07-12-2024 05:56 AM
A few days back I had asked a question here regarding use of the Windows L2TP client and ASA. Someone kindly responded pointing me to using PowerShell to change the encryption Windows would use (as 3DES is deprecated in v9.18). I created a test VPN connection to this FPR1010 ASA at our office, using PowerShell to edit:
Set-VpnConnectionIPsecConfiguration -ConnectionName L2TP -AuthenticationTransformConstants SHA196 -CipherTransformConstants AES128 -DHGroup Group14 -EncryptionMethod AES128 -IntegrityCheckMethod SHA1 -PfsGroup PFS2048 -Force
I can connect, I can see both P1 & P2 complete. vpn-session shows:
Session Type: IKEv1 IPsec
Username : sam Index : 43
Assigned IP : 192.168.1.252 Public IP : 192.168.101.20
Protocol : IKEv1 IPsec L2TPOverIPsec
License : Other VPN
Encryption : IKEv1: (1)AES128 IPsec: (1)AES128 L2TPOverIPsec: (1)none
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1 L2TPOverIPsec: (1)none
Bytes Tx : 32558 Bytes Rx : 1105720
Group Policy : DefaultRAGroup Tunnel Group : DefaultRAGroup
Login Time : 20:57:43 UTC Thu Jul 11 2024
Duration : 15h:33m:45s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : c0a801010002b00066904747
Security Grp : none
The frustrating thing is this. While it shows both TX & RX (show ipsec sa shows this as well), I actually do not get any traffic. I cannot ping the ASA, I cannot SSH to it, and I do have 'management-access inside' and now 'ssh 0.0.0.0 0.0.0.0 inside' set. Playing around with this and trying different things, if I actually create an ACL and attach it to 'SYSTEM_DEFAULT_CRYPTO_MAP 65535' I could get a ping response, but nothing else. What is frustrating me is that the initial configuration I put in was a copy/paste from another FPR1010 ASA which does have a working L2TP remote access VPN (older v9.14, working with the Windows client).
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
object network L2TP-Pool
subnet 192.168.1.0 255.255.255.0
access-list 101 extended permit ip interface inside any4
access-list REMOTE_RA extended permit ip any4 192.168.1.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
!
nat (inside,outside) source static any any destination static L2TP-Pool L2TP-Pool no-proxy-arp route-lookup
!
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set TRANS_ESP_3DES_SHA TRANS_ESP_3DES_MD5 TRANS_ESP_AES128_SHA TRANS_ESP_AES192_SHA ESP-AES-128-SHA-TRANS ESP-AES-128-MD5-TRANS ESP-AES-192-SHA-TRANS ESP-AES-192-MD5-TRANS ESP-AES-256-SHA-TRANS ESP-AES-256-MD5-TRANS
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
!
management-access inside
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
wins-server none
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
default-domain value icontrolservices.com
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
webvpn
anyconnect ssl compression deflate
anyconnect modules value dart,vpngina
dynamic-access-policy-record DfltAccessPolicy
tunnel-group DefaultL2LGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
I want to say I must have missed something, but for the life of me I cannot see it. I have another ASA sitting in my office (v9.14) into which I threw the basic L2TP RA config I usually copy/paste, and I am having no problems connecting to that from the same Windows PC. The difference here is that connection "L2TP2" uses the Windows default configuration of 3DES/SHA and "L2TP" uses AES.
Any ideas on what I missed or misconfigured?
07-15-2024 11:29 AM
It turned out to be something as small and stupid as a device having been given the IP address 192.168.1.252, the same IP that the user account was assigned. All equipment on this network was supposed to be ~1 to ~100, and nothing from 200~254, and I was told ~252 was free and available to test with. The above config does work, and I can access remote devices.
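A defender-side check for the root cause found here, as an added example (not code from the thread or from Cisco): it parses the posted config and session output, reports that the L2TP pool sits inside the LAN range (so a collision with a LAN host is possible), and flags when the assigned client address is already held by a LAN host. The LAN host list and the helper names are constructed assumptions.

```python
import ipaddress
import re
# Constructed sample: the relevant lines from the ASA config posted in the thread.
ASA_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
object network L2TP-Pool
 subnet 192.168.1.0 255.255.255.0
"""
# Constructed sample: the assignment line from the 'show vpn-sessiondb' output above.
SESSION_OUTPUT = "Assigned IP : 192.168.1.252 Public IP : 192.168.101.20"
# Constructed sample of hosts already on the inside LAN (e.g. from 'show arp'); .252 is the colliding device.
LAN_HOSTS = {"192.168.1.1", "192.168.1.10", "192.168.1.252"}

def parse_inside_subnet(config):
    """Network of the interface whose nameif is 'inside'."""
    nameif = None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        m = re.match(r"ip address (\S+) (\S+)", line)
        if m and nameif == "inside":
            return ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
    return None

def parse_pool(config, name):
    # Subnet declared under 'object network <name>' (the client address pool).
    lines = [l.strip() for l in config.splitlines()]
    for i in range(len(lines) - 1):
        m = re.match(r"subnet (\S+) (\S+)", lines[i + 1])
        if lines[i] == f"object network {name}" and m:
            return ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
    return None

def assigned_ip(session_output):
    # Client address from the 'Assigned IP' field of show vpn-sessiondb.
    m = re.search(r"Assigned IP\s*:\s*(\S+)", session_output)
    return ipaddress.ip_address(m[1]) if m else None

def check_session(config, session_output, lan_hosts):
    """Findings that explain a tunnel that is up but carries no usable traffic."""
    findings = []
    inside, pool = parse_inside_subnet(config), parse_pool(config, "L2TP-Pool")
    client = assigned_ip(session_output)
    if inside and pool and inside.overlaps(pool):
        findings.append(f"pool {pool} lies inside LAN range {inside}: a LAN host can collide with a client")
    if client and str(client) in lan_hosts:
        findings.append(f"assigned IP {client} is already in use on the inside LAN")
    return findings
```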
07-14-2024 04:42 AM
Normally we use AnyConnect SSL to access the ASA from outside.
Here you use L2TP/IPsec; it works for traffic passing through the FW but not for traffic directed to the FW.
The issue is that with SSL the ASA knows the path to the outside client.
Here with L2TP, since the client shows as an IP connected to IN, not to OUT, the ASA cannot route traffic back correctly.
To know if I am right or not,
do a capture on the IN interface and see if the packet coming from the outside client is routed via IN and not returned to the client.
MHM