06-30-2008 06:25 AM - edited 02-21-2020 03:47 PM
Hi!
Does anybody have working configuration for L2TP/IPSec between Windows 2003 and IOS router (12.4(11)T4)?
I set it up, IKE works well, IPSec tunnel is established, L2TP starts negotiating the vpdn session, but everything stops at MS-CHAP authentication: it seems the router doesn't see the reply from Windows (Windows ppp.log indicates it does send Configure-Ack). Eventually the connection times out with Error=734.
Jun 30 18:27:51.763 MSD: AAA/BIND(00000017): Bind i/f
Jun 30 18:27:51.767 MSD: AAA/BIND(00000017): Bind i/f Virtual-Template2
Jun 30 18:27:51.767 MSD: ppp20 PPP: Send Message[Dynamic Bind Response]
Jun 30 18:27:51.767 MSD: ppp20 PPP: Using vpn set call direction
Jun 30 18:27:51.767 MSD: ppp20 PPP: Treating connection as a callin
Jun 30 18:27:51.767 MSD: ppp20 PPP: Session handle[CB00001A] Session id[20]
Jun 30 18:27:51.767 MSD: ppp20 PPP: Phase is ESTABLISHING, Passive Open
Jun 30 18:27:51.767 MSD: ppp20 LCP: State is Listen
Jun 30 18:27:53.775 MSD: ppp20 LCP: Timeout: State Listen
Jun 30 18:27:53.775 MSD: ppp20 PPP: Authorization required
Jun 30 18:27:53.775 MSD: ppp20 LCP: O CONFREQ [Listen] id 1 len 15
Jun 30 18:27:53.775 MSD: ppp20 LCP: AuthProto MS-CHAP (0x0305C22380)
Jun 30 18:27:53.775 MSD: ppp20 LCP: MagicNumber 0x19756369 (0x050619756369)
Jun 30 18:27:55.791 MSD: ppp20 LCP: Timeout: State REQsent
Jun 30 18:27:55.791 MSD: ppp20 LCP: O CONFREQ [REQsent] id 2 len 15
Jun 30 18:27:55.791 MSD: ppp20 LCP: AuthProto MS-CHAP (0x0305C22380)
Jun 30 18:27:55.791 MSD: ppp20 LCP: MagicNumber 0x19756369 (0x050619756369)
Jun 30 18:27:57.807 MSD: ppp20 LCP: Timeout: State REQsent
...
The relevant parts of the config:
aaa new-model
!
aaa authentication ppp L2TP local
aaa authorization network L2TP local
!
vpdn enable
vpdn logging
!
vpdn-group 1
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 2
 l2tp security crypto-profile L2TP-PROF
 no l2tp tunnel authentication
 l2tp tunnel password 7
!
username l2tp password xxx
!
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
!
crypto ipsec transform-set l2tp-tr1 esp-3des esp-sha-hmac
 mode transport require
crypto ipsec transform-set l2tp-tr2 esp-3des esp-md5-hmac
 mode transport require
!
crypto map L2TP-MAP 10 ipsec-isakmp profile L2TP-PROF
 set transform-set l2tp-tr1 l2tp-tr2
!
interface FastEthernet0/0
 ip address 10.3.1.1 255.255.255.0
 crypto map L2TP-MAP
!
interface FastEthernet0/1
 ip address 172.16.1.1 255.255.255.0
!
interface Virtual-Template2
 ip unnumbered FastEthernet0/1
 peer default ip address pool VPNPOOL
 ppp authentication ms-chap ms-chap-v2 callin L2TP
 ppp authorization L2TP
!
ip local pool VPNPOOL 172.16.11.1 172.16.11.254
ip route 0.0.0.0 0.0.0.0 10.3.1.30
!
...
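The failure signature in the debug above is an LCP phase where the router keeps emitting outbound (O) CONFREQs and never logs a single inbound (I) LCP frame before the session times out. The following is an added triage script, not part of the original post, that scans "debug ppp negotiation" output for that pattern per PPP session so a stalled session can be separated from one that is actually negotiating; the log lines embedded in it are constructed, modelled on the post.

```python
import re
from collections import defaultdict

# Constructed sample of "debug ppp negotiation" output, modelled on the post:
# ppp20 only ever sends (O) CONFREQ and times out; ppp21 gets inbound (I) frames.
SAMPLE_LOG = """\
Jun 30 18:27:51.767 MSD: ppp20 PPP: Phase is ESTABLISHING, Passive Open
Jun 30 18:27:51.767 MSD: ppp20 LCP: State is Listen
Jun 30 18:27:53.775 MSD: ppp20 LCP: Timeout: State Listen
Jun 30 18:27:53.775 MSD: ppp20 LCP: O CONFREQ [Listen] id 1 len 15
Jun 30 18:27:55.791 MSD: ppp20 LCP: Timeout: State REQsent
Jun 30 18:27:55.791 MSD: ppp20 LCP: O CONFREQ [REQsent] id 2 len 15
Jun 30 18:27:57.807 MSD: ppp20 LCP: Timeout: State REQsent
Jun 30 18:27:57.807 MSD: ppp20 LCP: O CONFREQ [REQsent] id 3 len 15
Jun 30 18:27:59.811 MSD: ppp21 LCP: O CONFREQ [Listen] id 1 len 15
Jun 30 18:27:59.815 MSD: ppp21 LCP: I CONFACK [REQsent] id 1 len 15
Jun 30 18:27:59.815 MSD: ppp21 LCP: I CONFREQ [ACKrcvd] id 2 len 20
"""

# Matches only LCP configure packets; direction O = sent by router, I = received.
LCP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) \w+: (?P<sess>ppp\d+) LCP: "
    r"(?P<dir>[IO]) (?P<code>CONF(?:REQ|ACK|NAK|REJ)) \[(?P<state>\w+)\] id (?P<id>\d+)"
)

def analyze_lcp(log_text, max_unanswered=2):
    """Return {session: (verdict, outbound_confreq_count, inbound_lcp_count)}.

    A session is 'stalled' when it sent more than max_unanswered CONFREQs and
    no inbound LCP frame was ever logged, i.e. the peer's replies never reach
    the PPP process (the symptom in the post, despite IKE/IPsec being up).
    """
    stats = defaultdict(lambda: {"out_req": 0, "in_any": 0})
    for line in log_text.splitlines():
        m = LCP_RE.match(line)
        if not m:
            continue  # AAA, PPP phase and timeout lines are not LCP packets
        s = stats[m["sess"]]
        if m["dir"] == "O" and m["code"] == "CONFREQ":
            s["out_req"] += 1
        elif m["dir"] == "I":
            s["in_any"] += 1
    return {
        sess: ("stalled" if s["in_any"] == 0 and s["out_req"] > max_unanswered
               else "negotiating", s["out_req"], s["in_any"])
        for sess, s in stats.items()
    }

if __name__ == "__main__":
    for sess, (verdict, out_req, in_any) in sorted(analyze_lcp(SAMPLE_LOG).items()):
        print(f"{sess}: {verdict} (O CONFREQ={out_req}, I frames={in_any})")
```

A "stalled" verdict with the IPsec SA established points at the path between ESP/L2TP decapsulation and the virtual-access interface rather than at the client's MS-CHAP credentials, which is consistent with the IOS-version finding in the reply below.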
07-01-2008 05:41 AM
It appears to be a bug in IOS 12.4(11)T. 12.4(19b) mainline works well.