Remote access VPN over UDP transport

Answered Question
Jan 20th, 2010
Hi folks,

I have a Cisco ASA-5505 running 8.2(1), and I'm trying to configure it for remote access VPN
connections using L2TP over IPsec.  It completes Phase 1 with no problem.  Then it picks up
the correct dynamic crypto-map, but fails to negotiate an IPsec SA:

Jan 20 18:29:38 [IKEv1]: Group = DefaultRAGroup, IP = x, PHASE 1 COMPLETED
Jan 20 18:29:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x, processing IPSec SA payload
Jan 20 18:29:39 [IKEv1]: Group = DefaultRAGroup, IP = x, IKE Remote Peer configured for crypto map: x-VPN
Jan 20 18:29:39 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: Transport
Jan 20 18:29:39 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: Transport
Jan 20 18:29:39 [IKEv1]: Group = DefaultRAGroup, IP = x, All IPSec SA proposals found unacceptable!

So the problem seems to be that the VPN client is requesting UDP transport, but the ASA will not accept it.

Please would someone have a look at these snippets of config and tell me if there's something
I've missed?

crypto isakmp policy 119
 authentication pre-share
 encryption 3des
 hash sha     
 group 2
 lifetime 86400

crypto ipsec transform-set TRANSPORT_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANSPORT_ESP_3DES_SHA mode transport

crypto dynamic-map x-VPN 10 set transform-set TRANSPORT_ESP_3DES_SHA
crypto dynamic-map x-VPN 10 set nat-t-disable

crypto map IPSECMap 103 ipsec-isakmp dynamic x-VPN

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 172.20.0.1
 dns-server value 172.20.0.1
 vpn-tunnel-protocol IPSec l2tp-ipsec 
 ipsec-udp enable
 default-domain value x.local

tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group x
 default-group-policy DefaultRAGroup

Thanks,

Philip
Correct Answer by Kureli Sankar about 6 years 12 months ago

Missing transform-set.

-KS

philipplant Wed, 01/20/2010 - 11:24
Missed that from my config snips above, added now.  Any other thoughts please?

Thanks,

Philip
philipplant Wed, 01/20/2010 - 11:34

Oh.  It was that nat-t-disable option that was screwing things up; it didn't need to be there :-)

Still, job done - and thanks for the reply.

Philip
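The two things raised in this thread (a dynamic map with no transform-set, and `set nat-t-disable` rejecting a peer that proposes "UDP Transport", i.e. NAT-T encapsulated transport mode) are easy to spot by hand once, but worth automating when you troubleshoot many ASA remote-access tunnels. The script below is an added example, not Cisco's code and not anything posted in the thread: it reads ASA 8.2-style IKEv1 debug lines and a slice of the running config, works out which dynamic map Phase 2 selected, and reports the two misconfigurations discussed above. The sample log and config embedded in it are constructed from the snippets posted in the question; the message format it parses is assumed to match those lines exactly.

```python
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the log lines and config posted in the thread.
SAMPLE_LOG = """\
Jan 20 18:29:38 [IKEv1]: Group = DefaultRAGroup, IP = x, PHASE 1 COMPLETED
Jan 20 18:29:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x, processing IPSec SA payload
Jan 20 18:29:39 [IKEv1]: Group = DefaultRAGroup, IP = x, IKE Remote Peer configured for crypto map: x-VPN
Jan 20 18:29:39 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: Transport
Jan 20 18:29:39 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: Transport
Jan 20 18:29:39 [IKEv1]: Group = DefaultRAGroup, IP = x, All IPSec SA proposals found unacceptable!
"""

SAMPLE_CONFIG = """\
crypto ipsec transform-set TRANSPORT_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANSPORT_ESP_3DES_SHA mode transport
crypto dynamic-map x-VPN 10 set transform-set TRANSPORT_ESP_3DES_SHA
crypto dynamic-map x-VPN 10 set nat-t-disable
crypto map IPSECMap 103 ipsec-isakmp dynamic x-VPN
"""

# Phase 2 attribute mismatch, as logged by ASA 8.2 (assumed format, taken from the thread).
MISMATCH_RE = re.compile(
    r"Phase 2 failure:\s+Mismatched attribute types for class (?P<cls>.+?):\s+"
    r"Rcv'd:\s+(?P<rcvd>.+?)\s+Cfg'd:\s+(?P<cfgd>.+?)\s*$"
)
CRYPTO_MAP_RE = re.compile(r"IKE Remote Peer configured for crypto map: (?P<name>\S+)")
DYNMAP_RE = re.compile(r"^crypto dynamic-map (?P<name>\S+) (?P<seq>\d+) set (?P<opt>.+)$")


@dataclass
class Finding:
    severity: str
    message: str


def parse_mismatches(log_text):
    """Return unique (class, received, configured) tuples; the ASA logs each one twice."""
    seen = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            item = (m["cls"], m["rcvd"], m["cfgd"])
            if item not in seen:
                seen.append(item)
    return seen


def selected_crypto_map(log_text):
    """Name of the dynamic map the ASA matched the peer to, or None."""
    for line in log_text.splitlines():
        m = CRYPTO_MAP_RE.search(line)
        if m:
            return m["name"]
    return None


def dynamic_map_options(config_text, name):
    """Map of sequence number -> list of 'set ...' options for the named dynamic map."""
    opts = {}
    for line in config_text.splitlines():
        m = DYNMAP_RE.match(line.strip())
        if m and m["name"] == name:
            opts.setdefault(int(m["seq"]), []).append(m["opt"])
    return opts


def analyze(log_text, config_text):
    """Cross-check the Phase 2 failure against the dynamic map that was selected."""
    findings = []
    map_name = selected_crypto_map(log_text)
    if map_name is None:
        return findings  # no map was matched; the problem is earlier than this check
    entries = dynamic_map_options(config_text, map_name)
    if not entries:
        return [Finding("error", f"dynamic-map {map_name} referenced in log but absent from config")]
    encap = [m for m in parse_mismatches(log_text) if m[0] == "Encapsulation Mode"]
    for seq, opts in sorted(entries.items()):
        if not any(o.startswith("transform-set") for o in opts):
            findings.append(Finding("error", f"dynamic-map {map_name} {seq}: no 'set transform-set'"))
        # Peer proposed UDP-encapsulated (NAT-T) transport; nat-t-disable makes the ASA refuse it.
        if encap and "nat-t-disable" in opts and "UDP" in encap[0][1]:
            rcvd, cfgd = encap[0][1], encap[0][2]
            findings.append(Finding(
                "error",
                f"dynamic-map {map_name} {seq}: 'set nat-t-disable' is present but the peer "
                f"proposed '{rcvd}' (configured: '{cfgd}'); remove nat-t-disable"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.message}")
```

Run against the constructed input it reports the `nat-t-disable` problem; delete that line from the config and it reports nothing, which matches the resolution Philip posted. The deduplication in `parse_mismatches` matters because the ASA logs the same mismatch once per rejected proposal.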
