Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2002
Views
0
Helpful
2
Replies

L2TP Client set up in PIX 501

bachma0507
Level 1
Level 1

‎04-08-2011 12:35 PM

I'm trying to setup a L2TP over IPSEC vpn connection on a PIX 501 that will use key sharing. In addition, I have a PPTP connection setup which allows connectivity. Two things, the L2TP vpn client I am using does not connect and times out. The second is that the PPTP client I use does connect, but cannot ping any resources on the network.

The config on the PIX is below:

Building configuration...

: Saved

:

PIX Version 6.3(3)

interface ethernet0 auto

interface ethernet1 100full

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password tdkuTUSh53d2MT6B encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname attdslpix2

domain-name mycompany.com

clock timezone EST -5

clock summer-time EDT recurring

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

access-list inside_outbound_nat0_acl permit ip any 172.26.5.192 255.255.255.248

access-list outside_access_in permit udp any any eq 4500

access-list outside_access_in permit udp any any eq isakmp

access-list outside_access_in permit icmp any any

access-list splittunnel permit ip 172.26.0.0 255.255.0.0 172.26.0.0 255.255.0.0

access-list TLC_splitTunnelAcl permit ip 172.26.0.0 255.255.0.0 any

pager lines 24

logging on

logging standby

mtu outside 1500

mtu inside 1500

ip address outside 70.x.x.x 255.255.255.248

ip address inside 172.26.0.249 255.255.0.0

ip verify reverse-path interface outside

ip audit info action alarm

ip audit attack action alarm

ip local pool pptp-client-ip 172.26.5.195-172.26.5.199

ip local pool l2tp-client-ip 172.26.7.100-172.26.7.199

pdm location 172.26.5.192 255.255.255.248 outside

pdm logging alerts 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

route outside 0.0.0.0 0.0.0.0 70.x.x.y 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 172.26.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

sysopt connection permit-ipsec

sysopt connection permit-pptp

sysopt connection permit-l2tp

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

crypto dynamic-map l2tp 30 set transform-set TRANS_ESP_3DES_SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map map1 30 ipsec-isakmp dynamic l2tp

crypto map map1 interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp nat-traversal 20

isakmp policy 5 authentication pre-share

isakmp policy 5 encryption 3des

isakmp policy 5 hash sha

isakmp policy 5 group 2

isakmp policy 5 lifetime 86400

isakmp policy 10 authentication rsa-sig

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 1

isakmp policy 10 lifetime 86400

vpngroup TLC address-pool pptp-client-ip

vpngroup TLC dns-server 172.26.0.250 172.26.0.251

vpngroup TLC split-tunnel splittunnel

vpngroup TLC idle-time 1800

vpngroup TLC password ********

telnet 172.26.0.0 255.255.0.0 inside

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

management-access inside

console timeout 0

vpdn group PPTP-VPDN-GROUP accept dialin pptp

vpdn group PPTP-VPDN-GROUP ppp authentication chap

vpdn group PPTP-VPDN-GROUP ppp authentication mschap

vpdn group PPTP-VPDN-GROUP ppp encryption mppe auto required

vpdn group PPTP-VPDN-GROUP client configuration address local pptp-client-ip

vpdn group PPTP-VPDN-GROUP client configuration dns 172.26.0.250 172.26.0.251

vpdn group PPTP-VPDN-GROUP pptp echo 60

vpdn group PPTP-VPDN-GROUP client authentication local

vpdn group L2TP-VPDN-GROUP accept dialin l2tp

vpdn group L2TP-VPDN-GROUP ppp authentication pap

vpdn group L2TP-VPDN-GROUP client configuration address local l2tp-client-ip

vpdn group L2TP-VPDN-GROUP client configuration dns 172.26.0.250 172.26.0.251

vpdn group L2TP-VPDN-GROUP client configuration wins 172.26.0.250 172.26.0.251

vpdn group L2TP-VPDN-GROUP client authentication local

vpdn group L2TP-VPDN-GROUP l2tp tunnel hello 60

vpdn username user1 password *********

vpdn username user2 password *********

vpdn enable outside

vpdn enable inside

dhcpd address 172.26.5.100-172.26.5.130 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

terminal width 80

Cryptochecksum:007a9f1d72e4f1d3bb75c4e68525eb30

: end

[OK]

Labels:
0 Helpful
2 Replies 2

Jennifer Halim
Cisco Employee
Cisco Employee

‎04-09-2011 07:01 PM

For the IP Pools, please configure subnet which is unique, ie: is not  part of your internal subnet. Currently your internal subnet is  172.26.0.0/16, and the

IP Pool subnet is in the same major subnet as your internal subnet.

Please change it to other unique subnet, eg: 192.168.5.0/24 for example.

Once you change that accordingly, you would need to change the following 2 ACL too accordingly to the new pool subnet:

access-list splittunnel permit ip 172.26.0.0 255.255.0.0 172.26.0.0 255.255.0.0

access-list inside_outbound_nat0_acl permit ip any 172.26.5.192 255.255.255.248

For example, if you change the pool to 192.168.5.0/24:

access-list splittunnel permit ip 172.26.0.0 255.255.0.0 192.168.5.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip 172.26.0.0 255.255.0.0 192.168.5.0 255.255.255.0

PPTP user should be able to access the internal resources after the above changes.

For the L2TP over IPSec, please kindly advise where it's failing by  running debugs (as we need to determine whether it's failing on IPSec  Phase 1 (ISAKMP), or IPSec Phase 2 (IPSec) or L2TP since it's L2TP over  IPsec, the IPSec tunnel needs to be up first before L2TP connection):

debug cry isa

debug cry ipsec

Also "show cry isa sa" and "show cry ipsec sa".

0 Helpful

bachma0507
Level 1
Level 1
In response to Jennifer Halim

‎04-13-2011 09:56 AM

I am now using an ASA 5505 and not the PIX 501 for L2TP vpn client access. The ASA 5505 works fine. Thanks.

0 Helpful
Customers Also Viewed These Support Documents