cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3519
Views
0
Helpful
6
Replies

ASA 5510 & Windows XP VPN Client

kevinstauffer
Level 1
Level 1

I want to use the Windows XP VPN client to connect to the ASA

for VPN access
.  I have read document after document and I just can not get it to work.  It seems that it passes Phase 1 but I can't get Phase 2.  In the ASDM logs it shows that I get some QM FSM Errorsand on the Windows XP machine I get an error 789.  I have set the preshared key on the XP machine accordingly, and other seurity measures.

I'm quite new to the L2TP method of VPN, I have always used Windows Server for VPN and now I'm finding out why.  Anyway, I'm sure I'm missing some info that is needed to diagnose, but here is a copy of my config.

I hope someone can point me in the right direction to figure this out as I'm pulling my hair out!

Many thanks in advance!

1 Accepted Solution

Accepted Solutions

padatta
Level 1
Level 1

This transform set is set for mode transport but not used.

crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport

First we need to ensure that this is being used in list of transform sets in 'crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ..........'. L2TP/IPSec requires this mode.


If it still fails, try to obtain the following debugs while connecting your client.

debug crypto isa 127

debug crypto ipsec

debug aaa common 127

Paps

View solution in original post

6 Replies 6

padatta
Level 1
Level 1

This transform set is set for mode transport but not used.

crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport

First we need to ensure that this is being used in list of transform sets in 'crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ..........'. L2TP/IPSec requires this mode.


If it still fails, try to obtain the following debugs while connecting your client.

debug crypto isa 127

debug crypto ipsec

debug aaa common 127

Paps

Paps,

Thank you so much for your reply.  I think we are making some progess!

I added the transports for all the tunnels and now the Windows client has passed Phase 2!  According to the ASDM logs anyway.

Now I have a new problem, that I'm starting to research.

I get an error 649 (account doesn't have permission to dial in).  I use a RADIUS server with W2K3.  The account I am using does have VPN access and when I test the RADIUS connection in the ASA, that same user passes authentication.

I'm going to keep researching, but in the mean time do you have an insight?

Thank you so much for your response so far!

Hi,

We might require pap for this. Lets try the following.

tunnel-group DefaultRAGroup ppp-attributes
authentication pap

Paps

Paps,

Yeah I tried that command and that didn't get me anywhere unfortunetly.  I tried on my Win 7 box, and it gave me an error 812, and my XP box still says doesn't have permission to dial in.

Anything else to try?

I really appreciate your help this far!

Ok here is the latest.

I found an article on some policy configuration on my RADIUS server, I edited the profile to remove a couple things and added Class and set the attribute to "OU=;" and then moved it down a bit on my priority list and I was FINALLY able to connect all the way through!

I did get an internal IP address of my network, but the only problem I have not is I can not ping anything on the remote network.  So that's my current hurddle.  I'm going to try a couple things I have found, but again any insight is much appreciated!

I think we are getting there!

OK

I think I got it.  It appears there was a nat problem.  Once I added the command:

nat (inside,any) source static inside-network inside-network destination static obj_VPNPool obj_VPNPool

I was able to access my internal network!

Paps, thank you for your help, it was certainly much appreciated!