Sample config for Windows XP L2TP/IPsec to IOS VPN router

falain
Level 1

I am looking for a VPN config sample using :

Windows XP Pro l2tp/IPsec native vpn client connected to an IOS VPN router (12.3(7)T) along with Cisco easyvpn hardware or software clients.

Authentication is done through certificates.

I didn't find any IOS samples like this on Cisco's website, only PIX ones.

I successfully enrolled XP client with CA server, but I can't establish IPsec SAs.

Do I have to set ISAKMP profiles?

Can L2TP/AAA authentication be local?

Thanks for help

17 Replies

Ok, well without the no-xauth the debug in phase 2 QM negotiations gets XAUTH errors, and Windows sends back an unknown protocol error (unencrypted), which the Cisco interprets as a bad response and attempts to re-establish phase 1 of the connection.

As for the VPDN stuff, I never had that setup right either I suspect...I'll try adding that no tunnel authentication bit Monday, as it's the end of my day here...

Right now I have:

vpdn-group 1
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 10

and

interface Virtual-Template10
 ip unnumbered FastEthernet0
 no ip route-cache
 peer default ip address pool IPPOOL
 ppp authentication ms-chap ms-chap-v2 chap pap
!
ip local pool IPPOOL 172.16.10.1 172.16.10.20

I've also attached the text file of the whole damn config. There's a few bits left over from other stuff I've tried...which I don't think is interfering, but I'll clean it out a bit more Monday.

That was the final piece!!!

the 'no l2tp tunnel authentication' did it!

Thank you SO MUCH for all your help!

I'm going to get a sample config of this setup written up, and post it around all those other forums and sites which were unsure how to set this up...

Thanks again!

You know, I already tested all this stuff by myself since no one answered for about 2 months.

Everybody there talks about preshared keys, and it works easily.

But who has tried the native WXP L2TP/IPsec config based on certificates?

I tried it and I can't explain why IOS 12.3(7)T is unable to match the ISAKMP identity with the OU field contained in the cert.

This is my only problem.

I posted a topic on this problem but got no answers.

I think I'll move to 12.3(8)T since I can choose the cert field I want.
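The following is an added configuration sketch, written for this page; it is neither the poster's attached config file nor a Cisco sample. It puts together the pieces the thread settles on: certificate (RSA-SIG) authentication with no XAUTH so the Windows XP client is not sent the XAUTH request it rejects, a transport-mode transform set, the VPDN group with "no l2tp tunnel authentication", the virtual template with a local pool, and a certificate map selecting clients by the OU field of their certificate (the "choose the cert field" approach the last post is after). The interface name FastEthernet0, the trustpoint name MYCA and its enrollment URL, the OU value "vpnusers", the username, the pool range and the cipher choices are all assumed placeholders, and whether "crypto pki certificate map" and "match certificate" are available depends on the IOS release (older 12.3T images also use "crypto ca" rather than "crypto pki").

```ios
! Added example, not the poster's config or a Cisco sample.
! Placeholders: FastEthernet0, MYCA, ca.example.test, ou=vpnusers, xpuser.
!
! --- certificate (RSA-SIG) authentication ---
crypto pki trustpoint MYCA
 enrollment url http://ca.example.test:80
 revocation-check none
!
! Accept only peers whose certificate subject contains the chosen OU.
! "co" means "contains"; matching is case-insensitive.
crypto pki certificate map L2TP-CLIENTS 10
 subject-name co ou = vpnusers
!
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication rsa-sig
 group 2
!
! No "client authentication list" here: without XAUTH the router never
! sends the request that the XP client answers with an unencrypted
! "unknown protocol" error, which otherwise restarts phase 1.
crypto isakmp profile L2TP-CERT
 ca trust-point MYCA
 match certificate L2TP-CLIENTS
!
! Windows XP L2TP/IPsec negotiates transport mode, not tunnel mode
crypto ipsec transform-set L2TP-TS esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map L2TP-DYN 10
 set transform-set L2TP-TS
 set isakmp-profile L2TP-CERT
!
crypto map L2TP-MAP 10 ipsec-isakmp dynamic L2TP-DYN
!
interface FastEthernet0
 crypto map L2TP-MAP
!
! --- L2TP carried inside the IPsec SA ---
vpdn enable
!
vpdn-group 1
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 10
 ! The thread's "final piece": the XP client does not perform L2TP
 ! tunnel authentication, so the router must not require it
 no l2tp tunnel authentication
!
interface Virtual-Template10
 ip unnumbered FastEthernet0
 no ip route-cache
 peer default ip address pool IPPOOL
 ppp authentication ms-chap-v2
!
! Local PPP user, answering the question whether L2TP/AAA auth can be
! local: without aaa new-model, PPP authentication uses this database
username xpuser password 0 CHANGE-ME
!
ip local pool IPPOOL 172.16.10.1 172.16.10.20
```

To check each layer separately, "show crypto isakmp sa" should show the phase 1 SA in QM_IDLE before anything else is looked at, "show crypto ipsec sa" should show encaps/decaps counters rising for the transport-mode SA, and "show vpdn tunnel" and "show vpdn session" confirm the L2TP tunnel and PPP session on top of it; if ISAKMP is fine but the VPDN tunnel never appears, the tunnel authentication line is the first thing to verify.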