L2TP/IPSec windows to ASA

mlopacinski
Level 1

Hello

I've configured L2TP/IPsec connections from Windows to the ASA. Phase 1 and 2 are successful, the tunnel is created but immediately after that deleted. Tested from Windows XP and Windows 7. I use DefaultRAGroup for that (cannot use any group which is not the default, a Windows limitation). Here is my config:

group-policy DfltGrpPolicy attributes
wins-server value 10.1.1.1
dns-server value 10.1.1.1
vpn-idle-timeout 300
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
user-authentication enable
nem enable
nac-settings value DfltGrpPolicy-nac-framework-create
webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization

tunnel-group DefaultRAGroup general-attributes
address-pool asa-admins
authentication-server-group CSACS
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
authentication pap
authentication ms-chap-v2
authentication eap-proxy

crypto dynamic-map outside_dyn_map 10 set transform-set TRANS_ESP_AES_SHA TRANS_ESP_DES_SHA ESP-AES-256-SHA ESP-AES-256-MD5 ESP-AES-128-SHA ESP-AES-128-MD5 ESP-3DES-MD5 ESP-3DES-SHA ESP-DES-MD5 ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

And here are some logs:

Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-715027: Group = DefaultRAGroup, IP = 193.193.193.193, IPSec SA Proposal # 1, Transform # 1 acceptable  Matches global IPSec SA entry # 10

Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-710005: UDP request discarded from 193.193.193.193/4204 to outside:outside-interface/4500
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-6-602303: IPSEC: An outbound remote access SA (SPI= 0xAEA59455) between outside-interface and 193.193.193.193 (user= DefaultRAGroup) has been created.
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-715007: Group = DefaultRAGroup, IP = 193.193.193.193, IKE got a KEY_ADD msg for SA: SPI = 0xaea59455
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-6-602303: IPSEC: An inbound remote access SA (SPI= 0x9D3B8BDE) between outside-interface and 193.193.193.193 (user= DefaultRAGroup) has been created.
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-715077: Group = DefaultRAGroup, IP = 193.193.193.193, Pitcher: received KEY_UPDATE, spi 0x9d3b8bde
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-715080: Group = DefaultRAGroup, IP = 193.193.193.193, Starting P2 rekey timer: 3060 seconds.
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-5-713120: Group = DefaultRAGroup, IP = 193.193.193.193, PHASE 2 COMPLETED (msgid=00000001)
Feb 17 13:27:07 vpnasa1 Feb 17 2010 13:27:07 vpnasa1 : %ASA-7-713906: IKEQM_Active() Add L2TP classification rules: ip <193.193.193.193> mask <0xFFFFFFFF> port <4204>
Feb 17 13:27:08 vpnasa1 Feb 17 2010 13:27:08 vpnasa1 : %ASA-7-710005: UDP request discarded from 193.193.193.193/4204 to outside:outside-interface/1701
Feb 17 13:27:08 vpnasa1 Feb 17 2010 13:27:08 vpnasa1 : %ASA-6-302016: Teardown UDP connection 56281479 for outside:193.193.193.193/4204 to identity:outside-interface/1701 duration 0:01:07 bytes 431
Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-6-302015: Built inbound UDP connection 56282536 for outside:193.193.193.193/4204 (193.193.193.193/4204) to identity:outside-interface/1701 (outside-interface/1701)
Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-6-603106: L2TP Tunnel created, tunnel_id is 50, remote_peer_ip is 193.193.193.193 ppp_virtual_interface_id is 1, client_dynamic_ip is 0.0.0.0 username is user1
Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-6-603107: L2TP Tunnel deleted, tunnel_id = 50, remote_peer_ip = 193.193.193.193

Feb 17 13:27:10 vpnasa1 Feb 17 2010 13:27:10 vpnasa1 : %ASA-4-113019: Group = DefaultRAGroup, Username = , IP = 193.193.193.193, Session disconnected. Session Type: IPsecOverNatT, Duration: 0h:00m:03s, Bytes xmt: 795, Bytes rcv: 1204, Reason: L2TP initiated

What's wrong?

Thanx


andrew.prince
Level 10

Firstly, compare your config with the below config example:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml

See if there is anything missing!

problems

Hello

There are no missing commands. I think it's a bug. When I switched to:

tunnel-group DefaultRAGroup general-attributes
    no authentication-server-group ACS

So, when I've enabled local authentication instead of ACS through RADIUS, the ASA was able to bring the tunnel UP and I received an IP address, but with an incorrect mask (/32 instead of /24), and I was not able to ping anything. When I tried to ping, the logs showed:

Feb 17 14:41:52 asa1 Feb 17 2010 14:41:52 asa1 : %ASA-4-402115: IPSEC: Received a packet from 193.193.193.193 to outside-interface containing UDP data instead of UDP data.

But when i try to use ACS:

tunnel-group DefaultRAGroup general-attributes
    authentication-server-group ACS

(ACS is used in many other tunnel groups and works fine), then the ASA does not bring the tunnel UP; it does not even send any traffic to ACS (sniffed). In the logs it shows:

Feb 17 11:11:48 asa1 Feb 17 2010 11:11:48 asa1 : %ASA-5-713120: Group = DefaultRAGroup, IP = 193.193.193.193, PHASE 2 COMPLETED (msgid=00000001)
Feb 17 11:11:48 asa1 Feb 17 2010 11:11:48 asa1 : %ASA-7-713906: IKEQM_Active() Add L2TP classification rules: ip <193.193.193.193> mask <0xFFFFFFFF> port <56892>
Feb 17 11:11:49 asa1 Feb 17 2010 11:11:49 asa1 : %ASA-6-302015: Built inbound UDP connection 56148802 for outside:193.193.193.193/56892 (193.193.193.193/56892) to identity:outside-interface/1701 (outside-interface/1701)
Feb 17 11:11:50 asa1 Feb 17 2010 11:11:50 asa1 : %ASA-6-603106: L2TP Tunnel created, tunnel_id is 15, remote_peer_ip is 193.193.193.193 ppp_virtual_interface_id is 1, client_dynamic_ip is 0.0.0.0 username is user1
Feb 17 11:11:50 asa1 Feb 17 2010 11:11:50 asa1 : %ASA-6-603107: L2TP Tunnel deleted, tunnel_id = 15, remote_peer_ip = 193.193.193.193

Why?

Post your config for review, removing sensitive information.

Attaching config.

Basically I have tunnel-group DefaultRAGroup, which uses DfltGrpPolicy.

Right now I use authentication-server-group CSACS.


It seems the ASA is very unstable with L2TP. I did not change the configuration, but today it does not matter if I use local or CSACS authentication. It always shows:

Feb 18 08:45:26 asa1 Feb 18 2010 08:45:26 asa1 : %ASA-7-713906: Group = DefaultRAGroup, IP = 193.193.193.193, peer is not authenticated by xauth - drop connection.

Yesterday, with local authentication, it was able to bring the tunnel UP and give an IP address, but I could not ping anything :(

What is wrong with the below config?

access-list inside_nat0_outbound extended permit ip any 172.28.255.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.25.9.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.28.66.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.25.14.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.25.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.28.18.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.28.17.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.30.32.0 255.255.240.0
access-list inside_nat0_outbound extended permit ip any 172.28.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.28.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.28.252.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 10.40.197.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.40.196.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.28.252.0 255.255.255.0
!
nat (inside) 0 access-list inside_nat0_outbound
!
ip local pool vpnasa-admins 172.25.251.20-172.25.251.254 mask 255.255.255.0
ip local pool vpnasa-other 172.28.252.1-172.28.252.99 mask 255.255.255.0
ip local pool vpnasa-test 172.25.246.10-172.25.246.240 mask 255.255.255.0
ip local pool vpnasa-xxxx 172.25.252.1-172.25.252.254 mask 255.255.255.0

OK, I've corrected that ACL so that all VPN pools are not NATted. Added:

access-list inside_nat0_outbound extended permit ip any 172.25.252.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.25.246.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.25.251.0 255.255.255.0

But it's not the source of the problem. Errors are still the same.

Thanx

Actually it fixes the previous issue of being able to connect and not able to ping anything.

You now have a new issue; it seems related to authentication. Configure the below and test again using a locally configured uid/pwd.

tunnel-group DefaultRAGroup general-attributes

no authentication-server-group CSACS <>

You are right. Now new problems have emerged. I've already done this test; it does not matter if it's local or CSACS, the error is the same:

Feb 18 11:57:04 vpnasa1 Feb 18 2010 11:57:04 vpnasa1 : %ASA-7-713906: Group = DefaultRAGroup, IP = 193.193.193.193, peer is not authenticated by xauth - drop connection

Of course the appropriate users exist locally and on CSACS (I could log in using the Cisco VPN client).

Thanx

Do any other of the RVPNs work?

That error sounds like an IKE issue; input the below at the CLI:

debug crypto isakmp 50

debug crypto ipsec 50

Then test again, and post the output of the debug.

Yes, IPsec Remote Access works fine (it's in another tunnel-group, not the default one).

Here are the logs for L2TP/IPsec remote access:

Feb 18 13:18:47 vpnasa1 Feb 18 2010 13:18:47 vpnasa1 : %ASA-5-713119: Group = DefaultRAGroup, IP = 193.193.193.193, PHASE 1 COMPLETED
Feb 18 13:18:47 vpnasa1 Feb 18 2010 13:18:47 vpnasa1 : %ASA-7-713121: IP = 193.42.230.60, Keep-alive type for this connection: None
Feb 18 13:18:47 vpnasa1 Feb 18 2010 13:18:47 vpnasa1 : %ASA-7-715080: Group = DefaultRAGroup, IP = 193.193.193.193, Starting P1 rekey timer: 21600 seconds.
Feb 18 13:18:47 vpnasa1 Feb 18 2010 13:18:47 vpnasa1 : %ASA-7-720041: (VPN-Secondary) Sending New Phase 1 SA message (type RA, remote addr 193.42.230.60, my cookie 1D9F6DD0, his cookie 2A192503) to standby unit
Feb 18 13:18:47 vpnasa1 Feb 18 2010 13:18:47 vpnasa1 : %ASA-7-714003: IP = 193.42.230.60, IKE Responder starting QM: msg id = 00000001
Feb 18 13:18:47 vpnasa1 Feb 18 2010 13:18:47 vpnasa1 : %ASA-7-713236: IP = 193.42.230.60, IKE_DECODE RECEIVED Message (msgid=1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 404
Feb 18 13:18:47 vpnasa1 Feb 18 2010 13:18:47 vpnasa1 : %ASA-7-715047: Group = DefaultRAGroup, IP = 193.193.193.193, processing hash payload
Feb 18 13:18:47 vpnasa1 Feb 18 2010 13:18:47 vpnasa1 : %ASA-7-715047: Group = DefaultRAGroup, IP = 193.193.193.193, processing SA payload
Feb 18 13:18:47 vpnasa1 Feb 18 2010 13:18:47 vpnasa1 : %ASA-7-715047: Group = DefaultRAGroup, IP = 193.193.193.193, processing nonce payload
Feb 18 13:18:47 vpnasa1 Feb 18 2010 13:18:47 vpnasa1 : %ASA-7-715047: Group = DefaultRAGroup, IP = 193.193.193.193, processing ID payload
Feb 18 13:18:47 vpnasa1 Feb 18 2010 13:18:47 vpnasa1 : %ASA-7-714011: Group = DefaultRAGroup, IP = 193.193.193.193, ID_IPV4_ADDR ID received 10.200.12.87
Feb 18 13:18:47 vpnasa1 Feb 18 2010 13:18:47 vpnasa1 : %ASA-7-713025: Group = DefaultRAGroup, IP = 193.193.193.193, Received remote Proxy Host data in ID Payload:  Address 10.200.12.87, Protocol 17, Port 1701
Feb 18 13:18:47 vpnasa1 Feb 18 2010 13:18:47 vpnasa1 : %ASA-7-715047: Group = DefaultRAGroup, IP = 193.193.193.193, processing ID payload
Feb 18 13:18:47 vpnasa1 Feb 18 2010 13:18:47 vpnasa1 : %ASA-7-714011: Group = DefaultRAGroup, IP = 193.193.193.193, ID_IPV4_ADDR ID received 193.42.228.48
Feb 18 13:18:47 vpnasa1 Feb 18 2010 13:18:47 vpnasa1 : %ASA-7-713024: Group = DefaultRAGroup, IP = 193.193.193.193, Received local Proxy Host data in ID Payload:  Address 193.42.228.48, Protocol 17, Port 1701
Feb 18 13:18:47 vpnasa1 Feb 18 2010 13:18:47 vpnasa1 : %ASA-7-713906: Group = DefaultRAGroup, IP = 193.193.193.193, peer is not authenticated by xauth - drop connection.

Phase 1 is completed, so it seems it's not an ISAKMP problem. It's an xauth problem, but why? I have the appropriate user defined locally/remotely.

Debug does not really show anything more; ISAKMP is OK, and the IPsec debug does not show anything related to this connection (because it fails in phase 1.5, xauth?).

Thanx

Quick question for you: this L2TP/IPsec client configured on your Windows is the default one, correct? If that is the case then it is most likely using MSCHAP v2 to authenticate to your RADIUS server, and if that is the case, you need to make sure that your RADIUS is defined for that, and your ASA needs to be configured accordingly as well.

First, go ahead and edit the L2TP/IPsec VPN connection on your Windows box, click on Properties and go to the Security tab. Once in there, select the "Advanced" radio button and click on Settings; another window will appear. Once in there, deselect all boxes and leave just the following option: "Unencrypted password (PAP)".

Apply your settings and try to connect again. See, the ASA requires password management defined under the tunnel group to enable MSCHAP v2, and if you have enabled PAP, MSCHAP v1 and v2, what will be chosen by the Windows box is the most secure one, which is MSCHAP v2; if your RADIUS does not have this enabled then authentication might not work.

To test if authentication is the one failing go ahead and enable the following debugs when you are trying to connect and send them over:

debug aaa common 50

debug aaa radius

HTH

Ivan

Hello

I've earlier checked all the options on the client (Windows): PAP, CHAP, MSCHAPv2, EAP, all enabled. Also on the ASA all methods (including MSCHAPv2, MSCHAPv1), and on CSACS I have enabled all methods too. 2 days ago CSACS received some communication when the ASA worked (at least it was able to bring up the tunnel), but since then the ASA does not work. I did not change anything in the configuration. Today I upgraded to version 8.2.2. The problem remains. No matter what options I set, I always get the same error (no matter if local or CSACS authentication):

Feb 19 07:34:33 asa1 Feb 19 2010 07:34:33 asa1 : %ASA-7-713906: Group = DefaultRAGroup, IP = 193.193.193.193, peer is not authenticated by xauth - drop connection

Debugging does not show much info; only debug aaa common 50 shows some interesting data:

Back End response:
------------------
Tunnel Group Policy Status: 1 (ACCEPT)

AAA FSM: In AAA_NextFunction
AAA_NextFunction: i_fsm_state = IFSM_TUNN_GRP_POLICY, auth_status = ACCEPT
AAA_NextFunction: New i_fsm_state = IFSM_DONE,
AAA FSM: In AAA_ProcessFinal
AAA FSM: In AAA_Callback
user attributes:
  1     User-Name(1)     14    "DefaultRAGroup"
  2     User-Password(2)      0    0xB4FA69D3   ** Unresolved Attribute **

Please go ahead and enable the following command:

crypto isakmp nat-traversal

Try again.
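An added example, not from the thread or from Cisco, that scans ASA syslog for the combination visible in the first post: %ASA-7-710005 discards to UDP/4500 from a peer whose L2TP tunnel (603106/603107) is deleted seconds after creation, which is the symptom the accepted answer addresses with crypto isakmp nat-traversal. The correlation window and the sample lines are constructed for the example, and treating that pairing as "NAT-T likely disabled" is this example's own heuristic.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the thread's syslog (not the original log).
SAMPLE_LOG = """\
Feb 17 13:27:07 vpnasa1 : %ASA-7-710005: UDP request discarded from 193.193.193.193/4204 to outside:outside-interface/4500
Feb 17 13:27:07 vpnasa1 : %ASA-5-713120: Group = DefaultRAGroup, IP = 193.193.193.193, PHASE 2 COMPLETED (msgid=00000001)
Feb 17 13:27:08 vpnasa1 : %ASA-7-710005: UDP request discarded from 193.193.193.193/4204 to outside:outside-interface/1701
Feb 17 13:27:10 vpnasa1 : %ASA-6-603106: L2TP Tunnel created, tunnel_id is 50, remote_peer_ip is 193.193.193.193 ppp_virtual_interface_id is 1, client_dynamic_ip is 0.0.0.0 username is user1
Feb 17 13:27:10 vpnasa1 : %ASA-6-603107: L2TP Tunnel deleted, tunnel_id = 50, remote_peer_ip = 193.193.193.193
Feb 17 13:30:00 vpnasa1 : %ASA-6-603106: L2TP Tunnel created, tunnel_id is 51, remote_peer_ip is 10.9.9.9 ppp_virtual_interface_id is 2, client_dynamic_ip is 0.0.0.0 username is user2
"""

TS = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)")
DISCARD = re.compile(r"%ASA-\d-710005: UDP request discarded from ([\d.]+)/\d+ to \S+/(\d+)")
CREATED = re.compile(r"%ASA-\d-603106: L2TP Tunnel created, tunnel_id is (\d+), remote_peer_ip is ([\d.]+)")
DELETED = re.compile(r"%ASA-\d-603107: L2TP Tunnel deleted, tunnel_id = (\d+), remote_peer_ip = ([\d.]+)")


def _ts(line):
    """Parse the syslog timestamp; it has no year, so only same-day deltas are meaningful."""
    m = TS.match(line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S") if m else None


def find_natt_suspects(log_text, max_gap=10):
    """Return peers whose L2TP tunnel was torn down within max_gap seconds of
    creation after the ASA discarded their UDP/4500 (NAT-T) packets.
    Heuristic (this example's assumption): client behind NAT, NAT-T not enabled."""
    discarded = {}   # peer -> ordered list of discarded destination ports
    created = {}     # (peer, tunnel_id) -> creation time
    findings = []
    for line in log_text.splitlines():
        if m := DISCARD.search(line):
            ports = discarded.setdefault(m.group(1), [])
            if int(m.group(2)) not in ports:
                ports.append(int(m.group(2)))
        elif m := CREATED.search(line):
            created[(m.group(2), m.group(1))] = _ts(line)
        elif m := DELETED.search(line):
            key = (m.group(2), m.group(1))
            t0 = created.pop(key, None)
            alive = (_ts(line) - t0).total_seconds() if t0 else None
            ports = discarded.get(key[0], [])
            if alive is not None and alive <= max_gap and 4500 in ports:
                findings.append({"peer": key[0], "tunnel_id": key[1],
                                 "seconds_alive": alive, "discarded_ports": ports})
    return findings
```

Run it over a longer export with `find_natt_suspects(open("asa.log").read())`; a peer that only shows 603106/603107 churn without the 4500 discards is not reported, which keeps the check from firing on ordinary PPP authentication failures.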
