07-08-2011 06:16 AM
Hi,
I have configure L2TP vpn using ASDM and now i am not able to connect my Cisco ASA 5505.
it's showing error message
3 | Jul 07 2011 | 18:57:38 | IP = *.*.*.*, Error processing payload: Payload ID: 1 |
Please suggest me how to solve this problem (Using ASDM)
Thanks
Solved! Go to Solution.
07-12-2011 01:53 AM
Hi Nikhil,
Your config seems incomplete, command " vpn-tunnel-protocol IPSec l2tp-ipsec" is missing, which is required for L2tp connection. Try to reconfigure your firewall using following link:-
http://www.cisco.com/en/US/customer/docs/security/asa/asa80/configuration/guide/l2tp_ips.html
Hope this helps,
Parminder Sian
07-13-2011 03:54 AM
Nikhil,
According to me config should look like following, in your config, I dont see any crypto maps:-
ip local pool sales_addresses x.x.x.x-x.x.x.x
group-policy sales_policy internal
group-policy sales_policy attributes
vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
default-group-policy sales_policy
address-pool sales_addresses
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
authentication ms-chap-v2
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic-map dyno 10 set transform-set set trans
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Try the following config.
Parminder Sian
07-12-2011 12:04 AM
Hi ,
Usually this mesesage comes up for IPSEC VPN tunnel when isakmp policies do not match. Here's a link for your referance.
Can we have a look at the config?
Parminder Sian
07-12-2011 12:47 AM
Hello Parmindar,
I am sending my firewall configuration.
I have configure this firewall using ASDM. So can you please guide me through ASDM.
or suggest me cli configuration.
Thanks,
Nikhil.
Result of the command: "show startup config"
show startup config
^
ERROR: % Invalid input detected at '^' marker.
Result of the command: "show startu"
: Saved
: Written by enable_15 at 12:26:07.115 IST Tue Jul 12 2011
!
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name ******.net
enable password 9p9RlVCQln.VPpnz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
dns-guard
!
interface Ethernet0/0
switchport access vlan 337
switchport trunk allowed vlan 337
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 20
!
interface Vlan1
nameif inside
security-level 50
ip address 10.0.0.1 255.255.255.0
!
interface Vlan20
nameif DMZ
security-level 50
ip address 172.16.0.1 255.255.0.0
!
interface Vlan337
nameif outside
security-level 0
ip address Router-Outside 255.255.255.252
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone IST 5 30
dns domain-lookup inside
dns server-group DefaultDNS
name-server Sg-dc1-int
name-server *.*.*.*
name-server *.*.*.*
name-server *.*.*.*
domain-name spheregen.net
same-security-traffic permit inter-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list inside_access_out extended permit gre any any
access-list inside_access_out extended permit tcp any any eq pptp
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit object-group TCPUDP any host epost-ext eq www
access-list outside_access_in extended permit ip 10.0.0.0 255.255.255.0 any
access-list outside_access_in remark outside to DMZ access
access-list outside_access_in extended permit ip any interface DMZ
access-list outside_access_out extended permit gre any any
access-list outside_access_out extended permit tcp any any eq pptp
access-list outside_access_out extended permit ip interface outside any
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 any
access-list inside_access_in remark inside to DMZ access
access-list inside_access_in extended permit ip interface inside interface DMZ
access-list inside_access_in extended permit tcp any any eq pptp
access-list inside_access_in extended permit gre any any
access-list DMZ_access_in remark DMZ to inside access
access-list DMZ_access_in extended permit ip interface DMZ interface inside
access-list inside_nat0_outbound extended permit ip any 192.168.40.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255.0
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
ip local pool vpnpool 192.168.40.1-192.168.40.254 mask 255.255.255.0
ip local pool vpnpool2 192.168.50.1-192.168.50.200 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-643.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.255.0
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group DMZ_access_in in interface DMZ
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 *.*.*.*
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns Sg-dc1-int 10.0.0.2 interface inside
!
dhcpd dns Sg-dc1-int 202.54.10.2 interface outside
!
dhcprelay server 10.0.0.2 inside
dhcprelay server Sg-dc1-int inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
enable outside
group-policy DfltGrpPolicy attributes
dns-server value *.*.*.* *.*.*.*
default-domain value .net
username test1 password qs0S0nyHysj8C4U4rtbwWA== nt-encrypted
tunnel-group DefaultRAGroup general-attributes
address-pool vpnpool2
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 3600 retry 2
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
class-map Unblock
match access-list inside_mpc_1
class-map type inspect http match-all BlockDomainsClass
match request header host regex class DomainBlockList
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all AppHeaderClass
match response header regex contenttype regex applicationheader
class-map httptraffic
match access-list inside_mpc
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
match request method connect
drop-connection log
class AppHeaderClass
drop-connection log
class BlockDomainsClass
reset log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
policy-map inside-policy
class Unblock
inspect http
class httptraffic
inspect http http_inspection_policy
!
service-policy global_policy global
service-policy inside-policy interface inside
smtp-server 10.0.0.9
prompt hostname
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ee3e6d0eefe95b0f7f4986120f30c3f2
07-12-2011 01:53 AM
Hi Nikhil,
Your config seems incomplete, command " vpn-tunnel-protocol IPSec l2tp-ipsec" is missing, which is required for L2tp connection. Try to reconfigure your firewall using following link:-
http://www.cisco.com/en/US/customer/docs/security/asa/asa80/configuration/guide/l2tp_ips.html
Hope this helps,
Parminder Sian
07-13-2011 03:22 AM
Hi Parmindar,
I have configure ASA using CLI.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/l2tp_ips.html
and its still showing error. I hv 8.2 ios on ASA.
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name spheregen.net
enable password 9p9RlVCQln.VPpnz encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
!
interface Ethernet0/0
switchport access vlan 337
switchport trunk allowed vlan 337
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 20
!
interface Vlan1
nameif inside
security-level 50
ip address 10.0.0.1 255.255.255.0
!
interface Vlan20
nameif DMZ
security-level 50
ip address 172.16.0.1 255.255.0.0
!
interface Vlan337
nameif outside
security-level 0
ip address Router-Outside 255.255.255.252
ftp mode passive
clock timezone IST 5 30
dns domain-lookup inside
dns server-group DefaultDNS
name-server Sg-dc1-int
name-server 121.242.190.211
name-server 202.54.10.2
name-server 202.144.10.50
domain-name spheregen.net
same-security-traffic permit inter-interface
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network Trusted-Users
network-object host Ashish-Machine
network-object host Ani-Machine
network-object host Anija-Machine
network-object host Mathew-Machine
network-object host tfs2008-int
network-object host SMTPServer-int
network-object host Sg-dc1-int
network-object host Ani2-Machine
network-object host Utkarsh-Machine
object-group service SMTP-MSOnline tcp
port-object eq 587
object-group service TFSPorts tcp
port-object eq 8080
port-object eq www
object-group service RDP tcp
port-object eq 3389
access-list inside_access_out extended permit gre any any
access-list inside_access_out extended permit tcp any any eq pptp
access-list inside_access_out extended permit object-group TCPUDP any host epost
-int eq www
access-list outside_access_in extended permit gre any any
access-list outside_access_in extended permit tcp any any eq pptp
access-list outside_access_in extended permit tcp any host Development-ext objec
t-group RDP inactive
access-list outside_access_in extended permit object-group TCPUDP any host tfs20
08-ext eq www
access-list outside_access_in remark outside to DMZ access
access-list outside_access_in extended permit ip any interface DMZ
access-list outside_access_out extended permit gre any any
access-list outside_access_out extended permit tcp any any eq pptp
access-list outside_access_out extended permit tcp any any object-group SMTP-MSO
nline
access-list outside_access_out extended permit tcp host tfs2008-int any object-g
roup SMTP-MSOnline
access-list outside_access_out extended permit tcp host SMTPServer-int any objec
t-group SMTP-MSOnline
access-list outside_access_out extended permit ip interface outside any
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 any
access-list inside_access_in remark inside to DMZ access
access-list inside_access_in extended permit ip interface inside interface DMZ
access-list inside_access_in extended permit tcp any any eq pptp
access-list inside_access_in extended permit gre any any
access-list inside_mpc extended permit object-group TCPUDP any any eq www
access-list inside_mpc_1 extended permit object-group TCPUDP object-group Truste
d-Users any eq www
access-list inside_mpc_1 extended permit tcp object-group Trusted-Users any eq h
ttps
access-list DMZ_access_in remark DMZ to inside access
access-list DMZ_access_in extended permit ip interface DMZ interface inside
access-list inside_nat0_outbound extended permit ip any 192.168.50.0 255.255.255
.192
pager lines 24
logging enable
logging asdm warnings
logging from-address noreply@cisco.com
logging recipient-address ni@cisco.com level errors
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
ip local pool vpn-pool 192.168.50.1-192.168.50.60 mask 255.255.255.0
ip verify reverse-path interface inside
ip verify reverse-path interface DMZ
ip verify reverse-path interface outside
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-643.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.0.0.0 255.255.255.0
static (inside,outside) epost-ext epost-int netmask 255.255.255.255 dns
static (inside,outside) timesheet-ext timesheet-int netmask 255.255.255.255 dns
static (inside,outside) tfs2008-ext tfs2008-int netmask 255.255.255.255 dns
static (inside,outside) tfs2010-ext tfs2010-int netmask 255.255.255.255
static (inside,outside) Development-ext Development-int netmask 255.255.255.255
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group DMZ_access_in in interface DMZ
access-group outside_access_in in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 121.241.66.218 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection preserve-vpn-flows
sysopt noproxyarp inside
sysopt noproxyarp outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set my-transform-set esp-des esp-sha-hmac
crypto ipsec transform-set my-transform-set mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto isakmp nat-traversal 1500
no vpn-addr-assign dhcp
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
l2tp tunnel hello 100
dhcpd dns Sg-dc1-int 10.0.0.2 interface inside
!
dhcpd dns Sg-dc1-int 202.54.10.2 interface outside
!
dhcprelay server 10.0.0.2 inside
dhcprelay server Sg-dc1-int inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 averag
e-rate 200
webvpn
enable outside
group-policy DfltGrpPolicy attributes
dns-server value *.*.*.* *.*.*.*
vpn-idle-timeout none
vpn-tunnel-protocol l2tp-ipsec
default-domain value spheregen.net
username test1 password qs0S0nyHysj8C4U4rtbwWA== nt-encrypted
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 3600 retry 2
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group sales-tunnel type remote-access
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map type inspect http http_inspection_policy
parameters
protocol-violation action drop-connection
match request method connect
drop-connection log
class AppHeaderClass
drop-connection log
class BlockDomainsClass
reset log
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect pptp
policy-map inside-policy
class Unblock
inspect http
class httptraffic
inspect http http_inspection_policy
!
service-policy global_policy global
service-policy inside-policy interface inside
smtp-server 10.0.0.9
prompt hostname
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DD
CEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f22458f824bb5a517918a8998b594b46
ciscoasa#
ciscoasa# show crypto isakmp sa
There are no isakmp sas
07-13-2011 03:54 AM
Nikhil,
According to me config should look like following, in your config, I dont see any crypto maps:-
ip local pool sales_addresses x.x.x.x-x.x.x.x
group-policy sales_policy internal
group-policy sales_policy attributes
vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
default-group-policy sales_policy
address-pool sales_addresses
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
authentication ms-chap-v2
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto dynamic-map dyno 10 set transform-set set trans
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Try the following config.
Parminder Sian
07-13-2011 11:06 PM
vpn is working fine.
thanks parminder.
07-14-2011 11:38 PM
problem is solved
05-27-2021 11:05 AM - edited 05-27-2021 11:05 AM
Why is the L2TP relying only on the 3DES policy which is the weakest?
Is there any other option to make it connect to a stronger policy?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide