Solved

Cisco PIX 515 - Setting up L2TP VPN for Windows Vista

Posted on 2009-04-09
Last Modified: 2012-05-06
PIX-515E 64 MB RAM, CPU Pentium II 433 MHz
PIX Version 7.2(2)
ASDM Ver: 5.2(2)

At this point we can connect with Cisco VPN Client 5.x, Shrew VPN Client 2.1 (free IPsec Client that we found that supports 64bit OS) and Windows XP SP3 L2TP native client. The only problem is connection from Windows Vista native L2TP client.

The debug log gives me the impression that there's something wrong with the pre-shared key, but I double-checked it and it's correct. I'm starting to think that maybe it's a bug in the 7.2(2) software.

I guided my setup from here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml

Below is the snippet of the relevant part for the L2TP tunnel. I've also attached the debug log from the connection of a Windows Vista client.

Any help would be appreciated to figure this out.

Thank you.
group-policy DefaultRAPolicy internal
group-policy DefaultRAPolicy attributes
 wins-server value 192.168.20.10 192.168.20.9
 dns-server value 192.168.20.10 192.168.20.9
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_clientesvpn
 default-domain value moonlight.lan

crypto ipsec transform-set TRANS_ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_SHA mode transport
crypto ipsec transform-set TUNN_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TUNN_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TUNN_ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto dynamic-map dcmap_clientesvpn 10 set transform-set TRANS_ESP_AES_SHA TUNN_ESP_3DES_MD5 TUNN_ESP_3DES_SHA TUNN_ESP_AES_SHA TRANS_ESP_3DES_SHA
crypto dynamic-map dcmap_clientesvpn 10 set security-association lifetime seconds 86400

crypto map cmap_clientesvpn 65535 ipsec-isakmp dynamic dcmap_clientesvpn
crypto map cmap_clientesvpn interface Outside

crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp nat-traversal  20

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

tunnel-group DefaultRAGroup general-attributes
 authentication-server-group IAS
 default-group-policy DefaultRAPolicy
 dhcp-server 192.168.20.10
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

tunnel-group-map enable rules

debug-l2tp-vista.txt
Question by:rnuno007
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24123835
>WARNING, had problems decrypting packet, probably due to mismatched pre-shared key.

Verify in the Vista L2TP network connection that you correctly entered the pre-shared key and that it matches the tunnel-group pre-shared key.

The ASA config looks good.
 

Author Comment

by:rnuno007
ID: 24125902
The config on Vista L2TP is the same I'm using on the XP client. I already changed the pre-shared key to something simple like 123456789 on both clients and the PIX, and still no go.

If my config is OK, I'm really starting to think that the problem may be in the software version 7.2(2) of my PIX.
I already asked for the 7.2(4) software version to try it with the same config; my hope is that using the latest revision my problem will go away. What do you think?
 
LVL 43

Accepted Solution

by: JFrederick29 (earned 500 total points)
ID: 24125943
Actually, I know Vista only works with SHA (not MD5, which XP does), and it looks like your 3DES/SHA Transport transform set is incorrect, which may be causing the problem.  Try this:

conf t
no crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
no crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto dynamic-map dcmap_clientesvpn 10 set transform-set TRANS_ESP_AES_SHA TUNN_ESP_3DES_MD5 TUNN_ESP_3DES_SHA TUNN_ESP_AES_SHA TRANS_ESP_3DES_SHA
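As an added check (not from the thread, Cisco, or the poster), the following Python parses the `crypto ipsec transform-set` lines of a PIX/ASA config and flags transport-mode sets whose integrity transform is not esp-sha-hmac, which is exactly the TRANS_ESP_3DES_SHA mismatch the accepted answer found. The sample config is constructed from the lines posted in the question.

```python
import re

# Constructed sample: the transform-set lines from the config posted in the
# question, including the TRANS_ESP_3DES_SHA set the accepted answer corrects.
SAMPLE_CONFIG = """\
crypto ipsec transform-set TRANS_ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_SHA mode transport
crypto ipsec transform-set TUNN_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TUNN_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TUNN_ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")


def parse_transform_sets(config):
    """Map each transform-set name to its transforms and mode.
    A set is tunnel mode unless a '... mode transport' line overrides it."""
    sets = {}
    for line in config.splitlines():
        m = TS_RE.match(line.strip())
        if not m:
            continue
        name, rest = m.groups()
        entry = sets.setdefault(name, {"transforms": [], "mode": "tunnel"})
        if rest.startswith("mode "):
            entry["mode"] = rest.split()[1]
        else:
            entry["transforms"] = rest.split()
    return sets


def integrity_of(entry):
    """Return the ESP integrity transform (e.g. 'esp-md5-hmac'), or None."""
    return next((t for t in entry["transforms"] if t.endswith("-hmac")), None)


def l2tp_vista_candidates(sets):
    """Transport-mode sets offering esp-sha-hmac: the ones a Vista L2TP client can match."""
    return sorted(n for n, e in sets.items()
                  if e["mode"] == "transport" and integrity_of(e) == "esp-sha-hmac")


def transport_sets_without_sha(sets):
    """Transport-mode sets whose integrity is not SHA; a Vista client will not select these."""
    return sorted((n, integrity_of(e)) for n, e in sets.items()
                  if e["mode"] == "transport" and integrity_of(e) != "esp-sha-hmac")
```

Running `transport_sets_without_sha(parse_transform_sets(SAMPLE_CONFIG))` on the posted config reports TRANS_ESP_3DES_SHA with esp-md5-hmac; after the correction in the accepted answer the list is empty and both transport sets become Vista candidates.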
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24125947
If it still doesn't work after the above changes, I'll compare your config to a working L2TP config I have on a test ASA.  I'm running 8.0(4) on my ASA.  Not sure if 7.2(4) will help at all but can't hurt anything.
 

Author Closing Comment

by:rnuno007
ID: 31568489
This worked on 7.2(4). Thanks.