Solved

L2TP IPSec VPN Connection problems on Cisco ASA 5505.

Posted on 2012-03-21
1,917 Views
Last Modified: 2012-03-28
I am trying to get L2TP working on our Cisco ASA 5505 from our Windows XP and Windows 7 native VPN clients. We are having problems with the Phase 2 connection of the VPN process.

I have attached the error message I receive when I try to connect.   I have also attached the configuration of our ASA.  The ASA is running software version 8.2(5).

Can anyone help me pinpoint what is wrong here?

Thank you,
Attachments: Error.jpg, asa.txt

Question by: DataDudes
4 Comments
Assisted Solution by: Ernie Beek (earned 250 total points)
It looks like the client and ASA can't agree about what encryption to use.
First have a look at: http://www.petenetlive.com/KB/Article/0000571.htm It's a good article from my esteemed fellow expert PeteLong which might help you out.

Author Comment by: DataDudes
I got it working if I connect using Mac OS X, but if I connect from Windows 7 I get "Error 809". It also doesn't connect from Windows XP.

Here's my config.

: Saved
:
ASA Version 8.3(2) 
!
hostname ciscoasa
enable password <redacted> encrypted
passwd <redacted> encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.230 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa832-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
object network obj-192.168.3.0 
 subnet 192.168.3.0 255.255.255.0
object network obj-192.168.15.0 
 subnet 192.168.15.0 255.255.255.0
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.3.0_24 
 subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.80.0_26 
 subnet 192.168.80.0 255.255.255.192
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.15.0 255.255.255.0 
access-list outside_cryptomap_10 extended permit ip any any 
access-list inside_access_in extended permit ip any any 
access-list outside_access_in extended permit ip host 74.94.82.28 any 
access-list outside_access_in extended permit ip any host 74.94.82.28 
access-list outside_access_in extended permit ip any any 
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 192.168.3.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool L2TP 192.168.15.100-192.168.15.200 mask 255.255.255.0
ip local pool vpn_tunnel 10.4.5.10-10.4.5.20 mask 255.255.255.0
ip local pool test_tunnel 192.168.80.2-192.168.80.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.3.0 obj-192.168.3.0 destination static obj-192.168.15.0 obj-192.168.15.0
nat (inside,outside) source static obj-192.168.3.0 obj-192.168.3.0 destination static obj-192.168.15.0 obj-192.168.15.0
nat (inside,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_192.168.80.0_26 NETWORK_OBJ_192.168.80.0_26
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server default protocol radius
 accounting-mode simultaneous
 reactivation-mode timed
aaa-server default (inside) host 192.168.3.100
 key *****
 authentication-port 1812
 accounting-port 1813
 radius-common-pw *****
 no mschapv2-capable
aaa authentication http console LOCAL 
http server enable
http 192.168.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set LT2P_VPN esp-des esp-sha-hmac 
crypto ipsec transform-set LT2P_VPN mode transport
crypto ipsec transform-set trans esp-3des esp-sha-hmac 
crypto ipsec transform-set trans mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyno 10 set transform-set trans
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set transform-set LT2P_VPN
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map vpn 65535 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto ca trustpoint LOCAL-CA-SERVER
 keypair LOCAL-CA-SERVER
 crl configure
crypto ca server 
 shutdown
 keysize 2048
 keysize server 2048
 smtp from-address admin@ciscoasa.null
crypto ca certificate chain LOCAL-CA-SERVER
 certificate ca 01

  quit
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 1500
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.3.20-192.168.3.35 inside
dhcpd dns 4.2.2.2 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_1
group-policy DfltGrpPolicy attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol IPSec l2tp-ipsec 
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec l2tp-ipsec 
username <redacted> password <redacted> encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) L2TP
 address-pool test_tunnel
 authentication-server-group default
 default-group-policy l2tp-ipsec_policy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 no authentication ms-chap-v1
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultWEBVPNGroup ppp-attributes
 authentication pap
 no authentication chap
 no authentication ms-chap-v1
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect ipsec-pass-thru 
  inspect pptp 
!
service-policy global-policy global
prompt hostname context 
Cryptochecksum:70c847ef9d1ab90fb079663ce1ab0b73
: end

Author Comment by: DataDudes
Windows XP gives a 678 error and the connection times out.  I have tried applying the registry "fixes" from various Microsoft KB articles with no luck.  Any help is appreciated

Accepted Solution by: The_Warlock (earned 250 total points)
In ref to this in your config:

crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

You might want to add:

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

And try again. If this doesn't resolve your issue, enable debug using the command "debug crypto isakmp" and post the results here in a txt file.


Let us know.
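Added example (editor's code, not from the thread, from Cisco, or from either expert): both Ernie Beek's point that the client and the ASA cannot agree on encryption and The_Warlock's suggestion to add a second ISAKMP policy come down to one question, namely what the outside interface really proposes. On an ASA only the crypto map bound with "crypto map <name> interface <if>" is live; every other crypto map, and any transform set reachable only through those maps, is inert no matter how many of them "show run" lists. The script below parses a config in that format and reports the Phase 1 policies, the Phase 2 transform sets actually reachable from the bound map, and the checks a reviewer would raise. Assumptions: the sample config is constructed from the crypto lines the asker posted, with the ten-set SYSTEM_DEFAULT_CRYPTO_MAP list shortened to two sets; the transport-mode check follows the ASA L2TP-over-IPsec configuration guide, which requires transport mode for Windows L2TP/IPsec clients; the WEAK set (single DES, MD5) is the editor's judgement, not a Cisco rule.

```python
import re

# Constructed from the asker's posted crypto lines; unrelated lines omitted
# and the ten-entry SYSTEM_DEFAULT_CRYPTO_MAP list shortened to two sets.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set LT2P_VPN esp-des esp-sha-hmac
crypto ipsec transform-set LT2P_VPN mode transport
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-DES-MD5
crypto dynamic-map dyno 10 set transform-set trans
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set transform-set LT2P_VPN
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map vpn 65535 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 1500
"""

# Algorithms a reviewer would flag (editor's choice, not a Cisco rule).
WEAK = {"des", "esp-des", "md5", "esp-md5-hmac"}


def parse_isakmp_policies(config):
    """{priority: {attribute: value}} for every 'crypto isakmp policy' block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            policies[current][key] = value
        else:
            current = None          # first non-indented line ends the block
    return policies


def parse_transform_sets(config):
    """{name: {"transforms": [...], "mode": ...}}; ASA default mode is tunnel."""
    sets = {}
    for line in config.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+?)\s*$", line)
        if not m:
            continue
        name, rest = m.groups()
        entry = sets.setdefault(name, {"transforms": [], "mode": "tunnel"})
        if rest.startswith("mode "):
            entry["mode"] = rest.split()[1]
        else:
            entry["transforms"] = rest.split()
    return sets


def parse_crypto_maps(config):
    """Return (static_maps, dynamic_maps, bound): static_maps maps a crypto map
    name to its own transform sets and referenced dynamic maps, dynamic_maps
    maps a dynamic-map name to its transform sets, bound maps interface -> map."""
    static, dynamic, bound = {}, {}, {}
    for raw in config.splitlines():
        line = raw.rstrip()
        if m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            bound[m.group(2)] = m.group(1)
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$", line):
            slot = static.setdefault(m.group(1), {"transform_sets": [], "dynamic": []})
            slot["dynamic"].append(m.group(2))
        elif m := re.match(r"crypto map (\S+) \d+ set transform-set (.+)$", line):
            slot = static.setdefault(m.group(1), {"transform_sets": [], "dynamic": []})
            slot["transform_sets"] += m.group(2).split()
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ set transform-set (.+)$", line):
            dynamic.setdefault(m.group(1), []).extend(m.group(2).split())
    return static, dynamic, bound


def effective_offer(config, interface="outside"):
    """What `interface` really proposes, plus the issues a reviewer would raise."""
    static, dynamic, bound = parse_crypto_maps(config)
    sets = parse_transform_sets(config)
    policies = parse_isakmp_policies(config)
    live = bound.get(interface)

    reachable = []                      # Phase 2 sets the bound map can offer
    if live is not None:
        entry = static.get(live, {"transform_sets": [], "dynamic": []})
        reachable += entry["transform_sets"]
        for dyn in entry["dynamic"]:
            reachable += dynamic.get(dyn, [])
    reachable = list(dict.fromkeys(reachable))      # de-duplicate, keep order

    issues = []
    if not re.search(rf"^crypto isakmp enable {re.escape(interface)}\s*$", config, re.M):
        issues.append(f"ISAKMP is not enabled on {interface}")
    if not policies:
        issues.append("no crypto isakmp policy defined")
    if live is None:
        issues.append(f"no crypto map is bound to {interface}")
    elif not reachable:
        issues.append(f"crypto map {live} offers no transform sets")
    for name in reachable:
        ts = sets.get(name)
        if ts is None:
            issues.append(f"crypto map {live} references undefined transform-set {name}")
            continue
        if ts["mode"] != "transport":   # ASA L2TP/IPsec guide: transport mode required
            issues.append(f"transform-set {name} is tunnel mode; L2TP/IPsec needs transport mode")
        if weak := sorted(WEAK & set(ts["transforms"])):
            issues.append(f"transform-set {name} uses weak {'/'.join(weak)}")
    for prio, attrs in policies.items():
        if weak := sorted(WEAK & set(attrs.values())):
            issues.append(f"isakmp policy {prio} uses weak {'/'.join(weak)}")

    return {
        "interface": interface,
        "crypto_map": live,
        "policies": policies,
        "transform_sets": {n: sets[n] for n in reachable if n in sets},
        "unbound_maps": sorted(n for n in static if n not in bound.values()),
        "issues": issues,
    }


if __name__ == "__main__":
    for key, value in effective_offer(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against the posted lines the report shows that only the map "vpn" is bound to outside, so the single reachable Phase 2 proposal is "trans" (3DES/SHA, transport mode); "outside_map" and "outside_map0", and with them the ten SYSTEM_DEFAULT_CRYPTO_MAP transform sets and the DES-based LT2P_VPN set, are never offered. Adding the "crypto isakmp policy 10" from the accepted solution produces a second Phase 1 entry with the same attributes as policy 5, so the Phase 1 side of the report does not change; the "debug crypto isakmp" output is what shows which proposal the client actually sent. Rebinding outside to "outside_map0" instead is the case the transport-mode and weak-algorithm checks are there for.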
