08-08-2008 12:39 AM - edited 03-11-2019 06:28 AM
Hi,
I have configured a PIX, running v803 software, to allow L2TP/IPSEC VPN connections using the Windows VPN client. It was working fine for a while. However, now clients can no longer connect. Now in the debugs I get 'No valid authentication type found for the tunnel group'. If I look on the RADIUS server (Windows Server running IAS) I see no authentication attempts. The output of the debug is attached.
My config is:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map vpnmap_dynmap 40 set transform-set ESP-3DES-SHA
crypto map vpnmap 65535 ipsec-isakmp dynamic vpnmap_dynmap
crypto map vpnmap interface outside2
crypto isakmp identity address
crypto isakmp enable outside2
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 172.22.x.x
dns-server value 172.22.x.x
group-policy DefaultRAGrpup internal
aaa-server AUTHSERVER protocol radius
aaa-server AUTHSERVER host server
key ************
tunnel-group DefaultRAGroup general-attributes
authentication-server-group AUTHSERVER
default-group-policy DefaultRAGroup
dhcp-server dc1
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp ikev1-user-authentication (outside2) none
tunnel-group DefaultRAGroup ppp-attributes
no authentication ms-chap-v1
authentication ms-chap-v2
crypto isakmp identity address
crypto isakmp enable outside2
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 40
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 80
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
Any help would be greatly appreciated.
Thanks
08-08-2008 01:26 AM
Try adding the following command to your config:
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
Since the Windows 2000 L2TP/IPsec client uses IPsec transport mode, set the mode to transport. The default is tunnel mode.
crypto ipsec transform-set ESP-3DES-SHA mode transport
Also make sure the configuration of your client is right.
Also, from your PIX, try to test the authentication with Windows IAS through the command. I am not sure, but it should be something like
test authentication aaa
or test aaa, and try with ? to find out the right command.
In this case you can make sure the authentication is passing from the PIX to the Windows box.
Good luck.
Please rate if helpful.
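Added example, not part of the thread and not Cisco code: a small Python check for the two settings the reply above names (`mode transport` on the transform set used by the dynamic map, and `l2tp-ipsec` in the `vpn-tunnel-protocol` of the tunnel group's default group policy). The function name `check_l2tp_prereqs` and the samples `BEFORE` and `AFTER` are hypothetical; the samples are constructed from config lines quoted in this thread, and the parser assumes the unindented layout shown on the page.

```python
# Constructed sample: relevant lines from the first post, unindented as on the page.
BEFORE = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map vpnmap_dynmap 40 set transform-set ESP-3DES-SHA
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server value 172.22.x.x
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
"""
# Constructed sample: the same lines plus the commands suggested in the reply.
AFTER = BEFORE + """\
crypto ipsec transform-set ESP-3DES-SHA mode transport
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol IPsec l2tp-ipsec
"""


def check_l2tp_prereqs(config: str) -> list[str]:
    """Report which of the two settings from the reply are missing."""
    transport, used, protocols, defaults = set(), set(), {}, set()
    policy = None  # group-policy whose attributes section we are reading
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["crypto", "ipsec", "transform-set"] and w[4:6] == ["mode", "transport"]:
            transport.add(w[3])
        elif w[:2] == ["crypto", "dynamic-map"] and "transform-set" in w:
            used.update(w[w.index("transform-set") + 1:])
        elif w[:1] == ["group-policy"] and len(w) >= 3:
            policy = w[1] if w[2] == "attributes" else None
        elif w[:1] == ["tunnel-group"]:
            policy = None  # a tunnel-group line ends any group-policy section
        elif w[:1] == ["vpn-tunnel-protocol"] and policy:
            protocols.setdefault(policy, set()).update(p.lower() for p in w[1:])
        elif w[:1] == ["default-group-policy"] and len(w) > 1:
            defaults.add(w[1])
    findings = [f"transform-set {n}: mode transport not set"
                for n in sorted(used - transport)]
    findings += [f"group-policy {n}: vpn-tunnel-protocol lacks l2tp-ipsec"
                 for n in sorted(defaults)
                 if "l2tp-ipsec" not in protocols.get(n, set())]
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, check_l2tp_prereqs(cfg) or "both settings present")
```

An empty result only means both settings are present in the text; it does not show that the tunnel group's authentication is otherwise configured correctly.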
08-08-2008 03:15 AM
Hi, I have made the changes as above:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA mode transport
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol IPsec l2tp-ipsec
Also, the aaa-server authentication test came back successful. However, I still have the same problem.
Thanks
08-08-2008 04:10 AM
Have a look at this example config link; it should be helpful.
These config steps are also useful:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html
and let me know if it worked.
Please rate if helpful.