
VPN does not work on ASA5505

edwardre1
Level 1

Hi All,

I hope someone can help me. My IPsec VPN between an ASA 5505 and an iPad is not working. I am using a self-enrolled identity certificate, exported from the ASA and used in the client profile.

I get an "Error processing payload: Payload ID: 1" on the ASA 5505 when I try to establish the VPN session.

thank you

Ed

5 Replies

Parminder Sian
Level 1

Hi ED,

Seems like you have incomplete configuration on ASA. Can we have a look at it?

Regards,

Sian

Hello Sian,

Thank you heaps for taking the time to reply.

I am happy to provide you with the information you require. What would you like me to do?

thanks

Ed

Hi ED,

Please provide us with the running configuration of your firewall using the command "sh run".

Thanks,

Sian

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name cristinare
enable password fYGjIZ.r.8FYvTjF encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
 domain-name cristinare
access-list inside_nat0_outbound extended permit ip any 192.168.1.20 255.255.255.252
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool POOL1 192.168.1.20-192.168.1.22 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint2
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 crl configure
crypto ca trustpoint ASDM_TrustPoint4
 crl configure
crypto ca trustpoint ASDM_TrustPoint5
 crl configure
crypto ca trustpoint ASDM_TrustPoint6
 crl configure
crypto ca trustpoint ASDM_TrustPoint7
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 crl configure
crypto ca trustpoint ASDM_TrustPoint8
 crl configure
crypto ca trustpoint ASDM_TrustPoint9
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 subject-name CN=ciscoasa
 keypair testkeypair
 crl configure
crypto ca trustpoint ASDM_TrustPoint10
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint11
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint12
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint13
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint14
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint15
 enrollment self
 keypair testkeypair
 id-usage code-signer
 crl configure
crypto ca server
 shutdown
crypto ca certificate map DefaultCertificateMap 10
crypto ca certificate chain ASDM_TrustPoint1
 certificate 2a491d4e


  quit
crypto ca certificate chain ASDM_TrustPoint15
 certificate 2a491d4e


  quit
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.1.200-192.168.1.210 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1
webvpn
 enable outside
 svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 1
 svc enable
 tunnel-group-list enable
 certificate-group-map DefaultCertificateMap 10 LOCAL
group-policy DfltGrpPolicy attributes
 banner value hello
 vpn-tunnel-protocol IPSec svc webvpn
group-policy LOCAL internal
group-policy LOCAL attributes
 dns-server value 192.168.1.1
 vpn-tunnel-protocol IPSec svc
 default-domain value cristinare
username edward password DOoMDsleiZHD072q encrypted privilege 15
username damien password AHLgGD3Zfsu8vbpr encrypted privilege 15
username jason password ESyVxZrL/gh8.fr5 encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 authorization-server-group LOCAL
tunnel-group DefaultRAGroup webvpn-attributes
 group-alias LOCAL2 enable
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point ASDM_TrustPoint1
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-alias LOCAL3 enable
tunnel-group LOCAL type remote-access
tunnel-group LOCAL general-attributes
 address-pool POOL1
 default-group-policy LOCAL
tunnel-group LOCAL webvpn-attributes
 authentication aaa certificate
 group-alias LOCAL enable
tunnel-group LOCAL ipsec-attributes
 pre-shared-key *
tunnel-group LOCAL2 type remote-access
tunnel-group LOCAL2 ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:bea6fe58afdeedc1296469d3e061f7a0
: end
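An added check, not from the thread or from Cisco, that parses a running config in the shape posted above for the three things IKEv1 certificate authentication on an ASA depends on: an ISAKMP policy offering rsa-sig, a trust-point bound under the tunnel-group's ipsec-attributes, and a keypair behind that trustpoint. The excerpt it runs on is constructed from the posted lines, and like the posted config it has only pre-share policies, which is the first thing the check reports.

```python
# Constructed excerpt modelled on the running config posted above (not the full config).
SAMPLE_CONFIG = """\
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 subject-name CN=ciscoasa
 keypair testkeypair
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
tunnel-group LOCAL ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point ASDM_TrustPoint1
"""

def parse_blocks(cfg):
    """Group an ASA config into (command, [sub-commands]); sub-commands are indented."""
    blocks, current = [], None
    for raw in cfg.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        elif not raw.startswith(" "):
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks

def check_ikev1_cert_auth(cfg):
    """Return the IKEv1 certificate-auth prerequisites this config is missing."""
    blocks = parse_blocks(cfg)
    findings = []
    # A client offering certificate auth only matches an ISAKMP policy with rsa-sig;
    # with pre-share-only policies phase 1 fails at the SA proposal (payload ID 1).
    if not any(h.startswith("crypto isakmp policy") and "authentication rsa-sig" in subs
               for h, subs in blocks):
        findings.append("no 'crypto isakmp policy' with 'authentication rsa-sig'")
    trustpoints = {h.split()[-1]: subs for h, subs in blocks
                   if h.startswith("crypto ca trustpoint")}
    # Each ipsec-attributes tunnel-group must bind a defined trustpoint that has a keypair.
    for h, subs in blocks:
        if h.startswith("tunnel-group") and h.endswith("ipsec-attributes"):
            tg = h.split()[1]
            tp = next((s.split()[1] for s in subs if s.startswith("trust-point")), None)
            if tp is None:
                findings.append(f"tunnel-group {tg}: no trust-point bound")
            elif tp not in trustpoints:
                findings.append(f"tunnel-group {tg}: trust-point {tp} not defined")
            elif not any(s.startswith("keypair") for s in trustpoints[tp]):
                findings.append(f"trust-point {tp}: no keypair configured")
    return findings
```

Feed it the full "sh run" output to see every tunnel-group that still relies on a pre-shared key only.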

Hello,

Just so that there is no confusion, I can successfully obtain a simple IPsec VPN connection from both iPhone and Apple Mac Lion VPN clients using only userid/password credentials.

The problem arises when I am trying to use a digital certificate which I have previously exported from the ASA and loaded onto the iPhone/Mac Lion VPN client. I wonder if I am failing at generating a self-generated digital certificate.

thank you

Edward