lejm @cust.telenor.se
Anon
2010-Feb-11 1:54 pm
ASA VPN problem

Hi!
I'm trying to set up a remote VPN connection and followed a guide I found to get it going.
But I get error 789 on the Windows client.
And this error on the ASA:

7|Feb 11 2010|16:46:37|713236|||||IP = 84.55.98.85, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
7|Feb 11 2010|16:46:37|715046|||||IP = 84.55.98.85, constructing Fragmentation VID + extended capabilities payload
7|Feb 11 2010|16:46:37|715046|||||IP = 84.55.98.85, constructing NAT-Traversal VID ver 02 payload
7|Feb 11 2010|16:46:37|715046|||||IP = 84.55.98.85, constructing ISAKMP SA payload
7|Feb 11 2010|16:46:37|715028|||||IP = 84.55.98.85, IKE SA Proposal # 1, Transform # 5 acceptable Matches global IKE entry # 4
5|Feb 11 2010|16:46:37|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|Feb 11 2010|16:46:37|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|Feb 11 2010|16:46:37|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|Feb 11 2010|16:46:37|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
7|Feb 11 2010|16:46:37|715047|||||IP = 84.55.98.85, processing IKE SA payload
7|Feb 11 2010|16:46:37|715047|||||IP = 84.55.98.85, processing VID payload
7|Feb 11 2010|16:46:37|715047|||||IP = 84.55.98.85, processing VID payload
7|Feb 11 2010|16:46:37|715047|||||IP = 84.55.98.85, processing VID payload
7|Feb 11 2010|16:46:37|715049|||||IP = 84.55.98.85, Received Fragmentation VID
7|Feb 11 2010|16:46:37|715047|||||IP = 84.55.98.85, processing VID payload
7|Feb 11 2010|16:46:37|715049|||||IP = 84.55.98.85, Received NAT-Traversal ver 02 VID
7|Feb 11 2010|16:46:37|715047|||||IP = 84.55.98.85, processing VID payload
7|Feb 11 2010|16:46:37|715049|||||IP = 84.55.98.85, Received NAT-Traversal RFC VID
7|Feb 11 2010|16:46:37|715047|||||IP = 84.55.98.85, processing VID payload
7|Feb 11 2010|16:46:37|715047|||||IP = 84.55.98.85, processing VID payload
7|Feb 11 2010|16:46:37|713906|||||IP = 84.55.98.85, Oakley proposal is acceptable
5|Feb 11 2010|16:46:37|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|Feb 11 2010|16:46:37|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|Feb 11 2010|16:46:37|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|Feb 11 2010|16:46:37|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
7|Feb 11 2010|16:46:37|715047|||||IP = 84.55.98.85, processing SA payload
7|Feb 11 2010|16:46:37|713236|||||IP = 84.55.98.85, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
7|Feb 11 2010|16:46:37|713906|||||Ignoring msg to mark SA with dsID 180224 dead because SA deleted
4|Feb 11 2010|16:46:37|113019|||||Group = DefaultRAGroup, Username = , IP = 84.55.98.85, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5|Feb 11 2010|16:46:37|713259|||||Group = DefaultRAGroup, IP = 84.55.98.85, Session is being torn down. Reason: Phase 2 Mismatch
7|Feb 11 2010|16:46:37|713236|||||IP = 84.55.98.85, IKE_DECODE SENDING Message (msgid=508af929) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
7|Feb 11 2010|16:46:37|715046|||||Group = DefaultRAGroup, IP = 84.55.98.85, constructing qm hash payload
7|Feb 11 2010|16:46:37|715046|||||Group = DefaultRAGroup, IP = 84.55.98.85, constructing IKE delete payload
7|Feb 11 2010|16:46:37|715046|||||Group = DefaultRAGroup, IP = 84.55.98.85, constructing blank hash payload
7|Feb 11 2010|16:46:37|713906|||||Group = DefaultRAGroup, IP = 84.55.98.85, sending delete/delete with reason message
7|Feb 11 2010|16:46:37|713906|||||Group = DefaultRAGroup, IP = 84.55.98.85, IKE SA MM:a7d204b3 terminating: flags 0x01000002, refcnt 0, tuncnt 0
7|Feb 11 2010|16:46:37|713906|||||Group = DefaultRAGroup, IP = 84.55.98.85, IKE SA MM:a7d204b3 rcv'd Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 0
3|Feb 11 2010|16:46:37|713902|||||Group = DefaultRAGroup, IP = 84.55.98.85, Removing peer from correlator table failed, no match!
7|Feb 11 2010|16:46:37|713906|||||Group = DefaultRAGroup, IP = 84.55.98.85, sending delete/delete with reason message
7|Feb 11 2010|16:46:37|715065|||||Group = DefaultRAGroup, IP = 84.55.98.85, IKE QM Responder FSM error history (struct &0xd876ea38) , : QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
3|Feb 11 2010|16:46:37|713902|||||Group = DefaultRAGroup, IP = 84.55.98.85, QM FSM error (P2 struct &0xd876ea38, mess id 0x1)!
7|Feb 11 2010|16:46:37|713236|||||IP = 84.55.98.85, IKE_DECODE SENDING Message (msgid=ada65ae8) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
7|Feb 11 2010|16:46:37|715046|||||Group = DefaultRAGroup, IP = 84.55.98.85, constructing qm hash payload
7|Feb 11 2010|16:46:37|713906|||||Group = DefaultRAGroup, IP = 84.55.98.85, constructing ipsec notify payload for msg id 1
7|Feb 11 2010|16:46:37|715046|||||Group = DefaultRAGroup, IP = 84.55.98.85, constructing blank hash payload
7|Feb 11 2010|16:46:37|713906|||||Group = DefaultRAGroup, IP = 84.55.98.85, sending notify message
5|Feb 11 2010|16:46:37|713904|||||Group = DefaultRAGroup, IP = 84.55.98.85, All IPSec SA proposals found unacceptable!
5|Feb 11 2010|16:46:37|713257|||||Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Transport Cfg'd: UDP Tunnel(NAT-T)
7|Feb 11 2010|16:46:37|715047|||||Group = DefaultRAGroup, IP = 84.55.98.85, processing IPSec SA payload
7|Feb 11 2010|16:46:37|713066|||||Group = DefaultRAGroup, IP = 84.55.98.85, IKE Remote Peer configured for crypto map: dyno
7|Feb 11 2010|16:46:37|715059|||||Group = DefaultRAGroup, IP = 84.55.98.85, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
7|Feb 11 2010|16:46:37|713906|||||Group = DefaultRAGroup, IP = 84.55.98.85, QM IsRekeyed old sa not found by addr
7|Feb 11 2010|16:46:37|715047|||||Group = DefaultRAGroup, IP = 84.55.98.85, processing NAT-Original-Address payload
7|Feb 11 2010|16:46:37|713906|||||Group = DefaultRAGroup, IP = 84.55.98.85, L2TP/IPSec session detected.
7|Feb 11 2010|16:46:37|713024|||||Group = DefaultRAGroup, IP = 84.55.98.85, Received local Proxy Host data in ID Payload: Address 195.7.78.182, Protocol 17, Port 1701
7|Feb 11 2010|16:46:37|714011|||||Group = DefaultRAGroup, IP = 84.55.98.85, ID_IPV4_ADDR ID received
7|Feb 11 2010|16:46:37|715047|||||Group = DefaultRAGroup, IP = 84.55.98.85, processing ID payload
7|Feb 11 2010|16:46:37|713025|||||Group = DefaultRAGroup, IP = 84.55.98.85, Received remote Proxy Host data in ID Payload: Address 192.168.0.199, Protocol 17, Port 1701
7|Feb 11 2010|16:46:37|714011|||||Group = DefaultRAGroup, IP = 84.55.98.85, ID_IPV4_ADDR ID received
7|Feb 11 2010|16:46:37|715047|||||Group = DefaultRAGroup, IP = 84.55.98.85, processing ID payload
7|Feb 11 2010|16:46:37|715047|||||Group = DefaultRAGroup, IP = 84.55.98.85, processing nonce payload
7|Feb 11 2010|16:46:37|715047|||||Group = DefaultRAGroup, IP = 84.55.98.85, processing SA payload
7|Feb 11 2010|16:46:37|715047|||||Group = DefaultRAGroup, IP = 84.55.98.85, processing hash payload
7|Feb 11 2010|16:46:37|713236|||||IP = 84.55.98.85, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NONE (0) total length : 312
7|Feb 11 2010|16:46:37|714003|||||IP = 84.55.98.85, IKE Responder starting QM: msg id = 00000001
7|Feb 11 2010|16:46:37|715080|||||Group = DefaultRAGroup, IP = 84.55.98.85, Starting P1 rekey timer: 21600 seconds.
3|Feb 11 2010|16:46:37|713122|||||IP = 84.55.98.85, Keep-alives configured on but peer does not support keep-alives (type = None)
7|Feb 11 2010|16:46:37|713121|||||IP = 84.55.98.85, Keep-alive type for this connection: None
5|Feb 11 2010|16:46:37|713119|||||Group = DefaultRAGroup, IP = 84.55.98.85, PHASE 1 COMPLETED
6|Feb 11 2010|16:46:37|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = DefaultRAGroup
7|Feb 11 2010|16:46:37|713236|||||IP = 84.55.98.85, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
7|Feb 11 2010|16:46:37|715046|||||Group = DefaultRAGroup, IP = 84.55.98.85, constructing dpd vid payload
7|Feb 11 2010|16:46:37|715076|||||Group = DefaultRAGroup, IP = 84.55.98.85, Computing hash for ISAKMP
7|Feb 11 2010|16:46:37|715046|||||Group = DefaultRAGroup, IP = 84.55.98.85, constructing hash payload
7|Feb 11 2010|16:46:37|715046|||||Group = DefaultRAGroup, IP = 84.55.98.85, constructing ID payload
7|Feb 11 2010|16:46:37|713906|||||IP = 84.55.98.85, Connection landed on tunnel_group DefaultRAGroup
6|Feb 11 2010|16:46:37|713172|||||Group = DefaultRAGroup, IP = 84.55.98.85, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
7|Feb 11 2010|16:46:37|715076|||||Group = DefaultRAGroup, IP = 84.55.98.85, Computing hash for ISAKMP
7|Feb 11 2010|16:46:37|715047|||||Group = DefaultRAGroup, IP = 84.55.98.85, processing hash payload
7|Feb 11 2010|16:46:37|714011|||||Group = DefaultRAGroup, IP = 84.55.98.85, ID_IPV4_ADDR ID received
7|Feb 11 2010|16:46:37|715047|||||Group = DefaultRAGroup, IP = 84.55.98.85, processing ID payload
7|Feb 11 2010|16:46:37|713236|||||IP = 84.55.98.85, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
6|Feb 11 2010|16:46:37|302015|84.55.98.85|4500|195.7.78.182|4500|Built inbound UDP connection 7324022 for outside:84.55.98.85/4500 (84.55.98.85/4500) to identity:195.7.78.182/4500 (195.7.78.182/4500)
7|Feb 11 2010|16:46:37|713236|||||IP = 84.55.98.85, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
7|Feb 11 2010|16:46:37|713906|||||Group = DefaultRAGroup, IP = 84.55.98.85, Generating keys for Responder...
The ASA config looks like this:

: Saved
:
ASA Version 8.2(1)11
!
hostname ciscoasa
enable password iExlrVGCYde6N5s4 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 195.7.78.* 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-11-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 195.7.64.3
 name-server 195.7.64.131
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service visualSVN tcp-udp
 description SVN
 port-object eq 8443
access-list inside_acl extended permit ip any any
access-list outside-acl extended permit tcp any host 195.7.78.* eq 8443
access-list outside-acl extended permit tcp any host 195.7.78.* eq https
access-list 110 extended permit tcp any host 195.7.78.192 eq 8443
access-list outside_access_in extended permit tcp any eq https interface outside eq https
access-list VPN_SplitTunnel_ACL standard permit 10.0.0.0 255.255.255.0
access-list NoNAT_ACL extended permit ip 10.0.0.0 255.255.255.0 192.168.253.0 255.255.255.0
pager lines 24
logging enable
logging list test level debugging
logging asdm-buffer-size 512
logging asdm test
logging debug-trace
mtu inside 1500
mtu outside 1500
ip local pool cisco 10.10.10.1-10.10.10.100 mask 255.255.255.0
ip local pool VPNpool 192.168.253.1-192.168.253.250 mask 255.255.255.255
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 8443 192.168.0.200 8443 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.0.200 https netmask 255.255.255.255
access-group outside-acl in interface outside
route outside 0.0.0.0 0.0.0.0 195.7.78.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set IPsec-Windows esp-3des esp-sha-hmac
crypto ipsec transform-set IPsec_iPhone esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyno 20 set transform-set IPsec_iPhone
crypto map IPsec_map 20 ipsec-isakmp dynamic dyno
crypto map IPsec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 300
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
l2tp tunnel hello 100
dhcpd auto_config outside
!
dhcpd address 192.168.0.5-192.168.0.132 inside
dhcpd dns 195.7.*.* 195.7.*.* interface inside
dhcpd enable inside
!
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 dns-server value 10.0.0.2
 vpn-tunnel-protocol IPSec l2tp-ipsec
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_SplitTunnel_ACL
 default-domain value dev.ss.local
 split-dns value dev.ss.local
 intercept-dhcp enable
tunnel-group DefaultRAGroup general-attributes
 address-pool VPNpool
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:76c9082e9d4734ce61fb7bd465227624
: end
asdm image disk0:/asdm-623.bin
no asdm history enable
Does anyone have any ideas?
Regards, Oscar
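A small triage helper for the kind of ASDM log export shown in the post above, added here as an example; it is not code from the original post or from Cisco. It parses the pipe-delimited fields (severity|date|time|message-id|src|sport|dst|dport|text), de-duplicates the repeated %ASA-5-713257 mismatch entries, treats Phase 1 mismatches as noise when a PHASE 1 COMPLETED entry (713119) is also present (the ASA logs one 713257 line for every isakmp policy it compares against a rejected proposal, even when a later policy matches), and reports the remaining fatal mismatch together with the teardown reason from 713259. The sample lines are copied from the log in the post; the message IDs are the ASA's own.

```python
"""Triage of Cisco ASA IKEv1 syslog lines in ASDM pipe-delimited export form.
Added example for the forum post above, not code from the post or from Cisco."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Field layout of the ASDM export: severity|date|time|msgid|src|sport|dst|dport|text
ASA_LINE = re.compile(
    r"^(?P<sev>\d)\|(?P<date>[^|]*)\|(?P<time>[^|]*)\|(?P<msgid>\d{6})\|"
    r"(?P<src>[^|]*)\|(?P<sport>[^|]*)\|(?P<dst>[^|]*)\|(?P<dport>[^|]*)\|(?P<text>.*)$"
)

# %ASA-5-713257 text: "Phase N failure: Mismatched attribute types for class X: Rcv'd: A Cfg'd: B"
MISMATCH = re.compile(
    r"Phase (?P<phase>[12]) failure: Mismatched attribute types for class "
    r"(?P<cls>.+?): Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+)$"
)

# ASA syslog message IDs used by the triage (all appear in the post's log)
MSG_MISMATCH = "713257"     # Phase 1/2 attribute mismatch
MSG_PHASE1_DONE = "713119"  # PHASE 1 COMPLETED
MSG_TEARDOWN = "713259"     # Session is being torn down. Reason: ...

# Constructed sample: a subset of the post's log, in the export's newest-first order
SAMPLE_LOG = [
    "5|Feb 11 2010|16:46:37|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2",
    "5|Feb 11 2010|16:46:37|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2",
    "5|Feb 11 2010|16:46:37|713259|||||Group = DefaultRAGroup, IP = 84.55.98.85, Session is being torn down. Reason: Phase 2 Mismatch",
    "5|Feb 11 2010|16:46:37|713904|||||Group = DefaultRAGroup, IP = 84.55.98.85, All IPSec SA proposals found unacceptable!",
    "5|Feb 11 2010|16:46:37|713257|||||Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Transport Cfg'd: UDP Tunnel(NAT-T)",
    "7|Feb 11 2010|16:46:37|713906|||||Group = DefaultRAGroup, IP = 84.55.98.85, L2TP/IPSec session detected.",
    "5|Feb 11 2010|16:46:37|713119|||||Group = DefaultRAGroup, IP = 84.55.98.85, PHASE 1 COMPLETED",
    "6|Feb 11 2010|16:46:37|302015|84.55.98.85|4500|195.7.78.182|4500|Built inbound UDP connection 7324022 for outside:84.55.98.85/4500 (84.55.98.85/4500) to identity:195.7.78.182/4500 (195.7.78.182/4500)",
]


@dataclass(frozen=True)
class Mismatch:
    phase: int
    attr_class: str
    received: str
    configured: str


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one exported line, or None if it is not one."""
    m = ASA_LINE.match(line.strip())
    return m.groupdict() if m else None


def has_message(lines, msgid: str) -> bool:
    """True if any line carries the given ASA message ID."""
    return any((rec := parse_line(raw)) is not None and rec["msgid"] == msgid for raw in lines)


def find_mismatches(lines) -> List[Mismatch]:
    """Distinct 713257 mismatches in first-seen order.
    The ASA emits one line per (policy, proposal) pair it rejects, so
    identical entries repeat; de-duplicating keeps the report readable."""
    found: List[Mismatch] = []
    for raw in lines:
        rec = parse_line(raw)
        if not rec or rec["msgid"] != MSG_MISMATCH:
            continue
        mm = MISMATCH.search(rec["text"])
        if not mm:
            continue
        item = Mismatch(int(mm["phase"]), mm["cls"], mm["rcvd"].strip(), mm["cfgd"].strip())
        if item not in found:
            found.append(item)
    return found


def teardown_reason(lines) -> Optional[str]:
    """Reason string from the 713259 'Session is being torn down' entry, if any."""
    for raw in lines:
        rec = parse_line(raw)
        if rec and rec["msgid"] == MSG_TEARDOWN:
            m = re.search(r"Reason: (.+)$", rec["text"])
            if m:
                return m.group(1).strip()
    return None


def triage(lines) -> dict:
    """Split mismatches into noise and fatal ones.
    Phase 1 mismatches are noise once PHASE 1 COMPLETED is present, because a
    later isakmp policy matched; Phase 2 mismatches are always fatal here."""
    phase1_done = has_message(lines, MSG_PHASE1_DONE)
    mismatches = find_mismatches(lines)
    fatal = [m for m in mismatches if m.phase == 2 or not phase1_done]
    return {
        "phase1_completed": phase1_done,
        "noise": [m for m in mismatches if m not in fatal],
        "fatal": fatal,
        "reason": teardown_reason(lines),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("Phase 1 completed:", report["phase1_completed"])
    print("Teardown reason:  ", report["reason"])
    for m in report["fatal"]:
        print(f"FATAL  Phase {m.phase} {m.attr_class}: peer sent {m.received!r}, ASA configured {m.configured!r}")
    for m in report["noise"]:
        print(f"noise  Phase {m.phase} {m.attr_class}: peer sent {m.received!r}, ASA configured {m.configured!r}")
```

Run against the full export in the post, the only fatal entry is the Encapsulation Mode one: the Windows L2TP/IPsec client proposes UDP-encapsulated transport mode, while the transform set the ASA selects through dynamic map dyno (IPsec_iPhone) only offers tunnel mode. On the ASA a transform set used for L2TP/IPsec has to be set to transport mode with `crypto ipsec transform-set <name> mode transport`; neither transform set in the posted config carries that line, which is consistent with the "All IPSec SA proposals found unacceptable" and "Phase 2 Mismatch" entries.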