06-04-2004 07:29 AM - edited 02-21-2020 01:11 PM
I am looking for a VPN config sample using :
Windows XP Pro l2tp/IPsec native vpn client connected to an IOS VPN router (12.3(7)T) along with Cisco easyvpn hardware or software clients.
Authentication is done through certificates.
I didn't find any IOS samples like this on Cisco's web, only PIX ones.
I successfully enrolled the XP client with the CA server, but I can't establish IPsec SAs.
Do I have to set ISAKMP profiles?
Can L2TP/AAA authentication be local?
Thanks for help
06-10-2004 08:54 AM
See if the document 'Configuring L2TP Client Initiated Tunnelling with Windows 2000 PC' helps. It is available at http://www.cisco.com/en/US/tech/tk801/tk703/technologies_configuration_example09186a00800946f5.shtml
06-11-2004 05:46 AM
Thanks for help
I would prefer a tip about L2TP over IPsec with an IOS gateway.
06-23-2004 11:39 AM
That document does not focus on the router config. We need a doc that talks about the router config.
08-02-2004 12:42 PM
Did you ever figure this out?
We have a very similar need for this sort of example config. We want to do almost the exact same thing.
Anyone out there know?
If we figure it out here, I'll post back to let you know.
08-02-2004 03:42 PM
I did figure it out before I went on vacation a few weeks ago, but it was running very, very slowly, something like 1200 baud over a 56k dialup. Unfortunately, I lost that test setup and will need to recreate it, which I am in the process of doing.
08-02-2004 02:52 PM
This can be done but cisco has not posted sample configs. You have to do a bit of experimenting, I'm afraid. You do need isakmp profiles, crypto maps and ipsec transform sets.
08-03-2004 09:29 AM
I've actually done quite a lot of experimenting. I have all those things, and still I keep running into trouble. I'm sure it's something stupid, but it'd be nice to know what the problem is.
It completes Phase 1 negotiations, but then fails before Phase 2 is complete. The debug output on the Cisco shows only "%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from %WinIPAddress% was not encrypted and it should've been." On the Windows side it just 'times out' about 30 seconds after the Cisco gives up.
I can post some configs when I dig them up. Any help you can provide would be great!
08-03-2004 09:50 AM
Here are some relevant parts of a config that failed. I've also tried a bunch of variations of it, but overall this is the basic way I was going... Maybe something stands out as blatantly wrong or missing?
There may be a few other lines I did try that aren't present; this is the closest config that I could find to the one that worked about halfway...
hostname TESTCISCOROUTER
!
username CVPN password 0 VPNPASS
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa session-id common
ip subnet-zero
!
!
ip domain name testdomain.com
ip name-server 192.168.5.253
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key TESTKEY1 address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local IPPOOL
!
crypto ipsec transform-set TRANS ah-sha-hmac esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map DYNMAP 10
set security-association lifetime kilobytes 250000
set transform-set TRANS
match address 115
!
!
crypto map CRYPTOMAP client configuration address respond
crypto map CRYPTOMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
interface Ethernet0
ip address 192.168.2.1 255.255.255.0
half-duplex
crypto map CRYPTOMAP
!
interface FastEthernet0
ip address 192.168.5.70 255.255.0.0
speed auto
full-duplex
!
!
ip local pool IPPOOL 192.168.10.10 192.168.10.30
!
!
access-list 115 permit ip any any
08-03-2004 11:52 AM
Sounds like XP is not configuring the necessary temporary IPsec filters. Open the IP Security Monitor snap-in for MMC and look to see if a filter is there during negotiation. If not, check your IPsec policy settings (use the IPsec Policy snap-in or the Group Policy snap-in for the appropriate GPO).
You can use a packet sniffer like MS NetMon to see what IPSec policies the Cisco is proposing.
The following policies should work for Windows XP:
!
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
mode transport
!
crypto dynamic-map testmap 10
set transform-set 3DES-MD5
!
crypto map testmap 10 ipsec-isakmp dynamic testmap
!
08-04-2004 01:13 PM
Thanks, I'll take a look at it closer on the windows side.
Should this work "out of the box" on a default windows system (aside from settings set in the VPN properties window?) There's no registry hacks or anything that are needed right? Since the idea is to EASE deployment, by not requiring a client install or anything on the user's machines...
08-04-2004 04:09 PM
It _should_ work right out-of-box. It might not work if your network has non-default IPSec policies implemented through group policy or non-default local policies.
08-05-2004 11:46 AM
I've now tried it on a few other WinXP machines, and none of them seem to work either. There's SOMETHING wrong, I'm just not sure WHAT. What else should I look for, or look at? I've got no problem digging through hidden logs and registry settings, I just need to know what to dig through.
I haven't messed with the ipsec policies at all...
I don't know even what I'd put in them if I were to set some up. I see the default ones there however.
There was an old Microsoft knowledgebase article about modifying one of the policies, but I can't find it now...something about switching the addresses?
Do you know a good place to look for info about the this setup? This has been like a 3-month side-project now, and we're getting no-where.
Sorry to keep bugging you about this, but you're the only person I've found who has any clue about this. If you have any idea where we can go to get further help, please let me know.
08-06-2004 09:29 AM
OK, I just figured out that the "no-xauth" option is required at the end of the shared key I put in.
With that shared key, it now successfully completes Phase 1 & 2 negotiations!
But it still doesn't finish. It simply hangs after Phase 2 QM completes, at the QM_IDLE state. Nothing assigns Windows an IP address or other info, and no user/pass is authenticated. Any ideas on the settings needed for that? As it is now, Windows just waits 10 seconds after it's established, and then disconnects the session.
08-06-2004 11:24 AM
You need to setup an ip address pool in the cisco. The cisco won't forward DHCP requests.
I'm not sure about the no-xauth option, but make sure that you are not authenticating the tunnel itself. Do this with the "no l2tp tunnel authentication" option in vpdn-group config:
vpdn enable
!
vpdn-group 1
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key
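A complete IOS-side configuration for the Windows XP native L2TP/IPsec client, assembled as an added example from the pieces this thread settles on (wildcard pre-shared key with no-xauth, transport-mode ESP, a vpdn-group with tunnel authentication turned off, addresses from a local pool). It is not a config posted by anyone in the thread and not taken from Cisco documentation; the hostname, addresses, pool, key, usernames and map names are made up, and the remarks on what Windows proposes by default come from my own experience rather than from the thread.

```cisco
hostname L2TPGW
!
aaa new-model
! PPP users for the L2TP session. Use "password", not "secret": CHAP/MS-CHAP
! need the cleartext password on the router to check the challenge response.
aaa authentication ppp default local
username vpnuser password 0 ChangeMe123
!
! Phase 1: what Windows XP proposes by default (3DES, SHA-1, DH group 2, PSK).
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
!
! Wildcard pre-shared key. "no-xauth" is the detail that fixed Phase 1 in the
! thread: without it IOS expects extended authentication, which the Windows
! client does not perform.
crypto isakmp key SharedSecret address 0.0.0.0 0.0.0.0 no-xauth
!
! Phase 2: ESP only, transport mode. L2TP/IPsec protects UDP/1701 between the
! two hosts, so the Windows proxy IDs are host-to-host and transport mode is
! required; a tunnel-mode transform set will not match.
crypto ipsec transform-set L2TP-TS esp-3des esp-sha-hmac
 mode transport
!
! Dynamic map with no "match address": the peer address is unknown in advance
! and the proxy identities come from the client's proposal.
crypto dynamic-map L2TP-DYN 10
 set transform-set L2TP-TS
!
crypto map L2TP-MAP 10 ipsec-isakmp dynamic L2TP-DYN
!
! L2TP server side. Tunnel authentication is off because the Windows client
! sends no L2TP tunnel password; IPsec has already authenticated the peer.
vpdn enable
!
vpdn-group L2TP
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
! The client address is handed out by PPP/IPCP from this pool, not by IKE
! mode-config, so no "crypto isakmp client configuration" lines are needed.
ip local pool L2TP-POOL 192.168.10.10 192.168.10.30
!
interface Virtual-Template1
 ip unnumbered FastEthernet0
 peer default ip address pool L2TP-POOL
 ppp authentication ms-chap-v2 ms-chap chap
!
interface Ethernet0
 description outside, where the Windows clients arrive
 ip address 203.0.113.1 255.255.255.0
 crypto map L2TP-MAP
!
interface FastEthernet0
 description inside
 ip address 192.168.5.70 255.255.255.0
```

To verify, `show crypto isakmp sa` should show the client in QM_IDLE, `show crypto ipsec sa` should show both encaps and decaps counters rising, and `show vpdn session` should list the L2TP session; `debug crypto isakmp`, `debug crypto ipsec` and `debug vpdn l2x-events` tell you which of the three stages (IKE, IPsec, L2TP/PPP) is the one failing. For certificate authentication, as in the original question, replace `authentication pre-share` with `authentication rsa-sig` and the `crypto isakmp key` line with a trustpoint; `no-xauth` is a property of the pre-shared key only and has no equivalent there. If either endpoint sits behind NAT, both sides must support NAT-T, and Windows XP additionally needs a registry change before it will accept an L2TP/IPsec server behind NAT.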