
I am trying to set up remote VPN access on our Cisco ASA 5505 (IKEv1 with pre-shared key) so I can connect with the Windows native VPN client using an L2TP/IPsec tunnel.

We already have IKEv1 pre-shared key set up with a group ID configured, but since Windows doesn't support group IDs, I need to use the DefaultRAGroup.

I managed to complete Phase 1 after adding the correct IKEv1 policy. But to fix the mismatch problem at Phase 2, I figured out that I need to add the ESP-3DES-SHA-TRANS transport-mode transform set to the dynamic crypto map.

The problem is: after adding the correct transform set (ESP-3DES-SHA-TRANS) to the crypto map using ASDM, the router refuses to let any traffic out to the Internet, not just the VPN traffic but all traffic. I tried twice and needed to restart the firewall both times to get it running again.

Not sure if I should post the running configuration. We don't have any advanced routing, just a static route outside really. We have another site-to-site VPN using a static crypto map, but that shouldn't affect this.

Any idea what could cause this behavior? What is the cli command for adding that transform set to the crypto map?

Andreas
  • In ASDM go to Tools > Preferences and enable `Preview commands before sending them to the device.` Then when you make a change, before the change is actually pushed to the ASA it will pop up a window showing what CLI command(s) will be pushed. If that doesn't help you to figure it out then please post your running config and the command(s) shown in the preview window. – hertitu Nov 07 '16 at 18:29

1 Answer


Thanks hertitu, that helped.

I tried to edit via ASDM --> Network (Client) Access --> Advanced --> IPsec --> Crypto Maps, and added the ESP-3DES-SHA-TRANS transform set to the default dynamic crypto map.

The following commands were generated:

    access-list outside_cryptomap_65535.65535 line 1 extended permit ip any4 any4
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address outside_cryptomap_65535.65535

That didn't feel right, so I trashed those and manually ran

    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 ESP-3DES-SHA-TRANS

instead. Now I managed to complete Phase 2 with my Windows client!

Andreas
  • Thanks for sharing... sounds like a possible bug in ASDM as it definitely should not push a "permit ip any4 any4 " entry into the crypto ACL. – hertitu Nov 08 '16 at 13:06
  • BTW please mark your own answer as correct, so your question doesn't stay in the unanswered question list :) thanks! – hertitu Nov 08 '16 at 13:09
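The two things this thread turns on are (a) a crypto ACL of `permit ip any4 any4` attached to the dynamic map, which hertitu says ASDM should never have generated, and (b) the transport-mode transform set missing from the dynamic map's `set ikev1 transform-set` list. Below is an added example (not from the thread, not Cisco's code) of a small checker that reads an ASA running-config, flags both conditions, and prints the CLI to fix them. The sample configs are constructed from the fragments posted in the answer; the remediation commands use standard ASA syntax (`no crypto dynamic-map ... match address ...`, `clear configure access-list ...`) but you should verify them in preview mode on your own version. Note that `set ikev1 transform-set` replaces the whole list rather than appending to it, which is why the answer's command re-lists every existing set before adding ESP-3DES-SHA-TRANS, and why the checker does the same.

```python
"""Audit an ASA running-config for wide-open crypto ACLs on dynamic maps
and for a missing transform set. Added example, not the thread's own code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: what the running config looked like after ASDM pushed
# the ACL from the answer, with the required transport-mode set still absent.
BROKEN_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
access-list outside_cryptomap_65535.65535 extended permit ip any4 any4
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 match address outside_cryptomap_65535.65535
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
"""

# Constructed sample: the state after running the command from the answer.
FIXED_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-3DES-SHA ESP-3DES-SHA-TRANS
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
"""

DYN_RE = re.compile(r"^crypto dynamic-map (?P<name>\S+) (?P<seq>\d+) (?P<rest>.+)$")
# Matches both the running-config form and the ASDM preview form ("line N").
ANY_ACL_RE = re.compile(
    r"^access-list (?P<acl>\S+) (?:line \d+ )?extended permit ip "
    r"(?:any|any4|any6) (?:any|any4|any6)\s*$"
)

DynMapKey = Tuple[str, int]


@dataclass
class DynMapEntry:
    match_address: Optional[str] = None
    transform_sets: List[str] = field(default_factory=list)


def parse_dynamic_maps(config: str) -> Dict[DynMapKey, DynMapEntry]:
    """Collect per (map name, sequence) the crypto ACL and transform-set list."""
    maps: Dict[DynMapKey, DynMapEntry] = {}
    for line in config.splitlines():
        m = DYN_RE.match(line.strip())
        if not m:
            continue
        entry = maps.setdefault((m["name"], int(m["seq"])), DynMapEntry())
        words = m["rest"].split()
        if words[:2] == ["match", "address"]:
            entry.match_address = words[2]
        elif words[:3] == ["set", "ikev1", "transform-set"]:
            entry.transform_sets = words[3:]
    return maps


def permit_any_acls(config: str) -> Set[str]:
    """Names of ACLs containing a 'permit ip any any' style entry."""
    acls: Set[str] = set()
    for line in config.splitlines():
        m = ANY_ACL_RE.match(line.strip())
        if m:
            acls.add(m["acl"])
    return acls


def audit(config: str, required_ts: str) -> List[str]:
    """Human-readable findings; empty list means both checks passed."""
    findings: List[str] = []
    wide_open = permit_any_acls(config)
    for (name, seq), entry in parse_dynamic_maps(config).items():
        if entry.match_address in wide_open:
            findings.append(f"{name} {seq}: match address {entry.match_address} permits ip any any")
        if required_ts not in entry.transform_sets:
            findings.append(f"{name} {seq}: transform-set {required_ts} not in list")
    return findings


def remediation(config: str, required_ts: str) -> List[str]:
    """CLI lines that would clear each finding (review in ASDM preview first)."""
    cmds: List[str] = []
    wide_open = permit_any_acls(config)
    for (name, seq), entry in parse_dynamic_maps(config).items():
        if entry.match_address in wide_open:
            cmds.append(f"no crypto dynamic-map {name} {seq} match address {entry.match_address}")
            cmds.append(f"clear configure access-list {entry.match_address}")
        if required_ts not in entry.transform_sets:
            # The set command replaces the list, so re-emit the existing sets too.
            sets = entry.transform_sets + [required_ts]
            cmds.append(f"crypto dynamic-map {name} {seq} set ikev1 transform-set " + " ".join(sets))
    return cmds


if __name__ == "__main__":
    for finding in audit(BROKEN_CONFIG, "ESP-3DES-SHA-TRANS"):
        print("FINDING:", finding)
    for cmd in remediation(BROKEN_CONFIG, "ESP-3DES-SHA-TRANS"):
        print("FIX:", cmd)
```

Feed it the output of `show running-config` (or just the `crypto` and `access-list` sections) and confirm afterwards with `show run crypto dynamic-map` that the transform-set list contains ESP-3DES-SHA-TRANS and no `match address` line points at an any-to-any ACL.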