I am trying to set up an L2TP VPN connection on an XP laptop. On the ASA, I am using the DefaultRAGroup and the DfltGrpPolicy. I have set DefaultRAGroup to use a pre-shared key and set User Authentication to ACS_Radius. Our ACS server is tied to AD. Does anyone know if I can use ACS to authenticate this type of user, or do I have to create local accounts on the ASA?
When I attempt to connect from the laptop, I get error 789. On the ASA, I see this:
Group = DefaultRAGroup, IP = 63.xxx.xxx.xxx, PHASE 1 COMPLETED
Group = DefaultRAGroup, IP = 63.xxx.xxx.xxx, QM FSM error (P2 struct &0xcddc7d28, mess id 0x46986b08)!
Group = DefaultRAGroup, IP = 63.xxx.xxx.xxx, Removing peer from correlator table failed, no match!
Group = DefaultRAGroup, Username = , IP = 63.xxx.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
For one thing, it looks like the laptop isn't sending the username and password. I have tried a lot of different combos on the Microsoft side, like MSCHAPv2, MSCHAP, both of them or each one individually, and matched that setting on the ASA. No matter what, I get that same error. Anybody have any ideas?
Yeah... I've never trusted guys for configuration; I caught the following errors:
1. L2TP requires transport mode to be the type of IPsec traffic used; your config seems to make reference to that, yet it is not defined:
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport   <- (needed line)
2. This transform set is not attached to the dynamic crypto map, hence it is not used:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
It should look like:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
Lastly, just to clear this up: make sure that your ACS_Radius server is indeed enabled for MS-CHAPv2 authentication from the ASA and the L2TP client; otherwise it will always fail.
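To show how the two fixes above and the MS-CHAPv2 point fit together, here is a consolidated L2TP-over-IPsec configuration for an ASA of that era (pre-8.4 syntax, no "ikev1" keywords). This is an added example, not the poster's running config or the responder's reply; the interface name "outside", the pool range, the RADIUS host address and key, and the DfltGrpPolicy/DefaultRAGroup details beyond what the thread states are assumptions.

```cisco
! --- Phase 1 (ISAKMP) with a pre-shared key; XP's built-in client negotiates 3DES/SHA/DH group 2
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! NAT-T keeps ESP alive when the XP laptop sits behind a home router
crypto isakmp nat-traversal 20

! --- Phase 2: the transform set MUST be transport mode for L2TP/IPsec (fix #1 from the reply)
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport

! --- Attach the transport-mode set to the dynamic map so it is actually offered (fix #2)
! A "Phase 2 Mismatch" / "QM FSM error" is what you see when no offered set matches.
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

! --- RADIUS group pointing at ACS (host address, interface and key are placeholders)
aaa-server ACS_Radius protocol radius
aaa-server ACS_Radius (inside) host 10.0.0.5
 key RADIUS_SHARED_SECRET_PLACEHOLDER
 ! Assumption: your ASA version supports this host attribute; it tells the ASA the
 ! server can do MS-CHAPv2, which the L2TP/PPP user authentication relies on.
 mschapv2-capable

! --- Address pool handed to the PPP side of the tunnel (range assumed)
ip local pool L2TP_POOL 192.168.100.10-192.168.100.50 mask 255.255.255.0

! --- Default group policy: allow the L2TP/IPsec tunnel type
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec

! --- DefaultRAGroup: PSK for Phase 1, ACS for the PPP user, MS-CHAPv2 as the PPP method
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP_POOL
 authentication-server-group ACS_Radius
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key PSK_PLACEHOLDER
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 no authentication ms-chap-v1
 authentication ms-chap-v2

! --- Checks after a connection attempt:
!   show crypto ipsec sa            -> expect "in use settings = { Transport, }"
!   show vpn-sessiondb detail       -> L2TP session with the ACS-authenticated username
!   debug crypto ipsec 7            -> shows the proposal the client sent vs. what the ASA offered
```

Reading the original log against this config: "PHASE 1 COMPLETED" followed immediately by "Phase 2 Mismatch" with an empty Username means IKE never got far enough for L2TP/PPP to run, so no username is sent yet; the empty field is a symptom of the Phase 2 proposal problem, not of the client withholding credentials. Once Phase 2 matches in transport mode, a wrong PPP method or an ACS policy that rejects MS-CHAPv2 shows up as a different failure with the username populated.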