01-13-2011 03:06 PM - edited 02-21-2020 05:05 PM
Hi all,
My question is if it is possible to have at the same time, both L2TP/IPSEC and Cisco VPN client? I´ve tried that configuration but if the L2TP/IPSEC works the other one (Cisco VPN Client) doesn’t!
Thx in advance,
Mário
Solved! Go to Solution.
01-13-2011 08:30 PM
Yes, you are right in regards to nt-encrypted. When L2TP/IPSec is configured to use MS-CHAP authentication, you would need to use "nt-encrypted" in the username.
Good to hear that it's now working correctly for both.
Pls kindly rate useful posts and also mark the post as answered if you have no further question. Thank you.
01-13-2011 03:11 PM
Sorry, just confirming that you would like to have both L2TP/IPsec as well as the Cisco VPN IPsec configuration on PIX525 at the same time, however, you will be connecting separately from 2 different PCs, right?
If the above is correct, then yes.
Can you advise which phase is the VPN Client failing at? If you can share the configuration, output of "show cry isa sa" and "show cry ipsec sa" as well as the output of "debug cry isa" and "debug cry ipsec" when you are connecting via the Cisco IPSec VPN Client, that would help.
01-13-2011 03:48 PM
Hi,
Yes only one method at the same time....
Here is my configuration (only the important part...)
---
access-list vpn-acl extended permit ip 172.30.0.0 255.255.0.0 192.168.69.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 172.30.0.0 255.255.0.0
ip local pool vpn-pool 192.168.69.1-192.168.69.10
aaa authentication ssh console LOCAL
crypto ipsec transform-set vpn-tset esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map dyn1 10 set transform-set vpn-tset
crypto dynamic-map dyn1 10 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 10 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 ipsec-isakmp dynamic dyn1
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
group-policy policy_xxx internal
group-policy policy_xxx attributes
vpn-idle-timeout 1800
vpn-session-timeout none
vpn-tunnel-protocol IPSec
password-storage enable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-acl
secure-unit-authentication enable
user-authentication enable
tunnel-group DefaultRAGroup general-attributes
address-pool vpn-pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group xxx type remote-access
tunnel-group xxx general-attributes
address-pool vpn-pool
authorization-server-group LOCAL
default-group-policy policy_xxx
tunnel-group xxx ipsec-attributes
pre-shared-key *
----
The ERROR (when testing the L2TP/IPSEC) via winxp,is:
Group = DefaultRAGroup, IP = 83.132.30.97, Removing peer from correlator table failed, no match!
Group = DefaultRAGroup, IP = 83.132.30.97, QM FSM error (P2 struct &0x4007b78, mess id 0x214da63)!
Thx in advance,
Mario
01-13-2011 04:55 PM
L2TP uses transport mode, while IPSec typically uses tunnel mode.
Try to add the following:
crypto dynamic-map dyn1 5 set transform-set TRANS_ESP_3DES_SHA
Also the split tunnel ACL for the VPN Client is incorrect. Configured extended ACL and the direction of the ACL is the other way round. But you must configure standard ACL anyway for split tunnel ACL, same as the one you configured for L2TP/IPSec split tunnel.
You currently have the following:
access-list vpn-acl extended permit ip 172.30.0.0 255.255.0.0 192.168.69.0 255.255.255.0
Please change it to the following:
access-list vpn-acl standard permit 172.30.0.0 255.255.0.0
01-13-2011 05:27 PM
Hi J,
Thx for the help, I did the conf suggest but now the L2TP/IPSEC works, but the cisco VPN (tunnel mode) no!
The error is:
Group = xxx, IP = 83.132.30.97, Removing peer from correlator table failed, no match!
Group = xxx, IP = 83.132.30.97, QM FSM error (P2 struct &0x5465070, mess id 0xfac083ea)!
Thx in advance,
Mario
01-13-2011 05:58 PM
Can you please share the full config as well as "debug cry isa" and "debug cry ipsec" when you are trying to connect with IPSec VPN Client.
01-13-2011 06:10 PM
CONF
-------
access-list vpn-acl extended permit ip 172.30.0.0 255.255.0.0 192.168.69.0 255.255.255.0
access-list vpn-acl extended permit ip object-group equipamento-pcivil 192.168.69.0 255.255.255.0
access-list vpn-acl extended permit ip object-group equipamento-wifi 192.168.69.0 255.255.255.0
access-list vpn-acl extended permit ip object-group equipamento-wifi-gestao 192.168.69.0 255.255.255.0
access-list vpn-acl extended permit ip host 172.31.1.1 192.168.69.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 172.30.0.0 255.255.0.0
ip local pool vpn-pool 192.168.69.1-192.168.69.10
ip local pool teste-pool 192.168.73.1-192.168.73.10 mask 255.255.255.0
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
crypto ipsec transform-set vpn-tset esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 5 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map dyn1 5 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 5 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 10 set transform-set vpn-tset
crypto dynamic-map dyn1 10 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 10 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 ipsec-isakmp dynamic dyn1
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
group-policy policy_PD-Gestao internal
group-policy policy_PD-Gestao attributes
vpn-idle-timeout 1800
vpn-session-timeout none
vpn-tunnel-protocol IPSec
password-storage enable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-acl
secure-unit-authentication enable
user-authentication enable
tunnel-group DefaultRAGroup general-attributes
address-pool teste-pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group PD-Gestao type remote-access
tunnel-group PD-Gestao general-attributes
address-pool vpn-pool
authorization-server-group LOCAL
default-group-policy policy_PD-Gestao
tunnel-group PD-Gestao ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect pptp
!
DEBUG
-----
Jan 14 2011 02:01:40: %PIX-3-713902: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, QM FSM error (P2 struct &0x5425ca8, mess id 0xad3871b5)!
Jan 14 2011 02:01:40: %PIX-3-713902: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Removing peer from correlator table failed, no match!
: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, QM FSM error (P2 struct &0x5425ca8, mess id 0xad3871b5)!
Jan 14 02:01:40 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Removing peer from correlator table failed, no match!
PD-Gestao-FW# Jan 14 02:03:18 [IKEv1]: IP = 83.132.30.97, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853
Jan 14 02:03:18 [IKEv1 DEBUG]: IP = 83.132.30.97, processing SA payload
Jan 14 02:03:18 [IKEv1 DEBUG]: IP = 83.132.30.97, processing ke payload
Jan 14 02:03:18 [IKEv1 DEBUG]: IP = 83.132.30.97, processing ISA_KE payload
Jan 14 02:03:18 [IKEv1 DEBUG]: IP = 83.132.30.97, processing nonce payload
Jan 14 02:03:18 [IKEv1 DEBUG]: IP = 83.132.30.97, processing ID payload
Jan 14 02:03:18 [IKEv1 DEBUG]: IP = 83.132.30.97, processing VID payload
Jan 14 02:03:18 [IKEv1 DEBUG]: IP = 83.132.30.97, Received xauth V6 VID
Jan 14 02:03:18 [IKEv1 DEBUG]: IP = 83.132.30.97, processing VID payload
Jan 14 02:03:18 [IKEv1 DEBUG]: IP = 83.132.30.97, Received DPD VID
Jan 14 02:03:18 [IKEv1 DEBUG]: IP = 83.132.30.97, processing VID payload
Jan 14 02:03:18 [IKEv1 DEBUG]: IP = 83.132.30.97, Received Fragmentation VID
Jan 14 02:03:18 [IKEv1 DEBUG]: IP = 83.132.30.97, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Jan 14 02:03:18 [IKEv1 DEBUG]: IP = 83.132.30.97, processing VID payload
Jan 14 02:03:18 [IKEv1 DEBUG]: IP = 83.132.30.97, Received NAT-Traversal ver 02 VID
Jan 14 02:03:18 [IKEv1 DEBUG]: IP = 83.132.30.97, processing VID payload
Jan 14 02:03:18 [IKEv1 DEBUG]: IP = 83.132.30.97, Received Cisco Unity client VID
Jan 14 02:03:18 [IKEv1]: IP = 83.132.30.97, Connection landed on tunnel_group PD-Gestao
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, processing IKE SA payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, IKE SA Proposal # 1, Transform # 10 acceptable Matches global IKE entry # 1
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing ISAKMP SA payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing ke payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing nonce payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, Generating keys for Responder...
