ASA 5505 configuring L2TP over IPSEC

Unanswered Question


We have recently bought an ASA 5505, and I'm currently in the process of configuring it to support Windows L2TP VPN client connections. Unfortunately I just don't seem to be able to get this working. A big part of the problem is that ASA configuratino is completely new to me. I've used the following Cisco documents to try and set this up:

<a href="">Configuring L2TP over IPSEC (Command line)</a>

<a href="">Configuring L2TP over IPSEC (ADSM)</a>

<a href="">L2TP Over IPsec Between Windows 2000/XP PC and PIX/ASA 7.2</a>

However, I recieve the following when trying to connect:

Error 789: The L2TP connection attempt failed because the security layer encountered a pprocessing error during initial negotiations with the computer.

I have attempted debugging on the ASA, however I can't seem to get it to log the UDP 1701 or L2TP session data. If I create a outside dynamic IPSEC rule, the error changes to 'network busy'. This seems to suggest the client is successfully hitting the firewall and begining negotions.. A show run displays the attached config:

I'd be really happy to hear from anybody who has experiance of succesfully configuring an ASA 5505 for use with L2TP, or anybody who has suggestinos on a way forward (and possibly a little help).

Many thanks,


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)

The security appliance does not establish an L2TP/IPSec tunnel with Windows 2000 if either the Cisco VPN Client Version 3.x or the Cisco VPN 3000 Client Version 2.5 is installed. Disable the Cisco VPN Service for the Cisco VPN Client Version 3.x, or the ANetIKE Service for the Cisco VPN 3000 Client Version 2.5 from the Services panel in Windows 2000 (click Start>Programs>Administrative Tools>Services). Then restart the IPSec Policy Agent Service from the Services panel, and reboot the machine.

Step 1 Specify IPSec to use transport mode rather than tunnel mode with the mode keyword of the crypto ipsec transform-set command:

hostname(config)# crypto ipsec transform-set trans_name mode transport


This Discussion