
1841 authentication issues when creating L2TP/IPSec VPN for client access.

accarda
Level 1

Hello everyone,

hopefully you might give me some idea on what to look for in order to solve this issue.

 

I'm trying to set up L2TP/IPSec access on my 1841 in order to allow my Mac client to access it when outside.

This is a second step of an already working config that I have about accessing my 1841 via IPSec, which works fine.

But I'd like to set up L2TP/IPSec, because on recent Mac OS X versions they have left an option to "forward all traffic through VPN" only when you use L2TP; when using the native Cisco IPSec client mode, Mac OS X won't have such an option.

 

So I checked on this forum and found a possible configuration to try, but I'm having issues I believe with L2TP authentication.

I was following this discussion https://community.cisco.com/t5/security-documents/l2tp-over-ipsec-on-cisco-ios-router-using-windows-8/ta-p/3142831/show-comments/true

 

Consider that I have already tested my Mac OS X as a client with another router, where I have successfully enabled L2TP/IPSec with no issues in the same environment of an access router behind NAT.
So I have forwarded all 3 UDP ports 500, 1701 and 4500 to reach my 1841.

In the Cisco config for only IPSec I use only 500 and 4500 indeed and it works fine.

 

What I can see right now is that the IPSec portion works, as I can see traces of my client accessing and establishing the connection, but then the VPN client terminates saying authentication failed.

 

Here below is the relevant part of the current config that I'm testing on my 1841; I have checked the IPSec secret and the L2TP username/password to make sure there is no typo during login, but still no success authenticating.

aaa new-model
!
!
aaa authentication ppp VPDN_AUTH local
!
!
aaa session-id common
!
ip cef
no ip domain lookup
ip domain name ddns.net
ip name-server 208.67.222.222
ip name-server 208.67.220.220
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
username USER privilege 15 secret 5 XXXXXXXXXX
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key SECRET address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map EXT_DYNAMIC_MAP 10
 set nat demux
 set transform-set L2TP-Set2
!
!
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
!
!
interface Loopback1
 description Loopback-IPSec-pool
 ip address 10.10.20.1 255.255.255.255
!
interface FastEthernet0/1
 ip address 192.168.1.2 255.255.255.248
 ip access-group WAN in
 ip verify unicast reverse-path
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed 100
 crypto map EXT_MAP
!
!
interface Virtual-Template1
 ip unnumbered Loopback1
 peer default ip address pool VPN_CLIENT_POOL
 ppp authentication ms-chap-v2 VPDN_AUTH
!
ip local pool VPN_CLIENT_POOL 10.10.20.2 10.10.20.100
!
ip nat inside source static udp 192.168.1.2 500 192.168.1.2 500 extendable
ip nat inside source static udp 192.168.1.2 1701 192.168.1.2 1701 extendable
ip nat inside source static udp 192.168.1.2 4500 192.168.1.2 4500 extendable
!
ip access-list extended WAN
 permit udp any host 192.168.1.2 eq isakmp
 permit udp any host 192.168.1.2 eq 1701
 permit udp any host 192.168.1.2 eq non500-isakmp
!

Thanks in advance for any suggestion that you can provide.

Regards,

Armando.

3 Replies

Deepak Kumar
VIP Alumni

Hi,

Sorry, I missed the description. So I deleted.

 

Regards,

Deepak Kumar


Hi Deepak,

Those ports are correctly forwarded to the Cisco.

 

Here is the sh ip access-list WAN output:

Extended IP access list WAN
10 permit udp any host 192.168.1.2 eq isakmp (31 matches)
20 permit udp any host 192.168.1.2 eq 1701 (108 matches)
30 permit udp any host 192.168.1.2 eq non500-isakmp (252 matches)

 

These are my tests in trying to access the VPN, and you can see several matches on all those ports from the outside Internet.

As I said, this config works fine when I set the same for accessing the VPN only with IPSec (where the definition for UDP 1701 is not there, of course).

 

Regards,

Armando.

accarda
Level 1

Actually, to add to this, I have checked with debug vpdn for some error and I have got this portion of the report, where it says some vendor issues. Maybe Mac OS X L2TP/IPSec is not compatible with Cisco IOS?

 

7:37:48.841 CET: L2TP tnl   0100F:000070FD:   VPDN Session count now 1
019278: Feb 22 17:37:48.841 CET: L2TP _____:0100F:00000011: VPDN: process AVPs
019279: Feb 22 17:37:48.841 CET: L2TP _____:0100F:00000011: Local AC is now UP
019280: Feb 22 17:37:48.841 CET: L2TP _____:0100F:00000011: Remote AC is now UP
019281: Feb 22 17:37:48.841 CET: L2TP _____:0100F:00000011:
019282: Feb 22 17:37:48.861 CET: L2TP _____:0100F:00000011:   App type set to VPDN
019283: Feb 22 17:37:48.861 CET: L2TP 00010:0100F:00000011:   Session classname VPDN group L2TP ip addr 0.0.0.0
019284: Feb 22 17:37:48.861 CET: L2TP 00010:0100F:00000011:   UDP checksum ignore is enabled
019285: Feb 22 17:37:48.861 CET: L2TP 00010:0100F:00000011:   Framing set to sync
019286: Feb 22 17:37:48.861 CET: L2TP 00010:0100F:00000011:   Bearer set to none
019287: Feb 22 17:37:48.861 CET: L2TP 00010:0100F:00000011:   group set to "VPDN group L2TP ip addr 0.0.0.0"
019288: Feb 22 17:37:48.861 CET: L2TP 00010:0100F:00000011: FSM-Sn ev ICRQ-OK
019289: Feb 22 17:37:48.865 CET: L2TP 00010:0100F:00000011: FSM-Sn    Proc-ICRQ->Wt-Tx-ICRP
019290: Feb 22 17:37:48.865 CET: L2TP 00010:0100F:00000011: FSM-Sn do Tx-ICRP-Local-Check
019291: Feb 22 17:37:48.865 CET: L2TP 00010:0100F:00000011: FSM-Sn ev Local-Cont
019292: Feb 22 17:37:48.865 CET: L2TP 00010:0100F:00000011: FSM-Sn    Wt-Tx-ICRP->Wt-Rx-ICCN
019293: Feb 22 17:37:48.865 CET: L2TP 00010:0100F:00000011: FSM-Sn do Tx-ICRP
019294: Feb 22 17:37:48.865 CET: L2TP 00010:0100F:00000011: Open sock 192.168.1.2:1701->W.X.Y.Z:53113
019295: Feb 22 17:37:48.865 CET: L2TP 00010:0100F:00000011: FSM-Sn ev Sock-Ready
019296: Feb 22 17:37:48.865 CET: L2TP 00010:0100F:00000011: FSM-Sn    in Wt-Rx-ICCN
019297: Feb 22 17:37:48.865 CET: L2TP 00010:0100F:00000011: FSM-Sn do Ignore-Sock-Up
019298: Feb 22 17:37:48.869 CET: L2TP 00010:0100F:00000011:
019299: Feb 22 17:37:48.873 CET: L2TP 00010:0100F:00000011: FSM-Sn ev DP-Setup
          0: Feb 22 17:37:48.873 CET: L2TP 00010:0100F:00000011: FSM-Sn    in Wt-Rx-ICCN
019301: Feb 22 17:37:48.873 CET: L2TP 00010:0100F:00000011: FSM-Sn do Ignore-DP-Setup
019302: Feb 22 17:37:49.005 CET: L2TP tnl   0100F:000070FD: Control connection authentication skipped/passed.
019303: Feb 22 17:37:49.005 CET: L2TP 00010:0100F:00000011: FSM-Sn ev Rx-ICCN
019304: Feb 22 17:37:49.005 CET: L2TP 00010:0100F:00000011: FSM-Sn    Wt-Rx-ICCN->Proc-ICCN
019305: Feb 22 17:37:49.005 CET: L2TP 00010:0100F:00000011: FSM-Sn do Rx-ICCN
019306: Feb 22 17:37:49.005 CET: L2TP 00010:0100F:00000011:   MTU is 65535
019307: Feb 22 17:37:49.009 CET: L2TP 00010:0100F:00000011: Session data plane UP
019308: Feb 22 17:37:49.009 CET: L2TP 00010:0100F:00000011: VPDN: process AVPs
019309: Feb 22 17:37:49.009 CET: L2TP 00010:0100F:00000011:
019310: Feb 22 17:37:49.009 CET: L2TP 00010:0100F:00000011: FSM-Sn ev ICCN-OK
019311: Feb 22 17:37:49.009 CET: L2TP 00010:0100F:00000011: FSM-Sn    Proc-ICCN->established
019312: Feb 22 17:37:49.009 CET: L2TP 00010:0100F:00000011: FSM-Sn do Established
019313: Feb 22 17:37:49.009 CET: L2TP 00010:0100F:00000011: Session up
019314: Feb 22 17:37:49.009 CET: L2TP 00010:0100F:00000011:   192.168.1.2<->W.X.Y.255

019315: Feb 22 17:37:52.125 CET: L2TP tnl   0100F:000070FD: Control connection authentication skipped/passed.
019316: Feb 22 17:37:52.125 CET: L2TP 00010:0100F:00000011: FSM-Sn ev Rx-CDN
019317: Feb 22 17:37:52.125 CET: L2TP 00010:0100F:00000011: FSM-Sn    established->Idle
019318: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011: FSM-Sn do Rx-CDN
019319: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011: VPDN: process AVPs
019320: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011:
019321: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011: Shutting down session
019322: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011:   Result Code
019323: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011:     Reserved (0)
019324: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011:   Error Code
019325: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011:     No error (0)
019326: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011:   Vendor Error
019327: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011:     None (0)
019328: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011:
019329: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011: FSM-Sn ev Shut
019330: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011: FSM-Sn    Idle->Dead
019331: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011: FSM-Sn do Destroy
019332: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011:
019333: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011: Session down
019334: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011:   192.168.1.2<->W.X.Y.255
019335: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011: Destroying session
019336: Feb 22 17:37:52.133 CET: L2TP 00010:0100F:00000011: Request teardown data plane
019337: Feb 22 17:37:52.133 CET: L2TP tnl   0100F:000070FD: FSM-CC ev Session-Disc
019338: Feb 22 17:37:52.133 CET: L2TP tnl   0100F:000070FD: FSM-CC    in established
019339: Feb 22 17:37:52.133 CET: L2TP tnl   0100F:000070FD: FSM-CC do Session-Disc-Est
019340: Feb 22 17:37:52.133 CET: L2TP tnl   0100F:00007
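The useful part of a trace like the one above is the Rx-CDN block: the session came up, the peer sent a Call-Disconnect-Notify about three seconds later, and the Result, Error and Vendor codes are all zero, so L2TP itself reports nothing wrong. Here is an added example (mine, not from the thread or from Cisco) that parses "debug vpdn" session lines in this format, collects the FSM events and CDN codes per session id, and says which layer to debug next; the sample log is constructed from the quoted output, and the line format is assumed from it.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the "debug vpdn" session lines quoted above
SAMPLE_LOG = """\
019313: Feb 22 17:37:49.009 CET: L2TP 00010:0100F:00000011: Session up
019316: Feb 22 17:37:52.125 CET: L2TP 00010:0100F:00000011: FSM-Sn ev Rx-CDN
019322: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011:   Result Code
019323: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011:     Reserved (0)
019324: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011:   Error Code
019325: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011:     No error (0)
019326: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011:   Vendor Error
019327: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011:     None (0)
019333: Feb 22 17:37:52.129 CET: L2TP 00010:0100F:00000011: Session down
"""
# seq: timestamp TZ: L2TP <session id or "tnl <id>">: message (assumed layout)
LINE = re.compile(r"^\d+: (\w{3} +\d+ [\d:.]+) \w+: L2TP (\S+(?: +\S+)?): ?(.*)$")
CODE = re.compile(r"^(.*?) \((\d+)\)$")        # e.g. "No error (0)"
AVPS = ("Result Code", "Error Code", "Vendor Error")

def parse_sessions(log):
    """Group debug lines by L2TP id; collect FSM events, CDN codes, up/down times."""
    sessions, pending = {}, None
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, sid, msg = m.groups()
        s = sessions.setdefault(sid, {"events": [], "codes": {}, "up": None, "down": None})
        text = msg.strip()
        if text.startswith("FSM-Sn ev "):
            s["events"].append(text[len("FSM-Sn ev "):])
        elif text in AVPS:                     # the value is on the next line
            pending = text
        elif pending and CODE.match(text):
            s["codes"][pending] = int(CODE.match(text).group(2))
            pending = None
        elif text in ("Session up", "Session down"):
            s[text.split()[1]] = datetime.strptime(ts, "%b %d %H:%M:%S.%f")
    return sessions

def diagnose(s):
    """Point at the layer to inspect next, based on how the session ended."""
    if any(s["codes"].values()):
        return "L2TP reported an error in the CDN: %s" % s["codes"]
    if "Rx-CDN" in s["events"] and s["codes"]:
        life = (s["down"] - s["up"]).total_seconds() if s["up"] and s["down"] else float("nan")
        return ("peer closed the session after %.2f s with no L2TP or vendor error; "
                "IPsec and L2TP came up, so debug PPP authentication next" % life)
    return "session did not end with a CDN from the peer"
```

Run it over a full `debug vpdn` capture and each session id gets one verdict; a non-zero Result or Error code is the case where L2TP itself is the problem.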