04-12-2016 02:47 PM - edited 02-21-2020 08:46 PM
Hello,
I hope I can get some help here. I'm trying to create a remote VPN on an ASA 5505. I'm trying to do L2TP/IPsec with a Mac or Windows client. I'm getting the following errors in the logs after Phase 1 completes.
Group = DefaultRAGroup, IP =xxxxx, PHASE 1 COMPLETED
Group = DefaultRAGroup, IP = xxxx, All IPSec SA proposals found unacceptable!
Group = DefaultRAGroup, IP = xxxxxxx QM FSM error (P2 struct &0xd8301f18, mess id 0xe044dd36)!
Group = DefaultRAGroup, IP = xxxxxx, Removing peer from correlator table failed, no match
Group = DefaultRAGroup, IP = xxx Session is being torn down. Reason: Phase 2 Mismatch
Any ideas? I will post my config...
04-12-2016 02:49 PM
Here are some of the configs.
webvpn
 anyconnect-essentials
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 8.8.8.8 4.2.2.2
 vpn-tunnel-protocol l2tp-ipsec
 pfs disable
 default-domain value
 address-pools value vpnpool
group-policy DfltGrpPolicy attributes
 dns-server value 8.8.8.8 4.2.2.2
 vpn-simultaneous-logins 25
 vpn-tunnel-protocol l2tp-ipsec ssl-client
 address-pools value vpnpool
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group xx.xx.xxx.xx type ipsec-l2l
tunnel-group xxx.xx.xxx ipsec-attributes
 ikev1 pre-shared-key *****
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 4443
crypto ikev1 policy 2
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 2000
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto dynamic-map vpnaccess 1 set ikev1 transform-set ESP-DES-SHA
crypto dynamic-map vpnaccess 10 set pfs group1
crypto dynamic-map vpnaccess 10 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-SHA-TRANS ESP-AES-128-MD5-TRANS ESP-AES-192-SHA-TRANS ESP-AES-192-MD5-TRANS ESP-AES-256-SHA-TRANS ESP-AES-256-MD5-TRANS ESP-3DES-SHA-TRANS ESP-3DES-MD5-TRANS ESP-DES-SHA-TRANS ESP-DES-MD5-TRANS
crypto dynamic-map vpnaccess 10 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 100 match address xxxx
crypto map outside_map 100 set peer xxxxx
crypto map outside_map 100 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 100 set security-association lifetime seconds 86400
crypto map outside_map 65535 ipsec-isakmp dynamic vpnaccess
crypto map outside_map interface outside
I would appreciate any help. I'm doing some of the stuff from ASDM but not everything is visible there. I would like to remove dynamic-map vpnaccess, but can't find the name vpnaccess in ASDM. Would I be OK to remove it from the CLI? I don't want to remove any of the certificates. I feel like there is quite a bit of inconsistent configuration done from a previous engagement.
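An added example, not part of the original post: a small Python audit of the posted crypto lines that resolves, for each `crypto dynamic-map` sequence, which transform sets it offers, whether any is in transport mode (the mode native L2TP/IPsec clients negotiate; an ASA transform set is tunnel mode unless `mode transport` is set), whether PFS is required, and whether legacy algorithms are offered. The names `parse`, `audit` and `WEAK` are this example's own, and the embedded config is abridged from the post.

```python
import re
# Abridged from the configuration posted above; the sequence-10 list is shortened.
CONFIG = """\
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto dynamic-map vpnaccess 1 set ikev1 transform-set ESP-DES-SHA
crypto dynamic-map vpnaccess 10 set pfs group1
crypto dynamic-map vpnaccess 10 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-SHA-TRANS
"""

WEAK = {"esp-des", "esp-3des", "esp-md5-hmac"}  # legacy algorithms to flag

def parse(config):
    """Return (transform_sets, dynamic_map_entries) from ASA-style config text."""
    sets, entries = {}, {}
    for line in config.splitlines():
        m = re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)", line)
        if m:
            # A set is tunnel mode unless a separate "mode transport" line exists.
            ts = sets.setdefault(m.group(1), {"algs": [], "mode": "tunnel"})
            if m.group(2).startswith("mode "):
                ts["mode"] = m.group(2).split()[1]
            else:
                ts["algs"] = m.group(2).split()
        m = re.match(r"crypto dynamic-map (\S+) (\d+) set (.+)", line)
        if m:
            key = (m.group(1), int(m.group(2)))
            e = entries.setdefault(key, {"sets": [], "pfs": None})
            arg = m.group(3).split()
            if arg[0] == "pfs":
                e["pfs"] = " ".join(arg[1:])
            elif arg[:2] == ["ikev1", "transform-set"]:
                e["sets"] = arg[2:]
    return sets, entries

def audit(config):
    """List (sequence, finding) pairs in ascending sequence order."""
    sets, entries = parse(config)
    findings = []
    for (name, seq), e in sorted(entries.items()):
        modes = {sets[s]["mode"] for s in e["sets"] if s in sets}
        if "transport" not in modes:
            findings.append((seq, "no transport-mode transform set"))
        if e["pfs"]:
            findings.append((seq, "pfs " + e["pfs"] + " required"))
        weak = sorted(s for s in e["sets"] if s in sets and WEAK & set(sets[s]["algs"]))
        if weak:
            findings.append((seq, "weak algorithms in: " + ", ".join(weak)))
    return findings
```

Running `audit` over the full output of `show running-config crypto` gives the same per-sequence view for every entry, which is easier to compare against what the client proposes than reading the transform-set list by eye.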