Problem authenticating users on L2TP over IPSec tunnel

baskervi
Level 1

I have a customer with an older PIX-515e firewall with 7.2(4) firmware, and because of some circumstances, I'm trying to configure L2TP over IPSec. I'm stuck at an "Error 691: The remote connection was denied because the username and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server." I've set up local authentication for this connection, and I've tried using ms-chap-v2, chap, and pap, and all give the same results. I've confirmed the username and password, but I can't get past this.

On the PIX, I see "AAA user authentication Rejected : reason = Invalid password : local database : user = tetstuser". I can still see the unencrypted password on the screen, so I can copy and paste both username and password into the appropriate fields, and I still receive this error.

Does anyone have an idea as to where the problem may lie? Thank you.


8 Replies

Dinesh Moudgil
Cisco Employee

Hi

Please review the following document and this should address your concern:
https://supportforums.cisco.com/document/12375996/configure-l2tp-over-ipsec-using-cisco-asa-84-and-local-authentication

Please let me know if there are any additional concerns.

Regards,

Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

I appreciate the fast response. I've seen dozens of similar web pages, but I did go over the document and confirmed similar configurations, and I don't see anything wrong. Here's the relevant part of the VPN configuration:

access-list NONAT extended permit ip 10.12.85.0 255.255.255.0 10.12.96.0 255.255.255.0
access-list L2TP-ACL standard permit 10.12.85.0 255.255.255.0

ip local pool VPN-POOL 10.12.96.1-10.12.96.10 mask 255.255.255.0

nat (inside) 0 access-list NONAT

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA mode transport
crypto ipsec security-association lifetime seconds 3600
crypto dynamic-map dyna 20 set transform-set ESP-3DES-SHA
crypto map CRYPTO-MAP 1000 ipsec-isakmp dynamic dyna
crypto map CRYPTO-MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 4.2.2.2 8.8.8.8
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value L2TP-ACL
 default-domain value domain.com

tunnel-group DefaultRAGroup general-attributes
 address-pool VPN-POOL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

I've included snapshots of the client configuration as well. Thanks again.

Thanks for the config. Can you please share the username config as well as complete debug outputs?

Regards,

Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Thanks once again. I've attached the debug for the following:

debug aaa authentication enabled at level 1
debug l2tp event enabled at level 50
debug l2tp error enabled at level 50
debug crypto ipsec enabled at level 50
debug crypto engine enabled at level 50
debug crypto isakmp enabled at level 50

username testuser password * encrypted privilege 15
username testuser attributes
 vpn-tunnel-protocol l2tp-ipsec

Can you please modify the user as stated in the doc I shared and as stated by peer Rohan and share the test results?

Regards,

Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

That was it. I foolishly presumed that I'd need to enter the hashed or encrypted password - I didn't read the description well. It's working. Thank you greatly!

Hello 

In the local username/password database, append "mschap" so that MS-CHAP authentication is used.

Eg:

username cisco pass cisco@123 mschap

#Rohan
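The root cause in this thread is a local user stored without the "mschap" keyword while the tunnel-group's PPP attributes require MS-CHAPv2, which the local database then rejects as "Invalid password". The following is an added example (not code from the thread or from Cisco) that lints a show-run style ASA/PIX excerpt for exactly that mismatch, and also checks that the transform-set is in transport mode as L2TP/IPsec requires. The sample config is constructed from the snippets posted above; accepting "nt-encrypted" as well as "mschap" is an assumption based on how the ASA stores an MS-CHAP capable password in the running config.

```python
import re

# Constructed sample: the thread's ppp-attributes and transform-set lines,
# plus two local users, one of which lacks the "mschap" keyword.
SAMPLE_CONFIG = """\
username testuser password * encrypted privilege 15
username testuser attributes
 vpn-tunnel-protocol l2tp-ipsec
username cisco password cisco@123 mschap
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA mode transport
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
"""

def parse_users(config):
    """Return {username: set(trailing keywords)} from 'username X password Y ...' lines."""
    users = {}
    for line in config.splitlines():
        m = re.match(r"username (\S+) password \S+(.*)", line)
        if m:
            users[m.group(1)] = set(m.group(2).split())
    return users

def ppp_auth_methods(config):
    """Collect PPP auth methods enabled under any tunnel-group ppp-attributes block."""
    methods, in_ppp = set(), False
    for line in config.splitlines():
        if line.startswith("tunnel-group ") and line.rstrip().endswith("ppp-attributes"):
            in_ppp = True
            continue
        if in_ppp and line.startswith(" "):
            parts = line.split()
            if parts[0] == "authentication":  # 'no authentication ...' is skipped
                methods.add(parts[1])
            continue
        in_ppp = False  # any other top-level line ends the block
    return methods

def find_issues(config):
    """Report local users that cannot satisfy MS-CHAP, and a missing transport mode."""
    issues = []
    if ppp_auth_methods(config) & {"ms-chap-v1", "ms-chap-v2"}:
        for user, keywords in parse_users(config).items():
            if not keywords & {"mschap", "nt-encrypted"}:
                issues.append(f"user {user!r} lacks 'mschap' but PPP requires MS-CHAP")
    if not re.search(r"crypto ipsec transform-set \S+ mode transport", config):
        issues.append("no transform-set in transport mode (required for L2TP/IPsec)")
    return issues
```

Running find_issues on the sample flags testuser only; re-creating that user with the mschap keyword, as Rohan suggests, clears the finding.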

baskervi
Level 1

Thanks Rohan. I somehow skipped over your post earlier.