L2TP/IPSec windows to ASA

mlopacinski
Level 1

Hello

I've configured L2TP/IPsec connections from Windows on the ASA. Phase 1 and Phase 2 are successful, the tunnel is created but deleted immediately afterwards. Tested from Windows XP and Windows 7. I use DefaultRAGroup for that (cannot use any group that is not the default; Windows limitation). Here is my config:

group-policy DfltGrpPolicy attributes
wins-server value 10.1.1.1
dns-server value 10.1.1.1
vpn-idle-timeout 300
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
user-authentication enable
nem enable
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization

tunnel-group DefaultRAGroup general-attributes
address-pool asa-admins
authentication-server-group CSACS
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy

crypto dynamic-map outside_dyn_map 10 set transform-set TRANS_ESP_AES_SHA TRANS_ESP_DES_SHA ESP-AES-256-SHA ESP-AES-256-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

And here are some logs:

Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-715027: Group = DefaultRAGroup, IP = 193.193.193.193, IPSec SA Proposal # 1, Transform # 1 acceptable  Matches global IPSec SA entry # 10

Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-710005: UDP request discarded from 193.193.193.193/4204 to outside:outside-interface/4500
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0xAEA59455) between outside-interface and 193.193.193.193 (user= DefaultRAGroup) has been created.
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-715007: Group = DefaultRAGroup, IP = 193.193.193.193, IKE got a KEY_ADD msg for SA: SPI = 0xaea59455
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-6-602303: IPSEC: An inbound remote access SA (SPI= 0x9D3B8BDE) between outside-interface and 193.193.193.193 (user= DefaultRAGroup) has been created.
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-715077: Group = DefaultRAGroup, IP = 193.193.193.193, Pitcher: received KEY_UPDATE, spi 0x9d3b8bde
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-715080: Group = DefaultRAGroup, IP = 193.193.193.193, Starting P2 rekey timer: 3060 seconds.
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-5-713120: Group = DefaultRAGroup, IP = 193.193.193.193, PHASE 2 COMPLETED (msgid=00000001)
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-713906: IKEQM_Active() Add L2TP classification rules: ip <193.193.193.193> mask <0xFFFFFFFF> port <4204>
Feb 17 13:27:08 vpnasa1 Feb 17 2010 13:27:08 vpnasa1 : %ASA-7-710005: UDP request discarded from 193.193.193.193/4204 to outside:outside-interface/1701
Feb 17 13:27:08 vpnasa1 Feb 17 2010 13:27:08 vpnasa1 : %ASA-6-302016: Teardown UDP connection 56281479 for outside:193.193.193.193/4204 to identity:outside-interface/1701 duration 0:01:07 bytes 431
Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-6-302015: Built inbound UDP connection 56282536 for outside:193.193.193.193/4204 (193.193.193.193/4204) to identity:outside-interface/1701 (outside-interface/1701)
Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-6-603106: L2TP Tunnel created, tunnel_id is 50, remote_peer_ip is 193.193.193.193 ppp_virtual_interface_id is 1, client_dynamic_ip is 0.0.0.0 username is user1
Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-6-603107: L2TP Tunnel deleted, tunnel_id = 50, remote_peer_ip = 193.193.193.193

Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-4-113019: Group = DefaultRAGroup, Username = , IP = 193.193.193.193, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:03s, Bytes xmt: 795, Bytes rcv: 1204, Reason: L2TP initiated

What's wrong?

Thanx

15 Replies

Thanx, it helped !!!
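As an added example (not part of the original post, and not Cisco tooling), here is a small Python parser for the ASA syslog lines quoted in the question. It groups events by peer IP and reports how far an L2TP/IPsec attempt got: whether Phase 2 completed, whether UDP/1701 was discarded before the L2TP stack picked it up, how long the L2TP tunnel lived, and how the session ended. The sample lines are copied from the post above (same timestamps and peer 193.193.193.193); the regexes, field names and the verdict text are my own assumptions about the message formats as they appear there, not an official log schema.

```python
import re
from datetime import datetime

# ASA lines as syslog forwarded them: host timestamp, then the ASA's own
# "Mon DD YYYY HH:MM:SS host : %ASA-sev-msgid: text". We key on the latter.
ASA_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)
# Ways the peer address shows up in the message bodies seen in the post
# (assumption: these prefixes are enough for the message IDs handled here).
PEER_RE = re.compile(
    r"(?:IP = |remote_peer_ip (?:is|=) |from |and |outside:|ip <)"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample: lines copied from the post above, trimmed to the
# events that matter for the L2TP-over-IPsec sequence.
SAMPLE_LOG = """\
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-715027: Group = DefaultRAGroup, IP = 193.193.193.193, IPSec SA Proposal # 1, Transform # 1 acceptable  Matches global IPSec SA entry # 10
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-710005: UDP request discarded from 193.193.193.193/4204 to outside:outside-interface/4500
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-5-713120: Group = DefaultRAGroup, IP = 193.193.193.193, PHASE 2 COMPLETED (msgid=00000001)
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-713906: IKEQM_Active() Add L2TP classification rules: ip <193.193.193.193> mask <0xFFFFFFFF> port <4204>
Feb 17 13:27:08 vpnasa1 Feb 17 2010 13:27:08 vpnasa1 : %ASA-7-710005: UDP request discarded from 193.193.193.193/4204 to outside:outside-interface/1701
Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-6-302015: Built inbound UDP connection 56282536 for outside:193.193.193.193/4204 (193.193.193.193/4204) to identity:outside-interface/1701 (outside-interface/1701)
Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-6-603106: L2TP Tunnel created, tunnel_id is 50, remote_peer_ip is 193.193.193.193 ppp_virtual_interface_id is 1, client_dynamic_ip is 0.0.0.0 username is user1
Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-6-603107: L2TP Tunnel deleted, tunnel_id = 50, remote_peer_ip = 193.193.193.193
Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-4-113019: Group = DefaultRAGroup, Username = , IP = 193.193.193.193, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:03s, Bytes xmt: 795, Bytes rcv: 1204, Reason: L2TP initiated
"""


def parse_asa_line(line):
    """Return {ts, sev, msgid, text, peer} for one ASA syslog line, or None."""
    m = ASA_RE.search(line)
    if not m:
        return None
    peer = PEER_RE.search(m["text"])
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "sev": int(m["sev"]),
        "msgid": m["msgid"],
        "text": m["text"],
        "peer": peer["ip"] if peer else None,
    }


def _verdict(s):
    """One-line reading of where in the stack the attempt stopped."""
    if not s["phase2_completed"]:
        return "IKE/IPsec never completed: look at Phase 1/2 first"
    if s["l2tp_created"] is None:
        return "IPsec up but no L2TP tunnel: UDP/1701 never reached the L2TP stack"
    if s["l2tp_deleted"] is None:
        return "L2TP tunnel up"
    life = (s["l2tp_deleted"] - s["l2tp_created"]).total_seconds()
    notes = [f"IPsec completed, L2TP tunnel deleted {life:.0f}s after creation"]
    if s["disconnect_reason"]:
        notes.append(f"disconnect reason '{s['disconnect_reason']}'")
    if s["session_username"] is None:
        notes.append("no authenticated username on the session")
    notes.append("failure is at the L2TP/PPP layer, after IPsec")
    return "; ".join(notes)


def correlate_l2tp(log_text):
    """Summarise, per peer IP, how an L2TP/IPsec attempt progressed and ended."""
    sessions = {}
    for line in log_text.splitlines():
        ev = parse_asa_line(line)
        if not ev or not ev["peer"]:
            continue
        s = sessions.setdefault(ev["peer"], {
            "phase2_completed": False, "dropped_to_1701": 0,
            "l2tp_created": None, "l2tp_deleted": None, "l2tp_username": None,
            "disconnect_reason": None, "session_username": None,
        })
        mid, text = ev["msgid"], ev["text"]
        if mid == "713120":                       # PHASE 2 COMPLETED
            s["phase2_completed"] = True
        elif mid == "710005" and text.endswith("/1701"):  # L2TP dropped at the box
            s["dropped_to_1701"] += 1
        elif mid == "603106":                     # L2TP Tunnel created
            s["l2tp_created"] = ev["ts"]
            m = re.search(r"username is (\S+)", text)
            s["l2tp_username"] = m.group(1) if m else None
        elif mid == "603107":                     # L2TP Tunnel deleted
            s["l2tp_deleted"] = ev["ts"]
        elif mid == "113019":                     # Session disconnected
            m = re.search(r"Username = ([^,]*),", text)
            s["session_username"] = (m.group(1).strip() or None) if m else None
            m = re.search(r"Reason: (.*)$", text)
            s["disconnect_reason"] = m.group(1).strip() if m else None
    for s in sessions.values():
        s["verdict"] = _verdict(s)
    return sessions


if __name__ == "__main__":
    for peer, s in correlate_l2tp(SAMPLE_LOG).items():
        print(peer, "->", s["verdict"])
```

Run against the quoted lines, the verdict for 193.193.193.193 says that IPsec completed, the L2TP tunnel was deleted 0 s after creation, the disconnect reason was "L2TP initiated" and the session carried no authenticated username, i.e. IKE and IPsec are not the layer to debug; the L2TP control channel or the PPP negotiation inside it is. The same routine can be pointed at a full `show logging` capture to separate peers whose IKE fails from peers whose L2TP or PPP fails.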