L2TP/IPSec on Cisco IOS 15

bogdan.sass
Level 1

I am trying to configure an L2TP/IPSec remote access VPN on a Cisco 2901. I'm using what is pretty much a copy/paste of a config that is working just fine on an older router (a 2811). However, it seems I'm missing something - I can see the IPSec negotiating properly, but the L2TP tunnel simply does not trigger after that (there is no L2TP-related output).

See below for the final lines of the debug (I didn't post the entire debug to save space, but I can do that if you believe it is necessary). Notice that the phase 2 SAs come up, and then... there's only silence.

The other end of the connection is a laptop with Win7 x64, on which I get error 809 ("The connection could not be established because the remote server is not responding").

The router (2901) is running IOS 15.4(1)T. As far as I know, there is no packet filtering between the client and the server. And with very little documentation on Cisco's website regarding L2TP on IOS, I'm at a loss.

Can anyone point me in the right direction?

Thank you!

lab#sh deb
L2TP:
  L2TP packet events debugging is on
  L2TP packet errors debugging is on
  L2TP errors debugging is on
  L2TP events debugging is on
  L2TP L2TUN socket API debugging is on
  L2TP application debugs debugging is on
VPN:
  L2TP/PPTP control packet debugging is on
  VPDN call event debugging is on
  VPDN events debugging is on
Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto IPSEC debugging is on

Dec 16 16:31:59.628 EET: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 10.1.120.100:0, remote= 192.168.13.232:0,
    local_proxy= 10.1.120.100/255.255.255.255/17/1701,
    remote_proxy= 192.168.13.232/255.255.255.255/17/1701,
    protocol= ESP, transform= NONE  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Dec 16 16:32:00.264 EET: (ipsec_process_proposal)Map Accepted: CM_DYN_L2TP_IPSEC, 10
Dec 16 16:32:00.264 EET: ISAKMP:(1019): processing NONCE payload. message ID = 1
Dec 16 16:32:00.264 EET: ISAKMP:(1019): processing ID payload. message ID = 1
Dec 16 16:32:00.264 EET: ISAKMP:(1019): processing ID payload. message ID = 1
Dec 16 16:32:00.264 EET: ISAKMP:(1019):QM Responder gets spi
Dec 16 16:32:00.264 EET: ISAKMP:(1019):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Dec 16 16:32:00.264 EET: ISAKMP:(1019):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
Dec 16 16:32:00.264 EET: ISAKMP:(1019):Node 1, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Dec 16 16:32:00.264 EET: ISAKMP:(1019):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_IPSEC_INSTALL_AWAIT
Dec 16 16:32:00.268 EET: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec 16 16:32:00.268 EET: IPSEC(crypto_ipsec_create_ipsec_sas): Map found CM_DYN_L2TP_IPSEC, 10
Dec 16 16:32:00.268 EET: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.1.120.100, sa_proto= 50,
    sa_spi= 0xE4F4E622(3841254946),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2063
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= 10.1.120.100:0, remote= 192.168.13.232:0,
    local_proxy= 10.1.120.100/255.255.255.255/17/1701,
    remote_proxy= 192.168.13.232/255.255.255.255/17/1701
Dec 16 16:32:00.268 EET: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.13.232, sa_proto= 50,
    sa_spi= 0xA3E0AD04(2749410564),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2064
    sa_lifetime(k/sec)= (250000/3600),
  (identity) local= 10.1.120.100:0, remote= 192.168.13.232:0,
    local_proxy= 10.1.120.100/255.255.255.255/17/1701,
    remote_proxy= 192.168.13.232/255.255.255.255/17/1701
Dec 16 16:32:00.268 EET:  ISAKMP: Failed to find peer index node to update peer_info_list
Dec 16 16:32:00.268 EET: ISAKMP:(1019):Received IPSec Install callback... proceeding with the negotiation
Dec 16 16:32:00.276 EET: ISAKMP:(1019): sending packet to 192.168.13.232 my_port 500 peer_port 500 (R) QM_IDLE
Dec 16 16:32:00.276 EET: ISAKMP:(1019):Sending an IKE IPv4 Packet.
Dec 16 16:32:00.280 EET: ISAKMP:(1019):Node 1, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
Dec 16 16:32:00.280 EET: ISAKMP:(1019):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
Dec 16 16:32:00.284 EET: ISAKMP (1019): received packet from 192.168.13.232 dport 500 sport 500 Global (R) QM_IDLE
Dec 16 16:32:00.284 EET: ISAKMP:(1019):deleting node 1 error FALSE reason "QM done (await)"
Dec 16 16:32:00.284 EET: ISAKMP:(1019):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Dec 16 16:32:00.284 EET: ISAKMP:(1019):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
virt-gw.lab#
Dec 16 16:32:00.284 EET: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec 16 16:32:00.284 EET: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Dec 16 16:32:00.284 EET: IPSEC: Expand action denied, notify RP

4 Replies

Matthew Millman
Level 1

I've just hit this too. I had config that was working fine on IOS15 (on a 1941) about a year ago, I come to try it again now and...

nada. Nothing. IPSEC comes up just fine but as for anything above it, no debug output whatsoever and I also see the same 809 error from Windows.

Will let you know if I figure it out...

Okay, almost as quickly as I've asked it, I've answered it (in my case):

I had this:

crypto dynamic-map l2tp-map 10
 set nat demux
 set transform-set ts-main

So I changed it to:

crypto dynamic-map l2tp-map 10
 set transform-set ts-main

As there was no NAT involved in my setup any more, having the "set nat demux" statement in there broke it.
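As an added illustration of the diagnosis this thread arrives at (not code from any of the posts): a small Python checker that reads the router's debug output together with the dynamic crypto map and flags the "phase 2 complete, then silence" symptom, plus a `set nat demux` line when IKE ran over UDP 500 rather than the NAT-T port 4500. The sample debug and config are constructed from the lines quoted above, and the assumed prefixes of L2TP/VPDN debug lines are an assumption.

```python
import re

# Constructed sample debug lines, shaped like the router output quoted in the question.
SAMPLE_DEBUG = """\
Dec 16 16:32:00.276 EET: ISAKMP:(1019): sending packet to 192.168.13.232 my_port 500 peer_port 500 (R) QM_IDLE
Dec 16 16:32:00.284 EET: ISAKMP:(1019):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
Dec 16 16:32:00.284 EET: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
"""

# Constructed config fragment: the dynamic map as it looked before Matthew's fix.
SAMPLE_CONFIG = """\
crypto dynamic-map l2tp-map 10
 set nat demux
 set transform-set ts-main
"""

MSG = re.compile(r"^\w{3} +\d+ [\d:.]+ \S+: +(.*)$")       # strips "Dec 16 16:32:00.284 EET:"
IKE_PORT = re.compile(r"(?:my_port|peer_port|dport|sport) (\d+)")
DYN_MAP = re.compile(r"^crypto dynamic-map (\S+) (\d+)")


def messages(debug: str) -> list[str]:
    """Debug lines with the timestamp prefix removed; unparseable lines are dropped."""
    return [m.group(1) for m in map(MSG.match, debug.splitlines()) if m]


def phase2_complete(debug: str) -> bool:
    """True once ISAKMP quick mode reports the IPsec SAs installed."""
    return any("New State = IKE_QM_PHASE2_COMPLETE" in m for m in messages(debug))


def l2tp_activity(debug: str) -> bool:
    """True if any L2TP-layer debug line appears (assumed L2TP/VPDN/Tnl prefixes)."""
    return any(m.startswith(("L2TP", "VPDN", "Tnl")) for m in messages(debug))


def nat_traversal_in_use(debug: str) -> bool:
    """IKE on UDP 4500 means NAT-T found a NAT in the path; UDP 500 both ways means none."""
    return any(m.group(1) == "4500" for m in IKE_PORT.finditer(debug))


def maps_with_nat_demux(config: str) -> list[str]:
    """Names (with sequence number) of dynamic-map entries carrying 'set nat demux'."""
    found, current = [], None
    for line in config.splitlines():
        m = DYN_MAP.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
        elif current and line.strip() == "set nat demux":
            found.append(current)
    return found


def diagnose(debug: str, config: str) -> list[str]:
    """Apply the thread's heuristic: IPsec up, no L2TP, and nat demux with no NAT-T."""
    findings = []
    if phase2_complete(debug) and not l2tp_activity(debug):
        findings.append("IPsec phase 2 completed but no L2TP/VPDN debug followed")
        if not nat_traversal_in_use(debug):
            for name in maps_with_nat_demux(config):
                findings.append(f"no NAT-T in use, yet dynamic-map {name} has 'set nat demux'")
    return findings
```

Run `diagnose(SAMPLE_DEBUG, SAMPLE_CONFIG)` to see both findings; with the `set nat demux` line removed only the first remains.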

Thanks Matthew that solved my issue.

Thanks for sharing this with us, it helped me!
