L2TP issue with ASA

Answered Question
Oct 8th, 2008

Hi. I want to connect from an XP client to the PIX via an L2TP IPsec connection but I can't. This is my network.

PIX:
outside = 15.15.15.1/24
inside = 10.10.10.1/24

XP client = 15.15.15.2 (connected to ASA outside interface)

PIX config:

!!!!!!!!
PIX Version 7.2(3)
!
hostname pixfirewall
enable password xxx
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 15.x.x.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd xxx
ftp mode passive
access-list tr1 extended permit ip 10.10.10.0 255.255.255.0 17.17.17.0 255.255.255.0
access-list tr2 extended permit ip 10.10.10.0 255.255.255.0 17.17.17.0 255.255.255.0
access-list l2tp extended permit udp any any eq 1701
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool vpn 17.17.17.2-17.17.17.10
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list tr1
access-group l2tp in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ipsec esp-3des esp-md5-hmac
crypto dynamic-map dy 1 set transform-set ipsec
crypto map cry 1 ipsec-isakmp dynamic dy
crypto map cry interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
group-policy sevan internal
group-policy sevan attributes
 vpn-tunnel-protocol l2tp-ipsec
username sevan password xxx
username sevan attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group sevan type ipsec-ra
tunnel-group sevan general-attributes
 address-pool vpn
 default-group-policy sevan
tunnel-group sevan ipsec-attributes
 pre-shared-key *
tunnel-group sevan ppp-attributes
 no authentication chap
 authentication ms-chap-v2
prompt hostname context
Cryptochecksum:xxx
: end

In the XP client I have configured the VPN connection correctly according to examples that I found in Cisco documents.

When I try to connect from the XP client nothing happens. I turned debugging on and I get these errors:

Oct 07 12:04:51 [IKEv1]: Group = 15.15.15.2, IP = 15.15.15.2, Can't find a valid tunnel group, aborting...!
Oct 07 12:04:51 [IKEv1]: Group = 15.15.15.2, IP = 15.15.15.2, Removing peer from peer table failed, no match!
Oct 07 12:04:51 [IKEv1]: Group = 15.15.15.2, IP = 15.15.15.2, Error: Unable to remove PeerTblEntry
Oct 07 12:04:52 [IKEv1]: IP = 15.15.15.2, Header invalid, missing SA payload! (next payload = 4)
Oct 07 12:04:54 [IKEv1]: IP = 15.15.15.2, Header invalid, missing SA payload! (next payload = 4)
Oct 07 12:04:58 [IKEv1]: IP = 15.15.15.2, Header invalid, missing SA payload! (next payload = 4)
Oct 07 12:05:06 [IKEv1]: IP = 15.15.15.2, Header invalid, missing SA payload! (next payload = 4)

Please help me to find the problem! Thanks

mike_guy29 Wed, 10/08/2008 - 07:43

Hi,

Having just had a brief look over this I can see one thing I believe is wrong and would explain why you are getting those errors.

Your tunnel group entry is set as "tunnel-group sevan" but it will be trying to match the tunnel group by IP address. Configure it so that it says "tunnel-group 15.15.15.2 ....." and then config as before.

See if that works.

blackhat2020 Sun, 10/12/2008 - 05:18

Thanks HAPPS!

I did what you said! I mean, now I'm using the default policy-group and default tunnel group, and this is my new configuration, except for the remote host, which is now trying to connect to the ASA from interface inside, not outside, with IP address 10.10.10.2!

hostname ASA
domain-name default.domain.invalid
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
 ip address 15.15.15.1 255.255.255.0
!
interface Ethernet1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn-pool 17.17.17.2-17.17.17.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image flash:/asdm-522.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:0
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:
timeout uauth 0:05:00 absolute
http server enable
http 10.10.10.2 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto dynamic-map inside_dyn_map 20 set pfs
crypto dynamic-map inside_dyn_map 20 set transform-set TRANS_ESP_3DES_SHA
crypto map inside_map 65535 ipsec-isakmp dynamic inside_dyn_map
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
username sevan password aJ14Sk3KwgO9M8m92qRtjw== nt-encrypted privilege 15
username sevan attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn-pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
prompt hostname context
Cryptochecksum:9e6c4bc1952087f9f7a18075a6461617
: end

Now again I can't connect over L2TP from my client, but now I get another debug message when I try to connect:

ASA(config)# Oct 12 16:42:33 [IKEv1]: Group = DefaultRAGroup, IP = 10.10.10.2, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
Oct 12 16:42:33 [IKEv1]: Group = DefaultRAGroup, IP = 10.10.10.2, Removing peer from peer table failed, no match!
Oct 12 16:42:33 [IKEv1]: Group = DefaultRAGroup, IP = 10.10.10.2, Error: Unable to remove PeerTblEntry
Oct 12 16:42:36 [IKEv1]: Group = DefaultRAGroup, IP = 10.10.10.2, Tunnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
Oct 12 16:42:36 [IKEv1]: Group = DefaultRAGroup, IP = 10.10.10.2, Removing peer from peer table failed, no match!
Oct 12 16:42:36 [IKEv1]: Group = DefaultRAGroup, IP = 10.10.10.2, Error: Unable to remove PeerTblEntry

Erik Ingeberg Sun, 10/12/2008 - 09:37

I had a similar issue once, I think I had the same debug output as you. I solved it by resetting the vpn tunnel protocol in DefaultRAGroup to default value. I don't know why this worked, but it did...

Try typing this:

group-policy DefaultRAGroup attributes
 no vpn-tunnel-protocol l2tp-ipsec

Correct Answer
Farrukh Haroon Sun, 10/12/2008 - 12:41

I would advise something similar. But instead of doing "no vpn-tunnel-protocol l2tp-ipsec", you can also put the command "vpn-tunnel-protocol l2tp-ipsec" in both the concerned group-policy and the DefaultRAGroup tunnel-group. Just make sure you don't break any of your other VPNs. See this for more details:

http://www.securityie.com/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=10;t=001767

Regards

Farrukh
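
Added example, not part of any post in this thread: a small Python triage of the IKEv1 debug output quoted above, which reassembles terminal-wrapped lines and counts each rejection reason per tunnel group and peer. The reason labels and the embedded sample (a constructed excerpt of the thread's log lines) are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: debug lines in the hard-wrapped form pasted in this thread.
SAMPLE = """\
Oct 07 12:04:51 [IKEv1]: Group = 15.15.15.2, IP = 15.15.15.2, Can't
find a valid tunnel group, aborting...!
Oct 07 12:04:51 [IKEv1]: Group = 15.15.15.2, IP = 15.15.15.2, Error: Unable to r
emove PeerTblEntry
Oct 07 12:04:52 [IKEv1]: IP = 15.15.15.2, Header invalid, missing SA payload! (n
ext payload = 4)
ASA(config)# Oct 12 16:42:33 [IKEv1]: Group = DefaultRAGroup, IP = 10.10.10.2, T
unnel Rejected: Conflicting protocols specified by tunnel-group and group-policy
Oct 12 16:42:33 [IKEv1]: Group = DefaultRAGroup, IP = 10.10.10.2, Removing peer
from peer table failed, no match!
"""

# A new record starts at a timestamp, optionally preceded by a CLI prompt.
START = re.compile(r"^(?:\S+# )?[A-Z][a-z]{2} \d{2} [\d:]{8} \[IKEv1\]: ")
FIELDS = re.compile(r"\[IKEv1\]: (?:Group = ([^,]+), )?IP = ([^,]+), (.*)")

# Matched against the message with all whitespace removed, so the position
# of the terminal wrap (mid-word or between words) does not matter.
REASONS = [
    ("Can'tfindavalidtunnelgroup", "no_tunnel_group"),
    ("Conflictingprotocols", "protocol_conflict"),
    ("missingSApayload", "missing_sa_payload"),
    ("PeerTblEntry", "peer_table_cleanup"),
    ("peertablefailed", "peer_table_cleanup"),
]

def triage(text):
    """Count (group, peer_ip, reason) per reassembled IKEv1 debug record."""
    records = []
    for line in text.splitlines():
        if START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line  # continuation of a wrapped record
    counts = Counter()
    for rec in records:
        m = FIELDS.search(rec)
        if not m:
            continue
        group, ip, msg = m.groups()  # group is None when no Group field is logged
        squeezed = re.sub(r"\s+", "", msg)
        reason = next((r for k, r in REASONS if k in squeezed), "other")
        counts[(group, ip, reason)] += 1
    return counts
```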
