Can't connect to Remote VPN on ASA using Windows L2TP over IPsec

Chris Ivy
Level 1

Hi all,

This is my first VPN configuration I have done with an ASA device. I am trying to set up a remote access VPN using Windows L2TP/IPsec. I used the IPsec (IKEv1) Remote Access VPN Wizard in the ASDM to set it up. I have a user in the AAA/Local Users section configured and am using a Preshared Key.

When I try to connect in Windows 7 I get the error:

Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during the initial negotiations with the remote computer.

Below is my config on the ASA.

ASA Version 8.4(1)
!
hostname mpdcSA
domain-name metapower
enable password ac3wyUYtitklff6l encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address 198.145.XXX.82 255.255.255.240
!
interface Ethernet0/1
 nameif MGMT_LAN
 security-level 100
 ip address 192.168.180.1 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa841-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name metapower
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network MGMT_LAN
 subnet 192.168.180.0 255.255.255.0
 description MGMT-LAN to WAN
object network NETWORK_OBJ_192.168.180.128_26
 subnet 192.168.180.128 255.255.255.192
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu MGMT_LAN 1500
mtu WAN 1500
ip local pool MPVPN_LAN 192.168.180.150-192.168.180.190 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
no asdm history enable
arp timeout 14400
nat (MGMT_LAN,WAN) source static any any destination static NETWORK_OBJ_192.168.180.128_26 NETWORK_OBJ_192.168.180.128_26
!
object network MGMT_LAN
 nat (MGMT_LAN,WAN) dynamic interface
!
nat (management,WAN) after-auto source dynamic any interface
route WAN 0.0.0.0 0.0.0.0 198.145.120.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.180.113 255.255.255.255 MGMT_LAN
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec ikev2 ipsec-proposal AES-256-MD5
 protocol esp encryption aes-256
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal AES-256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev1 enable WAN
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpn load-balancing
 interface lbpublic MGMT_LAN
 interface lbprivate MGMT_LAN
 cluster key *****
 cluster encryption
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd auto_config WAN interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
 default-domain value metapower
group-policy MPVPN internal
group-policy MPVPN attributes
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
username admin password VxZjbyhsFz3cVqCZ encrypted privilege 15
username admin attributes
 vpn-group-policy MPVPN
tunnel-group DefaultRAGroup general-attributes
 address-pool MPVPN_LAN
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group MPVPN type remote-access
tunnel-group MPVPN general-attributes
 address-pool MPVPN_LAN
 default-group-policy MPVPN
tunnel-group MPVPN ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group-map default-group MPVPN
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:af71087924710e00e4cb2f5ebd73cdd2
: end

In Windows the VPN is configured to connect to my ASA WAN IP of 198.145.XXX.82.

I am using the same user and password to connect as set in the ASA AAA/Local Users.

The security tab is set to L2TP/IPsec and the preshared key is checked and entered.

CHAP and MS-CHAP2 are the only protocols checked.

Any help would be great.

Thanks

Chris
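For readers troubleshooting a Windows L2TP/IPsec client against an ASA, the following added example (not from the post or from Cisco) lints a running-config excerpt for three prerequisites Cisco documents for this setup: the dynamic crypto map must offer a transport-mode transform set, an IKEv1 policy must offer DH group 2 (what the Windows 7 built-in client proposes), and MS-CHAPv2 against local users needs passwords stored with the mschap keyword. The embedded config is a constructed excerpt of the post above with the usual sub-command indentation restored.

```python
import re

# Constructed excerpt of the configuration pasted in the post above, with the
# one-space sub-command indentation of "show running-config" restored.
ASA_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
username admin password VxZjbyhsFz3cVqCZ encrypted privilege 15
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
"""

def lint_l2tp_ipsec(config):
    """Return findings against the L2TP/IPsec prerequisites Cisco documents for the ASA."""
    findings = []
    # L2TP/IPsec uses IPsec transport mode, so a "mode transport" transform set
    # must be among those the dynamic crypto map actually offers to the client.
    transport = set(re.findall(r"^crypto ipsec ikev1 transform-set (\S+) mode transport$", config, re.M))
    offered = set()
    for sets in re.findall(r"^crypto dynamic-map \S+ \d+ set ikev1 transform-set (.+)$", config, re.M):
        offered.update(sets.split())
    if not transport & offered:
        findings.append("dynamic crypto map offers no transport-mode transform set")
    # The Windows 7 built-in client proposes DH group 2 in IKEv1 phase 1.
    groups, in_policy = set(), False
    for line in config.splitlines():
        if line.startswith("crypto ikev1 policy"):
            in_policy = True
        elif not line.startswith(" "):
            in_policy = False
        elif in_policy and line.split()[:1] == ["group"]:
            groups.add(int(line.split()[1]))
    if 2 not in groups:
        findings.append("no IKEv1 policy offers DH group 2 (found %s)" % sorted(groups))
    # MS-CHAPv2 against the local user database needs passwords stored with "mschap".
    if re.search(r"^ authentication ms-chap-v2$", config, re.M):
        for user, fmt in re.findall(r"^username (\S+) password \S+(?: (\S+))?", config, re.M):
            if fmt != "mschap":
                findings.append("user %s: password not stored in mschap format" % user)
    return findings
```

Run `lint_l2tp_ipsec(ASA_CONFIG)` to see which of the three prerequisites the excerpt fails; an empty list means all three are met.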
