09-02-2011 05:45 AM - edited 02-21-2020 05:33 PM
Hi, I'm opening a new topic related to my problem with the VPN connection, to avoid confusion, since there is a lot of information in the old one that is no longer required.
I would like to configure my ASA5510 for L2TP/IPsec to accept connections from Windows clients.
I authenticate via AD credentials.
When I try to connect, I get error 691.
I enabled the following debugs on the device:
debug crypto isakmp 3
debug crypto ipsec 3
debug ldap 255
I tried it with different operating systems (XP and 7), but I always get the same error.
I configured the client as follows:
Security -> VPN type -> L2TP/IPSec
Encryption -> require encryption (disconnect in case of refusal)
Protocols -> Microsoft CHAP version 2 (only)
Advanced Settings -> pre-shared key
The domain user that is used is able to receive incoming calls.
Testing LDAP authentication is successful. With the same credentials I can connect to the SSL portal without any problems and I see all shared resources.
As can be seen from the debug, the call to authenticate the LDAP user is never made.
I hope you can help solve this problem, thanks
CONFIGURATION:
FIREWALLP01# show running-config
: Saved
:
ASA Version 8.2(5)
!
hostname FIREWALLP01
domain-name MAIOR.local
enable password xx encrypted
passwd xx encrypted
names
name 79.yy.yy.73 ROUTERP01
name 79.yy.yy.75 Pubblica_HTTP
name 79.yy.yy.76 Pubblica_VOIP
name 192.168.90.2 SERVERP02
name 192.168.90.3 SERVERP03
name 192.168.92.4 SERVERP04
!
interface Ethernet0/0
nameif Pubblica_SIADSL
security-level 0
ip address 79.yy.yy.74 255.255.255.248
!
interface Ethernet0/1
nameif LAN
security-level 100
ip address 192.168.90.254 255.255.255.0
!
interface Ethernet0/2
nameif DMZ
security-level 98
ip address 192.168.92.254 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup Pubblica_SIADSL
dns domain-lookup LAN
dns domain-lookup DMZ
dns domain-lookup management
dns server-group DefaultDNS
name-server SERVERP02
domain-name MAIOR.local
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service rtp udp
port-object range 9000 9049
access-list Pubblica_SIADSL_access_in extended permit udp any host Pubblica_VOIP object-group rtp
access-list Pubblica_SIADSL_access_in extended permit object-group TCPUDP any host Pubblica_VOIP eq sip
access-list Pubblica_SIADSL_access_in extended permit object-group TCPUDP any host Pubblica_HTTP eq sip
access-list LAN_nat0_outbound extended permit ip any 192.168.90.0 255.255.255.0
pager lines 24
logging asdm informational
mtu Pubblica_SIADSL 1500
mtu LAN 1500
mtu DMZ 1500
mtu management 1500
ip local pool VPN_pool 192.168.90.120-192.168.90.129 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625-53.bin
no asdm history enable
arp timeout 14400
global (Pubblica_SIADSL) 1 interface
global (DMZ) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 0.0.0.0 0.0.0.0
static (DMZ,Pubblica_SIADSL) Pubblica_HTTP SERVERP04 netmask 255.255.255.255
static (LAN,Pubblica_SIADSL) Pubblica_VOIP SERVERP03 netmask 255.255.255.255
access-group Pubblica_SIADSL_access_in in interface Pubblica_SIADSL
route Pubblica_SIADSL 0.0.0.0 0.0.0.0 ROUTERP01 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
webvpn
url-list value Link
aaa-server SERVERP02 protocol ldap
aaa-server SERVERP02 (LAN) host SERVERP02
ldap-base-dn DC=MAIOR,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=Administrator,CN=Users,DC=MAIOR,DC=local
server-type microsoft
http server enable
http 192.168.1.0 255.255.255.0 management
http authentication-certificate management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA
crypto map Pubblica_SIADSL_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Pubblica_SIADSL_map interface Pubblica_SIADSL
crypto isakmp enable Pubblica_SIADSL
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
management-access management
dhcpd address 192.168.1.2-192.168.1.254 management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Pubblica_SIADSL
enable LAN
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.90.2
vpn-tunnel-protocol IPSec l2tp-ipsec
default-domain value MAIOR.local
username test password xx== nt-encrypted
username test attributes
service-type remote-access
tunnel-group DefaultRAGroup general-attributes
address-pool VPN_pool
authentication-server-group SERVERP02
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group SERVERP02
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:ffe1f28f423d367f684be645cffe220b
: end
FIREWALLP01#
DEBUG:
Sep 02 12:30:37 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Sep 02 12:30:37 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Sep 02 12:30:37 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Sep 02 12:30:37 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
Sep 02 12:30:38 [IKEv1]: IP = 82.xx.xx.84, Connection landed on tunnel_group DefaultRAGroup
Sep 02 12:30:38 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
Sep 02 12:30:38 [IKEv1]: IP = 82.xx.xx.84, Connection landed on tunnel_group DefaultRAGroup
Sep 02 12:30:38 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, PHASE 1 COMPLETED
Sep 02 12:30:39 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, Received remote Proxy Host data in ID Payload: Address 192.168.1.2, Protocol 17, Port 1701
Sep 02 12:30:39 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, Received local Proxy Host data in ID Payload: Address 79.yy.yy.74, Protocol 17, Port 1701
Sep 02 12:30:39 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
Sep 02 12:30:39 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, IKE: requesting SPI!
IPSEC: New embryonic SA created @ 0xDA884448,
SCB: 0xD9211698,
Direction: inbound
SPI : 0x17C543BD
Session ID: 0x0004D000
VPIF num : 0x00000001
Tunnel type: ra
Protocol : esp
Lifetime : 240 seconds
IPSEC: New embryonic SA created @ 0xDA376928,
SCB: 0xD9177400,
Direction: outbound
SPI : 0xE0C5442F
Session ID: 0x0004D000
VPIF num : 0x00000001
Tunnel type: ra
Protocol : esp
Lifetime : 240 seconds
IPSEC: Completed host OBSA update, SPI 0xE0C5442F
IPSEC: Creating outbound VPN context, SPI 0xE0C5442F
Flags: 0x00000225
SA : 0xDA376928
SPI : 0xE0C5442F
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00000000
SCB : 0x0723D533
Channel: 0xD5E98360
IPSEC: Completed outbound VPN context, SPI 0xE0C5442F
VPN handle: 0x00093414
IPSEC: New outbound encrypt rule, SPI 0xE0C5442F
Src addr: 79.yy.yy.74
Src mask: 255.255.255.255
Dst addr: 82.xx.xx.84
Dst mask: 255.255.255.255
Src ports
Upper: 1701
Lower: 1701
Op : equal
Dst ports
Upper: 4500
Lower: 4500
Op : equal
Protocol: 17
Use protocol: true
SPI: 0x00000000
Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0xE0C5442F
Rule ID: 0xD9177580
IPSEC: New outbound permit rule, SPI 0xE0C5442F
Src addr: 79.yy.yy.74
Src mask: 255.255.255.255
Dst addr: 82.xx.xx.84
Dst mask: 255.255.255.255
Src ports
Upper: 4500
Lower: 4500
Op : equal
Dst ports
Upper: 4500
Lower: 4500
Op : equal
Protocol: 17
Use protocol: true
SPI: 0x00000000
Use SPI: false
IPSEC: Completed outbound permit rule, SPI 0xE0C5442F
Rule ID: 0xDA156058
Sep 02 12:30:39 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, Security negotiation complete for User () Responder, Inbound SPI = 0x17c543bd, Outbound SPI = 0xe0c5442f
IPSEC: Completed host IBSA update, SPI 0x17C543BD
IPSEC: Creating inbound VPN context, SPI 0x17C543BD
Flags: 0x00000226
SA : 0xDA884448
SPI : 0x17C543BD
MTU : 0 bytes
VCID : 0x00000000
Peer : 0x00093414
SCB : 0x0723293D
Channel: 0xD5E98360
IPSEC: Completed inbound VPN context, SPI 0x17C543BD
VPN handle: 0x00094BB4
IPSEC: Updating outbound VPN context 0x00093414, SPI 0xE0C5442F
Flags: 0x00000225
SA : 0xDA376928
SPI : 0xE0C5442F
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00094BB4
SCB : 0x0723D533
Channel: 0xD5E98360
IPSEC: Completed outbound VPN context, SPI 0xE0C5442F
VPN handle: 0x00093414
IPSEC: Completed outbound inner rule, SPI 0xE0C5442F
Rule ID: 0xD9177580
IPSEC: Completed outbound outer SPD rule, SPI 0xE0C5442F
Rule ID: 0xDA156058
IPSEC: New inbound tunnel flow rule, SPI 0x17C543BD
Src addr: 82.xx.xx.84
Src mask: 255.255.255.255
Dst addr: 79.yy.yy.74
Dst mask: 255.255.255.255
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 1701
Lower: 1701
Op : equal
Protocol: 17
Use protocol: true
SPI: 0x00000000
Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x17C543BD
Rule ID: 0xDA1563E0
IPSEC: New inbound decrypt rule, SPI 0x17C543BD
Src addr: 82.xx.xx.84
Src mask: 255.255.255.255
Dst addr: 79.yy.yy.74
Dst mask: 255.255.255.255
Src ports
Upper: 4500
Lower: 4500
Op : equal
Dst ports
Upper: 4500
Lower: 4500
Op : equal
Protocol: 17
Use protocol: true
SPI: 0x00000000
Use SPI: false
IPSEC: Completed inbound decrypt rule, SPI 0x17C543BD
Rule ID: 0xDA13F1F0
IPSEC: New inbound permit rule, SPI 0x17C543BD
Src addr: 82.xx.xx.84
Src mask: 255.255.255.255
Dst addr: 79.yy.yy.74
Dst mask: 255.255.255.255
Src ports
Upper: 4500
Lower: 4500
Op : equal
Dst ports
Upper: 4500
Lower: 4500
Op : equal
Protocol: 17
Use protocol: true
SPI: 0x00000000
Use SPI: false
IPSEC: Completed inbound permit rule, SPI 0x17C543BD
Rule ID: 0xD9177340
Sep 02 12:30:39 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, PHASE 2 COMPLETED (msgid=00000001)
Sep 02 12:30:39 [IKEv1]: IKEQM_Active() Add L2TP classification rules: ip <82.xx.xx.84> mask <0xFFFFFFFF> port <4500>
[112] Session Start
[112] New request Session, context 0xd7b19410, reqType = Authentication
[112] Fiber started
[112] Failed: The username or password is blank
[112] Fiber exit Tx=0 bytes Rx=0 bytes, status=-3
[112] Session End
IPSEC: Deleted outbound encrypt rule, SPI 0xE0C5442F
Rule ID: 0xD9177580
IPSEC: Deleted outbound permit rule, SPI 0xE0C5442F
Rule ID: 0xDA156058
IPSEC: Deleted outbound VPN context, SPI 0xE0C5442F
VPN handle: 0x00093414
IPSEC: Deleted inbound decrypt rule, SPI 0x17C543BD
Rule ID: 0xDA13F1F0
IPSEC: Deleted inbound permit rule, SPI 0x17C543BD
Rule ID: 0xD9177340
IPSEC: Deleted inbound tunnel flow rule, SPI 0x17C543BD
Rule ID: 0xDA1563E0
IPSEC: Deleted inbound VPN context, SPI 0x17C543BD
VPN handle: 0x00094BB4
Sep 02 12:30:39 [IKEv1]: Group = DefaultRAGroup, IP = 82.xx.xx.84, Session is being torn down. Reason: L2TP initiated
LICENSING:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
09-07-2011 08:02 PM
Hello Raffaele,
First of all I'd configure your dynamic crypto map as follows:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA
The above is just in case you want to have IPsec clients connecting to your ASA, they would use tunnel-mode instead of transport, notice that the transport-mode has to be first on the line for the l2tp clients to work.
Now let's get into your real problem, I read on your post that you are trying to connect with ms-chap-v2...well that is a problem, LDAP authentication for PPP connections does not support ms-chap-v2, only pap!
Set up pap on both the client and the ASA and try it one more time, if that still does not work collect the debugs and attach them here, hopefully I can take a look at them and give you my thoughts.
--Tavo
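To make the two checks in this answer mechanical, here is an added Python lint (not Tavo's or Cisco's code) that reads an ASA running-config and flags a dynamic-map whose transport-mode transform set is not listed first, and a tunnel-group whose PPP method is not PAP while its authentication-server-group is an LDAP group. The embedded config is a constructed sample modelled on the thread's, deliberately containing both problems.

```python
import re

# Constructed sample modelled on the thread's config (abridged): it carries both pitfalls,
# the transport-mode set listed second and MS-CHAPv2 over an LDAP server group.
SAMPLE_CONFIG = """\
aaa-server SERVERP02 protocol ldap
aaa-server SERVERP02 (LAN) host SERVERP02
 ldap-base-dn DC=MAIOR,DC=local
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA TRANS_ESP_3DES_SHA
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group SERVERP02
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
"""
# A line starting with one of these ends whatever tunnel-group block we are inside.
TOP_LEVEL = {"aaa-server", "crypto", "tunnel-group", "group-policy", "interface", "!"}


def lint_l2tp_config(config):
    """Return findings for the two L2TP/IPsec pitfalls named in the accepted answer."""
    ldap_groups, transport_sets, findings = set(), set(), []
    auth_group, ppp_methods, block = {}, {}, None          # keyed by tunnel-group name
    for line in filter(None, map(str.strip, config.splitlines())):  # indentation-agnostic
        words = line.split()
        if words[0] in TOP_LEVEL:
            block = None
        if m := re.match(r"aaa-server (\S+) protocol ldap$", line):
            ldap_groups.add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+) mode transport$", line):
            transport_sets.add(m.group(1))
        elif m := re.match(r"crypto dynamic-map (\S+) (\d+) set transform-set (.+)$", line):
            sets = m.group(3).split()
            if transport_sets & set(sets) and sets[0] not in transport_sets:
                findings.append(f"dynamic-map {m.group(1)} {m.group(2)}: transport-mode set "
                                f"must be listed first for L2TP clients, found {sets[0]}")
        elif m := re.match(r"tunnel-group (\S+) (general-attributes|ppp-attributes)$", line):
            block = m.groups()
        elif block and words[0] == "authentication-server-group":
            auth_group[block[0]] = words[1]
        elif block and block[1] == "ppp-attributes" and words[0] == "authentication":
            ppp_methods.setdefault(block[0], set()).add(words[1])
    for tg, methods in ppp_methods.items():
        bad = sorted(methods - {"pap"})
        if bad and auth_group.get(tg) in ldap_groups:
            # LDAP bind needs the cleartext password, which only PAP carries; PPP runs inside the ESP SA.
            findings.append(f"tunnel-group {tg}: PPP method(s) {bad} cannot authenticate "
                            f"against LDAP group {auth_group[tg]}; use 'authentication pap'")
    return findings
```

Running `lint_l2tp_config(SAMPLE_CONFIG)` yields one finding per pitfall; feeding it a config with the set order swapped and `authentication pap` yields none.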
09-08-2011 03:13 AM
Great! The connection and authentication work! Also, a fixed IP is assigned from the correct VPN_pool.
The problem now is accessing remote resources. I cannot "ping" the firewall or the servers, and I cannot access any shared resource.
Do I need to create some specific NAT or PAT?
09-08-2011 06:19 PM
Good Raffaele,
Issue this command:
management-access LAN
Now from the connected client, are you able to ping 192.168.90.254?
What are the servers you are trying to reach?
Is this ASA the default gateway for those servers?
Get the following too:
access-list cap permit ip host 192.168.90.X host Y.Y.Y.Y
access-list cap permit ip host Y.Y.Y.Y host 192.168.90.X
where 192.168.90.X is the IP address the client received from the ASA and Y.Y.Y.Y is the server you are trying to ping from the connected client.
cap cap access-list cap interface LAN
now after doing some pings from the client to Y.Y.Y.Y do a:
show cap cap
and let us know what you see.
--Tavo
09-21-2011 03:12 AM
PROBLEM SOLVED WITH PAP!
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA
tunnel-group DefaultRAGroup ppp-attributes
authentication pap