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing ID payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing hash payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, Computing hash for ISAKMP
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing Cisco Unity VID payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing xauth V6 VID payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing dpd vid payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing NAT-Traversal VID ver 02 payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing NAT-Discovery payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, computing NAT Discovery hash
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing NAT-Discovery payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, computing NAT Discovery hash
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing Fragmentation VID + extended capabilities payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing VID payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 14 02:03:18 [IKEv1]: IP = 83.132.30.97, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 428
Jan 14 02:03:18 [IKEv1]: IP = 83.132.30.97, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 156
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, processing hash payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, Computing hash for ISAKMP
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, processing notify payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, processing NAT-Discovery payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, computing NAT Discovery hash
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, processing NAT-Discovery payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, computing NAT Discovery hash
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, processing VID payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, processing VID payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, Received Cisco Unity client VID
Jan 14 02:03:18 [IKEv1]: Group = PD-Gestao, IP = 83.132.30.97, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing blank hash payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing qm hash payload
Jan 14 02:03:18 [IKEv1]: IP = 83.132.30.97, IKE_DECODE SENDING Message (msgid=e525b058) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 68
Jan 14 02:03:18 [IKEv1]: IP = 83.132.30.97, IKE_DECODE RECEIVED Message (msgid=e525b058) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 83
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, process_attr(): Enter!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, Processing MODE_CFG Reply attributes.
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKEGetUserAttributes: primary DNS = cleared
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKEGetUserAttributes: secondary DNS = cleared
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKEGetUserAttributes: primary WINS = cleared
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKEGetUserAttributes: secondary WINS = cleared
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKEGetUserAttributes: split tunneling list = vpn-acl
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Auto-detected a NAT device with NAT-Traversal. Ignoring IPSec-over-UDP configuration.
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKEGetUserAttributes: IP Compression = disabled
Jan 14 2011 02:03:18: %PIX-3-713902: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, QM FSM error (P2 struct &0x5481f38, mess id 0xd64a41a3)!
Jan 14 2011 02:03:18: %PIX-3-713902: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Removing peer from correlator table failed, no match!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKEGetUserAttributes: Split Tunneling Policy = Split Network
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Jan 14 02:03:18 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, User (mserrao) authenticated.
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing blank hash payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing qm hash payload
Jan 14 02:03:18 [IKEv1]: IP = 83.132.30.97, IKE_DECODE SENDING Message (msgid=115381d2) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Jan 14 02:03:18 [IKEv1]: IP = 83.132.30.97, IKE_DECODE RECEIVED Message (msgid=115381d2) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 56
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, process_attr(): Enter!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Processing cfg ACK attributes
Jan 14 02:03:18 [IKEv1]: IP = 83.132.30.97, IKE_DECODE RECEIVED Message (msgid=d0175d0c) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 185
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, process_attr(): Enter!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Processing cfg Request attributes
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for IPV4 address!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for IPV4 net mask!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for DNS server address!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for WINS server address!
Jan 14 02:03:18 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Received unsupported transaction mode attribute: 5
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for Banner!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for Save PW setting!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for Default Domain Name!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for Split Tunnel List!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for Split DNS!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for PFS setting!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for Client Browser Proxy Setting!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for backup ip-sec peer list!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for Application Version!
Jan 14 02:03:18 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Client Type: WinNT Client Application Version: 5.0.05.0290
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for FWTYPE!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for DHCP hostname for DDNS is: mserrao!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Obtained IP addr (192.168.69.1) prior to initiating Mode Cfg (XAuth enabled)
Jan 14 02:03:18 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Assigned private IP address 192.168.69.1 to remote user
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing blank hash payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Send Client Browser Proxy Attributes!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Browser Proxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg reply
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Send Cisco Smartcard Removal Disconnect enable!!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing qm hash payload
Jan 14 02:03:18 [IKEv1]: IP = 83.132.30.97, IKE_DECODE SENDING Message (msgid=d0175d0c) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 236
Jan 14 02:03:18 [IKEv1 DECODE]: IP = 83.132.30.97, IKE Responder starting QM: msg id = d64a41a3
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
Jan 14 02:03:18 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, PHASE 1 COMPLETED
Jan 14 02:03:18 [IKEv1]: IP = 83.132.30.97, Keep-alive type for this connection: DPD
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Starting P1 rekey timer: 82080 seconds.
