OAC Technology asked:
L2TP IPSec VPN Connection problems on Cisco ASA 5505.

I am trying to get L2TP working on our Cisco ASA 5505 from our Windows XP and Windows 7 native VPN clients. We are having problems with the Phase 2 connection of the VPN process.

I have attached the error message I receive when I try to connect. I have also attached the configuration of our ASA. The ASA is running software version 8.2(5).

Can anyone help me pinpoint what is wrong here?

Thank you,
Attachments: Error.jpg, asa.txt
SOLUTION (Ernie Beek): available to members only.
OAC Technology (asker) replied:
I got it working if I connect using Mac OS X, but if I connect from Windows 7 I get "Error 809". It also doesn't connect from Windows XP.

Here's my config.

: Saved
:
ASA Version 8.3(2) 
!
hostname ciscoasa
enable password <redacted> encrypted
passwd <redacted> encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.10.10.230 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa832-k8.bin
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
object network obj-192.168.3.0 
 subnet 192.168.3.0 255.255.255.0
object network obj-192.168.15.0 
 subnet 192.168.15.0 255.255.255.0
object network obj_any 
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.3.0_24 
 subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.80.0_26 
 subnet 192.168.80.0 255.255.255.192
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.3.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.3.0 255.255.255.0 192.168.15.0 255.255.255.0 
access-list outside_cryptomap_10 extended permit ip any any 
access-list inside_access_in extended permit ip any any 
access-list outside_access_in extended permit ip host 74.94.82.28 any 
access-list outside_access_in extended permit ip any host 74.94.82.28 
access-list outside_access_in extended permit ip any any 
access-list DefaultRAGroup_splitTunnelAcl_1 standard permit 192.168.3.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool L2TP 192.168.15.100-192.168.15.200 mask 255.255.255.0
ip local pool vpn_tunnel 10.4.5.10-10.4.5.20 mask 255.255.255.0
ip local pool test_tunnel 192.168.80.2-192.168.80.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-192.168.3.0 obj-192.168.3.0 destination static obj-192.168.15.0 obj-192.168.15.0
nat (inside,outside) source static obj-192.168.3.0 obj-192.168.3.0 destination static obj-192.168.15.0 obj-192.168.15.0
nat (inside,outside) source static NETWORK_OBJ_192.168.3.0_24 NETWORK_OBJ_192.168.3.0_24 destination static NETWORK_OBJ_192.168.80.0_26 NETWORK_OBJ_192.168.80.0_26
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server default protocol radius
 accounting-mode simultaneous
 reactivation-mode timed
aaa-server default (inside) host 192.168.3.100
 key *****
 authentication-port 1812
 accounting-port 1813
 radius-common-pw *****
 no mschapv2-capable
aaa authentication http console LOCAL 
http server enable
http 192.168.3.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set LT2P_VPN esp-des esp-sha-hmac 
crypto ipsec transform-set LT2P_VPN mode transport
crypto ipsec transform-set trans esp-3des esp-sha-hmac 
crypto ipsec transform-set trans mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map dyno 10 set transform-set trans
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set transform-set LT2P_VPN
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map vpn 65535 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto ca trustpoint LOCAL-CA-SERVER
 keypair LOCAL-CA-SERVER
 crl configure
crypto ca server 
 shutdown
 keysize 2048
 keysize server 2048
 smtp from-address admin@ciscoasa.null
crypto ca certificate chain LOCAL-CA-SERVER
 certificate ca 01

  quit
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 1500
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.3.20-192.168.3.35 inside
dhcpd dns 4.2.2.2 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 8.8.8.8 8.8.4.4
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl_1
group-policy DfltGrpPolicy attributes
 dns-server value 4.2.2.2
 vpn-tunnel-protocol IPSec l2tp-ipsec 
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec l2tp-ipsec 
username <redacted> password <redacted> encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) L2TP
 address-pool test_tunnel
 authentication-server-group default
 default-group-policy l2tp-ipsec_policy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
 peer-id-validate nocheck
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 no authentication ms-chap-v1
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultWEBVPNGroup ppp-attributes
 authentication pap
 no authentication chap
 no authentication ms-chap-v1
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global-policy
 class global-class
  inspect ipsec-pass-thru 
  inspect pptp 
!
service-policy global-policy global
prompt hostname context 
Cryptochecksum:70c847ef9d1ab90fb079663ce1ab0b73
: end

Windows XP gives a 678 error and the connection times out. I have tried applying the registry "fixes" from various Microsoft KB articles with no luck. Any help is appreciated.
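The configuration above contains everything needed to trace the L2TP/IPsec path the Windows clients would hit: which crypto map is actually bound to the outside interface, which transform sets that map can offer, whether any of them is transport mode, whether IKE and NAT-T are enabled, and which PPP authentication methods the tunnel-group accepts. The script below is an added example, not code from the original post, from the member-only answers or from Cisco. It parses an excerpt of the posted config (unrelated lines omitted) and reports those items as findings; it works on any ASA running config of this form, not only the excerpt. The `Audit` class, `audit_l2tp`/`parse_blocks` names and the finding codes are this example's own inventions. The facts it relies on are visible in the config: `LT2P_VPN` sits in `outside_map`, which is never applied to an interface; only `vpn` (dynamic map `dyno`, transform set `trans`) is bound; the tunnel-group's ppp-attributes leave only PAP enabled; the RADIUS server is marked `no mschapv2-capable`; and `ssh`/`http` management is open from 0.0.0.0/0 on the outside interface.

```python
"""Static checks of an ASA L2TP/IPsec remote-access path (added example).

Not from the original post or from Cisco. Parses a running-config excerpt and
reports what an engineer checks first when Windows L2TP clients fail.
Function names, the Audit class and the finding codes are this example's own.
"""
import re
from dataclasses import dataclass, field

# Excerpt of the configuration posted above; lines the checks do not need are omitted.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set LT2P_VPN esp-des esp-sha-hmac
crypto ipsec transform-set LT2P_VPN mode transport
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-DES-MD5
crypto dynamic-map dyno 10 set transform-set trans
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set transform-set LT2P_VPN
crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map vpn 65535 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal 1500
aaa-server default (inside) host 192.168.3.100
 no mschapv2-capable
ssh 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 outside
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 no authentication ms-chap-v1
"""

PPP_DEFAULTS = {"chap", "ms-chap-v1"}   # PPP methods the ASA enables by default
WEAK_ESP = {"esp-des", "esp-md5-hmac"}  # single DES and MD5 integrity


def parse_blocks(cfg):
    """Return top-level lines and a map of header -> its indented sub-lines."""
    top, blocks, current = [], {}, None
    for raw in cfg.splitlines():
        if not raw.strip() or raw[0] in "!:":   # skip blanks, '!' separators, ': Saved'
            continue
        if raw[0] in " \t":
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            blocks.setdefault(current, [])
    return top, blocks


@dataclass
class Audit:
    bound_maps: dict = field(default_factory=dict)             # interface -> crypto map
    transport_sets_in_use: list = field(default_factory=list)  # transform sets L2TP can use
    findings: list = field(default_factory=list)               # (code, detail)


def audit_l2tp(cfg):
    top, blocks = parse_blocks(cfg)
    a = Audit()
    ts_algs, ts_transport, dyn_sets, map_dyn, map_static, all_maps = {}, set(), {}, {}, {}, set()
    for line in top:
        if m := re.match(r"crypto map (\S+) \d+ ", line):
            all_maps.add(m[1])
        if m := re.match(r"crypto ipsec transform-set (\S+) mode transport$", line):
            ts_transport.add(m[1])
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            ts_algs[m[1]] = m[2].split()
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ set transform-set (.+)$", line):
            dyn_sets.setdefault(m[1], []).extend(m[2].split())
        elif m := re.match(r"crypto map (\S+) \d+ set transform-set (.+)$", line):
            map_static.setdefault(m[1], []).extend(m[2].split())
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$", line):
            map_dyn.setdefault(m[1], []).append(m[2])
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            a.bound_maps[m[2]] = m[1]

    for iface, cmap in a.bound_maps.items():
        if f"crypto isakmp enable {iface}" not in top:
            a.findings.append(("ISAKMP_DISABLED", f"IKE is not enabled on {iface}; UDP 500 is ignored"))
        # Only transform sets reachable from the map bound to the interface are ever offered.
        reachable = list(map_static.get(cmap, []))
        for dyn in map_dyn.get(cmap, []):
            reachable += dyn_sets.get(dyn, [])
        a.transport_sets_in_use += [t for t in reachable if t in ts_transport]
        weak = sorted({alg for t in reachable for alg in ts_algs.get(t, []) if alg in WEAK_ESP})
        if weak:
            a.findings.append(("WEAK_TRANSFORM", f"{cmap} offers {weak}"))
    if a.bound_maps and not a.transport_sets_in_use:
        a.findings.append(("NO_TRANSPORT_MODE", "Windows L2TP/IPsec uses transport mode; none is offered"))
    if not any(l.startswith("crypto isakmp nat-traversal") for l in top):
        a.findings.append(("NO_NAT_T", "clients behind NAT need NAT-T on UDP 4500"))
    unbound = sorted(all_maps - set(a.bound_maps.values()))
    if unbound:
        a.findings.append(("UNBOUND_CRYPTO_MAP", f"{unbound} not applied to any interface; their transform sets are never offered"))

    for header, body in blocks.items():
        if header.endswith(" ppp-attributes"):
            enabled = set(PPP_DEFAULTS)   # explicit 'no authentication ...' lines remove the defaults
            for l in body:
                if m := re.match(r"(no )?authentication (\S+)$", l):
                    enabled.discard(m[2]) if m[1] else enabled.add(m[2])
            if "ms-chap-v2" not in enabled:
                a.findings.append(("PPP_AUTH", f"{header.split()[1]} allows {sorted(enabled)}; "
                                   "Windows clients do not offer PAP unless it is enabled on the client"))
        elif header.startswith("aaa-server ") and "no mschapv2-capable" in body:
            a.findings.append(("RADIUS_NO_MSCHAPV2", f"{header}: MS-CHAPv2 requests are not sent to this server"))
    for l in top:
        if re.match(r"(ssh|http) 0\.0\.0\.0 0\.0\.0\.0 outside$", l):
            a.findings.append(("MGMT_EXPOSED", f"'{l}' exposes management to any source address"))
    return a


if __name__ == "__main__":
    result = audit_l2tp(SAMPLE_CONFIG)
    print("bound crypto maps:", result.bound_maps)
    print("transport-mode sets offered:", result.transport_sets_in_use)
    for code, detail in result.findings:
        print(f"[{code}] {detail}")
```

Run against the excerpt, the bound map `vpn` does offer a transport-mode set (`trans`), IKE is enabled on outside and NAT-T is on, so the IPsec side passes the basic checks; what the script flags is the unbound `outside_map`/`outside_map0` (so `LT2P_VPN` is never proposed), a PPP layer that accepts only PAP with a RADIUS server marked not MS-CHAPv2 capable, and SSH/HTTP management open to the whole internet on the outside interface. Feed it the full `show running-config` rather than the excerpt when working on a real device.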
ASKER CERTIFIED SOLUTION: available to members only.