ASA 5505 VPN problem
I'm trying to set up a remote VPN connection and followed a guide I found to get it going.
But I get error 789 on the Windows client.
And this error on the ASA:
7|Feb 11 2010|17:32:04|713236|||||IP = 84.55.98.85, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
7|Feb 11 2010|17:32:04|715046|||||IP = 84.55.98.85, constructing Fragmentation VID + extended capabilities payload
7|Feb 11 2010|17:32:04|715046|||||IP = 84.55.98.85, constructing NAT-Traversal VID ver 02 payload
7|Feb 11 2010|17:32:04|715046|||||IP = 84.55.98.85, constructing ISAKMP SA payload
7|Feb 11 2010|17:32:04|715028|||||IP = 84.55.98.85, IKE SA Proposal # 1, Transform # 5 acceptable Matches global IKE entry # 4
5|Feb 11 2010|17:32:04|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|Feb 11 2010|17:32:04|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|Feb 11 2010|17:32:04|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|Feb 11 2010|17:32:04|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
7|Feb 11 2010|17:32:04|715047|||||IP = 84.55.98.85, processing IKE SA payload
7|Feb 11 2010|17:32:04|715047|||||IP = 84.55.98.85, processing VID payload
7|Feb 11 2010|17:32:04|715047|||||IP = 84.55.98.85, processing VID payload
7|Feb 11 2010|17:32:04|715047|||||IP = 84.55.98.85, processing VID payload
7|Feb 11 2010|17:32:04|715049|||||IP = 84.55.98.85, Received Fragmentation VID
7|Feb 11 2010|17:32:04|715047|||||IP = 84.55.98.85, processing VID payload
7|Feb 11 2010|17:32:04|715049|||||IP = 84.55.98.85, Received NAT-Traversal ver 02 VID
7|Feb 11 2010|17:32:04|715047|||||IP = 84.55.98.85, processing VID payload
7|Feb 11 2010|17:32:04|715049|||||IP = 84.55.98.85, Received NAT-Traversal RFC VID
7|Feb 11 2010|17:32:04|715047|||||IP = 84.55.98.85, processing VID payload
7|Feb 11 2010|17:32:04|715047|||||IP = 84.55.98.85, processing VID payload
7|Feb 11 2010|17:32:04|713906|||||IP = 84.55.98.85, Oakley proposal is acceptable
5|Feb 11 2010|17:32:04|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|Feb 11 2010|17:32:04|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|Feb 11 2010|17:32:04|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|Feb 11 2010|17:32:04|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
7|Feb 11 2010|17:32:04|715047|||||IP = 84.55.98.85, processing SA payload
7|Feb 11 2010|17:32:04|713236|||||IP = 84.55.98.85, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
7|Feb 11 2010|17:32:04|713906|||||Ignoring msg to mark SA with dsID 208896 dead because SA deleted
4|Feb 11 2010|17:32:04|113019|||||Group = DefaultRAGroup, Username = , IP = 84.55.98.85, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5|Feb 11 2010|17:32:04|713259|||||Group = DefaultRAGroup, IP = 84.55.98.85, Session is being torn down. Reason: Phase 2 Mismatch
7|Feb 11 2010|17:32:04|713236|||||IP = 84.55.98.85, IKE_DECODE SENDING Message (msgid=80c163c7) with payloads : HDR + HASH ( + DELETE (12) + NONE (0) total length : 80
7|Feb 11 2010|17:32:04|715046|||||Group = DefaultRAGroup, IP = 84.55.98.85, constructing qm hash payload
7|Feb 11 2010|17:32:04|715046|||||Group = DefaultRAGroup, IP = 84.55.98.85, constructing IKE delete payload
7|Feb 11 2010|17:32:04|715046|||||Group = DefaultRAGroup, IP = 84.55.98.85, constructing blank hash payload
7|Feb 11 2010|17:32:04|713906|||||Group = DefaultRAGroup, IP = 84.55.98.85, sending delete/delete with reason message
7|Feb 11 2010|17:32:04|713906|||||Group = DefaultRAGroup, IP = 84.55.98.85, IKE SA MM:f6af908e terminating: flags 0x01000002, refcnt 0, tuncnt 0
7|Feb 11 2010|17:32:04|713906|||||Group = DefaultRAGroup, IP = 84.55.98.85, IKE SA MM:f6af908e rcv'd Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 0
3|Feb 11 2010|17:32:04|713902|||||Group = DefaultRAGroup, IP = 84.55.98.85, Removing peer from correlator table failed, no match!
7|Feb 11 2010|17:32:04|713906|||||Group = DefaultRAGroup, IP = 84.55.98.85, sending delete/delete with reason message
7|Feb 11 2010|17:32:04|715065|||||Group = DefaultRAGroup, IP = 84.55.98.85, IKE QM Responder FSM error history (struct &0xd8818690) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
3|Feb 11 2010|17:32:04|713902|||||Group = DefaultRAGroup, IP = 84.55.98.85, QM FSM error (P2 struct &0xd8818690, mess id 0x1)!
7|Feb 11 2010|17:32:04|713236|||||IP = 84.55.98.85, IKE_DECODE SENDING Message (msgid=4b3f2583) with payloads : HDR + HASH ( + NOTIFY (11) + NONE (0) total length : 84
7|Feb 11 2010|17:32:04|715046|||||Group = DefaultRAGroup, IP = 84.55.98.85, constructing qm hash payload
7|Feb 11 2010|17:32:04|713906|||||Group = DefaultRAGroup, IP = 84.55.98.85, constructing ipsec notify payload for msg id 1
7|Feb 11 2010|17:32:04|715046|||||Group = DefaultRAGroup, IP = 84.55.98.85, constructing blank hash payload
7|Feb 11 2010|17:32:04|713906|||||Group = DefaultRAGroup, IP = 84.55.98.85, sending notify message
5|Feb 11 2010|17:32:04|713904|||||Group = DefaultRAGroup, IP = 84.55.98.85, All IPSec SA proposals found unacceptable!
5|Feb 11 2010|17:32:04|713257|||||Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Transport Cfg'd: UDP Tunnel(NAT-T)
7|Feb 11 2010|17:32:04|715047|||||Group = DefaultRAGroup, IP = 84.55.98.85, processing IPSec SA payload
7|Feb 11 2010|17:32:04|713066|||||Group = DefaultRAGroup, IP = 84.55.98.85, IKE Remote Peer configured for crypto map: dyno
7|Feb 11 2010|17:32:04|715059|||||Group = DefaultRAGroup, IP = 84.55.98.85, Selecting only UDP-Encapsulated-Tunnel and UDP-Encapsulated-Transport modes defined by NAT-Traversal
7|Feb 11 2010|17:32:04|713906|||||Group = DefaultRAGroup, IP = 84.55.98.85, QM IsRekeyed old sa not found by addr
7|Feb 11 2010|17:32:04|715047|||||Group = DefaultRAGroup, IP = 84.55.98.85, processing NAT-Original-Address payload
7|Feb 11 2010|17:32:04|713906|||||Group = DefaultRAGroup, IP = 84.55.98.85, L2TP/IPSec session detected.
7|Feb 11 2010|17:32:04|713024|||||Group = DefaultRAGroup, IP = 84.55.98.85, Received local Proxy Host data in ID Payload: Address 195.7.78.182, Protocol 17, Port 1701
7|Feb 11 2010|17:32:04|714011|||||Group = DefaultRAGroup, IP = 84.55.98.85, ID_IPV4_ADDR ID received
7|Feb 11 2010|17:32:04|715047|||||Group = DefaultRAGroup, IP = 84.55.98.85, processing ID payload
7|Feb 11 2010|17:32:04|713025|||||Group = DefaultRAGroup, IP = 84.55.98.85, Received remote Proxy Host data in ID Payload: Address 192.168.0.199, Protocol 17, Port 1701
7|Feb 11 2010|17:32:04|714011|||||Group = DefaultRAGroup, IP = 84.55.98.85, ID_IPV4_ADDR ID received
7|Feb 11 2010|17:32:04|715047|||||Group = DefaultRAGroup, IP = 84.55.98.85, processing ID payload
7|Feb 11 2010|17:32:04|715047|||||Group = DefaultRAGroup, IP = 84.55.98.85, processing nonce payload
7|Feb 11 2010|17:32:04|715047|||||Group = DefaultRAGroup, IP = 84.55.98.85, processing SA payload
7|Feb 11 2010|17:32:04|715047|||||Group = DefaultRAGroup, IP = 84.55.98.85, processing hash payload
7|Feb 11 2010|17:32:04|713236|||||IP = 84.55.98.85, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH ( + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NONE (0) total length : 312
7|Feb 11 2010|17:32:04|714003|||||IP = 84.55.98.85, IKE Responder starting QM: msg id = 00000001
7|Feb 11 2010|17:32:04|715080|||||Group = DefaultRAGroup, IP = 84.55.98.85, Starting P1 rekey timer: 21600 seconds.
3|Feb 11 2010|17:32:04|713122|||||IP = 84.55.98.85, Keep-alives configured on but peer does not support keep-alives (type = None)
7|Feb 11 2010|17:32:04|713121|||||IP = 84.55.98.85, Keep-alive type for this connection: None
5|Feb 11 2010|17:32:04|713119|||||Group = DefaultRAGroup, IP = 84.55.98.85, PHASE 1 COMPLETED
6|Feb 11 2010|17:32:04|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = DefaultRAGroup
7|Feb 11 2010|17:32:04|713236|||||IP = 84.55.98.85, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH ( + VENDOR (13) + NONE (0) total length : 84
7|Feb 11 2010|17:32:04|715046|||||Group = DefaultRAGroup, IP = 84.55.98.85, constructing dpd vid payload
7|Feb 11 2010|17:32:04|715076|||||Group = DefaultRAGroup, IP = 84.55.98.85, Computing hash for ISAKMP
7|Feb 11 2010|17:32:04|715046|||||Group = DefaultRAGroup, IP = 84.55.98.85, constructing hash payload
7|Feb 11 2010|17:32:04|715046|||||Group = DefaultRAGroup, IP = 84.55.98.85, constructing ID payload
7|Feb 11 2010|17:32:04|713906|||||IP = 84.55.98.85, Connection landed on tunnel_group DefaultRAGroup
6|Feb 11 2010|17:32:04|713172|||||Group = DefaultRAGroup, IP = 84.55.98.85, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
7|Feb 11 2010|17:32:04|715076|||||Group = DefaultRAGroup, IP = 84.55.98.85, Computing hash for ISAKMP
7|Feb 11 2010|17:32:04|715047|||||Group = DefaultRAGroup, IP = 84.55.98.85, processing hash payload
7|Feb 11 2010|17:32:04|714011|||||Group = DefaultRAGroup, IP = 84.55.98.85, ID_IPV4_ADDR ID received
7|Feb 11 2010|17:32:04|715047|||||Group = DefaultRAGroup, IP = 84.55.98.85, processing ID payload
7|Feb 11 2010|17:32:04|713236|||||IP = 84.55.98.85, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH ( + NONE (0) total length : 64
6|Feb 11 2010|17:32:04|302015|84.55.98.85|4500|195.7.78.182|4500|Built inbound UDP connection 7325340 for outside:84.55.98.85/4500 (84.55.98.85/4500) to identity:195.7.78.182/4500 (195.7.78.182/4500)
7|Feb 11 2010|17:32:04|713236|||||IP = 84.55.98.85, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
7|Feb 11 2010|17:32:04|713906|||||Group = DefaultRAGroup, IP = 84.55.98.85, Generating keys for Responder...
7|Feb 11 2010|17:32:04|713906|||||IP = 84.55.98.85, Connection landed on tunnel_group DefaultRAGroup
7|Feb 11 2010|17:32:04|713906|||||IP = 84.55.98.85, computing NAT Discovery hash
7|Feb 11 2010|17:32:04|715046|||||IP = 84.55.98.85, constructing NAT-Discovery payload
7|Feb 11 2010|17:32:04|713906|||||IP = 84.55.98.85, computing NAT Discovery hash
7|Feb 11 2010|17:32:04|715046|||||IP = 84.55.98.85, constructing NAT-Discovery payload
7|Feb 11 2010|17:32:04|715048|||||IP = 84.55.98.85, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
7|Feb 11 2010|17:32:04|715046|||||IP = 84.55.98.85, constructing VID payload
7|Feb 11 2010|17:32:04|715038|||||IP = 84.55.98.85, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
7|Feb 11 2010|17:32:04|715048|||||IP = 84.55.98.85, Send IOS VID
7|Feb 11 2010|17:32:04|715046|||||IP = 84.55.98.85, constructing xauth V6 VID payload
The ASA config looks like this:
: Saved
:
ASA Version 8.2(1)11
!
hostname ciscoasa
enable password iExlrVGCYde6N5s4 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 195.7.78.* 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-11-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 195.7.64.3
name-server 195.7.64.131
same-security-traffic permit intra-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service visualSVN tcp-udp
description SVN
port-object eq 8443
access-list inside_acl extended permit ip any any
access-list outside-acl extended permit tcp any host 195.7.78.* eq 8443
access-list outside-acl extended permit tcp any host 195.7.78.* eq https
access-list 110 extended permit tcp any host 195.7.78.192 eq 8443
access-list outside_access_in extended permit tcp any eq https interface outside eq https
access-list VPN_SplitTunnel_ACL standard permit 10.0.0.0 255.255.255.0
access-list NoNAT_ACL extended permit ip 10.0.0.0 255.255.255.0 192.168.253.0 255.255.255.0
pager lines 24
logging enable
logging list test level debugging
logging asdm-buffer-size 512
logging asdm test
logging debug-trace
mtu inside 1500
mtu outside 1500
ip local pool cisco 10.10.10.1-10.10.10.100 mask 255.255.255.0
ip local pool VPNpool 192.168.253.1-192.168.253.250 mask 255.255.255.255
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-623.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 8443 192.168.0.200 8443 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.0.200 https netmask 255.255.255.255
access-group outside-acl in interface outside
route outside 0.0.0.0 0.0.0.0 195.7.78.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set IPsec-Windows esp-3des esp-sha-hmac
crypto ipsec transform-set IPsec_iPhone esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyno 20 set transform-set IPsec_iPhone
crypto map IPsec_map 20 ipsec-isakmp dynamic dyno
crypto map IPsec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 300
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh timeout 20
console timeout 0
l2tp tunnel hello 100
dhcpd auto_config outside
!
dhcpd address 192.168.0.5-192.168.0.132 inside
dhcpd dns 195.7.*.* 195.7.*.* interface inside
dhcpd enable inside
!
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
dns-server value 10.0.0.2
vpn-tunnel-protocol IPSec l2tp-ipsec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_SplitTunnel_ACL
default-domain value dev.ss.local
split-dns value dev.ss.local
intercept-dhcp enable
tunnel-group DefaultRAGroup general-attributes
address-pool VPNpool
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:76c9082e9d4734ce61fb7bd465227624
: end
asdm image disk0:/asdm-623.bin
no asdm history enable
Does anyone have any ideas?
Regards
Oscar
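As an added example (not from either post), a small Python triage script that parses the ASDM-exported log format shown above (severity|date|time|message-id|src|sport|dst|dport|text), reorders the newest-first dump chronologically and summarizes the 713257 attribute-mismatch entries per phase together with the PHASE 1 COMPLETED and teardown-reason messages. The sample lines are a constructed excerpt copied from the log in the post; the message IDs are the ones that appear there.

```python
"""Triage an ASDM-exported ASA IKE log: severity|date|time|msg-id|src|sport|dst|dport|text, newest first."""
import re
from collections import Counter

# Message IDs taken from the log in the post.
MSG_MISMATCH = "713257"      # "Phase N failure: Mismatched attribute types ..."
MSG_P1_COMPLETE = "713119"   # "PHASE 1 COMPLETED"
MSG_TEARDOWN = "713259"      # "Session is being torn down. Reason: ..."

MISMATCH_RE = re.compile(
    r"Phase (?P<phase>[12]) failure: Mismatched attribute types for class "
    r"(?P<cls>.+?): Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+)$")
REASON_RE = re.compile(r"Reason: (?P<reason>.+)$")
FIELDS = ("severity", "date", "time", "msg_id", "src", "sport", "dst", "dport", "text")

def parse_line(line):
    """Split one pipe-delimited line; the free text is the 9th field, so split at most 8 times."""
    parts = line.split("|", 8)
    if len(parts) != len(FIELDS):
        raise ValueError(f"not an ASDM log line: {line!r}")
    return dict(zip(FIELDS, parts))

def triage(lines):
    """Report whether Phase 1 completed, the teardown reason, and each logged attribute mismatch."""
    events = [parse_line(l) for l in lines if l.strip()]
    events.reverse()  # ASDM lists newest first; walk the exchange chronologically
    result = {"phase1_completed": False, "teardown_reason": None,
              "mismatches": {"1": Counter(), "2": Counter()}}
    for ev in events:
        if ev["msg_id"] == MSG_MISMATCH:
            m = MISMATCH_RE.search(ev["text"])
            if m:  # key = (attribute class, what the peer sent, what the ASA has configured)
                result["mismatches"][m["phase"]][(m["cls"], m["rcvd"], m["cfgd"])] += 1
        elif ev["msg_id"] == MSG_P1_COMPLETE:
            result["phase1_completed"] = True
        elif ev["msg_id"] == MSG_TEARDOWN:
            r = REASON_RE.search(ev["text"])
            result["teardown_reason"] = r["reason"] if r else ev["text"]
    return result

# Constructed excerpt: five lines copied from the log in the post, newest first.
SAMPLE_LOG = """\
5|Feb 11 2010|17:32:04|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
5|Feb 11 2010|17:32:04|713259|||||Group = DefaultRAGroup, IP = 84.55.98.85, Session is being torn down. Reason: Phase 2 Mismatch
5|Feb 11 2010|17:32:04|713904|||||Group = DefaultRAGroup, IP = 84.55.98.85, All IPSec SA proposals found unacceptable!
5|Feb 11 2010|17:32:04|713257|||||Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Transport Cfg'd: UDP Tunnel(NAT-T)
5|Feb 11 2010|17:32:04|713119|||||Group = DefaultRAGroup, IP = 84.55.98.85, PHASE 1 COMPLETED
"""

if __name__ == "__main__":
    s = triage(SAMPLE_LOG.splitlines())
    print(f"Phase 1 completed: {s['phase1_completed']}; teardown reason: {s['teardown_reason']}")
    for phase, counts in s["mismatches"].items():
        for (cls, rcvd, cfgd), n in counts.items():
            print(f"Phase {phase} mismatch x{n}: {cls}: peer sent '{rcvd}', ASA configured '{cfgd}'")
```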
5|Feb 11 2010|17:32:04|713257|||||Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2
crypto ipsec transform-set IPsec-Windows esp-3des esp-sha-hmac
crypto ipsec transform-set IPsec_iPhone esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyno 20 set transform-set IPsec_iPhone
crypto map IPsec_map 20 ipsec-isakmp dynamic dyno
crypto map IPsec_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
It seems your Windows device is not configured to use DH group 2 in phase 1, while the ASA is for all its ISAKMP policies. You should try to activate it under Windows or create a new policy without group 2 on the ASA (less secure).
Christophe Lemaire
www.exp-networks.be/blog/