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, sending notify message
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing blank hash payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing qm hash payload
Jan 14 02:03:18 [IKEv1]: IP = 83.132.30.97, IKE_DECODE SENDING Message (msgid=9a813444) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 88
Jan 14 02:03:18 [IKEv1]: IP = 83.132.30.97, IKE_DECODE RECEIVED Message (msgid=d64a41a3) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 1022
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, processing hash payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, processing SA payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, processing nonce payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, processing ID payload
Jan 14 02:03:18 [IKEv1 DECODE]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, ID_IPV4_ADDR ID received
192.168.69.1
Jan 14 02:03:18 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Received remote Proxy Host data in ID Payload: Address 192.168.69.1, Protocol 0, Port 0
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, processing ID payload
Jan 14 02:03:18 [IKEv1 DECODE]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
Jan 14 02:03:18 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Jan 14 02:03:18 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, QM IsRekeyed old sa not found by addr
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Jan 14 02:03:18 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKE Remote Peer configured for crypto map: dyn1
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, processing IPSec SA payload
Jan 14 02:03:18 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, All IPSec SA proposals found unacceptable!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, sending notify message
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing blank hash payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing ipsec notify payload for msg id d64a41a3
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing qm hash payload
Jan 14 02:03:18 [IKEv1]: IP = 83.132.30.97, IKE_DECODE SENDING Message (msgid=2c480a83) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jan 14 02:03:18 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, QM FSM error (P2 struct &0x5481f38, mess id 0xd64a41a3)!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKE QM Responder FSM error history (struct &0x5481f38)
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, sending delete/delete with reason message
Jan 14 02:03:18 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Removing peer from correlator table failed, no match!
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKE SA AM:cfd0b285 rcv'd Terminate: state AM_ACTIVE flags 0x0841c041, refcnt 1, tuncnt 0
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKE SA AM:cfd0b285 terminating: flags 0x0941c001, refcnt 0, tuncnt 0
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, sending delete/delete with reason message
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing blank hash payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing IKE delete payload
Jan 14 02:03:18 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing qm hash payload
Jan 14 02:03:18 [IKEv1]: IP = 83.132.30.97, IKE_DECODE SENDING Message (msgid=1995c58c) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Jan 14 02:03:18 [IKEv1]: Ignoring msg to mark SA with dsID 430080 dead because SA deleted
01-13-2011 06:24 PM
Please modify the split tunnel acl "vpn-acl" to standard ACL instead of extended ACL as advised earlier.
Further to that, please also remove a few configuration lines as follows:
group-policy policy_PD-Gestao attributes
no secure-unit-authentication enable
no user-authentication enable
Those 2 lines are not required as they are for hardware vpn client, not software ipsec vpn client.
Pls kindly provide the latest configuration after the above changes, and the debug output if it still doesn't work after the changes. Thanks.
01-13-2011 06:56 PM
Hi J,
I've done your suggestions but still only the L2TP/IPSEC only works!
Thx for your time!
