12-04-2011 01:03 PM - edited 02-21-2020 05:44 PM
Hi,
I am trying to connect Android 2.3 to a Cisco ASA 8.2.5(13) via L2TP/IPsec with PSK. I have FreeRADIUS (with mOTP) to store passwords. Between the ASA and FreeRADIUS I use PAP authentication. I see that the connection is set up, but after 2-3 seconds the connection fails. I think that phase 1 and 2 are OK and authorization is OK, but l2tpd disconnects the session. I don't have any idea why. Thanks for any advice.
Logs from the ASA:
Dec 4 22:17:21 ASA Group = DefaultRAGroup, IP = 13.6.6.65, PHASE 2 COMPLETED (msgid=b44493a2)
Dec 4 22:17:22 ASA AAA user authentication Successful : server = 10.62.1.10 : user = tom3
Dec 4 22:17:22 ASA AAA group policy for user tom3 is being set to press
Dec 4 22:17:22 ASA AAA retrieved user specific group policy (press) for user = tom3
Dec 4 22:17:22 ASA AAA retrieved default group policy (l2tp-ipsec_policy) for user = tom3
Dec 4 22:17:22 ASA AAA transaction status ACCEPT : user = tom3
Dec 4 22:17:22 ASA IPAA: Error freeing address 0.0.0.0, not found
Dec 4 22:17:22 secondASA (VPN-Secondary) Failed to update IPSec failover runtime data on the standby unit.
Dec 4 22:17:22 ASA L2TP Tunnel created, tunnel_id is 27, remote_peer_ip is 13.6.6.65 ppp_virtual_interface_id is 1, client_dynamic_ip is 0.0.0.0 username is tom3
Dec 4 22:17:22 ASA L2TP Tunnel deleted, tunnel_id = 27, remote_peer_ip = 13.6.6.65
Dec 4 22:17:22 ASA IPSEC: An outbound remote access SA (SPI= 0x0AC1E13C) between 13.6.6.66 and 13.6.6.65 (user= DefaultRAGroup) has been deleted.
Dec 4 22:17:22 ASA IPSEC: An inbound remote access SA (SPI= 0x1266C98E) between 13.6.6.66 and 13.6.6.65 (user= DefaultRAGroup) has been deleted.
Dec 4 22:17:22 ASA Group = DefaultRAGroup, IP = 13.6.6.65, Session is being torn down. Reason: L2TP initiated
Dec 4 22:17:22 ASA Group = DefaultRAGroup, Username = , IP = 13.6.6.65, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:02s, Bytes xmt: 730, Bytes rcv: 724, Reason: L2TP initiated
My config:
ip local pool l2tp-ipsec 12.2.2.163-12.2.2.164 mask 255.255.255.192
crypto ipsec transform-set trans esp-3des esp-md5-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic-map dyn_dla_l2tp-ipsec 10 set transform-set trans
crypto map outside_map_FR 199 ipsec-isakmp dynamic dyn_dla_l2tp-ipsec
crypto map outside_map_FR interface vlan65
crypto isakmp enable vlan65
crypto isakmp policy 7
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy l2tp-ipsec_policy internal
group-policy l2tp-ipsec_policy attributes
 dns-server value 1.1.1.1
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool l2tp-ipsec
 authentication-server-group radius_no_otp
 default-group-policy l2tp-ipsec_policy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 no authentication ms-chap-v1
Kind regards,
Peter
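For anyone correlating this kind of failure across a larger syslog feed, here is a small log analyzer that pairs the "L2TP Tunnel created" / "L2TP Tunnel deleted" records by tunnel_id, attaches the AAA result, the IPAA error and the teardown reason, and flags tunnels that die within a few seconds while client_dynamic_ip is still 0.0.0.0. This is an added example, not code from the original post or from Cisco: SAMPLE_LOG is constructed from the lines Peter posted (with the wrapped "Tunnel created" record joined back onto one syslog line), and HEALTHY_LOG is a constructed contrast case with an assumed client address of 12.2.2.163 and an assumed "User Requested" teardown, so the check has something to say "no" to.

```python
"""Correlate Cisco ASA L2TP/IPsec syslog lines and flag tunnels that are torn
down right after AAA succeeds, as in the post above.

Added example, not code from the original post or from Cisco. SAMPLE_LOG is
constructed from the lines in the post (the wrapped "L2TP Tunnel created"
record joined onto one line); HEALTHY_LOG is a constructed contrast case with
an assumed client address and a longer lifetime.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
Dec 4 22:17:21 ASA Group = DefaultRAGroup, IP = 13.6.6.65, PHASE 2 COMPLETED (msgid=b44493a2)
Dec 4 22:17:22 ASA AAA user authentication Successful : server = 10.62.1.10 : user = tom3
Dec 4 22:17:22 ASA AAA transaction status ACCEPT : user = tom3
Dec 4 22:17:22 ASA IPAA: Error freeing address 0.0.0.0, not found
Dec 4 22:17:22 ASA L2TP Tunnel created, tunnel_id is 27, remote_peer_ip is 13.6.6.65 ppp_virtual_interface_id is 1, client_dynamic_ip is 0.0.0.0 username is tom3
Dec 4 22:17:22 ASA L2TP Tunnel deleted, tunnel_id = 27, remote_peer_ip = 13.6.6.65
Dec 4 22:17:22 ASA Group = DefaultRAGroup, IP = 13.6.6.65, Session is being torn down. Reason: L2TP initiated
"""

# Constructed contrast case (assumed values): an address handed out from the
# pool and a tunnel that lives ten minutes before the client hangs up.
HEALTHY_LOG = """\
Dec 4 23:00:00 ASA AAA user authentication Successful : server = 10.62.1.10 : user = tom3
Dec 4 23:00:00 ASA L2TP Tunnel created, tunnel_id is 28, remote_peer_ip is 13.6.6.65 ppp_virtual_interface_id is 1, client_dynamic_ip is 12.2.2.163 username is tom3
Dec 4 23:10:00 ASA L2TP Tunnel deleted, tunnel_id = 28, remote_peer_ip = 13.6.6.65
Dec 4 23:10:00 ASA Group = DefaultRAGroup, IP = 13.6.6.65, Session is being torn down. Reason: User Requested
"""

RECORD = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
AUTH_OK = re.compile(r"AAA user authentication Successful .*user = (?P<user>\S+)")
IPAA_ERR = re.compile(r"IPAA: Error freeing address (?P<ip>[\d.]+)")
CREATED = re.compile(r"L2TP Tunnel created, tunnel_id is (?P<tid>\d+), remote_peer_ip is (?P<peer>[\d.]+)")
CLIENT_IP = re.compile(r"client_dynamic_ip is (?P<ip>[\d.]+)")
USERNAME = re.compile(r"username is (?P<user>\S+)")
DELETED = re.compile(r"L2TP Tunnel deleted, tunnel_id = (?P<tid>\d+)")
TEARDOWN = re.compile(r"IP = (?P<peer>[\d.]+), Session is being torn down\. Reason: (?P<reason>.+)$")


def parse(text):
    """Yield (timestamp, message) per syslog record. The ASA timestamp has no
    year, so only differences between timestamps are meaningful."""
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            ts = datetime.strptime(re.sub(r" +", " ", m["ts"]), "%b %d %H:%M:%S")
            yield ts, m["msg"]


def analyze(text, max_lifetime_s=5):
    """Return one finding per L2TP tunnel_id. A tunnel is marked suspicious when
    it is deleted within max_lifetime_s of creation and no client address was
    ever assigned (client_dynamic_ip 0.0.0.0 or absent)."""
    tunnels = {}
    authed_users = set()
    ipaa_errors = []
    teardown_by_peer = {}
    for ts, msg in parse(text):
        if m := AUTH_OK.search(msg):
            authed_users.add(m["user"])
        elif m := IPAA_ERR.search(msg):
            ipaa_errors.append(m["ip"])
        elif m := CREATED.search(msg):
            t = tunnels.setdefault(int(m["tid"]), {"tunnel_id": int(m["tid"])})
            c, u = CLIENT_IP.search(msg), USERNAME.search(msg)
            t.update(peer=m["peer"], created=ts,
                     client_ip=c["ip"] if c else None,
                     username=u["user"] if u else None)
        elif m := DELETED.search(msg):
            tunnels.setdefault(int(m["tid"]), {"tunnel_id": int(m["tid"])})["deleted"] = ts
        elif m := TEARDOWN.search(msg):
            teardown_by_peer[m["peer"]] = m["reason"]

    findings = []
    for t in tunnels.values():
        lifetime = None
        if "created" in t and "deleted" in t:
            lifetime = (t["deleted"] - t["created"]).total_seconds()
        no_client_ip = t.get("client_ip") in (None, "0.0.0.0")
        short_lived = lifetime is not None and lifetime <= max_lifetime_s
        findings.append({
            "tunnel_id": t["tunnel_id"],
            "peer": t.get("peer"),
            "username": t.get("username"),
            "auth_ok": t.get("username") in authed_users,
            "client_ip": t.get("client_ip"),
            "lifetime_s": lifetime,
            # IPAA complained about the very address the tunnel ended up with
            "ipaa_error": any(ip == t.get("client_ip") for ip in ipaa_errors),
            "teardown_reason": teardown_by_peer.get(t.get("peer")),
            "suspicious": short_lived and no_client_ip,
        })
    return findings


if __name__ == "__main__":
    for label, log in (("posted log", SAMPLE_LOG), ("healthy contrast", HEALTHY_LOG)):
        for finding in analyze(log):
            print(label, finding)
```

On the posted log the finding shows auth_ok True, client_ip 0.0.0.0, lifetime 0 s, an IPAA error on that same 0.0.0.0 address and teardown reason "L2TP initiated", which is the pattern to look for whenever the address-assignment side of an L2TP/IPsec session is suspected rather than IKE or RADIUS.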
12-04-2011 03:17 PM
Hi Peter,
What if you try with the MS client? Do you experience the same issue?
Also, please add a couple more IP addresses to the VPN pool and test.
In addition, could you please provide the following outputs?
1. show ip local pool
2. show run vpn-addr-assign
Thanks.
12-05-2011 01:22 AM
Hi Javier,
I tried on Win XP and I get the same error; I changed the type of authorization in the MS client, but with no effect.
It seems that I'm very close (P1, P2 and auth seem OK), but there is something I am doing wrong.
Below is my output:
ASA# sh ip local pool l2tp-ipsec
Begin       End         Mask             Free  Held  In use
12.2.2.163  12.7.2.164  255.255.255.192  2     0     0
Available Addresses:
12.2.2.163
12.2.2.164
ASA# show run vpn-addr-assign
ASA#
Kind regards,
Peter