Sample config for Windows XP L2TP/IPsec to IOS VPN router

falain (Level 1)

I am looking for a VPN config sample using :

Windows XP Pro l2tp/IPsec native vpn client connected to an IOS VPN router (12.3(7)T) along with Cisco easyvpn hardware or software clients.

Authentication is done through certificates.

I didn't find any IOS samples like this on Cisco's web site, only PIX ones.

I successfully enrolled XP client with CA server, but I can't establish IPsec SAs.

Do I have to set isakmp profiles?

Can L2TP/AAA authentication be local?

Thanks for help

17 Replies

drolemc (Level 6)

See if the document 'Configuring L2TP Client Initiated Tunnelling with Windows 2000 PC' helps. It is available at http://www.cisco.com/en/US/tech/tk801/tk703/technologies_configuration_example09186a00800946f5.shtml

Thanks for help

I would prefer a tip about L2TP over IPsec with an IOS gateway.

That document does not focus on the router config. We need a doc that talks about the router config.

Shawn Lebbon (Level 1)

Did you ever figure this out?

We have a very similar need for this sort of example config. We want to do almost the exact same thing.

Anyone out there know?

If we figure it out here, I'll post back to let you know.

I did configure it before I went on vacation a few weeks ago, but it was running very, very slowly, something like 1200 baud over a 56k dialup. Unfortunately, I lost that test setup and will need to recreate it, which I am in the process of doing.

thomasmcleod (Level 1)

This can be done, but Cisco has not posted sample configs. You have to do a bit of experimenting, I'm afraid. You do need isakmp profiles, crypto maps and ipsec transform sets.

I've actually done quite a lot of experimenting. I have all those things, and still I keep running into trouble. I'm sure it's something stupid, but it'd be nice to know what the problem is.

It completes Phase 1 negotiations, but then fails before Phase 2 is complete. The debug output on the Cisco shows only "%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from %WinIPAddress% was not encrypted and it should've been." On the Windows side it just 'times out' about 30 seconds after the Cisco gives up.

I can post some configs when I dig them up. Any help you can provide would be great!

Here are some relevant parts of a config that failed. I've also tried a bunch of variations on it, but overall this is the basic way I was going... Maybe something stands out as blatantly wrong or missing?

There may be a few other lines I did try that aren't present; this is the closest config I could find to the one that worked about halfway...

hostname TESTCISCOROUTER
!
username CVPN password 0 VPNPASS
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa session-id common
ip subnet-zero
!
!
ip domain name testdomain.com
ip name-server 192.168.5.253
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key TESTKEY1 address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local IPPOOL
!
crypto ipsec transform-set TRANS ah-sha-hmac esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map DYNMAP 10
 set security-association lifetime kilobytes 250000
 set transform-set TRANS
 match address 115
!
!
crypto map CRYPTOMAP client configuration address respond
crypto map CRYPTOMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
interface Ethernet0
 ip address 192.168.2.1 255.255.255.0
 half-duplex
 crypto map CRYPTOMAP
!
interface FastEthernet0
 ip address 192.168.5.70 255.255.0.0
 speed auto
 full-duplex
!
!
ip local pool IPPOOL 192.168.10.10 192.168.10.30
!
!
access-list 115 permit ip any any

Sounds like XP is not configuring the necessary temporary IPSec filters. Open the IP Security Monitor snap-in for MMC and look to see if a filter is there during negotiation. If not, check your IPSec policy settings (use the IPSec Policy snap-in or the Group Policy snap-in for the appropriate GPO).

You can use a packet sniffer like MS NetMon to see what IPSec policies the Cisco is proposing.

The following policies should work for Windows XP:

!
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
 mode transport
!
crypto dynamic-map testmap 10
 set transform-set 3DES-MD5
!
crypto map testmap 10 ipsec-isakmp dynamic testmap
!

Thanks, I'll take a look at it closer on the windows side.

Should this work "out of the box" on a default windows system (aside from settings set in the VPN properties window?) There's no registry hacks or anything that are needed right? Since the idea is to EASE deployment, by not requiring a client install or anything on the user's machines...

It _should_ work right out-of-box. It might not work if your network has non-default IPSec policies implemented through group policy or non-default local policies.

I've now tried it on a few other WinXP machines, and none of them seem to work either. There's SOMETHING wrong, I'm just not sure WHAT. What else should I look for, or look at? I've got no problem digging through hidden logs and registry settings, I just need to know what to dig through.

I haven't messed with the ipsec policies at all...

I don't know even what I'd put in them if I were to set some up. I see the default ones there however.

There was an old Microsoft Knowledge Base article about modifying one of the policies, but I can't find it now... something about switching the addresses?

Do you know a good place to look for info about this setup? This has been like a 3-month side project now, and we're getting nowhere.

Sorry to keep bugging you about this, but you're the only person I've found who has any clue about this. If you have any idea where we can go to get further help, please let me know.

Ok, I just figured out that the "no-xauth" option is required at the end of the shared key I put in.

With that shared key, it now successfully completes Phase 1 & 2 negotiations!

But it still doesn't finish. It simply hangs after Phase 2 QM completes, at the QM_IDLE state. Nothing assigns Windows an IP address or other info, and no user/pass is authenticated. Any ideas on the settings needed for that? As it is now, windows just waits 10 seconds after it's established, and then disconnects the session.

You need to set up an IP address pool in the Cisco. The Cisco won't forward DHCP requests.

I'm not sure about the no-xauth option, but make sure that you are not authenticating the tunnel itself. Do this with the "no l2tp tunnel authentication" option in vpdn-group config:

vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key address 0.0.0.0 0.0.0.0