09-10-2013 01:26 AM - edited 02-21-2020 07:08 PM
Hello all!
I can't connect a MikroTik RB433UAH (running the latest RouterOS 6.3) as an L2TP VPN client to my ASA 5512-X (running 8.6(1)2).
The MikroTik is connected to the public network via a GSM modem.
macOS and Windows PCs, iOS and Android smartphones connect without any problems as L2TP VPN clients.
MikroTik configuration (VPN-related part):
[admin@Linux] >
ip ipsec peer print
Flags: X - disabled
0 * address=XX.XX.XX.XX/32 passive=no port=500 auth-method=pre-shared-key secret="XXXXXX"
generate-policy=port-override exchange-mode=main send-initial-contact=yes
nat-traversal=yes hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d
dpd-interval=2m dpd-maximum-failures=5
ip ipsec proposal print
Flags: X - disabled, * - default
0 * name="default" auth-algorithms=md5,sha1,null
enc-algorithms=null,des,3des,aes-128,aes-192,aes-256 lifetime=30m pfs-group=modp1024
interface l2tp-client print
Flags: X - disabled, R - running
0 * name="l2tp-out1" max-mtu=1450 max-mru=1450 mrru=disabled connect-to=XX.XX.XX.XX
user="XXXXXX" password="XXXXXXXX" profile=default-encryption keepalive-timeout=60
add-default-route=yes default-route-distance=1 dial-on-demand=no
allow=pap,chap,mschap1,mschap2
ASA configuration (VPN-related part):
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSPORT esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSPORT mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANSPORT esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANSPORT mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-3DES-MD5 ESP-3DES-SHA ESP-3DES-SHA-TRANSPORT ESP-3DES-MD5-TRANSPORT
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map INTERNET_map 100 match address Crypto_ACL_to_Office
crypto map INTERNET_map 100 set ikev1 transform-set ESP-AES-256-SHA
crypto map INTERNET_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map INTERNET_map interface INTERNET
crypto isakmp nat-traversal 60
crypto ikev1 enable INTERNET
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 2
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 management
ssh 192.168.77.0 255.255.255.0 INSIDE
ssh 192.168.200.8 255.255.255.252 INSIDE
ssh 192.168.70.115 255.255.255.255 INSIDE
ssh timeout 60
console timeout 0
dhcprelay server 192.168.70.13 INSIDE
dhcprelay enable WAN
dhcprelay enable REST
dhcprelay timeout 60
priority-queue SIPTRUNKS
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authentication-key 1 md5 *****
ntp trusted-key 1
ntp server 192.168.200.1 key 1
tftp-server INSIDE 192.168.70.115 CC-ASA5512.cfg
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1
webvpn
group-policy NoAccess internal
group-policy NoAccess attributes
dns-server value 192.168.70.1
dhcp-network-scope 192.168.111.1
vpn-simultaneous-logins 0
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
default-domain value domain.local
intercept-dhcp enable
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 0
password-storage enable
group-policy CiscoVPNClient internal
group-policy CiscoVPNClient attributes
dns-server value 192.168.70.1
dhcp-network-scope 192.168.111.1
vpn-simultaneous-logins 50
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
default-domain value domain.local
intercept-dhcp 255.255.255.255 enable
group-policy L2LVPN internal
group-policy L2LVPN attributes
vpn-simultaneous-logins 1
vpn-tunnel-protocol ikev1
group-policy L2TP internal
group-policy L2TP attributes
dns-server value 192.168.70.1
vpn-simultaneous-logins 50
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT_TUNNEL
default-domain value domain.local
intercept-dhcp 255.255.255.255 enable
username 1312312 password 213123 encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool CC_VPN_POOL
authentication-server-group LDAP_domain
default-group-policy L2TP
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
no authentication chap
no authentication ms-chap-v1
tunnel-group USER_VPN_ACCESS type remote-access
tunnel-group USER_VPN_ACCESS general-attributes
address-pool CC_VPN_POOL
authentication-server-group LDAP_Domain
default-group-policy NoAccess
dhcp-server 192.168.70.13
dhcp-server link-selection 192.168.200.9
tunnel-group USER_VPN_ACCESS ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group USER_VPN_ACCESS ppp-attributes
authentication ms-chap-v2
tunnel-group VV.VV.VV.VV type ipsec-l2l
tunnel-group VV.VV.VV.VV general-attributes
default-group-policy L2LVPN
tunnel-group VV.VV.VV.VV ipsec-attributes
ikev1 pre-shared-key *****
!
class-map VoIP
description High Priority for VoIP
match dscp ef
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map VoIP_QoS
class VoIP
priority
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map sip_policy
class inspection_default
inspect sip
!
service-policy global_policy global
service-policy VoIP_QoS interface SIP101
service-policy VoIP_QoS interface SIP102
service-policy VoIP_QoS interface SIP2460
prompt hostname context
no call-home reporting anonymous
ASA logs (with l2tp, ike, ha debugs enabled): http://pastebin.com/qrRQCfiG
MikroTik logs: http://pastebin.com/ZEstEwWK
(The ASA public IP was replaced with XX.XX.XX.XX and the MikroTik public IP with YY.YY.YY.YY.)
Also, in the MikroTik's logs I see a weird message:
03:51:25 l2tp,debug,packet rcvd control message from XX.XX.XX.XX:1701
03:51:25 l2tp,debug,packet tunnel-id=81, session-id=0, ns=0, nr=1
03:51:25 l2tp,debug,packet (M) Message-Type=StopCCN
03:51:25 l2tp,debug,packet (M) Result-Code=2
03:51:25 l2tp,debug,packet Error-Code=0
03:51:25 l2tp,debug,packet Error-Message="No cc config for Linux"
03:51:25 l2tp,debug,packet (M) Assigned-Tunnel-ID=23497
What does it mean?
Thank you in advance!
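The interoperability question underneath this post is whether the two sides share an IKEv1 Phase 1 policy and a Phase 2 transform-set at all. The following script is an added example, not code from the post, MikroTik or Cisco: it parses the RouterOS `ip ipsec peer`/`proposal` output and the ASA `crypto ikev1 policy` and `transform-set` lines, maps ASA keywords onto RouterOS names (`aes` is `aes-128`, `sha` is `sha1`, `group 2` is `modp1024`), and reports the overlap, marking which transform-sets are transport mode since L2TP/IPsec runs over transport-mode ESP. The sample config is constructed from the post and trimmed to the lines that matter; the script compares algorithms only and does not check PFS or lifetimes. It also lists the weak algorithms (`null`, `des`, `md5`) that the RouterOS default proposal advertises, which a hardened proposal would drop.

```python
# Added example (not from the post, MikroTik or Cisco): compare the RouterOS IPsec
# peer/proposal with the ASA IKEv1 policies and transform-sets from the post and
# report what both sides have in common. All sample config below is constructed
# from the post (trimmed to the lines that decide Phase 1 and Phase 2).
import re

MIKROTIK_PEER = ("address=XX.XX.XX.XX/32 exchange-mode=main hash-algorithm=sha1 "
                 "enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d")
MIKROTIK_PROPOSAL = ('name="default" auth-algorithms=md5,sha1,null '
                     "enc-algorithms=null,des,3des,aes-128,aes-192,aes-256 "
                     "lifetime=30m pfs-group=modp1024")
ASA_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSPORT esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANSPORT mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANSPORT esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANSPORT mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-3DES-SHA ESP-3DES-SHA-TRANSPORT ESP-3DES-MD5-TRANSPORT
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
"""

# ASA keywords mapped onto the names RouterOS prints, so both sides compare equal.
ENC = {"des": "des", "3des": "3des", "aes": "aes-128", "aes-192": "aes-192",
       "aes-256": "aes-256", "esp-null": "null", "esp-des": "des", "esp-3des": "3des",
       "esp-aes": "aes-128", "esp-aes-192": "aes-192", "esp-aes-256": "aes-256"}
HASH = {"sha": "sha1", "md5": "md5", "esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}
GROUP = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
WEAK = {"null", "des", "md5"}  # should not be offered even if the peer never picks them


def ros_kv(text):
    """Turn a RouterOS 'key=value key2="quoted value"' line into a dict."""
    return {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S+)', text)}


def parse_asa(text):
    """Collect IKEv1 policies, transform-sets, their modes and the dynamic-map list."""
    policies, tsets, modes, dynmap = {}, {}, {}, []
    current = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["crypto", "ikev1", "policy"]:
            current = int(t[3])
            policies[current] = {}
        elif t[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            if t[5] == "mode":
                modes[t[4]] = t[6]
            else:
                tsets[t[4]] = t[5:]
        elif t[:2] == ["crypto", "dynamic-map"] and "transform-set" in t:
            dynmap.extend(t[t.index("transform-set") + 1:])
        elif current is not None and t[0] in ("authentication", "encryption", "hash", "group", "lifetime"):
            policies[current][t[0]] = t[1]
        else:
            current = None  # any other line ends the current policy block
    return policies, tsets, modes, dynmap


def phase1_matches(peer_text, asa_text):
    """IKEv1 policy numbers whose enc/hash/group equal the RouterOS peer settings."""
    peer = ros_kv(peer_text)
    policies = parse_asa(asa_text)[0]
    return sorted(n for n, p in policies.items()
                  if ENC.get(p.get("encryption")) == peer["enc-algorithm"]
                  and HASH.get(p.get("hash")) == peer["hash-algorithm"]
                  and GROUP.get(p.get("group")) == peer["dh-group"])


def phase2_matches(proposal_text, asa_text):
    """(transform-set, enc, auth, mode) for each dynamic-map transform-set the RouterOS
    proposal can also offer; L2TP/IPsec needs the transport-mode ones."""
    prop = ros_kv(proposal_text)
    encs = set(prop["enc-algorithms"].split(","))
    auths = set(prop["auth-algorithms"].split(","))
    _, tsets, modes, dynmap = parse_asa(asa_text)
    out = []
    for name in dynmap:
        enc, auth = tsets[name]
        e, a = ENC[enc], HASH[auth]
        if e in encs and a in auths:
            out.append((name, e, a, modes.get(name, "tunnel")))
    return out


def weak_algorithms(proposal_text):
    """Weak algorithms the RouterOS proposal still advertises (sorted)."""
    prop = ros_kv(proposal_text)
    offered = set(prop["enc-algorithms"].split(",")) | set(prop["auth-algorithms"].split(","))
    return sorted(offered & WEAK)


if __name__ == "__main__":
    print("Phase 1:", phase1_matches(MIKROTIK_PEER, ASA_CONFIG))
    print("Phase 2:", phase2_matches(MIKROTIK_PROPOSAL, ASA_CONFIG))
    print("weak algorithms offered:", weak_algorithms(MIKROTIK_PROPOSAL))
```

Run against the post's settings it reports policy 90 as the only Phase 1 match (aes/sha/group 2 equals aes-128/sha1/modp1024) and all four dynamic-map transform-sets as Phase 2 candidates, two of them transport mode; a proposal that only lists what the peer actually accepts is easier to reason about than the RouterOS default list.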
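The log excerpt is an L2TP StopCCN (Stop-Control-Connection-Notification) control message, and its Result-Code and Error-Code have fixed meanings in RFC 2661 section 4.4.2. The script below is an added example, not from the post or from MikroTik: it parses the RouterOS `l2tp,debug,packet` lines (a constructed copy of the ones above), decodes the codes, lists which AVPs carried the mandatory (M) bit, and flags the case seen here, where Result-Code 2 says "the Error Code indicates the problem" while Error-Code 0 means "no general error", so the only detail left is the free-text Error-Message the peer chose.

```python
# Added example (not from the post or from MikroTik): decode the L2TP StopCCN
# control message from the RouterOS debug log, using the Result-Code and
# Error-Code meanings from RFC 2661 section 4.4.2. The log lines below are a
# constructed copy of the ones in the post.
import re

LOG = """\
03:51:25 l2tp,debug,packet rcvd control message from XX.XX.XX.XX:1701
03:51:25 l2tp,debug,packet tunnel-id=81, session-id=0, ns=0, nr=1
03:51:25 l2tp,debug,packet (M) Message-Type=StopCCN
03:51:25 l2tp,debug,packet (M) Result-Code=2
03:51:25 l2tp,debug,packet Error-Code=0
03:51:25 l2tp,debug,packet Error-Message="No cc config for Linux"
03:51:25 l2tp,debug,packet (M) Assigned-Tunnel-ID=23497
"""

# RFC 2661 4.4.2: Result Codes for StopCCN (CDN uses a different table).
STOPCCN_RESULT = {
    0: "Reserved", 1: "General request to clear control connection",
    2: "General error - Error Code indicates the problem",
    3: "Control channel already exists",
    4: "Requester is not authorized to establish a control channel",
    5: "The protocol version of the requester is not supported",
    6: "Requester is being shut down", 7: "Finite State Machine error",
}
ERROR_CODE = {
    0: "No general error", 1: "No control connection exists yet for this LAC-LNS pair",
    2: "Length is wrong", 3: "A field value was out of range or a reserved field was non-zero",
    4: "Insufficient resources to handle this operation now",
    5: "The Session ID is invalid in this context",
    6: "A generic vendor-specific error occurred in the LAC",
    7: "Try another (the LAC should try another LNS)",
    8: "Session or tunnel shut down due to an unknown AVP with the M-bit set",
}
LINE = re.compile(r"^(\d\d:\d\d:\d\d) l2tp,debug,packet (.*)$")
AVP = re.compile(r"^(\(M\) )?([\w-]+)=(.*)$")


def parse_l2tp_log(text):
    """Return peer, L2TP header fields and AVPs as name -> (value, mandatory)."""
    msg = {"peer": None, "header": {}, "avps": {}}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        body = m.group(2)
        if body.startswith("rcvd control message from "):
            msg["peer"] = body.rsplit(" ", 1)[1]
        elif body.startswith("tunnel-id="):
            msg["header"] = {k: int(v) for k, v in re.findall(r"([\w-]+)=(\d+)", body)}
        else:
            a = AVP.match(body)
            if a:
                msg["avps"][a.group(2)] = (a.group(3).strip('"'), bool(a.group(1)))
    return msg


def explain_stopccn(text):
    """Human-readable reading of a StopCCN, plus a flag when the codes carry no detail."""
    msg = parse_l2tp_log(text)
    avps = msg["avps"]
    if avps.get("Message-Type", ("",))[0] != "StopCCN":
        raise ValueError("not a StopCCN message")
    result = int(avps["Result-Code"][0])
    error = int(avps.get("Error-Code", ("0",))[0])
    return {
        "peer": msg["peer"],
        "tunnel_id": msg["header"].get("tunnel-id"),
        "assigned_tunnel_id": int(avps["Assigned-Tunnel-ID"][0]),
        "result": STOPCCN_RESULT.get(result, f"unknown ({result})"),
        "error": ERROR_CODE.get(error, f"unknown ({error})"),
        "error_message": avps.get("Error-Message", ("",))[0],
        "mandatory_avps": [k for k, (_, mand) in avps.items() if mand],
        # Result-Code 2 defers to Error-Code, but Error-Code 0 says "no general
        # error": the only diagnostic detail left is the peer's free-text message.
        "detail_only_in_message": result == 2 and error == 0,
    }


if __name__ == "__main__":
    for key, value in explain_stopccn(LOG).items():
        print(f"{key}: {value}")
```

The practical reading is that the responder at XX.XX.XX.XX:1701 tore the control connection down deliberately (Result-Code 2 with Error-Code 0 is a generic rejection) and that the text "No cc config for Linux" is an implementation-specific string rather than a standard code, so the matching ASA-side debug output is where the reason has to be looked up.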