l2tp and vpnclient?

dimensyssrl (Level 1)

Hello.

We have had an ASA 5510 up and running for 2 years, with many VPN clients configured.

Now we also want to enable L2TP.

I've followed this guide:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc7540.shtml

At the end of the configuration steps (I've also upgraded to 8.2.5 as required), L2TP VPNs work properly, but the VPN clients don't work anymore.

I've removed the L2TP crypto map entry from the configuration, and now the VPN clients work again.

I've tried to insert the L2TP transform set (3des/sha/transport) into dynamic entry 65535, but L2TP still doesn't work.

The crypto map configuration is now:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set L2TP-TS ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

If I configure

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set transform-set L2TP-TS
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

then L2TP works, but the VPN clients don't.

Has anyone successfully configured both VPNs on the same ASA?

Thanks

Daniele

2 Replies

Hi Daniele,

If I recall, this should work with:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set L2TP-TS ESP-AES-128-SHA

What error does the client report?

Any Phase II debugging? debug crypto ipsec 190

Thanks.

Portu.

Thanks for your suggestion, but it doesn't work.

I've enabled debugging; the error follows:

Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 500

Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, Oakley proposal is acceptable

Oct 26 2012 10:36:05: %ASA-7-715049: IP = 217.200.185.232, Received NAT-Traversal RFC VID

Oct 26 2012 10:36:05: %ASA-7-715049: IP = 217.200.185.232, Received NAT-Traversal ver 03 VID

Oct 26 2012 10:36:05: %ASA-7-715049: IP = 217.200.185.232, Received NAT-Traversal ver 02 VID

Oct 26 2012 10:36:05: %ASA-7-715049: IP = 217.200.185.232, Received Fragmentation VID

Oct 26 2012 10:36:05: %ASA-7-715064: IP = 217.200.185.232, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False

Oct 26 2012 10:36:05: %ASA-7-715049: IP = 217.200.185.232, Received DPD VID

Oct 26 2012 10:36:05: %ASA-7-715028: IP = 217.200.185.232, IKE SA Proposal # 1, Transform # 5 acceptable  Matches global IKE entry # 1

Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124

Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 228

Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, computing NAT Discovery hash

Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, computing NAT Discovery hash

Oct 26 2012 10:36:05: %ASA-7-715048: IP = 217.200.185.232, Send IOS VID

Oct 26 2012 10:36:05: %ASA-7-715038: IP = 217.200.185.232, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)

Oct 26 2012 10:36:05: %ASA-7-715048: IP = 217.200.185.232, Send Altiga/Cisco VPN3000/Cisco ASA GW VID

Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, computing NAT Discovery hash

Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, computing NAT Discovery hash

Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, Connection landed on tunnel_group DefaultRAGroup

Oct 26 2012 10:36:05: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, Generating keys for Responder...

Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304

Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NOTIFY (11) + NONE (0) total length : 92

Oct 26 2012 10:36:05: %ASA-7-714011: Group = DefaultRAGroup, IP = 217.200.185.232, ID_IPV4_ADDR ID received

Oct 26 2012 10:36:05: %ASA-7-715076: Group = DefaultRAGroup, IP = 217.200.185.232, Computing hash for ISAKMP

Oct 26 2012 10:36:05: %ASA-6-713172: Group = DefaultRAGroup, IP = 217.200.185.232, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device

Oct 26 2012 10:36:05: %ASA-7-713906: IP = 217.200.185.232, Connection landed on tunnel_group DefaultRAGroup

Oct 26 2012 10:36:05: %ASA-7-715076: Group = DefaultRAGroup, IP = 217.200.185.232, Computing hash for ISAKMP

Oct 26 2012 10:36:05: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84

Oct 26 2012 10:36:05: %ASA-5-713119: Group = DefaultRAGroup, IP = 217.200.185.232, PHASE 1 COMPLETED

Oct 26 2012 10:36:05: %ASA-7-713121: IP = 217.200.185.232, Keep-alive type for this connection: DPD

Oct 26 2012 10:36:05: %ASA-7-715080: Group = DefaultRAGroup, IP = 217.200.185.232, Starting P1 rekey timer: 2700 seconds.

Oct 26 2012 10:36:05: %ASA-7-720041: (VPN-Primary) Sending New Phase 1 SA message (type RA, remote addr 217.200.185.232, my cookie 1EE358C2, his cookie 591DEF02) to standby unit

Oct 26 2012 10:36:06: %ASA-7-714003: IP = 217.200.185.232, IKE Responder starting QM: msg id = d148be4a

Oct 26 2012 10:36:06: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE RECEIVED Message (msgid=d148be4a) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NAT-OA (131) + NAT-OA (131) + NONE (0) total length : 304

Oct 26 2012 10:36:06: %ASA-7-714011: Group = DefaultRAGroup, IP = 217.200.185.232, ID_IPV4_ADDR ID received

Oct 26 2012 10:36:06: %ASA-7-713025: Group = DefaultRAGroup, IP = 217.200.185.232, Received remote Proxy Host data in ID Payload:  Address 10.170.18.159, Protocol 17, Port 58636

Oct 26 2012 10:36:06: %ASA-7-714011: Group = DefaultRAGroup, IP = 217.200.185.232, ID_IPV4_ADDR ID received

Oct 26 2012 10:36:06: %ASA-7-713024: Group = DefaultRAGroup, IP = 217.200.185.232, Received local Proxy Host data in ID Payload:  Address 89.96.154.130, Protocol 17, Port 1701

Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, L2TP/IPSec session detected.

Oct 26 2012 10:36:06: %ASA-7-720041: (VPN-Primary) Sending Phase 1 Rcv Delete message (type RA, remote addr 217.200.185.232, my cookie 1EE358C2, his cookie 591DEF02) to standby unit

Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, QM IsRekeyed old sa not found by addr

Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 1...

Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130

Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 2...

Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 2, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130

Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 3...

Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 3, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130

Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 4...

Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 4, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130

Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 5...

Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 5, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130

Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 6...

Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 6, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130

Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 7...

Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 7, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130

Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 8...

Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 8, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130

Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 9...

Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 9, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130

Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 10...

Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 10, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130

Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 11...

Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 11, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130

Oct 26 2012 10:36:06: %ASA-7-713221: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, checking map = outside_map, seq = 12...

Oct 26 2012 10:36:06: %ASA-7-713222: Group = DefaultRAGroup, IP = 217.200.185.232, Static Crypto Map check, map = outside_map, seq = 12, ACL does not match proxy IDs src:217.200.185.232 dst:89.96.154.130

Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal

Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal

Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal

Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal

Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal

Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal

Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal

Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal

Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal

Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal

Oct 26 2012 10:36:06: %ASA-7-715059: Group = DefaultRAGroup, IP = 217.200.185.232, Selecting only UDP-Encapsulated-Tunnel and  UDP-Encapsulated-Transport modes defined by NAT-Traversal

Oct 26 2012 10:36:06: %ASA-7-713066: Group = DefaultRAGroup, IP = 217.200.185.232, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP

Oct 26 2012 10:36:06: %ASA-5-713904: Group = DefaultRAGroup, IP = 217.200.185.232, All IPSec SA proposals found unacceptable!

Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, sending notify message

Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, constructing ipsec notify payload for msg id d148be4a

Oct 26 2012 10:36:06: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE SENDING Message (msgid=949acedb) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Oct 26 2012 10:36:06: %ASA-3-713902: Group = DefaultRAGroup, IP = 217.200.185.232, QM FSM error (P2 struct &0xd8819da8, mess id 0xd148be4a)!

Oct 26 2012 10:36:06: %ASA-7-715065: Group = DefaultRAGroup, IP = 217.200.185.232, IKE QM Responder FSM error history (struct &0xd8819da8)  , :  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH

Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, sending delete/delete with reason message

Oct 26 2012 10:36:06: %ASA-3-713902: Group = DefaultRAGroup, IP = 217.200.185.232, Removing peer from correlator table failed, no match!

Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, IKE SA MM:1ee358c2 rcv'd Terminate: state MM_ACTIVE  flags 0x00010042, refcnt 1, tuncnt 0

Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, IKE SA MM:1ee358c2 terminating:  flags 0x01010002, refcnt 0, tuncnt 0

Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, sending delete/delete with reason message

Oct 26 2012 10:36:06: %ASA-7-713236: IP = 217.200.185.232, IKE_DECODE SENDING Message (msgid=ce2eb537) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80

Oct 26 2012 10:36:06: %ASA-5-713259: Group = DefaultRAGroup, IP = 217.200.185.232, Session is being torn down. Reason: Phase 2 Mismatch

Oct 26 2012 10:36:06: %ASA-4-113019: Group = DefaultRAGroup, Username = , IP = 217.200.185.232, Session disconnected. Session Type: IKE, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
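The debug output above is the kind of thing an operator has to read by hand to see that a Phase 2 mismatch hit an L2TP/IPsec peer. The following Python is an added example, not code from the thread or from Cisco: it parses ASA IKE debug lines by message id, groups them per peer, and turns the proxy IDs (UDP/1701), the crypto map the peer landed on and the 713904 rejection into a one-line triage hint. The sample lines are a constructed subset of the debug output quoted above; the hint text is this example's own wording.

```python
import re
from collections import defaultdict
# ASA syslog header "%ASA-<severity>-<msgid>: <body>"; peer and tunnel-group fields live inside the body
ASA_RE = re.compile(r"%ASA-(\d)-(\d+):\s*(.*)$")
PEER_RE = re.compile(r"IP = (\d+\.\d+\.\d+\.\d+)")
GROUP_RE = re.compile(r"Group = ([^,]+),")
PROXY_RE = re.compile(r"Received (remote|local) Proxy Host data .*Address (\S+), Protocol (\d+), Port (\d+)")
MAP_RE = re.compile(r"configured for crypto map: (\S+)")
REASON_RE = re.compile(r"Reason: (.+)$")

def triage_phase2(lines):
    """Group ASA IKE debug lines by peer IP and collect what is needed to explain a Phase 2 failure."""
    peers = defaultdict(lambda: {"group": None, "l2tp": False, "proxies": {},
                                 "crypto_map": None, "proposals_rejected": False, "reason": None})
    for line in lines:
        m = ASA_RE.search(line)
        ip = PEER_RE.search(m.group(3)) if m else None
        if not ip:
            continue
        msgid, body, p = m.group(2), m.group(3), peers[ip.group(1)]
        if (g := GROUP_RE.search(body)):
            p["group"] = g.group(1)
        if msgid == "713906" and "L2TP/IPSec session detected" in body:
            p["l2tp"] = True                     # the peer is an L2TP-over-IPsec client
        elif msgid in ("713024", "713025") and (pm := PROXY_RE.search(body)):
            p["proxies"][pm.group(1)] = (pm.group(2), int(pm.group(3)), int(pm.group(4)))
        elif msgid == "713066" and (mm := MAP_RE.search(body)):
            p["crypto_map"] = mm.group(1)        # the dynamic map the peer finally landed on
        elif msgid == "713904":
            p["proposals_rejected"] = True       # "All IPSec SA proposals found unacceptable!"
        elif msgid in ("713259", "113019") and (rm := REASON_RE.search(body)):
            p["reason"] = rm.group(1).strip()
    return dict(peers)

def diagnose(p):
    """Turn one peer's summary into a one-line hint for the operator."""
    local = p["proxies"].get("local")
    if p["proposals_rejected"] and p["l2tp"] and local and local[1:] == (17, 1701):
        return (f"L2TP/IPsec peer (proxy UDP/1701) rejected every proposal in {p['crypto_map']}: "
                "check that a transport-mode transform set is among the sets that map entry offers")
    return p["reason"] or "no Phase 2 failure seen"

# Constructed sample: six of the debug lines from the thread above, message ids and fields unchanged
SAMPLE = """Oct 26 2012 10:36:06: %ASA-7-713025: Group = DefaultRAGroup, IP = 217.200.185.232, Received remote Proxy Host data in ID Payload:  Address 10.170.18.159, Protocol 17, Port 58636
Oct 26 2012 10:36:06: %ASA-7-713024: Group = DefaultRAGroup, IP = 217.200.185.232, Received local Proxy Host data in ID Payload:  Address 89.96.154.130, Protocol 17, Port 1701
Oct 26 2012 10:36:06: %ASA-7-713906: Group = DefaultRAGroup, IP = 217.200.185.232, L2TP/IPSec session detected.
Oct 26 2012 10:36:06: %ASA-7-713066: Group = DefaultRAGroup, IP = 217.200.185.232, IKE Remote Peer configured for crypto map: SYSTEM_DEFAULT_CRYPTO_MAP
Oct 26 2012 10:36:06: %ASA-5-713904: Group = DefaultRAGroup, IP = 217.200.185.232, All IPSec SA proposals found unacceptable!
Oct 26 2012 10:36:06: %ASA-5-713259: Group = DefaultRAGroup, IP = 217.200.185.232, Session is being torn down. Reason: Phase 2 Mismatch""".splitlines()
```

Feed it the full `debug crypto ipsec` capture (one line per entry) and it reports per peer, so an ASA serving both VPN clients and L2TP peers shows which kind of peer is failing Phase 2 and on which map.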