Cisco PIX 515 - Setting up L2TP VPN for Windows Vista

Posted on 2009-04-09
Last Modified: 2012-05-06
PIX-515E 64 MB RAM, CPU Pentium II 433 MHz
PIX Version 7.2(2)
ASDM Ver: 5.2(2)

At this point we can connect with Cisco VPN Client 5.x, Shrew VPN Client 2.1 (a free IPsec client that we found that supports 64-bit OS) and the Windows XP SP3 L2TP native client. The only problem is the connection from the Windows Vista native L2TP client.

The debug log gives me the impression that there's something wrong with the pre-shared key, but I double-checked it and it's correct. I'm starting to think that maybe it's a bug in the 7.2(2) software.

I guided my setup from here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml

Below is the snippet of the relevant part for the L2TP tunnel. I've also attached the debug log from the connection of a Windows Vista client.

Any help would be appreciated to figure this out.

Thank you.
group-policy DefaultRAPolicy internal
group-policy DefaultRAPolicy attributes
 wins-server value 192.168.20.10 192.168.20.9
 dns-server value 192.168.20.10 192.168.20.9
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_clientesvpn
 default-domain value moonlight.lan
 
crypto ipsec transform-set TRANS_ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_SHA mode transport
crypto ipsec transform-set TUNN_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TUNN_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TUNN_ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
 
crypto dynamic-map dcmap_clientesvpn 10 set transform-set TRANS_ESP_AES_SHA TUNN_ESP_3DES_MD5 TUNN_ESP_3DES_SHA TUNN_ESP_AES_SHA TRANS_ESP_3DES_SHA
crypto dynamic-map dcmap_clientesvpn 10 set security-association lifetime seconds 86400
 
crypto map cmap_clientesvpn 65535 ipsec-isakmp dynamic dcmap_clientesvpn
crypto map cmap_clientesvpn interface Outside
 
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp nat-traversal  20
 
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
 
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
 
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
 
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group IAS
 default-group-policy DefaultRAPolicy
 dhcp-server 192.168.20.10
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
 
tunnel-group-map enable rules

debug-l2tp-vista.txt
Question by:rnuno007

Expert Comment

by:JFrederick29
ID: 24123835
>WARNING, had problems decrypting packet, probably due to mismatched pre-shared key.

Verify in the Vista L2TP network connection that you correctly entered the pre-shared key and that it matches the tunnel-group pre-shared key.

The ASA config looks good.

Author Comment

by:rnuno007
ID: 24125902
The config on the Vista L2TP client is the same one I'm using on the XP client. I already changed the pre-shared key to something simple like 123456789 on both clients and the PIX, and it's still a no-go.

If my config is OK, I'm really starting to think that the problem may be in the software version 7.2(2) of my PIX.
I already asked for the 7.2(4) software version to try it with the same config; my hope is that using the latest revision my problem will go away. What do you think?

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24125943
Actually, I know Vista only works with SHA (not MD5; XP does), and it looks like your 3DES/SHA transport transform set is incorrect, which may be causing the problem. Try this:

conf t
no crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
no crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto dynamic-map dcmap_clientesvpn 10 set transform-set TRANS_ESP_AES_SHA TUNN_ESP_3DES_MD5 TUNN_ESP_3DES_SHA TUNN_ESP_AES_SHA TRANS_ESP_3DES_SHA
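The mismatch JFrederick29 spotted is easy to miss by eye: the set is named TRANS_ESP_3DES_SHA but is defined with esp-md5-hmac. The following check is an added example, not code from the thread or from Cisco: it parses the transform-set and dynamic-map lines posted in the question and flags any offered set whose name contradicts its HMAC, plus any transport-mode set that does not use SHA (the accepted answer's point that Vista's L2TP client needs SHA, not MD5). The parsing, function names and finding format are my own assumptions.

```python
import re
# Constructed sample: the transform-set and dynamic-map lines from the PIX config
# posted in the question (TRANS_ESP_3DES_SHA is the line the accepted answer fixes).
PIX_CONFIG = """\
crypto ipsec transform-set TRANS_ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_SHA mode transport
crypto ipsec transform-set TUNN_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TUNN_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TUNN_ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map dcmap_clientesvpn 10 set transform-set TRANS_ESP_AES_SHA TUNN_ESP_3DES_MD5 TUNN_ESP_3DES_SHA TUNN_ESP_AES_SHA TRANS_ESP_3DES_SHA
"""

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (esp-\S+) esp-(sha|md5)-hmac$")
MODE_RE = re.compile(r"^crypto ipsec transform-set (\S+) mode (tunnel|transport)$")
DMAP_RE = re.compile(r"^crypto dynamic-map \S+ \d+ set transform-set (.+)$")

def parse_transform_sets(config):
    """Return ({name: {cipher, hash, mode}}, [names offered by dynamic-maps])."""
    sets, offered = {}, []
    for line in config.splitlines():
        if m := TS_RE.match(line):            # PIX default mode is tunnel
            sets[m[1]] = {"cipher": m[2], "hash": m[3].upper(), "mode": "tunnel"}
        elif m := MODE_RE.match(line):        # explicit "mode transport"
            sets.setdefault(m[1], {"cipher": "?", "hash": "?"})["mode"] = m[2]
        elif m := DMAP_RE.match(line):        # sets actually proposed to clients
            offered.extend(m[1].split())
    return sets, offered

def audit_transform_sets(config):
    """Flag offered sets whose name contradicts their HMAC, and transport-mode
    sets without SHA (the accepted answer: Vista's L2TP client needs SHA, not MD5)."""
    sets, offered = parse_transform_sets(config)
    findings = []
    for name in offered:
        ts = sets.get(name)
        if ts is None:
            findings.append((name, "referenced by dynamic-map but never defined"))
            continue
        for alg in ("SHA", "MD5"):
            if alg in name.upper() and ts["hash"] != alg:
                findings.append((name, f"name says {alg} but HMAC is {ts['hash']}"))
        if ts["mode"] == "transport" and ts["hash"] != "SHA":
            findings.append((name, f"transport-mode set uses {ts['hash']}, not SHA"))
    return findings

# Corrected copy, as the accepted answer suggests: same name, esp-sha-hmac.
FIXED_CONFIG = PIX_CONFIG.replace("TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac",
                                  "TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac")
```

Running `audit_transform_sets(PIX_CONFIG)` reports TRANS_ESP_3DES_SHA twice (name/HMAC mismatch and MD5 in transport mode); the same check on `FIXED_CONFIG` reports nothing.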

Expert Comment

by:JFrederick29
ID: 24125947
If it still doesn't work after the above changes, I'll compare your config to a working L2TP config I have on a test ASA. I'm running 8.0(4) on my ASA. Not sure if 7.2(4) will help at all, but it can't hurt anything.

Author Closing Comment

by:rnuno007
ID: 31568489
This worked on 7.2(4). Thanks.