
L2TP over IPsec on a router with Microsoft Windows XP client

charisfilip
Level 1

I have a problem with the connection of an XP client to a VPN router. The router's configuration is:

aaa new-model
aaa authentication login default group radius local enable
aaa authentication login local local
aaa authentication ppp dsl local
vpdn enable
vpdn-group securedsl
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 2
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key cisco123 address ****
!
!
crypto ipsec transform-set test ah-md5-hmac esp-des
!
crypto map testmap 10 ipsec-isakmp
 set peer ****
 set transform-set test
 match address 101
!
interface Ethernet0/0
 crypto map testmap
interface Virtual-Template2
 ip unnumbered Loopback254
 no keepalive
 peer default ip address pool dsl
 ppp encrypt mppe auto
 ppp authentication chap ms-chap
!
ip local pool dsl **** ****
access-list 101 permit ip host **** host ****

and the logs that I have are in the attachment.

Does anybody know where the problem is?

2 Replies

bogdahnt
Level 1

The log indicates that your phase 2 IPsec proposals do not match the proposals offered by your XP client (from your log: "phase 2 SA not acceptable!"). Try playing around in the router config with the command "crypto ipsec transform-set test ? ? ?" to find out which one matches your criteria. I don't know at the moment which parameters for this command should work with the Windows XP client - just try them out (beginning with the simplest parameters). Best regards - Thomas.

I tried every option of the command. I always have the same logs. Other opinions?
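The phase 2 mismatch discussed in this thread, as an added example (not part of the original posts and not Cisco tooling): a Python check that parses `crypto ipsec transform-set` lines and reports which proposal attributes differ from each client offer. `CLIENT_OFFERS` and `SAMPLE_CONFIG` are constructed for illustration and are not an authoritative list of what Windows XP proposes; the fixed points are that L2TP/IPsec runs in transport mode (RFC 3193) while an IOS transform-set defaults to tunnel mode.

```python
# Added example: compare IOS transform-sets with the phase 2 offers of a client.
KEYWORDS = {  # IOS transform keyword -> (proposal slot, algorithm)
    "esp-des": ("esp_cipher", "des"), "esp-3des": ("esp_cipher", "3des"),
    "esp-aes": ("esp_cipher", "aes"),
    "esp-md5-hmac": ("esp_auth", "md5"), "esp-sha-hmac": ("esp_auth", "sha1"),
    "ah-md5-hmac": ("ah", "md5"), "ah-sha-hmac": ("ah", "sha1"),
}
SLOTS = ("mode", "ah", "esp_cipher", "esp_auth")

def parse_transform_sets(config):
    """Return {name: proposal} for each 'crypto ipsec transform-set' line."""
    sets, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) > 4:
            # IOS defaults to tunnel mode unless 'mode transport' follows.
            current = {"mode": "tunnel", "ah": None, "esp_cipher": None, "esp_auth": None}
            for kw in words[4:]:
                if kw not in KEYWORDS:
                    raise ValueError("unknown transform keyword: " + kw)
                slot, alg = KEYWORDS[kw]
                current[slot] = alg
            sets[words[3]] = current
        elif words[:1] == ["mode"] and len(words) == 2 and current is not None:
            current["mode"] = words[1]
        elif words:
            current = None  # any other command leaves the transform-set sub-mode
    return sets

def check(config, offers):
    """Per set: [] if an offer matches, else differing slots per offer.
    Simplified: lifetimes and PFS are not compared."""
    report = {}
    for name, prop in parse_transform_sets(config).items():
        diffs = [[s for s in SLOTS if prop[s] != offer[s]] for offer in offers]
        report[name] = [] if [] in diffs else diffs
    return report

# Constructed client offers (assumption, not an authoritative Windows XP list).
CLIENT_OFFERS = [
    {"mode": "transport", "ah": None, "esp_cipher": "3des", "esp_auth": "sha1"},
    {"mode": "transport", "ah": None, "esp_cipher": "des", "esp_auth": "md5"},
]
# The transform-set line as posted in the question.
PAGE_CONFIG = "crypto ipsec transform-set test ah-md5-hmac esp-des\n!\n"
# Constructed sample that matches the first constructed offer.
SAMPLE_CONFIG = "crypto ipsec transform-set test esp-3des esp-sha-hmac\n mode transport\n!\n"

if __name__ == "__main__":
    print(check(PAGE_CONFIG, CLIENT_OFFERS))
    print(check(SAMPLE_CONFIG, CLIENT_OFFERS))
```

A non-empty result lists, for each offer, the attributes on which the router's proposal and that offer disagree; for the posted transform-set the encapsulation mode and the AH requirement differ from every constructed offer.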
