https://community.cisco.com/t5/network-security/remote-access-vpn-over-udp-transport/m-p/1404501#M744669 <HTML><HEAD></HEAD><BODY><P>Oh.&nbsp; It was that nat-t-disable option that was screwing things up, it didn't need to be there <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Still, job done - and thanks for the reply.</P><P></P><P>Philip</P></BODY></HTML> Wed, 20 Jan 2010 19:34:13 GMT philipplant 2010-01-20T19:34:13Z https://community.cisco.com/t5/network-security/remote-access-vpn-over-udp-transport/m-p/1404498#M744653 <PRE>Hi folks, I have a Cisco ASA-5505 running 8.2(1), and I'm trying to configure it for remote access VPN connections using L2TP over IPsec.&nbsp; It completes Phase 1 with no problem.&nbsp; Then it picks up the correct dynamic crypto-map, but fails to negotiate an IPsec SA: Jan 20 18:29:38 [IKEv1]: Group = DefaultRAGroup, IP = x, PHASE 1 COMPLETED Jan 20 18:29:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x, processing IPSec SA payload Jan 20 18:29:39 [IKEv1]: Group = DefaultRAGroup, IP = x, IKE Remote Peer configured for crypto map: x-VPN Jan 20 18:29:39 [IKEv1]: Phase 2 failure:&nbsp; Mismatched attribute types for class Encapsulation Mode:&nbsp; Rcv'd: UDP Transport&nbsp; Cfg'd: Transport Jan 20 18:29:39 [IKEv1]: Phase 2 failure:&nbsp; Mismatched attribute types for class Encapsulation Mode:&nbsp; Rcv'd: UDP Transport&nbsp; Cfg'd: Transport Jan 20 18:29:39 [IKEv1]: Group = DefaultRAGroup, IP = x, All IPSec SA proposals found unacceptable! So the problem seems to be that the VPN client is requesting UDP transport, but the ASA will not accept it. Please would someone have a look at these snippets of config and tell me if there's something I've missed? crypto isakmp policy 119 authentication pre-share encryption 3des hash sha&nbsp;&nbsp;&nbsp;&nbsp; group 2 lifetime 86400 crypto ipsec transform-set TRANSPORT_ESP_3DES_SHA esp-3des esp-sha-hmac crypto ipsec transform-set TRANSPORT_ESP_3DES_SHA mode transport crypto dynamic-map x-VPN 10 set transform-set TRANSPORT_ESP_3DES_SHA crypto dynamic-map x-VPN 10 set nat-t-disable crypto map IPSECMap 103 ipsec-isakmp dynamic x-VPN group-policy DefaultRAGroup internal group-policy DefaultRAGroup attributes wins-server value 172.20.0.1 dns-server value 172.20.0.1 vpn-tunnel-protocol IPSec l2tp-ipsec ipsec-udp enable default-domain value x.local tunnel-group DefaultRAGroup general-attributes address-pool clientVPNpool authentication-server-group x default-group-policy DefaultRAGroup Thanks, Philip </PRE> Mon, 11 Mar 2019 16:59:21 GMT https://community.cisco.com/t5/network-security/remote-access-vpn-over-udp-transport/m-p/1404498#M744653 philipplant 2019-03-11T16:59:21Z https://community.cisco.com/t5/network-security/remote-access-vpn-over-udp-transport/m-p/1404499#M744660 <HTML><HEAD></HEAD><BODY><P>Missing transform-set.</P><P></P><P>-KS</P></BODY></HTML> Wed, 20 Jan 2010 19:18:47 GMT https://community.cisco.com/t5/network-security/remote-access-vpn-over-udp-transport/m-p/1404499#M744660 Kureli Sankar 2010-01-20T19:18:47Z https://community.cisco.com/t5/network-security/remote-access-vpn-over-udp-transport/m-p/1404500#M744666 <HTML><HEAD></HEAD><BODY><PRE>Missed that from my config snips above, added now.&nbsp; Any other thoughts please? Thanks, Philip </PRE></BODY></HTML> Wed, 20 Jan 2010 19:24:39 GMT https://community.cisco.com/t5/network-security/remote-access-vpn-over-udp-transport/m-p/1404500#M744666 philipplant 2010-01-20T19:24:39Z https://community.cisco.com/t5/network-security/remote-access-vpn-over-udp-transport/m-p/1404501#M744669 <HTML><HEAD></HEAD><BODY><P>Oh.&nbsp; It was that nat-t-disable option that was screwing things up, it didn't need to be there <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>Still, job done - and thanks for the reply.</P><P></P><P>Philip</P></BODY></HTML> Wed, 20 Jan 2010 19:34:13 GMT https://community.cisco.com/t5/network-security/remote-access-vpn-over-udp-transport/m-p/1404501#M744669 philipplant 2010-01-20T19:34:13Z