L2TP-IPSEC VPN Tunnel works only for one User

ciscocase
Level 1

Hello,


I have some trouble with an L2TP/IPsec VPN. I configured the L2TP/IPsec VPN using the ASDM wizard and created a user tester during this process. I configured the Win10 client and it is working. After that I added more users. But none of them work, except the user tester. Here are some logs:

First, the working user tester:

Oct 24 15:14:45 172.16.1.46 %ASA-6-713172: Group = DefaultRAGroup, IP = 1xx.xx.xxx.xx, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end   IS   behind a NAT device
Oct 24 15:14:45 172.16.1.46 %ASA-6-713905: Group = DefaultRAGroup, IP = 1xx.xx.xxx.xx, Floating NAT-T from 1xx.xx.xxx.xx port 500 to 1xx.xx.xxx.xx port 4500
Oct 24 15:14:45 172.16.1.46 %ASA-5-713119: Group = DefaultRAGroup, IP = 1xx.xx.xxx.xx, PHASE 1 COMPLETED
Oct 24 15:14:45 172.16.1.46 %ASA-3-713122: IP = 1xx.xx.xxx.xx, Keep-alives configured on but peer does not support keep-alives (type = None)
Oct 24 15:14:45 172.16.1.46 %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x4B3CD91E) between 172.16.1.46 and 1xx.xx.xxx.xx (user= DefaultRAGroup) has been created.
Oct 24 15:14:45 172.16.1.46 %ASA-5-713049: Group = DefaultRAGroup, IP = 1xx.xx.xxx.xx, Security negotiation complete for User ()  Responder, Inbound SPI = 0xeecf4cfc, Outbound SPI = 0x4b3cd91e
Oct 24 15:14:45 172.16.1.46 %ASA-6-602303: IPSEC: An inbound remote access SA (SPI= 0xEECF4CFC) between 172.16.1.46 and 1xx.xx.xxx.xx (user= DefaultRAGroup) has been created.
Oct 24 15:14:45 172.16.1.46 %ASA-5-713120: Group = DefaultRAGroup, IP = 1xx.xx.xxx.xx, PHASE 2 COMPLETED (msgid=00000001)
Oct 24 15:14:46 172.16.1.46 %ASA-6-302016: Teardown UDP connection 13521077 for outside:1xx.xx.xxx.xx/1701 to identity:172.16.1.46/1701 duration 0:01:12 bytes 673
Oct 24 15:14:48 172.16.1.46 %ASA-6-302015: Built inbound UDP connection 13521364 for outside:1xx.xx.xxx.xx/1701 (1xx.xx.xxx.xx/1701) to identity:172.16.1.46/1701 (172.16.1.46/1701)
Oct 24 15:14:48 172.16.1.46 %ASA-6-734001: DAP: User tester, Addr 1xx.xx.xxx.xx, Connection L2TP: The following DAP records were selected for this connection: DfltAccessPolicy
Oct 24 15:14:48 172.16.1.46 %ASA-6-603106: L2TP Tunnel created, tunnel_id is 78, remote_peer_ip is 1xx.xx.xxx.xx, ppp_virtual_interface_id is 1, client_dynamic_ip is 10.10.10.1, username is *****
Oct 24 15:15:28 172.16.1.46 %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x6AE50BB4) between 172.16.1.46 and 1xx.xx.xxx.xx (user= tester) has been created.
Oct 24 15:15:28 172.16.1.46 %ASA-5-713049: Group = DefaultRAGroup, Username = tester, IP = 1xx.xx.xxx.xx, Security negotiation complete for User (tester)  Responder, Inbound SPI = 0x49f1afc7, Outbound SPI = 0x6ae50bb4
Oct 24 15:15:28 172.16.1.46 %ASA-6-602303: IPSEC: An inbound remote access SA (SPI= 0x49F1AFC7) between 172.16.1.46 and 1xx.xx.xxx.xx (user= tester) has been created.
Oct 24 15:15:28 172.16.1.46 %ASA-5-713120: Group = DefaultRAGroup, Username = tester, IP = 1xx.xx.xxx.xx, PHASE 2 COMPLETED (msgid=00000002)


Now another user:

Oct 24 15:13:32 172.16.1.46 %ASA-6-302015: Built inbound UDP connection 13521075 for outside:1xx.xx.xxx.xx/500 (1xx.xx.xxx.xx/500) to identity:172.16.1.46/500 (172.16.1.46/500)
Oct 24 15:13:32 172.16.1.46 %ASA-6-302015: Built inbound UDP connection 13521076 for outside:1xx.xx.xxx.xx/4500 (1xx.xx.xxx.xx/4500) to identity:172.16.1.46/4500 (172.16.1.46/4500)
Oct 24 15:13:32 172.16.1.46 %ASA-6-713172: Group = DefaultRAGroup, IP = 1xx.xx.xxx.xx, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end   IS   behind a NAT device
Oct 24 15:13:32 172.16.1.46 %ASA-6-713905: Group = DefaultRAGroup, IP = 1xx.xx.xxx.xx, Floating NAT-T from 1xx.xx.xxx.xx port 500 to 1xx.xx.xxx.xx port 4500
Oct 24 15:13:32 172.16.1.46 %ASA-5-713119: Group = DefaultRAGroup, IP = 1xx.xx.xxx.xx, PHASE 1 COMPLETED
Oct 24 15:13:32 172.16.1.46 %ASA-3-713122: IP = 1xx.xx.xxx.xx, Keep-alives configured on but peer does not support keep-alives (type = None)
Oct 24 15:13:32 172.16.1.46 %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0x7C5D13DA) between 172.16.1.46 and 1xx.xx.xxx.xx (user= DefaultRAGroup) has been created.
Oct 24 15:13:32 172.16.1.46 %ASA-5-713049: Group = DefaultRAGroup, IP = 1xx.xx.xxx.xx, Security negotiation complete for User ()  Responder, Inbound SPI = 0x5f98391a, Outbound SPI = 0x7c5d13da
Oct 24 15:13:32 172.16.1.46 %ASA-6-602303: IPSEC: An inbound remote access SA (SPI= 0x5F98391A) between 172.16.1.46 and 1xx.xx.xxx.xx (user= DefaultRAGroup) has been created.
Oct 24 15:13:32 172.16.1.46 %ASA-5-713120: Group = DefaultRAGroup, IP = 1xx.xx.xxx.xx, PHASE 2 COMPLETED (msgid=00000001)
Oct 24 15:13:33 172.16.1.46 %ASA-6-302015: Built inbound UDP connection 13521077 for outside:1xx.xx.xxx.xx/1701 (1xx.xx.xxx.xx/1701) to identity:172.16.1.46/1701 (172.16.1.46/1701)
Oct 24 15:13:33 172.16.1.46 %ASA-6-734001: DAP: User libravpn, Addr 1xx.xx.xxx.xx, Connection L2TP: The following DAP records were selected for this connection: DfltAccessPolicy
Oct 24 15:13:34 172.16.1.46 %ASA-6-603106: L2TP Tunnel created, tunnel_id is 77, remote_peer_ip is 1xx.xx.xxx.xx, ppp_virtual_interface_id is 1, client_dynamic_ip is 0.0.0.0, username is *****
Oct 24 15:13:34 172.16.1.46 %ASA-6-603107: L2TP Tunnel deleted, tunnel_id = 77, remote_peer_ip = 1xx.xx.xxx.xx
Oct 24 15:13:34 172.16.1.46 %ASA-6-602304: IPSEC: An outbound remote access SA (SPI= 0x7C5D13DA) between 172.16.1.46 and 1xx.xx.xxx.xx (user= libravpn) has been deleted.
Oct 24 15:13:34 172.16.1.46 %ASA-6-602304: IPSEC: An inbound remote access SA (SPI= 0x5F98391A) between 1xx.xx.xxx.xx and 172.16.1.46 (user= libravpn) has been deleted.
Oct 24 15:13:34 172.16.1.46 %ASA-5-713259: Group = DefaultRAGroup, Username = libravpn, IP = 1xx.xx.xxx.xx, Session is being torn down. Reason: User Requested
Oct 24 15:13:34 172.16.1.46 %ASA-4-113019: Group = DefaultRAGroup, Username = libravpn, IP = 1xx.xx.xxx.xx, Session disconnected. Session Type: L2TPOverIPsecOverNatT, Duration: 0h:00m:02s, Bytes xmt: 1261, Bytes rcv: 3244, Reason: User Requested


The other user does not get any IP from the ASA. But the debug log on the ASA shows this instead:

IPSEC: Completed inbound decrypt rule, SPI 0x0241B996
    Rule ID: 0x00007f8104cca8e0
IPSEC: New inbound permit rule, SPI 0x0241B996
    Src addr: 1xx.xx.xxx.xx
    Src mask: 255.255.255.255
    Dst addr: 172.16.1.46
    Dst mask: 255.255.255.255
    Src ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Dst ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound permit rule, SPI 0x0241B996
    Rule ID: 0x00007f81041b3050
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Oct 24 15:35:52 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 1xx.xx.xxx.xx, Pitcher: received KEY_UPDATE, spi 0x241b996
Oct 24 15:35:52 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 1xx.xx.xxx.xx, Starting P2 rekey timer: 3060 seconds.
Oct 24 15:35:52 [IKEv1]Group = DefaultRAGroup, IP = 1xx.xx.xxx.xx, PHASE 2 COMPLETED (msgid=00000001)
Oct 24 15:35:52 [IKEv1]IKEQM_Active() Add L2TP classification rules: ip <1xx.xx.xxx.xx> mask <0xFFFFFFFF> port <0>
Oct 24 15:35:53 [IKEv1 DEBUG]Group = DefaultRAGroup, Username = libravpn, IP = 1xx.xx.xxx.xx, IKE SA MM:c3a2dd7a rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 1
Oct 24 15:35:53 [IKEv1]Group = DefaultRAGroup, Username = libravpn, IP = 1xx.xx.xxx.xx, Remove from IKEv1 Tunnel Table succeeded for SA with logicalId 118972416
Oct 24 15:35:53 [IKEv1]Group = DefaultRAGroup, Username = libravpn, IP = 1xx.xx.xxx.xx, Remove from IKEv1 MIB Table succeeded for SA with logical ID 118972416


For the user tester the debugs look alike, but he gets an IP from the pool:

IPSEC: New inbound permit rule, SPI 0x96282B2A
    Src addr: 1xx.xx.xxx.xx
    Src mask: 255.255.255.255
    Dst addr: 172.16.1.46
    Dst mask: 255.255.255.255
    Src ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Dst ports
      Upper: 4500
      Lower: 4500
      Op   : equal
    Protocol: 17
    Use protocol: true
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound permit rule, SPI 0x96282B2A
    Rule ID: 0x00007f8104d1a740
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
IPSEC INFO: Destroying an IPSec timer of type SA Purge Timer
Oct 24 15:38:37 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 1xx.xx.xxx.xx, Pitcher: received KEY_UPDATE, spi 0x96282b2a
Oct 24 15:38:37 [IKEv1 DEBUG]Group = DefaultRAGroup, IP = 1xx.xx.xxx.xx, Starting P2 rekey timer: 3060 seconds.
Oct 24 15:38:37 [IKEv1]Group = DefaultRAGroup, IP = 1xx.xx.xxx.xx, PHASE 2 COMPLETED (msgid=00000001)
Oct 24 15:38:37 [IKEv1]IKEQM_Active() Add L2TP classification rules: ip <1xx.xx.xxx.xx> mask <0xFFFFFFFF> port <0>
Oct 24 15:38:38 [IKEv1]Group = DefaultRAGroup, Username = tester, IP = 1xx.xx.xxx.xx, Adding static route for client address: 10.10.10.1


Any ideas?

Regards Torsten
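To compare the two sessions above side by side, here is an added triage script (not from the original post or from Cisco) that correlates the ASA L2TP syslog messages by tunnel_id. It takes the username from the preceding 734001 DAP line keyed by peer address, because 603106 masks the username, and flags tunnels that were created with client_dynamic_ip 0.0.0.0 or torn down right after creation. The log lines embedded below are constructed to match the thread's message formats, with documentation-range peer addresses.

```python
"""Triage Cisco ASA L2TP/IPsec syslog: which L2TP tunnels received a pool
address and which were deleted right after creation (pattern in the thread)."""
import re
from collections import OrderedDict

# Constructed sample lines shaped like the thread's ASA messages (not real data).
SAMPLE_LOG = """\
Oct 24 15:13:33 172.16.1.46 %ASA-6-734001: DAP: User libravpn, Addr 203.0.113.10, Connection L2TP: The following DAP records were selected for this connection: DfltAccessPolicy
Oct 24 15:13:34 172.16.1.46 %ASA-6-603106: L2TP Tunnel created, tunnel_id is 77, remote_peer_ip is 203.0.113.10, ppp_virtual_interface_id is 1, client_dynamic_ip is 0.0.0.0, username is *****
Oct 24 15:13:34 172.16.1.46 %ASA-6-603107: L2TP Tunnel deleted, tunnel_id = 77, remote_peer_ip = 203.0.113.10
Oct 24 15:13:34 172.16.1.46 %ASA-4-113019: Group = DefaultRAGroup, Username = libravpn, IP = 203.0.113.10, Session disconnected. Session Type: L2TPOverIPsecOverNatT, Duration: 0h:00m:02s, Bytes xmt: 1261, Bytes rcv: 3244, Reason: User Requested
Oct 24 15:14:48 172.16.1.46 %ASA-6-734001: DAP: User tester, Addr 203.0.113.11, Connection L2TP: The following DAP records were selected for this connection: DfltAccessPolicy
Oct 24 15:14:48 172.16.1.46 %ASA-6-603106: L2TP Tunnel created, tunnel_id is 78, remote_peer_ip is 203.0.113.11, ppp_virtual_interface_id is 1, client_dynamic_ip is 10.10.10.1, username is *****
"""

DAP_RE = re.compile(r"%ASA-6-734001: DAP: User (\S+), Addr ([\d.]+), Connection L2TP")
CREATED_RE = re.compile(r"%ASA-6-603106: .*tunnel_id is (\d+), remote_peer_ip is ([\d.]+), "
                        r".*client_dynamic_ip is ([\d.]+)")
DELETED_RE = re.compile(r"%ASA-6-603107: .*tunnel_id = (\d+)")

def triage_l2tp(log_text):
    """Return an ordered {tunnel_id: info} map with user, peer, assigned
    address, whether the tunnel was deleted, and a short verdict."""
    last_user_by_peer = {}      # peer IP -> username seen on the DAP line
    tunnels = OrderedDict()
    for line in log_text.splitlines():
        m = DAP_RE.search(line)
        if m:
            last_user_by_peer[m.group(2)] = m.group(1)
            continue
        m = CREATED_RE.search(line)
        if m:
            tid, peer, addr = m.groups()
            tunnels[tid] = {"user": last_user_by_peer.get(peer, "?"), "peer": peer,
                            "addr": addr, "deleted": False}
            continue
        m = DELETED_RE.search(line)
        if m and m.group(1) in tunnels:
            tunnels[m.group(1)]["deleted"] = True
    for t in tunnels.values():
        if t["addr"] == "0.0.0.0":
            t["verdict"] = "no pool address assigned"
        elif t["deleted"]:
            t["verdict"] = "address assigned but tunnel torn down"
        else:
            t["verdict"] = "ok"
    return tunnels

if __name__ == "__main__":
    for tid, t in triage_l2tp(SAMPLE_LOG).items():
        print(f"tunnel {tid}: user={t['user']} addr={t['addr']} "
              f"deleted={t['deleted']} -> {t['verdict']}")
```

Run it against a syslog export from the ASA to list every L2TP user whose tunnel never received a pool address, which narrows the problem to the PPP/user-authentication stage rather than IKE.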

1 Reply

Shakti Kumar
Cisco Employee
Hi ciscocase,

Can you share the output of "sh run username"? It seems that the kind of user that you have created is a problem.

An example of how a user should be created is below:

username test password test mschap


Thanks
Shakti