07-23-2008 12:56 AM - edited 02-21-2020 03:50 PM
Hello guys,
I have to configure an ASA 5510 as a remote access server for Windows XP machines. I tried to configure it with L2TP and IPSec but it didn't work. I was referred to a correct document by a member of this forum (appreciated), but it seems the XP machines don't like L2TP and they accept PPTP more easily. Can anyone refer me to a document on how to configure ASA 5510 remote access with PPTP? I checked the device and didn't see any option for using PPTP instead of L2TP. Thank you guys in advance.
Regards,
rvr
07-23-2008 01:27 AM
PPTP is not supported on ASA
07-23-2008 01:47 AM
I configured the ASA and the XP machine following the document but it didn't work.
I enabled crypto ipsec debugging during my tests and it seemed no traffic hit the ASA when I tried from the XP machine.
I tried yesterday with a PIX501 and at least I got traffic on the PIX; the error was:
IPSEC(validate_transform_proposal): proxy identities not supported.
The section that says I have to configure IP security policy on the XP machine to match the one on the ASA is not that clear for me.
regards,
07-23-2008 01:56 AM
debug crypto isakmp 255
debug crypto ipsec 255
07-23-2008 03:21 AM
07-23-2008 03:24 AM
Jul 23 11:14:27 [IKEv1]: IP = 212.36.10.183, No crypto map bound to interf
dropping pkt
It should be the answer...
Bind the crypto map to the interface.
07-23-2008 04:40 AM
Do I really need a crypto map for remote access? I have noticed that no IPSec rule was created when I followed the document for remote access configuration. Do I have to have an IPSec rule?
regards
07-23-2008 05:22 AM
!--- Identifies the IPsec encryption and hash algorithms
!--- to be used by the transform set.
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
!--- Since the Windows 2000 L2TP/IPsec client uses IPsec transport mode,
!--- set the mode to transport.
!--- The default is tunnel mode.
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
!--- Specifies the transform sets to use in a dynamic crypto map entry.
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
!--- Requires a given crypto map entry to refer to a pre-existing
!--- dynamic crypto map.
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
!--- Applies a previously defined crypto map set to an outside interface.
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal 20
!--- Specifies the IKE Phase I policy parameters.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!--- Creates a tunnel group with the tunnel-group command, and specifies the local
!--- address pool name used to allocate the IP address to the client.
!--- Associate the AAA server group (VPN) with the tunnel group.
tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group vpn
!--- Link the name of the group policy to the default tunnel
!--- group from tunnel group general-attributes mode.
 default-group-policy DefaultRAGroup
!--- Use the tunnel-group ipsec-attributes command
!--- in order to enter the ipsec-attribute configuration mode.
!--- Set the pre-shared key.
!--- This key should be the same as the key configured on the Windows machine.
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
!--- Configures the PPP authentication protocol with the authentication type
!--- command from tunnel group ppp-attributes mode.
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
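Added example, not part of the original thread or of Cisco's documentation: a small Python check that follows the reference chain the configuration above depends on (ISAKMP-enabled interface, bound crypto map, dynamic map, transform set in transport mode), which is the chain the "No crypto map bound" debug line reports as broken. The `audit` function and the `BROKEN` sample are constructed for illustration, and the parser only understands the command forms shown in this thread.

```python
import re

# Constructed input: the state the debug line in the thread points to
# (ISAKMP enabled on "outside", no crypto map bound to that interface).
BROKEN = """\
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto isakmp enable outside
"""

# The crypto-map lines from the configuration posted above.
FIXED = """\
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
"""

def audit(config):
    """Walk interface -> crypto map -> dynamic map -> transform set."""
    lines = [l.strip() for l in config.splitlines()]

    def find(pattern):
        return [m.groups() for l in lines if (m := re.fullmatch(pattern, l))]

    defined = {n for (n,) in find(r"crypto ipsec transform-set (\S+) esp-.*")}
    transport = {n for (n,) in find(r"crypto ipsec transform-set (\S+) mode transport")}
    dyn_sets = dict(find(r"crypto dynamic-map (\S+) \d+ set transform-set (.+)"))
    entries = find(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)")
    bound = {iface: cmap for cmap, iface in find(r"crypto map (\S+) interface (\S+)")}

    findings = []
    for (iface,) in find(r"crypto isakmp enable (\S+)"):
        cmap = bound.get(iface)
        if cmap is None:
            findings.append(f"{iface}: ISAKMP enabled but no crypto map bound")
            continue
        for dyn in (d for m, d in entries if m == cmap):
            if dyn not in dyn_sets:
                findings.append(f"{dyn}: dynamic map has no transform set")
            for ts in dyn_sets.get(dyn, "").split():
                if ts not in defined:
                    findings.append(f"{ts}: transform set not defined")
                elif ts not in transport:
                    findings.append(f"{ts}: tunnel mode, L2TP/IPsec needs transport")
    return findings

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, audit(cfg) or "OK")
```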
07-23-2008 05:54 AM
Thank you. It is resolved.
regards,
rvr