Here is the conf:
access-list vpn-acl standard permit 172.30.0.0 255.255.0.0
access-list vpn-acl standard permit 192.168.1.0 255.255.255.0
access-list vpn-acl standard permit 10.10.10.0 255.255.255.0
access-list vpn-acl standard permit 172.31.2.0 255.255.255.0
access-list vpn-acl standard permit host 172.31.1.1
access-list DefaultRAGroup_splitTunnelAcl standard permit 172.30.0.0 255.255.0.0
ip local pool vpn-pool 192.168.69.1-192.168.69.10
ip local pool teste-pool 192.168.73.1-192.168.73.10 mask 255.255.255.0
nat-control
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
crypto ipsec transform-set vpn-tset esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 5 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map dyn1 5 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 5 set security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 10 set transform-set vpn-tset
crypto dynamic-map dyn1 10 set security-association lifetime seconds 28800
crypto dynamic-map dyn1 10 set security-association lifetime kilobytes 4608000
crypto map outside_map 20 ipsec-isakmp dynamic dyn1
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
group-policy policy_PD-Gestao internal
group-policy policy_PD-Gestao attributes
vpn-idle-timeout 1800
vpn-session-timeout none
vpn-tunnel-protocol IPSec
password-storage enable
ipsec-udp enable
ipsec-udp-port 10000
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-acl
tunnel-group DefaultRAGroup general-attributes
address-pool teste-pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
tunnel-group PD-Gestao type remote-access
tunnel-group PD-Gestao general-attributes
address-pool vpn-pool
authorization-server-group LOCAL
default-group-policy policy_PD-Gestao
tunnel-group PD-Gestao ipsec-attributes
pre-shared-key *
Here is the debug:
Jan 14 02:46:50 [IKEv1]: IP = 83.132.30.97, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 853
Jan 14 02:46:50 [IKEv1 DEBUG]: IP = 83.132.30.97, processing SA payload
Jan 14 02:46:50 [IKEv1 DEBUG]: IP = 83.132.30.97, processing ke payload
Jan 14 02:46:50 [IKEv1 DEBUG]: IP = 83.132.30.97, processing ISA_KE payload
Jan 14 02:46:50 [IKEv1 DEBUG]: IP = 83.132.30.97, processing nonce payload
Jan 14 02:46:50 [IKEv1 DEBUG]: IP = 83.132.30.97, processing ID payload
Jan 14 02:46:50 [IKEv1 DEBUG]: IP = 83.132.30.97, processing VID payload
Jan 14 02:46:50 [IKEv1 DEBUG]: IP = 83.132.30.97, Received xauth V6 VID
Jan 14 02:46:50 [IKEv1 DEBUG]: IP = 83.132.30.97, processing VID payload
Jan 14 02:46:50 [IKEv1 DEBUG]: IP = 83.132.30.97, Received DPD VID
Jan 14 02:46:50 [IKEv1 DEBUG]: IP = 83.132.30.97, processing VID payload
Jan 14 02:46:50 [IKEv1 DEBUG]: IP = 83.132.30.97, Received Fragmentation VID
Jan 14 02:46:50 [IKEv1 DEBUG]: IP = 83.132.30.97, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: False
Jan 14 02:46:50 [IKEv1 DEBUG]: IP = 83.132.30.97, processing VID payload
Jan 14 02:46:50 [IKEv1 DEBUG]: IP = 83.132.30.97, Received NAT-Traversal ver 02 VID
Jan 14 02:46:50 [IKEv1 DEBUG]: IP = 83.132.30.97, processing VID payload
Jan 14 02:46:50 [IKEv1 DEBUG]: IP = 83.132.30.97, Received Cisco Unity client VID
Jan 14 02:46:50 [IKEv1]: IP = 83.132.30.97, Connection landed on tunnel_group PD-Gestao
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, processing IKE SA payload
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, IKE SA Proposal # 1, Transform # 10 acceptable Matches global IKE entry # 1
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing ISAKMP SA payload
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing ke payload
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing nonce payload
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, Generating keys for Responder...
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing ID payload
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing hash payload
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, Computing hash for ISAKMP
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing Cisco Unity VID payload
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing xauth V6 VID payload
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing dpd vid payload
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing NAT-Traversal VID ver 02 payload
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing NAT-Discovery payload
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, computing NAT Discovery hash
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing NAT-Discovery payload
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, computing NAT Discovery hash
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing Fragmentation VID + extended capabilities payload
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing VID payload
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jan 14 02:46:50 [IKEv1]: IP = 83.132.30.97, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + HASH (8) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 428
Jan 14 02:46:50 [IKEv1]: IP = 83.132.30.97, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + HASH (8) + NOTIFY (11) + NAT-D (130) + NAT-D (130) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 156
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, processing hash payload
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, Computing hash for ISAKMP
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, processing notify payload
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, processing NAT-Discovery payload
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, computing NAT Discovery hash
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, processing NAT-Discovery payload
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, computing NAT Discovery hash
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, processing VID payload
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 00000408)
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, processing VID payload
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, Received Cisco Unity client VID
Jan 14 02:46:50 [IKEv1]: Group = PD-Gestao, IP = 83.132.30.97, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing blank hash payload
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, constructing qm hash payload
Jan 14 02:46:50 [IKEv1]: IP = 83.132.30.97, IKE_DECODE SENDING Message (msgid=1ac689cf) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 68
Jan 14 02:46:50 [IKEv1]: IP = 83.132.30.97, IKE_DECODE RECEIVED Message (msgid=1ac689cf) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 83
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, process_attr(): Enter!
