L2TP over IPsec with MS client doesn't work

thorstenn
Level 4

Hi, I've a problem with initiating an L2TP session over IPsec from a Windows client.

Here is the tunnel I've created:

ciscoasa(config)# crypto ipsec transform-set l2tp_transform esp-3des
ciscoasa(config)# crypto ipsec transform-set l2tp_transform mode transport
ciscoasa(config)# group-policy l2tp_policy internal
ciscoasa(config)# group-policy l2tp_policy attributes
ciscoasa(config-group-policy)# vpn-tunnel-protocol l2tp-ipsec
ciscoasa(config-group-policy)# tunnel-group l2tp_tunnel type ipsec-ra
ciscoasa(config)# tunnel-group l2tp_tunnel general-attributes
ciscoasa(config-tunnel-general)# default-group-policy l2tp_policy
ciscoasa(config-tunnel-general)# authentication-server-group LOCAL
ciscoasa(config-tunnel-general)# address-pool testpool
ciscoasa(config)# tunnel-group l2tp_tunnel ppp-attributes
ciscoasa(config-ppp)# authentication ms-chap-v2
ciscoasa(config)# l2tp tunnel hello 100
ciscoasa(config)# tunnel-group l2tp_tunnel ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key XXXXXXXX

I've created a new user and assigned the "l2tp_policy".

Here is the log when the user tries to connect via the MS client with L2TP over IPsec:

5|Mar 18 2010|13:56:12|713904|||||IP = 10.10.10.50, Received encrypted packet with no matching SA, dropping
5|Mar 18 2010|13:55:56|713904|||||IP = 10.10.10.50, Received encrypted packet with no matching SA, dropping
6|Mar 18 2010|13:55:48|713905|||||Group = DefaultL2LGroup, IP = 10.10.10.50, P1 Retransmit msg dispatched to MM FSM
5|Mar 18 2010|13:55:48|713201|||||Group = DefaultL2LGroup, IP = 10.10.10.50, Duplicate Phase 1 packet detected.  Retransmitting last packet.
6|Mar 18 2010|13:55:44|713905|||||Group = DefaultL2LGroup, IP = 10.10.10.50, P1 Retransmit msg dispatched to MM FSM
5|Mar 18 2010|13:55:44|713201|||||Group = DefaultL2LGroup, IP = 10.10.10.50, Duplicate Phase 1 packet detected.  Retransmitting last packet.
6|Mar 18 2010|13:55:42|713905|||||Group = DefaultL2LGroup, IP = 10.10.10.50, P1 Retransmit msg dispatched to MM FSM
5|Mar 18 2010|13:55:42|713201|||||Group = DefaultL2LGroup, IP = 10.10.10.50, Duplicate Phase 1 packet detected.  Retransmitting last packet.
4|Mar 18 2010|13:55:41|713903|||||Group = DefaultL2LGroup, IP = 10.10.10.50, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key.  Aborting
6|Mar 18 2010|13:55:41|713905|||||Group = DefaultRAGroup, IP = 10.10.10.50, WARNING, had problems decrypting packet, probably due to mismatched pre-shared key.  Switching user to tunnel-group: DefaultL2LGroup
5|Mar 18 2010|13:55:41|713904|||||Group = DefaultRAGroup, IP = 10.10.10.50, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 1
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 1
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 1
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 1
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
6|Mar 18 2010|13:55:41|302015|10.10.10.50|500|10.10.10.1|500|Built inbound UDP connection 247 for outside:10.10.10.50/500 (10.10.10.50/500) to identity:10.10.10.1/500 (10.10.10.1/500)

Why does the connection use DefaultRAGroup and not the l2tp_tunnel I've created? I think I missed something important.


thorstenn
Level 4

OK, phase 1 completed successfully but phase 2 has a problem:

4|Mar 18 2010|15:48:52|113019|||||Group = DefaultRAGroup, Username = , IP = 10.10.10.50, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
5|Mar 18 2010|15:48:52|713259|||||Group = DefaultRAGroup, IP = 10.10.10.50, Session is being torn down. Reason: Phase 2 Mismatch
3|Mar 18 2010|15:48:52|713902|||||Group = DefaultRAGroup, IP = 10.10.10.50, Removing peer from correlator table failed, no match!
3|Mar 18 2010|15:48:52|713902|||||Group = DefaultRAGroup, IP = 10.10.10.50, QM FSM error (P2 struct &0x744062b0, mess id 0xe11cb94c)!
5|Mar 18 2010|15:48:52|713904|||||Group = DefaultRAGroup, IP = 10.10.10.50, All IPSec SA proposals found unacceptable!
5|Mar 18 2010|15:48:52|713257|||||Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: Transport  Cfg'd: Tunnel
5|Mar 18 2010|15:48:52|713257|||||Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: Transport  Cfg'd: Tunnel
5|Mar 18 2010|15:48:52|713257|||||Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: Transport  Cfg'd: Tunnel
5|Mar 18 2010|15:48:52|713257|||||Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: Transport  Cfg'd: Tunnel
5|Mar 18 2010|15:48:52|713257|||||Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: Transport  Cfg'd: Tunnel
5|Mar 18 2010|15:48:52|713257|||||Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: Transport  Cfg'd: Tunnel
5|Mar 18 2010|15:48:52|713257|||||Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: Transport  Cfg'd: Tunnel
5|Mar 18 2010|15:48:52|713257|||||Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: Transport  Cfg'd: Tunnel
3|Mar 18 2010|15:48:52|713122|||||IP = 10.10.10.50, Keep-alives configured on but peer does not support keep-alives (type = None)
5|Mar 18 2010|15:48:52|713119|||||Group = DefaultRAGroup, IP = 10.10.10.50, PHASE 1 COMPLETED
6|Mar 18 2010|15:48:52|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = DefaultRAGroup
6|Mar 18 2010|15:48:52|713172|||||Group = DefaultRAGroup, IP = 10.10.10.50, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 1
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 1
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 2  Cfg'd: Group 1
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 1
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 1
5|Mar 18 2010|15:48:52|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2

Any suggestions ?
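As an added example (not part of this thread), a small Python parser for the pipe-delimited ASA syslog export shown in the posts above: it counts the 713257 "Mismatched attribute types" lines per phase and class, collects the tunnel-group names the peer landed in, and counts 713903 pre-shared-key decrypt errors; the sample lines are constructed in the same format. A run of Phase 1 Group Description mismatches is the ASA comparing each proposal the client offers (the second log shows PHASE 1 COMPLETED right after them), so the summary separates that noise from the class that actually blocked negotiation, here the Phase 2 Encapsulation Mode.

```python
import re
from collections import Counter

# Constructed sample lines in the export format used in the thread:
# severity|date|time|message-id|src|sport|dst|dport|text (addresses are made up).
SAMPLE_LOG = """\
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
5|Mar 18 2010|13:55:41|713257|||||Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
4|Mar 18 2010|13:55:41|713903|||||Group = DefaultL2LGroup, IP = 10.10.10.50, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key.  Aborting
5|Mar 18 2010|15:48:52|713257|||||Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: Transport  Cfg'd: Tunnel
5|Mar 18 2010|15:48:52|713119|||||Group = DefaultRAGroup, IP = 10.10.10.50, PHASE 1 COMPLETED
"""

# Message 713257 text: "Phase N failure:  Mismatched attribute types for class X:  Rcv'd: A  Cfg'd: B"
MISMATCH_RE = re.compile(
    r"Phase (?P<phase>[12]) failure:\s+Mismatched attribute types for class "
    r"(?P<cls>[^:]+):\s+Rcv'd: (?P<rcvd>.+?)\s+Cfg'd: (?P<cfgd>.+)$"
)
GROUP_RE = re.compile(r"Group = (?P<group>[^,]+)")


def parse_line(line):
    """Split one exported line into its nine fields; return None if it is not in that format."""
    parts = line.rstrip("\n").split("|", 8)  # maxsplit keeps any '|' inside the message text
    if len(parts) != 9:
        return None
    return {"severity": int(parts[0]), "msgid": parts[3], "text": parts[8]}


def summarize(log_text):
    """Count each (phase, class, received, configured) mismatch, tunnel-groups seen, and PSK decrypt errors."""
    mismatches = Counter()
    groups = set()
    psk_errors = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        g = GROUP_RE.search(rec["text"])
        if g:
            groups.add(g.group("group").strip())
        if rec["msgid"] == "713257":
            m = MISMATCH_RE.search(rec["text"])
            if m:
                key = (m["phase"], m["cls"].strip(), m["rcvd"].strip(), m["cfgd"].strip())
                mismatches[key] += 1
        elif rec["msgid"] == "713903":  # decrypt failure, usually a wrong pre-shared key or wrong tunnel-group
            psk_errors += 1
    return {"mismatches": dict(mismatches), "groups": sorted(groups), "psk_errors": psk_errors}
```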

I have had and still have the same problem. There is some good advice here.

https://supportforums.cisco.com/message/3025667;jsessionid=3B3CC0AEAABEEF18F6620BD0E528E093.node0

That would get you through phases 1 and 2. Unfortunately I'm still not getting it to work properly even so, but at least I'm a little closer now than I was last week.

/Måns

Seems to be a mismatch on the IPsec encapsulation mode, i.e. configured as tunnel mode, but the client sends transport mode.

Can you please share the latest configuration. Thanks.

It's now working for me but I can only connect with one user. If I try to connect with another user with the same policy, I see this in the log:

AAA user authentication Rejected : reason = Invalid password : local database: user = testing2

But the user exists and I have reset the password many times. Why is user "testing" working and user "testing2" not? Need urgent help, I'm running out of time.

Which part of the config do you need? I'll post it quickly.

Thanks and regards

Delete the entire user "Testing2" and recreate it. Then try again.

If that doesn't work, check to see if the user is in the right place, has the right level of access etc.

HTH,

Stan

1) sh run all tunnel-group

2) sh run all group-policy

3) Once you are connected with 1 user, grab: "show vpn-sessiondb remote filter name testing"

4) Assuming it's local database: sh run username

Thanks.

With the users it's working now. I forgot to set nt-encrypted when creating the user.

But I have more VPN policies with different IP ranges. At the moment I'm only able to connect to one connection profile. If I want to test another profile it's not working. See attached logs.

I have one transform set, is that right?

See all the logs you want attached. Also crypto.

and here

OK, strange. If I create a new L2TP tunnel with the ASDM wizard with a new policy and a new user, then the connection works fine. But the connection I created before does not work anymore.

Only the new connection I have created is working, and the other connections show me the "Duplicate Phase 1 packet detected.  Retransmitting last packet." message.

What is this?

I don't think you can configure a different tunnel-group for different L2TP over IPSec groups, as you can't specify the group name on the L2TP over IPSec client to connect to a particular group; therefore, you will always be connecting to the default group: DefaultRAGroup.

As you can see from the "sh vpn-sessiondb remote filter name Cust10003_1" that you have obtained, the tunnel-group that it falls into is "DefaultRAGroup", and when you created it through the ASDM wizard, it asked you to create a group-policy, therefore it is assigned to group-policy "Cust10003_tunnel" (the last one that you created).

If you look back at the tunnel-group configuration that you had before you created the L2TP over IPSec via the ASDM wizard, the default group-policy assignment for the default tunnel-group "DefaultRAGroup" is set to the default group-policy "DfltGrpPolicy".

As per the following sample configuration, you can only use the default tunnel-group for L2TP over IPSec VPN:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml

OK, I have now assigned one connection profile for L2TP connections and assigned different group policies with other IP pools to the users, and that's working.

If I now want to use the Cisco VPN client, do I need to create another connection profile, or what is the right way?

With Cisco IPSec VPN Client, you can be specific with the tunnel-group and group-policy because the client uses group name to connect and the group name is the tunnel-group that you create on the ASA.

OK, now the ASA is live. Everything is working fine, only L2TP does not work. Phase 1 completed and then I got this:

Group = DefaultRAGroup, IP = , Session is being torn down. Reason: crypto map policy not found

I can't find the issue :-( Cisco VPN Client is working fine. IPsec tunnel also, only L2TP.... help

Within the crypto map configuration, do you have 2 dynamic maps configured? One with tunnel mode for the IPSEC client, and another one with transport mode for the L2TP over IPSEC?
