Beginner

VPN Client: support L2TP/IPSEC and IPSEC simultaneously

Hello,

My purpose is to have a VPN configuration working for an L2TP/IPSEC client (Windows 10) and an IPSEC client (Cisco VPN client).

I have the following configuration:

crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set myset mode transport
crypto ipsec ikev1 transform-set myset2 esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dynmap 10 set ikev1 transform-set myset
crypto dynamic-map dynmap 20 set ikev1 transform-set myset2
crypto map mymap 1 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
l2tp tunnel hello 30
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-idle-timeout 720
 vpn-tunnel-protocol l2tp-ipsec
 address-pools value vpn-admin
!
group-policy grp-admin internal
group-policy grp-admin attributes
 vpn-idle-timeout 720
 vpn-tunnel-protocol ikev1
 address-pools value vpn-admin
!
username admin password **************
username admin attributes
 vpn-group-policy DefaultRAGroup
 vpn-tunnel-protocol l2tp-ipsec
username reseau password ****************
username reseau attributes
 vpn-group-policy grp-admin
!
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn-admin
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2
!
tunnel-group grp-admin type remote-access
tunnel-group grp-admin general-attributes
 address-pool vpn-admin
 default-group-policy grp-admin
tunnel-group grp-admin ipsec-attributes
 ikev1 pre-shared-key *****

L2TP/IPSEC works well, but the Cisco VPN client does not.

The debug returns the following line:

"Aug 21 06:49:21 [IKEv1]Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: Tunnel  Cfg'd: Transport"

-> This means the entry using mode transport is the one being used: "crypto dynamic-map dynmap 10 set ikev1 transform-set myset".

Why is "crypto dynamic-map dynmap 20 set ikev1 transform-set myset2" not checked too?

If I change the priority:

crypto dynamic-map dynmap 5 set ikev1 transform-set myset2
crypto dynamic-map dynmap 10 set ikev1 transform-set myset

then L2TP/IPSEC doesn't work and the Cisco VPN client works well.

In this case "crypto dynamic-map dynmap 10 set ikev1 transform-set myset" is not checked and L2TP/IPSEC fails.

How can I fix it?

ASA version: 9.1(7)16

Thank you in advance.

Fred

Accepted Solutions
Enthusiast

Hello,

Remove the dynmap 20 and test with this command:

crypto dynamic-map dynmap 10 set ikev1 transform-set myset myset2

This should do the trick.

Gio

Cisco Employee

Hi,

Apply the two transform sets in one crypto dynamic map entry:

crypto dynamic-map dynmap 5 set ikev1 transform-set myset2 myset

HTH

Moh,

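To make the selection rule behind both answers concrete, here is an added example (not from the thread and not Cisco code) that models how only the lowest-sequence dynamic-map entry is consulted, then checks the original, swapped and merged configurations against the two clients' phase-2 proposals. The first-entry-only rule and the client proposals (constructed: AES-256/SHA, transport mode for L2TP/IPsec, tunnel mode for the Cisco VPN Client) are assumptions chosen to reproduce the debug line quoted in the question.

```python
# Simplified model (an assumption, not ASA code): a dynamic-map entry with no
# match ACL accepts any peer, so only the lowest-sequence entry is consulted and
# the client's IKEv1 phase-2 proposal is checked against that entry's sets only.

def parse_config(lines):
    """Return ({set name: (esp-enc, esp-auth, mode)}, [(seq, [set names])])."""
    sets, entries = {}, []
    for p in (line.split() for line in lines):
        if p[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            if p[5] == "mode":  # "... transform-set <name> mode transport"
                enc, auth, _ = sets[p[4]]
                sets[p[4]] = (enc, auth, p[6])
            else:               # "... transform-set <name> <esp-enc> <esp-auth>"
                sets[p[4]] = (p[5], p[6], "tunnel")   # ASA default mode
        elif p[:2] == ["crypto", "dynamic-map"]:
            # "crypto dynamic-map <map> <seq> set ikev1 transform-set <ts>..."
            entries.append((int(p[3]), p[7:]))
    return sets, sorted(entries)

def negotiate(sets, entries, proposal):
    """Return (accepted, reason) for a client proposal (esp-enc, esp-auth, mode)."""
    seq, names = entries[0]     # later entries (e.g. dynmap 20) are never reached
    for name in names:
        if sets[name] == proposal:
            return True, f"dynmap {seq}: {name} accepted"
    rcvd, cfgd = proposal[2], sets[names[0]][2]   # wording of the thread's debug line
    return False, f"dynmap {seq}: Encapsulation Mode: Rcv'd: {rcvd} Cfg'd: {cfgd}"

TS = [  # transform sets exactly as in the thread's configuration
    "crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac",
    "crypto ipsec ikev1 transform-set myset mode transport",
    "crypto ipsec ikev1 transform-set myset2 esp-aes-256 esp-sha-hmac",
]
ORIGINAL = TS + ["crypto dynamic-map dynmap 10 set ikev1 transform-set myset",
                 "crypto dynamic-map dynmap 20 set ikev1 transform-set myset2"]
SWAPPED = TS + ["crypto dynamic-map dynmap 5 set ikev1 transform-set myset2",
                "crypto dynamic-map dynmap 10 set ikev1 transform-set myset"]
FIXED = TS + ["crypto dynamic-map dynmap 5 set ikev1 transform-set myset2 myset"]

# Constructed proposals: L2TP/IPsec negotiates transport mode, the Cisco VPN
# Client tunnel mode; cipher and hash are assumed to match the thread's sets.
CLIENTS = {"L2TP/IPsec": ("esp-aes-256", "esp-sha-hmac", "transport"),
           "Cisco VPN Client": ("esp-aes-256", "esp-sha-hmac", "tunnel")}

def outcomes(config):
    """Which clients would complete phase 2 under a given configuration."""
    sets, entries = parse_config(config)
    return {c: negotiate(sets, entries, prop)[0] for c, prop in CLIENTS.items()}
```

Running `outcomes()` on the three configurations shows the original accepting only L2TP/IPsec, the swapped one only the Cisco VPN Client, and the merged entry both.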

Hello,

Thank you Gio and Moh, it works.

Fred
