designetwork(EN)

IT technical memo of networking

VPN from Chromebook Acer C720 to ASA5505 (L2TP/IPsec PSK) (failed)


This is the English version of my Japanese blog.
Sorry for the machine translation.
I'll rewrite it soon.


I want a VPN connection so that I can use the Chromebook seamlessly while on the go.
Since I am considering using Remote Desktop to my home PC and VMs, this will become one part of my home private cloud.

Diagram

For a rough picture of the home network configuration, please refer to this article: http://en-designetwork.hatenablog.com/entry/2016/02/04/022830

The Internet connection on the go is assumed to be as follows.

Note that I normally connect over IPsec from my iPhone, using its built-in Cisco VPN Client.

Configuration

I configured the ASA5505 exactly as written in the setup procedure on Google's support page (support.google.com).

However, it does not connect...!

Investigation

Since I don't know the cause, I'll work on identifying it from the logs and a packet capture.

IP reachability was fine and I could confirm that the authentication phase was reached...
So let's try debugging... The analysis is done with the following setting:
debug crypto ikev1 255
I set the level to the maximum of 255 because I don't know the levels well.
From the following log, I found that it fails in Phase 1 of IKEv1.

Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2

Chromebook's SA Proposal

From the debug log, you can see that the Chromebook is proposing the following two transforms:

  • 3DES-CBC, SHA1, DH-Group2, Lifetime 86400
  • AES-128, MD5, DH-Group 'Unknown', Lifetime 86400

Phase1

Since the request from the Chromebook seems to be the problem, I tried changing the settings on the ASA side and watched how the log changed.

  • Adding and deleting the authentication method
  • Deleting 3DES
  • Adding 3DES
  • Deleting AES
  • Adding AES

When AES is added, a DH-Group mismatch is detected.

Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Unknown Cfg'd: Group 2

Given the log and the ASA configuration, it appears that authentication with AES is not possible.
For now, I'll leave one of them configured and look for other causes.

  • Option settings
  • Disabling PFS

While searching for the authentication method, PFS (Perfect Forward Secrecy) came up in a description of something non-compliant, so I tried disabling it, but there was no change.
I re-enabled it for the time being.

Disabling X-AUTH

While poking at settings haphazardly, I tried disabling X-AUTH.

Phase 1 Completed!

Since I cannot find an appropriate setting on the Chromebook side, for now I'll proceed with X-AUTH disabled.
By the way, the next thing that appeared was an IPsec SA Proposal Mismatch in Phase 2.
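As an added illustration (not from the original post or from Cisco), the following Python model walks a responder's IKEv1 Phase 1 policies against each proposal, reports the first attribute it rejects in the same wording as the ASA debug line, and parses that line back out. The two Chromebook proposals above and the X-AUTH on/off ASA policies are constructed from this post; the comparison order and the exact "Auth Method" value strings are assumptions.

```python
import re
from dataclasses import astuple, dataclass
from typing import List, Optional, Tuple

# Phase 1 attributes compared in this order (assumed; the ASA only names the attribute it rejected).
CLASSES = ("Encryption Alg", "Hash Alg", "Group Description", "Auth Method")

@dataclass(frozen=True)
class Ikev1Policy:
    encryption: str  # e.g. "3DES-CBC", "AES-CBC"
    hash_alg: str    # "SHA1" or "MD5"
    group: str       # "Group 2"; "Unknown" when the ASA cannot name the peer's DH group
    auth: str        # "preshared key" / "XAUTH with preshared key" (wording assumed)

def first_mismatch(received: Ikev1Policy, configured: Ikev1Policy) -> Optional[str]:
    """ASA-style failure line for the first differing attribute, or None if all match."""
    for cls, rcvd, cfgd in zip(CLASSES, astuple(received), astuple(configured)):
        if rcvd != cfgd:
            return (f"Phase 1 failure: Mismatched attribute types for class {cls}: "
                    f"Rcv'd: {rcvd} Cfg'd: {cfgd}")
    return None

def select_policy(received: Ikev1Policy, policies: List[Ikev1Policy]) -> Tuple[Optional[Ikev1Policy], List[str]]:
    """Try configured policies in priority order; return the first match plus the failures seen before it."""
    failures = []
    for policy in policies:
        msg = first_mismatch(received, policy)
        if msg is None:
            return policy, failures
        failures.append(msg)
    return None, failures

MISMATCH_RE = re.compile(r"Mismatched attribute types for class (?P<cls>.+?): Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+)$")

def parse_mismatch(line: str) -> Optional[dict]:
    # Extract class / received / configured from a 'debug crypto ikev1' failure line.
    m = MISMATCH_RE.search(line)
    return m.groupdict() if m else None

# Constructed sample data: the two proposals the debug log attributed to the Chromebook, plus ASA
# policies for the failing state (3DES with X-AUTH) and the state that completed (3DES, PSK only).
CHROMEBOOK_3DES = Ikev1Policy("3DES-CBC", "SHA1", "Group 2", "preshared key")
CHROMEBOOK_AES = Ikev1Policy("AES-CBC", "MD5", "Unknown", "preshared key")
ASA_AES = Ikev1Policy("AES-CBC", "MD5", "Group 2", "preshared key")
ASA_3DES_XAUTH = Ikev1Policy("3DES-CBC", "SHA1", "Group 2", "XAUTH with preshared key")
ASA_3DES_PSK = Ikev1Policy("3DES-CBC", "SHA1", "Group 2", "preshared key")

if __name__ == "__main__":
    for policies in ([ASA_AES, ASA_3DES_XAUTH], [ASA_AES, ASA_3DES_PSK]):
        for proposal in (CHROMEBOOK_AES, CHROMEBOOK_3DES):
            matched, failures = select_policy(proposal, policies)
            print(proposal.encryption, "->", "matched" if matched else failures[-1])
```

With X-AUTH configured the 3DES proposal dies on the Auth Method class, which is the behaviour the post observed; the AES proposal never matches because of the DH group regardless of the X-AUTH setting.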

Phase2

I checked the Chromebook's SA Proposal in the same way as for Phase 1.

I don't really understand it, but I tried disabling PFS.
PHASE 2 COMPLETED! It connected.

However, at the next step, the IPsec communication...

aaa-server-group missing L2TP initiated

...still does not connect...

L2TP

Looking at the Cisco Support Community, Experts Exchange and the like, there are people here and there suffering from the same problem.

VPN for Chromebook

Support for ChromeOS / Chromebook - Cisco Community

However, there are nuances of the English that I cannot understand, and I could not find a solution or a next step...
In addition, I found that the Chromebook is not included in the ASA's L2TP/IPsec support, which suddenly made me anxious that it might not connect in the first place...
That page talks about AnyConnect, so let me try Bug Search.

CSCtu30260 AnyConnect support on Chromebook: AnyConnect client not supported on Chromebook platform.

To calm my mind even a little, I'll first connect from Win7, which is supported, and work out the difference so I know what the ideal state looks like.

L2TP/IPsec connection from Win7

With Win7, AnyConnect is also an option, but first I'll start with the L2TP/IPsec connection that comes as standard.
Trying with the ASA settings left as they were when the Chromebook connected, there is a mismatch in Phase 1...
When I turned X-AUTH back on, on a hunch, Phase 1 and Phase 2 both COMPLETED at once!
However! L2TP does not connect, just as in the Chromebook case above!
Strictly speaking, it expires immediately after connecting. The Duration shown is 1 to 3 seconds, so it does seem to connect briefly.
I tried things such as enabling MS-CHAPv2 as the authentication method, but the message on the ASA side does not change.
On the Win7 side, the error is that it does not get past "verifying the user name and password".

Future Policy

  • Reconfigure the ASA
  • Connection test with VyOS, etc.
  • Give up on VPN and use Chrome Remote Desktop

Request for information

Please let me know if anyone has succeeded in an L2TP/IPsec PSK connection with ASA5505 × Chromebook.

