stumbl3r

Help with Cisco ASA 5505 VPN ipsec

Mon May 07, 2012 6:21 pm

I have set up an ASA and everything but IPsec seems to be working. I was able to use the clientless SSL, but I need IPsec working. I'm at a loss. Here are the logs; thanks for any help. The config is a little sloppy and I will be cleaning it up, but I would like to get this working first.

Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\

1 16:20:19.503 05/07/12 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.

2 16:20:19.503 05/07/12 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.

3 16:20:21.563 05/07/12 Sev=Info/4 CM/0x63100002
Begin connection process

4 16:20:21.582 05/07/12 Sev=Info/4 CVPND/0xE3400001
Microsoft IPSec Policy Agent service stopped successfully

5 16:20:21.582 05/07/12 Sev=Info/4 CM/0x63100004
Establish secure connection

6 16:20:21.582 05/07/12 Sev=Info/4 CM/0x63100024
Attempt connection with server "x.x.x.x"

7 16:20:21.587 05/07/12 Sev=Info/6 CM/0x6310002F
Allocated local TCP port 50657 for TCP connection.

8 16:20:21.899 05/07/12 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started

9 16:20:21.899 05/07/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

10 16:20:21.899 05/07/12 Sev=Info/6 IPSEC/0x63700020
TCP SYN sent to x.x.x.x src port 50657, dst port 10000

11 16:20:22.414 05/07/12 Sev=Info/6 IPSEC/0x6370001C
TCP SYN-ACK received from x.x.x.x, src port 10000, dst port 50657

12 16:20:22.414 05/07/12 Sev=Info/6 IPSEC/0x63700021
TCP ACK sent to x.x.x.x, src port 50657, dst port 10000

13 16:20:22.414 05/07/12 Sev=Info/4 CM/0x63100029
TCP connection established on port 10000 with server "x.x.x.x"

14 16:20:22.913 05/07/12 Sev=Info/4 CM/0x63100024
Attempt connection with server "x.x.x.x"

15 16:20:22.913 05/07/12 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with x.x.x.x

16 16:20:22.929 05/07/12 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation

17 16:20:22.944 05/07/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Unity)) to x.x.x.x

18 16:20:23.334 05/07/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer =x.x.x.x

19 16:20:23.334 05/07/12 Sev=Info/4 IKE/0x63000014
RECEIVING >> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 38.126.163.131

28 16:20:23.334 05/07/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to 38.126.163.131

29 16:20:23.334 05/07/12 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2263)

30 16:20:23.334 05/07/12 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=E95184AFAA9A0764 R_Cookie=B6FE2B608767A7F1) reason = DEL_REASON_IKE_NEG_FAILED

31 16:20:23.334 05/07/12 Sev=Info/6 IPSEC/0x6370001D
TCP RST received from x.x.x.x, src port 10000, dst port 50657

32 16:20:23.934 05/07/12 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=E95184AFAA9A0764 R_Cookie=B6FE2B608767A7F1) reason = DEL_REASON_IKE_NEG_FAILED

33 16:20:23.934 05/07/12 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "x.x.x.x" because of "DEL_REASON_IKE_NEG_FAILED"

34 16:20:23.934 05/07/12 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv

35 16:20:23.950 05/07/12 Sev=Info/4 CM/0x6310002D
Resetting TCP connection on port 10000

36 16:20:23.950 05/07/12 Sev=Info/6 CM/0x63100030
Removed local TCP port 50657 for TCP connection.

37 16:20:23.950 05/07/12 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.

38 16:20:23.950 05/07/12 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

39 16:20:23.965 05/07/12 Sev=Info/4 IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully

40 16:20:23.965 05/07/12 Sev=Info/6 IPSEC/0x63700023
TCP RST sent to x.x.x.x, src port 50657, dst port 10000

41 16:20:23.965 05/07/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

42 16:20:23.965 05/07/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

43 16:20:23.965 05/07/12 Sev=Info/4 IPSEC/0x63700014
Deleted all keys

44 16:20:23.965 05/07/12 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped

Current running config:
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 10.30.41.4 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.248
!
ftp mode passive
access-list VPN_splitTunnelAcl standard permit 10.30.41.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.30.41.0 255.255.255
30.41.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.30.41.0 255.255

access-list VPN_splitTunnelAcl_1 standard permit 10.30.41.0 255.255.255.0
access-list VPN_splitTunnelAcl_2 standard permit 10.30.41.0 255.255.255.0
access-list SeletiveTV_splitTunnelAcl standard permit 10.30.41.0 255.255.2
access-list outside_access_in extended permit ip any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN 10.30.41.250-10.30.41.253 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:0
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.30.41.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-A
-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-A
-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MA
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
telnet 10.30.41.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.30.41.240-10.30.41.245 inside
dhcpd dns 8.8.4.4 4.4.4.2 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc enable
internal-password enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec svc webvpn
webvpn
svc ask enable
group-policy SelectiveTV internal
group-policy SelectiveTV attributes
dns-server value 8.8.4.4 4.4.4.2
vpn-tunnel-protocol IPSec webvpn
webvpn
svc ask enable default webvpn
username xxxxxx password xxxxxxxx encrypted privilege 15
username xxxxxx attributes
vpn-group-policy SelectiveTV
username test password Wan6jhc8ovZ1.beY encrypted privilege 0
username test attributes
vpn-group-policy SelectiveTV
username xxxx password xxxxxxxxxxxxxxxxxx encrypted privilege 15
username xxxxx attributes
vpn-group-policy SelectiveTV
webvpn
svc ask enable default webvpn timeout 90
tunnel-group SelectiveTV type remote-access
tunnel-group SelectiveTV general-attributes
address-pool (inside) VPN
address-pool VPN
authentication-server-group (inside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
default-group-policy SelectiveTV
dhcp-server 10.30.41.4
authorization-required
username-from-certificate use-entire-name
tunnel-group SelectiveTV ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
isakmp keepalive disable
isakmp ikev1-user-authentication none
tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
address-pool VPN
tunnel-group SSL webvpn-attributes
group-alias uts enable
group-url »x.x.x.x/xxxx enable
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9ce31724c6f0874dea15deee4eed7ab2
: end

First time using an ASA. I set this up via the GUI.

Thanks for any help.
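An added example for reading the client log above (this is not code from the original post or from Cisco): a small parser that pairs each Cisco VPN Client 5.x log header with its message line, then reports how far IKE got, which ISAKMP NOTIFY payloads were exchanged, the exchange mode (aggressive vs main), the transport port, and the final phase-1 failure reason. The sample input is a subset of the lines quoted in the post. The HINTS table is my own heuristic reading of what each IKEv1 notify usually means for a pre-shared-key tunnel-group; it is labeled as an assumption in the code and is not a diagnosis of this particular ASA.

```python
"""Summarise an IKE phase-1 failure from Cisco VPN Client (5.x) log output.

Added example for this thread; not code from the original post or from Cisco.
"""
import re
from typing import Any, Dict, List, Optional

# Constructed sample input: a subset of the client log lines quoted in the post above.
SAMPLE_LOG = """\
13 16:20:22.414 05/07/12 Sev=Info/4 CM/0x63100029
TCP connection established on port 10000 with server "x.x.x.x"

16 16:20:22.929 05/07/12 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation

17 16:20:22.944 05/07/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Unity)) to x.x.x.x

18 16:20:23.334 05/07/12 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer =x.x.x.x

19 16:20:23.334 05/07/12 Sev=Info/4 IKE/0x63000014
RECEIVING >> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to x.x.x.x

28 16:20:23.334 05/07/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to x.x.x.x

29 16:20:23.334 05/07/12 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2263)

33 16:20:23.934 05/07/12 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "x.x.x.x" because of "DEL_REASON_IKE_NEG_FAILED"
"""

# Header line: "<seq> <hh:mm:ss.mmm> <mm/dd/yy> Sev=<Severity>/<level> <COMPONENT>/<hex code>"
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\S+)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d)\s+(?P<comp>\w+)/(?P<code>0x[0-9A-Fa-f]+)$"
)
NOTIFY_RE = re.compile(r"^(SENDING|RECEIVING) >+ ISAKMP OAK INFO \(NOTIFY:(\w+)\)")
EXCHANGE_RE = re.compile(r"ISAKMP OAK (AG|MM)\b")          # AG = aggressive, MM = main mode
FAIL_RE = re.compile(r'Unable to establish Phase (\d) SA .*because of "(\w+)"')
TCP_RE = re.compile(r"TCP connection established on port (\d+)")

# Heuristic meanings (my assumption, not taken from the post) for IKEv1 notifies
# seen when the Cisco client talks aggressive mode to a pre-shared-key tunnel-group.
HINTS = {
    "INVALID_HASH_INFO": "the HASH payload did not verify; with pre-shared keys both sides "
                         "derive SKEYID from the PSK, so compare the client's group name and "
                         "password with the tunnel-group name and pre-shared-key on the ASA",
    "AUTH_FAILED": "authentication failed; usually the client's reaction to the hash mismatch",
    "NO_PROPOSAL_CHOSEN": "no ISAKMP policy or transform set matched; compare the crypto "
                          "isakmp policies and the dynamic map's transform-set list",
}


def parse_client_log(text: str) -> List[Dict[str, str]]:
    """Pair each header line with the message line that follows it; skip blank lines."""
    events: List[Dict[str, str]] = []
    pending: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            pending = header.groupdict()        # the message is on the next non-blank line
        elif pending is not None:
            pending["msg"] = line
            events.append(pending)
            pending = None
    return events


def summarise_ike(events: List[Dict[str, str]]) -> Dict[str, Any]:
    """Extract the facts a phase-1 troubleshooter wants from the parsed events."""
    s: Dict[str, Any] = {"phase1_started": False, "exchange": None, "notifies": [],
                         "failure_phase": None, "failure_reason": None,
                         "tcp_port": None, "warnings": []}
    for ev in events:
        msg = ev["msg"]
        if msg.startswith("Starting IKE Phase 1"):
            s["phase1_started"] = True
        m = EXCHANGE_RE.search(msg)
        if m and s["exchange"] is None:
            s["exchange"] = {"AG": "aggressive", "MM": "main"}[m.group(1)]
        m = NOTIFY_RE.match(msg)
        if m:
            s["notifies"].append(("received" if m.group(1) == "RECEIVING" else "sent", m.group(2)))
        m = FAIL_RE.search(msg)
        if m:
            s["failure_phase"], s["failure_reason"] = int(m.group(1)), m.group(2)
        m = TCP_RE.search(msg)
        if m:
            s["tcp_port"] = int(m.group(1))
        if ev["sev"] == "Warning":
            s["warnings"].append(msg)
    return s


def explain(s: Dict[str, Any]) -> List[str]:
    """Render the summary as short findings, one per line."""
    out: List[str] = []
    if s["failure_phase"] is not None:
        out.append(f"Phase {s['failure_phase']} ({s['exchange']} mode) failed: {s['failure_reason']}")
    for direction, name in s["notifies"]:
        out.append(f"{direction} NOTIFY {name}: {HINTS.get(name, 'no hint for this notify')}")
    if s["tcp_port"] is not None:
        out.append(f"transport: IPsec over TCP port {s['tcp_port']}, and the TCP session was "
                   "established, so the ASA is reachable on that port")
    return out


if __name__ == "__main__":
    for line in explain(summarise_ike(parse_client_log(SAMPLE_LOG))):
        print(line)
```

Feed it a full client log (the file the client writes, or the Log Window contents) and it will still work: headers without a following message are dropped, and only the first AG/MM line sets the exchange mode.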

ristau5741

Re: Help with Cisco ASA 5505 VPN ipsec

Tue May 08, 2012 7:55 am

seems to start dying in phase 1

19 16:20:23.334 05/07/12 Sev=Info/4 IKE/0x63000014
RECEIVING >> ISAKMP OAK INFO (NOTIFY:INVALID_HASH_INFO) to 38.126.163.131

28 16:20:23.334 05/07/12 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO (NOTIFY:AUTH_FAILED) to 38.126.163.131

29 16:20:23.334 05/07/12 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2263)

--
this does not appear to be a valid crypto map in your configuration

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MA
(missing the P)
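The ASA-side checks that go with this reply, as an added example that is not part of either post. The commands are standard ASA CLI (8.2-era syntax, matching the `nat (inside) 0` style of the posted config); nothing here was run on the poster's device, and `SelectiveTV` is simply the tunnel-group name from the posted config. Two caveats a practitioner would want before calling the tunnel fixed: the posted config's `crypto map outside_map 65535 ... SYSTEM_DEFAULT_CRYPTO_MA` may only be the forum cutting the line at the right margin (several other lines are cut the same way), so `show running-config` on the box is the authority; and `isakmp ikev1-user-authentication none` under the tunnel-group means no XAUTH is performed, so whoever holds the group pre-shared key gets a tunnel with no per-user credentials at all. The dynamic map also offers `esp-des` and MD5 transform sets, which should come out of the list once the tunnel works.

```cisco
! 1. Is the dynamic map actually referenced by its full name?
!    (the truncated "SYSTEM_DEFAULT_CRYPTO_MA" in the post may be a forum line cut)
show running-config crypto map
show running-config crypto dynamic-map

! 2. Phase 1 with the Cisco VPN Client is IKEv1 aggressive mode + pre-shared key.
!    The client's Group Authentication name must equal the tunnel-group name, and
!    its password must equal the tunnel-group's pre-shared-key; a mismatch breaks
!    the HASH check, which is what the client logs as INVALID_HASH_INFO.
show running-config tunnel-group
show running-config group-policy

! 3. Watch phase 1 on the ASA while the client connects, then switch debugging off.
debug crypto isakmp 127
debug crypto ipsec 127
show crypto isakmp sa
show crypto ipsec sa
undebug all

! 4. Once phase 1 and 2 succeed, the remote-access session shows up here.
show vpn-sessiondb remote

! 5. Security caveat (assumption: you want per-user authentication, which the
!    LOCAL usernames in the config suggest). "none" disables XAUTH entirely;
!    "xauth" makes the client prompt for a username/password after phase 1.
tunnel-group SelectiveTV ipsec-attributes
 isakmp ikev1-user-authentication xauth
```

Run step 3 from an SSH or console session during one connection attempt only; `debug crypto isakmp 127` is verbose and stays on until `undebug all`.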

