08-07-2009 05:02 AM
I got the following error while running Remote Access VPN using CA:
I am configuring remote access VPN on a Cisco ASA 5500 and I have this error: Aug 06 12:18:59 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2
!
Attempt to get Phase 1 ID data failed while constructing ID
Please, what is the cause of this error?
Who has noticed this, and what is the solution?
I have attached the config for reference.
Thanks for your response in advance.
08-11-2009 06:56 PM
Do you have a full config? One thing, do you have a group-policy for 'wcsa_Remote'?
default-group-policy wcsa_Remote - where is this pointing?
08-12-2009 10:49 PM
I thought you were able to see the attachment.
The configuration is below:
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 1000
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 1100
 authentication rsa-sig
 encryption aes
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 65530
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
group-policy defaultgroup internal
group-policy Defaultgroup internal
group-policy Defaultgroup attributes
 default-domain value wcsa.com
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.13.200.113
 address-pools value Certvpnip
tunnel-group DefaultRAGroup general-attributes
 address-pool Certvpnip
 address-pool certvpnip
 authentication-server-group ACS LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point major
tunnel-group wcsa_Remote type remote-access
tunnel-group wcsa_Remote general-attributes
 address-pool wcsaVPN
 authentication-server-group ACS
 accounting-server-group ACS
 default-group-policy wcsa_Remote
tunnel-group wcsa_Remote ipsec-attributes
 pre-shared-key *
tunnel-group defaultgroup type remote-access
tunnel-group defaultgroup general-attributes
 address-pool Certvpnip
tunnel-group defaultgroup ipsec-attributes
 trust-point major
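Added example, not code from anyone in this thread: a small Python helper that parses ASA `crypto isakmp policy` blocks (a constructed subset of the policies posted above, three of the five) and walks them in priority order against the Phase 1 attributes a client proposes, listing, per policy, which attribute disagreed and what was received versus configured. This is the comparison behind the "Rcv'd: Group 1 Cfg'd: Group 2" line in the first post: a proposal only succeeds if some single policy matches every attribute.

```python
"""Check an IKEv1 Phase 1 proposal against ASA 'crypto isakmp policy' blocks."""
import re

# Constructed sample: three of the isakmp policies from the posted config.
ASA_CONFIG = """
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 1000
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 1100
 authentication rsa-sig
 encryption aes
 hash md5
 group 1
 lifetime 86400
"""

# Phase 1 attributes that must all agree for a policy to be selected.
ATTRS = ("authentication", "encryption", "hash", "group")


def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} for each policy block."""
    policies, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        parts = line.split()
        if current is not None and len(parts) == 2 and parts[0] in ATTRS:
            current[parts[0]] = parts[1]
    return policies


def match_proposal(policies, proposal):
    """Try policies lowest priority first; return (matched_priority_or_None, mismatches).

    mismatches is a list of (priority, {attr: (received, configured)}) for every
    policy rejected before a match, mirroring the per-policy log lines the ASA emits.
    """
    mismatches = []
    for prio in sorted(policies):
        pol = policies[prio]
        diff = {a: (proposal[a], pol.get(a)) for a in ATTRS if pol.get(a) != proposal[a]}
        if not diff:
            return prio, mismatches
        mismatches.append((prio, diff))
    return None, mismatches
```

A client proposing rsa-sig/aes/md5/group 1 is rejected by policies 30 and 1000 (the latter on group 1 versus 2, as in the log) and accepted by 1100; change the client to group 2 and no policy accepts it at all.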
08-13-2009 04:26 AM
You still don't have your full running-config, or at least I couldn't download it.
As far as your problem:
What is this line?
'crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-128-SHA certvpn'
Doesn't that look confusing? You defined certvpn earlier in the config with this: 'crypto ipsec transform-set certvpn esp-aes esp-sha-hmac'
Also: you don't have a transform-set that will work with this:
crypto isakmp policy 1100
 authentication rsa-sig
 encryption aes
 hash md5
 group 1
From the fragment of the running-config you posted, you have a lot of items that appear as though they could be cleaned up.
08-13-2009 09:00 AM
08-16-2009 03:55 PM
This config file is really confusing. It looks like someone was throwing commands at it to make something work.
What exactly are you trying to do? Are you trying to configure a VPN Client?
08-16-2009 06:59 PM
Here is a config that builds a dynamic VPN, using a VPN client. You need to fill your information in where needed.
! First, set an access-list for split tunnels if you want internet access while connected:
access-list Split_VPN_List permit ip 10.0.0.0 255.0.0.0 10.199.199.0 255.255.255.0
! Set up the encryption types
crypto ipsec transform-set certvpn esp-aes esp-sha-hmac
crypto dynamic-map Outside_dyn_map 50 set transform-set certvpn
crypto dynamic-map Outside_dyn_map 50 set reverse-route
crypto map crymap 90 ipsec-isakmp dynamic Outside_dyn_map
! SET UP THE 'NAME' FOR THE VPN CLIENT
group-policy vpnclient internal
group-policy vpnclient attributes
 ! ALLOWS FOR INTERNET ACCESS WHILE LOGGED ON
 split-tunnel-policy tunnelspecified
 ! POINT TO THE ACCESS-LIST
 split-tunnel-network-list value Split_VPN_List
! 'NAME'
tunnel-group vpnclient type ipsec-ra
tunnel-group vpnclient general-attributes
 ! If this is the pool you want to use
 address-pool Certvpnip
 ! Use these if you are not using another server for verification of user/password
 ! Group name in your client
 default-group-policy vpnclient
tunnel-group vpnclient ipsec-attributes
 ! Password in your client
 pre-shared-key put_key_here
See how this works for you.
08-26-2009 11:43 PM
Thanks for the response.
The preshared key VPN is working; I only have issues with the CA one.
Your response will be appreciated.
08-17-2009 03:39 AM
Yes.
That is a remote access VPN using CA authentication.
Also note that there is an existing remote access VPN using a preshared key, and that one is working fine.