Status: Solved

Cisco PIX 515 - Setting up L2TP VPN for Windows Vista

PIX-515E 64 MB RAM, CPU Pentium II 433 MHz
PIX Version 7.2(2)
ASDM Ver: 5.2(2)

At this point we can connect with Cisco VPN Client 5.x, Shrew VPN Client 2.1 (a free IPsec client that we found that supports 64-bit OSes) and the Windows XP SP3 L2TP native client. The only problem is the connection from the Windows Vista native L2TP client.

The debug log gives me the impression that there's something wrong with the pre-shared key, but I double-checked it and it's correct. I'm starting to think that maybe it's a bug in the 7.2(2) software.

I guided my setup from here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml

Below is the snippet of the relevant part for the L2TP tunnel. I've also attached the debug log from the Windows Vista connection.

Any help would be appreciated to figure this out.

Thank you.

group-policy DefaultRAPolicy internal
group-policy DefaultRAPolicy attributes
 wins-server value 192.168.20.10 192.168.20.9
 dns-server value 192.168.20.10 192.168.20.9
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_clientesvpn
 default-domain value moonlight.lan
 
crypto ipsec transform-set TRANS_ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_SHA mode transport
crypto ipsec transform-set TUNN_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TUNN_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TUNN_ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
 
crypto dynamic-map dcmap_clientesvpn 10 set transform-set TRANS_ESP_AES_SHA TUNN_ESP_3DES_MD5 TUNN_ESP_3DES_SHA TUNN_ESP_AES_SHA TRANS_ESP_3DES_SHA
crypto dynamic-map dcmap_clientesvpn 10 set security-association lifetime seconds 86400
 
crypto map cmap_clientesvpn 65535 ipsec-isakmp dynamic dcmap_clientesvpn
crypto map cmap_clientesvpn interface Outside
 
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp nat-traversal  20
 
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
 
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
 
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
 
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group IAS
 default-group-policy DefaultRAPolicy
 dhcp-server 192.168.20.10
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
 
tunnel-group-map enable rules

debug-l2tp-vista.txt

JFrederick29 commented:
>WARNING, had problems decrypting packet, probably due to mismatched pre-shared key.

Verify in the Vista L2TP network connection that you correctly inputted the pre-shared key and that it matches the tunnel-group pre-shared key.

The ASA config looks good.
 
rnuno007 (Author) commented:
The config on Vista L2TP is the same I'm using on the XP client. I already changed the pre-shared key to something simple like 123456789 on both clients and the PIX; still no go.

If my config is OK, I'm really starting to think that the problem may be in the software version 7.2(2) of my PIX.
I already asked for the 7.2(4) software version to try it with the same config; my hope is that using the latest revision my problem will go away. What do you think?
 
JFrederick29 commented:
Actually, I know Vista only works with SHA (not MD5; XP does), and it looks like your 3DES/SHA transport transform is incorrect, which may be causing the problem. Try this:

conf t
no crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
no crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto dynamic-map dcmap_clientesvpn 10 set transform-set TRANS_ESP_AES_SHA TUNN_ESP_3DES_MD5 TUNN_ESP_3DES_SHA TUNN_ESP_AES_SHA TRANS_ESP_3DES_SHA
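The mismatch this answer points at is easy to miss by eye because the transform-set's name says SHA while its transforms say MD5. The checker below is an added example, not code from the thread or from Cisco: it parses the `crypto ipsec transform-set` and `crypto dynamic-map ... set transform-set` lines of a PIX/ASA 7.x config, keeps only the transport-mode sets the dynamic map offers (the mode an L2TP/IPsec client negotiates), and reports any that lack `esp-sha-hmac`, the hash the answer says Vista requires. The two sample strings are the config and the change block exactly as posted in this thread; the handling of `no` lines and of a re-issued `set transform-set` is this example's simplified model of the CLI, not a full config parser.

```python
import re
from dataclasses import dataclass, field

# Statement shapes this checker understands (PIX/ASA 7.x syntax as posted in the thread).
TS_RE = re.compile(r"^(no )?crypto ipsec transform-set (\S+)(?: (.+))?$")
DMAP_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set transform-set (.+)$")


@dataclass
class TransformSet:
    name: str
    transforms: list = field(default_factory=list)
    mode: str = "tunnel"  # the default when no 'mode transport' line follows


def parse_config(text):
    """Return (transform sets by name, names offered by dynamic-map entries).

    Simplified CLI semantics (an assumption of this example): any
    'no crypto ipsec transform-set NAME ...' deletes the set, and re-issuing
    'set transform-set' on a dynamic-map entry replaces that entry's list.
    Everything else (e.g. 'conf t') is ignored.
    """
    sets, dmap = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = TS_RE.match(line)
        if m:
            negated, name = m.group(1), m.group(2)
            rest = (m.group(3) or "").split()
            if negated:
                sets.pop(name, None)
            elif rest[:2] == ["mode", "transport"]:
                sets.setdefault(name, TransformSet(name)).mode = "transport"
            else:
                sets.setdefault(name, TransformSet(name)).transforms = rest
            continue
        m = DMAP_RE.match(line)
        if m:
            dmap[(m.group(1), m.group(2))] = m.group(3).split()
    offered = []
    for names in dmap.values():
        for n in names:
            if n not in offered:
                offered.append(n)
    return sets, offered


def audit_l2tp_proposals(text):
    """Return [(set_name, problem)] for what the dynamic map offers an L2TP/IPsec client.

    An empty list means every offered transport-mode set carries esp-sha-hmac
    and at least one such set exists. Tunnel-mode sets are skipped because the
    Windows L2TP client negotiates ESP in transport mode.
    """
    sets, offered = parse_config(text)
    problems, transport_sha = [], False
    for name in offered:
        ts = sets.get(name)
        if ts is None:
            problems.append((name, "referenced by dynamic-map but not defined"))
            continue
        if ts.mode != "transport":
            continue
        if "esp-sha-hmac" in ts.transforms:
            transport_sha = True
        else:
            note = " although its name says SHA" if "SHA" in name.upper() else ""
            problems.append((name, f"transport mode offers {' '.join(ts.transforms)}{note}"))
    if not transport_sha:
        problems.append(("*", "no transport-mode transform-set with esp-sha-hmac is offered"))
    return problems


# Transform-set and dynamic-map lines as posted in the question.
ORIGINAL_CONFIG = """\
crypto ipsec transform-set TRANS_ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_SHA mode transport
crypto ipsec transform-set TUNN_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TUNN_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TUNN_ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map dcmap_clientesvpn 10 set transform-set TRANS_ESP_AES_SHA TUNN_ESP_3DES_MD5 TUNN_ESP_3DES_SHA TUNN_ESP_AES_SHA TRANS_ESP_3DES_SHA
"""

# The change block from the accepted answer, applied on top of the original config.
FIX_FROM_ANSWER = """\
conf t
no crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
no crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map dcmap_clientesvpn 10 set transform-set TRANS_ESP_AES_SHA TUNN_ESP_3DES_MD5 TUNN_ESP_3DES_SHA TUNN_ESP_AES_SHA TRANS_ESP_3DES_SHA
"""

if __name__ == "__main__":
    for label, cfg in (("before", ORIGINAL_CONFIG), ("after", ORIGINAL_CONFIG + FIX_FROM_ANSWER)):
        findings = audit_l2tp_proposals(cfg)
        print(f"{label}: {findings or 'no problems found'}")
```

Run against the posted config it flags only TRANS_ESP_3DES_SHA (transport mode, esp-3des esp-md5-hmac, despite the SHA in its name); with the answer's change block appended it reports nothing, which is the state the author confirmed working. Because the checker keys on what the dynamic map actually offers rather than on set names, it would also catch the opposite slip, a correct transform-set that was never added to the `set transform-set` list.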
 
JFrederick29 commented:
If it still doesn't work after the above changes, I'll compare your config to a working L2TP config I have on a test ASA. I'm running 8.0(4) on my ASA. Not sure if 7.2(4) will help at all, but it can't hurt anything.
 
rnuno007 (Author) commented:
This worked on 7.2(4). Thanks.