06-04-2004 07:29 AM - edited 02-21-2020 01:11 PM
I am looking for a VPN config sample using:
Windows XP Pro L2TP/IPsec native VPN client connected to an IOS VPN router (12.3(7)T), along with Cisco Easy VPN hardware or software clients.
Authentication is done through certificates.
I didn't find any IOS samples like this on Cisco's web site, only PIX ones.
I successfully enrolled the XP client with the CA server, but I can't establish IPsec SAs.
Do I have to set ISAKMP profiles?
Can L2TP/AAA authentication be local?
Thanks for your help.
08-06-2004 12:24 PM
OK, well, without the no-xauth, the debug in phase 2 QM negotiations gets XAUTH errors, and Windows sends back an unknown protocol error (unencrypted), which the Cisco interprets as a bad response and attempts to re-establish phase 1 of the connection.
As for the VPDN stuff, I never had that set up right either, I suspect... I'll try adding that "no tunnel authentication" bit Monday, as it's the end of my day here...
Right now I have:
vpdn-group 1
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 10
and
interface Virtual-Template10
 ip unnumbered FastEthernet0
 no ip route-cache
 peer default ip address pool IPPOOL
 ppp authentication ms-chap ms-chap-v2 chap pap
!
ip local pool IPPOOL 172.16.10.1 172.16.10.20
I've also attached a text file of the whole damn config. There are a few bits left over from other things I've tried, which I don't think are interfering, but I'll clean it out a bit more Monday.
08-09-2004 05:33 AM
That was the final piece!!!
The 'no l2tp tunnel authentication' did it!
Thank you SO MUCH for all your help!
I'm going to get a sample config of this setup written up and post it around all those other forums and sites that were unsure how to set this up...
Thanks again!
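Putting the pieces discussed in this thread together, here is a complete IOS configuration for terminating the Windows XP native L2TP/IPsec client with certificate (rsa-sig) authentication. This is an added example, not a config posted by anyone in the thread, and it does not include the Easy VPN client side from the original question. The hostname, the trustpoint name MYCA, the enrollment URL, the crypto map and transform-set names, the username, the outside interface FastEthernet0 and all addresses are assumptions. The `crypto ca trustpoint` syntax is the pre-12.3(7)T form, which later releases still accept.

```cisco
! Added example, not from the thread. Names, addresses and the enrollment URL are assumed.
!
! --- PKI: the router needs its own certificate before any of this works.
! --- Prerequisites in exec mode: ip domain-name, crypto key generate rsa,
! --- then crypto ca authenticate MYCA and crypto ca enroll MYCA.
! --- CRL handling is left at its default here; set it to suit your CA.
crypto ca trustpoint MYCA
 enrollment url http://10.0.0.5:80
!
! --- Phase 1: certificates (rsa-sig). 3DES/SHA/group 2 is one of the
! --- proposals the Windows XP native client sends.
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication rsa-sig
 group 2
!
! --- Phase 2: Windows L2TP/IPsec protects UDP 1701 with ESP in transport mode,
! --- so the transform set must be transport mode, not the default tunnel mode.
crypto ipsec transform-set L2TP-TS esp-3des esp-sha-hmac
 mode transport
!
! --- The client's source address is not known in advance, so use a dynamic map.
! --- No "client authentication list" on the map: that is what would trigger XAUTH,
! --- which the Windows client does not support.
crypto dynamic-map DYN-L2TP 10
 set transform-set L2TP-TS
!
crypto map VPNMAP 10 ipsec-isakmp dynamic DYN-L2TP
!
! --- L2TP: accept incoming tunnels onto a virtual template. The Windows client
! --- does not do L2TP tunnel authentication, so it must be turned off.
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 10
 no l2tp tunnel authentication
!
! --- PPP: with no "aaa new-model", "ppp authentication" uses the local username
! --- database, which answers the question of whether AAA can be local.
! --- MS-CHAP v2 is what the XP client offers by default.
username xpuser password 0 xppassword
!
ip local pool IPPOOL 172.16.10.1 172.16.10.20
!
interface Virtual-Template10
 ip unnumbered FastEthernet0
 peer default ip address pool IPPOOL
 ppp authentication ms-chap-v2
!
! --- Outside interface: the crypto map goes on the interface the client connects to.
interface FastEthernet0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPNMAP
```

To check the result from the router, `show crypto isakmp sa` should show an active main-mode SA to the client's address after the certificate exchange, `show crypto ipsec sa` should show a transport-mode SA for UDP 1701 in both directions, and `show vpdn` should list the L2TP tunnel and session once PPP has authenticated the user. If phase 1 fails with certificate errors, `debug crypto isakmp` together with `debug crypto pki transactions` shows which side rejected the peer's certificate.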
08-16-2004 12:22 AM
You know, I already tested all this stuff by myself, since no one answered for nearly 2 months.
Everybody there talks about pre-shared keys, and that works easily.
But who has tried the native Windows XP L2TP/IPsec config based on certificates?
I tried it, and I can't explain why IOS 12.3(7)T is unable to match the ISAKMP identity with the OU field contained in the cert.
This is my only problem.
I posted a topic on this problem but got no answers.
I think I'll move to 12.3(8)T, since there I can choose the cert field I want.