Windows 2003 site-to-site L2TP to ASA 5510

Jan 28th, 2009


I've set up a site-to-site ASA 5510 using L2TP, I've also set up RRAS on Windows 2003, and run the Demand Dial Interface Wizard to set up an L2TP connection to the ASA.

What I'm stuck on is the "Dial Out Credentials" page of this wizard.

If I leave all the fields blank it cannot proceed further, so I add an imaginary user here. But on the ASA side there is no user account to add while running the IPSec site-to-site wizard. So with this imaginary user account on the Windows side and no user account on the ASA side, I try to connect them (from the Windows machine). Looking at the ASDM Log Viewer, I notice that both phases are completed successfully, but then the message "IP=xxxx.xxxx.xxxx.xxxx, Received encrypted packet with no matching SA, dropping" appears in the Log Viewer, and on the Windows 2k3 side I get the message "An error occurred during connection of the interface. The local computer does not support the required data encryption type".

I googled for L2TP ASA RRAS, but found nothing that really matches my case.

Has anyone ever gotten this to work? If so, what else should I pay attention to?

Ivan Martinon Wed, 01/28/2009 - 06:00

I am confused here. Are you setting up a Remote Access L2TP VPN client? If that is the case, your setup on the ASA cannot be LAN-to-LAN (site-to-site) but rather remote access. What does your ASA config look like? When using L2TP over IPsec (which is what the ASA supports) you must have a user/password.

nkaretnikov Wed, 01/28/2009 - 06:19

I am setting up a site-to-site VPN between an ASA and Windows 2003 Server (RRAS). What I cannot figure out is how I should configure the username on the ASA side.

Ivan Martinon Wed, 01/28/2009 - 06:29

The only site-to-site protocol the ASA supports against a Windows server is IPsec, not L2TP. Site-to-site allows you to encrypt the whole network behind each server. Remote access, on the other hand, is used for connecting workstation PCs to the VPN server (ASA) using a single VPN connection. Are you sure you have the right concept of what you want to configure?

nkaretnikov Wed, 01/28/2009 - 06:36

Thank you! I must have been wrong thinking L2TP allows me to encrypt the whole network behind the Windows 2003 Server. So, could you please point me to a LAN0-RRAS-ASA-LAN1 configuration using IPSec?

Ivan Martinon Wed, 01/28/2009 - 06:41

Unfortunately, to my understanding we don't have a direct link for configuring a Windows 2003 server with a LAN-to-LAN against a Cisco ASA, so you would need to check 2 links or look in the MS Knowledge Base for the VPN setup of Windows 2003. I got you one link that shows the configuration on Windows 2000 though, hope it helps:

