03-08-2009 01:16 AM - edited 02-21-2020 04:10 PM
I'm trying to get Apple's l2tp/ipsec client to function with an ASA. I've successfully connected with Cisco's client, with the desired access to the remote subnet, but as soon as I add this command:
crypto ipsec transform-set TUNNEL_ESP_3DES_SHA mode transport
the Cisco client can no longer connect.
Once the transform set is set to transport mode, the Apple client can connect, but it can't see any of the remote LAN resources. Here's the config:
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address w.x.y.z 255.255.255.252
!
access-list SPLIT extended permit ip 192.168.1.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.150.0 255.255.255.0
ip local pool ra_ip_pool 192.168.150.1-192.168.150.254 mask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 w.x.y.z 1
crypto ipsec transform-set TUNNEL_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TUNNEL_ESP_3DES_SHA mode transport
crypto dynamic-map client-crypto-map 40 set transform-set TUNNEL_ESP_3DES_SHA
crypto map cm-client-ra-vpn 20 ipsec-isakmp dynamic client-crypto-map
crypto map cm-client-ra-vpn interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 3600
client-update enable
dhcpd auto_config outside
!
dhcpd address 192.168.1.2-192.168.1.33 inside
dhcpd enable inside
!
group-policy client_ra_vpn_gp internal
group-policy client_ra_vpn_gp attributes
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT
tunnel-group DefaultRAGroup general-attributes
address-pool ra_ip_pool
default-group-policy client_ra_vpn_gp
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group client_ra_vpn_tg type ipsec-ra
tunnel-group client_ra_vpn_tg general-attributes
address-pool ra_ip_pool
default-group-policy client_ra_vpn_gp
tunnel-group client_ra_vpn_tg ipsec-attributes
pre-shared-key *
tunnel-group client_ra_vpn_tg ppp-attributes
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 2048
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
!
service-policy global_policy global
03-08-2009 05:39 AM
Hi,
Have you tried adding both configs with different sequence numbers? i.e.
crypto ipsec transform-set CISCO_CLIENT esp-3des esp-sha-hmac
crypto ipsec transform-set APPLE_CLIENT esp-3des esp-sha-hmac
crypto ipsec transform-set APPLE_CLIENT mode transport
crypto dynamic-map client-crypto-map 40 set transform-set CISCO_CLIENT
crypto dynamic-map client-crypto-map 50 set transform-set APPLE_CLIENT
Regards
03-08-2009 12:04 PM
I added the 2nd config; the Cisco client still works, the Apple client doesn't. Just to retest, I added mode transport to CISCO_CLIENT without changing anything else, and sure enough, the Apple client can connect but no traffic passes.
I then tried simply changing the order in the crypto dynamic-map, and whichever is first in sequence is successful, the other fails. Still no traffic when apple client connects.
Looking at debug messages during Apple client failure, Phase 1 is successful, Phase 2 reports "All IPSec SA proposals found unacceptable"
05-09-2009 06:04 AM
Hi,
I have a similar problem with an ASA 5510 running 8.2(1), but the same with 8.0.4(31):
- iPhone using IPSEC works on ASA 5510
- no way to set up the ASA for iPhone and Mac using L2TP over IPsec
Any ideas ?
Failure is after Phase 1, where I have:
- All IPSec SA proposals found unacceptable!
- QM FSM error (P2 struct &0xd9c86038, mess id 0x9e07a9fa)!
Thanks for any help!
Regards
Nicolas
05-09-2009 11:39 PM
Hi,
I made some progress!
Now I have a failure after Phase 2 for L2TP when I try from the Mac or iPhone using L2TP, but the iPhone using the built-in Cisco IPsec client continues to work.
Here are some debugs regarding the L2TP access:
May 10 09:32:14 IKEv1: IP = 82.246.31.188, IKE_DECODE RECEIVED Message (msgid=dcaebe4c) with payloads : HDR + HASH (8) + NONE (0) total length : 52
May 10 09:32:14 IKEv1 DEBUG: Group = DefaultRAGroup, IP = 82.246.31.188, processing hash payload
May 10 09:32:14 IKEv1 DEBUG: Group = DefaultRAGroup, IP = 82.246.31.188, loading all IPSEC SAs
May 10 09:32:14 IKEv1 DEBUG: Group = DefaultRAGroup, IP = 82.246.31.188, Generating Quick Mode Key!
May 10 09:32:14 IKEv1 DEBUG: Group = DefaultRAGroup, IP = 82.246.31.188, NP encrypt rule look up for crypto map outside_dyn_map 1 matching ACL Unknown: returned cs_id=d9cd7b18; rule=00000000
May 10 09:32:14 IKEv1 DEBUG: Group = DefaultRAGroup, IP = 82.246.31.188, Generating Quick Mode Key!
May 10 09:32:14 IKEv1 DEBUG: Group = DefaultRAGroup, IP = 82.246.31.188, NP encrypt rule look up for crypto map outside_dyn_map 1 matching ACL Unknown: returned cs_id=d9cd7b18; rule=00000000
May 10 09:32:14 IKEv1: Group = DefaultRAGroup, IP = 82.246.31.188, Security negotiation complete for User () Responder, Inbound SPI = 0xfa085ca6, Outbound SPI = 0x0e1fc739
May 10 09:32:14 IKEv1 DEBUG: Group = DefaultRAGroup, IP = 82.246.31.188, IKE got a KEY_ADD msg for SA: SPI = 0x0e1fc739
May 10 09:32:14 IKEv1 DEBUG: Group = DefaultRAGroup, IP = 82.246.31.188, Pitcher: received KEY_UPDATE, spi 0xfa085ca6
May 10 09:32:14 IKEv1 DEBUG: Group = DefaultRAGroup, IP = 82.246.31.188, Starting P2 rekey timer: 3420 seconds.
May 10 09:32:14 IKEv1: Group = DefaultRAGroup, IP = 82.246.31.188, PHASE 2 COMPLETED (msgid=dcaebe4c)
May 10 09:32:14 IKEv1: IKEQM_Active() Add L2TP classification rules: ip <82.246.31.188> mask <0xFFFFFFFF> port <36755>
L2TP LOWERLAYER: l2tp_add_classification_rules()...ip <82.246.31.188> mask <255.255.255.255> port <36755>
L2TP LOWERLAYER: l2tp_add_fw_rule(): If 1, peer IP 82.246.31.188, peer port 36755
L2TP LOWERLAYER: np_classify_add_static(PERMIT) vpif_num<1> np_rule_id <0xd77b18c0>
L2TP LOWERLAYER: l2tp_add_punt_rule(): If 1, peer IP 82.246.31.188, peer port 36755
L2TP LOWERLAYER: np_classify_add_static(PUNT) vpif_num<1> np_rule_id <0xd7b50c50>
L2TP LOWERLAYER: l2tp_punt_service_callback() ch:<0xd5a95140>, flow:<0x27321bf2> inVpifNum<1:outside> outVpifNum<0:NP Identity Ifc>
L2TP PACKET: vPifNum:<1> proto
L2TP PACKET:
dest_ip <82.246.31.188>, dest_port <36755>, ipsec_ident<0x9a000>, vPifNum <1:outside>, channel: <0xd5a95180>
L2TP LOWERLAYER: PUNT CONSUMED!
L2TP LOWERLAYER: l2tp_punt_service_callback() ch:<0xd5a95140>, flow:<0x27321bf2> inVpifNum<1:outside> outVpifNum<0:NP Identity Ifc>
L2TP PACKET: vPifNum:<1> proto
.........
May 10 09:32:16 IKEv1 DEBUG: Group = DefaultRAGroup, IP = 82.246.31.188, IKE SA MM:8c279c79 rcv'd Terminate: state MM_ACTIVE flags 0x00010042, refcnt 1, tuncnt 1
May 10 09:32:16 IKEv1 DEBUG: Group = DefaultRAGroup, IP = 82.246.31.188, sending delete/delete with reason message
May 10 09:32:16 IKEv1 DEBUG: Group = DefaultRAGroup, IP = 82.246.31.188, constructing blank hash payload
May 10 09:32:16 IKEv1 DEBUG: Group = DefaultRAGroup, IP = 82.246.31.188, constructing IPSec delete payload
May 10 09:32:16 IKEv1 DEBUG: Group = DefaultRAGroup, IP = 82.246.31.188, constructing qm hash payload
May 10 09:32:16 IKEv1: IP = 82.246.31.188, IKE_DECODE SENDING Message (msgid=ac044337) with payloads : HDR + HASH (8) + DELETE (12) + NONE
I read somewhere on the Cisco site that L2TP must use the default group and policy, which is not possible for me. If that's correct, I don't know how to solve this!
Regards
Nicolas
05-11-2009 12:01 AM
It works!!!
You just need to disable all ms-chap-vx and enable PAP only under ppp-attributes.
Regards
Nicolas
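Putting the two findings of this thread together (the transform-set ordering problem from the first posts and the ppp-attributes fix from the last one), here is an added example configuration. It is not from the original posters and is written against the names used in the first post (TUNNEL_ESP_3DES_SHA, client-crypto-map, cm-client-ra-vpn, client_ra_vpn_gp, ra_ip_pool, SPLIT); the transform set TRANS_ESP_3DES_SHA and the user vpnuser are assumed names. Instead of two dynamic-map entries, of which only the first ever matches, both transform sets are listed on one entry so the ASA can select whichever matches the peer's Phase 2 proposal. The native Apple and Windows L2TP/IPsec clients send no group name during Main Mode with a pre-shared key, so their IKE session lands on DefaultRAGroup, which is why that tunnel-group carries the L2TP settings.

```text
! Added example, not the thread's original config.
! One transform set in tunnel mode (Cisco VPN Client) and one in transport
! mode (Apple/Windows L2TP/IPsec); both on a single dynamic-map entry.
crypto ipsec transform-set TUNNEL_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map client-crypto-map 40 set transform-set TRANS_ESP_3DES_SHA TUNNEL_ESP_3DES_SHA
crypto map cm-client-ra-vpn 20 ipsec-isakmp dynamic client-crypto-map
crypto map cm-client-ra-vpn interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal 3600
!
! The group policy must allow both tunnel protocols.
group-policy client_ra_vpn_gp internal
group-policy client_ra_vpn_gp attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
!
! L2TP/IPsec with a pre-shared key always maps to DefaultRAGroup.
tunnel-group DefaultRAGroup general-attributes
 address-pool ra_ip_pool
 default-group-policy client_ra_vpn_gp
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
!
! PPP authentication: CHAP and MS-CHAPv1 are enabled by default on the ASA,
! so turn every method off explicitly and leave only PAP on.
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 no authentication ms-chap-v2
 authentication pap
!
! If MS-CHAPv2 is kept instead of PAP, a locally defined user must be stored
! with the mschap keyword, otherwise the ASA cannot complete the MS-CHAP
! exchange against the local database (assumed user name).
! username vpnuser password <secret> mschap
```

With PAP the PPP password travels unhashed inside the L2TP session; on the wire it is protected only by the ESP SA negotiated in Phase 2, and if the tunnel-group authenticates against an external RADIUS or LDAP server the credential leaves the ASA under that protocol's protection alone. Verify the result with `show crypto ipsec sa` (the L2TP client's SA should show transport mode and a local selector of UDP 1701) and `show vpn-sessiondb ra-ikev1-ipsec`, and keep `debug crypto isakmp` at hand: "All IPSec SA proposals found unacceptable" during Quick Mode still means no transform set in the dynamic-map entry matched the client's encapsulation mode.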