Cisco – How to connect to a Cisco ASA5540 from Windows Server 2012 over IPSEC

ciscocisco-asaipsecvpn

Given a windows server 2012 client (which I have under full administrator control), and an external Cisco ASA5540 router (which I don't), I'd like to connect to the router to access their internal network via ipsec VPN.

Connection details are:

IKE Phase-1:
Encryption Scheme: IKE
Key Exchange methods: 3DES
Hashing Algorithm: MD5
Authentication Method: Pre-shared Secret
Aggressive Mode Support: No
Diffie Helmen Group for Phase1: Group 2 (preferred)
IKE SA (phase 1 ) lifetime: 1440 Seconds

IKE Phase-2:
Encryption Scheme: IKE
Transform (IPSec Protocol): ESP
Encryption Algorithm 3DES
Data Integrity: MD5
Use Perfect Forward Secrecy (PFS): No
Diffie Helmen group for PFS: Group 2 (preferred)
IPSEC SA (phase 2) lifetime 28800 seconds
Key Exchange For Subnets: Yes

Encryption domain: 192.168.113.0/24
Security policy rules: Source: 10.135.1.80/32 -> Destination: 192.168.251.32/32

(I can't make changes to the router's config)

What are the specific steps to connect to this router using any client, or method whatsoever?

Best Answer

The path of least resistance is to ask the people who manage the destination firewall for a copy of the Cisco IPSEC VPN client or for access using an SSL AnyConnect VPN. See if they can provide a PCF configuration file to you.

Related Solutions

RV082 Gateway-Gateway VPN Won’t Connect

I have a site to site VPN beween two rv082's also. Checking my settings they show on both sides:

Local Security Gateway Type: IP Only
IP Address: external address
Local Security Group Type: Subnet
IP Address 192.168.188.0
Subnet Mask: 255.255.255.0

Remote Security Gateway Type: IP Only
IP Address: external address
Remote Security Group Type: Subnet
IP Address 192.168.166.0
Subnet Mask: 255.255.255.0

Keying Mode: IKE with Preshared key
Phase1 DH Group: Group 1
Phase1 Encryption: DES
Phase1 Authentication: MD5
Phase1 SA Life Time: 28800
Perfect Forward Secrecy: Enabled
Phase2 DH Group: Group 1
Phase2 Encryption: DES
Phase2 Authentication: MD5
Phase2 SA Life Time: 3600

Aggressive Mode: Disabled
Dead Peer Detection (DPD): Enabled

The only difference I see is agressive mode, but you tried that. Obviously you have a matching preshared key. Interface is WAN1 on both. So you don't have anything glaring - but maybe disable aggressive mode. I also remember having to delete and recreate them a few times to get it connected. Have you tried that?

SonicOS Enhanced 5.8.1.2 L2TP VPN Authentication Failed

Solve it myself. Just in case anyone comes across this configuring L2TP on SonicOS 5.8: The preferred authentication method for PPP is MSCHAPv2. I looked at my logs and saw that my pre-authentication was succeeding through both phases but I was getting an authentication error during MSCHAPv2 mutual authentication. I changed the preferred method to CHAP rather than the Microsoft Implementation and it works. I presume this is an OS X thing.

Related Topic