Guys, I've completed the Proctor Labs Security Ebook lab 3 on POD 106 today, and had some issues with tunnel groups while doing an L2TP with IPsec to the PIX.

The question asked to allow a VPN from any source to connect to the PIX without the use of a VPN client. Whenever I tried to connect to the PIX via the XP workstation it would time out and the PIX log would display the following message:

%PIX-4-713903: Group = 192.1.49.100, IP = 192.1.49.100, Can't find a valid tunnel group, aborting...!
%PIX-7-715065: Group = 192.1.49.100, IP = 192.1.49.100, IKE MM Responder FSM error history (struct &0x28e7d58)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_TEST_CRACK-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY
%PIX-7-713906: Group = 192.1.49.100, IP = 192.1.49.100, IKE SA MM:dc270f2c terminating:  flags 0x01000002, refcnt 0, tuncnt 0

This is a new one on me. I've not had a huge amount of exposure to L2TP but thought I had covered all the bases: tunnel groups, group policies, dynamic maps, etc. Even tried the solution config but still the same. Any thoughts would be appreciated. (Full config and log attached!)

thanks
Stu

--
Stuart Hare
stuart.h...@gmail.com
PIX# sh log
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Deny Conn when Queue Full: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 775 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: disabled
'tunnel-group pixL2TP general-attributes' command.
%PIX-5-111008: User 'enable_15' executed the 'default-group-policy L2TP_GP' command.
%PIX-5-111008: User 'enable_15' executed the 'address-pool VPN' command.
%PIX-5-111008: User 'enable_15' executed the 'tunnel-group pixL2TP ipsec-attributes' command.
%PIX-5-111008: User 'enable_15' executed the 'pre-shared-key *' command.
%PIX-5-111005: console end configuration: OK
%PIX-5-111001: Begin configuration: console writing to memory
%PIX-5-111004: console end configuration: OK
%PIX-5-111008: User 'enable_15' executed the 'write' command.
%PIX-7-609001: Built local-host outside:192.1.49.100
%PIX-6-302015: Built inbound UDP connection 122 for outside:192.1.49.100/500 (192.1.49.100/500) to NP Identity Ifc:6.3.46.20/500 (6.3.46.20/500)
%PIX-7-713236: IP = 192.1.49.100, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 312
%PIX-7-715047: IP = 192.1.49.100, processing SA payload
%PIX-7-713906: IP = 192.1.49.100, Oakley proposal is acceptable
%PIX-7-715047: IP = 192.1.49.100, processing VID payload
%PIX-7-715047: IP = 192.1.49.100, processing VID payload
%PIX-7-715049: IP = 192.1.49.100, Received Fragmentation VID
%PIX-7-715047: IP = 192.1.49.100, processing VID payload
%PIX-7-715049: IP = 192.1.49.100, Received NAT-Traversal ver 02 VID
%PIX-7-715047: IP = 192.1.49.100, processing VID payload
%PIX-7-715047: IP = 192.1.49.100, processing IKE SA payload
%PIX-7-715028: IP = 192.1.49.100, IKE SA Proposal # 1, Transform # 3 acceptable Matches global IKE entry # 2
%PIX-7-715046: IP = 192.1.49.100, constructing ISAKMP SA payload
%PIX-7-715046: IP = 192.1.49.100, constructing Fragmentation VID + extended capabilities payload
%PIX-7-713236: IP = 192.1.49.100, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
%PIX-7-713236: IP = 192.1.49.100, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 184
%PIX-7-715047: IP = 192.1.49.100, processing ke payload
%PIX-7-715047: IP = 192.1.49.100, processing ISA_KE payload
%PIX-7-715047: IP = 192.1.49.100, processing nonce payload
%PIX-7-715046: IP = 192.1.49.100, constructing ke payload
%PIX-7-715046: IP = 192.1.49.100, constructing nonce payload
%PIX-7-715046: IP = 192.1.49.100, constructing Cisco Unity VID payload
%PIX-7-715046: IP = 192.1.49.100, constructing xauth V6 VID payload
%PIX-7-715048: IP = 192.1.49.100, Send IOS VID
%PIX-7-715038: IP = 192.1.49.100, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
%PIX-7-715046: IP = 192.1.49.100, constructing VID payload
%PIX-7-715048: IP = 192.1.49.100, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
%PIX-4-713903: Group = 192.1.49.100, IP = 192.1.49.100, Can't find a valid tunnel group, aborting...!
%PIX-7-715065: Group = 192.1.49.100, IP = 192.1.49.100, IKE MM Responder FSM error history (struct &0x28e7d58)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_TEST_CRACK-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY
%PIX-7-713906: Group = 192.1.49.100, IP = 192.1.49.100, IKE SA MM:dc270f2c terminating:  flags 0x01000002, refcnt 0, tuncnt 0
%PIX-7-713906: Group = 192.1.49.100, IP = 192.1.49.100, sending delete/delete with reason message
%PIX-3-713902: Group = 192.1.49.100, IP = 192.1.49.100, Removing peer from peer table failed, no match!
%PIX-4-713903: Group = 192.1.49.100, IP = 192.1.49.100, Error: Unable to remove PeerTblEntry
%PIX-4-713903: IP = 192.1.49.100, Header invalid, missing SA payload! (next payload = 4)
%PIX-7-713236: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
%PIX-4-713903: IP = 192.1.49.100, Header invalid, missing SA payload! (next payload = 4)
%PIX-7-713236: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
PIX#
PIX# sh run
: Saved
:
PIX Version 7.2(2)
!
hostname PIX
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 6.3.46.20 255.255.255.0
!
interface Ethernet0.1
 vlan 32
 nameif inside
 security-level 100
 ip address 6.3.32.20 255.255.255.0
!
interface Ethernet1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
logging enable
logging buffered debugging
mtu outside 1500
mtu inside 1500
ip local pool VPN 192.168.99.1-192.168.99.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
router ospf 1
 network 6.3.46.0 255.255.255.0 area 0
 log-adj-changes
 redistribute ospf 32 subnets
!
router ospf 32
 network 6.3.32.0 255.255.255.0 area 32
 log-adj-changes
 default-information originate always
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
aaa-server ACS protocol tacacs+
aaa-server ACS (outside) host 6.3.46.100
 timeout 5
 key cisco
group-policy L2TP_GP internal
group-policy L2TP_GP attributes
 vpn-tunnel-protocol l2tp-ipsec
username vpnu password mANo8HAtyABdoKeO encrypted
username cisco password 3USUcOPFUiMCO4Jk encrypted
aaa authentication ssh console ACS LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto ipsec transform-set TS mode transport
crypto dynamic-map DM 10 set transform-set TS
crypto dynamic-map DM 10 set reverse-route
crypto map CRM 10 ipsec-isakmp dynamic DM
crypto map CRM interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group L2TP type ipsec-ra
tunnel-group L2TP general-attributes
 address-pool VPN
 default-group-policy L2TP_GP
tunnel-group L2TP ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh 6.3.46.100 255.255.255.255 outside
ssh 6.3.32.32 255.255.255.255 inside
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b25f658827f2b39962754e3e5553cb06
: end
PIX#
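Added diagnostic example, not part of Stu's post and not Cisco code: a small Python script that parses PIX IKE syslog lines of the kind shown above, tracks how far main mode got per peer, and correlates a 713903 "Can't find a valid tunnel group" failure with the tunnel-group names declared in the running config. The log and config fragments are a constructed subset copied from the post. One assumption is built in and labelled in the code: that a PIX/ASA 7.x IKE responder resolves a main-mode pre-shared-key peer to a tunnel group named after the peer address and otherwise falls back to `DefaultRAGroup`; the script therefore reports whether either name exists in the config.

```python
import re

# Constructed subset of the syslog lines from the post; embedded so the script runs offline.
LOG_LINES = """\
%PIX-7-713236: IP = 192.1.49.100, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 312
%PIX-7-713906: IP = 192.1.49.100, Oakley proposal is acceptable
%PIX-7-713236: IP = 192.1.49.100, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
%PIX-7-713236: IP = 192.1.49.100, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 184
%PIX-4-713903: Group = 192.1.49.100, IP = 192.1.49.100, Can't find a valid tunnel group, aborting...!
%PIX-7-713906: Group = 192.1.49.100, IP = 192.1.49.100, IKE SA MM:dc270f2c terminating:  flags 0x01000002, refcnt 0, tuncnt 0
""".splitlines()

# The tunnel-group section of the running config from the post.
CONFIG = """\
tunnel-group L2TP type ipsec-ra
tunnel-group L2TP general-attributes
 address-pool VPN
 default-group-policy L2TP_GP
tunnel-group L2TP ipsec-attributes
 pre-shared-key *
"""

MSG_RE = re.compile(r"^%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
GROUP_RE = re.compile(r"^Group = (?P<group>\S+), IP = (?P<ip>\S+), (?P<text>.*)$")
IP_RE = re.compile(r"^IP = (?P<ip>\S+), (?P<text>.*)$")
DECODE_RE = re.compile(r"IKE_DECODE (?P<dir>RECEIVED|SENDING) Message \(msgid=\d+\)")


def configured_tunnel_groups(config):
    """Names declared with 'tunnel-group <name> type ...' in a running config."""
    return sorted({m.group(1) for m in re.finditer(r"^tunnel-group (\S+) type ", config, re.M)})


def lookup_candidates(peer_ip):
    """Tunnel-group names a main-mode PSK peer can resolve to.
    Assumption (not stated in the post): PIX/ASA 7.x tries a group named after the
    peer address, then falls back to DefaultRAGroup for remote-access peers."""
    return [peer_ip, "DefaultRAGroup"]


def parse_line(line):
    """Split a %PIX-<sev>-<id> line into severity, message id, group, peer IP and text."""
    m = MSG_RE.match(line)
    if not m:
        return None
    rec = {"severity": int(m.group("sev")), "msgid": m.group("msgid"), "group": None, "ip": None}
    body = m.group("body")
    g = GROUP_RE.match(body) or IP_RE.match(body)
    if g:
        rec["ip"] = g.group("ip")
        rec["text"] = g.group("text")
        if "group" in g.groupdict():
            rec["group"] = g.group("group")
    else:
        rec["text"] = body
    return rec


def diagnose(lines, config):
    """Per peer: IKE messages seen, whether phase 1 proposal matched, and whether the
    tunnel-group lookup failed against the groups the config actually defines."""
    groups = configured_tunnel_groups(config)
    peers = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] is None:
            continue
        p = peers.setdefault(rec["ip"], {"received": 0, "sent": 0, "proposal_ok": False,
                                          "lookup_group": None, "lookup_failed": False,
                                          "terminated": False})
        d = DECODE_RE.search(rec["text"])
        if d:
            p["received" if d.group("dir") == "RECEIVED" else "sent"] += 1
        if "Oakley proposal is acceptable" in rec["text"]:
            p["proposal_ok"] = True
        if rec["msgid"] == "713903" and "Can't find a valid tunnel group" in rec["text"]:
            p["lookup_failed"] = True
            p["lookup_group"] = rec["group"]   # PIX reports the peer IP here when no group matched
        if "terminating" in rec["text"]:
            p["terminated"] = True
    for ip, p in peers.items():
        wanted = lookup_candidates(ip)
        p["configured_groups"] = groups
        p["matching_groups"] = [g for g in wanted if g in groups]
        if p["lookup_failed"] and not p["matching_groups"]:
            p["finding"] = (f"peer {ip}: phase 1 proposal accepted, then lookup for group "
                            f"'{p['lookup_group']}' failed; none of {wanted} is configured "
                            f"(configured: {groups})")
        elif p["lookup_failed"]:
            p["finding"] = f"peer {ip}: lookup failed although {p['matching_groups']} exists"
        else:
            p["finding"] = f"peer {ip}: no tunnel-group lookup failure seen"
    return peers


if __name__ == "__main__":
    for result in diagnose(LOG_LINES, CONFIG).values():
        print(result["finding"])
```

Run against the post's own lines, the script shows that phase 1 negotiated normally (proposal accepted, two messages received, one sent) and that the responder then looked for a group named after the peer address, 192.1.49.100, while the only group declared in the config is `L2TP`; that mismatch is the thing to reconcile before looking further at the L2TP side.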