Solved: Re: L2TP don't work in some Windows10 Client and in other yes

AlexBar76 · ‎01-19-2022

Hi All,

I've been configure an L2TP connection on a cisco router cp 1111-8p ios-xe with this parameters

vpdn enable

vpdn-group 1
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
 
interface Virtual-Template1
 ip unnumbered Loopback100
 peer default ip address pool test
 ppp authentication chap callout
 ppp ipcp dns 4.2.2.1 4.2.2.2
end
 
ip local pool test 10.1.1.2 10.1.1.100 

Then i've configure my w10 client using the vpn software enbedded on w10 ... all ok the l2tp works fine, then take another 
client w10 and doing the same thing but doesn't work and the router return this error
Jan 19 15:52:17.586: %CRYPTO-5-IKMP_SETUP_FAILURE: IKE SETUP FAILED for local:public ip of the client local_id:public ip of the client remote:public ip remote remote_id:public ip remote IKE profile:None fvrf:None fail_reason:Proposal failure fail_class_cnt:1
try to use another client doing the same error.
only one up tree works, all clients had the same updates annd sw version

please anyone can help me ?

MHM Cisco World · ‎01-24-2022

https://social.technet.microsoft.com/Forums/Azure/en-US/75d78372-185e-4df0-900f-7e9da73cc20f/l2tp-no-ipsec-to-cisco-2901-from-win10-use-wrong-port?forum=win10itpronetworking

View solution in original post

balaji.bandi · ‎01-19-2022

what is the IOS XE version, also check what is the difference between working vs not working, any windows patches extra ? different ISP ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

AlexBar76 · ‎01-19-2022

Hi the cisco sw version is the 16.09.02

the w10 client have the same os version and the same patchs

i have also try to change isp and the machine that works still to work fine if i do the same with the w10 that do not work have the same result

balaji.bandi · ‎01-19-2022

Run complete debug on router, also run wireshark capture what is wrong ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

AlexBar76 · ‎01-19-2022

the debug on the router return that all negotiations are ok in the connection that work

and for the connection that do not work return this

Jan 19 15:52:17.586: %CRYPTO-5-IKMP_SETUP_FAILURE: IKE SETUP FAILED for local:public ip of the client local_id:public ip of the client remote:public ip remote remote_id:public ip remote IKE profile:None fvrf:None fail_reason:Proposal failure fail_class_cnt:1

balaji.bandi · ‎01-19-2022

troubleshoot from windows side :

https://docs.microsoft.com/en-us/troubleshoot/windows-client/networking/l2tp-ipsec-vpn-client-connection-issue

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

AlexBar76 · ‎01-19-2022

Thanks..

as i told you the two client windows are configured in the same way

One work the other not

balaji.bandi · ‎01-20-2022

as i told you the two client windows are configured in the same way

we understand - since you have problem you need to troubleshoot to get bottom of the problem, since we can only suggest based on the information we have here.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

MHM Cisco World · ‎01-19-2022

this debug show IPSec over L2TP, are you config any IPSec?

check windows if the Ipsec is enable with L2TP.

AlexBar76 · ‎01-23-2022

The VDPN in W10 had the L2TP / IPSEC selected

I've check Security >Type of VPN >Layer 2 Tunneling Protocol with IPsec

No encryption allowed

Like the other w10 that work fine

I can share the router configuration if must be an help

MHM Cisco World · ‎01-21-2022

friend
IPSec SA like encrypt hash...etc is different between each window OS, so if it work in some it failed in other, check IPSec I think the L2TP is OK.

AlexBar76 · ‎01-24-2022

How can i Check the ipsec on the router if i have configured the l2tp ?

There is an IPSec configured and the crypto is applyed on the outside interface because i have an ipsec isakmp vpn

MHM Cisco World · ‎01-24-2022

can you share the config of the router ?

AlexBar76 · ‎01-24-2022

here the conf

!
!
version 16.9
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 9 $9$R.dF66pVmIN14U$tBfVtx7OIjBCns0YjcfmjEb/pPuc0tqEevacIIlRj8M
!
no aaa new-model
!
!
!
!
!
!
!
ip domain name
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3881647904
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3881647904
revocation-check none
rsakeypair TP-self-signed-3881647904
!
!

