• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2362

Cisco VPN client

I've got a Cisco ASA as gateway and an MS Server 2008 R2 environment. I want to access the server from outside with Cisco VPN client version 5.
I have made the RADIUS server on 2008 and the AAA on the ASA.
Testing from the ASA shows OK. When I try to access it by client from outside, I get the following message:

1      08:15:46.383  09/06/12  Sev=Warning/3      IKE/0xE3000057
The received HASH payload cannot be verified

2      08:15:46.383  09/06/12  Sev=Warning/2      IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.

3      08:15:46.383  09/06/12  Sev=Warning/2      IKE/0xE300009B
Failed to authenticate peer (Navigator:904)

4      08:15:46.383  09/06/12  Sev=Warning/2      IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2238)


I have checked the group name and the password several times.
Any solution?

regards
asa---Kopi.txt
0
Asked: ok-fonden
1 Solution
 
fgasimzadeCommented:
Can you post your config please?
0
 
ok-fondenAuthor Commented:
It's attached to my question: 'ASA-kopi.txt'

Any other config ?

thanks
0
 
fgasimzadeCommented:
Sorry, I did not notice it.

You are missing a tunnel group for remote access and an address pool:

ip local pool rapool 192.168.2.10-192.168.2.30
tunnel-group DefaultRAGroup type ipsec-ra
tunnel-group DefaultRAGroup general-attributes
 address-pool rapool
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key <your preshared key>
0
 
Ernie BeekCommented:
I took the liberty of adding the topics Cisco PIX Firewall, Windows Server 2008 to your question to draw some extra attention.
0
 
ok-fondenAuthor Commented:
Erniebeek - thanks a lot :-)
0
 
ok-fondenAuthor Commented:
fgasimzade :

The IP : 192.168.2.10-192.168.2.30
Are those the inside IP range for inside units I can access ?

regards
0
 
fgasimzadeCommented:
No, you need to create a new DHCP pool for VPN clients. I suggested using 192.168.2.0, but you can use any other you want except 192.168.1.0 (already used for inside).
0
 
Ernie BeekCommented:
You're welcome :)

As long as I'm here, you did check the group name/password on the ASA and client?
0
 
Ernie BeekCommented:
Never mind, you did that (reading questions is a skill in itself ;)

But then I would like to know (perhaps asking the obvious): you do use the groupname/password in the client that you configured on the ASA and not the AD groupname/username?
0
 
ok-fondenAuthor Commented:
Hi again

Yes to the question :-)

The line:
tunnel-group DefaultRAGroup type ipsec-ra

It won't take that.

regards
0
 
fgasimzadeCommented:
Oops, it is deprecated. Try:

tunnel-group DefaultRAGroup type remote-access
0
 
ok-fondenAuthor Commented:
It says:

tunnel-group DefaultRAGroup type remote-access
                                              ^
ERROR: % Invalid input detected at '^' marker.
0
 
fgasimzadeCommented:
Try a different name for the group. Take a look here:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpnrmote.html
0
 
ok-fondenAuthor Commented:
ip local pool rapool 192.168.2.10-192.168.2.30
tunnel-group testgroup type remote-access
tunnel-group testgroup general-attributes
 address-pool rapool
tunnel-group testgroup ipsec-attributes
 pre-shared-key *****

Still saying: not connected :-(
0
 
Ernie BeekCommented:
Is it still saying: Hash verification failed... may be configured with invalid group password. ?
0
 
ok-fondenAuthor Commented:
YO - it almost works - wrong group name.
Now I can enter username and password.

I can't get authentication from the server.
Writing the same username and password as the test inside the ASA against the server.
0
 
Ernie BeekCommented:
Writing the same username and password as the test inside the ASA against the server.

So that would be the AD username/password?
0
 
ok-fondenAuthor Commented:
Yes

In the AAA server groups I test with the AD name and password,
and the test is OK (using the GUI).
From my Cisco VPN, I do the same - not connected.
0
 
Ernie BeekCommented:
Ok, is it showing anything in the logs (ASA logs/event logs)?
Perhaps the user isn't allowed (yet) to setup a VPN?
0
 
ok-fondenAuthor Commented:
Dial-in is active in AD for the user.

Nothing in the ASA or event logs.
0
 
Ernie BeekCommented:
So that would imply the RADIUS client is set up correctly in NPS (because the ASA can connect and successfully test). We might want to have a look at your connection request policy and network policy in NPS.
0
 
ok-fondenAuthor Commented:
0
 
Ernie BeekCommented:
I assume you double checked the setup (of course :)
If you have a look at the NPS log (%systemroot%\System32\LogFiles), anything showing in there?
0
 
ok-fondenAuthor Commented:
Return later - double checking.
No NPS log appears - weird
0
 
Ernie BeekCommented:
0
 
ok-fondenAuthor Commented:
This is the log from the VPN client:

18     15:23:43.378  09/10/12  Sev=Info/4      IKE/0x63000083
IKE Port in use - Local Port =  0xCFA0, Remote Port = 0x1194

19     15:23:43.378  09/10/12  Sev=Info/5      IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

20     15:23:43.378  09/10/12  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

21     15:23:43.378  09/10/12  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 81.161.191.97

22     15:23:43.378  09/10/12  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 81.161.191.97

23     15:23:43.378  09/10/12  Sev=Info/4      CM/0x63100015
Launch xAuth application

24     15:23:53.658  09/10/12  Sev=Info/6      IKE/0x63000055
Sent a keepalive on the IPSec SA

25     15:23:58.994  09/10/12  Sev=Info/4      CM/0x63100017
xAuth application returned

26     15:23:58.994  09/10/12  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 81.161.191.97

27     15:23:59.009  09/10/12  Sev=Info/5      IKE/0x6300002F
Received ISAKMP packet: peer = 81.161.191.97

28     15:23:59.009  09/10/12  Sev=Info/4      IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 81.161.191.97

29     15:23:59.009  09/10/12  Sev=Info/4      CM/0x63100015
Launch xAuth application

30     15:24:01.115  09/10/12  Sev=Info/4      CM/0x63100017
xAuth application returned

31     15:24:01.115  09/10/12  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 81.161.191.97

32     15:24:01.115  09/10/12  Sev=Info/4      CM/0x63100018
User does not provide any authentication data

33     15:24:01.115  09/10/12  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection
0
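The two client logs in this thread point at different stages of the IKEv1 aggressive-mode exchange: the "Hash verification failed" entries in the question fire before any user credentials are exchanged (the tunnel-group name or pre-shared key did not match), while the log above shows Phase 1 established, the XAUTH prompt launched, and then "User does not provide any authentication data", meaning the client sent no XAUTH credentials and the ASA had nothing to forward to RADIUS, which fits the empty NPS log. The following Python script is an added example, not code from the thread or from Cisco, that parses the Cisco VPN Client v5 log format into entries and maps the recognised messages to a stage. The embedded samples are excerpts of the logs posted in this thread; the stage labels and verdict keys are naming chosen for this example, not Cisco terminology.

```python
"""Parse Cisco VPN Client (v5) IKE/CM log entries and name the failing stage."""
from __future__ import annotations
import re
from dataclasses import dataclass

# One entry = a header line followed by one or more message lines, then a blank line:
#   "2      08:15:46.383  09/06/12  Sev=Warning/2      IKE/0xE300007E"
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d{3})\s+(?P<date>\d\d/\d\d/\d\d)"
    r"\s+Sev=(?P<sev>[A-Za-z]+)/(?P<level>\d)\s+(?P<module>[A-Za-z]+)/(?P<code>0x[0-9A-Fa-f]+)\s*$"
)

@dataclass
class Entry:
    seq: int
    time: str
    date: str
    sev: str
    level: int
    module: str
    code: str
    message: str

def parse_log(text: str) -> list[Entry]:
    """Split the log into Entry objects; multi-line messages are joined with newlines."""
    entries: list[Entry] = []
    header = None
    body: list[str] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            if header is not None:
                entries.append(Entry(**header, message="\n".join(body).strip()))
            header = m.groupdict()
            header["seq"] = int(header["seq"])
            header["level"] = int(header["level"])
            body = []
        elif header is not None:
            body.append(line.rstrip())
    if header is not None:
        entries.append(Entry(**header, message="\n".join(body).strip()))
    return entries

# Messages that mark a stage of the aggressive-mode group auth + XAUTH exchange.
# The labels are naming chosen for this example.
STAGE_RULES = [
    ("received HASH payload cannot be verified", "phase1-hash-failed"),
    ("Hash verification failed", "phase1-psk-mismatch"),
    ("Established Phase 1 SA", "phase1-established"),
    ("Launch xAuth application", "xauth-prompt"),
    ("User does not provide any authentication data", "xauth-no-credentials"),
    ("IKE received signal to terminate", "terminated"),
]

def timeline(entries: list[Entry]) -> list[tuple[int, str]]:
    """Ordered (seq, stage) pairs for the entries that match a known message."""
    out = []
    for e in entries:
        for needle, stage in STAGE_RULES:
            if needle in e.message:
                out.append((e.seq, stage))
                break
    return out

VERDICTS = {
    "group-auth": "Phase 1 failed: tunnel-group name or pre-shared key mismatch; RADIUS never consulted.",
    "xauth": "Phase 1 ok, but the client sent no XAUTH credentials; nothing reached RADIUS/NPS.",
    "phase1-ok": "Phase 1 ok; check the ASA and NPS logs for the XAUTH result.",
    "unknown": "No recognised failure message in this excerpt.",
}

def diagnose(entries: list[Entry]) -> str:
    """Return the VERDICTS key that best describes the excerpt."""
    stages = {s for _, s in timeline(entries)}
    if "phase1-psk-mismatch" in stages or "phase1-hash-failed" in stages:
        return "group-auth"
    if "xauth-no-credentials" in stages:
        return "xauth"
    if "phase1-established" in stages:
        return "phase1-ok"
    return "unknown"

# Sample input: excerpts of the two client logs posted in this thread.
PSK_FAIL_LOG = """\
1      08:15:46.383  09/06/12  Sev=Warning/3      IKE/0xE3000057
The received HASH payload cannot be verified

2      08:15:46.383  09/06/12  Sev=Warning/2      IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.
"""

XAUTH_FAIL_LOG = """\
20     15:23:43.378  09/10/12  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

23     15:23:43.378  09/10/12  Sev=Info/4      CM/0x63100015
Launch xAuth application

32     15:24:01.115  09/10/12  Sev=Info/4      CM/0x63100018
User does not provide any authentication data

33     15:24:01.115  09/10/12  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection
"""

if __name__ == "__main__":
    for name, text in (("question", PSK_FAIL_LOG), ("follow-up", XAUTH_FAIL_LOG)):
        entries = parse_log(text)
        print(name, timeline(entries), VERDICTS[diagnose(entries)])
```

The verdict distinguishes the two failures a defender should treat differently: a group-auth failure is a configuration or shared-secret problem on the ASA side and generates no RADIUS traffic, so an empty NPS log is expected there, whereas an XAUTH failure after a successful Phase 1 is where NPS request and network policies come into play.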
 
Ernie BeekCommented:
OK:
User does not provide any authentication data

?
0
 
ok-fondenAuthor Commented:
Yes ?

Client attached
Client.JPG
0
 
fgasimzadeCommented:
For group authentication you need to use the tunnel group name and pre-shared key.
0
 
Ernie BeekCommented:
That's what I was aiming at :)
0
 
ok-fondenAuthor Commented:
I suppose you mean in the ASA?

ip local pool rapool 192.168.2.10-192.168.2.30
tunnel-group Gade type remote-access
tunnel-group Gade general-attributes
 address-pool rapool
tunnel-group Gade ipsec-attributes
 pre-shared-key *****
0
 
fgasimzadeCommented:
Yes, the group name is Gade, the password is the pre-shared key.
0
 
Ernie BeekCommented:
So it looks like you're using that, looking at Client.jpg.

Do all the clients experience this issue, did you try it from another client?
Perhaps you could try and see if there's a newer version of the client?
0
 
ok-fondenAuthor Commented:
Using the same client as I do for other connections against
other ASA 5505s. Those firewalls are not configured by me.
This is the first time making my own connection :-)
No other clients have tried. It's a private one to my own
firewall.
Looking at the server later today and will return.
Thanks guys for now :-)
0
 
Ernie BeekCommented:
We'll be here ;)
0
 
ok-fondenAuthor Commented:
Hi guys

WHEEEEE - it's done

1000 thanks for your great help. The Win server was OK and I made the changes in the ASA
listed below:

ip local pool rapool 192.168.2.10-192.168.2.30 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
dynamic-access-policy-record DfltAccessPolicy
aaa-server Gade protocol radius
aaa-server Gade (inside) host 192.168.1.2
 timeout 5
 key *****
 radius-common-pw *****
nac-policy DfltGrpPolicy-nac-framework-create nac-framework
 reval-period 36000
 sq-period 300
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 10
webvpn
group-policy Gade internal
group-policy Gade attributes
 vpn-tunnel-protocol IPSec
tunnel-group Gade type remote-access
tunnel-group Gade general-attributes
 address-pool rapool
 authentication-server-group Gade
 default-group-policy Gade
tunnel-group Gade ipsec-attributes
 pre-shared-key *****

Kind regards
0
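The working config above differs from the intermediate one in exactly the references that make XAUTH reach RADIUS: the tunnel-group now names an authentication-server-group that exists as an aaa-server, and a default-group-policy that exists. The following Python check is an added example, not part of the thread or of Cisco's tooling, that reads an ASA config fragment and verifies for every remote-access tunnel-group that its address-pool, authentication-server-group and default-group-policy are defined, that a pre-shared key is set, and that ISAKMP is enabled on the outside interface. It also flags the 3DES / DH group 2 IKE policy used here as legacy: that was common in 2012, but AES and DH group 14 or stronger are what a current deployment should use. The two embedded configs are the intermediate and final snippets posted in this thread, keys redacted as they were posted; the finding texts are wording chosen for this example.

```python
"""Sanity-check an ASA IKEv1 remote-access configuration fragment."""
import re

def parse_asa(text):
    """Group an ASA config fragment into (command, [sub-commands]) pairs.
    Lines that start with whitespace belong to the preceding top-level command."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def sub_commands(blocks, command):
    """Sub-commands of the given top-level command, or [] if it is absent."""
    for cmd, subs in blocks:
        if cmd == command:
            return subs
    return []

def attr(subs, keyword):
    """Value of 'keyword <value>' inside a sub-command list, or None."""
    for s in subs:
        parts = s.split()
        if len(parts) > 1 and parts[0] == keyword:
            return parts[1]
    return None

# IKE policy settings a current deployment should no longer use.
LEGACY = {"encryption des", "encryption 3des", "hash md5", "group 1", "group 2"}

def check_remote_access(text):
    """Return a list of findings (empty list = nothing to report)."""
    blocks = parse_asa(text)
    cmds = [c for c, _ in blocks]
    pools = {c.split()[3] for c in cmds if c.startswith("ip local pool ")}
    aaa = {c.split()[1] for c in cmds if re.match(r"aaa-server \S+ protocol ", c)}
    gpolicies = {c.split()[1] for c in cmds if re.match(r"group-policy \S+ (internal|external)", c)}
    ra = [c.split()[1] for c in cmds if re.match(r"tunnel-group \S+ type remote-access$", c)]
    findings = []
    if "crypto isakmp enable outside" not in cmds:
        findings.append("ISAKMP is not enabled on the outside interface")
    for tg in ra:
        gen = sub_commands(blocks, f"tunnel-group {tg} general-attributes")
        ips = sub_commands(blocks, f"tunnel-group {tg} ipsec-attributes")
        pool = attr(gen, "address-pool")
        if pool is None:
            findings.append(f"{tg}: no address-pool, clients cannot be assigned an address")
        elif pool not in pools:
            findings.append(f"{tg}: address-pool {pool} is not defined by 'ip local pool'")
        auth = attr(gen, "authentication-server-group")
        if auth is None:
            findings.append(f"{tg}: no authentication-server-group, XAUTH will not use RADIUS")
        elif auth not in aaa:
            findings.append(f"{tg}: authentication-server-group {auth} has no aaa-server definition")
        pol = attr(gen, "default-group-policy")
        if pol is not None and pol not in gpolicies:
            findings.append(f"{tg}: default-group-policy {pol} is not defined")
        if attr(ips, "pre-shared-key") is None:
            findings.append(f"{tg}: no pre-shared-key, IKEv1 group authentication will fail")
    for cmd, subs in blocks:
        if cmd.startswith("crypto isakmp policy "):
            weak = sorted(s for s in subs if s in LEGACY)
            if weak:
                findings.append(f"{cmd}: legacy algorithms {', '.join(weak)}")
    return findings

# Sample input: the intermediate snippet posted earlier in this thread.
EARLIER_CONFIG = """\
ip local pool rapool 192.168.2.10-192.168.2.30
tunnel-group Gade type remote-access
tunnel-group Gade general-attributes
 address-pool rapool
tunnel-group Gade ipsec-attributes
 pre-shared-key *****
"""

# Sample input: the final working config posted above (keys redacted as posted).
WORKING_CONFIG = """\
ip local pool rapool 192.168.2.10-192.168.2.30 mask 255.255.255.0
aaa-server Gade protocol radius
aaa-server Gade (inside) host 192.168.1.2
 timeout 5
 key *****
 radius-common-pw *****
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 10
group-policy Gade internal
group-policy Gade attributes
 vpn-tunnel-protocol IPSec
tunnel-group Gade type remote-access
tunnel-group Gade general-attributes
 address-pool rapool
 authentication-server-group Gade
 default-group-policy Gade
tunnel-group Gade ipsec-attributes
 pre-shared-key *****
"""

if __name__ == "__main__":
    for name, cfg in (("earlier", EARLIER_CONFIG), ("final", WORKING_CONFIG)):
        print(name, check_remote_access(cfg) or ["no findings"])
```

On the intermediate snippet the check reports the missing authentication-server-group (so XAUTH would never have consulted NPS, matching the empty NPS log), while on the final config the only finding left is the legacy 3DES / group 2 IKE policy.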
 
ok-fondenAuthor Commented:
Thanks to both of you :-)

To fgasimzade:

I'll try to find out how to get you points too :-)
0
 
Ernie BeekCommented:
I could reopen the question so you can redivide the points (?)
0
 
fgasimzadeCommented:
Well done! )) thanks for the points in advance!
0
 
ok-fondenAuthor Commented:
Erniebeek :

I would like to give both of you the max, but could not find out how.
0
 
Ernie BeekCommented:
Well, for two persons 250 each is the max (with grade A is times 4 so 1000 each) per question.
For the rest we'll have to do with eternal fame and glory (and t-shirts ;)
0
