remote access vpn error

Status
Not open for further replies.

Maj0r123

Aug 6, 2009
I am configuring remote access VPN on a Cisco ASA5500 and I have this error:

Aug 06 12:18:59 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 1 Cfg'd: Group 2

Attempt to get Phase 1 ID data failed while constructing ID

Please, what is the cause of this error?
Who has noticed this and what is the solution?
Thanks for your response in advance.

major
 
You are failing phase one. Phase one consists of 3 parts:

peer (the two connecting devices)
policy (3DES or MD5 or whatever you choose)
password (not the username/password but the tunnel group password)

One of these does not match at one end.
 
Thanks for the response. I have checked and checked and I seem not to be sighting the error. Below is my config:

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3des-md5 esp-aes esp-sha-hmac
crypto ipsec transform-set certvpn esp-aes esp-sha-hmac
crypto ipsec transform-set cert esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-AES-128-SHA certvpn
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 21 set transform-set certvpn
crypto dynamic-map Outside_dyn_map 21 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 21 set security-association lifetime kilobytes 4608000
crypto dynamic-map Outside_dyn_map 31 set transform-set cert ESP-3DES-SHA ESP-3des-md5 certvpn
crypto dynamic-map Outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map Outside_dyn_map 40 set security-association lifetime seconds 28800
crypto dynamic-map Outside_dyn_map 40 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto ca trustpoint major
enrollment url subject-name CN=bng-asa.wcsa.com,OU=ict,O=wcsa lng,C=ng,St=la,L=hq
serial-number
keypair dmzca
crl configure
crypto ca certificate chain major
crypto isakmp enable Outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 1000
authentication rsa-sig
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 1100
authentication rsa-sig
encryption aes
hash md5
group 1
lifetime 86400
crypto isakmp policy 65530
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
group-policy defaultgroup internal
group-policy Defaultgroup internal
group-policy Defaultgroup attributes
default-domain value wcsa.com
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.13.200.113
address-pools value Certvpnip
tunnel-group DefaultRAGroup general-attributes
address-pool Certvpnip
address-pool certvpnip
authentication-server-group ACS LOCAL
tunnel-group DefaultRAGroup ipsec-attributes
trust-point major
tunnel-group wcsa_Remote type remote-access
tunnel-group wcsa_Remote general-attributes
address-pool wcsaVPN
authentication-server-group ACS
accounting-server-group ACS
default-group-policy wcsa_Remote
tunnel-group wcsa_Remote ipsec-attributes
pre-shared-key *
tunnel-group defaultgroup type remote-access
tunnel-group defaultgroup general-attributes
address-pool Certvpnip
tunnel-group defaultgroup ipsec-attributes
trust-point major


Please note that we have two tunnels and one is working perfectly, except for the CA one!
 
Are you certain this is the correct info:
crypto ca trustpoint major
enrollment url subject-name CN=bng-asa.wcsa.com,OU=ict,O=wcsa lng,C=ng,St=la,L=hq
serial-number
keypair dmzca
crl configure
crypto ca certificate chain major
 
It is correct. I used to have this error: unable to authenticate peer identity because my CA was on the inside, but eventually I moved it to the DMZ and this error stopped, while the earlier error still persists.
 