03-18-2011 09:44 PM
I want to use the Windows XP VPN client to connect to the ASA for VPN access. I have read document after document and I just cannot get it to work. It seems that it passes Phase 1 but I can't get Phase 2. In the ASDM logs it shows that I get some QM FSM errors, and on the Windows XP machine I get an error 789. I have set the preshared key on the XP machine accordingly, and other security measures.
I'm quite new to the L2TP method of VPN, I have always used Windows Server for VPN and now I'm finding out why. Anyway, I'm sure I'm missing some info that is needed to diagnose, but here is a copy of my config.
I hope someone can point me in the right direction to figure this out as I'm pulling my hair out!
Many thanks in advance!
03-19-2011 03:46 AM
This transform set is set for mode transport but not used.
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
First we need to ensure that this is being used in the list of transform sets in 'crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ..........'. L2TP/IPSec requires this mode.
If it still fails, try to obtain the following debugs while connecting your client.
debug crypto isa 127
debug crypto ipsec
debug aaa common 127
Paps
03-19-2011 10:58 AM
Paps,
Thank you so much for your reply. I think we are making some progress!
I added the transports for all the tunnels and now the Windows client has passed Phase 2! According to the ASDM logs anyway.
Now I have a new problem, that I'm starting to research.
I get an error 649 (account doesn't have permission to dial in). I use a RADIUS server with W2K3. The account I am using does have VPN access and when I test the RADIUS connection in the ASA, that same user passes authentication.
I'm going to keep researching, but in the meantime do you have any insight?
Thank you so much for your response so far!
03-19-2011 09:16 PM
Hi,
We might require pap for this. Let's try the following.
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
Paps
03-20-2011 01:16 PM
Paps,
Yeah I tried that command and that didn't get me anywhere, unfortunately. I tried on my Win 7 box, and it gave me an error 812, and my XP box still says it doesn't have permission to dial in.
Anything else to try?
I really appreciate your help this far!
03-20-2011 03:02 PM
Ok here is the latest.
I found an article on some policy configuration on my RADIUS server, I edited the profile to remove a couple things and added Class and set the attribute to "OU=
I did get an internal IP address of my network, but the only problem I have now is I cannot ping anything on the remote network. So that's my current hurdle. I'm going to try a couple things I have found, but again any insight is much appreciated!
I think we are getting there!
03-20-2011 08:28 PM
OK
I think I got it. It appears there was a NAT problem. Once I added the command:
nat (inside,any) source static inside-network inside-network destination static obj_VPNPool obj_VPNPool
I was able to access my internal network!
Paps, thank you for your help, it was certainly much appreciated!
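The two fixes that resolved this thread (getting the transport-mode transform set referenced by the dynamic crypto map, and adding an identity NAT rule so inside-to-pool traffic is not translated) are both easy to miss in a long running-config. As an added example that is not code from the thread or from Cisco, the Python below lints an ASA config excerpt for exactly those two conditions. The object names inside-network and obj_VPNPool and the map name SYSTEM_DEFAULT_CRYPTO_MAP come from the commands quoted above; the subnets, the tunnel-mode set name ESP-3DES-SHA and the sample configs themselves are constructed for the example.

```python
"""Lint an ASA running-config excerpt for two L2TP/IPsec pitfalls:
  1. a transport-mode IKEv1 transform set that no dynamic crypto map references
  2. no identity (NAT-exempt) rule between the inside network and the VPN pool
Added example; the sample configs below are constructed, not the poster's.
"""
import re

# Constructed "before" state: transport-mode set defined but not used by the
# dynamic map, and no NAT exemption for the pool. Subnets are example values.
SAMPLE_CONFIG_BEFORE = """\
object network obj_VPNPool
 subnet 192.0.2.0 255.255.255.0
object network inside-network
 subnet 10.0.0.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
"""

# Constructed "after" state: the transport-mode set is appended to the dynamic
# map's list and the identity NAT rule from the thread's last post is present.
SAMPLE_CONFIG_AFTER = SAMPLE_CONFIG_BEFORE.replace(
    "set ikev1 transform-set ESP-3DES-SHA",
    "set ikev1 transform-set ESP-3DES-SHA TRANS_ESP_3DES_SHA",
) + (
    "nat (inside,any) source static inside-network inside-network "
    "destination static obj_VPNPool obj_VPNPool\n"
)

TS_MODE_RE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) mode transport$")
DYN_MAP_RE = re.compile(r"^crypto dynamic-map \S+ \d+ set ikev1 transform-set (.+)$")
NAT_RE = re.compile(
    r"^nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)"
)


def _lines(config):
    """Config lines with indentation stripped and blanks dropped."""
    return [ln.strip() for ln in config.splitlines() if ln.strip()]


def transport_mode_sets(config):
    """Names of IKEv1 transform sets explicitly set to transport mode."""
    names = set()
    for ln in _lines(config):
        m = TS_MODE_RE.match(ln)
        if m:
            names.add(m.group(1))
    return names


def dynamic_map_sets(config):
    """Transform set names referenced by any dynamic crypto map entry."""
    names = set()
    for ln in _lines(config):
        m = DYN_MAP_RE.match(ln)
        if m:
            names.update(m.group(1).split())
    return names


def unused_transport_sets(config):
    """Transport-mode sets that no dynamic map offers to clients."""
    return sorted(transport_mode_sets(config) - dynamic_map_sets(config))


def has_nat_exemption(config, inside_obj, pool_obj):
    """True if an identity twice-NAT rule exempts inside<->pool traffic."""
    for ln in _lines(config):
        m = NAT_RE.match(ln)
        if not m:
            continue
        src_real, src_mapped, dst_real, dst_mapped = m.groups()
        identity = src_real == src_mapped and dst_real == dst_mapped
        if identity and {src_real, dst_real} == {inside_obj, pool_obj}:
            return True
    return False


def lint(config, inside_obj, pool_obj):
    """Return a list of human-readable findings; empty means both checks pass."""
    findings = []
    if not transport_mode_sets(config):
        findings.append("no transport-mode IKEv1 transform set defined (L2TP/IPsec needs one)")
    for name in unused_transport_sets(config):
        findings.append(f"transport-mode transform set {name} is not listed in any dynamic crypto map")
    if not has_nat_exemption(config, inside_obj, pool_obj):
        findings.append(
            f"no identity NAT rule between {inside_obj} and {pool_obj}; "
            "VPN clients will be translated and cannot reach the inside network"
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG_BEFORE), ("after", SAMPLE_CONFIG_AFTER)):
        print(label, lint(cfg, "inside-network", "obj_VPNPool") or ["clean"])
```

Run it against the output of `show running-config` (pasted into a file) to confirm that every transport-mode set is actually offered to clients and that the pool is NAT-exempt; the two findings on the "before" config correspond to the Phase 2 failure and the no-ping symptom discussed above.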