Solved
Cisco PIX 515 - Setting up L2TP VPN for Windows Vista

Posted on 2009-04-09
Last Modified: 2012-05-06
PIX-515E 64 MB RAM, CPU Pentium II 433 MHz
PIX Version 7.2(2)
ASDM Ver: 5.2(2)

At this point we can connect with Cisco VPN Client 5.x, Shrew VPN Client 2.1 (free IPsec Client that we found that supports 64bit OS) and Windows XP SP3 L2TP native client. The only problem is connection from Windows Vista native L2TP client.

The debug log gives me the impression that there's something wrong with the pre-shared key, but I double-checked it and it's correct. I'm starting to think that maybe it's a bug in the 7.2(2) software.

I guided my setup from here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml

Below is the snippet of the relevant part for the L2TP tunnel. I've also attached the debug log from the connection of a Windows Vista client.

Any help would be appreciated to figure this out.

Thank you.

group-policy DefaultRAPolicy internal
group-policy DefaultRAPolicy attributes
 wins-server value 192.168.20.10 192.168.20.9
 dns-server value 192.168.20.10 192.168.20.9
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_clientesvpn
 default-domain value moonlight.lan
 
crypto ipsec transform-set TRANS_ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_SHA mode transport
crypto ipsec transform-set TUNN_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TUNN_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TUNN_ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
 
crypto dynamic-map dcmap_clientesvpn 10 set transform-set TRANS_ESP_AES_SHA TUNN_ESP_3DES_MD5 TUNN_ESP_3DES_SHA TUNN_ESP_AES_SHA TRANS_ESP_3DES_SHA
crypto dynamic-map dcmap_clientesvpn 10 set security-association lifetime seconds 86400
 
crypto map cmap_clientesvpn 65535 ipsec-isakmp dynamic dcmap_clientesvpn
crypto map cmap_clientesvpn interface Outside
 
crypto isakmp identity address
crypto isakmp enable Outside
crypto isakmp nat-traversal  20
 
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
 
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
 
crypto isakmp policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
 
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group IAS
 default-group-policy DefaultRAPolicy
 dhcp-server 192.168.20.10
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
 
tunnel-group-map enable rules

debug-l2tp-vista.txt
Question by:rnuno007
5 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24123835
>WARNING, had problems decrypting packet, probably due to mismatched pre-shared key.

Verify in the Vista L2TP network connection that you correctly inputted the preshared key and matches the tunnel-group preshared key.

The ASA config looks good.
 

Author Comment

by:rnuno007
ID: 24125902
The config on Vista L2TP is the same I'm using on the XP client. I already changed the pre-shared key to something simple like 123456789 on both clients and the PIX, and it's still a no-go.

If my config is OK, I'm really starting to think that the problem may be in the software version 7.2(2) of my PIX.
I already asked for the 7.2(4) software version to try it with the same config; my hope is that using the latest revision my problem will go away. What do you think?
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 1500 total points
ID: 24125943
Actually, I know Vista only works with SHA (not MD5; XP does), and it looks like your 3DES/SHA transport transform is incorrect, which may be causing the problem. Try this:

conf t
no crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
no crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto dynamic-map dcmap_clientesvpn 10 set transform-set TRANS_ESP_AES_SHA TUNN_ESP_3DES_MD5 TUNN_ESP_3DES_SHA TUNN_ESP_AES_SHA TRANS_ESP_3DES_SHA
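An added config audit (not from the thread, not Cisco tooling) that parses the transform-set and dynamic-map lines quoted in this question and flags the mismatch JFrederick29 found; it assumes the accepted answer's requirement that the Vista L2TP client needs a transport-mode 3DES/SHA proposal, and also checks that a set's _SHA/_MD5 name suffix matches its configured ESP auth algorithm.

```python
import re

# Constructed sample: the transform-set and dynamic-map lines from the thread's
# PIX config, including the set named *_SHA that actually uses esp-md5-hmac.
PIX_CONFIG = """
crypto ipsec transform-set TRANS_ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_SHA mode transport
crypto ipsec transform-set TUNN_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TUNN_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TUNN_ESP_AES_SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map dcmap_clientesvpn 10 set transform-set TRANS_ESP_AES_SHA TUNN_ESP_3DES_MD5 TUNN_ESP_3DES_SHA TUNN_ESP_AES_SHA TRANS_ESP_3DES_SHA
"""
# The same sample after applying the accepted answer's fix.
FIXED_CONFIG = PIX_CONFIG.replace("TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac",
                                  "TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac")

MODE_RE = re.compile(r"^crypto ipsec transform-set (\S+) mode (\S+)$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (\S+) (\S+)$")
DMAP_RE = re.compile(r"^crypto dynamic-map \S+ \d+ set transform-set (.+)$")

def parse(config):
    """Return ({name: {enc, auth, mode}}, [set names offered by the dynamic map])."""
    sets, offered = {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := MODE_RE.match(line):  # test before TS_RE, which would also match it
            sets.setdefault(m[1], {"mode": "tunnel"})["mode"] = m[2]
        elif m := TS_RE.match(line):  # PIX default mode is tunnel unless overridden
            sets.setdefault(m[1], {"mode": "tunnel"}).update(enc=m[2], auth=m[3])
        elif m := DMAP_RE.match(line):
            offered.extend(m[1].split())
    return sets, offered

def audit(config):
    """Return findings; empty means names match their ESP auth algorithm and the
    dynamic map offers a transport-mode esp-3des/esp-sha-hmac set (assumed Vista need)."""
    sets, offered = parse(config)
    findings = []
    for name, ts in sets.items():
        tag = name.rsplit("_", 1)[-1].lower()  # e.g. "sha" from TRANS_ESP_3DES_SHA
        if tag in ("sha", "md5") and tag not in ts.get("auth", ""):
            findings.append(f"{name}: named {tag.upper()} but uses {ts.get('auth')}")
    usable = [sets[n] for n in offered if n in sets]
    if not any(t["mode"] == "transport" and t.get("enc") == "esp-3des"
               and t.get("auth") == "esp-sha-hmac" for t in usable):
        findings.append("dynamic map offers no transport-mode esp-3des/esp-sha-hmac set")
    return findings
```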
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24125947
If it still doesn't work after the above changes, I'll compare your config to a working L2TP config I have on a test ASA.  I'm running 8.0(4) on my ASA.  Not sure if 7.2(4) will help at all but can't hurt anything.
 

Author Closing Comment

by:rnuno007
ID: 31568489
This worked on 7.2(4). Thanks.