01-15-2024 05:14 AM
Hi,
I have a problem with ASA5506-X 9.8(2) since I cannot create an L2TP VPN to the ASA5506-X through ASDM. After completing the wizard I get an error that NAT is not complete.
I remember from the old ASA5505 that it was easy to create a NAT exempt rule. Now I cannot find it anymore. I am not very familiar with NAT creation by CLI, so I see only a "dark tunnel" in front of me.
So, can someone help me create the necessary NAT to enable remote access to the internal LAN through the ASA 5506-X in order to support L2TP RA VPN to the inside interface? I would like to enable the split tunnel option and use a NAT exempt rule that I cannot create by ASDM. Let the L2TP pool be e.g. 10.10.10.0/24.
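As an added example (not posted by anyone in this thread), this is the CLI form of the NAT exemption the question asks for, using the 10.10.10.0/24 pool from the post. It assumes interface nameifs "inside" (the BVI or inside interface) and "outside"; 192.168.1.0/24 is a placeholder for the real inside LAN, and the object, pool and ACL names are made up for the example.

```cisco
! Added example: identity ("NAT exempt") twice NAT for L2TP clients reaching the inside LAN.
! Assumed nameifs: "inside" and "outside". 192.168.1.0/24 is a placeholder for the real LAN.
object network INSIDE-LAN
 subnet 192.168.1.0 255.255.255.0
object network L2TP-CLIENTS
 subnet 10.10.10.0 255.255.255.0
!
! Identity NAT: traffic between INSIDE-LAN and the VPN pool keeps its real addresses
! in both directions. no-proxy-arp stops the ASA answering ARP for the pool on the
! inside segment; route-lookup makes egress follow the routing table, not the NAT pair.
nat (inside,outside) 1 source static INSIDE-LAN INSIDE-LAN destination static L2TP-CLIENTS L2TP-CLIENTS no-proxy-arp route-lookup
!
! Pool and split tunnel: only the inside LAN goes through the tunnel, everything else
! stays local to the client. The pool must not overlap the inside subnet.
ip local pool L2TP-ADDR-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
group-policy DefaultRAGroup attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP-ADDR-POOL
!
! Verify: the translate_hits / untranslate_hits counters on the identity rule should
! increase when a connected client reaches the LAN.
show nat detail
```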
02-11-2024 11:07 PM
First, add more options for the encryption, hash and group of phase 1:
crypto ikev1 policy 100
authentication pre-share
encryption 3des des
hash sha md5
group 2 5
lifetime 86400
then share again:
show crypto ikev1 sa
show vpn-sessiondb detail ra-ikev1-ipsec filter protocol l2tpOverIpsec
Also, can you confirm that you adjusted the client PC for your split tunnel config? Can I see from the client PC:
L2TP VPN Properties page
advanced TCP/IP setting
MHM
02-12-2024 12:01 AM
hi MHM,
I cannot add both 3des and des... obviously there is a problem with the syntax that is preventing me from adding two encryption types.
There is no special configuration part to enable split tunneling at win10 PC.
There is only:
CONNECTION NAME, IP ADDRESS, VPN TYPE: L2TP/IPsec with PSK type, FIELD for PSK, USER and PASS.
02-12-2024 12:27 AM
Add a new policy:
crypto ikev1 policy 110
authentication pre-share
encryption des
hash md5
group 5
lifetime 86400
Also, what is the OS of the client PC?
MHM
02-12-2024 11:35 AM
Hi MHM,
I have restored the old config without L2TP and tried to do the config again following some web instructions. The result seems to be better; there are no red marks in the log. Check it please:
02-11-2024 03:15 AM - edited 02-11-2024 03:17 AM
Please provide the L2TP configuration you have used.
Are you using the ASA (BVI interfaces) as a switch? If not, I would recommend removing the BVI configuration from the device and replacing it with regular ASA interface configuration. I have seen quite a few unexpected behaviors with the integration of to-the-box traffic (i.e. VPN traffic) when using BVI.
02-11-2024 04:17 AM
Hi Marius,
Yes, I am using the ASA as a GB switch. I do not know how I can remove the BVI configuration, other than using one port per interface. Is there another way? My old ASA5505 did not have this problem with BVI. There I had to make one rule that applied to one interface with 4-6 physical ports.
02-11-2024 04:42 AM - edited 02-11-2024 04:39 PM
..
02-12-2024 12:50 PM
Can you please take screenshots of your wizard and Win 10 VPN config
and send them to me as a PM?
Thanks a lot
MHM
02-12-2024 01:07 PM
Dear MHM,
I used the following procedure:
This is my other Windows 7 PC, but the VPN connection is the same as on the Windows 10 PC:
02-14-2024 10:57 PM
The screenshot you shared is correct.
The log I pointed to is related to a phase 1 mismatch issue.
Can you try to connect and share:
debug crypto isakmp <<-
MHM
02-15-2024 09:22 AM - edited 02-15-2024 09:24 AM
There it is:
mojaasa02(config)# debug crypto isakmp
mojaasa02(config)# Feb 15 16:32:44 [IKEv1]Group = 37.244.199.129, IP = 37.244.199.129, Can't find a valid tunnel group, aborting...!
Feb 15 16:32:45 [IKEv1]IP = 37.244.199.129, Header invalid, missing SA payload! (next payload = 4)
Feb 15 16:32:46 [IKEv1]IP = 37.244.199.129, Header invalid, missing SA payload! (next payload = 4)
Feb 15 16:32:49 [IKEv1]IP = 37.244.199.129, Header invalid, missing SA payload! (next payload = 4)
Feb 15 16:32:56 [IKEv1]IP = 37.244.199.129, Header invalid, missing SA payload! (next payload = 4)
Feb 15 16:33:11 [IKEv1]IP = 37.244.199.129, Header invalid, missing SA payload! (next payload = 4)
You are looking at an old log screenshot, since I tried to create a new tunnel, this time without split tunnel according to another tutorial. The resulting log I posted to you yesterday at:
02-12-2024 11:35 AM
Below is that log:
No red lines any more. It should be better.
02-15-2024 09:45 AM
Dear MHM,
Should the IP pool be the same as the INSIDE subnet or not?
02-15-2024 10:05 AM
1- For the pool subnet: it must be different from Inside.
2- Add SVC to the group-policy:
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol svc l2tp-ipsec
3- For the username you add to the ASA local DB, follow this guide and check the green note I added below:
https://www.speaknetworks.com/configuring-l2tp-ipsec-vpn-cisco-asa/
username vpnuser password PASS123 mschap <<- this is needed at the end of the username/password line
02-15-2024 10:14 AM
Do the same steps as you did in the original post (split and l2tp/ipsec) and only modify the group-policy vpn-tunnel-group and add the username correctly.
MHM