Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1296
Views
0
Helpful
3
Replies

Cisco ASA 5505 L2TP troubles

Martijn.Best
Level 1
Level 1

‎11-05-2010 08:45 AM

I have been trying to setup a L2TP VPN between my computer at home and my Cisco ASA 5505 (Version 8.3(2)) at work. I followed the setup wizard as I did with the Cisco VPN client setup, but I can not get my L2TP connection to work. The Cisco VPN client works fine, but I don't want to install the client on every PC I use to connect to the office.

When I look at the logging I see the following error, which would indicate a problem with the crypto maps, but I have no idea what.

3

Nov 05 2010

16:33:00

Group = DefaultRAGroup, IP = 188.203.234.103, QM FSM error (P2 struct &0xd52ac5b8, mess id 0x1)!


Any help anybody could give me would be greatly appreciated!

Full config below.

!
hostname Gaurdian
domain-name Horizons.local
enable password df6oflcDl3ZfQe.K encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Vlan3

shutdown
no forward interface Vlan1
nameif dmz
security-level 50
ip address 172.16.10.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup outside
dns server-group DefaultDNS
name-server 213.51.144.37
name-server 213.51.127.37
domain-name Horizons.local
object network LANRange
subnet 192.168.10.0 255.255.255.0
description LAN IPv4 Range
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network VPNRange
subnet 192.168.254.0 255.255.255.248
description VPN IPv4 Range
object network NETWORK_OBJ_192.168.254.0_29
subnet 192.168.254.0 255.255.255.248
object-group network obj_any
access-list CiscoVPNTunnel_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 object VPNRange
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool IPv4_VPN_Pool 192.168.254.1-192.168.254.6 mask 255.255.255.248
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static LANRange LANRange destination static VPNRange VPNRange
nat (inside,outside) source static LANRange LANRange destination static NETWORK_OBJ_192.168.254.0_29 NETWORK_OBJ_192.168.254.0_29
!
object network obj_any-01
nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 inside
http 188.203.234.103 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh 192.168.10.0 255.255.255.0 inside
ssh 188.203.234.103 255.255.255.255 outside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.10.101-192.168.10.130 inside
dhcpd dns 213.51.144.37 213.51.129.37 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 217.170.3.212 source outside
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 213.51.144.37 213.51.127.37
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
group-policy CiscoVPNTunnel internal
group-policy CiscoVPNTunnel attributes
dns-server value 213.51.144.37 213.51.129.37
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value CiscoVPNTunnel_splitTunnelAcl
username User1 password QJeyLmG4xl/d5Lt3OIfL3w== nt-encrypted privilege 0
username User1 attributes
vpn-group-policy DefaultRAGroup
username Remote password eNx0Dbm7JeyvNEkQ encrypted privilege 0
username Remote attributes
vpn-group-policy CiscoVPNTunnel
username Martijn password F6DATcUscJQ3RuX6 encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool IPv4_VPN_Pool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group CiscoVPNTunnel type remote-access
tunnel-group CiscoVPNTunnel general-attributes
address-pool IPv4_VPN_Pool
default-group-policy CiscoVPNTunnel
tunnel-group CiscoVPNTunnel ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
  inspect pptp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4eadfcc35a057112ffb05dca5a5bd886
: end

Labels:
0 Helpful
3 Replies 3

pudawat
Level 1
Level 1

‎11-05-2010 09:44 AM

Do this and check L2TP:

no crypto dynamic-map outside_dyn_map 20 set pfs group1

no crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA

Pradhuman

0 Helpful

Martijn.Best
Level 1
Level 1
In response to pudawat

‎11-05-2010 12:00 PM

Hello Pradhuman,

Thanks for the quick reply. I removed the old mapping and added the one you recommended, unfortunately when I tried to connect I received the same error message.

0 Helpful

Martijn.Best
Level 1
Level 1
In response to Martijn.Best

‎11-05-2010 02:09 PM

Think I found the solution, apparently crypto isakmp nat-traversal was disabled. I enabled it and the connection was established!

0 Helpful
Customers Also Viewed These Support Documents