cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9207
Views
0
Helpful
5
Replies

IPsec VPN unable to remove peer

ovidio.catrina
Beginner
Beginner

hy there

I configured an IPsec tunnel but I have an error to connect.

this is my configuration and the error i got is this

4Jan 09 201300:53:00713903



Group = CON_trabajadores, IP = 81.43.96.53, Error: Unable to remove PeerTblEntry

4Jan 09 201300:53:06713902



Group = CON_trabajadores, IP = 81.43.96.53, Removing peer from peer table failed, no match!

access-list split_tunel_CON_trabajadores remark conexionIPsec

access-list split_tunel_CON_trabajadores standard permit 192.168.54.0 255.255.255.0

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer 201.238.197.253

crypto map outside_map 1 set transform-set ESP-DES-MD5

crypto map outside_map 1 set nat-t-disable

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set peer 190.41.143.165

crypto map outside_map 2 set transform-set ESP-DES-MD5

crypto map outside_map 2 set nat-t-disable

crypto map outside_map 3 match address outside_3_cryptomap

crypto map outside_map 3 set peer 200.59.12.152

crypto map outside_map 3 set transform-set ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption des

hash md5

group 1

lifetime 86400

ip local pool AccesoRemoto

group-policy CON_trabajadores internal

group-policy CON_trabajadores attributes

     dns-server value DNS-SERVER

     vpn-tunnel-protocol IPSec

     split-tunnel -policy tunnelspecified

split-tunnel-network-list value split_tunnel_CON_trabajadores

split-dns value DNS-SERVER

adress-pools value AccesoRemoto

tunnel-group CON_trabajadores type remote-access

tunnel-group CON_trabajadores general-attributes

address-pool AccesoRemoto

authentication-server-group NPS (with radius pointing to an AD)

default-group-policy CON_trabajadores

tunnel-group CON_trabajadores ipsec-attributes

pre-shared-key *******

isakmp keepalive disable

group-policy CON_trabajadores attributes

group-lock value CON_trabajadores

2 Accepted Solutions

Accepted Solutions

Rudy Sanjoko
Enthusiast
Enthusiast

If the IPsec tunnel is not UP, check that the ISAKMP policies match with the remote peers. This ISAKMP policy is applicable to both the Site-to-Site (L2L) and Remote Access IPsec VPN.

If the Cisco VPN Clients or the Site-to-Site VPN are not able establish the tunnel with the remote-end device, check that the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values and when the remote peer policy specifies a lifetime less than or equal to the lifetime in the policy that the initiator sent. If the lifetimes are not identical, the security appliance uses the shorter lifetime. If no acceptable match exists, ISAKMP refuses negotiation, and the SA is not established.

This message usually appears due to mismatched ISAKMP policies or a missing NAT 0 statement.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

View solution in original post

Your ASA configuration for IKE must match with one of the IKE Proposals of the Cisco VPN Client. Based on your config above, you are using DES and MD5 then to match the IKE proposal from the VPN Client you need to use DH group 2. (check the link for valid VPN Client IKE proposals combination)

View solution in original post

5 Replies 5

Rudy Sanjoko
Enthusiast
Enthusiast

If the IPsec tunnel is not UP, check that the ISAKMP policies match with the remote peers. This ISAKMP policy is applicable to both the Site-to-Site (L2L) and Remote Access IPsec VPN.

If the Cisco VPN Clients or the Site-to-Site VPN are not able establish the tunnel with the remote-end device, check that the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values and when the remote peer policy specifies a lifetime less than or equal to the lifetime in the policy that the initiator sent. If the lifetimes are not identical, the security appliance uses the shorter lifetime. If no acceptable match exists, ISAKMP refuses negotiation, and the SA is not established.

This message usually appears due to mismatched ISAKMP policies or a missing NAT 0 statement.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

yes that I understand it.

but the problem is this.

In the client you can not configure more than the name of the group the IP of the FW and the preshared.

it is like the the firewall doesnt send the SAs

in the log of the client it appears this.

27     12:53:29.113  01/09/13  Sev=Info/4    IKE/0x63000013

SENDING >>> ISAKMP OAK AG (Retransmission) to 187.72.39.6

28     12:53:29.440  01/09/13  Sev=Info/5    IKE/0x6300002F

Received ISAKMP packet: peer = 187.72.39.6

29     12:53:29.440  01/09/13  Sev=Warning/2    IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

30     12:53:29.440  01/09/13  Sev=Info/5    IKE/0x6300002F

Received ISAKMP packet: peer = 187.72.39.6

31     12:53:29.440  01/09/13  Sev=Warning/2    IKE/0xE300009B

Fragmented msg rcvd with no associated SA (PacketReceiver:133)

Your ASA configuration for IKE must match with one of the IKE Proposals of the Cisco VPN Client. Based on your config above, you are using DES and MD5 then to match the IKE proposal from the VPN Client you need to use DH group 2. (check the link for valid VPN Client IKE proposals combination)

it worked

thkx for the hint

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers