Microsoft L2TP VPN to ASA 5520

Answered Question
Mar 4th, 2009

I am trying to setup an L2TP VPN connection on an XP laptop. On the ASA, I am using the DefaultRAGroup and the DfltGrpPolicy. I have set DefaultRAGroup to use a pre-shared key and set User Authentication to ACS_Radius. Our ACS server is tied to AD. Does anyone know if I can use ACS to authenticate this type of user or do I have to create local accounts on the ASA?

When I attempt to connect from the laptop, I get error 789. On the ASA, I see this:

Group = DefaultRAGroup, IP = 63.xxx.xxx.xxx, PHASE 1 COMPLETED
Group = DefaultRAGroup, IP = 63.xxx.xxx.xxx, QM FSM error (P2 struct &0xcddc7d28, mess id 0x46986b08)!
Group = DefaultRAGroup, IP = 63.xxx.xxx.xxx, Removing peer from correlator table failed, no match!
Group = DefaultRAGroup, Username = , IP = 63.xxx.xxx.xxx, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch

For one thing, it looks like the laptop isn't sending the username and password. I have tried a lot of different combos on the microsoft side like MSCHAPv2, MSCHAP, both of them or each one individually and matched that setting on the ASA. No matter what, I get that same error. Anybody have any ideas?

Ivan Martinon Wed, 03/04/2009 - 10:45

You can certainly use RADIUS to authenticate this user coming from this type of connection, either IAS or ACS or any other RADIUS server; there are several key points to consider when setting up this type of connection. For instance, unless specified on the server, you might need to have PAP as the authentication protocol under the tunnel group; make sure this setup is the same on the L2TP client under the advanced authentication parameters. Please go ahead and post your config so we can check that it is right.

Correct Answer
Ivan Martinon Thu, 03/05/2009 - 09:40

Yeah... I've never trusted guys for configuration, I caught the following errors:

1. L2TP Requires transport mode to be the type of IPSEC traffic used, your config seems to make reference to that yet it is not defined:

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport   <- (needed line)

2. This transform set is not attached to the dynamic crypto hence not used:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

It should look like:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA

Lastly it is just to clear up, make sure that your ACS_Radius server is indeed enabled for MS-CHAPv2 authentication from the ASA and the l2tp client, otherwise it will always fail.
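As an added check (not from the thread or from Cisco), a small Python lint that scans an ASA config for the two defects listed in the answer above: a transform set that lacks `mode transport`, and a transport-mode set that no dynamic crypto map references. The config snippets inside are constructed from the names in this thread; the ESP-* sets are the ASA defaults.

```python
import re

# Constructed sample reproducing the two mistakes called out above:
# transform set defined without 'mode transport' and not attached to the dynamic-map.
BROKEN_CFG = """\
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
"""
# Fix 1 applied ('mode transport') but fix 2 still missing (set not attached).
PARTIAL_CFG = BROKEN_CFG.replace(
    "esp-md5-hmac\n",
    "esp-md5-hmac\ncrypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport\n")
# Both fixes applied: the transport-mode set is appended to the dynamic-map entry.
FIXED_CFG = PARTIAL_CFG.replace("ESP-3DES-MD5\n", "ESP-3DES-MD5 TRANS_ESP_3DES_SHA\n")

TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
DYN_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+) set transform-set (.+)$")


def lint_l2tp(config: str) -> list:
    """Return findings; an empty list means the L2TP/IPsec phase-2 prerequisites are met."""
    transport = set()   # transform sets declared 'mode transport'
    attached = {}       # "<dynamic-map> <seq>" -> transform sets offered to clients
    l2tp_enabled = False
    for raw in config.splitlines():
        line = raw.strip()
        if m := TS_RE.match(line):
            name, rest = m.groups()
            if rest.strip() == "mode transport":
                transport.add(name)
        elif m := DYN_RE.match(line):
            attached[f"{m.group(1)} {m.group(2)}"] = m.group(3).split()
        elif line.startswith("vpn-tunnel-protocol") and "l2tp-ipsec" in line.split():
            l2tp_enabled = True

    findings = []
    if not l2tp_enabled:
        findings.append("no group-policy lists l2tp-ipsec in vpn-tunnel-protocol")
    if not transport:
        findings.append("no transform set has 'mode transport'; L2TP/IPsec requires one")
    usable = {s for sets in attached.values() for s in sets if s in transport}
    for name in sorted(transport - usable):
        findings.append(f"transport-mode set {name} is not referenced by any dynamic-map")
    if transport and not usable:
        findings.append("no dynamic-map entry offers a transport-mode set; expect 'Phase 2 Mismatch'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CFG), ("partial", PARTIAL_CFG), ("fixed", FIXED_CFG)):
        print(label, lint_l2tp(cfg) or ["ok"])
```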

troymaki Thu, 03/05/2009 - 11:30

That solved the connection issue. Thanks for the help. Now, I have another question. In ASDM, under Monitoring, VPN, VPN Stats, Sessions, I can see my connection but it says Encryption is none. In ACS under Microsoft Radius Attributes, I have Encryption Required and Encryption type set to 128 bit. On the MS Client, I have Data Encryption set to Require and the protocol set to CHAPv2.

Here is a 'sho crypto ips sa' from the ASA:

Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: x64.x.x.x

      local ident (addr/mask/prot/port): (x64.x.x.x/255.255.255.255/17/1701)
      remote ident (addr/mask/prot/port): (x63.x.x.x/255.255.255.255/17/0)
      current_peer: x63.x.x.x, username: domain\myusername
      dynamic allocated peer ip: 10.x.x.52

      #pkts encaps: 3748, #pkts encrypt: 3748, #pkts digest: 3748
      #pkts decaps: 4809, #pkts decrypt: 4809, #pkts verify: 4809
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3748, #pkts comp failed: 0, #pkts decomp failed: 0
      #post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 7

      local crypto endpt.: x64.x.x.x/4500, remote crypto endpt.: x63.x.x.x/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: F8E88351

    inbound esp sas:
      spi: 0x3330BF91 (858832785)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Transport, NAT-T-Encaps, }
         slot: 0, conn_id: 9916416, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (230321/2829)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xF8E88351 (4175987537)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Transport, NAT-T-Encaps, }
         slot: 0, conn_id: 9916416, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (229859/2829)
         IV size: 8 bytes
         replay detection support: Y

Ivan Martinon Thu, 03/05/2009 - 11:42

Good to hear. I'd like to see what you see, so please log into your ASA via CLI and get the output of the following command:

show vpn-sessiondb detailed remote

troymaki Thu, 03/05/2009 - 11:48

Look at the L2TPOverIPsecOverNAT. That is what I see in the ASDM that shows encryption as None.

lsfw01# sho vpn-sessiondb deta remote

Username     : domain\myusername      Index        : 2423
Assigned IP  : 10.x.x.52              Public IP    : x63.x.x.x
Protocol     : IKE IPsecOverNatT L2TPOverIPsecOverNatT
License      : IPsec
Encryption   : none 3DES              Hashing      : MD5 SHA1
Bytes Tx     : 532404                 Bytes Rx     : 416288
Pkts Tx      : 998                    Pkts Rx      : 1249
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : DefaultRAGroup         Tunnel Group : DefaultRAGroup
Login Time   : 13:01:10 CST Thu Mar 5 2009
Duration     : 0h:03m:07s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

IKE Tunnels: 1
IPsecOverNatT Tunnels: 1
L2TPOverIPsecOverNatT Tunnels: 1

IKE:
  Tunnel ID    : 2423.1
  UDP Src Port : 4500                   UDP Dst Port : 4500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : MD5
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28613 Seconds
  D/H Group    : 2
  Filter Name  :

IPsecOverNatT:
  Tunnel ID    : 2423.2
  Local Addr   : x64.x.x.x/255.255.255.255/17/1701
  Remote Addr  : x63.x.x.x/255.255.255.255/17/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Transport
  Rekey Int (T): 3600 Seconds           Rekey Left(T): 3413 Seconds
  Rekey Int (D): 231933 K-Bytes         Rekey Left(D): 231414 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Bytes Tx     : 532404                 Bytes Rx     : 416288
  Pkts Tx      : 998                    Pkts Rx      : 1249

L2TPOverIPsecOverNatT:
  Tunnel ID    : 2423.3
  Username     : domain\myusername
  Assigned IP  : 10.x.x.52              Public IP    : x63.x.x.x
  Encryption   : none                   Auth Mode    : msCHAPV2
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Client OS    : Microsoft
  Client OS Ver: 5.0
  Bytes Tx     : 504263                 Bytes Rx     : 380942
  Pkts Tx      : 993                    Pkts Rx      : 1241

NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 187 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :

Ivan Martinon Thu, 03/05/2009 - 13:02

I see what you are saying. Honestly, I have never noticed that before, since the encryption used by the IPsec along with the hashing used with MS-CHAPv2 seems like enough to me. I would not be able to give you an answer as to why this is not shown here. My guess is that maybe the ACS does not support this type of encryption.

troymaki Thu, 03/05/2009 - 13:11

Sounds good. I appreciate your time and help with this.

Thanks

Tshi M Wed, 09/08/2010 - 06:51

I am having a somewhat similar problem with my setup. However, in my case, L2TP users are able to connect but not able to reach the remote LAN (i.e. the network behind the ASA, 192.168.24.0 255.255.254.0) while Cisco VPN clients can. If I manually enter the static route on the L2TP client, it is able to connect to the 192.168.24.0/23 network. The route command is "route add 192.168.24.0 mask 255.255.254.0 172.16.10.x", x being the last octet of the assigned IP from the remote pool.

object-group network DMZ
network-object 192.168.24.0 255.255.254.0

object-group network RAS_Users
network-object 172.16.10.0 255.255.255.0

access-list RAVPN_Split_Tunnel standard permit 192.168.24.0 255.255.254.0
access-list nonat-traffic extended permit ip object-group DMZ object-group RAS_Users

ip local pool CARTVPN 172.16.10.1-172.16.10.254

nat (inside) 0 access-list nonat-traffic

crypto ipsec transform-set NJ1 esp-3des esp-md5-hmac
crypto ipsec transform-set CART-PPTP esp-3des esp-sha-hmac
crypto ipsec transform-set CART-PPTP mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 20 set transform-set CART-PPTP NJ1

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RAVPN_Split_Tunnel

tunnel-group DefaultRAGroup general-attributes
address-pool CARTVPN
authentication-server-group CART-RADIUS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2

group-policy DMZ-RA-VPN-GROUP internal
group-policy DMZ-RA-VPN-GROUP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RAVPN_Split_Tunnel

tunnel-group DMZ-RA-VPN-GROUP type remote-access
tunnel-group DMZ-RA-VPN-GROUP general-attributes
address-pool CARTVPN
authentication-server-group CART-RADIUS
default-group-policy DMZ-RA-VPN-GROUP
tunnel-group DMZ-RA-VPN-GROUP ipsec-attributes
pre-shared-key *****
