L2TP/IPSEC VPN to ASA

Unanswered Question
Sep 3rd, 2008

Hi,


I have configured my ASA, which is already set up for site-to-site VPNs and Client access VPN using the Cisco Client, for L2TP/IPSEC VPN access. However, I am unable to connect from a Windows client. Below is my config, and I've attached a copy of the debug. Please could you help.


crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set CLIENT_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set CLIENT_ESP_3DES_MD5 mode transport

crypto dynamic-map vpnmap_dynmap 40 set transform-set ESP-3DES-SHA
crypto dynamic-map vpnmap_dynmap 50 set transform-set CLIENT_ESP_3DES_MD5

crypto map vpnmap 65535 ipsec-isakmp dynamic vpnmap_dynmap

crypto map vpnmap interface outside2
crypto isakmp identity address
crypto isakmp enable outside2

crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 40
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 80
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 30

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value X.X.X.X

tunnel-group DefaultRAGroup general-attributes
 authentication-server-group RADIUSAUTH
 default-group-policy DefaultRAGroup
 dhcp-server DHCP_SERVER

tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 isakmp ikev1-user-authentication (outside2) none

tunnel-group DefaultRAGroup ppp-attributes
 no authentication ms-chap-v1
 authentication ms-chap-v2


Marwan ALshawi Wed, 09/03/2008 - 05:11

What I suggest is to have a look at the following nice example that configures L2TP/IPsec on an ASA with a Windows PC. It will guide you step by step; check it against your config as well.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml


Good luck.


If helpful, rate.

alraycisco Wed, 09/03/2008 - 07:36

Having gone through the config, the only changes I made to my config were:


To add 'vpn-tunnel-protocol l2tp-ipsec' in group-policy DfltGrpPolicy attributes


and to remove 'isakmp ikev1-user-authentication (outside2) none'. This now results in 'Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy' in the debugs.
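
For comparing what the tunnel group and its group policy specify, here is an added example (not part of the thread and not Cisco tooling) that parses a saved running-config and reports which group policy DefaultRAGroup uses, where its vpn-tunnel-protocol list comes from, and which transport-mode transform sets the dynamic map references. It assumes sub-commands are indented as in `show running-config` output and that unset group-policy attributes inherit from DfltGrpPolicy; the function names and the sample are constructed.

```python
import re

# Constructed sample: lines from the configuration posted above plus the DfltGrpPolicy
# change from the follow-up post, indented as `show running-config` prints them (assumed).
SAMPLE = """\
crypto ipsec transform-set CLIENT_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set CLIENT_ESP_3DES_MD5 mode transport
crypto dynamic-map vpnmap_dynmap 40 set transform-set ESP-3DES-SHA
crypto dynamic-map vpnmap_dynmap 50 set transform-set CLIENT_ESP_3DES_MD5
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol l2tp-ipsec
group-policy DefaultRAGroup attributes
 wins-server value X.X.X.X
tunnel-group DefaultRAGroup general-attributes
 default-group-policy DefaultRAGroup
"""

def parse(config):
    """Return (transport-mode sets, sets used by dynamic maps, section -> sub-commands)."""
    transport, used, sections, current = set(), set(), {}, None
    for line in filter(str.strip, config.splitlines()):
        if line[0].isspace():                      # sub-command of the open section
            if current:
                sections[current].append(line.strip())
            continue
        current = None
        if m := re.match(r"crypto ipsec transform-set (\S+) mode transport", line):
            transport.add(m.group(1))
        elif m := re.match(r"crypto dynamic-map \S+ \d+ set transform-set (.+)", line):
            used.update(m.group(1).split())
        elif m := re.match(r"(group-policy|tunnel-group) (\S+) \S*attributes$", line):
            current = m.group(1, 2)
            sections.setdefault(current, [])
    return transport, used, sections

def check(config, tunnel_group="DefaultRAGroup"):
    """Report the group policy a tunnel group uses and where its protocol list comes from."""
    transport, used, sections = parse(config)
    policy = "DfltGrpPolicy"
    for cmd in sections.get(("tunnel-group", tunnel_group), []):
        if cmd.startswith("default-group-policy "):
            policy = cmd.split()[1]
    source, protocols = None, []                   # None: nothing configured explicitly
    for name in (policy, "DfltGrpPolicy"):         # unset attributes inherit (assumed)
        for cmd in sections.get(("group-policy", name), []):
            if cmd.startswith("vpn-tunnel-protocol ") and source is None:
                source, protocols = name, cmd.split()[1:]
    return {"group_policy": policy, "protocol_source": source, "protocols": protocols,
            "l2tp_listed": "l2tp-ipsec" in protocols,
            "transport_sets_in_dynmap": sorted(transport & used)}
```

A `protocol_source` of `None` means no vpn-tunnel-protocol line was found in either policy, so the device's built-in default applies and the script cannot say what it is.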
