06-08-2007 02:28 PM - edited 02-21-2020 03:05 PM
I have been trying to get an L2TP over IPSec VPN using pre-shared keys working, but it just keeps failing with the same errors. For some reason it claims that it can't find a valid tunnel group. I am trying to connect using the Windows XP VPN client. The client is behind a NAT; I have already applied the NAT-T registry fix, but it didn't help.
Error:
Jun 08 2007 21:35:07: %ASA-6-302015: Built inbound UDP connection 129881 for outside:mail.companyname.net/500 (mail.companyname.net/500) to NP Identity Ifc:10.0.0.154/500 (10.0.0.154/500)
Jun 08 2007 21:35:07: %ASA-4-713903: Group = 192.168.29.2, IP = 192.168.29.2, Can't find a valid tunnel group, aborting...!
Jun 08 2007 21:35:07: %ASA-3-713902: Group = 192.168.29.2, IP = 192.168.29.2, Removing peer from peer table failed, no match!
Jun 08 2007 21:35:07: %ASA-4-713903: Group = 192.168.29.2, IP = 192.168.29.2, Error: Unable to remove PeerTblEntry
router# show vers
Cisco Adaptive Security Appliance Software Version 7.2(2)
Device Manager Version 5.2(2)
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
This platform has a Base license.
I am attaching the config.
Thanks for your help!
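The lines quoted above follow the fixed ASA syslog layout (timestamp, %ASA-severity-messageid, body), and the IKE messages additionally carry "Group = ..., IP = ..." before the text. The following Python is an added example, not code from the original post or from Cisco: it parses lines in that layout, pulls out the peer and message id, and maps the texts that appear in this thread (the tunnel-group failure from Phase 1, the "proposals found unacceptable" failure from Phase 2) to the negotiation phase they belong to, so a log review can go straight to the first real failure instead of the cleanup noise that follows it. The sample log is constructed from the lines in the post; the classification strings are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the syslog lines quoted in the post above.
SAMPLE_LOG = """\
Jun 08 2007 21:35:07: %ASA-6-302015: Built inbound UDP connection 129881 for outside:mail.companyname.net/500 (mail.companyname.net/500) to NP Identity Ifc:10.0.0.154/500 (10.0.0.154/500)
Jun 08 2007 21:35:07: %ASA-4-713903: Group = 192.168.29.2, IP = 192.168.29.2, Can't find a valid tunnel group, aborting...!
Jun 08 2007 21:35:07: %ASA-3-713902: Group = 192.168.29.2, IP = 192.168.29.2, Removing peer from peer table failed, no match!
Jun 08 2007 21:35:07: %ASA-4-713903: Group = 192.168.29.2, IP = 192.168.29.2, Error: Unable to remove PeerTblEntry
"""

# "<timestamp>: %ASA-<severity>-<message id>: <body>" is the fixed prefix of every line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# IKE messages carry the tunnel group the ASA settled on and the peer address.
PEER_RE = re.compile(r"^Group = (?P<group>\S+), IP = (?P<ip>\S+), (?P<text>.*)$")


@dataclass
class AsaEvent:
    timestamp: str
    severity: int
    msgid: str
    group: Optional[str]
    peer_ip: Optional[str]
    text: str


def parse_line(line: str) -> Optional[AsaEvent]:
    """Parse one ASA syslog line; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    group = peer_ip = None
    text = body
    pm = PEER_RE.match(body)
    if pm:
        group, peer_ip, text = pm.group("group"), pm.group("ip"), pm.group("text")
    return AsaEvent(m.group("ts"), int(m.group("sev")), m.group("msgid"), group, peer_ip, text)


def parse_log(log: str) -> List[AsaEvent]:
    return [ev for ev in (parse_line(l) for l in log.splitlines()) if ev is not None]


def classify(ev: AsaEvent) -> str:
    """Map an event to the IKE phase it concerns and the cause discussed in this thread."""
    if "Can't find a valid tunnel group" in ev.text:
        # An L2TP/IPsec client sends no group name, so the ASA falls back to
        # identifying the peer by address (Group equals IP) and only
        # DefaultRAGroup can match it.
        if ev.group == ev.peer_ip:
            return "phase1: no tunnel group matched; peer offered no group name (Group equals IP)"
        return "phase1: no tunnel group matched"
    if "All IPSec SA proposals found unacceptable" in ev.text:
        return "phase2: no transform-set / PFS match for the client's proposals"
    if "Removing peer from peer table failed" in ev.text or "Unable to remove PeerTblEntry" in ev.text:
        return "phase1: cleanup after an aborted negotiation (follows the real error)"
    if ev.msgid == "302015":
        return "connection: inbound UDP/500 accepted (IKE traffic reached the ASA)"
    return "unclassified"


def first_root_cause(events: List[AsaEvent]) -> Optional[AsaEvent]:
    """The first phase1/phase2 failure that is not just cleanup of an earlier failure."""
    for ev in events:
        c = classify(ev)
        if c.startswith(("phase1", "phase2")) and "cleanup" not in c:
            return ev
    return None


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(ev.msgid, ev.peer_ip, "->", classify(ev))
    rc = first_root_cause(evs)
    print("root cause:", rc.text if rc else "none")
```

Run against the sample, the first 713903 line is reported as the root cause and the two messages after it as cleanup, which is the reading the later replies in this thread confirm.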
06-13-2007 11:32 AM
Ok, I was able to get this working by not trying to use user defined tunnel groups.
I modified the DefaultRAGroup and used it instead and was able to connect to a tunnel group. Is this a known issue?
However, this only got me past Phase 1. Phase 2 kept failing with the error "All IPSec SA proposals found unacceptable!".
To get past this error, I removed pfs and switched to use md5 from sha.
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
Those two changes enabled Phase2 to complete successfully and the tunnel was set up.
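The Phase 2 failure above is a negotiation mismatch: the ASA, as responder, compares each proposal in the client's Quick Mode offer against the transform sets on the matching dynamic-map entry, and if `set pfs` is configured the proposal must also carry a matching PFS group; when nothing lines up it logs "All IPSec SA proposals found unacceptable!". The Python below is an added example (not code from the post or from Cisco) that models that selection in simplified form and shows why removing PFS and moving to the MD5 transform set made the offer acceptable. The client offer, the "before" transform-set name TRANS_ESP_3DES_SHA and the PFS group 2 on the "before" entry are constructed assumptions; only TRANS_ESP_3DES_MD5 in transport mode comes from the post.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TransformSet:
    """One `crypto ipsec transform-set` plus its mode (transport for L2TP/IPsec)."""
    name: str
    encryption: str   # e.g. "esp-3des"
    integrity: str    # e.g. "esp-md5-hmac" or "esp-sha-hmac"
    mode: str         # "transport" or "tunnel"


@dataclass(frozen=True)
class DynamicMapEntry:
    """Responder policy: the allowed transform sets and whether `set pfs` is configured."""
    transform_sets: Tuple[TransformSet, ...]
    pfs_group: Optional[int]   # None means PFS is not required by the responder


@dataclass(frozen=True)
class Phase2Proposal:
    """One proposal from the client's Quick Mode offer."""
    encryption: str
    integrity: str
    mode: str
    pfs_group: Optional[int]   # None when the client offers no PFS (no KE payload)


def _pfs_ok(entry: DynamicMapEntry, p: Phase2Proposal) -> bool:
    # Simplified model: a responder that requires PFS needs the same group offered;
    # a responder that does not require it accepts the proposal either way.
    return entry.pfs_group is None or p.pfs_group == entry.pfs_group


def _matching_set(entry: DynamicMapEntry, p: Phase2Proposal) -> Optional[TransformSet]:
    for ts in entry.transform_sets:
        if (ts.encryption, ts.integrity, ts.mode) == (p.encryption, p.integrity, p.mode):
            return ts
    return None


def negotiate_phase2(entry: DynamicMapEntry, proposals: List[Phase2Proposal]) -> Optional[TransformSet]:
    """Responder-side selection: the first proposal that clears the PFS check and matches a
    configured transform set wins. None corresponds to 'All IPSec SA proposals found unacceptable!'."""
    for p in proposals:
        if not _pfs_ok(entry, p):
            continue
        ts = _matching_set(entry, p)
        if ts is not None:
            return ts
    return None


def explain_mismatch(entry: DynamicMapEntry, proposals: List[Phase2Proposal]) -> List[str]:
    """Per-proposal reason, which is what you want when the ASA only says 'unacceptable'."""
    reasons = []
    for i, p in enumerate(proposals):
        if not _pfs_ok(entry, p):
            reasons.append(f"proposal {i}: responder requires PFS group {entry.pfs_group}, client offered {p.pfs_group}")
            continue
        ts = _matching_set(entry, p)
        if ts is None:
            reasons.append(f"proposal {i}: {p.encryption}/{p.integrity}/{p.mode} matches no transform set")
        else:
            reasons.append(f"proposal {i}: matches {ts.name}")
    return reasons


# Constructed client offer: ESP 3DES, HMAC-MD5, transport mode, no PFS.
CLIENT_OFFER = [Phase2Proposal("esp-3des", "esp-md5-hmac", "transport", None)]

# Constructed "before" policy: a SHA transform set (name assumed) with PFS group 2 required.
BEFORE = DynamicMapEntry(
    (TransformSet("TRANS_ESP_3DES_SHA", "esp-3des", "esp-sha-hmac", "transport"),),
    pfs_group=2,
)
# "After" policy as posted: TRANS_ESP_3DES_MD5 in transport mode, no PFS.
AFTER = DynamicMapEntry(
    (TransformSet("TRANS_ESP_3DES_MD5", "esp-3des", "esp-md5-hmac", "transport"),),
    pfs_group=None,
)

if __name__ == "__main__":
    for label, entry in (("before", BEFORE), ("after", AFTER)):
        chosen = negotiate_phase2(entry, CLIENT_OFFER)
        print(label, "->", chosen.name if chosen else "All IPSec SA proposals found unacceptable!")
        for r in explain_mismatch(entry, CLIENT_OFFER):
            print("   ", r)
```

Either mismatch alone is enough to fail Phase 2: the SHA set without PFS still rejects an MD5 offer, so when the ASA log gives only the generic message, walk both the integrity/encryption/mode triple and the PFS setting. 3DES and MD5 are only what this 2007 client could offer; on current equipment the same matching logic applies with AES and SHA-2 sets.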
06-13-2007 11:52 AM
08-04-2007 01:48 AM
Thank you very much for the info.
To answer your question why only the default RA group is working:
Since the L2TP/IPsec client doesn't specify a group name, the default values of the default RA group will be used. This is the reason why you have to use this group.
Question
I also had some problems with L2TP, in that the tunnel was OK but I was not able to access resources from the L2TP client on the remote site through the tunnel.