08-22-2017 09:12 AM - edited 03-12-2019 04:29 AM
Hello,
My purpose is to have a VPN configuration working for the L2TP/IPSEC client (Windows 10) and the IPSEC client (Cisco VPN client).
I have the following configuration:
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set myset mode transport
crypto ipsec ikev1 transform-set myset2 esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map dynmap 10 set ikev1 transform-set myset
crypto dynamic-map dynmap 20 set ikev1 transform-set myset2
crypto map mymap 1 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
l2tp tunnel hello 30
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-idle-timeout 720
vpn-tunnel-protocol l2tp-ipsec
address-pools value vpn-admin
!
group-policy grp-admin internal
group-policy grp-admin attributes
vpn-idle-timeout 720
vpn-tunnel-protocol ikev1
address-pools value vpn-admin
!
username admin password **************
username admin attributes
vpn-group-policy DefaultRAGroup
vpn-tunnel-protocol l2tp-ipsec
username reseau password ****************
username reseau attributes
vpn-group-policy grp-admin
!
tunnel-group DefaultRAGroup general-attributes
address-pool vpn-admin
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
no authentication ms-chap-v1
authentication ms-chap-v2
!
tunnel-group grp-admin type remote-access
tunnel-group grp-admin general-attributes
address-pool vpn-admin
default-group-policy grp-admin
tunnel-group grp-admin ipsec-attributes
ikev1 pre-shared-key *****
L2TP/IPSEC works well, but the Cisco VPN client does not.
The debug returns the following line:
"Aug 21 06:49:21 [IKEv1]Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: Tunnel Cfg'd: Transport"
-> it means the entry using mode transport is being used: "crypto dynamic-map dynmap 10 set ikev1 transform-set myset".
Why is "crypto dynamic-map dynmap 20 set ikev1 transform-set myset2" not checked too?
If I change the priority:
crypto dynamic-map dynmap 5 set ikev1 transform-set myset2
crypto dynamic-map dynmap 10 set ikev1 transform-set myset
L2TP/IPSEC doesn't work and the Cisco VPN client works well.
In this case "crypto dynamic-map dynmap 10 set ikev1 transform-set myset" is not checked and L2TP/IPSEC fails.
How can I fix it?
ASA version: 9.1(7)16
Thanking you in advance.
Fred
08-30-2017 10:52 AM
08-30-2017 11:43 PM
Hi,
Apply the two transform sets in one crypto dynamic map entry:
crypto dynamic-map dynmap 5 set ikev1 transform-set myset2 myset
HTH
Moh,
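The two experiments in the question (swapping the sequence numbers swaps which client breaks) show that the ASA only negotiates the transform sets bound to the first dynamic-map entry it selects, so a transport-mode set and a tunnel-mode set in separate entries can never both be offered. The following Python script is an added example, not code from the thread or from Cisco: it parses the relevant lines of an ASA configuration (the thread's own lines, embedded as a constructed sample), reports encapsulation modes that only exist in later entries of a dynamic map, emits the single-entry line the accepted answer recommends, and parses the IKEv1 Phase 2 debug message so the two can be correlated. It assumes, as on the page, that the dynamic-map entries carry no `match address` ACL; the function names are the example's own.

```python
import re

# Constructed sample: the transform-set and dynamic-map lines from the question.
ASA_CONFIG = """\
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set myset mode transport
crypto ipsec ikev1 transform-set myset2 esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 10 set ikev1 transform-set myset
crypto dynamic-map dynmap 20 set ikev1 transform-set myset2
crypto map mymap 1 ipsec-isakmp dynamic dynmap
"""

# Constructed sample: the same config with the accepted answer applied.
FIXED_CONFIG = """\
crypto ipsec ikev1 transform-set myset esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set myset mode transport
crypto ipsec ikev1 transform-set myset2 esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 5 set ikev1 transform-set myset2 myset
crypto map mymap 1 ipsec-isakmp dynamic dynmap
"""

# The debug line quoted in the question.
SAMPLE_LOG = ("Aug 21 06:49:21 [IKEv1]Phase 2 failure: Mismatched attribute types "
              "for class Encapsulation Mode: Rcv'd: Tunnel Cfg'd: Transport")

TS_RE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$")
DYN_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set ikev1 transform-set (.+)$")
LOG_RE = re.compile(r"\[IKEv1\]Phase 2 failure: Mismatched attribute types for class "
                    r"(?P<cls>[^:]+): Rcv'd: (?P<rcvd>\S+) Cfg'd: (?P<cfgd>\S+)")


def parse_transform_sets(config):
    """Return {name: mode}. A set is 'transport' only if 'mode transport' is
    declared for it; otherwise it uses the ASA default, 'tunnel'."""
    modes = {}
    for line in config.splitlines():
        m = TS_RE.match(line.strip())
        if not m:
            continue
        name, rest = m.groups()
        if rest.startswith("mode "):
            modes[name] = rest.split()[1]       # explicit mode line overrides
        else:
            modes.setdefault(name, "tunnel")    # definition line, default mode
    return modes


def parse_dynamic_maps(config):
    """Return {map_name: [(seq, [transform-set names]), ...]} ordered by sequence
    number, which is the order the ASA evaluates the entries in."""
    maps = {}
    for line in config.splitlines():
        m = DYN_RE.match(line.strip())
        if m:
            name, seq, sets = m.groups()
            maps.setdefault(name, []).append((int(seq), sets.split()))
    for entries in maps.values():
        entries.sort(key=lambda e: e[0])
    return maps


def lint(config):
    """Flag encapsulation modes offered only by a later entry of a dynamic map.
    With no match ACL, only the first (lowest-sequence) entry is negotiated,
    so those modes are unreachable. Returns (map, first_seq, seq, set, mode)."""
    modes = parse_transform_sets(config)
    findings = []
    for name, entries in parse_dynamic_maps(config).items():
        first_seq, first_sets = entries[0]
        first_modes = {modes.get(ts, "tunnel") for ts in first_sets}
        for seq, sets in entries[1:]:
            for ts in sets:
                mode = modes.get(ts, "tunnel")
                if mode not in first_modes:
                    findings.append((name, first_seq, seq, ts, mode))
    return findings


def suggest_fix(config):
    """One dynamic-map line per map carrying every transform set, as in the
    accepted answer, keyed on the lowest existing sequence number."""
    lines = []
    for name, entries in parse_dynamic_maps(config).items():
        all_sets = []
        for _, sets in entries:
            for ts in sets:
                if ts not in all_sets:
                    all_sets.append(ts)
        lines.append(f"crypto dynamic-map {name} {entries[0][0]} "
                     f"set ikev1 transform-set {' '.join(all_sets)}")
    return lines


def parse_phase2_mismatch(line):
    """Extract class, received and configured values from the debug message,
    or None if the line is not a Phase 2 attribute mismatch."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"class": m.group("cls"),
            "received": m.group("rcvd").lower(),
            "configured": m.group("cfgd").lower()}


if __name__ == "__main__":
    for finding in lint(ASA_CONFIG):
        print("unreachable mode: map %s seq %d offers only other modes; seq %d set %s is %s"
              % (finding[0], finding[1], finding[2], finding[3], finding[4]))
    print("suggested:", *suggest_fix(ASA_CONFIG))
    print("debug line:", parse_phase2_mismatch(SAMPLE_LOG))
```

Run against the original lines it reports that `myset2` (tunnel mode) in entry 20 is never reached because entry 10 only offers transport mode, which is exactly the `Rcv'd: Tunnel Cfg'd: Transport` message the debug produced; run against the corrected single-entry config it reports nothing.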
09-11-2017 12:45 AM
Hello,
Thank you Gio and Moh, it works.
Fred