12-20-2011 06:13 PM - edited 02-21-2020 05:46 PM
Hi all,
This is my first VPN configuration I have done with an ASA device. I am trying to setup a remote access VPN using windows L2TP/IPsec. I used the IPsec (IKEv1) Remote Access VPN Wizard in the ASDM to set it up. I have a user in the AAA/Local Users section configured and am using a Preshared Key.
When I try to connect in Windows 7 I get the error:
Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during the initial negotiations with the remote computer.
Below is my config on the ASA.
ASA Version 8.4(1)
!
hostname mpdcSA
domain-name metapower
enable password ac3wyUYtitklff6l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif WAN
security-level 0
ip address 198.145.XXX.82 255.255.255.240
!
interface Ethernet0/1
nameif MGMT_LAN
security-level 100
ip address 192.168.180.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa841-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name metapower
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network MGMT_LAN
subnet 192.168.180.0 255.255.255.0
description MGMT-LAN to WAN
object network NETWORK_OBJ_192.168.180.128_26
subnet 192.168.180.128 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu MGMT_LAN 1500
mtu WAN 1500
ip local pool MPVPN_LAN 192.168.180.150-192.168.180.190 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (MGMT_LAN,WAN) source static any any destination static NETWORK_OBJ_192.168.180.128_26 NETWORK_OBJ_192.168.180.128_26
!
object network MGMT_LAN
nat (MGMT_LAN,WAN) dynamic interface
!
nat (management,WAN) after-auto source dynamic any interface
route WAN 0.0.0.0 0.0.0.0 198.145.120.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.180.113 255.255.255.255 MGMT_LAN
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev2 ipsec-proposal AES-256-MD5
protocol esp encryption aes-256
protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal AES-256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN
crypto ikev2 policy 10
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev1 enable WAN
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpn load-balancing
interface lbpublic MGMT_LAN
interface lbprivate MGMT_LAN
cluster key *****
cluster encryption
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd auto_config WAN interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol l2tp-ipsec
default-domain value metapower
group-policy MPVPN internal
group-policy MPVPN attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
username admin password VxZjbyhsFz3cVqCZ encrypted privilege 15
username admin attributes
vpn-group-policy MPVPN
tunnel-group DefaultRAGroup general-attributes
address-pool MPVPN_LAN
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group MPVPN type remote-access
tunnel-group MPVPN general-attributes
address-pool MPVPN_LAN
default-group-policy MPVPN
tunnel-group MPVPN ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group-map default-group MPVPN
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:af71087924710e00e4cb2f5ebd73cdd2
: end
In windows the VPN is configured to connect my ASA WAN IP of 198.145.XXX.82
I am using the same user and pw to connect as set in the ASA AAA/Local Users.
The security tab is set to L2TP/IPsec and the presharedkey is checked and entered.
CHAP and MS-CHAP2 are the only protocols checked.
Any help would be great.
Thanks
Chris
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide