L2TP over IPSec RA VPN not working

jpginexi (Level 1)

I have been trying to get an L2TP over IPsec VPN using pre-shared keys working, but it just keeps failing with the same errors. For some reason it claims that it can't find a valid tunnel group. I am trying to connect using the Windows XP VPN client. The client is behind a NAT; I have already applied the NAT-T registry fix, but it didn't help.

Error:

Jun 08 2007 21:35:07: %ASA-6-302015: Built inbound UDP connection 129881 for outside:mail.companyname.net/500 (mail.companyname.net/500) to NP Identity Ifc:10.0.0.154/500 (10.0.0.154/500)
Jun 08 2007 21:35:07: %ASA-4-713903: Group = 192.168.29.2, IP = 192.168.29.2, Can't find a valid tunnel group, aborting...!
Jun 08 2007 21:35:07: %ASA-3-713902: Group = 192.168.29.2, IP = 192.168.29.2, Removing peer from peer table failed, no match!
Jun 08 2007 21:35:07: %ASA-4-713903: Group = 192.168.29.2, IP = 192.168.29.2, Error: Unable to remove PeerTblEntry

router# show vers
Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0

This platform has a Base license.

I am attaching the config.

Thanks for your help!

3 Replies

jpginexi (Level 1)

OK, I was able to get this working by not trying to use user-defined tunnel groups.

I modified the DefaultRAGroup and used it instead, and was able to connect to a tunnel group. Is this a known issue?

However, this only got me past Phase 1. Phase 2 kept erroring with "All IPSec SA proposals found unacceptable!".

To get past this error, I removed PFS and switched from SHA to MD5:

crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

Those two changes enabled Phase 2 to complete successfully and the tunnel was set up.

This is the config that works:

Thank you very much for the info.

To answer your question about why only the default RA group is working:

Since the L2TP/IPsec client doesn't specify a group name, the default values of the default RA group will be used. This is the reason why you have to use this group.
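Pulling the two replies above together, here is an added example of a complete ASA 7.2 L2TP/IPsec remote-access configuration built around DefaultRAGroup. It is not the poster's attached config. The address pool, DNS server, username, pre-shared key, map names and interface name are placeholders, and it keeps the 3DES/MD5, no-PFS, transport-mode Phase 2 proposal the poster reported working (3DES and MD5 are weak by current standards; they are kept only to match the 2007 thread). The practical point is the last block: because the Windows client sends its own IP as the IKE identity and no group name, which is what the "Group = 192.168.29.2 ... Can't find a valid tunnel group" log lines show, the pre-shared key and the L2TP settings have to live on DefaultRAGroup rather than on a named tunnel group.

```cisco
! Added example, not the original poster's configuration.
! Placeholders: pool range, DNS server, username/password, pre-shared key.
ip local pool L2TP_POOL 192.168.200.1-192.168.200.10 mask 255.255.255.0

! IKE Phase 1: pre-shared key, 3DES/MD5, DH group 2. NAT-T is needed because
! the client sits behind a NAT (UDP/4500 must be reachable as well as UDP/500).
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

! IPsec Phase 2: the Windows L2TP/IPsec client negotiates transport mode and,
! as the thread found, does not accept PFS on this ASA, so neither is set here.
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

! The client sends no group name, so everything lands on DefaultRAGroup.
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
 dns-server value 10.0.0.10
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP_POOL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key MyPresharedKey
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2

! Local user for the PPP (MS-CHAPv2) authentication inside the L2TP tunnel;
! the mschap keyword stores the password in the form MS-CHAP needs.
username vpnuser password PlaceholderPassword mschap
```

Two checks when this still fails: `show crypto isakmp sa` should show the peer in MM_ACTIVE after Phase 1, and if Phase 2 then logs "All IPSec SA proposals found unacceptable!" the mismatch is almost always one of transport versus tunnel mode, PFS, or the ESP hash, so compare the transform set against what the client proposes before changing anything else.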

Question

I also had some problems with L2TP: the tunnel was OK, but I was not able to access resources from the L2TP client to the remote site through the tunnel.
