cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
651
Views
0
Helpful
0
Replies
Highlighted
Beginner

Setting up an L2TP VPN

I have been trying to setup an L2TP VPN for a customer on an ASA 5505. I setup the Active Directory AAA Server, tested that and it seams to work (authentication and authorization both succeed, and I am able to pull a list of Group Names). Clientless L2TP VPN through the Wizard. Which at first seamed to work as the log indicated that Phase 1 and Phase 2 was successfull with the connection but the Windows 7 Client I'm trying to connect always comes back with Error 691: Username or Password not recognized. The two users I've tried to log in as are both members of the VPN Access group and if I user thier respective username/passwords in the AAA Server's Test dialog, they authenticate successfully. Any help or ideas would be greatly appreciated. Below I will include the configuration for the ASA. Also of note is that this ASA already has a fully functional IPSec Site-to-Site tunnel that works correctly, and thier is probably a lot of extra garbage in the VPN configuration that doesnt need to be thier as other hands have been tinkering with this device trying to get the VPN to work. Thanks in advance.

: Saved

:

ASA Version 8.2(5)

!

hostname CYLON-CONTROLS-01

domain-name cylonenergy.local

enable password rTzJdPJDxaMe6sUX encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

switchport access vlan 3

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.20.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 50.79.172.129 255.255.255.248

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 10

ip address 10.10.0.1 255.255.255.0

!

ftp mode passive

clock timezone EST -5

clock summer-time EDT recurring

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.20.4

domain-name cylonenergy.local

object-group service ElutionsTCP tcp

port-object eq 3024

port-object eq 3026

port-object eq 3028

object-group service ElutionsUDP udp

port-object range 1 65535

object-group service DM_INLINE_TCP_1 tcp

group-object ElutionsTCP

port-object eq www

object-group service BacNet47808 udp

port-object eq 47808

object-group service L2TP-IPSec udp

port-object eq 1701

access-list wan-in extended permit esp any any

access-list wan-in extended permit udp any any eq 1701

access-list wan-in extended permit udp any any eq isakmp

access-list wan-in extended permit tcp any host 50.79.172.131 eq sip

access-list wan-in extended permit tcp any host 50.79.172.131 eq 5061

access-list wan-in extended permit udp any host 50.79.172.131 eq sip

access-list wan-in extended permit udp any host 50.79.172.131 eq 5061

access-list wan-in extended permit udp any host 50.79.172.131 range 30000 30999

access-list wan-in extended permit tcp any host 50.79.172.131 eq www

access-list wan-in extended permit tcp any host 50.79.172.131 eq https

access-list wan-in extended permit tcp any host 50.79.172.131 eq 8000

access-list wan-in extended permit icmp any host 50.79.172.131

access-list wan-in extended permit tcp any host 50.79.172.131 eq 7117

access-list wan-in extended permit tcp any host 50.79.172.131 eq 7100

access-list wan-in extended permit tcp any host 50.79.172.131 eq 7134

access-list wan-in extended permit tcp any host 50.79.172.131 eq 7505

access-list wan-in extended permit tcp any host 50.79.172.130 eq 3389

access-list wan-in extended permit tcp any host 50.79.172.132 object-group DM_INLINE_TCP_1

access-list wan-in extended permit udp any host 50.79.172.132 object-group ElutionsUDP

access-list wan-in extended permit udp any any object-group BacNet47808

access-list nonat extended permit ip 192.0.0.0 255.0.0.0 20.0.0.0 255.255.255.0

access-list split standard permit 192.168.20.0 255.255.255.0

access-list acl extended permit ip 192.168.0.0 255.255.255.0 30.0.0.0 255.255.255.0

access-list acl extended permit ip 192.168.0.0 255.255.0.0 30.0.0.0 255.255.255.0

access-list acl extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list acl extended permit ip 192.168.20.0 255.255.255.0 10.10.0.0 255.255.255.0

access-list acl extended permit ip any 192.168.120.0 255.255.255.0

access-list ac extended permit ip 30.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list inside_access_in extended permit udp any any object-group BacNet47808

access-list inside_access_in extended permit ip 192.168.20.0 255.255.255.0 any log disable