!
diagnostic bootup level minimal
!
spanning-tree extend system-id
spanning-tree vlan 1,20-21,25-26,30,50 priority 8192
!
!
username nnnnn privilege 15 secret 9 S5/Sa8HWRSuqXBLMWyo
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
no cdp run
!
track 1 ip sla 1
!
!
!
crypto logging session
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 43334rfr4431 address xx.xx.xx.xxx
crypto isakmp key ssswwxxedqdd! address xx.xx.xx.xx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map SDM_CMAP_1 local-address Vlan100
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer xx.xx.xx.xx
set peer xx.xx.xx.xx
set transform-set ESP-3DES-SHA
match address VPN-TO-xxx
!
!
!
!
!
!
!
!
interface Loopback0
ip address 172.30.16.254 255.255.255.255
!
interface Loopback100
no ip address
!
interface Tunnel1
bandwidth 1000
ip address 172.30.0.254 255.255.255.0
no ip redirects
ip nhrp network-id 1
ip tcp adjust-mss 1350
ip ospf network broadcast
ip ospf priority 2
delay 1000
tunnel source GigabitEthernet0/0/0
tunnel mode gre multipoint
!
interface GigabitEthernet0/0/0
ip address 10.0.146.254 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.20
encapsulation dot1Q 20
ip address 172.21.0.20 255.255.255.192
!
interface GigabitEthernet0/0/1.21
encapsulation dot1Q 21
ip address 172.21.1.20 255.255.255.192
!
interface GigabitEthernet0/0/1.25
encapsulation dot1Q 25
ip address 172.21.21.20 255.255.255.192
!
interface GigabitEthernet0/0/1.26
encapsulation dot1Q 26
ip address 172.21.22.20 255.255.255.192
ip nat inside
!
interface GigabitEthernet0/0/1.30
encapsulation dot1Q 30
ip address 172.20.1.148 255.255.255.128
!
interface GigabitEthernet0/1/0
description OUTSIDE
switchport access vlan 100
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet0/1/1
description TRUNK-INTERNAL-VLAN
switchport trunk native vlan 110
switchport trunk allowed vlan 40,101-103,110
switchport mode trunk
spanning-tree portfast trunk
!
interface GigabitEthernet0/1/2
shutdown
!
interface GigabitEthernet0/1/3
shutdown
!
interface GigabitEthernet0/1/4
shutdown
!
interface GigabitEthernet0/1/5
shutdown
!
interface GigabitEthernet0/1/6
shutdown
!
interface GigabitEthernet0/1/7
shutdown
!
interface Virtual-Template1
ip unnumbered Loopback100
peer default ip address pool test
ppp authentication chap callout
ppp ipcp dns 4.2.2.1 4.2.2.2
!
interface Vlan1
no ip address
!
interface Vlan40
description
ip address 10.0.174.253 255.255.255.0
standby 1 ip 10.0.174.254
standby 1 priority 150
!
interface Vlan100
description WAN-CISCO
ip address 2.117.211.194 255.255.255.252
ip nat outside
crypto map SDM_CMAP_1
!
interface Vlan101
description
ip address 10.0.171.253 255.255.255.0
ip nat inside
standby 1 ip 10.0.171.254
standby 1 priority 150
!
interface Vlan102
description
ip address 10.0.173.253 255.255.255.0
standby 1 ip 10.0.173.254
standby 1 priority 150
!
interface Vlan103
description
ip address 10.0.172.253 255.255.255.0
standby 1 ip 10.0.172.254
standby 1 priority 150
!
interface Vlan110
description
ip address 10.0.145.253 255.255.255.0
ip nat inside
standby 1 ip 10.0.145.254
standby 1 priority 150
!
router ospf 1
router-id 172.30.16.254
passive-interface Loopback0
network 172.16.1.0 0.0.0.255 area 0
network 172.20.1.128 0.0.0.127 area 0
network 172.21.0.0 0.0.0.63 area 0
network 172.21.1.0 0.0.0.63 area 0
network 172.21.21.0 0.0.0.63 area 0
network 172.21.22.0 0.0.0.63 area 0
