05-23-2011 01:35 PM - edited 02-21-2020 05:21 PM
I'm on Day 4 trying to figure this out and I'm now at a point where it is beyond my level of troubleshooting.
This is an extremely EASY request for configuration setup....or so I thought.
All I want to do is connect three remote VPN clients to my ASA using L2TP over IPEC and all three clients will be using Windows 7.
Here is the configuration of my ASA:
ASA Version 8.2(1)
!
hostname fw-aimetrix-asa5505
enable password ******************** encrypted
passwd ********************* encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.10.68.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.xxx.xxx.90 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 10.10.70.5
name-server 000.000.000.0000
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip any 10.10.72.240 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool L2TP-Pool 10.10.72.245-10.10.72.250 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.89 1
route inside 10.10.70.0 255.255.255.0 10.10.68.2 1
route inside 10.10.71.0 255.255.255.0 10.10.68.2 1
route inside 10.10.72.0 255.255.255.0 10.10.68.2 1
route inside 10.10.73.0 255.255.255.0 10.10.68.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA ESP-AES-128-SHA ESP-3DES-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
l2tp tunnel hello 100
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
svc enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 10.10.70.5 10.10.71.5
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy DfltGrpPolicy attributes
dns-server value 10.10.70.5
address-pools value L2TP-Pool
username lee.berdick password ****************************** nt-encrypted privilege 0
username lee.berdick attributes
vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool L2TP-Pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
When connecting from Windows 7 clients I get a Error 789
I've done an exhausive search on this error message and I have checked for everything people have listed including:
- Make sure "IPsec Policy Agent" and "IKE and AuthIP IPsec Keying Modules" services are running (Check, and set for Automatic)
- Modify registry to allow NAT Traversal with AssumeUDPEncapsulationContextOnSendRule=2. (Check)
- Check that pre-shared key is correct. (Check)
- Check Windows 7 FW (Check, nothing is blocking)
I can ping the outside IP address (xxx.90)
My initial thoughts have always been some access allow that is not being set. When client tries to connect, it's like the ASA doesn't even see it.
Any help would be appreciated.
Thanks,
Lee
05-25-2011 03:42 AM
>>. When client tries to connect, it's like the ASA doesn't even see it.
How did you verify this?
Technically it is the L2TP which kick start the IKE on the Windows PC. the ASA should see UDP/500 packet and should accept the request. Once the IPSEC tunnel is built the L2TP negotiation takes place.
IKE/IPSEC configuration on ASA looks fine.
In case you do not see any UDP/500 packets hitting your outside interface (show log,captures) you should check if the PC is actually initiating the IKE.
Please run 'deb cry isa 127' and paste the output.
Did you try from any other windows PC (7 or XP)?
-Vikas
05-26-2011 07:23 AM
Yeah, I don't think this PC I'm testing from is actually making a connection.
When I look at the syslog screen (or debug) on the ASDM while trying to make a L2TP connection, I don't see anything on UDP 500 or anything at all that would seem like something is trying to connect. All I see is DNS crap from my DNS server.
Do I need to add an ACL or some ingress allow on the outside interface for UDP 500?
05-26-2011 08:20 AM
UPDATE:
This is entirely a Windows 7 issue
I got a Mac and a Win XP box to connect
05-26-2011 10:56 PM
That's what I suspected.
Check if IPSEC IKE service in the Windows has started or not. (services.msc).
Try disabling the Windows FW may be the UDP/500, UDP/4500 are disabled.
-Vikas
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide