03-19-2012 08:44 AM - edited 02-21-2020 05:57 PM
Hi,
I am trying to configure a Cisco 892 Integrated Service Router for IPsec xauth and L2TP/IPsec on the same interface. The config is currently for a test setup (test IPs, accounts, etc.), but it should go into a production setup.
If I reboot the router, I can only connect over L2TP/IPsec. Over IPsec xauth I get the message "Mar 19 14:59:19.807: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 10.28.100.3"
When I remove the line "crypto isakmp key keygeheim address 0.0.0.0 no-xauth", make an IPsec xauth connection and add the line again, everything works as it should. Why?
Maybe one of you can see something in this configuration
startup-config:
----------------------------------------------------------------------------------------------------------
Current configuration : 6368 bytes
!
! Last configuration change at 15:00:49 UTC Mon Mar 19 2012 by elvis
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname testvpn
!
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3079241446
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3079241446
 revocation-check none
 rsakeypair TP-self-signed-3079241446
!
!
crypto pki certificate chain TP-self-signed-3079241446
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326
  5BD8935C AAB214EA A12323A3
  0A8C3DF1 2B4F5ECE E2DC20C9 D00646
  quit
!
!
!
!
!
no ip domain lookup
ip domain name example.com
ip name-server 10.28.1.1
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip cef
no ipv6 cef
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
!
!
!
!
!
license udi pid CISCO892-K9 sn FCZ1543C1AQ
!
!
username elvis privilege 15 secret 5 geheim
username Tester password 0 geheim
!
!
!
!
!
ip ssh version 2
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 50
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key keygeheim address 0.0.0.0 no-xauth
crypto isakmp nat keepalive 20
crypto isakmp client configuration address-pool local vpnpool
!
crypto isakmp client configuration group MyGroup
 key 12345678
 dns 10.28.1.1 10.28.1.2
 save-password
!
!
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set aessha esp-aes 256 esp-sha-hmac
crypto ipsec transform-set l2tpconfig esp-3des esp-sha-hmac
 mode transport
!
!
!
crypto dynamic-map MyGroup 10
 set ip access-group vpntraffic in
 set transform-set aessha
 match address vpnlist
crypto dynamic-map MyGroup 20
 set ip access-group vpntraffic in
 set transform-set 3des-sha
 match address vpnlist
!
crypto dynamic-map l2tpconfig-map 30
 set nat demux
 set transform-set l2tpconfig
!
!
crypto map vpn client authentication list userauthen
crypto map vpn isakmp authorization list groupauthor
crypto map vpn client configuration address respond
crypto map vpn 998 ipsec-isakmp dynamic MyGroup
crypto map vpn 999 ipsec-isakmp dynamic l2tpconfig-map
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 spanning-tree portfast
!
interface FastEthernet1
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 no ip address
 spanning-tree portfast
!
interface FastEthernet3
 no ip address
 spanning-tree portfast
!
interface FastEthernet4
 no ip address
 spanning-tree portfast
!
interface FastEthernet5
 no ip address
 spanning-tree portfast
!
interface FastEthernet6
 no ip address
 spanning-tree portfast
!
interface FastEthernet7
 no ip address
 spanning-tree portfast
!
interface FastEthernet8
 ip address 10.28.1.97 255.255.255.0
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0
 peer default ip address pool vpnpool
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2
!
interface GigabitEthernet0
 description WAN Port
 ip address 10.28.100.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map vpn
!
interface Vlan1
 no ip address
 shutdown
!
ip local pool vpnpool 192.168.252.20 192.168.252.30
ip forward-protocol nd
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 0.0.0.0 0.0.0.0 10.28.1.100
!
ip access-list extended vpnlist
 permit ip any 192.168.252.0 0.0.0.255
ip access-list extended vpntraffic
 permit ip 192.168.252.0 0.0.0.255 10.28.1.0 0.0.0.255
!
no cdp run
!
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
banner login ^C
==================================================
Hostname: testvpn
Cisco 892 Integrated Service Router
Description: Test L2TP/IPsec and IPsec with xauth
==================================================
^C
!
line con 0
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
end
----------------------------------------------------------------------------------------------------------
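Whatever explains the reboot-only failure, the posted startup-config contains several settings a reviewer would flag before it goes into production: a pre-shared key accepted from any peer address with `no-xauth`, a static group key for `MyGroup` negotiated in IKE aggressive mode (the mode named in the log message), a type-0 user password with `no service password-encryption`, 3DES and DH group 2 in the ISAKMP policies, and Telnet plus plain HTTP for management. The script below is an added example written for this page, not part of the original post and not a Cisco tool. It parses IOS-style text (sub-commands indented by one space, as `show running-config` prints them) and reports those patterns. `SAMPLE_CONFIG` is a constructed excerpt of the config above with the indentation restored; the function names, the `Finding` type and the check identifiers are hypothetical.

```python
"""Audit a Cisco IOS running-config for weak remote-access VPN and management
settings. Hypothetical helper written for this page, not a Cisco tool."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str     # hypothetical check identifier
    line_no: int   # 1-based line number within the config text
    detail: str


def iter_commands(config: str):
    """Yield (line_no, parent, command). IOS indents sub-commands by one
    space under their parent command; lines starting with '!' are separators."""
    parent = None
    for no, raw in enumerate(config.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] != " ":
            parent = raw.strip()
            yield no, None, parent
        else:
            yield no, parent, raw.strip()


# "crypto isakmp key [0|6] <key> address 0.0.0.0 [0.0.0.0] [no-xauth]"
_WILDCARD_PSK = re.compile(
    r"crypto isakmp key (?:[06] )?(\S+) address 0\.0\.0\.0(?: 0\.0\.0\.0)?(.*)$")
_TYPE0_USER = re.compile(r"username (\S+) password 0 ")


def audit_ios_config(config: str) -> list[Finding]:
    """Return findings in config order; an empty list means nothing matched."""
    out: list[Finding] = []
    for no, parent, cmd in iter_commands(config):
        if cmd == "no service password-encryption":
            out.append(Finding("plaintext-config-secrets", no,
                               "type-0 passwords are stored in clear text in the config"))
        if m := _TYPE0_USER.match(cmd):
            out.append(Finding("plaintext-user-password", no,
                               f"user {m.group(1)} has a type-0 (clear-text) password"))
        if m := _WILDCARD_PSK.match(cmd):
            detail = "pre-shared key accepted from any peer address"
            if "no-xauth" in m.group(2):
                detail += "; no-xauth: Phase 1 completes without user authentication"
            out.append(Finding("wildcard-psk", no, detail))
        if cmd == "ip http server":
            out.append(Finding("cleartext-http-management", no,
                               "plain HTTP management enabled alongside HTTPS"))
        if parent is None:
            continue
        if parent.startswith("crypto isakmp policy") and cmd in ("encr 3des", "group 1", "group 2"):
            out.append(Finding("legacy-ike-policy", no, f"{parent}: {cmd}"))
        if parent.startswith("crypto isakmp client configuration group") and cmd.startswith("key "):
            out.append(Finding("group-psk-aggressive-mode", no,
                               f"{parent}: static group key; IOS negotiates these clients in "
                               "IKEv1 aggressive mode, so the responder's hash over the key is "
                               "sent before the peer is authenticated and can be guessed offline"))
        if parent.startswith("line vty") and cmd.startswith("transport input") \
                and "telnet" in cmd.split():
            out.append(Finding("telnet-management", no, f"{parent}: {cmd}"))
    return out


def counts(findings: list[Finding]) -> dict[str, int]:
    """Number of findings per check identifier."""
    c: dict[str, int] = {}
    for f in findings:
        c[f.check] = c.get(f.check, 0) + 1
    return c


# Constructed excerpt of the posted config, indentation restored.
SAMPLE_CONFIG = """\
no service password-encryption
!
username elvis privilege 15 secret 5 geheim
username Tester password 0 geheim
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key keygeheim address 0.0.0.0 no-xauth
!
crypto isakmp client configuration group MyGroup
 key 12345678
 dns 10.28.1.1 10.28.1.2
 save-password
!
ip http server
ip http secure-server
!
line vty 0 4
 access-class 23 in
 transport input telnet ssh
"""

if __name__ == "__main__":
    for f in audit_ios_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:3d}  {f.check:28s} {f.detail}")
```

Two of the findings bear directly on the line the poster removes and re-adds. With `crypto isakmp key keygeheim address 0.0.0.0 no-xauth`, any peer that knows `keygeheim` can complete Phase 1 from any source address with no user authentication, so the key protects the L2TP/IPsec tunnel only as well as it is kept secret. The `MyGroup` key `12345678` is exposed to offline guessing by anyone who sends the group name, because aggressive mode returns the responder's hash before the client proves anything. On IOS, ISAKMP profiles with keyrings let the L2TP/IPsec peers and the xauth client group be matched explicitly instead of through one wildcard key; the script is a check, not a fix, and does not determine the cause of the reboot behaviour.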