cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2128
Views
0
Helpful
3
Replies

L2TP over IPSec RA VPN not working

jpginexi
Level 1
Level 1

I have been trying to get an L2TP over IPSec VPN using pre-shared keys working, but it just keeps failing with the same errors. For some reason it claims that it can't find a valid tunnel group. I am trying to connect using Windows XP VPN. The client is behind a nat, but I have already applied the NAT-T registry fix, but it didn't help.

Error:

Jun 08 2007 21:35:07: %ASA-6-302015: Built inbound UDP connection 129881 for outside:mail.companyname.net/500 (mail.companyname.net/500) to NP Identity Ifc:10.0.0.154/500 (10.0.0.154/500)

Jun 08 2007 21:35:07: %ASA-4-713903: Group = 192.168.29.2, IP = 192.168.29.2, Can't find a valid tunnel group, aborting...!

Jun 08 2007 21:35:07: %ASA-3-713902: Group = 192.168.29.2, IP = 192.168.29.2, Removing peer from peer table failed, no match!

Jun 08 2007 21:35:07: %ASA-4-713903: Group = 192.168.29.2, IP = 192.168.29.2, Error: Unable to remove PeerTblEntry

router# show vers

Cisco Adaptive Security Appliance Software Version 7.2(2)

Device Manager Version 5.2(2)

Licensed features for this platform:

Maximum Physical Interfaces : 8

VLANs : 3, DMZ Restricted

Inside Hosts : 50

Failover : Disabled

VPN-DES : Enabled

VPN-3DES-AES : Enabled

VPN Peers : 10

WebVPN Peers : 2

Dual ISPs : Disabled

VLAN Trunk Ports : 0

This platform has a Base license.

I am attaching the config.

Thanks for your help!

3 Replies 3

jpginexi
Level 1
Level 1

Ok, I was able to get this working by not trying to use user defined tunnel groups.

I modified the DefaultRAGroup and used it instead and was able to connect to a tunnel group. Is this a known issue?

However this only got me past Phase1. Phase2 kept erroring with the error "All IPSec SA proposals found unacceptable!".

To get past this error, I removed pfs and switched to use md5 from sha.

crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport

crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

Those two changes enabled Phase2 to complete successfully and the tunnel was set up.

This is the config that works:

Thank you very much for the info.

To answer your question why only the default RA group is working:

Since the lt2p/ipsec client doesn't specify a group name the default values of the default RA group will be used. This is the reason why you have to use this group.

Question

I also had some problems with l2tp being that the tunnel was ok but I was not able to access resources from the l2tp client to the remote site throught the tunnel.