Windows XP Remote Access IPSEC VPN client with ASA 5505

Samuel Saunders
Level 1

Hi,

I am using an ASA 5505 device that already contains one L2L IPsec VPN, and I want to add another remote access VPN connection. I am able to add the IPsec remote access VPN with the wizard. But whenever I try to connect with the Windows XP IPsec L2TP over PPP VPN client I don't seem to get to the ASA at all. I am a little confused as to what I need to do on the firewall/router that the XP machine uses to connect to the internet. I am also not sure about NAT-T and how to configure it on the device. It is currently disabled for the outside interface because of the existing L2L VPN. Depending on the PPP options that I use I get either 789 or 792 errors on the XP client. I would like to use a separate IP address on the Cisco ASA 5505 for this remote access VPN too so it has its own dedicated remote access line. I hope somebody can help me. I have been playing with 2 groups for this setting - deg and shanthi.

I have turned on debug on the XP machine.

And this is what OAKLEY.log shows.

5-10: 13:02:31:98:1a90 Starting Negotiation: src = 10.1.1.105.0500, dst = 64.223.187.116.0500, proto = 17, context = 00000000, ProxySrc = 10.1.1.105.1701, ProxyDst = 64.223.187.116.1701 SrcMask = 0.0.0.0 DstMask = 0.0.0.0
5-10: 13:02:31:98:1a90 constructing ISAKMP Header
5-10: 13:02:31:98:1a90 constructing SA (ISAKMP)
5-10: 13:02:31:98:1a90 Constructing Vendor MS NT5 ISAKMPOAKLEY
5-10: 13:02:31:98:1a90 Constructing Vendor FRAGMENTATION
5-10: 13:02:31:98:1a90 Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
5-10: 13:02:31:98:1a90 Constructing Vendor Vid-Initial-Contact
5-10: 13:02:31:98:1a90
5-10: 13:02:31:98:1a90 Sending: SA = 0x000DC510 to 64.223.187.116:Type 2.500
5-10: 13:02:31:98:1a90 ISAKMP Header: (V1.0), len = 312
5-10: 13:02:31:98:1a90   I-COOKIE 73e9a6aab49ffc62
5-10: 13:02:31:98:1a90   R-COOKIE 0000000000000000
5-10: 13:02:31:98:1a90   exchange: Oakley Main Mode
5-10: 13:02:31:98:1a90   flags: 0
5-10: 13:02:31:98:1a90   next payload: SA
5-10: 13:02:31:98:1a90   message ID: 00000000
5-10: 13:02:31:98:1a90 Ports S:f401 D:f401
5-10: 13:02:31:98:1a90 Activating InitiateEvent 00000790
5-10: 13:02:32:114:d84 retransmit: sa = 000DC510 centry 00000000 , count = 1
5-10: 13:02:32:114:d84
5-10: 13:02:32:114:d84 Sending: SA = 0x000DC510 to 64.223.187.116:Type 2.500
5-10: 13:02:32:114:d84 ISAKMP Header: (V1.0), len = 312
5-10: 13:02:32:114:d84   I-COOKIE 73e9a6aab49ffc62
5-10: 13:02:32:114:d84   R-COOKIE 0000000000000000
5-10: 13:02:32:114:d84   exchange: Oakley Main Mode
5-10: 13:02:32:114:d84   flags: 0
5-10: 13:02:32:114:d84   next payload: SA
5-10: 13:02:32:114:d84   message ID: 00000000
5-10: 13:02:32:114:d84 Ports S:f401 D:f401
5-10: 13:02:34:114:d84 retransmit: sa = 000DC510 centry 00000000 , count = 2
5-10: 13:02:34:114:d84
5-10: 13:02:34:114:d84 Sending: SA = 0x000DC510 to 64.223.187.116:Type 2.500
5-10: 13:02:34:114:d84 ISAKMP Header: (V1.0), len = 312
5-10: 13:02:34:114:d84   I-COOKIE 73e9a6aab49ffc62
5-10: 13:02:34:114:d84   R-COOKIE 0000000000000000
5-10: 13:02:34:114:d84   exchange: Oakley Main Mode
5-10: 13:02:34:114:d84   flags: 0
5-10: 13:02:34:114:d84   next payload: SA
5-10: 13:02:34:114:d84   message ID: 00000000
5-10: 13:02:34:114:d84 Ports S:f401 D:f401
5-10: 13:02:38:114:d84 retransmit: sa = 000DC510 centry 00000000 , count = 3
5-10: 13:02:38:114:d84
5-10: 13:02:38:114:d84 Sending: SA = 0x000DC510 to 64.223.187.116:Type 2.500
5-10: 13:02:38:114:d84 ISAKMP Header: (V1.0), len = 312
5-10: 13:02:38:114:d84   I-COOKIE 73e9a6aab49ffc62
5-10: 13:02:38:114:d84   R-COOKIE 0000000000000000
5-10: 13:02:38:114:d84   exchange: Oakley Main Mode
5-10: 13:02:38:114:d84   flags: 0
5-10: 13:02:38:114:d84   next payload: SA
5-10: 13:02:38:114:d84   message ID: 00000000
5-10: 13:02:38:114:d84 Ports S:f401 D:f401
5-10: 13:02:46:114:d84 retransmit: sa = 000DC510 centry 00000000 , count = 4
5-10: 13:02:46:114:d84
5-10: 13:02:46:114:d84 Sending: SA = 0x000DC510 to 64.223.187.116:Type 2.500
5-10: 13:02:46:114:d84 ISAKMP Header: (V1.0), len = 312
5-10: 13:02:46:114:d84   I-COOKIE 73e9a6aab49ffc62
5-10: 13:02:46:114:d84   R-COOKIE 0000000000000000
5-10: 13:02:46:114:d84   exchange: Oakley Main Mode
5-10: 13:02:46:114:d84   flags: 0
5-10: 13:02:46:114:d84   next payload: SA
5-10: 13:02:46:114:d84   message ID: 00000000
5-10: 13:02:46:114:d84 Ports S:f401 D:f401
5-10: 13:03:02:114:d84 retransmit: sa = 000DC510 centry 00000000 , count = 5
5-10: 13:03:02:114:d84
5-10: 13:03:02:114:d84 Sending: SA = 0x000DC510 to 64.223.187.116:Type 2.500
5-10: 13:03:02:114:d84 ISAKMP Header: (V1.0), len = 312
5-10: 13:03:02:114:d84   I-COOKIE 73e9a6aab49ffc62
5-10: 13:03:02:114:d84   R-COOKIE 0000000000000000
5-10: 13:03:02:114:d84   exchange: Oakley Main Mode
5-10: 13:03:02:114:d84   flags: 0
5-10: 13:03:02:114:d84   next payload: SA
5-10: 13:03:02:114:d84   message ID: 00000000
5-10: 13:03:02:114:d84 Ports S:f401 D:f401
5-10: 13:03:28:113:1a90 SA Dead. sa:000DC510 status:35f0
5-10: 13:03:28:113:1a90 isadb_set_status sa:000DC510 centry:00000000 status 35f0
5-10: 13:03:28:129:1a90 Key Exchange Mode (Main Mode)
5-10: 13:03:28:129:1a90 Source IP Address 10.1.1.105  Source IP Address Mask 255.255.255.255  Destination IP Address 64.223.187.116  Destination IP Address Mask 255.255.255.255  Protocol 0  Source Port 0  Destination Port 0  IKE Local Addr 10.1.1.105  IKE Peer Addr 64.223.187.116
5-10: 13:03:28:129:1a90
5-10: 13:03:28:129:1a90 Me
5-10: 13:03:28:129:1a90 IKE SA deleted before establishment completed
5-10: 13:03:28:129:1a90 0x0 0x0
5-10: 13:03:28:129:1a90 isadb_set_status InitiateEvent 00000790: Setting Status 35f0
5-10: 13:03:28:129:1a90 Clearing sa 000DC510 InitiateEvent 00000790
5-10: 13:03:28:129:1a90 constructing ISAKMP Header
5-10: 13:03:28:129:1a90 constructing DELETE. MM 000DC510
5-10: 13:03:28:129:1a90
5-10: 13:03:28:129:1a90 Sending: SA = 0x000DC510 to 64.223.187.116:Type 1.500
5-10: 13:03:28:129:1a90 ISAKMP Header: (V1.0), len = 56
5-10: 13:03:28:129:1a90   I-COOKIE 73e9a6aab49ffc62
5-10: 13:03:28:129:1a90   R-COOKIE 0000000000000000
5-10: 13:03:28:129:1a90   exchange: ISAKMP Informational Exchange
5-10: 13:03:28:129:64c CloseNegHandle 00000790
5-10: 13:03:28:129:1a90   flags: 0
5-10: 13:03:28:129:1a90   next payload: DELETE
5-10: 13:03:28:129:1a90   message ID: 2eb35a91
5-10: 13:03:28:129:1a90 Ports S:f401 D:f401
5-10: 13:03:28:129:1a90 ClearFragList
5-10: 13:03:28:129:64c SE cookie 73e9a6aab49ffc62
5-10: 13:03:28:129:64c isadb_schedule_kill_oldPolicy_sas: 89a76518-8a95-4639-9c5661534054ae45 4
5-10: 13:03:28:129:269c isadb_schedule_kill_oldPolicy_sas: ef9062e8-bcbe-4795-9667ae4dd227061b 3
5-10: 13:03:28:129:11c0 isadb_schedule_kill_oldPolicy_sas: 6bb966c8-2ac0-44b9-9732106ef3f6ab18 2
5-10: 13:03:28:129:64c isadb_schedule_kill_oldPolicy_sas: a5446db4-7e04-4f59-b306045e4b09ba35 1
5-10: 13:03:28:129:1a90 entered kill_old_policy_sas 4
5-10: 13:03:28:129:1a90 entered kill_old_policy_sas 3
5-10: 13:03:28:129:1a90 entered kill_old_policy_sas 2
5-10: 13:03:28:129:1a90 entered kill_old_policy_sas 1

The cisco configuration is as follows.

: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
domain-name DEGREEC
enable password E2RGHC5amLxsHJ0v encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 168.233.6.50 AdaptiveCool1
name 168.233.6.51 AdaptiveCool2
name 192.168.168.61 Ax-Supervisor
name 64.223.187.114 CiscoRouter
name 64.223.187.115 AXExternal
name 64.223.187.1 RangeSubnet
name 216.126.60.123 INTEQ
name 64.65.199.197 mail
name 64.223.187.116 GeneralVpn description Remote Access
name 192.168.168.250 One
name 192.168.168.252 three
name 192.168.168.251 two
name 64.65.199.194 DegreeC
!

!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.168.1 255.255.255.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address CiscoRouter 255.255.255.0
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4

interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner exec Welcome to $(hostname) at $(domain)
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server 192.168.168.1
name-server 71.243.0.12
name-server 68.237.161.12
domain-name DEGREEC
object-group service AdaptivePorts tcp
description All Ports used by AX-Supervisor
port-object eq 1911
port-object eq 3011
port-object eq www

object-group service pingport tcp
port-object eq 1911
object-group network VPNClients
network-object host One
network-object host two
network-object host three
object-group service VPNPorts udp
description VPN Ports
port-object eq 1701
port-object eq isakmp
object-group protocol VPNIP
description IP ports for WIndows
protocol-object esp
protocol-object ah
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any object-group AdaptivePorts
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any any object-group AdaptivePorts
access-list outside_cryptomap_2 extended permit ip host Ax-Supervisor host AdaptiveCool2
access-list outside_access_in_1 extended permit ip host INTEQ any

access-list outside_access_in_1 extended permit tcp host mail any eq smtp
access-list outside_access_in_1 extended permit icmp any any
access-list outside_access_in_1 extended permit ip 64.223.187.0 255.255.255.0 any
access-list outside_access_in_1 extended permit tcp any any
access-list outside_access_in_1 extended permit udp host DegreeC object-group VPNPorts host GeneralVpn object-group VPNPorts
access-list outside_access_in_1 extended permit object-group VPNIP host DegreeC host GeneralVpn
access-list inside_access_in_1 extended permit ip host INTEQ any
access-list inside_access_in_1 extended permit tcp host mail any eq smtp
access-list inside_access_in_1 extended permit icmp any any
access-list inside_access_in_1 extended permit ip 192.168.168.0 255.255.255.0 any
access-list inside_access_in_1 extended permit ip any any
access-list inside_access_in_1 extended permit tcp any any
access-list VPN_traffic extended permit ip host AXExternal host AdaptiveCool1
access-list VPN_traffic extended permit ip host AXExternal host AdaptiveCool2
access-list 121 extended permit ip host Ax-Supervisor host AdaptiveCool2
access-list 121 extended permit ip host AdaptiveCool2 host Ax-Supervisor
access-list 120 extended permit udp host 168.233.1.110 host CiscoRouter eq isakmp
access-list 120 extended permit udp host CiscoRouter eq isakmp host 168.233.1.110
access-list 101 extended permit ip host AXExternal host AdaptiveCool1
access-list 101 extended permit ip host AXExternal host AdaptiveCool2
access-list 141 extended permit ip host Ax-Supervisor host AdaptiveCool1

access-list 141 extended permit ip host Ax-Supervisor host AdaptiveCool2
access-list inside_nat_static extended permit ip host Ax-Supervisor host INTEQ
access-list outside_nat_static extended permit tcp host INTEQ eq www host Ax-Supervisor
access-list outside_nat_static_2 extended permit tcp host INTEQ eq 3011 host Ax-Supervisor
access-list outside_nat_static_1 extended permit tcp host INTEQ eq 1911 host Ax-Supervisor
access-list inside_nat_static_1 extended permit tcp host Ax-Supervisor eq www host INTEQ
access-list inside_nat_static_2 extended permit tcp host Ax-Supervisor eq 1911 host INTEQ
access-list inside_nat_static_3 extended permit tcp host Ax-Supervisor eq 3011 host INTEQ
access-list outside_nat_static_3 extended permit tcp host mail eq smtp host Ax-Supervisor
access-list inside_nat_static_4 extended permit tcp host Ax-Supervisor eq smtp host mail
access-list outside_nat_static_5 extended permit tcp host INTEQ eq 37 host Ax-Supervisor
access-list outside_nat_static_4 extended permit udp host INTEQ eq time host Ax-Supervisor
access-list inside_nat_static_5 extended permit udp host Ax-Supervisor eq time host INTEQ
access-list inside_nat_static_6 extended permit tcp host Ax-Supervisor eq 37 host INTEQ
access-list inside_nat0_outbound extended permit ip host Ax-Supervisor 192.168.168.248 255.255.255.248
access-list deg_splitTunnelAcl standard permit host Ax-Supervisor
access-list shanthi_splitTunnelAcl standard permit host Ax-Supervisor
pager lines 22
logging enable
logging buffered debugging
logging asdm debugging
mtu inside 1500

mtu outside 1500
ip local pool VPNClients One-192.168.168.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (inside) 1 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3011 access-list inside_nat_static_3
static (inside,outside) tcp interface 1911 access-list inside_nat_static_2
static (inside,outside) tcp interface www access-list inside_nat_static_1
static (outside,inside) tcp CiscoRouter www access-list outside_nat_static
static (outside,inside) tcp CiscoRouter 1911 access-list outside_nat_static_1
static (outside,inside) tcp CiscoRouter 3011 access-list outside_nat_static_2
static (inside,outside) udp interface time access-list inside_nat_static_5
static (outside,inside) udp CiscoRouter time access-list outside_nat_static_4
static (inside,outside) tcp interface 37 access-list inside_nat_static_6
static (inside,outside) tcp interface smtp access-list inside_nat_static_4
static (outside,inside) tcp CiscoRouter 37 access-list outside_nat_static_5

static (outside,inside) tcp CiscoRouter smtp access-list outside_nat_static_3
static (inside,outside) AXExternal  access-list 141
access-group inside_access_in_1 in interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 RangeSubnet 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.168.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport

crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set TRANS_ESP_3DES_MD5
crypto map inside_map 1 match address VPN_traffic
crypto map inside_map 1 set peer 168.233.1.110
crypto map inside_map 1 set transform-set ESP-3DES-SHA
crypto map inside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map inside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 3
authentication pre-share
encryption des

hash sha
group 2
lifetime 86400
crypto isakmp policy 4
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 5
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 6
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30

authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
no vpn-addr-assign dhcp
telnet 0.0.0.0 0.0.0.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
default-domain value DEGREEC
group-policy deg internal
group-policy deg attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value deg_splitTunnelAcl
group-policy shanthi internal
group-policy shanthi attributes

vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value shanthi_splitTunnelAcl
username cisco password ffIRPGpDSOJh9YLq encrypted privilege 15
username shanthi password txofwH67fJtRlmBR encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool VPNClients
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group 168.233.1.110 type ipsec-l2l
tunnel-group 168.233.1.110 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group deg type ipsec-ra
tunnel-group deg general-attributes
address-pool VPNClients
default-group-policy deg
tunnel-group deg ipsec-attributes
pre-shared-key *
tunnel-group shanthi type ipsec-ra
tunnel-group shanthi general-attributes
address-pool VPNClients
default-group-policy shanthi
tunnel-group shanthi ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
isakmp ikev1-user-authentication none
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:17cfa366e6127d0dccef895b75a7e3d4
: end
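As an added example (not part of this thread, and not a Cisco or Microsoft tool), here is a small Python analyzer that reads an Oakley.log excerpt like the one posted above and states what the trace shows: the ASA never answered a single Main Mode packet before the SA was declared dead, the client sits at a private address (10.1.1.105) and offered the NAT-T vendor ID, and the phase 2 selector is UDP/1701 to UDP/1701, i.e. L2TP over a transport-mode SA. The sample log is a trimmed copy of the posted trace with the middle retransmits dropped; the `Receive:` marker used to count inbound ISAKMP messages is an assumption about the Oakley log format (the posted trace contains no such line, which is the point).

```python
"""Summarise a Windows Oakley.log IKE trace and say why phase 1 never completed."""
import ipaddress
import re

# Constructed sample: a trimmed copy of the Oakley.log excerpt in the post above
# (addresses and cookie as posted, intermediate retransmits dropped).
SAMPLE_LOG = """\
5-10: 13:02:31:98:1a90 Starting Negotiation: src = 10.1.1.105.0500, dst = 64.223.187.116.0500, proto = 17, context = 00000000, ProxySrc = 10.1.1.105.1701, ProxyDst = 64.223.187.116.1701 SrcMask = 0.0.0.0 DstMask = 0.0.0.0
5-10: 13:02:31:98:1a90 Constructing Vendor MS NT5 ISAKMPOAKLEY
5-10: 13:02:31:98:1a90 Constructing Vendor draft-ietf-ipsec-nat-t-ike-02
5-10: 13:02:31:98:1a90 Sending: SA = 0x000DC510 to 64.223.187.116:Type 2.500
5-10: 13:02:31:98:1a90   exchange: Oakley Main Mode
5-10: 13:02:32:114:d84 retransmit: sa = 000DC510 centry 00000000 , count = 1
5-10: 13:02:32:114:d84 Sending: SA = 0x000DC510 to 64.223.187.116:Type 2.500
5-10: 13:03:02:114:d84 retransmit: sa = 000DC510 centry 00000000 , count = 5
5-10: 13:03:02:114:d84 Sending: SA = 0x000DC510 to 64.223.187.116:Type 2.500
5-10: 13:03:28:113:1a90 SA Dead. sa:000DC510 status:35f0
5-10: 13:03:28:129:1a90 IKE SA deleted before establishment completed
"""

_IP = r"(\d+\.\d+\.\d+\.\d+)"
_START = re.compile(
    r"Starting Negotiation: src = " + _IP + r"\.(\d+), dst = " + _IP + r"\.(\d+)"
    r".*ProxySrc = \d+\.\d+\.\d+\.\d+\.(\d+), ProxyDst = \d+\.\d+\.\d+\.\d+\.(\d+)")
_SEND = re.compile(r"Sending: SA = 0x[0-9A-Fa-f]+ to " + _IP + r":")
_RECV = re.compile(r"\bReceive:")  # assumed marker for inbound ISAKMP messages
_RETRANS = re.compile(r"retransmit: sa = [0-9A-Fa-f]+.*?count = (\d+)")
_VENDOR = re.compile(r"Constructing Vendor (.+?)\s*$")
_DEAD = re.compile(r"SA Dead\.")


def analyze_oakley(text):
    """Return a dict describing the IKE negotiation seen in an Oakley.log excerpt."""
    s = {"client": None, "peer": None, "ike_port": None, "proxy_ports": None,
         "sends": 0, "receives": 0, "max_retransmit": 0, "sa_dead": False,
         "vendor_ids": []}
    for line in text.splitlines():
        m = _START.search(line)
        if m:
            s["client"], s["peer"] = m.group(1), m.group(3)
            s["ike_port"] = int(m.group(4))
            s["proxy_ports"] = (int(m.group(5)), int(m.group(6)))
        elif _SEND.search(line):
            s["sends"] += 1
        elif _RECV.search(line):
            s["receives"] += 1
        elif (m := _RETRANS.search(line)):
            s["max_retransmit"] = max(s["max_retransmit"], int(m.group(1)))
        elif (m := _VENDOR.search(line)):
            s["vendor_ids"].append(m.group(1))
        elif _DEAD.search(line):
            s["sa_dead"] = True
    # RFC 1918 source address means the client is behind NAT and needs NAT-T.
    s["client_behind_nat"] = bool(s["client"]) and ipaddress.ip_address(s["client"]).is_private
    s["client_offers_nat_t"] = any("nat-t" in v.lower() for v in s["vendor_ids"])
    return s


def findings(s):
    """Turn the summary into plain-language findings for the defender."""
    out = []
    if s["sends"] and s["receives"] == 0:
        out.append(f"no ISAKMP reply from {s['peer']}: {s['sends']} Main Mode sends, "
                   f"retransmit count reached {s['max_retransmit']}; UDP/{s['ike_port']} "
                   f"is not reaching the peer, or the peer is not answering it")
    if s["client_behind_nat"]:
        nat_t = "client offers NAT-T" if s["client_offers_nat_t"] else "client offers no NAT-T vendor ID"
        out.append(f"client {s['client']} is a private address, so it sits behind NAT; "
                   f"NAT-T (UDP/4500) must be enabled on the responder and allowed "
                   f"through every firewall on the path ({nat_t})")
    if s["proxy_ports"] == (1701, 1701):
        out.append("phase 2 selector is UDP/1701 to UDP/1701: L2TP over a transport-mode "
                   "SA, so the responder needs a transport-mode transform set")
    if s["sa_dead"]:
        out.append("IKE SA deleted before phase 1 completed; consistent with the "
                   "789/792 errors the client reports")
    return out


if __name__ == "__main__":
    for line in findings(analyze_oakley(SAMPLE_LOG)):
        print("-", line)
```

Run it against a full Oakley.log and the first finding tells you whether the problem is reachability (nothing ever comes back on UDP/500) or negotiation (replies arrive but the SA still dies); the posted trace is the former, which is why the ASA's own debug shows nothing.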

20 Replies

Hi Federico,

You are right. I was thinking of it like I might use any ip. Thanks for that. I have changed it now.

Shanthi

My Windows client is behind a Linux firewall with rules set up with iptables. Don't I have to change the firewall rules to allow the relevant ports?

Shanthi

Yes,

If it's behind any other kind of Firewall, you need to make sure that Firewall allows the IPsec and L2TP protocols.

Federico.

If you want to make sure whether iptables is blocking the L2L VPN, save and stop the iptables service and then try the L2L VPN. If it works, then iptables is definitely blocking the L2L VPN.

https://www.redhat.com/docs/manuals/enterprise/RHEL-3-Manual/ref-guide/s1-iptables-saving.html

Siva

Hi,

I really want to thank all of you for your replies. I tried very hard last night to get the configuration to work. I changed the default RA group but now my existing L2L connection is broken. Because both the L2L and RA tunnels terminate at the external IP of the device, something has gotten changed on the L2L also. Sigh! I need to debug this. I am in the process of signing up for Cisco support because I can't seem to get a handle on what is wrong. I did what Mohit said but I was curious as to why you used the number 1 for the dynamic map. Cisco documentation says you should keep the higher numbers for the dynamic maps. Also currently all IPsec connections are trying both the L2L and the RA. So I need to shut down the RA so that the L2L client at least works. I did open up all the necessary ports on my firewall and I am able to connect with a Cisco client. The Windows client is the problem.

But thank you all for your prompt and enthusiastic help. I hope I can  solve my current problem quickly. If any of you have suggestions please let me know. It is going to be a while before Cisco contracts go through.

Thanks

Shanthi

Hi Shanthi,

I agree that as per Cisco documentation you need to assign a higher sequence ID for the dynamic map, because when a tunnel negotiates on the ASA, dynamic takes precedence and maps are checked in sequence. What I suggested was the creation of the dynamic map with an ID of 1; what matters is on which sequence # you BIND the maps on the interface. If you check the configuration again, the dynamic map should still be bound to the static map with 65535, i.e. higher than the static.


HTH...

Regards,
Mohit

Mohit Paul CCIE-Security 35496 P.S. Please do rate this post if you find it helpful, to make it easier for others seeking answers to similar queries.
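To make Mohit's point about sequence numbers checkable, and to pick up the NAT-T question from the original post, here is an added Python checker (not Cisco code, and not part of this thread) that parses a crypto-map excerpt in the ASA 7.2 syntax used above and reports the usual L2TP/IPsec prerequisites: the dynamic map bound at a sequence higher than every static entry, a transport-mode transform set reachable from that dynamic map, ISAKMP enabled on the bound interface, `crypto isakmp nat-traversal` present, and DefaultRAGroup permitting l2tp-ipsec (Windows L2TP clients send no group name and so land in DefaultRAGroup). The sample is a constructed subset of the posted configuration; the one-space indentation under `group-policy ... attributes` is assumed to be as the ASA prints it, since the post lost it.

```python
"""Lint an ASA 7.x crypto-map excerpt for the prerequisites of Windows L2TP/IPsec."""
import re

# Constructed sample: a subset of the configuration posted above, with the
# group-policy sub-mode indentation restored. It deliberately lacks
# "crypto isakmp nat-traversal", as the poster says the running config does.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set transform-set TRANS_ESP_3DES_MD5
crypto map inside_map 1 match address VPN_traffic
crypto map inside_map 1 set peer 168.233.1.110
crypto map inside_map 1 set transform-set ESP-3DES-SHA
crypto map inside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map inside_map interface outside
crypto isakmp enable outside
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
group-policy deg attributes
 vpn-tunnel-protocol IPSec
"""

_TRANSPORT = re.compile(r"crypto ipsec transform-set (\S+) mode transport$")
_DYN_SET = re.compile(r"crypto dynamic-map (\S+) (\d+) set transform-set (.+)$")
_MAP_DYN = re.compile(r"crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
_MAP_STATIC = re.compile(r"crypto map (\S+) (\d+) ")
_MAP_IFACE = re.compile(r"crypto map (\S+) interface (\S+)$")
_ISAKMP_ON = re.compile(r"crypto isakmp enable (\S+)$")
_NAT_T = re.compile(r"crypto isakmp nat-traversal")
_GP = re.compile(r"group-policy (\S+) attributes$")
_GP_PROTO = re.compile(r"\s+vpn-tunnel-protocol (.+)$")


def parse_asa(text):
    """Pull out the crypto-map, ISAKMP and group-policy facts the lint needs."""
    cfg = {"transport_sets": set(), "dynmap_sets": {}, "static_seqs": {},
           "dynamic_seqs": {}, "map_iface": {}, "isakmp_ifaces": set(),
           "nat_t": False, "gp_protocols": {}}
    current_gp = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):            # sub-mode line; only group-policy matters here
            m = _GP_PROTO.match(line)
            if current_gp and m:
                cfg["gp_protocols"][current_gp] = set(m.group(1).lower().split())
            continue
        current_gp = None
        if (m := _GP.match(line)):
            current_gp = m.group(1)
        elif (m := _TRANSPORT.match(line)):
            cfg["transport_sets"].add(m.group(1))
        elif (m := _DYN_SET.match(line)):
            cfg["dynmap_sets"].setdefault(m.group(1), set()).update(m.group(3).split())
        elif (m := _MAP_DYN.match(line)):   # must be tested before the generic static form
            cfg["dynamic_seqs"].setdefault(m.group(1), {})[int(m.group(2))] = m.group(3)
        elif (m := _MAP_STATIC.match(line)):
            cfg["static_seqs"].setdefault(m.group(1), set()).add(int(m.group(2)))
        elif (m := _MAP_IFACE.match(line)):
            cfg["map_iface"][m.group(1)] = m.group(2)
        elif (m := _ISAKMP_ON.match(line)):
            cfg["isakmp_ifaces"].add(m.group(1))
        elif _NAT_T.match(line):
            cfg["nat_t"] = True
    return cfg


def lint_l2tp_ipsec(cfg):
    """Return a list of human-readable problems; empty means all checks passed."""
    issues = []
    for name, iface in cfg["map_iface"].items():
        if iface not in cfg["isakmp_ifaces"]:
            issues.append(f"crypto map {name} is bound to {iface} but ISAKMP is not enabled there")
        statics = cfg["static_seqs"].get(name, set())
        for seq, dyn in cfg["dynamic_seqs"].get(name, {}).items():
            if statics and seq < max(statics):
                issues.append(f"dynamic map {dyn} is bound at sequence {seq}, below static "
                              f"entry {max(statics)}; dynamic entries should be last")
            if not cfg["dynmap_sets"].get(dyn, set()) & cfg["transport_sets"]:
                issues.append(f"dynamic map {dyn} offers no transport-mode transform set; "
                              f"Windows L2TP/IPsec needs one")
    if not cfg["nat_t"]:
        issues.append("crypto isakmp nat-traversal is absent; a client behind NAT cannot "
                      "complete IKE without it")
    if "l2tp-ipsec" not in cfg["gp_protocols"].get("DefaultRAGroup", set()):
        issues.append("DefaultRAGroup does not permit l2tp-ipsec; Windows clients send no "
                      "group name and land in this tunnel-group")
    return issues


if __name__ == "__main__":
    for issue in lint_l2tp_ipsec(parse_asa(SAMPLE_CONFIG)):
        print("-", issue)
```

On the posted excerpt the only finding is the missing `crypto isakmp nat-traversal`; the 65535 binding that Mohit describes passes the sequence check, and TRANS_ESP_3DES_MD5 satisfies the transport-mode check. Appending the nat-traversal line makes the lint come back clean.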