09-25-2009 06:32 AM - edited 02-21-2020 04:20 PM
I am unable to establish a tunnel to the ASA from a Microsoft client using L2TP over IPsec. The ASA log shows port 1701 being discarded on the Outside interface, even though an ACL is there to permit it.
09-25-2009 08:03 AM
It looks like your client is using L2TP directly instead of L2TP over IPsec. On the ASA, you can check the IPsec status with "show crypto isa sa" and "show crypto ipsec sa". If there is no output at all, it indicates that your client did not initiate IPsec. You need to check your client's configuration.
09-25-2009 08:55 AM
Yes, I am not getting any output from either of those two show commands, which made me realize that the client was not getting anywhere! However, when I look at the Real-Time ASA log, it shows that the ASA Outside interface is discarding the packets coming from the client on UDP port 1701. That would suggest that the client is initiating the IPSec tunnel, but it isn't being processed by the ASA. The XP client screen indicates that I have "L2TP IPSec VPN" selected. Is there another way to verify that the client is really sending L2TP-Over-IPSec?
Thanks,
jack
09-25-2009 09:06 AM
You can enable "debug crypto isakmp" to see if there is any output when the client initiates the L2TP-over-IPsec connection.
Since it's L2TP over IPsec, IPsec must be up first.
Here is the sample config and debug output for your ref.
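A small triage script, added here as an example (it is not from the thread or from Cisco), that applies the reasoning above to ASA syslog lines: a client whose only traffic seen on the outside interface is bare UDP/1701, with no IKE (UDP/500, UDP/4500) or ESP, has not started IPsec at all and is sending plain L2TP. The log lines are constructed samples in the %ASA-4-106023 access-group deny format; the addresses and ACL name are made up.

```python
import re

# Constructed sample ASA syslog lines (not from the original thread).
# They model the symptom in the question: UDP/1701 arriving on the
# outside interface and being denied, with no IKE traffic from that peer.
SAMPLE_LOG = """\
%ASA-4-106023: Deny udp src outside:203.0.113.10/1701 dst outside:198.51.100.1/1701 by access-group "outside_access_in"
%ASA-4-106023: Deny udp src outside:203.0.113.10/1701 dst outside:198.51.100.1/1701 by access-group "outside_access_in"
"""

IKE_PORTS = {500, 4500}   # ISAKMP and NAT-T; both precede any L2TP traffic
L2TP_PORT = 1701

# Extract protocol, source address and destination port from a deny line.
LINE_RE = re.compile(
    r"\b(?P<proto>udp|tcp|icmp|esp|protocol\s+\d+)\b.*?"
    r"src [^\s:]+:(?P<src>[\d.]+)(?:/(?P<sport>\d+))?"
    r" dst [^\s:]+:(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?",
    re.IGNORECASE,
)

def classify(log_text):
    """Map each source IP to a verdict:
    'plain-l2tp'      - only bare UDP/1701 seen, no IKE/ESP: IPsec never started
    'ipsec-attempted' - IKE or ESP seen: the peer is at least trying IPsec
    """
    evidence = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        proto = m["proto"].lower()
        dport = int(m["dport"]) if m["dport"] else None
        ev = evidence.setdefault(m["src"], set())
        if proto in ("esp", "protocol 50") or (proto == "udp" and dport in IKE_PORTS):
            ev.add("ike_or_esp")
        elif proto == "udp" and dport == L2TP_PORT:
            ev.add("bare_l2tp")
    verdicts = {}
    for src, ev in evidence.items():
        if "ike_or_esp" in ev:
            verdicts[src] = "ipsec-attempted"
        elif "bare_l2tp" in ev:
            verdicts[src] = "plain-l2tp"
    return verdicts

if __name__ == "__main__":
    for peer, verdict in classify(SAMPLE_LOG).items():
        print(f"{peer}: {verdict}")
```

A 'plain-l2tp' verdict matches the empty "show crypto isa sa" output in the thread; the fix is on the client side, not in the outside ACL.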