07-23-2008 12:56 AM - edited 02-21-2020 03:50 PM
Hello guys,
I have to configure an ASA 5510 as a remote access server for Windows XP machines. I tried to configure it with L2TP and IPSec but it didn't work. I was referred to a correct document by a member of this forum (appreciated) but it seems the XP machines don't like L2TP and they accept PPTP more easily. Can anyone refer me to a document on how to configure ASA 5510 remote access with PPTP? I checked the device and didn't see any option for using PPTP instead of L2TP. Thank you guys in advance.
Regards,
rvr
07-23-2008 01:27 AM
PPTP is not supported on ASA
07-23-2008 01:47 AM
I configured the ASA and the XP machine following the document but it didn't work.
I enabled crypto ipsec debugging during my tests and it seemed no traffic hit the ASA when I tried from the XP machine.
I tried yesterday with a PIX501 and at least I got traffic on the PIX; the error was:
IPSEC(validate_transform_proposal): proxy identities not supported.
The section that says I have to configure an IP security policy on the XP machine to match the one on the ASA is not that clear to me.
regards,
07-23-2008 01:56 AM
debug crypto isakmp 255
debug crypto ipsec 255
07-23-2008 03:21 AM
07-23-2008 03:24 AM
Jul 23 11:14:27 [IKEv1]: IP = 212.36.10.183, No crypto map bound to interf
dropping pkt
It should be the answer...
Bind the crypto map to the interface.
07-23-2008 04:40 AM
Do I really need a crypto map for Remote access? I have noticed that no IPSec rule was created when I followed the document for Remote access configuration. Do I have to have IPSec rule??
regards
07-23-2008 05:22 AM
!--- Identifies the IPsec encryption and hash algorithms
!--- to be used by the transform set.
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
!--- Since the Windows 2000 L2TP/IPsec client uses IPsec transport mode,
!--- set the mode to transport.
!--- The default is tunnel mode.
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
!--- Specifies the transform sets to use in a dynamic crypto map entry.
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
!--- Requires a given crypto map entry to refer to a pre-existing
!--- dynamic crypto map.
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
!--- Applies a previously defined crypto map set to an outside interface.
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp nat-traversal 20
!--- Specifies the IKE Phase I policy parameters.
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!--- Creates a tunnel group with the tunnel-group command, and specifies the local
!--- address pool name used to allocate the IP address to the client.
!--- Associate the AAA server group (VPN) with the tunnel group.
tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group vpn
!--- Link the name of the group policy to the default tunnel
!--- group from tunnel group general-attributes mode.
 default-group-policy DefaultRAGroup
!--- Use the tunnel-group ipsec-attributes command
!--- in order to enter the ipsec-attribute configuration mode.
!--- Set the pre-shared key.
!--- This key should be the same as the key configured on the Windows machine.
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
!--- Configures the PPP authentication protocol with the authentication type
!--- command from tunnel group ppp-attributes mode.
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
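The failure seen in this thread (IKE packets dropped because no crypto map is bound to the interface) can be caught offline before testing with a client. The Python check below is an added example, not part of any post in this thread and not Cisco tooling; it recognizes only the command forms shown in the configuration above, and its sample input is constructed.

```python
import re

# Constructed sample: the thread's configuration with the interface binding
# line ("crypto map outside_map interface outside") left out on purpose.
SAMPLE_MISSING_BIND = """\
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto isakmp enable outside
"""

def lint_l2tp_ipsec(config: str) -> list[str]:
    """Return findings for the crypto-map chain an L2TP/IPsec client needs."""
    lines = [l.strip() for l in config.splitlines()
             if l.strip() and not l.lstrip().startswith("!")]
    text = "\n".join(lines)
    findings = []

    tsets = set(re.findall(r"^crypto ipsec transform-set (\S+) esp-", text, re.M))
    transport = set(re.findall(r"^crypto ipsec transform-set (\S+) mode transport$", text, re.M))
    dyn = dict(re.findall(r"^crypto dynamic-map (\S+) \d+ set transform-set (\S+)", text, re.M))
    maps = dict(re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", text, re.M))
    bound = dict(re.findall(r"^crypto map (\S+) interface (\S+)", text, re.M))
    ike_ifs = set(re.findall(r"^crypto isakmp enable (\S+)", text, re.M))

    for dmap, ts in dyn.items():
        if ts not in tsets:
            findings.append(f"dynamic-map {dmap}: transform-set {ts} is not defined")
        elif ts not in transport:
            findings.append(f"transform-set {ts}: tunnel mode (default); L2TP/IPsec needs transport")
    for cmap, dmap in maps.items():
        if dmap not in dyn:
            findings.append(f"crypto map {cmap}: dynamic-map {dmap} is not defined")
        if cmap not in bound:
            findings.append(f"crypto map {cmap}: not bound to any interface")
        elif bound[cmap] not in ike_ifs:
            findings.append(f"interface {bound[cmap]}: ISAKMP not enabled")
    if not maps:
        findings.append("no crypto map references a dynamic-map")
    return findings

if __name__ == "__main__":
    for f in lint_l2tp_ipsec(SAMPLE_MISSING_BIND):
        print(f)
```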
07-23-2008 05:54 AM
Thank you. It is resolved.
regards,
rvr