01-20-2010 10:56 AM - edited 03-11-2019 09:59 AM
Hi folks,

I have a Cisco ASA-5505 running 8.2(1), and I'm trying to configure it for remote access VPN connections using L2TP over IPsec. It completes Phase 1 with no problem. Then it picks up the correct dynamic crypto-map, but fails to negotiate an IPsec SA:

Jan 20 18:29:38 [IKEv1]: Group = DefaultRAGroup, IP = x, PHASE 1 COMPLETED
Jan 20 18:29:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x, processing IPSec SA payload
Jan 20 18:29:39 [IKEv1]: Group = DefaultRAGroup, IP = x, IKE Remote Peer configured for crypto map: x-VPN
Jan 20 18:29:39 [IKEv1]: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Transport Cfg'd: Transport
Jan 20 18:29:39 [IKEv1]: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Transport Cfg'd: Transport
Jan 20 18:29:39 [IKEv1]: Group = DefaultRAGroup, IP = x, All IPSec SA proposals found unacceptable!

So the problem seems to be that the VPN client is requesting UDP transport, but the ASA will not accept it. Please would someone have a look at these snippets of config and tell me if there's something I've missed?

crypto isakmp policy 119
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set TRANSPORT_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANSPORT_ESP_3DES_SHA mode transport

crypto dynamic-map x-VPN 10 set transform-set TRANSPORT_ESP_3DES_SHA
crypto dynamic-map x-VPN 10 set nat-t-disable
crypto map IPSECMap 103 ipsec-isakmp dynamic x-VPN

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 172.20.0.1
 dns-server value 172.20.0.1
 vpn-tunnel-protocol IPSec l2tp-ipsec
 ipsec-udp enable
 default-domain value x.local

tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group x
 default-group-policy DefaultRAGroup

Thanks,
Philip
01-20-2010 11:18 AM
Missing transform-set.
-KS
01-20-2010 11:24 AM
Missed that from my config snips above, added now. Any other thoughts please?

Thanks,
Philip
01-20-2010 11:34 AM
Oh. It was that nat-t-disable option that was screwing things up; it didn't need to be there :-)
Still, job done - and thanks for the reply.
Philip
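The diagnosis in this thread came from reading the "Phase 2 failure: Mismatched attribute types" lines in the IKEv1 debug output. The following script is an added example, not code from the thread or from Cisco: it parses those ASA lines, pulls out the attribute class plus the received and configured values, and maps the specific "UDP Transport vs Transport" pattern to the cause found above (NAT-T disabled on the matching dynamic crypto map). The sample log is constructed from the lines quoted in the original post; the interpretation in likely_cause() is a heuristic, not an ASA-documented rule.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the IKEv1 debug lines quoted in the thread above.
SAMPLE_LOG = """\
Jan 20 18:29:38 [IKEv1]: Group = DefaultRAGroup, IP = x, PHASE 1 COMPLETED
Jan 20 18:29:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x, processing IPSec SA payload
Jan 20 18:29:39 [IKEv1]: Group = DefaultRAGroup, IP = x, IKE Remote Peer configured for crypto map: x-VPN
Jan 20 18:29:39 [IKEv1]: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Transport Cfg'd: Transport
Jan 20 18:29:39 [IKEv1]: Phase 2 failure: Mismatched attribute types for class Encapsulation Mode: Rcv'd: UDP Transport Cfg'd: Transport
Jan 20 18:29:39 [IKEv1]: Group = DefaultRAGroup, IP = x, All IPSec SA proposals found unacceptable!
"""

# Matches the ASA 8.x Phase 2 attribute-mismatch message and captures its three fields.
MISMATCH_RE = re.compile(
    r"Phase 2 failure: Mismatched attribute types for class (?P<cls>[^:]+): "
    r"Rcv'd: (?P<rcvd>.+?) Cfg'd: (?P<cfgd>.+)$"
)


@dataclass(frozen=True)
class Phase2Mismatch:
    attr_class: str   # e.g. "Encapsulation Mode"
    received: str     # what the peer proposed, e.g. "UDP Transport"
    configured: str   # what the crypto map / transform-set allows, e.g. "Transport"

    def likely_cause(self) -> str:
        """Heuristic explanation (assumption, based on the thread's outcome)."""
        peer_wants_natt = self.received.startswith("UDP ")
        asa_allows_natt = self.configured.startswith("UDP ")
        if self.attr_class == "Encapsulation Mode" and peer_wants_natt and not asa_allows_natt:
            return ("peer proposes NAT-T (UDP-encapsulated ESP) but the matching crypto map "
                    "refuses it: check for 'set nat-t-disable' on the dynamic crypto map")
        return f"proposal mismatch for {self.attr_class}: review the transform-set / crypto map"


def parse_phase2_failures(log: str) -> List[Phase2Mismatch]:
    """Return each distinct Phase 2 mismatch in order (the ASA logs the same line twice)."""
    found: List[Phase2Mismatch] = []
    for line in log.splitlines():
        m = MISMATCH_RE.search(line.rstrip())
        if m:
            item = Phase2Mismatch(m["cls"], m["rcvd"], m["cfgd"])
            if item not in found:
                found.append(item)
    return found


if __name__ == "__main__":
    for mismatch in parse_phase2_failures(SAMPLE_LOG):
        print(f"{mismatch.attr_class}: rcvd={mismatch.received!r} cfgd={mismatch.configured!r}")
        print("  ->", mismatch.likely_cause())
```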