From: Alexei Monastyrnyi (alexeim@orcsoftware.com)
Date: Mon Apr 28 2008 - 11:20:43 ART
Hi.
Here is a config which worked for me on ASA 7.2(4).
Note that for Windows XP VPN clients you have to stick to DefaultRAGroup 
tunnel-group whilst for MAC OSX you can have a different name; 
group-policy may have a non-default name in both cases.
ip local pool vpn_clients x.x.x.x-x.x.x.y mask z.z.z.z
crypto ipsec transform-set l2tp3desmd5 esp-3des esp-md5-hmac
crypto ipsec transform-set l2tp3desmd5 mode transport
crypto ipsec transform-set l2tp3des esp-3des esp-sha-hmac
crypto ipsec transform-set l2tp3des mode transport
crypto dynamic-map mymap_l2tp_dyn 12 set transform-set l2tp3desmd5 l2tp3des
crypto map mymap 65535 ipsec-isakmp dynamic mymap_l2tp_dyn
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp nat-traversal  20
group-policy l2tp_policy internal
group-policy l2tp_policy attributes
 wins-server value x.x.x.x
 dns-server value y.y.y.y
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ipsec-my-stunnel
 default-domain value mydomain.com
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value x.x.x.x
 dns-server value y.y.y.y
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ipsec-my-stunnel
 default-domain value mydomain.com
username myuser password ****== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn_clients
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
 isakmp ikev1-user-authentication xauth
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
HTH
A.
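The reply above boils down to a checklist (transport-mode transform set offered by a dynamic map, a fully populated DefaultRAGroup tunnel-group pointing at a group-policy that permits l2tp-ipsec, MS-CHAPv2 with nt-encrypted local passwords). The script below is an added example, not code from either post: it parses an ASA config excerpt and runs those checks, plus a flag for single-DES transform sets. The rules, the parse_asa/lint_l2tp_ipsec names and the two sample configs (abridged from the thread, with placeholder password hashes) are all constructed here.

```python
"""Lint an ASA config excerpt for the L2TP-over-IPsec prerequisites discussed
above. Added example, not code from either post; checks and samples are constructed."""
import re
from collections import defaultdict

def parse_asa(text):
    """Return (top-level commands, {mode command: [indented sub-commands]})."""
    commands, sections, current = [], defaultdict(list), None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            commands.append(current)
    return commands, dict(sections)

def lint_l2tp_ipsec(text):
    """Return a sorted list of findings; an empty list means every check passed."""
    cmds, secs = parse_asa(text)
    findings = []
    # 1. L2TP rides inside ESP transport mode; the set must be offered by a dynamic map
    transport, referenced = set(), set()
    for c in cmds:
        m = re.match(r"crypto ipsec transform-set (\S+) mode transport$", c)
        if m:
            transport.add(m.group(1))
        m = re.match(r"crypto dynamic-map \S+ \d+ set transform-set (.+)$", c)
        if m:
            referenced.update(m.group(1).split())
        m = re.match(r"crypto ipsec transform-set (\S+) (esp-.+)$", c)
        if m and "esp-des" in m.group(2).split():  # 56-bit DES is not acceptable today
            findings.append(f"transform-set {m.group(1)} uses single DES")
    if not transport:
        findings.append("no transform-set in transport mode")
    elif not transport & referenced:
        findings.append("transport-mode transform-set not referenced by a dynamic map")
    # 2. Windows clients land in DefaultRAGroup, so it needs pool, policy and PSK
    ga = secs.get("tunnel-group DefaultRAGroup general-attributes", [])
    policy = [s.split()[1] for s in ga if s.startswith("default-group-policy ")]
    if not any(s.startswith("address-pool ") for s in ga):
        findings.append("tunnel-group DefaultRAGroup has no address-pool")
    if not policy:
        findings.append("tunnel-group DefaultRAGroup has no default-group-policy")
    else:
        attrs = secs.get(f"group-policy {policy[0]} attributes", [])
        proto = [s for s in attrs if s.startswith("vpn-tunnel-protocol ")]
        if not proto or "l2tp-ipsec" not in proto[0].split():
            findings.append(f"group-policy {policy[0]} does not permit l2tp-ipsec")
    ipsec = secs.get("tunnel-group DefaultRAGroup ipsec-attributes", [])
    if not any(s.startswith("pre-shared-key") for s in ipsec):
        findings.append("tunnel-group DefaultRAGroup has no pre-shared-key")
    # 3. PPP inside the tunnel: MS-CHAPv2, which needs nt-encrypted local passwords
    ppp = secs.get("tunnel-group DefaultRAGroup ppp-attributes", [])
    if "authentication ms-chap-v2" not in ppp:
        findings.append("tunnel-group DefaultRAGroup ppp-attributes lacks ms-chap-v2")
    users = [c for c in cmds if c.startswith("username ") and " password " in c]
    if users and not any(" nt-encrypted" in c for c in users):
        findings.append("no local user has an nt-encrypted password (needed for MS-CHAPv2)")
    return sorted(findings)

# Constructed samples modelled on the two configs in the thread; hashes are placeholders.
WORKING = """\
crypto ipsec transform-set l2tp3desmd5 esp-3des esp-md5-hmac
crypto ipsec transform-set l2tp3desmd5 mode transport
crypto dynamic-map mymap_l2tp_dyn 12 set transform-set l2tp3desmd5
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
username myuser password PLACEHOLDER_HASH== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn_clients
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
"""
BROKEN = """\
crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_DES_SHA
group-policy VPN-Group attributes
 vpn-tunnel-protocol l2tp-ipsec
username iman password PLACEHOLDER_HASH== nt-encrypted privilege 0
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group VPN-Group general-attributes
 address-pool VPN-POOL
 default-group-policy VPN-Group
"""

if __name__ == "__main__":
    print({n: lint_l2tp_ipsec(c) or "ok" for n, c in (("working", WORKING), ("broken", BROKEN))})
```

Run against the BROKEN sample it reports exactly the gap the reply points at: the Windows client negotiates against DefaultRAGroup, which in the question's config has no address-pool and no default-group-policy because everything was attached to VPN-Group instead. The DES finding is a separate point; the thread's configs predate current guidance, and a 56-bit cipher should not be offered in a new deployment.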
eman mansouri said the following on 4/28/2008 5:28 AM:
> Hi everybody
> I do have a PIX 525 with PIX v8 IOS which I am intending to configure for my remote users in order to enable them to connect through the Internet to the corporate LAN and make use of the services provided. I have used my own knowledge, the Cisco site configuration guidelines and the ASDM 6.3 tool. But the problem is I get the below message using either Windows VPN connection.
>
> Jan 01 00:02:09 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed, no match!
> Jan 01 00:02:09 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntry
>
> this is the configuration I have done with ASDM. Please help me with it.
> I will be happy if you help me with it.
>
> PIX Version 8.0(3) 
> !
> hostname pixfirewall
> enable password 8Ry2YjIyt7RRXU24 encrypted
> names
> !
> interface Ethernet0
>  nameif inside
>  security-level 100
>  ip address 10.1.1.1 255.255.255.0 
> !
> interface Ethernet1
>  nameif outside
>  security-level 0
>  ip address 85.x.x.x 255.255.255.224 
> !
> access-list OUT-ACCESS extended permit ip any interface outside 
> access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 10.1.1.0 255.255.255.224 
>
> ip local pool VPN-POOL 10.1.1.10-10.1.1.20 mask 255.255.255.0
>
> asdm image flash:/asdm-603.bin
>
> global (outside) 1 interface
> nat (inside) 0 access-list inside_nat0_outbound
> nat (inside) 1 10.1.1.0 255.255.255.0
> access-group OUT-ACCESS in interface outside
> route outside 0.0.0.0 0.0.0.0 85.15.52.1 1
>
> dynamic-access-policy-record DfltAccessPolicy
>
> crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac 
> crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport
> crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
> crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
> crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_DES_SHA
> crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
> crypto map outside_map interface outside
> crypto isakmp enable outside
> crypto isakmp policy 10
>  authentication pre-share
>  encryption des
>  hash sha
>  group 2
>  lifetime 86400
>
> group-policy VPN-Group internal
> group-policy VPN-Group attributes
>  vpn-tunnel-protocol l2tp-ipsec 
>  default-domain value ibto.ir
> username iman password I02l0vJPx1MGTuzMwdwezg== nt-encrypted privilege 0
> username iman attributes
>  vpn-group-policy VPN-Group
> tunnel-group DefaultRAGroup ipsec-attributes
>  pre-shared-key *
> tunnel-group DefaultRAGroup ppp-attributes
>  authentication pap
>  no authentication chap
>  authentication ms-chap-v2
> tunnel-group VPN-Group type remote-access
> tunnel-group VPN-Group general-attributes
>  address-pool VPN-POOL
>  default-group-policy VPN-Group
> tunnel-group VPN-Group ipsec-attributes
>  pre-shared-key *
>  isakmp ikev1-user-authentication none
> tunnel-group VPN-Group ppp-attributes
>  authentication pap
>  no authentication chap
>  authentication ms-chap-v2
> Pass the CCIE in six weeks, Guaranteed!
> http://www.certscience.com/CCIE
> _______________________________________________________________________
> Subscription information may be found at: 
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Thu May 01 2008 - 08:25:52 ART