12-13-2018 11:08 AM - edited 03-12-2019 05:32 AM
I have a 2811 router that is acting as a DMVPN headend to a few remote routers and I want to add the ability to connect Windows 10-based L2TP VPNs to it. I have followed the instructions (https://community.cisco.com/t5/security-documents/l2tp-over-ipsec-on-cisco-ios-router-using-windows-8/ta-p/3142831) but I am unable to get it working.
The 2811 is behind a firewall, but I am forwarding all ports from a public IP to it. I see the connection come in on the router from the PC, but it never completes.
The PC gives me this error:
The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g., firewalls, NAT, Router etc.) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem.
I also saw error 809 in the event viewer. I followed the steps to modify the registry and I no longer see the 809 error, but it still won’t connect.
Any help to fix this is greatly appreciated. And I really don’t want to tell users to modify their registry.
Here is the redacted version of my config:
aaa new-model
!
aaa authentication login default group radius local
aaa authentication ppp default local
!
vpdn enable
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
username cisco privilege 15 password xxx
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key xxxxx address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set Strong esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set Strong
!
crypto dynamic-map dyn-map 10
 set nat demux
 set transform-set L2TP-Set2
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
interface Loopback0
 ip address 192.168.47.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Loopback1
 description loopback for IPsec-pool
 ip address 1.1.1.11 255.255.255.255
 dot1x host-mode single-host
!
interface FastEthernet0/1
 description to WAN
 ip address 172.16.30.253 255.255.255.252
 ip nat outside
 crypto map outside_map
!
interface Virtual-Template1
 ip unnumbered Loopback1
 peer default ip address pool l2tp-pool
 ppp authentication chap ms-chap
!
ip local pool l2tp-pool 1.1.1.1 1.1.1.10
!
ip access-list extended NAT
 permit ip 192.167.47.0 0.0.0.255 any
And here is the output from a debug crypto isakmp:
005794: ISAKMP (1022): received packet from 172.16.30.254 dport 4500 sport 22736 Global (R) QM_IDLE
005795: ISAKMP: set new node 6 to QM_IDLE
005796: ISAKMP:(1022): processing HASH payload. message ID = 6
005797: ISAKMP:(1022): processing SA payload. message ID = 6
005798: ISAKMP:(1022):Checking IPSec proposal 1
005799: ISAKMP: transform 1, ESP_AES
005800: ISAKMP: attributes in transform:
005801: ISAKMP: encaps is 4 (Transport-UDP)
005802: ISAKMP: key length is 256
005803: ISAKMP: authenticator is HMAC-SHA
005804: ISAKMP: SA life type in seconds
005805: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
005806: ISAKMP: SA life type in kilobytes
005807: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
005808: ISAKMP:(1022):atts are acceptable.
005809: ISAKMP:(1022): IPSec policy invalidated proposal with error 256
005810: ISAKMP:(1022):Checking IPSec proposal 2
005811: ISAKMP: transform 1, ESP_AES
005812: ISAKMP: attributes in transform:
005813: ISAKMP: encaps is 4 (Transport-UDP)
005814: ISAKMP: key length is 128
005815: ISAKMP: authenticator is HMAC-SHA
005816: ISAKMP: SA life type in seconds
005817: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
005818: ISAKMP: SA life type in kilobytes
005819: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
005820: ISAKMP:(1022):atts are acceptable.
005821: ISAKMP:(1022): IPSec policy invalidated proposal with error 256
005822: ISAKMP:(1022):Checking IPSec proposal 3
005823: ISAKMP: transform 1, ESP_3DES
005824: ISAKMP: attributes in transform:
005825: ISAKMP: encaps is 4 (Transport-UDP)
005826: ISAKMP: authenticator is HMAC-SHA
005827: ISAKMP: SA life type in seconds
005828: ISAKMP: SA life duration (VPI) of 0x0 0x0 0xE 0x10
005829: ISAKMP: SA life type in kilobytes
005830: ISAKMP: SA life duration (VPI) of 0x0 0x3 0xD0 0x90
005831: ISAKMP:(1022):atts are acceptable.
005832: ISAKMP:(1022): processing NONCE payload. message ID = 6
005833: ISAKMP:(1022): processing ID payload. message ID = 6
005834: ISAKMP:(1022): processing ID payload. message ID = 6
005835: ISAKMP:received payload type 21
005836: ISAKMP:received payload type 21
005837: ISAKMP:(1022):QM Responder gets spi
005838: ISAKMP:(1022):Node 6, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
005839: ISAKMP:(1022):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
005840: ISAKMP:(1022): Creating IPSec SAs
005841: inbound SA from 172.16.30.254 to 172.16.30.253 (f/i) 0/ 0
(proxy 172.16.30.254 to 47.206.138.44)
005842: has spi 0x306D44D1 and conn_id 0
005843: lifetime of 3600 seconds
005844: lifetime of 250000 kilobytes
005845: outbound SA from 172.16.30.253 to 172.16.30.254 (f/i) 0/0
(proxy 47.206.138.44 to 172.16.30.254)
005846: has spi 0xB5D74E74 and conn_id 0
005847: lifetime of 3600 seconds
005848: lifetime of 250000 kilobytes
005849: ISAKMP:(1022): sending packet to 172.16.30.254 my_port 4500 peer_port 22736 (R) QM_IDLE
005850: ISAKMP:(1022):Sending an IKE IPv4 Packet.
005851: ISAKMP:(1022):Node 6, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
005852: ISAKMP:(1022):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
005853: ISAKMP (1022): received packet from 172.16.30.254 dport 4500 sport 22736 Global (R) QM_IDLE
005854: ISAKMP: set new node -1158036900 to QM_IDLE
005855: ISAKMP:(1022): processing HASH payload. message ID = -1158036900
005856: ISAKMP:(1022): processing DELETE payload. message ID = -1158036900
005857: ISAKMP:(1022):peer does not do paranoid keepalives.
005858: ISAKMP:(1022):deleting node -1158036900 error FALSE reason "Informational (in) state 1"
005859: ISAKMP (1022): received packet from 172.16.30.254 dport 4500 sport 22736 Global (R) QM_IDLE
005860: ISAKMP:(1022):deleting node 6 error FALSE reason "QM done (await)"
005861: ISAKMP:(1022):Node 6, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
005862: ISAKMP:(1022):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
005863: ISAKMP (1009): received packet from 172.16.30.254 dport 4500 sport 4500 Global (R) QM_IDLE
005864: ISAKMP: set new node -62172605 to QM_IDLE
005865: ISAKMP:(1009): processing HASH payload. message ID = -62172605
005866: ISAKMP:(1009): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -62172605, sa = 4AB52A30
005867: ISAKMP:(1009):deleting node -62172605 error FALSE reason "Informational (in) state 1"
005868: ISAKMP:(1009):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
005869: ISAKMP:(1009):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
005870: ISAKMP:(1009):DPD/R_U_THERE received from peer 172.16.30.254, sequence 0x3465F0B1
005871: ISAKMP: set new node -880713076 to QM_IDLE
005872: ISAKMP:(1009):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 1224839088, message ID = -880713076
005873: ISAKMP:(1009): seq. no 0x3465F0B1
005874: ISAKMP:(1009): sending packet to 172.16.30.254 my_port 4500 peer_port 4500 (R) QM_IDLE
005875: ISAKMP:(1009):Sending an IKE IPv4 Packet.
005876: ISAKMP:(1009):purging node -880713076
005877: ISAKMP:(1009):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
005878: ISAKMP:(1009):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
005879: ISAKMP:(1021):purging node -297405767
005880: ISAKMP (1022): received packet from 172.16.30.254 dport 4500 sport 22736 Global (R) QM_IDLE
005881: ISAKMP: set new node 1940283731 to QM_IDLE
005882: ISAKMP:(1022): processing HASH payload. message ID = 1940283731
005883: ISAKMP:(1022): processing DELETE payload. message ID = 1940283731
005884: ISAKMP:(1022):peer does not do paranoid keepalives.
005885: ISAKMP:(1022):deleting node 1940283731 error FALSE reason "Informational (in) state 1"
005886: ISAKMP (1022): received packet from 172.16.30.254 dport 4500 sport 22736 Global (R) QM_IDLE
005887: ISAKMP: set new node 3676181 to QM_IDLE
005888: ISAKMP:(1022): processing HASH payload. message ID = 3676181
005889: ISAKMP:(1022): processing DELETE payload. message ID = 3676181
005890: ISAKMP:(1022):peer does not do paranoid keepalives.
005891: ISAKMP:(1022):deleting SA reason "No reason" state (R) QM_IDLE (peer 172.16.30.254)
005892: ISAKMP:(1022):deleting node 3676181 error FALSE reason "Informational (in) state 1"
005893: ISAKMP: set new node -207579860 to QM_IDLE
005894: ISAKMP:(1022): sending packet to 172.16.30.254 my_port 4500 peer_port 22736 (R) QM_IDLE
005895: ISAKMP:(1022):Sending an IKE IPv4 Packet.
005896: ISAKMP:(1022):purging node -207579860
005897: ISAKMP:(1022):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
005898: ISAKMP:(1022):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
005899: ISAKMP:(1022):deleting SA reason "No reason" state (R) QM_IDLE (peer 172.16.30.254)
005900: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
005901: ISAKMP: Unlocking peer struct 0x4A58A818 for isadb_mark_sa_deleted(), count 0
005902: ISAKMP: Deleting peer node by peer_reap for 172.16.30.254: 4A58A818
005903: ISAKMP:(1022):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
005904: ISAKMP:(1022):Old State = IKE_DEST_SA New State = IKE_DEST_SA
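To make a capture like the one above quicker to read, here is an added Python helper (editor's example, not code from the post, from Cisco, or from the linked document). It groups `debug crypto isakmp` lines by the IKE SA number in parentheses and summarises, for each SA, which quick-mode proposals the peer offered, which one the router's IPsec policy actually took, whether Phase 2 completed and whether the peer then sent DELETE payloads. The sample input is an abbreviated copy of the debug pasted above; the regular expressions are written against the message wording seen there and are an assumption for other IOS releases. On that sample it reports proposals 1 and 2 (AES) passing the ISAKMP attribute check but being invalidated by the IPsec policy (the dynamic map only carries the 3DES transform set L2TP-Set2), proposal 3 (3DES, transport over UDP 4500) selected, quick mode completing, and the peer deleting the SAs afterwards, which puts the point of failure after IPsec rather than in the IKE negotiation.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Abbreviated from the debug output pasted above: only the lines the parser
# acts on, with their original numbering and wording.
SAMPLE_DEBUG = """\
005794: ISAKMP (1022): received packet from 172.16.30.254 dport 4500 sport 22736 Global (R) QM_IDLE
005798: ISAKMP:(1022):Checking IPSec proposal 1
005799: ISAKMP: transform 1, ESP_AES
005802: ISAKMP: key length is 256
005808: ISAKMP:(1022):atts are acceptable.
005809: ISAKMP:(1022): IPSec policy invalidated proposal with error 256
005810: ISAKMP:(1022):Checking IPSec proposal 2
005811: ISAKMP: transform 1, ESP_AES
005814: ISAKMP: key length is 128
005820: ISAKMP:(1022):atts are acceptable.
005821: ISAKMP:(1022): IPSec policy invalidated proposal with error 256
005822: ISAKMP:(1022):Checking IPSec proposal 3
005823: ISAKMP: transform 1, ESP_3DES
005831: ISAKMP:(1022):atts are acceptable.
005862: ISAKMP:(1022):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
005883: ISAKMP:(1022): processing DELETE payload. message ID = 1940283731
005889: ISAKMP:(1022): processing DELETE payload. message ID = 3676181
005891: ISAKMP:(1022):deleting SA reason "No reason" state (R) QM_IDLE (peer 172.16.30.254)
"""
# Matches "005794: ISAKMP (1022): msg", "ISAKMP:(1022):msg" and "ISAKMP: msg";
# a line without an SA number belongs to the SA named most recently.
LINE_RE = re.compile(r"^(?:\d+:\s*)?ISAKMP\s*:?\s*(?:\((\d+)\)\s*:?\s*)?(.*)$")


@dataclass
class Proposal:
    number: int
    transform: str = "?"
    key_length: Optional[int] = None
    atts_acceptable: bool = False            # passed the ISAKMP attribute check
    invalidated_error: Optional[int] = None  # then rejected by crypto map / transform set

    @property
    def selected(self) -> bool:
        return self.atts_acceptable and self.invalidated_error is None


@dataclass
class SaSummary:
    sa_id: int
    peer: Optional[str] = None
    nat_t: bool = False  # peer reached us on UDP 4500, i.e. NAT traversal in use
    proposals: List[Proposal] = field(default_factory=list)
    phase2_complete: bool = False
    deletes_after_phase2: int = 0  # DELETE payloads received after the IPsec SAs were up


def parse_debug(text: str) -> Dict[int, SaSummary]:
    sas: Dict[int, SaSummary] = {}
    cur: Optional[SaSummary] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation lines such as "(proxy A to B)" or "spi 0, ..."
        sa_id, msg = m.groups()
        if sa_id not in (None, "0"):
            cur = sas.setdefault(int(sa_id), SaSummary(int(sa_id)))
        if cur is None:
            continue
        prop = cur.proposals[-1] if cur.proposals else None
        if p := re.match(r"received packet from (\S+) dport (\d+)", msg):
            cur.peer, cur.nat_t = p.group(1), cur.nat_t or p.group(2) == "4500"
        elif p := re.match(r"Checking IPSec proposal (\d+)", msg):
            cur.proposals.append(Proposal(int(p.group(1))))
        elif prop and (p := re.match(r"transform \d+, (\S+)", msg)):
            prop.transform = p.group(1)
        elif prop and (p := re.match(r"key length is (\d+)", msg)):
            prop.key_length = int(p.group(1))
        elif prop and msg.startswith("atts are acceptable"):
            prop.atts_acceptable = True
        elif prop and (p := re.search(r"invalidated proposal with error (\d+)", msg)):
            prop.invalidated_error = int(p.group(1))
        elif "New State = IKE_QM_PHASE2_COMPLETE" in msg:
            cur.phase2_complete = True
        elif "processing DELETE payload" in msg and cur.phase2_complete:
            cur.deletes_after_phase2 += 1
    return sas


def selected_proposal(sa: SaSummary) -> Optional[Proposal]:
    # The responder settles on the first proposal that passes both checks.
    return next((p for p in sa.proposals if p.selected), None)


def assess(sa: SaSummary) -> str:
    # One-line reading of how far this SA got, for the troubleshooter.
    if not sa.proposals:
        return "no quick-mode proposals seen on this SA"
    if selected_proposal(sa) is None:
        return "every proposal rejected: compare peer transforms with the crypto map's transform sets"
    if not sa.phase2_complete:
        return "a proposal was accepted but quick mode never completed"
    if sa.deletes_after_phase2:
        return "IPsec SAs came up, then the peer deleted them: IKE is fine, check what runs inside (L2TP)"
    return "IPsec SAs established and still up"


if __name__ == "__main__":
    for sa in parse_debug(SAMPLE_DEBUG).values():
        print(sa.sa_id, sa.peer, [(p.number, p.transform, p.selected) for p in sa.proposals], assess(sa))
```

Feed it the whole capture (for example `parse_debug(open("isakmp.log").read())`) rather than the excerpt and it will also pick up the Phase 1 SA (1009 above) that only carried DPD keepalives, which `assess` reports as having no quick-mode proposals. The "error 256" lines are where the AES transforms fall out: the attributes are acceptable to ISAKMP, but the crypto map that answers the dynamic peer only offers the L2TP-Set2 (3DES) transform set, so the router takes the 3DES proposal instead.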