12-16-2013 06:42 AM - edited 02-21-2020 07:23 PM
I am trying to configure an L2TP/IPSec remote access VPN on a Cisco 2901. I'm using what is pretty much a copy/paste of a config that is working just fine on an older router (a 2811). However, it seems I'm missing something - I can see the IPSec negotiating properly, but the L2TP tunnel simply does not trigger after that (there is no L2TP-related output).
See below for the final lines of the debug (I didn't post the entire debug to save space, but I can do that if you believe it is necessary). Notice that the phase 2 SAs come up, and then... there's only silence.
The other end of the connection is a laptop with Win7 x64, on which I get error 809 ("The connection could not be established because the remote server is not responding").
The router (2901) is running IOS 15.4(1)T. As far as I know, there is no packet filtering between the client and the server. And with very little documentation on Cisco's website regarding L2TP on IOS, I'm at a loss.
Can anyone point me in the right direction?
Thank you!
lab#sh deb
L2TP:
L2TP packet events debugging is on
L2TP packet errors debugging is on
L2TP errors debugging is on
L2TP events debugging is on
L2TP L2TUN socket API debugging is on
L2TP application debugs debugging is on
VPN:
L2TP/PPTP control packet debugging is on
VPDN call event debugging is on
VPDN events debugging is on
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto IPSEC debugging is on
Dec 16 16:31:59.628 EET: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.1.120.100:0, remote= 192.168.13.232:0,
local_proxy= 10.1.120.100/255.255.255.255/17/1701,
remote_proxy= 192.168.13.232/255.255.255.255/17/1701,
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Dec 16 16:32:00.264 EET: (ipsec_process_proposal)Map Accepted: CM_DYN_L2TP_IPSEC, 10
Dec 16 16:32:00.264 EET: ISAKMP:(1019): processing NONCE payload. message ID = 1
Dec 16 16:32:00.264 EET: ISAKMP:(1019): processing ID payload. message ID = 1
Dec 16 16:32:00.264 EET: ISAKMP:(1019): processing ID payload. message ID = 1
Dec 16 16:32:00.264 EET: ISAKMP:(1019):QM Responder gets spi
Dec 16 16:32:00.264 EET: ISAKMP:(1019):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Dec 16 16:32:00.264 EET: ISAKMP:(1019):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
Dec 16 16:32:00.264 EET: ISAKMP:(1019):Node 1, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Dec 16 16:32:00.264 EET: ISAKMP:(1019):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
Dec 16 16:32:00.268 EET: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec 16 16:32:00.268 EET: IPSEC(crypto_ipsec_create_ipsec_sas): Map found CM_DYN_L2TP_IPSEC, 10
Dec 16 16:32:00.268 EET: IPSEC(create_sa): sa created,
(sa) sa_dest= 10.1.120.100, sa_proto= 50,
sa_spi= 0xE4F4E622(3841254946),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2063
sa_lifetime(k/sec)= (250000/3600),
(identity) local= 10.1.120.100:0, remote= 192.168.13.232:0,
local_proxy= 10.1.120.100/255.255.255.255/17/1701,
remote_proxy= 192.168.13.232/255.255.255.255/17/1701
Dec 16 16:32:00.268 EET: IPSEC(create_sa): sa created,
(sa) sa_dest= 192.168.13.232, sa_proto= 50,
sa_spi= 0xA3E0AD04(2749410564),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2064
sa_lifetime(k/sec)= (250000/3600),
(identity) local= 10.1.120.100:0, remote= 192.168.13.232:0,
local_proxy= 10.1.120.100/255.255.255.255/17/1701,
remote_proxy= 192.168.13.232/255.255.255.255/17/1701
Dec 16 16:32:00.268 EET: ISAKMP: Failed to find peer index node to update peer_info_list
Dec 16 16:32:00.268 EET: ISAKMP:(1019):Received IPSec Install callback... proceeding with the negotiation
Dec 16 16:32:00.276 EET: ISAKMP:(1019): sending packet to 192.168.13.232 my_port 500 peer_port 500 (R) QM_IDLE
Dec 16 16:32:00.276 EET: ISAKMP:(1019):Sending an IKE IPv4 Packet.
Dec 16 16:32:00.280 EET: ISAKMP:(1019):Node 1, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
Dec 16 16:32:00.280 EET: ISAKMP:(1019):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
Dec 16 16:32:00.284 EET: ISAKMP (1019): received packet from 192.168.13.232 dport 500 sport 500 Global (R) QM_IDLE
Dec 16 16:32:00.284 EET: ISAKMP:(1019):deleting node 1 error FALSE reason "QM done (await)"
Dec 16 16:32:00.284 EET: ISAKMP:(1019):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Dec 16 16:32:00.284 EET: ISAKMP:(1019):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
virt-gw.lab#
Dec 16 16:32:00.284 EET: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec 16 16:32:00.284 EET: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Dec 16 16:32:00.284 EET: IPSEC: Expand action denied, notify RP
12-20-2013 08:46 AM
I've just hit this too. I had config that was working fine on IOS15 (on a 1941) about a year ago, I come to try it again now and...
nada. Nothing. IPSEC comes up just fine but as for anything above it, no debug output whatsoever and I also see the same 809 error from Windows.
Will let you know if I figure it out...
12-20-2013 08:59 AM
Okay, almost as quickly as I've asked it, I've answered it (in my case):
I had this:
crypto dynamic-map l2tp-map 10
set nat demux
set transform-set ts-main
So I changed it to:
crypto dynamic-map l2tp-map 10
set transform-set ts-main
As there was no NAT involved in my setup any more, having the "set nat demux" statement in there broke it.
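As an added illustration (not the poster's or Cisco's code), the Python below parses the `crypto dynamic-map` entries of an IOS running-config, flags any entry that still carries `set nat demux`, and can emit the config with that line removed, which is the fix described above. The config it runs on is constructed for the example.

```python
"""Lint a Cisco IOS config for dynamic crypto maps that carry 'set nat demux'.
Added example; the configuration text below is constructed, not from the thread."""
import re

SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto ipsec transform-set ts-main esp-aes esp-sha-hmac
 mode transport
crypto dynamic-map l2tp-map 10
 set nat demux
 set transform-set ts-main
crypto dynamic-map other-map 20
 set transform-set ts-main
"""

# Matches the top-level line that opens a dynamic-map entry: name and sequence number.
DYNMAP_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+)\s*$")


def parse_dynamic_maps(config):
    """Return {(name, seq): [sub-commands]} for every crypto dynamic-map entry."""
    maps = {}
    current = None
    for raw in config.splitlines():
        m = DYNMAP_RE.match(raw)
        if m:
            current = (m.group(1), int(m.group(2)))
            maps[current] = []
        elif current is not None and raw.startswith(" "):
            maps[current].append(raw.strip())      # indented line belongs to the entry
        else:
            current = None                         # any other top-level line ends it
    return maps


def find_nat_demux(config):
    """Return the (name, seq) entries that still contain 'set nat demux'."""
    return [key for key, cmds in parse_dynamic_maps(config).items()
            if "set nat demux" in cmds]


def strip_nat_demux(config):
    """Return the config with 'set nat demux' dropped from dynamic-map entries only."""
    out, in_dynmap = [], False
    for raw in config.splitlines():
        if DYNMAP_RE.match(raw):
            in_dynmap = True
        elif not raw.startswith(" "):
            in_dynmap = False
        if in_dynmap and raw.strip() == "set nat demux":
            continue
        out.append(raw)
    return "\n".join(out) + "\n"
```

Drop the line only where, as in this thread, no NAT sits between the client and the router.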
01-10-2014 08:49 AM
Thanks Matthew that solved my issue.
02-06-2014 08:18 AM
Thanks for sharing this with us, it helped me!