Setup Microsoft VPN client to Cisco ASA 5505

I am attempting to set up a VPN on a Cisco ASA 5505. I utilized the wizard, and when I attempt to connect with the MS VPN client I get "Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer". I checked the log on the ASA and get these lines when trying to connect:

4      Mar 30 2010      06:56:00      713903                   Group = DefaultRAGroup, IP = x.x.x.x, Freeing previously allocated memory for authorization-dn-attributes

6      Mar 30 2010      06:56:00      113009                   AAA retrieved default group policy (DefaultRAGroup) for user = DefaultRAGroup

3      Mar 30 2010      06:56:00      713206                   Group = DefaultRAGroup, IP = x.x.x.x, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

3      Mar 30 2010      06:56:00      713902                   Group = DefaultRAGroup, IP = x.x.x.x, Removing peer from peer table failed, no match!

4      Mar 30 2010      06:56:00      713903                   Group = DefaultRAGroup, IP = x.x.x.x, Error: Unable to remove PeerTblEntry

5      Mar 30 2010      06:56:00      713904                   IP = x.x.x.x, Received encrypted packet with no matching SA, dropping

Here is my config:

ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password xxxxxxxxxx encrypted
names
!
interface Vlan1
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.252
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 10.20.18.1 255.255.0.0
!
interface Vlan3
 no forward interface Vlan2
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd xxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
dns server-group defaultDNS
 domain-name cic.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.20.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.20.0.0 255.255.0.0 192.168.55.0 255.255.255.128
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool vpnpool1 192.168.55.10-192.168.55.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group from-out in interface outside
route outside 0.0.0.0 0.0.0.0 68.191.229.161 1
route inside 10.23.1.0 255.255.255.0 10.20.40.2 1
route inside 10.23.3.0 255.255.255.0 10.20.40.2 1
route inside 10.40.255.0 255.255.255.0 10.20.40.2 1
route inside 10.23.5.0 255.255.255.0 10.20.40.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.20.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.20.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.20.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.20.10.2 10.20.10.86
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value cic.com
username vpnuser password eiGZD809dZlB5FxJDxQ9Xw== nt-encrypted privilege 0
username vpnuser attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool1
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
prompt hostname context
Cryptochecksum:500baefdd3bc564753c2743a4bd1cc5f
: end
ptuttle1319 Asked:
ptuttle1319 Author Commented:
I got it working with the Cisco VPN client; here are my config lines, in case anyone is interested. This sets the VPN IP addresses to a range of 192.168.90.1-192.168.90.254 with access to the internal network of 10.20.0.0/16. As an aside: when you set up the Cisco VPN client, where it asks for a name, use the tunnel-group name of "cisco" that is entered, or whatever you change the tunnel-group name to, and the password will be the pre-shared key that is set.

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-25
isakmp policy 10 hash  sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 3
 ip-comp enable
exi

group-policy MyCompany internal
group-policy MyCompany attributes
 default-domain value MyCompany.com
exi

username vpnuser password 12345
username vpnuser attributes
 vpn-group-policy MyCompany
exi

tunnel-group cisco type ipsec-ra
tunnel-group cisco ipsec-attributes
 pre-shared-key ciscovpn123
exi

tunnel-group cisco general-attributes
 authentication-server-group LOCAL
exi

vpn-addr-assig local
ip local pool vpnremotepool  192.168.90.1-192.168.90.254 mask 255.255.255.0
tunnel-group cisco general-attributes
 address-pool vpnremotepool
exi

crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map IPSec_map_dyn 10 set transform-set myset
crypto dynamic-map IPSec_map_dyn 10 set reverse-route
crypto map IPSec_map 10 ipsec-isakmp dynamic IPSec_map_dyn
crypto map IPSec_map interface outside
crypto isakmp enable outside
sysopt connection permit-ipsec

access-list nonat extended permit ip 10.20.0.0 255.255.0.0 192.168.90.0 255.255.255.0
nat (inside) 0 access-list nonat
qbakies Commented:
ptuttle1319 Author Commented:
Even if I'm only using l2tp from the outside to the inside?
ptuttle1319 Author Commented:
I entered the inspect pptp command; no change. Is that command not for outgoing PPTP connections?
ptuttle1319 Author Commented:
And the ASA is the VPN server in this case
qbakies Commented:
This is in the error log you posted and seems to be the root of the issue:

Group = DefaultRAGroup, IP = x.x.x.x, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy

Look at this solution:  http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution20
ptuttle1319 Author Commented:
Still no luck:
3      Mar 30 2010      12:15:04      713122                   IP = x.x.x.x, Keep-alives configured on but peer does not support keep-alives (type = None)
3      Mar 30 2010      12:15:04      713902                   Group = DefaultRAGroup, IP = x.x.x.x, QM FSM error (P2 struct &0x3a68cc0, mess id 0xab1bebd7)!
3      Mar 30 2010      12:15:04      713902                   Group = DefaultRAGroup, IP = x.x.x.x, Removing peer from correlator table failed, no match!
4      Mar 30 2010      12:15:04      113019                   Group = DefaultRAGroup, Username = , IP = x.x.x.x, Session disconnected. Session Type: IPSec, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown


group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.20.10.2 10.20.10.86
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value cic.com
username vpnuser password eiGZD809dZlB5FxJDxQ9Xw== nt-encrypted privilege 0
username vpnuser attributes
 vpn-group-policy DefaultRAGroup
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool1
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
prompt hostname context
Cryptochecksum:500baefdd3bc564753c2743a4bd1cc5f
qbakies Commented:
Can you post your whole config or at least include all the crypto statements and ACLs?
ptuttle1319 Author Commented:
ASA Version 7.2(3)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password cyn.hMqrS2DbEnLH encrypted
names
!
interface Vlan1
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.252
!
interface Vlan2
 nameif inside
 security-level 100
 ip address 10.20.18.1 255.255.0.0
!
interface Vlan3
 no forward interface Vlan2
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
passwd xxxxxxxxx encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
dns server-group defaultDNS
 domain-name cic.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any
access-list DefaultRAGroup_splitTunnelAcl standard permit 10.20.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.20.0.0 255.255.0.0 192.168.55.0 255.255.255.128
access-list from-out extended permit tcp any interface outside eq aaa
access-list from-out extended permit tcp any interface outside eq bbb
access-list from-out extended permit tcp any interface outside eq ccc
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip local pool vpnpool1 192.168.55.10-192.168.55.100 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group from-out in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route inside 10.23.1.0 255.255.255.0 10.20.40.2 1
route inside 10.23.3.0 255.255.255.0 10.20.40.2 1
route inside 10.40.255.0 255.255.255.0 10.20.40.2 1
route inside 10.23.5.0 255.255.255.0 10.20.40.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.20.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 10.20.0.0 255.255.0.0 inside
telnet timeout 5
ssh 10.20.0.0 255.255.0.0 inside
ssh timeout 5
console timeout 0

!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect pptp
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 10.20.10.2 10.20.10.86
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value cic.com
username vpnuser password eiGZD809dZlB5FxJDxQ9Xw== nt-encrypted privilege 0
username vpnuser attributes
 vpn-group-policy DefaultRAGroup
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool vpnpool1
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
prompt hostname context
Cryptochecksum:500baefdd3bc564753c2743a4bd1cc5f
: end
qbakies Commented:
Try disabling PFS
ptuttle1319 Author Commented:
I can't find the command for that; how do you do that?
ptuttle1319 Author Commented:
Here's what I entered, still no change:


ciscoasa(config)# group-policy DefaultRAGroup attributes
ciscoasa(config-group-policy)# no pfs
ptuttle1319 Author Commented:
I'm receiving the same errors as before in the log.
ptuttle1319 Author Commented:
I ran debug crypto isakmp 5 and received this when attempting to connect:


Mar 31 04:40:06 [IKEv1 DEBUG]: IP = a.a.a.a, Oakley proposal is acceptable
Mar 31 04:40:06 [IKEv1 DEBUG]: IP = a.a.a.a, IKE SA Proposal # 1, Transform # 2 acceptable  Matches global IKE entry # 2
Mar 31 04:40:06 [IKEv1]: IP = a.a.a.a, Connection landed on tunnel_group DefaultRAGroup
Mar 31 04:40:06 [IKEv1]: IP = a.a.a.a, Connection landed on tunnel_group DefaultRAGroup
Mar 31 04:40:06 [IKEv1]: Group = DefaultRAGroup, IP = a.a.a.a, Freeing previously allocated memory for authorization-dn-attributes
Mar 31 04:40:06 [IKEv1]: Group = DefaultRAGroup, IP = a.a.a.a, PHASE 1 COMPLETED
Mar 31 04:40:06 [IKEv1]: IP = a.a.a.a, Keep-alive type for this connection: None
Mar 31 04:40:06 [IKEv1]: IP = a.a.a.a, Keep-alives configured on but peer does not support keep-alives (type = None)
Mar 31 04:40:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = a.a.a.a, Starting P1 rekey timer: 21600 seconds.
Mar 31 04:40:06 [IKEv1]: Group = DefaultRAGroup, IP = a.a.a.a, Received remote Proxy Host data in ID Payload:  Address b.b.b.b, Protocol 17, Port 1701
Mar 31 04:40:06 [IKEv1]: Group = DefaultRAGroup, IP = a.a.a.a, Received local Proxy Host data in ID Payload:  Address c.c.c.c, Protocol 17, Port 1701
Mar 31 04:40:06 [IKEv1]: Group = DefaultRAGroup, IP = a.a.a.a, peer is notauthenticated by xauth - drop connection.
Mar 31 04:40:06 [IKEv1]: Group = DefaultRAGroup, IP = a.a.a.a, QM FSM error (P2 struct &0x3a68db0, mess id 0xedad8a64)!
Mar 31 04:40:06 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = a.a.a.a, IKE QM Responder FSM error history (struct &0x3a68db0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH-->QM_BLD_MSG2, EV_VALIDATE_MSG-->QM_BLD_MSG2, EV_DECRYPT_OK-->QM_BLD_MSG2, NullEvent
Mar 31 04:40:06 [IKEv1]: Group = DefaultRAGroup, IP = a.a.a.a, Removing peer from correlator table failed, no match!
Mar 31 04:40:06 [IKEv1 DEBUG]: IP = a.a.a.a, Oakley proposal is acceptable
Mar 31 04:40:06 [IKEv1 DEBUG]: IP = a.a.a.a, IKE SA Proposal # 1, Transform # 2 acceptable  Matches global IKE entry # 2
Mar 31 04:40:38 [IKEv1 DEBUG]: IP = a.a.a.a, IKE MM Responder FSM error history (struct &0x3a18d68)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent-->MM_SND_MSG2, EV_SND_MSG-->MM_SND_MSG2, EV_START_TMR-->MM_SND_MSG2, EV_RESEND_MSG-->MM_WAIT_MSG3, EV_TIMEOUT-->MM_WAIT_MSG3, NullEvent
Mar 31 04:40:38 [IKEv1]: IP = a.a.a.a, Removing peer from peer table failed, no match!
Mar 31 04:40:38 [IKEv1]: IP = a.a.a.a, Error: Unable to remove PeerTblEntry
ptuttle1319 Author Commented:
Here are the config lines for a Microsoft VPN L2TP client, using MS-CHAP v2 and a pre-shared key of ciscovpn123. 10.20.0.0 is the test internal network, 192.168.90.0 is the range for VPN users.


access-list nonat extended permit ip 10.20.0.0 255.255.0.0 192.168.90.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool clientVPNpool 192.168.90.1-192.168.90.254 mask 255.255.255.0

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes
 dns-server value 10.20.10.1
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value cisco.com
username vpnuser password 12345 mschap

crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
 exi
tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group LOCAL
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key ciscovpn123
 exi
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
 exi
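A small config check, added here as an example (it is not from the thread and not a Cisco tool), that walks a saved ASA config for the mismatches this thread ran into before the final working config: a group-policy vpn-tunnel-protocol without both IPSec and l2tp-ipsec (the 713206 "Conflicting protocols" message), a transform-set used by the dynamic map that is not in transport mode, PFS left on for a Windows L2TP/IPsec client, and no NAT-T. It assumes 7.2-era syntax where child lines are indented under their parent; the BROKEN excerpt is constructed.

```python
import re

def parse_blocks(config: str) -> list:
    """Split an ASA config into (top-level line, [indented child lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # skip blanks and '!' separators
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        elif not raw[0].isspace():
            blocks.append((raw.strip(), []))
    return blocks

def check_l2tp_ipsec(config: str) -> list:
    """Return findings for the L2TP/IPsec mismatches seen in this thread; [] means clean."""
    findings = []
    blocks = parse_blocks(config)
    heads = [h for h, _ in blocks]
    # 1. Group-policy must allow both IPSec and l2tp-ipsec, else syslog 713206 rejects the tunnel.
    for h, kids in blocks:
        if h.startswith("group-policy ") and h.endswith(" attributes"):
            for k in kids:
                if k.startswith("vpn-tunnel-protocol"):
                    protos = {p.lower() for p in k.split()[1:]}
                    if not {"ipsec", "l2tp-ipsec"} <= protos:
                        findings.append(f"{h}: vpn-tunnel-protocol needs 'IPSec l2tp-ipsec', has {sorted(protos)}")
    # 2. Transform-sets used by the dynamic map must be transport mode; PFS must be off for Windows.
    transport, used = set(), set()
    for h in heads:
        if m := re.match(r"crypto ipsec transform-set (\S+) mode transport$", h):
            transport.add(m.group(1))
        if m := re.match(r"crypto dynamic-map \S+ \d+ set transform-set (.+)$", h):
            used.update(m.group(1).split())
        if re.match(r"crypto dynamic-map \S+ \d+ set pfs", h):
            findings.append(f"{h}: PFS enabled, but the Windows L2TP/IPsec client does not offer PFS")
    for ts in sorted(used - transport):
        findings.append(f"transform-set {ts}: missing 'mode transport' (L2TP/IPsec runs ESP in transport mode)")
    # 3. NAT-T is needed whenever the client sits behind a NAT device (the working config enables it).
    if not any(h.startswith("crypto isakmp nat-traversal") for h in heads):
        findings.append("crypto isakmp nat-traversal not enabled; clients behind NAT will fail")
    return findings

# Constructed excerpt combining the mistakes seen across the thread (not a real device config).
BROKEN = """\
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto isakmp enable outside
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
"""

if __name__ == "__main__":
    print("\n".join(check_l2tp_ipsec(BROKEN)) or "OK")
```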