
L2TP IPSec VPN Connection problems on Cisco ASA 5505.

I am trying to get L2TP working on our Cisco ASA 5505 from our Windows XP and Windows 7 native VPN clients. We are having problems with the Phase 2 connection of the VPN process.

I have attached the error message I receive when I try to connect. I have also attached the configuration of our ASA. The ASA is running software version 8.2(5).

Can anyone help me pinpoint what is wrong here?

Thank you,
Error.jpg
asa.txt
Ernie Beek commented:
It looks like the client and ASA can't agree about what encryption to use.
First have a look at: http://www.petenetlive.com/KB/Article/0000571.htm It's a good article from my esteemed fellow expert PeteLong which might help you out.
OAC Technology (Professional Nerds, Author) commented:
I got it working if I connect using Mac OS X, but if I connect from Windows 7 I get "Error 809". It also doesn't connect from Windows XP.

Here's my config.

: Saved
:
ASA Version 8.3(2) 
!
hostname ciscoasa
enable password <redacted> encrypted
passwd <redacted> encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.230 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa832-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
object network obj-192.168.3.0 
 subnet 192.168.3.0 255.255.255.0
object network obj-192.168.15.0 
 subnet 192.168.15.0 255.255.255.0
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.3.0_24 
 subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.80.0_26 
 subnet 192.168.80.0 255.255.255.192
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.15.0 255.255.255.0 
access-list outside_cryptomap_10 extended permit ip any any 
access-list inside_access_in extended permit ip any any 
access-list outside_access_in extended permit ip host 74.94.82.28 any 
access-list outside_access_in extended permit ip any host 74.94.82.28 
access-list outside_access_in extended permit ip any any 
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 192.168.3.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool L2TP 192.168.15.100-192.168.15.200 mask 255.255.255.0
ip local pool vpn_tunnel 10.4.5.10-10.4.5.20 mask 255.255.255.0
ip local pool test_tunnel 192.168.80.2-192.168.80.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.3.0 obj-192.168.3.0 destination static obj-192.168.15.0 obj-192.168.15.0
nat (inside,outside) source static obj-192.168.3.0 obj-192.168.3.0 destination static obj-192.168.15.0 obj-192.168.15.0
nat (inside,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_192.168.80.0_26 NETWORK_OBJ_192.168.80.0_26
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server default protocol radius
 accounting-mode simultaneous
 reactivation-mode timed
aaa-server default (inside) host 192.168.3.100
 key *****
 authentication-port 1812
 accounting-port 1813
 radius-common-pw *****
 no mschapv2-capable
aaa authentication http console LOCAL 
http server enable
http 192.168.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set LT2P_VPN esp-des esp-sha-hmac 
crypto ipsec transform-set LT2P_VPN mode transport
crypto ipsec transform-set trans esp-3des esp-sha-hmac 
crypto ipsec transform-set trans mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyno 10 set transform-set trans
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set transform-set LT2P_VPN
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map vpn 65535 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto ca trustpoint LOCAL-CA-SERVER
 keypair LOCAL-CA-SERVER
 crl configure
crypto ca server 
 shutdown
 keysize 2048
 keysize server 2048
 smtp from-address admin@ciscoasa.null
crypto ca certificate chain LOCAL-CA-SERVER
 certificate ca 01

  quit
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 1500
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.3.20-192.168.3.35 inside
dhcpd dns 4.2.2.2 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_1
group-policy DfltGrpPolicy attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol IPSec l2tp-ipsec 
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec l2tp-ipsec 
username <redacted> password <redacted> encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) L2TP
 address-pool test_tunnel
 authentication-server-group default
 default-group-policy l2tp-ipsec_policy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 no authentication ms-chap-v1
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultWEBVPNGroup ppp-attributes
 authentication pap
 no authentication chap
 no authentication ms-chap-v1
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect ipsec-pass-thru 
  inspect pptp 
!
service-policy global-policy global
prompt hostname context 
Cryptochecksum:70c847ef9d1ab90fb079663ce1ab0b73
: end

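Ernie Beek's point above, that the client and the ASA cannot agree on what encryption to use, can be checked structurally against the posted configuration: a transform set only matters if the crypto map actually bound to the outside interface can reach it. The script below is an added example (not from this thread and not Cisco's tooling); it parses a constructed excerpt of the config above, resolves which transform sets the bound map offers, and flags transport-mode sets (which L2TP/IPsec requires) that no bound map references. The function names and the excerpt are this example's own assumptions.

```python
from collections import defaultdict
# Constructed excerpt of the crypto section of the ASA config posted above (not the full file).
SAMPLE_CONFIG = """
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set LT2P_VPN esp-des esp-sha-hmac
crypto ipsec transform-set LT2P_VPN mode transport
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic-map dyno 10 set transform-set trans
crypto map outside_map 10 set transform-set LT2P_VPN
crypto map vpn 65535 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
"""

def parse(config):
    """Index transform sets (tunnel mode unless a 'mode transport' line says otherwise),
    dynamic maps, crypto maps and interface bindings from ASA 'show run' text."""
    ts_mode, dyn, cmap, dyn_refs = {}, defaultdict(set), defaultdict(set), defaultdict(set)
    bound, isakmp = {}, set()  # interface -> bound crypto map; isakmp-enabled interfaces
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            mode = "transport" if w[4:6] == ["mode", "transport"] else ts_mode.get(w[3], "tunnel")
            ts_mode[w[3]] = mode
        elif w[:2] == ["crypto", "dynamic-map"] and "transform-set" in w:
            dyn[w[2]].update(w[w.index("transform-set") + 1:])
        elif w[:2] == ["crypto", "map"] and len(w) > 4:
            if w[3] == "interface":
                bound[w[4]] = w[2]
            elif "transform-set" in w:
                cmap[w[2]].update(w[w.index("transform-set") + 1:])
            elif "dynamic" in w:
                dyn_refs[w[2]].add(w[w.index("dynamic") + 1])
        elif w[:3] == ["crypto", "isakmp", "enable"]:
            isakmp.add(w[3])
    for name, refs in dyn_refs.items():  # a map offers everything its dynamic maps offer
        cmap[name].update(*(dyn[d] for d in refs))
    return ts_mode, cmap, bound, isakmp

def audit(config, iface="outside"):
    """Report what an L2TP/IPsec client arriving on `iface` can actually negotiate:
    transport_reachable must be non-empty; orphaned_transport lists sets no bound map uses."""
    ts_mode, cmap, bound, isakmp = parse(config)
    reachable = cmap.get(bound.get(iface), set())
    return {
        "isakmp_enabled": iface in isakmp,
        "bound_map": bound.get(iface),
        "transport_reachable": sorted(t for t in reachable if ts_mode.get(t) == "transport"),
        "orphaned_transport": sorted(t for t, m in ts_mode.items()
                                     if m == "transport" and t not in reachable),
    }
```

Run against the full posted config, the same check also reports TRANS_ESP_3DES_MD5 and TRANS_ESP_3DES_SHA as orphaned, since only the `vpn` map is applied to the outside interface.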
OAC Technology (Professional Nerds, Author) commented:
Windows XP gives a 678 error and the connection times out.  I have tried applying the registry "fixes" from various Microsoft KB articles with no luck.  Any help is appreciated
Robert Sutton Jr (Senior Network Manager) commented:
In ref to this in your config:

crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

You might want to add:

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

And try again. If this doesn't resolve your issue, enable debug (using the command: debug crypto isakmp) and post the results here in a txt file.

Let us know.