03-04-2009 09:20 AM
I am trying to set up an L2TP VPN connection on an XP laptop. On the ASA, I am using the DefaultRAGroup and the DfltGrpPolicy. I have set DefaultRAGroup to use a pre-shared key and set User Authentication to ACS_Radius. Our ACS server is tied to AD. Does anyone know if I can use ACS to authenticate this type of user, or do I have to create local accounts on the ASA?
When I attempt to connect from the laptop, I get error 789. On the ASA, I see this:
Group = DefaultRAGroup, IP = 63.xxx.xxx.xxx, PHASE 1 COMPLETED
Group = DefaultRAGroup, IP = 63.xxx.xxx.xxx, QM FSM error (P2 struct &0xcddc7d28, mess id 0x46986b08)!
Group = DefaultRAGroup, IP = 63.xxx.xxx.xxx, Removing peer from correlator table failed, no match!
Group = DefaultRAGroup, Username = , IP = 63.xxx.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
For one thing, it looks like the laptop isn't sending the username and password. I have tried a lot of different combos on the Microsoft side, like MSCHAPv2, MSCHAP, both of them or each one individually, and matched that setting on the ASA. No matter what, I get that same error. Anybody have any ideas?
03-05-2009 09:40 AM
Yeah... I've never trusted GUIs for configuration; I caught the following errors:
1. L2TP requires transport mode to be the type of IPSEC traffic used; your config seems to make reference to that, yet it is not defined:
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport <- (needed line)
2. This transform set is not attached to the dynamic crypto map, hence it is not used:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
It should look like:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
Lastly, just to clear up, make sure that your ACS_Radius server is indeed enabled for MS-CHAPv2 authentication from the ASA and the L2TP client; otherwise it will always fail.
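The two defects called out in this answer (a transform set that is never put into transport mode, and a transform set that is never attached to the dynamic crypto map) are exactly the kind of thing a small config lint catches before anyone has to read "Phase 2 Mismatch" in the syslog. The script below is an added example, not code from this thread or from Cisco. It parses only the lines it needs from ASA running-config text (transform sets, dynamic-map transform-set bindings, and each tunnel-group's ppp-attributes), then reports whether a transport-mode transform set exists and is bound to a dynamic map, and whether ms-chap-v2 is explicitly enabled per tunnel group. The two sample configs are constructed to mirror the before and after in this post; ASA default ppp-attributes are not modelled, only what is explicitly configured.

```python
import re
from dataclasses import dataclass, field


@dataclass
class AsaCryptoConfig:
    """The handful of ASA config facts the L2TP/IPsec checks below need."""
    transform_sets: dict = field(default_factory=dict)    # name -> {"transport": bool}
    dynamic_map_sets: dict = field(default_factory=dict)  # (map, seq) -> [transform-set names]
    ppp_auth: dict = field(default_factory=dict)          # tunnel-group -> set of PPP auth protocols


def parse_asa_config(text: str) -> AsaCryptoConfig:
    """Extract transform sets, dynamic-map bindings and ppp-attributes from ASA config text.

    ASA running-config indents sub-commands by one space; a non-indented line ends
    whatever block we were in. Everything else in the config is ignored.
    """
    cfg = AsaCryptoConfig()
    current_tg = None  # tunnel-group whose ppp-attributes block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):
            current_tg = None  # top-level command: leave any ppp-attributes block
        m = re.match(r"crypto ipsec transform-set (\S+) mode transport$", line)
        if m:
            cfg.transform_sets.setdefault(m.group(1), {"transport": False})["transport"] = True
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) esp-\S+", line)
        if m:
            cfg.transform_sets.setdefault(m.group(1), {"transport": False})
            continue
        m = re.match(r"crypto dynamic-map (\S+) (\d+) set transform-set (.+)$", line)
        if m:
            cfg.dynamic_map_sets[(m.group(1), int(m.group(2)))] = m.group(3).split()
            continue
        m = re.match(r"tunnel-group (\S+) ppp-attributes$", line)
        if m:
            current_tg = m.group(1)
            cfg.ppp_auth.setdefault(current_tg, set())
            continue
        if current_tg and line.startswith("no authentication "):
            cfg.ppp_auth[current_tg].discard(line.split()[2])
        elif current_tg and line.startswith("authentication "):
            cfg.ppp_auth[current_tg].add(line.split()[1])
    return cfg


def lint_l2tp(cfg: AsaCryptoConfig) -> list:
    """Return human-readable findings; an empty list means the L2TP/IPsec prerequisites are met."""
    findings = []
    transport = {n for n, attrs in cfg.transform_sets.items() if attrs["transport"]}
    attached = {n for names in cfg.dynamic_map_sets.values() for n in names}
    if not transport:
        findings.append("no transform-set has 'mode transport'; L2TP/IPsec needs transport mode")
    for name in sorted(cfg.transform_sets):
        if name not in attached:
            findings.append(f"transform-set {name} is defined but not attached to any dynamic-map")
    if transport and not (transport & attached):
        findings.append("no transport-mode transform-set is attached to a dynamic-map; expect Phase 2 mismatch")
    for tg, protos in sorted(cfg.ppp_auth.items()):
        if "ms-chap-v2" not in protos:
            findings.append(f"tunnel-group {tg}: ms-chap-v2 is not enabled under ppp-attributes")
    return findings


# Constructed sample mirroring the broken state described in this post (not the poster's full config).
BROKEN_CONFIG = """
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
"""

# Constructed sample with the two corrections the post calls for applied.
FIXED_CONFIG = """
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_3DES_SHA
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        findings = lint_l2tp(parse_asa_config(text))
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it against the output of "show running-config" saved to a file by passing the file contents to parse_asa_config; the broken sample yields two findings (no transport-mode transform set, and TRANS_ESP_3DES_SHA unattached), the fixed sample yields none.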
03-04-2009 10:45 AM
You can certainly use RADIUS to authenticate this user coming from this type of connection, either IAS or ACS or any other RADIUS server; there are several key points to consider when setting up this type of connection. For instance, unless specified on the server, you might need to have PAP as the authentication protocol under the tunnel group; make sure this setup is the same on the L2TP client under the advanced authentication parameters. Please go ahead and post your config so we can check that it is right.
03-05-2009 11:30 AM
That solved the connection issue. Thanks for the help. Now, I have another question. In ASDM, under Monitoring, VPN, VPN Stats, Sessions, I can see my connection but it says Encryption is none. In ACS under Microsoft Radius Attributes, I have Encryption Required and Encryption type set to 128 bit. On the MS Client, I have Data Encryption set to Require and the protocol set to CHAPv2.
Here is a 'sho crypto ips sa' from the ASA:
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: x64.x.x.x
local ident (addr/mask/prot/port): (x64.x.x.x/255.255.255.255/17/1701)
remote ident (addr/mask/prot/port): (x63.x.x.x/255.255.255.255/17/0)
current_peer: x63.x.x.x, username: domain\myusername
dynamic allocated peer ip: 10.x.x.52
#pkts encaps: 3748, #pkts encrypt: 3748, #pkts digest: 3748
#pkts decaps: 4809, #pkts decrypt: 4809, #pkts verify: 4809
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3748, #pkts comp failed: 0, #pkts decomp failed: 0
#post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 7
local crypto endpt.: x64.x.x.x/4500, remote crypto endpt.: x63.x.x.x/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: F8E88351
inbound esp sas:
spi: 0x3330BF91 (858832785)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Transport, NAT-T-Encaps, }
slot: 0, conn_id: 9916416, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (230321/2829)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xF8E88351 (4175987537)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Transport, NAT-T-Encaps, }
slot: 0, conn_id: 9916416, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (229859/2829)
IV size: 8 bytes
replay detection support: Y
03-05-2009 11:42 AM
Good to hear. I'd like to see what you see, so please log into your ASA via CLI and get the output of the following command:
show vpn-sessiondb detailed remote
03-05-2009 11:48 AM
Look at the L2TPOverIPsecOverNAT. That is what I see in the ASDM that shows encryption as None.
lsfw01# sho vpn-sessiondb deta remote
Username : domain\myusername Index : 2423
Assigned IP : 10.x.x.52 Public IP : x63.x.x.x
Protocol : IKE IPsecOverNatT L2TPOverIPsecOverNatT
License : IPsec
Encryption : none 3DES Hashing : MD5 SHA1
Bytes Tx : 532404 Bytes Rx : 416288
Pkts Tx : 998 Pkts Rx : 1249
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : DefaultRAGroup Tunnel Group : DefaultRAGroup
Login Time : 13:01:10 CST Thu Mar 5 2009
Duration : 0h:03m:07s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
IKE Tunnels: 1
IPsecOverNatT Tunnels: 1
L2TPOverIPsecOverNatT Tunnels: 1
IKE:
Tunnel ID : 2423.1
UDP Src Port : 4500 UDP Dst Port : 4500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : 3DES Hashing : MD5
Rekey Int (T): 28800 Seconds Rekey Left(T): 28613 Seconds
D/H Group : 2
Filter Name :
IPsecOverNatT:
Tunnel ID : 2423.2
Local Addr : x64.x.x.x/255.255.255.255/17/1701
Remote Addr : x63.x.x.x/255.255.255.255/17/0
Encryption : 3DES Hashing : SHA1
Encapsulation: Transport
Rekey Int (T): 3600 Seconds Rekey Left(T): 3413 Seconds
Rekey Int (D): 231933 K-Bytes Rekey Left(D): 231414 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 532404 Bytes Rx : 416288
Pkts Tx : 998 Pkts Rx : 1249
L2TPOverIPsecOverNatT:
Tunnel ID : 2423.3
Username : domain\myusername
Assigned IP : 10.x.x.52 Public IP : x63.x.x.x
Encryption : none Auth Mode : msCHAPV2
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Client OS : Microsoft
Client OS Ver: 5.0
Bytes Tx : 504263 Bytes Rx : 380942
Pkts Tx : 993 Pkts Rx : 1241
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 187 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
03-05-2009 01:02 PM
I see what you are saying; honestly, I have never noticed that before, since the encryption used by IPsec along with the hashing used with MS-CHAPv2 seems like enough to me. I would not be able to give you an answer as to why this is not shown here. My guess is that maybe the ACS does not support this type of encryption.
03-05-2009 01:11 PM
Sounds good. I appreciate your time and help with this.
Thanks
09-08-2010 06:51 AM
I am having a somewhat similar problem with my setup. However, in my case, L2TP users are able to connect but are not able to reach the remote LAN (i.e. the network behind the ASA, 192.168.24.0 255.255.254.0), while Cisco VPN clients can. If I manually enter the static route on the L2TP client, it is able to connect to the 192.168.24.0/23 network. The route command is "route add 192.168.24.0 mask 255.255.254.0 172.16.10.x", x being the last octet of the assigned IP from the remote pool.
object-group network DMZ
 network-object 192.168.24.0 255.255.254.0
object-group network RAS_Users
 network-object 172.16.10.0 255.255.255.0
access-list RAVPN_Split_Tunnel standard permit 192.168.24.0 255.255.254.0
access-list nonat-traffic extended permit ip object-group DMZ object-group RAS_Users
ip local pool CARTVPN 172.16.10.1-172.16.10.254
nat (inside) 0 access-list nonat-traffic
crypto ipsec transform-set NJ1 esp-3des esp-md5-hmac
crypto ipsec transform-set CART-PPTP esp-3des esp-sha-hmac
crypto ipsec transform-set CART-PPTP mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 20 set transform-set CART-PPTP NJ1
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec l2tp-ipsec
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RAVPN_Split_Tunnel
tunnel-group DefaultRAGroup general-attributes
 address-pool CARTVPN
 authentication-server-group CART-RADIUS
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
group-policy DMZ-RA-VPN-GROUP internal
group-policy DMZ-RA-VPN-GROUP attributes
 dns-server value 8.8.8.8
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RAVPN_Split_Tunnel
tunnel-group DMZ-RA-VPN-GROUP type remote-access
tunnel-group DMZ-RA-VPN-GROUP general-attributes
 address-pool CARTVPN
 authentication-server-group CART-RADIUS
 default-group-policy DMZ-RA-VPN-GROUP
tunnel-group DMZ-RA-VPN-GROUP ipsec-attributes
 pre-shared-key *****