Jeet Kumar
Cisco Employee

Introduction:

This document describes how to configure L2TP over IPsec between a Cisco ASA and a Windows 7 machine using the native Windows VPN client.

 

Prerequisites

This document requires a basic understanding of the IPsec protocol. To learn more about IPsec, please refer to An Introduction to IP Security (IPSec) Encryption.

 

Components Used:

Cisco Adaptive Security Appliance Software Version 8.4(2)

Cisco ASA 5520

Windows 7 machine

 

Diagram:

  

 

Configuration on Cisco ASA:

ASA Version 8.4(2)
!
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 47.47.47.100 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!

object network local_lan
 subnet 192.168.2.0 255.255.255.0
!
object network obj_192.168.2.0
 subnet 192.168.2.0 255.255.255.0
!
object network obj_192.168.100.0
 subnet 192.168.100.0 255.255.255.0
!
!
ip local pool L2TP-Pool 192.168.100.1-192.168.100.100 mask 255.255.255.0
!
!
nat (inside,outside) source static obj_192.168.2.0 obj_192.168.2.0 destination static obj_192.168.100.0 obj_192.168.100.0 no-proxy-arp route-lookup
!
object network local_lan
 nat (inside,outside) dynamic interface
!
route outside 0.0.0.0 0.0.0.0 47.47.47.47 1
!
!
crypto ipsec ikev1 transform-set L2TP-set esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP-set mode transport
!
crypto dynamic-map client-map 10 set ikev1 transform-set L2TP-set
crypto map outside-map 65535 ipsec-isakmp dynamic client-map
crypto map outside-map interface outside
!
!
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
!
group-policy L2TP-Client internal
group-policy L2TP-Client attributes
 dns-server value 192.168.2.100
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value testlab.com
!
!
username cisco password cisco mschap privilege 15
!
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP-Pool
 default-group-policy L2TP-Client
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key cisco
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication pap
 authentication ms-chap-v2
 authentication ms-chap-v1
!
!
: end
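As an added check that is not part of the original document, the following Python script audits an ASA configuration excerpt for the pieces this setup depends on: an IKEv1 transform set in transport mode (the Windows client negotiates IPsec transport mode for L2TP) referenced from the dynamic crypto map, IKEv1 enabled on the interface that carries the crypto map, a group policy that permits l2tp-ipsec, and the pre-shared key and MS-CHAP v2 under DefaultRAGroup. It also flags 3DES, SHA-1 and DH group 2, which the configuration above uses and which are legacy algorithms by current guidance; they still interoperate with Windows 7 as shown here, so they are reported as warnings rather than errors. SAMPLE_CONFIG is a constructed abbreviation of the configuration above, and all function names are the example's own.

```python
"""Added example: audit an ASA running-config excerpt for the pieces an
L2TP/IPsec (IKEv1) remote-access setup needs. Not part of the original
document; SAMPLE_CONFIG is a constructed abbreviation of the config above."""
import re

SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set L2TP-set esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set L2TP-set mode transport
crypto dynamic-map client-map 10 set ikev1 transform-set L2TP-set
crypto map outside-map 65535 ipsec-isakmp dynamic client-map
crypto map outside-map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy L2TP-Client internal
group-policy L2TP-Client attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP-Pool
 default-group-policy L2TP-Client
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key cisco
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication pap
 authentication ms-chap-v2
"""

# Algorithms that still interoperate but are legacy by current guidance.
LEGACY = ("esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac",
          "encryption des", "encryption 3des", "hash md5", "hash sha",
          "group 1", "group 2")


def parse_blocks(config):
    """Return [(header, [sub-commands])]; ASA indents sub-commands by one space."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif not line.startswith(" "):
            blocks.append((line.strip(), []))
    return blocks


def legacy_hits(line):
    """Legacy algorithm keywords present in one config line (whole tokens only)."""
    return [t for t in LEGACY if t == line or t in line.split()]


def audit_l2tp_ipsec(config, tunnel_group="DefaultRAGroup"):
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    children = {h: s for h, s in blocks}
    errors, warnings = [], []

    def find(pattern):
        return [m for h in headers if (m := re.fullmatch(pattern, h))]

    # 1. The transform set the dynamic map uses must be in transport mode.
    transport = {m.group(1) for m in find(r"crypto ipsec ikev1 transform-set (\S+) mode transport")}
    dyn = {m.group(1): m.group(2)
           for m in find(r"crypto dynamic-map (\S+) \d+ set ikev1 transform-set (\S+)")}
    if not transport:
        errors.append("no ikev1 transform-set is in transport mode")
    if not any(ts in transport for ts in dyn.values()):
        errors.append("no dynamic crypto map references a transport-mode transform-set")

    # 2. IKEv1 enabled on the interface that carries the crypto map, and the
    #    dynamic map attached to that crypto map.
    ikev1_ifaces = {m.group(1) for m in find(r"crypto ikev1 enable (\S+)")}
    bound = {m.group(2): m.group(1) for m in find(r"crypto map (\S+) interface (\S+)")}
    if not (ikev1_ifaces & set(bound)):
        errors.append("crypto ikev1 is not enabled on the interface that carries the crypto map")
    attached = {m.group(2) for m in find(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)")
                if m.group(1) in bound.values()}
    if not (attached & set(dyn)):
        errors.append("the dynamic map is not attached to the bound crypto map")

    # 3. Tunnel group: address pool, group policy allowing l2tp-ipsec, PSK, MS-CHAP v2.
    general = children.get(f"tunnel-group {tunnel_group} general-attributes", [])
    if not any(l.startswith("address-pool ") for l in general):
        errors.append(f"{tunnel_group} has no address-pool")
    gp = next((l.split()[-1] for l in general if l.startswith("default-group-policy ")), None)
    gp_attrs = children.get(f"group-policy {gp} attributes", [])
    if not any(l.startswith("vpn-tunnel-protocol") and "l2tp-ipsec" in l.split() for l in gp_attrs):
        errors.append(f"group policy {gp} does not allow vpn-tunnel-protocol l2tp-ipsec")
    ipsec_attrs = children.get(f"tunnel-group {tunnel_group} ipsec-attributes", [])
    if not any(l.startswith("ikev1 pre-shared-key ") for l in ipsec_attrs):
        errors.append(f"{tunnel_group} has no ikev1 pre-shared-key")
    if "authentication ms-chap-v2" not in children.get(f"tunnel-group {tunnel_group} ppp-attributes", []):
        errors.append(f"{tunnel_group} ppp-attributes does not enable ms-chap-v2")

    # 4. Legacy algorithms are reported, not treated as failures.
    for header, subs in blocks:
        for line in [header] + subs:
            hits = legacy_hits(line)
            if hits:
                warnings.append(f"legacy algorithm(s) {hits} in '{line}'")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for kind, items in audit_l2tp_ipsec(SAMPLE_CONFIG).items():
        for item in items:
            print(f"{kind}: {item}")
```

Run against the sample it reports no errors and four legacy-algorithm warnings; delete the "mode transport" line and the two transport-mode checks fire, which is the single most common reason the Windows client fails Phase 2 against an otherwise correct configuration.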

 

Configuration on Windows Machine:

1. Click on Start and select Control Panel.

2. Select Network and Sharing Center.

3. Select "Set up a new connection or network".

4. Select "Connect to a workplace".

5. Select "Use my Internet Connection (VPN)".

6. Enter the public IP address of the ASA (the IP address on the outside interface of the ASA). The destination name is optional and can be anything of your choice; then click on Next.

7. Enter the username and the password, select "Remember Password" and click on Create.

8. In the Network and Sharing Center you will see the new connection; right-click on it and click on Properties.

9. In the General tab, make sure the IP address is correct.

10. In the Security tab, make sure that the type of connection is set to L2TP/IPsec.

11. Go to Advanced settings and enter the pre-shared key.

12. In the Security tab, under "Allow these protocols", select MS-CHAP v2 and then click on OK.

13. Double-click on the L2TP icon and you will get the connection window. Make sure the username and password are correct, then click on Connect. If everything else is in place it will get connected :)

 

 

 

Check the connection status on the ASA:

show vpn-sessiondb detail ra-ikev1-ipsec

 

Session Type: IKEv1 IPsec Detailed

Username     : cisco                  Index        : 8
Assigned IP  : 192.168.100.1          Public IP    : 57.57.57.110
Protocol     : IKEv1 IPsec L2TPOverIPsec
License      : Other VPN
Encryption   : 3DES                   Hashing      : SHA1 none
Bytes Tx     : 2891                   Bytes Rx     : 9014
Pkts Tx      : 38                     Pkts Rx      : 83
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : L2TP-Client            Tunnel Group : DefaultRAGroup
Login Time   : 11:00:01 UTC Sat Dec 13 2014
Duration     : 0h:00m:06s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

IKEv1 Tunnels: 1
IPsec Tunnels: 1
L2TPOverIPsec Tunnels: 1

IKEv1:
  Tunnel ID    : 8.1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28794 Seconds
  D/H Group    : 2
  Filter Name  :

IPsec:
  Tunnel ID    : 8.2
  Local Addr   : 47.47.47.100/255.255.255.255/17/1701
  Remote Addr  : 57.57.57.110/255.255.255.255/17/1701
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Transport
  Rekey Int (T): 3600 Seconds           Rekey Left(T): 3593 Seconds
  Rekey Int (D): 250000 K-Bytes         Rekey Left(D): 249991 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Bytes Tx     : 3008                   Bytes Rx     : 9415
  Pkts Tx      : 39                     Pkts Rx      : 87

L2TPOverIPsec:
  Tunnel ID    : 8.3
  Username     : cisco
  Assigned IP  : 192.168.100.1          Public IP    : 110.57.57.57
  Encryption   : none                   Auth Mode    : msCHAPV2
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Client OS    : Microsoft
  Client OS Ver: 6.1
  Bytes Tx     : 2497                   Bytes Rx     : 9213
  Pkts Tx      : 34                     Pkts Rx      : 85

NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 8 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :

Successful debug output:

 

Dec 13 10:00:14 [IKEv1]IP = 57.57.57.110, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
Dec 13 10:00:14 [IKEv1 DEBUG]IP = 57.57.57.110, processing SA payload
Dec 13 10:00:14 [IKEv1 DEBUG]IP = 57.57.57.110, IKE SA Proposal # 1, Transform # 5 acceptable  Matches global IKE entry # 1
Dec 13 10:00:14 [IKEv1 DEBUG]IP = 57.57.57.110, constructing ISAKMP SA payload
Dec 13 10:00:14 [IKEv1 DEBUG]IP = 57.57.57.110, constructing NAT-Traversal VID ver 02 payload
Dec 13 10:00:14 [IKEv1 DEBUG]IP = 57.57.57.110, constructing Fragmentation VID + extended capabilities payload
Dec 13 10:00:14 [IKEv1]IP = 57.57.57.110, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
Dec 13 10:00:14 [IKEv1]IP = 57.57.57.110, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 260
Dec 13 10:00:15 [IKEv1]IP = 57.57.57.110, Connection landed on tunnel_group DefaultRAGroup
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, constructing ID payload
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, constructing hash payload
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, Computing hash for ISAKMP
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, constructing dpd vid payload
Dec 13 10:00:15 [IKEv1]IP = 57.57.57.110, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Dec 13 10:00:15 [IKEv1]Group = DefaultRAGroup, IP = 57.57.57.110, PHASE 1 COMPLETED
Dec 13 10:00:15 [IKEv1]IP = 57.57.57.110, Keep-alive type for this connection: None
Dec 13 10:00:15 [IKEv1]IP = 57.57.57.110, Keep-alives configured on but peer does not support keep-alives (type = None)
Dec 13 10:00:15 [IKEv1]Group = DefaultRAGroup, IP = 57.57.57.110, Received remote Proxy Host data in ID Payload:  Address 57.57.57.110, Protocol 17, Port 1701
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, processing ID payload
Dec 13 10:00:15 [IKEv1 DECODE]Group = DefaultRAGroup, IP = 57.57.57.110, ID_IPV4_ADDR ID received
47.47.47.100
Dec 13 10:00:15 [IKEv1]Group = DefaultRAGroup, IP = 57.57.57.110, Received local Proxy Host data in ID Payload:  Address 47.47.47.100, Protocol 17, Port 1701
Dec 13 10:00:15 [IKEv1]Group = DefaultRAGroup, IP = 57.57.57.110, L2TP/IPSec session detected.
Dec 13 10:00:15 [IKEv1]Group = DefaultRAGroup, IP = 57.57.57.110, QM IsRekeyed old sa not found by addr
Dec 13 10:00:15 [IKEv1]Group = DefaultRAGroup, IP = 57.57.57.110, IKE Remote Peer configured for crypto map: client-map
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, processing IPSec SA payload
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, IPSec SA Proposal # 2, Transform # 1 acceptable  Matches global IPSec SA entry # 10
Dec 13 10:00:15 [IKEv1]Group = DefaultRAGroup, IP = 57.57.57.110, IKE: requesting SPI!
IPSEC: New embryonic SA created @ 0xbc42d020,
    SCB: 0xBC39F608,
    Direction: inbound
    SPI      : 0x5F792F6C
    Session ID: 0x00003000
    VPIF num  : 0x00000002
    Tunnel type: ra
    Protocol   : esp
    Lifetime   : 240 seconds
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, IKE got SPI from key engine: SPI = 0x5f792f6c
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, oakley constucting quick mode
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, constructing blank hash payload
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, constructing IPSec SA payload
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, constructing IPSec nonce payload
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, constructing proxy ID
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, Transmitting Proxy Id:
  Remote host: 57.57.57.110  Protocol 17  Port 1701
  Local host:  47.47.47.100  Protocol 17  Port 1701
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, constructing qm hash payload
Dec 13 10:00:15 [IKEv1 DECODE]Group = DefaultRAGroup, IP = 57.57.57.110, IKE Responder sending 2nd QM pkt: msg id = 00000001
Dec 13 10:00:15 [IKEv1]IP = 57.57.57.110, IKE_DECODE SENDING Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 160
Dec 13 10:00:15 [IKEv1]IP = 57.57.57.110, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, processing hash payload
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, loading all IPSEC SAs
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, Generating Quick Mode Key!
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, NP encrypt rule look up for crypto map client-map 10 matching ACL Unknown: returned cs_id=bc2e90b8; rule=00000000
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, Generating Quick Mode Key!
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, NP encrypt rule look up for crypto map client-map 10 matching ACL Unknown: returned cs_id=bc2e90b8; rule=00000000
Dec 13 10:00:15 [IKEv1]Group = DefaultRAGroup, IP = 57.57.57.110, Security negotiation complete for User ()  Responder, Inbound SPI = 0x5f792f6c, Outbound SPI = 0x50129404
IPSEC: New embryonic SA created @ 0xbc427a18,
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, Pitcher: received KEY_UPDATE, spi 0x5f792f6c
Dec 13 10:00:15 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 57.57.57.110, Starting P2 rekey timer: 3060 seconds.
Dec 13 10:00:15 [IKEv1]Group = DefaultRAGroup, IP = 57.57.57.110, PHASE 2 COMPLETED (msgid=00000001)
Dec 13 10:00:15 [IKEv1]IKEQM_Active() Add L2TP classification rules: ip <57.57.57.110> mask <0xFFFFFFFF> port <1701>
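The trace above reads in order: Phase 1 completed, the L2TP/IPsec session was recognised from the proxy IDs (UDP 1701 on both sides), Phase 2 completed, and the L2TP classification rule was installed. As an added triage aid that is not part of the original document, the following Python helper reduces a "debug crypto ikev1" capture to one summary per peer: the tunnel group it landed on, which phase it reached, whether the peer sent an ISAKMP DELETE, the teardown reason the ASA logged, and how many encrypted packets arrived with no matching SA. SAMPLE_DEBUG is constructed: the first peer is modelled on the successful output above, the second (203.0.113.7, a documentation address) on a session that completes Phase 2 and is then deleted by the peer. The summary locates where in the sequence a connection failed; it does not by itself identify the cause.

```python
"""Added example: summarise ASA 'debug crypto ikev1' output per peer.
Not part of the original document; SAMPLE_DEBUG is constructed."""
import re
from collections import defaultdict

SAMPLE_DEBUG = """\
Dec 13 10:00:14 [IKEv1]IP = 57.57.57.110, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 384
Dec 13 10:00:15 [IKEv1]IP = 57.57.57.110, Connection landed on tunnel_group DefaultRAGroup
Dec 13 10:00:15 [IKEv1]Group = DefaultRAGroup, IP = 57.57.57.110, PHASE 1 COMPLETED
Dec 13 10:00:15 [IKEv1]Group = DefaultRAGroup, IP = 57.57.57.110, Received remote Proxy Host data in ID Payload:  Address 57.57.57.110, Protocol 17, Port 1701
Dec 13 10:00:15 [IKEv1]Group = DefaultRAGroup, IP = 57.57.57.110, L2TP/IPSec session detected.
Dec 13 10:00:15 [IKEv1]Group = DefaultRAGroup, IP = 57.57.57.110, PHASE 2 COMPLETED (msgid=00000001)
Feb 26 15:41:39 [IKEv1]Group = DefaultRAGroup, IP = 203.0.113.7, PHASE 1 COMPLETED
Feb 26 15:41:39 [IKEv1]Group = DefaultRAGroup, IP = 203.0.113.7, L2TP/IPSec session detected.
Feb 26 15:41:39 [IKEv1]Group = DefaultRAGroup, IP = 203.0.113.7, PHASE 2 COMPLETED (msgid=00000001)
Feb 26 15:42:14 [IKEv1]IP = 203.0.113.7, IKE_DECODE RECEIVED Message (msgid=d2c7e844) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Feb 26 15:42:14 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 203.0.113.7, processing delete
Feb 26 15:42:14 [IKEv1]Group = DefaultRAGroup, IP = 203.0.113.7, Session is being torn down. Reason: User Requested
Feb 26 15:42:14 [IKEv1]IP = 203.0.113.7, Received encrypted packet with no matching SA, dropping
"""

# Timestamp, [IKEv1 ...] tag, optional Group/Username fields, the peer IP, the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \[IKEv1[^\]]*\]"
    r"(?:Group = (?P<group>[^,]+), )?(?:Username = (?P<user>[^,]+), )?"
    r"IP = (?P<ip>[^,]+), (?P<msg>.*)$")


def new_peer():
    return {"tunnel_group": None, "username": None, "phase1": None, "phase2": None,
            "l2tp_detected": False, "delete_received": False,
            "teardown_reason": None, "no_matching_sa": 0, "status": None}


def triage_ikev1_debug(text):
    """Return {peer_ip: summary} for every peer that appears in the debug text."""
    peers = defaultdict(new_peer)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "IPSEC: ..." lines, proxy-ID continuation lines, etc.
        p, msg, ts = peers[m["ip"]], m["msg"], m["ts"]
        if m["group"]:
            p["tunnel_group"] = m["group"]
        if m["user"]:
            p["username"] = m["user"]
        if (tg := re.search(r"Connection landed on tunnel_group (\S+)", msg)):
            p["tunnel_group"] = tg.group(1)
        elif "PHASE 1 COMPLETED" in msg:
            p["phase1"] = ts
        elif "PHASE 2 COMPLETED" in msg:
            p["phase2"] = ts
        elif msg.startswith("L2TP/IPSec session detected"):
            p["l2tp_detected"] = True
        elif "IKE_DECODE RECEIVED" in msg and "DELETE (12)" in msg:
            p["delete_received"] = True
        elif (r := re.search(r"Session is being torn down\. Reason: (.+)", msg)):
            p["teardown_reason"] = r.group(1).strip()
        elif "Received encrypted packet with no matching SA" in msg:
            p["no_matching_sa"] += 1
    for p in peers.values():
        if p["phase2"] and not (p["delete_received"] or p["teardown_reason"]):
            p["status"] = "established"
        elif p["phase2"]:
            p["status"] = "torn down after phase 2"
        elif p["phase1"]:
            p["status"] = "failed during phase 2"
        else:
            p["status"] = "failed during phase 1"
    return dict(peers)


if __name__ == "__main__":
    for ip, p in triage_ikev1_debug(SAMPLE_DEBUG).items():
        print(f"{ip}: {p['status']} (group={p['tunnel_group']}, l2tp={p['l2tp_detected']}, "
              f"delete={p['delete_received']}, reason={p['teardown_reason']}, "
              f"no-matching-SA drops={p['no_matching_sa']})")
```

A peer reported as "torn down after phase 2" got through both IKE phases, so the crypto negotiation itself matched; the next things to examine are the L2TP/PPP stage (the ppp-attributes and group-policy settings above) and the client side, rather than the IKE policies and transform sets.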

Comments

aldrabkin
Level 1

Hello, Jeet! Thanks for this document.

I am trying to configure a Cisco ASA VPN with the native Windows client, but it's not working. I receive "Error 720 - A connection to the remote computer could not be established".

I think there are no problems with crypto; here are the output messages from debug crypto ikev1 255:

PHASE 1 COMPLETED

...

Static Crypto Map check, map SYSTEM_DEFAULT_CRYPTO_MAP, seq = 65535 is a successful match

...

PHASE 2 COMPLETED

Looks fine, but the last messages do not look fine:

[IKEv1 DEBUG]Group = DefaultRAGroup, Username = admin, IP = My_External_IP, Active unit receives a delete event for remote peer My_External_IP.

[IKEv1 DEBUG]Group = DefaultRAGroup, Username = admin, IP = My_External_IP, IKE Deleting SA: Remote Proxy My_External_IP, Local Proxy ASA_External_IP
[IKEv1 DEBUG]Group = DefaultRAGroup, Username = admin, IP = My_External_IP, IKE SA MM:c7a27bc9 terminating: flags 0x01000002, refcnt 0, tuncnt 0
[IKEv1 DEBUG]Group = DefaultRAGroup, Username = admin, IP = My_External_IP, sending delete/delete with reason message

...

[IKEv1]Group = DefaultRAGroup, Username = admin, IP = My_External_IP, Session is being torn down. Reason: User Requested

...

[IKEv1]IP = My_External_IP, Received encrypted packet with no matching SA, dropping

I have no idea how to fix it. Maybe you can help me? Thanks in advance.

razzaque003
Level 1

@Jeet Kumar wrote: (quoting the session status and successful debug output from the document above)
Hello Jeet,

 

It's an old post, but I hope you can still help on this. I did as you explained, but the session drops after completing phase 2:

 

Feb 26 15:41:39 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, PHASE 2 COMPLETED (msgid=00000001)

 

Feb 26 15:42:14 [IKEv1]IP = <client ip>, IKE_DECODE RECEIVED Message (msgid=d2c7e844) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Feb 26 15:42:14 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = <client ip>, processing hash payload
Feb 26 15:42:14 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = <client ip>, processing delete
Feb 26 15:42:14 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, Connection terminated for peer . Reason: Peer Terminate Remote Proxy 0.0.0.0, Local Proxy 0.0.0.0
Feb 26 15:42:14 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = <client ip>, Active unit receives a delete event for remote peer <client ip>.

Feb 26 15:42:14 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, Remove from IKEv1 Tunnel Table succeeded for SA with logicalId 389120
Feb 26 15:42:14 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, Remove from IKEv1 MIB Table succeeded for SA with logical ID 389120
Feb 26 15:42:14 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = <client ip>, IKE Deleting SA: Remote Proxy <client ip>, Local Proxy <ASA IP>
Feb 26 15:42:14 [IKEv1]MSG_FSM_QM lookup failed (handle 1)!
Feb 26 15:42:14 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = <client ip>, IKE SA MM:83dac607 terminating: flags 0x01000802, refcnt 0, tuncnt 0
Feb 26 15:42:14 [IKEv1]Group = DefaultRAGroup, IP = <client ip>, Session is being torn down. Reason: User Requested
Feb 26 15:42:14 [IKEv1]Ignoring msg to mark SA with dsID 389120 dead because SA deleted
Feb 26 15:42:14 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xdcaca6e5
Feb 26 15:42:14 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0xdcaca6e5
