, as I can browse the internet OK from a laptop on the inside of the firewall.
Could it be to do with my NAT settings or access rules?
Thanks,
Sam
09-27-2010 02:14 AM
Thanks for the config. That helps.
It seems that you have not configured any group-policy specifically for the tunnel-group, hence it defaults to use the default group-policy (DfltGrpPolicy).
Please add the following vpn protocol to the default group-policy:
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ipsec
Try to connect again, and let us know how it goes.
09-27-2010 03:34 AM
Hi Jennifer,
We got it working. I disconnected the laptop I was using to test the client from the connection it was connected to and connected it to the same network as the broadband router and the outside IP of the firewall. I immediately got a different bunch of errors on trying to connect, but they were easily sorted.
This means that there was something wrong with the way the broadband router was passing the traffic. The broadband router is only there for test purposes anyway, and once the firewall gets moved to our live network it will have a public IP, so this is not a problem.
Thanks again for all your help
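Sam's reading of the second log (the ASA sees the client's first packet, answers, then keeps seeing the same packet while the client reports DEL_REASON_PEER_NOT_RESPONDING) and the eventual finding that the broadband router was not passing the traffic back can be turned into a small triage check. The Python below is an added example written for this edit, not code from the thread or from Cisco. It parses the pipe-delimited log export format the posts use (severity|date|time|message-id|src|sport|dst|dport|text), copies the Sep 27 lines from the thread with the client address masked as posted, and classifies the failure into the two cases the thread shows: a Phase 1 policy mismatch (message 713257) and a broken return path (inbound UDP/500 or 4500 connection built, repeated 713201 duplicates, and the client timing out). The verdict strings and the suggested actions are this example's own.

```python
"""Triage of a failing IKEv1 remote-access attempt from ASA syslog plus the
VPN Client's final reason code.  Added example; log lines copied from the
thread with the client address masked as it was posted."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

ASA_LOG = """\
4|Sep 27 2010|09:41:20|713903|||||Group = VPNtest9, IP = 86.x.x.x, Error: Unable to remove PeerTblEntry
3|Sep 27 2010|09:41:20|713902|||||Group = VPNtest9, IP = 86.x.x.x, Removing peer from peer table failed, no match!
6|Sep 27 2010|09:41:12|713905|||||Group = VPNtest9, IP = 86.x.x.x, P1 Retransmit msg dispatched to AM FSM
5|Sep 27 2010|09:41:12|713201|||||Group = VPNtest9, IP = 86.x.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|Sep 27 2010|09:41:07|713905|||||Group = VPNtest9, IP = 86.x.x.x, P1 Retransmit msg dispatched to AM FSM
5|Sep 27 2010|09:41:07|713201|||||Group = VPNtest9, IP = 86.x.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|Sep 27 2010|09:41:02|713905|||||Group = VPNtest9, IP = 86.x.x.x, P1 Retransmit msg dispatched to AM FSM
5|Sep 27 2010|09:41:02|713201|||||Group = VPNtest9, IP = 86.x.x.x, Duplicate Phase 1 packet detected. Retransmitting last packet.
6|Sep 27 2010|09:40:57|302015|86.x.x.x|59742|192.168.0.27|500|Built inbound UDP connection 11206 for Internet:86.x.x.x/59742 (86.x.x.x/59742) to identity:192.168.0.27/500 (192.168.0.27/500)
"""

# One line from the earlier, pre-fix log: the policy mismatch case.
MISMATCH_LOG = ("5|Sep 24 2010|13:54:06|713257|||||Phase 1 failure: Mismatched "
                "attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 1")


@dataclass
class AsaEvent:
    severity: int
    msgid: int
    src: str
    sport: str
    dst: str
    dport: str
    text: str


def parse_asa(log: str) -> List[AsaEvent]:
    """Parse the ASDM log export: severity|date|time|msgid|src|sport|dst|dport|text."""
    events: List[AsaEvent] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 8)
        if len(parts) != 9:
            raise ValueError(f"unexpected ASA log format: {line!r}")
        sev, _date, _time, msgid, src, sport, dst, dport, text = parts
        events.append(AsaEvent(int(sev), int(msgid), src, sport, dst, dport, text))
    return events


MISMATCH_RE = re.compile(r"class (?P<cls>[^:]+): Rcv'd: (?P<got>.+?) Cfg'd: (?P<want>.+)$")


def triage(events: List[AsaEvent], client_reason: Optional[str]) -> Dict[str, str]:
    """Classify the failure.  Message IDs used: 713257 = Phase 1 attribute
    mismatch, 302015 = inbound connection built, 713201 = duplicate Phase 1
    packet seen (the ASA already answered it once)."""
    counts = Counter(e.msgid for e in events)
    # Case 1: the ASA rejected the proposals; the reason is in the message text.
    for e in events:
        if e.msgid == 713257:
            m = MISMATCH_RE.search(e.text)
            if m:
                return {"verdict": "phase1_policy_mismatch",
                        "detail": f"{m['cls']}: client sent {m['got']}, policy has {m['want']}",
                        "action": f"add a crypto isakmp policy whose {m['cls']} is {m['got']}"}
    # Case 2: IKE reached the ASA, the ASA answered, then kept seeing the same
    # first packet, and the client gave up waiting: replies are being dropped
    # somewhere between the ASA's outside interface and the client.
    inbound_ike = [e for e in events if e.msgid == 302015 and e.dport in ("500", "4500")]
    if inbound_ike and counts[713201] >= 2 and client_reason == "DEL_REASON_PEER_NOT_RESPONDING":
        first = inbound_ike[0]
        return {"verdict": "return_path_broken",
                "detail": (f"IKE from {first.src} arrived on UDP/{first.dport}; ASA saw "
                           f"{counts[713201]} duplicate Phase 1 packets; client saw no reply"),
                "action": ("check that the NAT device in front of the ASA passes UDP 500/4500 "
                           "back to the client, or test from the ASA's outside network")}
    return {"verdict": "inconclusive",
            "detail": f"message ids seen: {dict(counts)}",
            "action": "run 'debug crypto isakmp' from a console session and retry"}


if __name__ == "__main__":
    for key, value in triage(parse_asa(ASA_LOG), "DEL_REASON_PEER_NOT_RESPONDING").items():
        print(f"{key}: {value}")
```

The return-path verdict only fires when both sides agree: the ASA must have built the inbound IKE connection and logged duplicates, and the client must have timed out. Without the client's reason code the same ASA lines are reported as inconclusive, because a client that simply aborted would produce a similar firewall-side trace.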
09-27-2010 03:54 AM
Great to hear it's working now.