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

ip local pool NHVPNClients 192.168.120.100-192.168.120.200 mask 255.255.255.0

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list acl

nat (inside) 1 0.0.0.0 0.0.0.0

nat (dmz) 1 0.0.0.0 0.0.0.0

static (outside,inside) 192.168.20.4 50.79.172.130 netmask 255.255.255.255

static (outside,inside) 192.168.20.90 50.79.172.132 netmask 255.255.255.255

static (inside,outside) 50.79.172.132 192.168.20.91 netmask 255.255.255.255

static (inside,outside) 50.79.172.131 192.168.20.250 netmask 255.255.255.255

static (inside,outside) 192.168.20.250 50.79.172.131 netmask 255.255.255.255

static (inside,outside) 50.79.172.130 192.168.20.4 netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group wan-in in interface outside

route outside 0.0.0.0 0.0.0.0 50.79.172.134 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

action terminate

dynamic-access-policy-record VpnADAccessPolicy

aaa-server ActiveDirectory protocol ldap

aaa-server ActiveDirectory (inside) host 192.168.20.4

ldap-base-dn dc=cylonenergy, dc=local

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn cn=admin,cn=users,dc=cylonenergy,dc=local

server-type microsoft

ldap-attribute-map Dial-In-Permisions

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

http server enable

http 192.168.1.0 255.255.255.0 inside

http 192.168.20.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set Firebox esp-3des esp-sha-hmac

crypto ipsec transform-set tset esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto ipsec transform-set TRANS_ESP_DES_SHA esp-des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_DES_SHA mode transport

crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport

crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map dyn 1 set transform-set tset

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA TRANS_ESP_DES_SHA TRANS_ESP_3DES_MD5 TRANS_ESP_DES_MD5

crypto map cmap 1 match address outside_1_cryptomap

crypto map cmap 1 set pfs

crypto map cmap 1 set peer 89.101.141.61 87.192.230.97

crypto map cmap 1 set transform-set ESP-3DES-SHA

crypto map cmap 1 set security-association lifetime seconds 86400

crypto map cmap 1 set security-association lifetime kilobytes 1288000

crypto map cmap 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map cmap interface inside

crypto map cmap interface outside

crypto isakmp identity address

crypto isakmp enable inside

crypto isakmp enable outside

crypto isakmp enable dmz

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 2

authentication pre-share

encryption 3des

hash sha

group 5

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 1

lifetime 86400

crypto isakmp policy 32

authentication pre-share

encryption des

hash md5

group 2

lifetime 86400

crypto isakmp policy 34

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 36

authentication pre-share

encryption des

hash md5

group 1

lifetime 86400

crypto isakmp policy 38

authentication pre-share

encryption 3des

hash md5

group 1

lifetime 86400

no vpn-addr-assign aaa

no vpn-addr-assign dhcp

telnet 192.168.20.4 255.255.255.255 inside

telnet timeout 5

ssh 192.168.20.0 255.255.255.0 inside

ssh 30.0.0.2 255.255.255.255 inside

ssh timeout 5

console timeout 0

management-access inside

dhcpd auto_config outside

!

dhcpd address 10.10.0.2-10.10.0.32 dmz

dhcpd dns 75.75.76.76 75.75.75.75 interface dmz

dhcpd enable dmz

!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

webvpn

enable outside

group-policy DefaultRAGroup internal

group-policy DefaultRAGroup attributes

dns-server value 192.168.20.4

vpn-tunnel-protocol l2tp-ipsec

default-domain value cylonenergy.local

group-policy DfltGrpPolicy attributes

dns-server value 192.168.20.4

vpn-idle-timeout 60

vpn-tunnel-protocol IPSec svc

default-domain value cylonenergy.local

username paddy.gunn password E8uRHkYxXMJQht9e encrypted privilege 15

username everett.dickey password ZYGl25WJpqEhPiF5 encrypted

username mike.rizzo password NTDUfLOG63gK.HOS encrypted

username Administrator password Sx7aRmMH/KdSBL3R encrypted privilege 15

username Administrator attributes

vpn-group-policy DefaultRAGroup

username cisco password U9jfi27.up5bKt1T encrypted

username marina.greene password ATIKCHPPDcQXkpWa encrypted

tunnel-group DefaultL2LGroup ipsec-attributes

isakmp keepalive threshold 20 retry 10

tunnel-group DefaultRAGroup general-attributes

address-pool NHVPNClients

authentication-server-group ActiveDirectory LOCAL

default-group-policy DefaultRAGroup

strip-realm

strip-group

tunnel-group DefaultRAGroup ipsec-attributes

pre-shared-key *****

peer-id-validate cert

isakmp keepalive disable

tunnel-group DefaultRAGroup ppp-attributes

no authentication chap

no authentication ms-chap-v1

authentication ms-chap-v2

tunnel-group DefaultWEBVPNGroup ipsec-attributes

isakmp keepalive threshold 20 retry 10

tunnel-group 87.192.230.97 type ipsec-l2l

tunnel-group 87.192.230.97 ipsec-attributes

pre-shared-key *****

tunnel-group 89.101.141.61 type ipsec-l2l

tunnel-group 89.101.141.61 ipsec-attributes

pre-shared-key *****

tunnel-group-map default-group remote

!

!

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:4309d396bf5e8276337e17011f9b2aec

: end

asdm location 50.79.172.129 255.255.255.255 inside

asdm location 192.168.20.4 255.255.255.255 inside

asdm location 50.79.172.130 255.255.255.255 inside

no asdm history enable


Everyone's tags (5)