09-07-2010 11:33 PM - edited 02-21-2020 04:50 PM
Below is the config of my 1811. The IPSec tunnel works fine, but L2TP gets past Phase 1 and then has an error about the encryption mismatching (sorry, I didn't grab the exact error). I imagine it is one line or something that is preventing me from success... let me know.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco1811
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
ip address-pool local
vpdn enable
!
vpdn-group L2TP-LNS
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
!
!
username joe password 0 pass1
!
!
!
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 7200
crypto isakmp key 6 key123456 address 166.1.2.3 no-xauth
!
!
crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set L2TP-LNS esp-3des esp-md5-hmac
 mode transport
!
crypto map IPSEC 45 ipsec-isakmp
 set peer 166.1.2.3
 set security-association lifetime seconds 7200
 set transform-set L2TP-LNS
 set pfs group2
 match address 104
!
!
!
!
!
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0
 ip address 64.1.2.3 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map IPSEC
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1
 ip unnumbered FastEthernet0
 peer default ip address pool L2TP-LNS-IP-POOL
 ppp authentication chap ms-chap
!
interface Vlan1
 ip address 192.168.111.1 255.255.255.0
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool L2TP-LNS-IP-POOL 192.168.1.55 192.168.1.56
no ip classless
ip route 0.0.0.0 0.0.0.0 64.1.2.3
ip route 192.168.17.0 255.255.255.0 166.1.2.3
ip route 192.168.72.0 255.255.255.0 166.1.2.3
!
!
no ip http server
no ip http secure-server
!
access-list 102 permit ip 192.168.111.0 0.0.0.255 192.168.72.0 0.0.0.255
access-list 103 permit ip 192.168.111.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 104 permit ip 192.168.111.0 0.0.0.255 192.168.13.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 90 0
 password enable
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 exec-timeout 90 0
 password enable
 login
 transport preferred none
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
09-08-2010 07:30 AM
I have seen that happen in the past on Win 7 machines, and I changed the phase 2 encryption parameters. Try adding AES or DES in place of 3DES for phase 2.
Also remove the PFS configuration; PFS is not supported on L2TP.
So try these:
remove PFS and try
change the encryption in the transform set and try
Also make sure that the username/password that you have are CHAP / MS-CHAP.
09-08-2010 08:55 AM
I'm not sure much uses md5 anymore that won't do sha1 as well.
crypto ipsec transform-set L2TP-LNS1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set L2TP-LNS2 esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set L2TP-LNS3 esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set L2TP-LNS4 esp-aes 256 esp-sha-hmac
 mode transport
...
 no set transform-set L2TP-LNS
 set transform-set L2TP-LNS4 L2TP-LNS3 L2TP-LNS2 L2TP-LNS1
... should cover most of the bases
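As an added example (my own code, not a Cisco tool and not either poster's commands), here is a small Python checker that reads the crypto portion of a "show run" and reports the points the two replies raise: PFS set on the crypto map, only one transform set offered, and 3DES/MD5 transforms. It also answers the Phase 2 question directly: given a peer's proposal (cipher, integrity, mode), which transform set on the map would match it. The input is the first post's crypto lines embedded as constructed sample text; the WEAK_TRANSFORMS list and the wording of the findings are my assumptions, and the default "tunnel" mode reflects IOS behaviour when no mode sub-command is present.

```python
"""Phase 2 transform-set checker for an IOS L2TP/IPsec config (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed input: the transform-set and crypto map lines from the first post,
# with the one-space sub-command indentation that 'show run' produces.
SAMPLE_CONFIG = """\
crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set L2TP-LNS esp-3des esp-md5-hmac
 mode transport
!
crypto map IPSEC 45 ipsec-isakmp
 set peer 166.1.2.3
 set security-association lifetime seconds 7200
 set transform-set L2TP-LNS
 set pfs group2
 match address 104
"""

# Assumption of this example: transforms a reviewer would flag as weak.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


@dataclass
class TransformSet:
    name: str
    transforms: Tuple[str, ...]   # e.g. ("esp-aes 256", "esp-sha-hmac")
    mode: str = "tunnel"          # IOS default when no 'mode' sub-command is given


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    transform_sets: List[str] = field(default_factory=list)  # in 'set transform-set' order
    pfs: Optional[str] = None


def _merge_keysize(tokens: List[str]) -> Tuple[str, ...]:
    """Join a bare key size onto its cipher: ['esp-aes', '256'] -> ('esp-aes 256',)."""
    out: List[str] = []
    for tok in tokens:
        if tok.isdigit() and out:
            out[-1] = f"{out[-1]} {tok}"
        else:
            out.append(tok)
    return tuple(out)


def parse_config(text: str) -> Tuple[Dict[str, TransformSet], List[CryptoMapEntry]]:
    """Collect transform sets and ipsec-isakmp crypto map entries from IOS config text."""
    tsets: Dict[str, TransformSet] = {}
    maps: List[CryptoMapEntry] = []
    current = None  # top-level object whose indented sub-commands are being read
    for raw in text.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue  # blank lines, '!' separators and comments
        tokens = raw.split()
        if not raw.startswith(" "):
            current = None  # any top-level command ends the previous sub-mode
            if tokens[:3] == ["crypto", "ipsec", "transform-set"]:
                current = TransformSet(tokens[3], _merge_keysize(tokens[4:]))
                tsets[current.name] = current
            elif tokens[:2] == ["crypto", "map"] and "ipsec-isakmp" in tokens:
                current = CryptoMapEntry(tokens[2], int(tokens[3]))
                maps.append(current)
            continue
        if isinstance(current, TransformSet) and tokens[0] == "mode":
            current.mode = tokens[1]
        elif isinstance(current, CryptoMapEntry):
            if tokens[:2] == ["set", "transform-set"]:
                current.transform_sets = tokens[2:]
            elif tokens[:2] == ["set", "pfs"]:
                current.pfs = tokens[2]
    return tsets, maps


def first_matching_set(tsets, entry, proposal) -> Optional[str]:
    """First transform set on the map entry equal to the peer's (cipher, integrity, mode), else None."""
    cipher, integrity, mode = proposal
    for name in entry.transform_sets:
        ts = tsets.get(name)
        if ts and set(ts.transforms) == {cipher, integrity} and ts.mode == mode:
            return name
    return None


def check_l2tp_phase2(tsets, maps) -> List[str]:
    """Findings per crypto map entry, following the two replies in the thread."""
    findings = []
    for m in maps:
        where = f"crypto map {m.name} {m.seq}"
        if m.pfs:
            findings.append(f"{where}: 'set pfs {m.pfs}' is configured; reply 1 says to remove PFS for L2TP")
        if len(m.transform_sets) < 2:
            findings.append(f"{where}: only one transform set offered; a peer proposing another "
                            f"cipher/hash has nothing to match (reply 2 offers several)")
        for name in m.transform_sets:
            ts = tsets.get(name)
            if ts is None:
                findings.append(f"{where}: references undefined transform-set {name}")
                continue
            if ts.mode != "transport":
                findings.append(f"{where}: {name} is mode {ts.mode}; L2TP/IPsec uses transport mode")
            weak = sorted(set(ts.transforms) & WEAK_TRANSFORMS)
            if weak:
                findings.append(f"{where}: {name} uses weak transforms {', '.join(weak)}")
    return findings


if __name__ == "__main__":
    sets, entries = parse_config(SAMPLE_CONFIG)
    for line in check_l2tp_phase2(sets, entries):
        print(line)
```

Run against the posted config, the checker reports PFS on the map, a single offered transform set, and the 3DES/MD5 transforms. `first_matching_set` makes the mismatch concrete: AES-256-SHA is defined but never referenced by `set transform-set`, so a peer proposing AES-256/SHA has nothing on the map to match and only a 3DES/MD5 proposal succeeds.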