3105 Views, 0 Helpful, 3 Replies

VPN Client : support L2TP/IPSEC and IPSEC simultaneously

FREDERIC FABRE
Level 1

Hello,

My purpose is to have a VPN configuration working for an L2TP/IPSEC client (Windows 10) and an IPSEC client (Cisco VPN Client).

I have the following configuration:

 

crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set myset mode transport
crypto ipsec ikev1 transform-set myset2 esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dynmap 10 set ikev1 transform-set myset
crypto dynamic-map dynmap 20 set ikev1 transform-set myset2
crypto map mymap 1 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
l2tp tunnel hello 30
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-idle-timeout 720
 vpn-tunnel-protocol l2tp-ipsec
 address-pools value vpn-admin
!
group-policy grp-admin internal
group-policy grp-admin attributes
 vpn-idle-timeout 720
 vpn-tunnel-protocol ikev1
 address-pools value vpn-admin
!
username admin password **************
username admin attributes
 vpn-group-policy DefaultRAGroup
 vpn-tunnel-protocol l2tp-ipsec
username reseau password ****************
username reseau attributes
 vpn-group-policy grp-admin
!
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn-admin
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
!
tunnel-group grp-admin type remote-access
tunnel-group grp-admin general-attributes
 address-pool vpn-admin
 default-group-policy grp-admin
tunnel-group grp-admin ipsec-attributes
 ikev1 pre-shared-key *****

 

L2TP/IPSEC works well but not Cisco client VPN.

The debug returns the following line:

"Aug 21 06:49:21 [IKEv1]Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: Tunnel  Cfg'd: Transport"

-> This means the following configuration, using mode transport, is used: "crypto dynamic-map dynmap 10 set ikev1 transform-set myset".

Why is "crypto dynamic-map dynmap 20 set ikev1 transform-set myset2" not checked too?

 

If I change the priority:

crypto dynamic-map dynmap 5 set ikev1 transform-set myset2

crypto dynamic-map dynmap 10 set ikev1 transform-set myset

L2TP/IPSEC doesn't work and Cisco client VPN works well.

In this case "crypto dynamic-map dynmap 10 set ikev1 transform-set myset" is not checked and L2TP/IPSEC fails.

 

How to fix it?

ASA version: 9.1(7)16

 

Thanking you in advance.

Fred

2 Accepted Solutions

Accepted Solutions

GioGonza
Level 4
Hello,

Remove the dynmap 20 and test with this command:

crypto dynamic-map dynmap 10 set ikev1 transform-set myset myset2

This should do the trick.

Gio


Mohammad Alhyari
Cisco Employee

Hi,

 

Apply the two transform sets in one crypto dynamic map entry:

crypto dynamic-map dynmap 5 set ikev1 transform-set myset2 myset

 

HTH

Moh,

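As an added example (not code from this thread, from either answerer, or from Cisco), the Python below is a simplified model of the behaviour Fred observed and of why both accepted answers work: the ASA consults one dynamic crypto-map entry for the peer and compares the client's Phase 2 proposal only against the transform sets listed in that entry, so a tunnel-mode proposal never reaches the transport-mode set sitting in a separate entry. The entry-selection rule (lowest sequence number wins when no match ACL is configured) and the single-proposal clients are assumptions made to reproduce the debug output quoted above; they are not ASA source code. It also includes a small parser for the "Phase 2 failure: Mismatched attribute types" debug line, useful when triaging this error in logs.

```python
# Added example, not code from the Cisco Community thread or from Cisco.
# A simplified model of the behaviour the thread observes: the ASA picks ONE
# dynamic crypto-map entry (assumption: the lowest sequence number, since the
# entries here have no match ACL) and compares the client's Phase 2 proposal
# only against the transform sets listed in that entry. Listing both
# transform sets in a single entry is what makes both clients work.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class TransformSet:
    name: str
    encryption: str          # e.g. "esp-aes-256"
    integrity: str           # e.g. "esp-sha-hmac"
    mode: str = "tunnel"     # ASA default; "transport" only when configured


@dataclass(frozen=True)
class DynMapEntry:
    seq: int
    transform_sets: tuple    # order as written on the "set ikev1 transform-set" line


@dataclass(frozen=True)
class Proposal:
    encryption: str
    integrity: str
    mode: str


def select_entry(entries):
    """Assumption: with no match ACL, the lowest-sequence entry is the one consulted."""
    return min(entries, key=lambda e: e.seq)


def negotiate_phase2(entries, proposal):
    """Return (True, transform-set name) or (False, ASA-style failure text)."""
    entry = select_entry(entries)
    mode_mismatch = None
    for ts in entry.transform_sets:
        if (ts.encryption, ts.integrity) != (proposal.encryption, proposal.integrity):
            continue
        if ts.mode == proposal.mode:
            return True, ts.name
        mode_mismatch = ts  # crypto matched, only the encapsulation mode differs
    if mode_mismatch is not None:
        return False, ("Phase 2 failure:  Mismatched attribute types for class "
                       f"Encapsulation Mode:  Rcv'd: {proposal.mode.title()}  "
                       f"Cfg'd: {mode_mismatch.mode.title()}")
    return False, "Phase 2 failure:  no matching transform set"


# Matches the debug line format quoted in the thread
PHASE2_RE = re.compile(
    r"Phase 2 failure:\s+Mismatched attribute types for class (?P<cls>.+?):\s+"
    r"Rcv'd: (?P<rcvd>\S+)\s+Cfg'd: (?P<cfgd>\S+)")


def parse_phase2_failure(line):
    """Extract class / received / configured from an ASA IKEv1 debug line, or None."""
    m = PHASE2_RE.search(line)
    return m.groupdict() if m else None


# Transform sets exactly as in the thread's configuration
MYSET = TransformSet("myset", "esp-aes-256", "esp-sha-hmac", mode="transport")
MYSET2 = TransformSet("myset2", "esp-aes-256", "esp-sha-hmac")  # tunnel mode (default)

# Constructed client proposals (real clients offer several; one each is enough here)
L2TP_CLIENT = Proposal("esp-aes-256", "esp-sha-hmac", "transport")  # Windows 10 L2TP/IPsec
CISCO_CLIENT = Proposal("esp-aes-256", "esp-sha-hmac", "tunnel")    # Cisco VPN Client

ORIGINAL = (DynMapEntry(10, (MYSET,)), DynMapEntry(20, (MYSET2,)))   # Fred's first config
SWAPPED = (DynMapEntry(5, (MYSET2,)), DynMapEntry(10, (MYSET,)))     # priorities swapped
FIXED = (DynMapEntry(10, (MYSET, MYSET2)),)                          # the accepted answer

if __name__ == "__main__":
    for label, entries in (("original", ORIGINAL), ("swapped", SWAPPED), ("fixed", FIXED)):
        for client, prop in (("L2TP/IPsec", L2TP_CLIENT), ("Cisco client", CISCO_CLIENT)):
            ok, detail = negotiate_phase2(entries, prop)
            print(f"{label:8} {client:13} {'OK  ' if ok else 'FAIL'} {detail}")
            if not ok:
                print("    parsed:", parse_phase2_failure(detail))
```

Running it prints one line per configuration and client: the original and swapped layouts each fail exactly one client with the encapsulation-mode mismatch, while the single-entry layout succeeds for both, which is the outcome Fred confirms below.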

3 Replies


Hello,

 

Thank you Gio and Moh, it works.

 

Fred