Problems getting L2TP over IPSec on IOS

Unanswered Question
May 21st, 2010

Hi,

We would like to enable remote Windows XP clients to connect to the corporate network without installing a VPN client. We are trying to achieve this by using L2TP/IPSec provided by Microsoft Dial-Up Networking. We want IPSec (3DES) to be authenticated by certificates and PPP clients authenticated by RADIUS (AD) using MS-CHAP.

We have a 39xx router with the Security license as the production router; however, we are currently performing the investigation in a lab environment with Cisco IOS Software, C890 Software (C890-UNIVERSALK9-M), Version 12.4(22)YB, RELEASE SOFTWARE (fc2) (License Level: advipservices, Type: Permanent). The rest of the environment includes 2 AD controllers (used for RADIUS) and an OpenSSL CA.

So far we have succeeded in establishing unsecured PPP connections (with the "ProhibitIpSec = 1" registry fix on the client side) over L2TP tunnels using MS-CHAP authentication in AD. After enabling IPSec ("ProhibitIpSec = 0") on the client, the L2TP tunnel failed to establish over the existing ISAKMP SA.

Here's the config we're trying to get to work:

Current configuration : 18419 bytes
!
! Last configuration change at 06:48:25 UTC Fri May 21 2010 by me
!

aaa group server radius COMPANY
server IP1 auth-port 1645 acct-port 1646
server IP2 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login RADIUS-COMPANY group COMPANY
aaa authentication ppp RADIUS-COMPANY group COMPANY local
aaa authorization network LOCAL-AUTHORIZATION local
!
!
aaa session-id common
!
crypto pki trustpoint OPENSSL
enrollment terminal pem
usage ike
serial-number
revocation-check none
rsakeypair OPENSSL 1024
match certificate OPENSSL-CA
authorization username subjectname commonname
!
!
crypto pki certificate map OPENSSL-CA 10
subject-name co o = my company
!
crypto pki certificate chain OPENSSL
certificate 0...C
  30820234 ...
  ... B13D150E
        quit
certificate ca 0...6
  30820288 ...
  ... 059497B8
        quit
!
!
ip cef
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group L2TP-VPN
accept-dialin
  protocol l2tp
  virtual-template 1
source-ip 10.22.254.254
no l2tp tunnel authentication
!
!
crypto isakmp policy 1
encr 3des
group 2
lifetime 3600
!
crypto isakmp client configuration group COMPANY-EMPLOYEES
dns IP3
domain mycompany.com
acl VPN-ROUTES
include-local-lan
!
crypto isakmp profile COMPANY-EMPLOYEES-VPN
   match identity group COMPANY-EMPLOYEES
   client authentication list RADIUS-COMPANY
   isakmp authorization list LOCAL-AUTHORIZATION
   client configuration address respond
!
!
crypto ipsec transform-set L2TP-IPSEC-TRANSFORM esp-3des esp-md5-hmac
mode transport
!
!
crypto ipsec profile L2TP-IPSEC
set transform-set L2TP-IPSEC-TRANSFORM
!
!
crypto dynamic-map VPN-DYNAMIC 10
set nat demux
set transform-set L2TP-IPSEC-TRANSFORM
!
!
crypto map VPN 10 ipsec-isakmp dynamic VPN-DYNAMIC
!
!
interface Loopback0
ip address 12.0.0.8 255.255.255.255
!
!
interface Virtual-Template1
ip unnumbered Loopback0
peer default ip address pool L2TP-IP-POOL
ppp mtu adaptive
ppp authentication ms-chap ms-chap-v2 eap RADIUS-COMPANY
!
interface GigabitEthernet0
ip address 10.22.254.254 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
!
ip local pool L2TP-IP-POOL 10.200.0.2 10.200.0.254
!
ip access-list extended VPN-ROUTES
permit ip any 10.100.100.0 0.0.0.255
!
radius-server host IP1 auth-port 1645 acct-port 1646 key 7 1...7
radius-server host IP2 auth-port 1645 acct-port 1646 key 7 0...C
end
Debug params:
General OS:
  AAA Authentication debugging is on
  AAA Authorization debugging is on
  AAA Local debugs debugging is on
  AAA Radius debugs debugging is on
L2TP:
  L2TP packet events debugging is on
  L2TP packet errors debugging is on
  L2TP errors debugging is on
  L2TP events debugging is on
  L2TP L2TUN socket API debugging is on
PPP:
  PPP authentication debugging is on
  PPP protocol negotiation debugging is on
  PPP packet display debugging is on
  PPP forwarding events debugging is on
VPN:
  L2TP/PPTP protocol events debugging is on
  L2TP/PPTP data packet debugging is on
  L2TP/PPTP control packet debugging is on
  L2TP/PPTP protocol errors debugging is on
  VPDN call event debugging is on
  VPDN call FSM debugging is on
  VPDN message debugging is on
  VPDN events debugging is on
  VPDN errors debugging is on
  VPDN packet debugging is on
  VPDN group select details debugging is on

Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto IPSEC debugging is on
Here's what we get in the output when trying to establish L2TP over IPSec (full log in the attachment):
[skip]
034919: May 21 09:13:36.528 UTC: ISAKMP:(2035):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
034920: May 21 09:13:36.528 UTC: IPSEC(key_engine): got a queue event with 1 KMI message(s)
034921: May 21 09:13:36.528 UTC: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
034922: May 21 09:13:36.528 UTC: IPSEC(key_engine_enable_outbound): enable SA with spi 2585178204/50
034923: May 21 09:13:36.532 UTC: IPSEC(update_current_outbound_sa): updated peer IP4 current outbound sa to SPI 9A16B05C
034924: May 21 09:13:36.532 UTC: L2X:Punting to L2TP control message queue
034925: May 21 09:13:36.532 UTC: L2X:PROCESS From tunnel: Received 149 byte pak
034926: May 21 09:13:36.532 UTC: L2X:PROCESS From tunnel: Pak consumed
034927: May 21 09:13:36.532 UTC: L2TP       _____:________: L2TP: Parse IETF AVP 2, len 8, flag 0x8000 (M)
034928: May 21 09:13:36.532 UTC: L2TP       _____:________: L2TP: Parse IETF AVP 3, len 10, flag 0x8000 (M)
034929: May 21 09:13:36.532 UTC: L2TP       _____:________: L2TP: Parse IETF AVP 4, len 10, flag 0x8000 (M)
034930: May 21 09:13:36.532 UTC: L2TP       _____:________: L2TP: Parse IETF AVP 6, len 8, flag 0x0
034931: May 21 09:13:36.532 UTC: L2TP       _____:________: L2TP: Parse IETF AVP 7, len 34, flag 0x8000 (M)
034932: May 21 09:13:36.532 UTC: L2TP       _____:________: L2TP: Parse IETF AVP 8, len 15, flag 0x0
034933: May 21 09:13:36.532 UTC: L2TP       _____:________: L2TP: Parse IETF AVP 9, len 8, flag 0x8000 (M)
034934: May 21 09:13:36.532 UTC: L2TP       _____:________: L2TP: Parse IETF AVP 10, len 8, flag 0x8000 (M)
034935: May 21 09:13:36.532 UTC: L2TP       _____:________: No missing AVPs in SCCRQ
034936: May 21 09:13:36.532 UTC: L2TP       _____:________:
034937: May 21 09:13:36.532 UTC: L2TP       _____:________: I SCCRQ, flg TLS, ver 2, len 121
034938: May 21 09:13:36.532 UTC: L2TP       _____:________:   tnl 0, ns 0, nr 0
034939: May 21 09:13:36.532 UTC: L2TP       _____:________:  IETF v2:
034940: May 21 09:13:36.532 UTC: L2TP       _____:________:   Protocol Version  1, Revision 0
034941: May 21 09:13:36.532 UTC: L2TP       _____:________:   Framing Cap       sync(0x1)
034942: May 21 09:13:36.532 UTC: L2TP       _____:________:   Bearer Cap        none(0x0)
034943: May 21 09:13:36.532 UTC: L2TP       _____:________:   Firmware Ver      0x500
034944: May 21 09:13:36.532 UTC: L2TP       _____:________:   Hostname          "workstation-8.office.mycompany.com"
034945: May 21 09:13:36.532 UTC: L2TP       _____:________:   Vendor Name
034946: May 21 09:13:36.532 UTC: L2TP       _____:________:     "Microsoft"
034947: May 21 09:13:36.532 UTC: L2TP       _____:________:   Assigned Tunnel I 1
034948: May 21 09:13:36.532 UTC: L2TP       _____:________:   Rx Window Size    8
034949: May 21 09:13:36.536 UTC: L2TP       _____:________:
contiguous pak, size 121
         C8 02 00 79 00 00 00 00 00 00 00 00 80 08 00 00
         00 00 00 01 80 08 00 00 00 02 01 00 80 0A 00 00
         00 03 00 00 00 01 80 0A 00 00 00 04 00 00 00 00
         00 08 00 00 00 06 05 00 80 22 00 00 00 07 77 6F
         72 6B 73 74 61 74 69 6F 6E 2D 38 2E 6F 66 66 69
         63 65 2E 63 74 63 6F 2E 6C 76 00 0F 00 00 00 08
         4D 69 63 72 6F 73 6F 66 74 80 08 00 00 00 09 00
         01 80 08 00 00 00 0A 00 08
034950: May 21 09:13:36.536 UTC: L2X  tnl   01055:________: Create logical tunnel
034951: May 21 09:13:36.536 UTC: L2TP tnl   01055:________: Create tunnel
034952: May 21 09:13:36.536 UTC: L2TP tnl   01055:________:     version set to V2
034953: May 21 09:13:36.536 UTC: L2TP tnl   01055:________:     remote ip set to IP4
034954: May 21 09:13:36.536 UTC: L2TP tnl   01055:________:     local ip set to 10.22.254.254
034955: May 21 09:13:36.536 UTC: L2TP tnl   01055:0000D7D2: FSM-CC ev Rx-SCCRQ
034956: May 21 09:13:36.536 UTC: L2TP tnl   01055:0000D7D2: FSM-CC    Idle->Proc-SCCRQ
034957: May 21 09:13:36.536 UTC: L2TP tnl   01055:0000D7D2: FSM-CC do Rx-SCCRQ
034958: May 21 09:13:36.536 UTC: AAA/AUTHOR (0x0): Pick method list 'local-list'
034959: May 21 09:13:36.536 UTC: L2X        _____:________: Tunnel author started for workstation-8.office.mycompany.com
034960: May 21 09:13:36.536 UTC: AAA/LOCAL/AUTHEN: starting
034961: May 21 09:13:36.536 UTC: AAA/LOCAL/AUTHEN(0): authorizing 0#10.22.254.254#workstation-8.office.mycompany.com for service
034962: May 21 09:13:36.536 UTC: VPDN: local aaa authorization: vpn_key = 0#10.22.254.254#workstation-8.office.mycompany.com
034963: May 21 09:13:36.536 UTC: VPDN: Extract keys from string: hostname = workstation-8.office.mycompany.com, ip_tableid = 0, ip_addrses_string = 10.22.254.254
034964: May 21 09:13:36.536 UTC: VPDN: Group-Select: hostname = workstation-8.office.mycompany.com, tableid = 0, source_ip = 10.22.254.254
034965: May 21 09:13:36.536 UTC: VPDN: Group-Select: direction = unknown, protocol = l2tp
034966: May 21 09:13:36.536 UTC: VPDN: Group-Select: group_name = L2TP-VPN, weight = 6
034967: May 21 09:13:36.536 UTC: L2X        _____:________: Tunnel author found
034968: May 21 09:13:36.536 UTC: L2TP tnl   01055:0000D7D2: Author reply, data source: "L2TP-VPN"
034969: May 21 09:13:36.536 UTC: L2X        _____:________: class [AAA author, group "L2TP-VPN"]
034970: May 21 09:13:36.536 UTC: L2X        _____:________:   created
034971: May 21 09:13:36.536 UTC: L2X        _____:________: class [AAA author, group "L2TP-VPN"]
034972: May 21 09:13:36.536 UTC: L2X        _____:________:   App locked 0->1
034973: May 21 09:13:36.540 UTC: L2X        _____:________: class [AAA author, group "L2TP-VPN"]
034974: May 21 09:13:36.540 UTC: L2X        _____:________:   Protocol locked 0->1
034975: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2:     class name AAA author, group "L2TP-VPN"
034976: May 21 09:13:36.540 UTC: L2X        _____:________: class [AAA author, group "L2TP-VPN"]
034977: May 21 09:13:36.540 UTC: L2X        _____:________:   App unlocked 1->0
034978: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2:     peer cap sync set
034979: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2: FSM-CC ev SCCRQ-OK
034980: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2: FSM-CC    Proc-SCCRQ->Wt-SCCCN
034981: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2: FSM-CC do Tx-SCCRP
034982: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2: Open sock 10.22.254.254:1701->IP4:1701
034983: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2: FSM-CC ev Sock-Ready
034984: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2: FSM-CC    in Wt-SCCCN
034985: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2: FSM-CC do Ignore-Sock-Up
034986: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2: Auth glob Overall Ignored, 153
034987: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2: Control connection authentication skipped/passed.
034988: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2:
034989: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2: O SCCRP to workstation-8.office.mycompany.com tnl 1
034990: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2:  IETF v2:
034991: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2:   Protocol Version  1, Revision 0
034992: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2:   Framing Cap       none(0x0)
034993: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2:   Firmware Ver      0x1130
034994: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2:   Hostname          "testlab-gw"
034995: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2:   Vendor Name
034996: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2:     "Cisco Systems, Inc."
034997: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2:   Assigned Tunnel I 55250
034998: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2:   Rx Window Size    512
034999: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2:  Cisco v2:
035000: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2:   PPPoE Relay Forward Capable
035001: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2:   PPPoE Relay Response Capable
035002: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2:
035003: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2: O SCCRP, flg TLS, ver 2, len 115
035004: May 21 09:13:36.540 UTC: L2TP tnl   01055:0000D7D2:   tnl 1, ns 0, nr 1
         C8 02 00 73 00 01 00 00 00 00 00 01 80 08 00 00
         00 00 00 02 80 08 00 00 00 02 01 00 80 0A 00 00
         00 03 00 00 00 00 00 08 00 00 00 06 11 30 80 10
         00 00 00 07 74 65 73 74 6C 61 62 2D 67 77 00 19
         00 00 00 08 43 69 73 63 6F 20 53 79 73 74 65 6D
         73 2C 20 49 6E 63 2E 80 08 00 00 00 09 D7 D2 80
         08 00 00 00 0A 02 00 00 06 00 09 00 6E 00 06 00
         09 00 6F
035005: May 21 09:13:36.544 UTC: L2TP tnl   01055:0000D7D2: Control channel retransmit set to 1 sec
035006: May 21 09:13:37.520 UTC: L2X:Punting to L2TP control message queue
035007: May 21 09:13:37.520 UTC: L2X:PROCESS From tunnel: Received 149 byte pak
035008: May 21 09:13:37.520 UTC: L2X:PROCESS From tunnel: Pak consumed
035009: May 21 09:13:37.520 UTC: L2TP       _____:________: L2TP: Parse IETF AVP 2, len 8, flag 0x8000 (M)
035010: May 21 09:13:37.520 UTC: L2TP       _____:________: L2TP: Parse IETF AVP 3, len 10, flag 0x8000 (M)
035011: May 21 09:13:37.520 UTC: L2TP       _____:________: L2TP: Parse IETF AVP 4, len 10, flag 0x8000 (M)
035012: May 21 09:13:37.524 UTC: L2TP       _____:________: L2TP: Parse IETF AVP 6, len 8, flag 0x0
035013: May 21 09:13:37.524 UTC: L2TP       _____:________: L2TP: Parse IETF AVP 7, len 34, flag 0x8000 (M)
035014: May 21 09:13:37.524 UTC: L2TP       _____:________: L2TP: Parse IETF AVP 8, len 15, flag 0x0
035015: May 21 09:13:37.524 UTC: L2TP       _____:________: L2TP: Parse IETF AVP 9, len 8, flag 0x8000 (M)
035016: May 21 09:13:37.524 UTC: L2TP       _____:________: L2TP: Parse IETF AVP 10, len 8, flag 0x8000 (M)
035017: May 21 09:13:37.524 UTC: L2TP       _____:________: No missing AVPs in SCCRQ
035018: May 21 09:13:37.524 UTC: L2TP       _____:________:
035019: May 21 09:13:37.524 UTC: L2TP       _____:________: I SCCRQ, flg TLS, ver 2, len 121
035020: May 21 09:13:37.524 UTC: L2TP       _____:________:   tnl 0, ns 0, nr 0
035021: May 21 09:13:37.524 UTC: L2TP       _____:________:  IETF v2:
035022: May 21 09:13:37.524 UTC: L2TP       _____:________:   Protocol Version  1, Revision 0
035023: May 21 09:13:37.524 UTC: L2TP       _____:________:   Framing Cap       sync(0x1)
035024: May 21 09:13:37.524 UTC: L2TP       _____:________:   Bearer Cap        none(0x0)
035025: May 21 09:13:37.524 UTC: L2TP       _____:________:   Firmware Ver      0x500
035026: May 21 09:13:37.524 UTC: L2TP       _____:________:   Hostname          "workstation-8.office.mycompany.com"
035027: May 21 09:13:37.524 UTC: L2TP       _____:________:   Vendor Name
035028: May 21 09:13:37.524 UTC: L2TP       _____:________:     "Microsoft"
035029: May 21 09:13:37.524 UTC: L2TP       _____:________:   Assigned Tunnel I 1
035030: May 21 09:13:37.524 UTC: L2TP       _____:________:   Rx Window Size    8
035031: May 21 09:13:37.524 UTC: L2TP       _____:________:
contiguous pak, size 121
         C8 02 00 79 00 00 00 00 00 00 00 00 80 08 00 00
         00 00 00 01 80 08 00 00 00 02 01 00 80 0A 00 00
         00 03 00 00 00 01 80 0A 00 00 00 04 00 00 00 00
         00 08 00 00 00 06 05 00 80 22 00 00 00 07 77 6F
         72 6B 73 74 61 74 69 6F 6E 2D 38 2E 6F 66 66 69
         63 65 2E 63 74 63 6F 2E 6C 76 00 0F 00 00 00 08
         4D 69 63 72 6F 73 6F 66 74 80 08 00 00 00 09 00
         01 80 08 00 00 00 0A 00 08
035032: May 21 09:13:37.524 UTC: L2TP tnl   01055:0000D7D2: Tunnel exists, must be a duplicate SCCRQ
035033: May 21 09:13:37.524 UTC: L2TP       _____:________: SCCRQ: processing failed
035034: May 21 09:13:37.524 UTC: L2TP       _____:________: SCCRQ: dropping packet
[skip]
It looks like IOS is waiting here for an SCCCN from the client but times out at this point. Any help would be appreciated.
The following guides have been used during the investigation:
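The three control messages in the debug output above (the client's SCCRQ, the router's SCCRP, then the identical SCCRQ again one second later) can be checked mechanically rather than by eye. The Python script below is an added example and is not part of the original post or of Cisco IOS. It rebuilds the two messages from the AVP values the debug output lists (constructed samples, not the router's own hex; the SCCRQ uses the hostname shown in the decoded output, so its length differs from the logged 121 bytes, while the SCCRP comes out at the logged 115), parses them per RFC 2661, performs the same mandatory-AVP check behind the router's "No missing AVPs in SCCRQ" line, and flags the repeated SCCRQ as a retransmission. All function names are my own.

```python
"""Decode L2TPv2 control messages (RFC 2661) and detect a retransmitted SCCRQ.

Added example. The sample packets are constructed from the AVPs the
debug output lists; they are not the router's own hex dumps.
"""
import struct

# IETF AVP attribute types seen during control-connection setup (RFC 2661, section 4.4)
AVP_MSG_TYPE, AVP_PROTO_VER, AVP_FRAMING, AVP_BEARER, AVP_FIRMWARE = 0, 2, 3, 4, 6
AVP_HOSTNAME, AVP_VENDOR, AVP_TUNNEL_ID, AVP_RX_WINDOW = 7, 8, 9, 10

MSG_NAMES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO"}
# AVPs that RFC 2661 (sections 6.1 to 6.3) says MUST be present, by message type
REQUIRED = {
    1: {AVP_MSG_TYPE, AVP_PROTO_VER, AVP_FRAMING, AVP_HOSTNAME, AVP_TUNNEL_ID},
    2: {AVP_MSG_TYPE, AVP_PROTO_VER, AVP_FRAMING, AVP_HOSTNAME, AVP_TUNNEL_ID},
    3: {AVP_MSG_TYPE},
}


def be16(value):
    return struct.pack("!H", value)


def build_avp(attr, value, mandatory=True, vendor=0):
    """AVP header: M bit, H bit (unused here), 10-bit length including the 6-byte header."""
    length = 6 + len(value)
    return struct.pack("!HHH", (0x8000 if mandatory else 0) | length, vendor, attr) + value


def build_control(tunnel_id, ns, nr, avps):
    """Control header with T, L and S bits set and version 2 (0xC802, as in the router's dump)."""
    body = b"".join(avps)
    return struct.pack("!HHHHHH", 0xC802, 12 + len(body), tunnel_id, 0, ns, nr) + body


def parse_control(pkt):
    """Return header fields plus IETF AVPs keyed by type; reject malformed or hidden AVPs."""
    flags, length, tunnel_id, _session_id, ns, nr = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("T bit clear: this is a data message, not a control message")
    if (flags & 0x000F) != 2:
        raise ValueError("L2TP version %d not supported" % (flags & 0x000F))
    if not flags & 0x4000 or length != len(pkt):
        raise ValueError("length field missing or does not match packet size")
    avps, vendor_avps, off = {}, [], 12
    while off < length:
        aflags, vendor, attr = struct.unpack("!HHH", pkt[off:off + 6])
        alen = aflags & 0x03FF
        if alen < 6 or off + alen > length:
            raise ValueError("AVP length out of range at offset %d" % off)
        if aflags & 0x4000:
            raise ValueError("hidden AVP, but no tunnel secret is configured to unhide it")
        value = pkt[off + 6:off + alen]
        if vendor == 0:
            avps[attr] = value
        elif aflags & 0x8000:
            raise ValueError("unknown mandatory vendor AVP %d/%d" % (vendor, attr))
        else:
            vendor_avps.append((vendor, attr, value))  # e.g. the Cisco (vendor 9) capability AVPs
        off += alen
    return {"tunnel_id": tunnel_id, "ns": ns, "nr": nr, "avps": avps, "vendor_avps": vendor_avps}


def message_type(msg):
    return struct.unpack("!H", msg["avps"][AVP_MSG_TYPE])[0]


def missing_avps(msg):
    """Mandatory AVPs absent from the message (empty list == the router's 'No missing AVPs')."""
    return sorted(REQUIRED.get(message_type(msg), {AVP_MSG_TYPE}) - set(msg["avps"]))


def summarize(msg):
    a = msg["avps"]
    u16 = lambda t: struct.unpack("!H", a[t])[0] if t in a else None
    return {"type": MSG_NAMES.get(message_type(msg), "type %d" % message_type(msg)),
            "hostname": a.get(AVP_HOSTNAME, b"").decode("ascii", "replace"),
            "vendor": a.get(AVP_VENDOR, b"").decode("ascii", "replace"),
            "assigned_tunnel_id": u16(AVP_TUNNEL_ID), "rx_window": u16(AVP_RX_WINDOW)}


def diagnose(received):
    """Walk the peer's control messages in arrival order and report what the sequence tells us."""
    findings, prev = [], None
    for pkt in received:
        msg = parse_control(pkt)
        name = summarize(msg)["type"]
        if missing_avps(msg):
            findings.append("%s missing mandatory AVPs %s" % (name, missing_avps(msg)))
        # Same sequence numbers and AVPs again: a retransmission. Nr still 0 means the peer
        # never received our SCCRP (Ns 0), so the reply path, not the request path, is suspect.
        same = prev and (prev["ns"], prev["nr"], prev["avps"]) == (msg["ns"], msg["nr"], msg["avps"])
        if same and name == "SCCRQ":
            findings.append("duplicate SCCRQ with Nr=%d: peer has not acknowledged our SCCRP" % msg["nr"])
        prev = msg
    return findings


# Constructed sample: the Windows client's SCCRQ as the debug output decodes it (tunnel 0, Ns 0, Nr 0)
CLIENT_SCCRQ = build_control(0, 0, 0, [
    build_avp(AVP_MSG_TYPE, be16(1)), build_avp(AVP_PROTO_VER, b"\x01\x00"),
    build_avp(AVP_FRAMING, struct.pack("!I", 1)), build_avp(AVP_BEARER, struct.pack("!I", 0)),
    build_avp(AVP_FIRMWARE, be16(0x500), mandatory=False),
    build_avp(AVP_HOSTNAME, b"workstation-8.office.mycompany.com"),
    build_avp(AVP_VENDOR, b"Microsoft", mandatory=False),
    build_avp(AVP_TUNNEL_ID, be16(1)), build_avp(AVP_RX_WINDOW, be16(8)),
])
# Constructed sample: the router's SCCRP (tunnel 1, Ns 0, Nr 1) with its two Cisco vendor AVPs
GATEWAY_SCCRP = build_control(1, 0, 1, [
    build_avp(AVP_MSG_TYPE, be16(2)), build_avp(AVP_PROTO_VER, b"\x01\x00"),
    build_avp(AVP_FRAMING, struct.pack("!I", 0)), build_avp(AVP_FIRMWARE, be16(0x1130), mandatory=False),
    build_avp(AVP_HOSTNAME, b"testlab-gw"), build_avp(AVP_VENDOR, b"Cisco Systems, Inc.", mandatory=False),
    build_avp(AVP_TUNNEL_ID, be16(55250)), build_avp(AVP_RX_WINDOW, be16(512)),
    build_avp(0x6E, b"", mandatory=False, vendor=9), build_avp(0x6F, b"", mandatory=False, vendor=9),
])

if __name__ == "__main__":
    print(summarize(parse_control(CLIENT_SCCRQ)))
    print(summarize(parse_control(GATEWAY_SCCRP)))
    for line in diagnose([CLIENT_SCCRQ, CLIENT_SCCRQ]):
        print(line)
```

Running it against the two-SCCRQ sequence reports one finding: a duplicate SCCRQ whose Nr is still 0. Under RFC 2661 a peer that had received the SCCRP (Ns 0) would answer with SCCCN and carry Nr 1, so the repeat shows the client is not seeing the router's reply, which is consistent with IOS sitting in Wt-SCCCN until the control channel retransmit timer expires.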