Hot Downloads

Welcome, Guest
Username: Password: Remember me

TOPIC: Help with Cisco Easy VPN config

Help with Cisco Easy VPN config 7 years 11 months ago #28701

  • Ragathol
  • Ragathol's Avatar
  • Offline
  • New Member
  • Posts: 1
  • Karma: 0
Hello,

I get this message when trying to connect easy vpn between two ASA 5500.

construct_ipsec_delete(): No SPI to identify Phase 2 SA!

config of server:

: Saved
:
ASA Version 8.0(4)
!
hostname
domain-name
enable password 3f0HNhT6m1kcD9BX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.51.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name .local
same-security-traffic permit intra-interface
access-list Deny_ALL extended deny ip any any
access-list inside_nat0_outbound extended permit ip 192.168.51.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.51.0 255.255.255.0 192.168.3.48 255.255.255.240
access-list split_tunnel_list standard permit 192.168.51.0 255.255.255.0
access-list ezvpn1 extended permit ip 192.168.51.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.51.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.51.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list easyvpn standard permit 192.168.51.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnusers 10.1.1.10-10.1.1.25 mask 255.255.255.0
ip local pool easyvpn 192.168.3.50-192.168.3.60 mask 255.255.255.0
ip local pool esayvpn 192.168.2.25-192.168.2.75 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-615.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record vpnusers
aaa-server concordia protocol ldap
aaa-server concordia (inside) host 192.168.51.21
ldap-base-dn dc=concordialund,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *
ldap-login-dn cn=cisco,cn=users,dc=concordialund,dc=local
server-type microsoft
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.51.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_3DES_MD5 mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set easy esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_3DES_MD5 ESP-3DES-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto dynamic-map ezvpn 30 set transform-set TRANS_3DES_MD5
crypto dynamic-map ezvpn 30 set security-association lifetime seconds 28800
crypto dynamic-map ezvpn 30 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic ezvpn
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no vpn-addr-assign aaa
telnet timeout 5
ssh timeout 5
console timeout 0
dhcp-client broadcast-flag
dhcp-client client-id interface outside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
svc enable
internal-password enable
group-policy sslvpn internal
group-policy sslvpn attributes
wins-server value 192.168.51.21
dns-server value 192.168.51.21
vpn-tunnel-protocol IPSec svc webvpn
default-domain value .local
msie-proxy method no-proxy
webvpn
url-list value sslvpn
svc ask enable default svc timeout 30
group-policy DfltGrpPolicy attributes
wins-server value 192.168.51.21
dns-server value 192.168.51.21
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
re-xauth enable extended
pfs enable
address-pools value vpnusers
group-policy easy internal
group-policy easy attributes
wins-server value 192.168.51.21
dns-server value 192.168.51.21
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel_list
default-domain value .local
nem enable
username sslvpn password 2mu0CYcaFmzjSO9J encrypted privilege 0
username sslvpn attributes
vpn-group-policy sslvpn
username kontoretmalmo password RUgldTqjGOmn/xSl encrypted
username kontoretmalmo attributes
vpn-group-policy sslvpn
username easyvpn password OoscLyQ2ZAPLq.uY encrypted privilege 15
username christofer password UoxRR3qNpCdyhk.. encrypted
username christofer attributes
vpn-group-policy sslvpn
username compliq password 0v9ZVttUw1DvVrmi encrypted privilege 0
username compliq attributes
vpn-group-policy sslvpn
tunnel-group DefaultRAGroup general-attributes
address-pool vpnusers
authentication-server-group concordia
authorization-server-group concordia
username-from-certificate use-entire-name
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
no authentication chap
no authentication ms-chap-v1
tunnel-group sslvpn type remote-access
tunnel-group sslvpn general-attributes
default-group-policy sslvpn
tunnel-group ssl-vpn type remote-access
tunnel-group ssl-vpn general-attributes
address-pool vpnusers
authorization-server-group concordia
default-group-policy sslvpn
tunnel-group easyvpn type remote-access
tunnel-group easyvpn ipsec-attributes
pre-shared-key *
tunnel-group easy type remote-access
tunnel-group easy general-attributes
address-pool (inside) easyvpn
address-pool easyvpn
default-group-policy easy
tunnel-group easy ipsec-attributes
pre-shared-key *
tunnel-group concordia type remote-access
tunnel-group concordia general-attributes
default-group-policy easy
tunnel-group concordia ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:07f97284fd11295469669b50c78abeb7
: end

Config of client:

: Saved
:
ASA Version 8.0(4)
!
hostname Hemma
domain-name ingvald.net
enable password 6lDBSz3UQwTT1FqX encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name ingvald.net
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object gre
protocol-object tcp
access-list outside_access_in extended permit ip any any
access-list inside_access_in extended permit ip any any
access-list outside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 192.168.1.0 255.255.255.0 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-614.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside control-plane
access-group outside_access_in in interface outside control-plane
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
vpnclient server xxx.xxx.xxx.188
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup easy password ********
vpnclient username easyvpn password ********
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:81bf6f20d1671e4ff55a617ceb039dc1
: end

Hopfully someone can help me I not very good at Cisco.

I wan't to use split tunneling on the client for internet access.

Thanks in Advance
Jorgen
The administrator has disabled public write access.

Re: Help with Cisco Easy VPN config 7 years 11 months ago #28705

  • r0nni3
  • r0nni3's Avatar
  • Offline
  • Distinguished Member
  • Posts: 107
  • Karma: 0
www.firewall.cx/ftopict-5441.html

maybe this one helps
Also there is a problem with the 8.0.4 software. The ISAKMP keepalives arent sent correctly meaning that your tunnel will time out allmost instantly if you dont send traffic over it. This isnt much of a problem if you dont have a backup line. Just a heads up because this once took me a day to figure out why the backup vpn was allways up and running and the main one wasnt
Currently working as Cisco Engineer at Neon-Networking.

Certifications:
CCNA - Have it
CCNA Security - Have it
CCSP - Almost!!!!
CCIE Security - Not so far away dream
The administrator has disabled public write access.
Time to create page: 0.108 seconds

CCENT/CCNA

Cisco Routers

  • SSL WebVPN
  • Securing Routers
  • Policy Based Routing
  • Router on-a-Stick

VPN Security

  • Understand DMVPN
  • GRE/IPSec Configuration
  • Site-to-Site IPSec VPN
  • IPSec Modes

Cisco Help

  • VPN Client Windows 8
  • VPN Client Windows 7
  • CCP Display Problem
  • Cisco Support App.

Windows 2012

  • New Features
  • Licensing
  • Hyper-V / VDI
  • Install Hyper-V

Linux

  • File Permissions
  • Webmin
  • Groups - Users
  • Samba Setup