Problems getting MS VPN client to talk to ASA on IPSEC

RonaldNutter
Level 1

I am trying to set up an ASA to accept an IPSEC connection from a MS VPN client.  I followed the setup as outlined in Cisco DOC id #71028.  I am getting console output that sees the client trying to connect -

Dec 23 2011 14:23:22: %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2

Dec 23 2011 14:23:22: %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2

Dec 23 2011 14:23:22: %ASA-3-713048: IP = 165.221.79.105, Error processing payload: Payload ID: 1

I have verified I am using the right passphrase.  Since this is failing at phase 1, I would think I have a passphrase problem, but I have verified I am using the same passphrase on both ends.

Here is the ipsec config from the ASA -

crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 165.221.64.58 165.221.66.146
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value mydomain
tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key cisco
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

I am setting up the MS VPN client and have tried several different configurations with no luck.  If anyone knows of a document that shows how to set up the MS VPN client to work with the above mentioned Cisco config, I would appreciate a link to the doc.  I would prefer to be using Anyconnect, but there is no money in the budget for the licensing.

Since first posting this message, I have also tried the Shrew IPSEC client; I can get past the phase 1 failure, which would indicate a problem with the MS VPN client (no surprise there).

Thanks,

Ron

5 Replies

RonaldNutter
Level 1

Looks like I have found some explanation for the problem -

Dec 23 2011 15:46:28: %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2

After doing some digging, I found this link - http://www.firewall.cx/forum/1-design-installation-a-troubleshooting/33635-asa-5505-vpn-problem.html

It appears that the error I am getting refers to a problem with the MS VPN client not supporting Diffie-Hellman group 2.  I tried other DH version numbers and ran into the same error but with different numbers.

Anybody gotten the MS VPN Client to work ?

Hi,

Can you try once: remove "vpn-tunnel-protocol IPSec l2tp-ipsec" and use just "vpn-tunnel-protocol l2tp-ipsec"?

Thanks

Ajay

Didn't make any difference.  Still seeing the error -

Dec 23 2011 16:26:19: %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2

I have been doing some digging and it looks like the MS VPN client doesn't use Diffie-Hellman.  I found this link - http://www.draytek.com/user/SupportAppnotesDetail.php?ID=144 - that is supposed to be how to get MS to use DH on VPN connections.  Have been working with that for a while and no luck.  With my luck, Windows 7 64-bit needs something different to get it to play nice with DH.

One more try: please change the isakmp policy and use hash sha1.

I hope this will solve it.

Ajay:

Just had a chance to try this.  We were closed for Christmas and just got back in this morning.

Changing the ISAKMP policy made no difference.  Still seeing the following on the console screen -

Dec 27 2011 06:55:21: %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2

Dec 27 2011 06:55:21: %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2

Dec 27 2011 06:55:21: %ASA-3-713048: IP = 165.221.79.105, Error processing payload: Payload ID: 1

What I can find is still pointing me in the direction of the MS VPN client not being configured to use Diffie-Hellman.  I have also been talking to TAC on this and have made zero progress there.  No one in TAC seems to know how to get the MS client to work.

Thanks for your help.  Still looking for a way to get this to work.  There must be others who have gotten this to work.

Ron
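The %ASA-5-713257 and %ASA-3-713048 lines quoted in the original post and again in the Dec 27 reply carry the whole diagnosis in three fields (attribute class, what the peer proposed, what the ASA has configured), but they are easy to skim past on a busy console. The parser below is an added example, not code from the thread or from Cisco: it turns those two message types into structured records and tallies distinct Phase 1 mismatches and per-peer payload errors, so a repeated "Rcv'd: Unknown / Cfg'd: Group 2" for one peer stands out from unrelated IKE noise. The sample lines are the ones posted in the thread, embedded inline; the ISAKMP payload-type names come from RFC 2408 (payload ID 1 is the Security Association payload, which is consistent with a proposal that the ASA could not match).

```python
"""Parse Cisco ASA IKEv1 Phase 1 syslog lines (%ASA-5-713257 / %ASA-3-713048)
into structured records so a proposal mismatch can be triaged by attribute class."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Generic ASA syslog envelope: "<timestamp>: %ASA-<severity>-<message id>: <body>"
ENVELOPE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# Body of 713257: one proposed Phase 1 attribute that matched no configured policy
MISMATCH_RE = re.compile(
    r"Phase 1 failure:\s+Mismatched attribute types for class (?P<cls>.+?):"
    r"\s+Rcv'd: (?P<rcvd>.+?)\s+Cfg'd: (?P<cfgd>.+?)\s*$"
)
# Body of 713048: the peer whose ISAKMP payload could not be processed
PAYLOAD_RE = re.compile(
    r"IP = (?P<peer>\d{1,3}(?:\.\d{1,3}){3}), "
    r"Error processing payload: Payload ID: (?P<pid>\d+)"
)
# ISAKMP payload types per RFC 2408 section 3.1
PAYLOAD_NAMES = {
    1: "Security Association", 2: "Proposal", 3: "Transform", 4: "Key Exchange",
    5: "Identification", 6: "Certificate", 7: "Certificate Request", 8: "Hash",
    9: "Signature", 10: "Nonce", 11: "Notification", 12: "Delete", 13: "Vendor ID",
}

# Sample input: the console lines quoted in the thread (two Dec 23 and two Dec 27 bursts)
SAMPLE_LINES = [
    "Dec 23 2011 14:23:22: %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2",
    "Dec 23 2011 14:23:22: %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2",
    "Dec 23 2011 14:23:22: %ASA-3-713048: IP = 165.221.79.105, Error processing payload: Payload ID: 1",
    "Dec 27 2011 06:55:21: %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2",
    "Dec 27 2011 06:55:21: %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2",
    "Dec 27 2011 06:55:21: %ASA-3-713048: IP = 165.221.79.105, Error processing payload: Payload ID: 1",
]


@dataclass
class Ike1Event:
    timestamp: str
    severity: int
    msg_id: str
    peer: Optional[str] = None
    attr_class: Optional[str] = None
    received: Optional[str] = None
    configured: Optional[str] = None
    payload_id: Optional[int] = None


def payload_name(payload_id: int) -> str:
    """Human-readable ISAKMP payload type, or 'Unknown' for IDs outside RFC 2408."""
    return PAYLOAD_NAMES.get(payload_id, "Unknown")


def parse_line(line: str) -> Optional[Ike1Event]:
    """Return a structured event for the two message IDs of interest, else None."""
    m = ENVELOPE_RE.match(line.strip())
    if not m:
        return None
    ev = Ike1Event(m["ts"], int(m["sev"]), m["msgid"])
    if ev.msg_id == "713257":
        mm = MISMATCH_RE.search(m["body"])
        if not mm:
            return None
        ev.attr_class, ev.received, ev.configured = mm["cls"], mm["rcvd"], mm["cfgd"]
        return ev
    if ev.msg_id == "713048":
        pm = PAYLOAD_RE.search(m["body"])
        if not pm:
            return None
        ev.peer, ev.payload_id = pm["peer"], int(pm["pid"])
        return ev
    return None  # other message IDs are not handled here


def summarize(lines: Iterable[str]) -> Dict[str, Dict[Tuple, int]]:
    """Count distinct (class, received, configured) mismatches and (peer, payload) errors."""
    mismatches: Counter = Counter()
    payload_errors: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.msg_id == "713257":
            mismatches[(ev.attr_class, ev.received, ev.configured)] += 1
        else:
            payload_errors[(ev.peer, ev.payload_id)] += 1
    return {"mismatches": dict(mismatches), "payload_errors": dict(payload_errors)}


if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    for (cls, rcvd, cfgd), n in report["mismatches"].items():
        print(f"{n}x Phase 1 mismatch on {cls}: peer proposed {rcvd!r}, ASA has {cfgd!r}")
    for (peer, pid), n in report["payload_errors"].items():
        print(f"{n}x payload error from {peer}: payload {pid} ({payload_name(pid)})")
```

Feed it `show logging` output or a syslog export; a single peer repeatedly producing the same class/received/configured triple points at a proposal the ASA does not recognise, whereas a spread of different classes usually means several clients with different settings.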