
L2TP IPSec tunnel from WinXP to IOS router

Difan Zhao
Level 5

Hi there,

I have a requirement to build a VPN tunnel to a network on a Windows XP box. There is no option to use a newer Windows because the app only works on the Windows PC. I can't find any VPN client that still supports XP, so I researched and tried this L2TP IPSec thing. First of all, it works fine on my Windows 10 box. Here is my config:

aaa authentication ppp VPDN_AUTH local
!
vpdn enable
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
username test password 0 test
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 14
!
crypto isakmp key cisco123 address 0.0.0.0         no-xauth
!
!
crypto ipsec transform-set L2TP-transform-XP esp-3des esp-md5-hmac
 mode transport
!
crypto dynamic-map L2TP-map 10
 set nat demux
 set transform-set L2TP-transform-XP
 set pfs group14
!
!
crypto map L2TP 10 ipsec-isakmp dynamic L2TP-map
!
interface GigabitEthernet0/0/0
 ip address <public Internet IP>
 negotiation auto
 crypto map L2TP
!
ip route 0.0.0.0 0.0.0.0 <gw>

On the Windows XP box, it just says no response. On the IOS router (2921), when I compare its debug with that of a working Win10, the difference is that right after the ISAKMP/IPSec stuff, there is L2TP activity (with the debug l2tp all) for the Win10, but nothing for the WinXP. Here are the last few lines of the debug isakmp and IPsec. I also verified that the isakmp and ipsec SAs are both established.

*Jan  6 23:10:52.894: ISAKMP-ERROR: (0):Failed to find peer index node to update peer_info_list
*Jan  6 23:10:52.894: ISAKMP: (1034):Received IPSec Install callback... proceeding with the negotiation
*Jan  6 23:10:52.894: ISAKMP: (1034):Successfully installed IPSEC SA (SPI:0x9BD9B713) on GigabitEthernet0/0/0
*Jan  6 23:10:52.895: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer 69.58.16.68:64916 f_vrf:  Internet     Id: 192.168.237.188
*Jan  6 23:10:52.895: ISAKMP-PAK: (1034):sending packet to 69.58.16.68 my_port 4500 peer_port 64916 (R) QM_IDLE
*Jan  6 23:10:52.895: ISAKMP: (1034):Sending an IKE IPv4 Packet.
*Jan  6 23:10:52.895: ISAKMP: (1034):Node 1, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
*Jan  6 23:10:52.896: ISAKMP: (1034):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
*Jan  6 23:10:52.901: ISAKMP-PAK: (1034):received packet from 69.58.16.68 dport 4500 sport 64916 Internet (R) QM_IDLE
*Jan  6 23:10:52.901: ISAKMP: (1034):deleting node 1 error FALSE reason "QM done (await)"
*Jan  6 23:10:52.901: ISAKMP: (1034):Node 1, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
L2TP#
*Jan  6 23:10:52.901: ISAKMP: (1034):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
*Jan  6 23:10:52.901: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jan  6 23:10:52.901: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
<<< For the Win10, the L2TP messages would start >>>

Any ideas where it went wrong? Thanks!
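
A small triage helper for the comparison described in the post, added here as an example and not part of the original post or of any Cisco tooling: it parses ISAKMP/IPsec debug lines and reports whether phase 2 completed over NAT-T and whether any L2TP debug followed. The sample lines are copied from the post; the `triage` name and the rule that a timestamped line carrying a stand-alone `L2TP` or `L2X` token counts as L2TP activity are assumptions.

```python
import re

# Debug lines copied from the post (the Windows XP attempt), router prompt included.
XP_DEBUG = """\
*Jan  6 23:10:52.895: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer 69.58.16.68:64916 f_vrf:  Internet     Id: 192.168.237.188
*Jan  6 23:10:52.895: ISAKMP-PAK: (1034):sending packet to 69.58.16.68 my_port 4500 peer_port 64916 (R) QM_IDLE
*Jan  6 23:10:52.896: ISAKMP: (1034):Old State = IKE_QM_IPSEC_INSTALL_AWAIT  New State = IKE_QM_R_QM2
L2TP#
*Jan  6 23:10:52.901: ISAKMP: (1034):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
*Jan  6 23:10:52.901: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
"""

STAMP = re.compile(r"^\*\w{3}\s+\d+\s+[\d:.]+: (.*)$")          # IOS debug timestamp
PEER = re.compile(r"Crypto tunnel is UP.*Peer ([\d.]+):(\d+).*Id: ([\d.]+)")
STATE = re.compile(r"\((\d+)\):Old State = \S+\s+New State = (\S+)")
NAT_T = re.compile(r"\b(?:my_port|dport) 4500\b")                # IKE on UDP/4500
# Assumption: a stand-alone L2TP/L2X token marks L2TP debug; "L2TP-map" does not.
L2TP = re.compile(r"(?<![\w-])(?:L2TP|L2X)(?![\w-])")


def triage(text):
    """Summarise one debug capture: did IPsec finish, and did L2TP ever start?"""
    r = {"peer": None, "peer_id": None, "sa": None, "nat_t": False,
         "phase2_complete": False, "l2tp_after_phase2": False}
    for line in text.splitlines():
        stamped = STAMP.match(line)
        if not stamped:
            continue  # skip prompts: the prompt in the post is "L2TP#"
        body = stamped.group(1)
        if m := PEER.search(body):
            r["peer"], r["peer_id"] = f"{m.group(1)}:{m.group(2)}", m.group(3)
        if NAT_T.search(body):
            r["nat_t"] = True
        if (m := STATE.search(body)) and m.group(2) == "IKE_QM_PHASE2_COMPLETE":
            r["sa"], r["phase2_complete"] = int(m.group(1)), True
        elif r["phase2_complete"] and L2TP.search(body):
            r["l2tp_after_phase2"] = True
    return r


if __name__ == "__main__":
    for key, value in triage(XP_DEBUG).items():
        print(f"{key}: {value}")
```

Running it over a capture from each client gives a side-by-side summary; a result with `phase2_complete` true and `l2tp_after_phase2` false matches the Windows XP behaviour described above.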