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, IP = 83.132.30.97, Processing MODE_CFG Reply attributes.
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKEGetUserAttributes: primary DNS = cleared
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKEGetUserAttributes: secondary DNS = cleared
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKEGetUserAttributes: primary WINS = cleared
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKEGetUserAttributes: secondary WINS = cleared
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKEGetUserAttributes: split tunneling list = vpn-acl
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Auto-detected a NAT device with NAT-Traversal. Ignoring IPSec-over-UDP configuration.
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKEGetUserAttributes: IP Compression = disabled
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKEGetUserAttributes: Split Tunneling Policy = Split Network
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKEGetUserAttributes: Browser Proxy Setting = no-modify
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKEGetUserAttributes: Browser Proxy Bypass Local = disable
Jan 14 02:46:50 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, User (mserrao) authenticated.
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing blank hash payload
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing qm hash payload
Jan 14 02:46:50 [IKEv1]: IP = 83.132.30.97, IKE_DECODE SENDING Message (msgid=f872b9c) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 60
Jan 14 02:46:50 [IKEv1]: IP = 83.132.30.97, IKE_DECODE RECEIVED Message (msgid=f872b9c) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 56
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, process_attr(): Enter!
Jan 14 02:46:50 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Processing cfg ACK attributes
Jan 14 02:46:51 [IKEv1]: IP = 83.132.30.97, IKE_DECODE RECEIVED Message (msgid=7adddecb) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 185
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, process_attr(): Enter!
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Processing cfg Request attributes
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for IPV4 address!
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for IPV4 net mask!
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for DNS server address!
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for WINS server address!
Jan 14 02:46:51 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Received unsupported transaction mode attribute: 5
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for Banner!
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for Save PW setting!
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for Default Domain Name!
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for Split Tunnel List!
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for Split DNS!
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for PFS setting!
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for Client Browser Proxy Setting!
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for backup ip-sec peer list!
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for Client Smartcard Removal Disconnect Setting!
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for Application Version!
Jan 14 02:46:51 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Client Type: WinNT Client Application Version: 5.0.05.0290
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for FWTYPE!
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, MODE_CFG: Received request for DHCP hostname for DDNS is: mserrao!
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Obtained IP addr (192.168.69.1) prior to initiating Mode Cfg (XAuth enabled)
Jan 14 02:46:51 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Assigned private IP address 192.168.69.1 to remote user
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing blank hash payload
Jan 14 2011 02:46:51: %PIX-3-713902: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, QM FSM error (P2 struct &0x5481ba0, mess id 0xe953f62d)!
Jan 14 2011 02:46:51: %PIX-3-713902: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Removing peer from correlator table failed, no match!
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Send Client Browser Proxy Attributes!
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Browser Proxy set to No-Modify. Browser Proxy data will NOT be included in the mode-cfg reply
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Send Cisco Smartcard Removal Disconnect enable!!
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing qm hash payload
Jan 14 02:46:51 [IKEv1]: IP = 83.132.30.97, IKE_DECODE SENDING Message (msgid=7adddecb) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 236
Jan 14 02:46:51 [IKEv1 DECODE]: IP = 83.132.30.97, IKE Responder starting QM: msg id = e953f62d
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Delay Quick Mode processing, Cert/Trans Exch/RM DSID in progress
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Resume Quick Mode processing, Cert/Trans Exch/RM DSID completed
Jan 14 02:46:51 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, PHASE 1 COMPLETED
Jan 14 02:46:51 [IKEv1]: IP = 83.132.30.97, Keep-alive type for this connection: DPD
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Starting P1 rekey timer: 82080 seconds.