network 172.30.0.0 0.0.0.255 area 0
network 172.30.16.254 0.0.0.0 area 0
!
ip local pool test 10.1.1.2 10.1.1.100
ip nat inside source static tcp 10.0.171.250 22 2.117.211.194 24 extendable
ip nat inside source static tcp 10.0.145.251 443 2.117.211.194 443 extendable
ip nat inside source list NAVIGAZIONE interface Vlan100 overload
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip tftp source-interface GigabitEthernet0/0/0
ip route 10.0.1.0 255.255.255.0 2.117.211.193 track 1
ip route 10.0.1.0 255.255.255.0 10.0.146.253 10 track 1
ip route 0.0.0.0 0.0.0.0 2.117.211.193 track 1
ip route 0.0.0.0 0.0.0.0 2.117.211.193
ip route 10.1.47.0 255.255.255.0 10.0.145.251
ip ssh version 2
!
!
ip access-list extended MANAGEMENT
permit tcp 94.124.48.0 0.0.0.255 any eq 22
permit tcp host 89.96.177.201 any eq 22
permit tcp host 88.50.156.171 any eq 22
permit tcp host 217.133.194.150 any eq 22
permit tcp host 217.133.194.150 any eq 24
permit ip 10.0.1.0 0.0.0.255 any
permit ip 10.0.146.0 0.0.0.255 any
permit ip 10.0.145.0 0.0.0.255 any
deny ip any any log
ip access-list extended NAVIGAZIONE
deny ip 10.0.145.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 10.0.145.0 0.0.0.255 10.1.47.0 0.0.0.255
deny ip 10.0.145.0 0.0.0.255 195.1.0.0 0.0.1.255
deny ip 10.0.145.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 10.0.145.0 0.0.0.255 10.0.1.0 0.0.0.255
deny ip 10.0.146.0 0.0.0.255 10.0.1.0 0.0.0.255
deny ip 10.0.171.0 0.0.0.255 10.0.1.0 0.0.0.255
deny ip 10.0.171.0 0.0.0.255 195.1.0.0 0.0.1.255
deny ip 10.0.172.0 0.0.0.255 10.0.1.0 0.0.0.255
deny ip 10.0.173.0 0.0.0.255 10.0.1.0 0.0.0.255
deny ip 172.21.22.0 0.0.0.255 10.0.1.0 0.0.0.255
deny ip 172.21.21.0 0.0.0.255 10.0.1.0 0.0.0.255
permit ip 10.0.145.0 0.0.0.255 any
permit ip host 172.21.22.24 any
permit ip 172.21.21.0 0.0.0.255 any
permit ip 10.0.171.0 0.0.0.255 any
ip access-list extended VPN-TO-xxx
permit ip 10.0.145.0 0.0.0.255 10.0.1.0 0.0.0.255
permit ip 10.0.145.0 0.0.0.255 195.1.0.0 0.0.1.255
permit ip 10.0.146.0 0.0.0.255 10.0.1.0 0.0.0.255
permit ip 172.20.0.0 0.0.1.255 10.0.1.0 0.0.0.255
permit ip 172.21.0.0 0.0.1.255 10.0.1.0 0.0.0.255
permit ip 172.16.96.0 0.0.31.255 10.0.1.0 0.0.0.255
permit ip 172.16.128.0 0.0.31.255 10.0.1.0 0.0.0.255
permit ip 10.0.171.0 0.0.0.255 10.0.1.0 0.0.0.255
permit ip 10.0.172.0 0.0.0.255 10.0.1.0 0.0.0.255
permit ip 10.0.173.0 0.0.0.255 10.0.1.0 0.0.0.255
permit ip 172.21.21.0 0.0.0.255 10.0.1.0 0.0.0.255
permit ip 172.21.22.0 0.0.0.255 10.0.1.0 0.0.0.255
permit ip 172.21.24.0 0.0.0.255 10.0.1.0 0.0.0.255
permit ip 172.21.25.0 0.0.0.255 10.0.1.0 0.0.0.255
!
ip sla 1
icmp-echo 8.8.8.8 source-interface Vlan110
ip sla schedule 1 life forever start-time now
!
!
!
!
control-plane
!
!
line con 0
login local
transport input none
stopbits 1
line vty 0
access-class MANAGEMENT in
login local
transport input telnet ssh
line vty 1
access-class MANAGEMENT in
no activation-character
login local
no exec
transport preferred none
transport input telnet ssh
stopbits 1
line vty 2 4
access-class MANAGEMENT in
login local
transport input telnet ssh
line vty 5 15
access-class MANAGEMENT in
login local
transport input telnet ssh
!
!
!
!
!
!
end

MHM Cisco World · ‎01-24-2022

https://social.technet.microsoft.com/Forums/Azure/en-US/75d78372-185e-4df0-900f-7e9da73cc20f/l2tp-no-ipsec-to-cisco-2901-from-win10-use-wrong-port?forum=win10itpronetworking