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, sending notify message
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing blank hash payload
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing qm hash payload
Jan 14 02:46:51 [IKEv1]: IP = 83.132.30.97, IKE_DECODE SENDING Message (msgid=e92e4a63) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 88
Jan 14 02:46:51 [IKEv1]: IP = 83.132.30.97, IKE_DECODE RECEIVED Message (msgid=e953f62d) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 1022
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, processing hash payload
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, processing SA payload
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, processing nonce payload
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, processing ID payload
Jan 14 02:46:51 [IKEv1 DECODE]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, ID_IPV4_ADDR ID received
192.168.69.1
Jan 14 02:46:51 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Received remote Proxy Host data in ID Payload: Address 192.168.69.1, Protocol 0, Port 0
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, processing ID payload
Jan 14 02:46:51 [IKEv1 DECODE]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, ID_IPV4_ADDR_SUBNET ID received--0.0.0.0--0.0.0.0
Jan 14 02:46:51 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
Jan 14 02:46:51 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, QM IsRekeyed old sa not found by addr
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
Jan 14 02:46:51 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKE Remote Peer configured for crypto map: dyn1
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, processing IPSec SA payload
Jan 14 02:46:51 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, All IPSec SA proposals found unacceptable!
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, sending notify message
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing blank hash payload
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing ipsec notify payload for msg id e953f62d
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing qm hash payload
Jan 14 02:46:51 [IKEv1]: IP = 83.132.30.97, IKE_DECODE SENDING Message (msgid=b08074c1) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Jan 14 02:46:51 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, QM FSM error (P2 struct &0x5481ba0, mess id 0xe953f62d)!
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKE QM Responder FSM error history (struct &0x5481ba0)
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, sending delete/delete with reason message
Jan 14 02:46:51 [IKEv1]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, Removing peer from correlator table failed, no match!
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKE SA AM:25c47c23 rcv'd Terminate: state AM_ACTIVE flags 0x0841c041, refcnt 1, tuncnt 0
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, IKE SA AM:25c47c23 terminating: flags 0x0941c001, refcnt 0, tuncnt 0
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, sending delete/delete with reason message
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing blank hash payload
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing IKE delete payload
Jan 14 02:46:51 [IKEv1 DEBUG]: Group = PD-Gestao, Username = mserrao, IP = 83.132.30.97, constructing qm hash payload
Jan 14 02:46:51 [IKEv1]: IP = 83.132.30.97, IKE_DECODE SENDING Message (msgid=a43496b9) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Jan 14 02:46:51 [IKEv1]: Ignoring msg to mark SA with dsID 462848 dead because SA deleted
Jan 14 02:46:51 [IKEv1]: IP = 83.132.30.97, Received encrypted packet with no matching SA, dropping
01-13-2011 07:09 PM
Can you please also share the following:
show run username
Also, are you connected with the same username via L2TP/IPSec, when you try to connect with VPN Client? From the debugs, it is showing that you are being prompted for your username and password, and phase 1 seems to be OK, however, it's failing upon checking the user attributes, so if you can share the user attribute that you have configured, that would be great.
Also, you can test just creating a new username and password with no attribute assigned at all to the username and test if it's working.
01-13-2011 07:30 PM
Hi J,
The usernames are different. Here they are:
I also create a new user/pass with no special attributes and with these pair I can't use both VPNs (to use L2TP the password must be nt-encry, I think!)
Thx
Mario
01-13-2011 07:32 PM
No, you don't need nt-encrypted password.
Can you please try just adding the username and password in cleartext without the nt-encrypted keyword:
username test password test123
01-13-2011 07:37 PM
I allready test it ...
username teste password bFmi7L56IAbygEqs encrypted
no L2TP/IPSEC or Tunnel IPSEC
01-13-2011 07:44 PM
Can you also remove the authorization server group:
tunnel-group PD-Gestao general-attributes
no authorization-server-group LOCAL
01-13-2011 07:48 PM
Still not...!
Just a note, when I remove the configuration line,
crypto dynamic-map dyn1 5 set transform-set TRANS_ESP_3DES_SHA
the Tunnel VPN works, and the other no!
Thx
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide