L2TP/IPSEC: IOS<->Android

Answered Question
Jul 2nd, 2010

Hi,


is there a working L2TP/IPSEC VPN solution between Cisco IOS and Android 2.1?


I'm trying to get my mobile online, but the connection is terminated after 10 sec.


Any hints?


Harald



My IOS config:


vpdn enable
!
vpdn-group l2tpvpn
! Default L2TP VPDN group
accept-dialin
  protocol l2tp
  virtual-template 1
no l2tp tunnel authentication
!


username user privilege 15 password secret


crypto keyring l2tpvpn
  pre-shared-key address 0.0.0.0 0.0.0.0 key test
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600


crypto isakmp key test address 0.0.0.0 0.0.0.0


crypto ipsec transform-set L2TP-TS esp-3des esp-sha-hmac
!
crypto dynamic-map dynvpn 1
set nat demux
set transform-set L2TP-TS


crypto map CRYPTOMAP 20 ipsec-isakmp dynamic dynvpn



interface Virtual-Template1
ip unnumbered Ethernet0
peer default ip address pool VPN
keepalive 5
ppp authentication ms-chap-v2



interface BVI1
ip address 212.xxx.xxx.xxx 255.255.255.0
ip nat outside
ip virtual-reassembly
ipv6 address autoconfig default
ipv6 enable
crypto map CRYPTOMAP
!
ip local pool VPN 172.17.0.1 172.17.0.10



Some debugs:


IOS#
Jul  2 16:00:01.800 CEST: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul  2 16:00:01.800 CEST: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul  2 16:00:01.800 CEST: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul  2 16:00:01.804 CEST: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul  2 16:00:01.804 CEST: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul  2 16:00:01.808 CEST: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul  2 16:00:01.808 CEST: ISAKMP:(0:13:HW:2): phase 2 SA policy not acceptable! (local 212.xxx.xxx.xxx remote 80.xxx.xxx.xxx)
Jul  2 16:00:01.816 CEST: ISAKMP:(0:13:HW:2):deleting node -1463956874 error TRUE reason "QM rejected"
Jul  2 16:00:01.816 CEST: ISAKMP (0:268435469): Unknown Input IKE_MESG_FROM_PEER, IKE_QM_EXCH:  for node -1463956874: state = IKE_QM_READY
Jul  2 16:00:01.820 CEST: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 80.xxx.xxx.xxx


IOS#
Jul  2 16:00:32.695 CEST: L2X: Parse  AVP 0, len 8, flag 0x8000 (M)
Jul  2 16:00:32.695 CEST: L2X: Parse SCCRQ
Jul  2 16:00:32.695 CEST: L2X: Parse  AVP 2, len 8, flag 0x8000 (M)
Jul  2 16:00:32.699 CEST: L2X: Protocol Version 1
Jul  2 16:00:32.699 CEST: L2X: Parse  AVP 7, len 15, flag 0x8000 (M)
Jul  2 16:00:32.699 CEST: L2X: Hostname anonymous
Jul  2 16:00:32.699 CEST: L2X: Parse  AVP 3, len 10, flag 0x8000 (M)
Jul  2 16:00:32.699 CEST: L2X: Framing Cap 0x3
Jul  2 16:00:32.703 CEST: L2X: Parse  AVP 9, len 8, flag 0x8000 (M)
Jul  2 16:00:32.703 CEST: L2X: Assigned Tunnel ID 3545
Jul  2 16:00:32.703 CEST: L2X: Parse  AVP 10, len 8, flag 0x8000 (M)
Jul  2 16:00:32.703 CEST: L2X: Rx Window Size 1
Jul  2 16:00:32.703 CEST: L2X: No missing AVPs in SCCRQ
Jul  2 16:00:32.703 CEST: L2X: I SCCRQ, flg TLS, ver 2, len 69, tnl 0, ns 0, nr 0
contiguous pak, size 69
         C8 02 00 45 00 00 00 00 00 00 00 00 80 08 00 00
         00 00 00 01 80 08 00 00 00 02 01 00 80 0F 00 00
         00 07 61 6E 6F 6E 79 6D 6F 75 73 80 0A 00 00 00
         03 00 00 00 03 80 08 00 00 00 09 0D D9 80 08 00
         00 00 0A 00 01
Jul  2 16:00:32.707 CEST: L2TP: I SCCRQ from anonymous tnl 3545
Jul  2 16:00:32.711 CEST:  Tnl 55994 L2TP: Tunnel Authorization started for host anonymous
Jul  2 16:00:32.711 CEST:  Tnl 55994 L2TP: New tunnel created for remote anonymous, address 80.xxx.xxx.xxx
Jul  2 16:00:32.715 CEST: L2X: Tunnel author reply L2X info not found
Jul  2 16:00:32.715 CEST:  Tnl 55994 L2TP: O SCCRP  to anonymous tnlid 3545
Jul  2 16:00:32.715 CEST:  Tnl 55994 L2TP: Parse  AVP 0, len 8, flag 0x8000 (M)
Jul  2 16:00:32.715 CEST:  Tnl 55994 L2TP: Parse SCCRP
Jul  2 16:00:32.719 CEST:  Tnl 55994 L2TP: Parse  AVP 2, len 8, flag 0x8000 (M)
Jul  2 16:00:32.719 CEST:  Tnl 55994 L2TP: Protocol Version 1
Jul  2 16:00:32.719 CEST:  Tnl 55994 L2TP: Parse  AVP 6, len 8, flag 0x0
Jul  2 16:00:32.719 CEST:  Tnl 55994 L2TP: Firmware Ver 0x1120
Jul  2 16:00:32.719 CEST:  Tnl 55994 L2TP: Parse  AVP 7, len 9, flag 0x8000 (M)
Jul  2 16:00:32.719 CEST:  Tnl 55994 L2TP: Hostname IOS
Jul  2 16:00:32.723 CEST:  Tnl 55994 L2TP: Parse  AVP 8, len 25, flag 0x0
Jul  2 16:00:32.723 CEST:  Tnl 55994 L2TP: Vendor Name Cisco Systems, Inc.
Jul  2 16:00:32.727 CEST:  Tnl 55994 L2TP: Parse  AVP 10, len 8, flag 0x8000 (M)
Jul  2 16:00:32.727 CEST:  Tnl 55994 L2TP: Rx Window Size 300
Jul  2 16:00:32.727 CEST:  Tnl 55994 L2TP: Parse  AVP 9, len 8, flag 0x8000 (M)
Jul  2 16:00:32.727 CEST:  Tnl 55994 L2TP: Assigned Tunnel ID 55994
Jul  2 16:00:32.727 CEST:  Tnl 55994 L2TP: Parse  AVP 3, len 10, flag 0x8000 (M)
Jul  2 16:00:32.727 CEST:  Tnl 55994 L2TP: Framing Cap 0x0
Jul  2 16:00:32.731 CEST:  Tnl 55994 L2TP: Parse  AVP 4, len 10, flag 0x8000 (M)
Jul  2 16:00:32.731 CEST:  Tnl 55994 L2TP: Bearer Cap 0x0
Jul  2 16:00:32.731 CEST:  Tnl 55994 L2TP: O SCCRP, flg TLS, ver 2, len 106, tnl 3545, ns 0, nr 1
         C8 02 00 6A 0D D9 00 00 00 00 00 01 80 08 00 00
         00 00 00 02 80 08 00 00 00 02 01 00 00 08 00 00
         00 06 11 20 80 09 00 00 00 07 49 4F 53 00 19 00
         00 00 08 43 69 73 63 6F 20 53 79 73 74 65 6D 73
         2C 20 49 6E 63 2E 80 ...
Jul  2 16:00:32.735 CEST:  Tnl 55994 L2TP: Control channel retransmit delay set to 1 seconds
Jul  2 16:00:32.735 CEST:  Tnl 55994 L2TP: Tunnel state change from idle to wait-ctl-reply
Jul  2 16:00:32.887 CEST:  Tnl 55994 L2TP: Parse  AVP 0, len 8, flag 0x8000 (M)
Jul  2 16:00:32.887 CEST:  Tnl 55994 L2TP: Parse SCCCN
Jul  2 16:00:32.887 CEST:  Tnl 55994 L2TP: No missing AVPs in SCCCN
Jul  2 16:00:32.887 CEST:  Tnl 55994 L2TP: I SCCCN, flg TLS, ver 2, len 20, tnl 55994, ns 1, nr 1
contiguous pak, size 20
         C8 02 00 14 DA BA 00 00 00 01 00 01 80 08 00 00
         00 00 00 03
Jul  2 16:00:32.891 CEST:  Tnl 55994 L2TP: O ZLB ctrl ack, flg TLS, ver 2, len 12, tnl 3545, ns 1, nr 2
         C8 02 00 0C 0D D9 00 00 00 01 00 02
Jul  2 16:00:32.891 CEST:  Tnl 55994 L2TP: I SCCCN from anonymous tnl 3545
Jul  2 16:00:32.895 CEST:  Tnl 55994 L2TP: Tunnel state change from wait-ctl-reply to established
Jul  2 16:00:32.895 CEST:  Tnl 55994 L2TP: SM State established
Jul  2 16:00:33.091 CEST:  Tnl 55994 L2TP: Parse  AVP 0, len 8, flag 0x8000 (M)
Jul  2 16:00:33.091 CEST:  Tnl 55994 L2TP: Parse ICRQ
Jul  2 16:00:33.091 CEST:  Tnl 55994 L2TP: Parse  AVP 14, len 8, flag 0x8000 (M)
Jul  2 16:00:33.091 CEST:  Tnl 55994 L2TP: Assigned Call ID 43765
Jul  2 16:00:33.091 CEST:  Tnl 55994 L2TP: Parse  AVP 15, len 10, flag 0x8000 (M)
Jul  2 16:00:33.091 CEST:  Tnl 55994 L2TP: Serial Number 1986235932
Jul  2 16:00:33.091 CEST:  Tnl 55994 L2TP: No missing AVPs in ICRQ
Jul  2 16:00:33.095 CEST:  Tnl 55994 L2TP: I ICRQ, flg TLS, ver 2, len 38, tnl 55994, ns 2, nr 1
contiguous pak, size 38
         C8 02 00 26 DA BA 00 00 00 02 00 01 80 08 00 00
         00 00 00 0A 80 08 00 00 00 0E AA F5 80 0A 00 00
         00 0F 76 63 8E 1C
Jul  2 16:00:33.095 CEST:  Tnl 55994 L2TP: I ICRQ from anonymous tnl 3545
Jul  2 16:00:33.099 CEST:  Tnl/Sn 55994/18 L2TP: Session state change from idle to wait-connect
Jul  2 16:00:33.099 CEST:  Tnl/Sn 55994/18 L2TP: Accepted ICRQ, new session created
Jul  2 16:00:33.099 CEST: uid:25 Tnl/Sn 55994/18 L2TP: O ICRP to anonymous 3545/43765
Jul  2 16:00:33.099 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Parse  AVP 0, len 8, flag 0x8000 (M)
Jul  2 16:00:33.103 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Parse ICRP
Jul  2 16:00:33.103 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Parse  AVP 14, len 8, flag 0x8000 (M)
Jul  2 16:00:33.103 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Assigned Call ID 18
Jul  2 16:00:33.103 CEST: uid:25 Tnl/Sn 55994/18 L2TP: O ICRP, flg TLS, ver 2, len 28, tnl 3545, lsid 18, rsid 43765, ns 1, nr 3
         C8 02 00 1C 0D D9 AA F5 00 01 00 03 80 08 00 00
         00 00 00 0B 80 08 00 00 00 0E 00 12
Jul  2 16:00:33.107 CEST:  Tnl 55994 L2TP: Control channel retransmit delay set to 1 seconds
Jul  2 16:00:33.259 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Parse  AVP 0, len 8, flag 0x8000 (M)
Jul  2 16:00:33.259 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Parse ICCN
Jul  2 16:00:33.259 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Parse  AVP 24, len 10, flag 0x8000 (M)
Jul  2 16:00:33.259 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Connect Speed 100000000
Jul  2 16:00:33.259 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Parse  AVP 19, len 10, flag 0x8000 (M)
Jul  2 16:00:33.259 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Framing Type 3
Jul  2 16:00:33.263 CEST: uid:25 Tnl/Sn 55994/18 L2TP: No missing AVPs in ICCN
Jul  2 16:00:33.263 CEST: uid:25 Tnl/Sn 55994/18 L2TP: I ICCN, flg TLS, ver 2, len 40, tnl 55994, lsid 18, rsid 43765, ns 3, nr 2
contiguous pak, size 40
         C8 02 00 28 DA BA 00 12 00 03 00 02 80 08 00 00
         00 00 00 0C 80 0A 00 00 00 18 05 F5 E1 00 80 0A
         00 00 00 13 00 00 00 03
Jul  2 16:00:33.263 CEST: uid:25 Tnl/Sn 55994/18 L2TP: O ZLB ctrl ack, flg TLS, ver 2, len 12, tnl 3545, lsid 18, rsid 43765, ns 2, nr 4
         C8 02 00 0C 0D D9 00 00 00 02 00 04
Jul  2 16:00:33.267 CEST: uid:25 Tnl/Sn 55994/18 L2TP: I ICCN from anonymous tnl 3545, cl 43765
Jul  2 16:00:33.267 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Session state change from wait-connect to wait-for-service-selection-iccn
Jul  2 16:00:33.275 CEST: uid:25 Tnl/Sn 55994/18 L2TP: O SLI to anonymous 3545/43765
Jul  2 16:00:33.275 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Sending send ACCM 0xFFFFFFFF and receive ACCM 0xFFFFFFFF
Jul  2 16:00:33.275 CEST:  Tnl 55994 L2TP: Parse  AVP 0, len 8, flag 0x8000 (M)
Jul  2 16:00:33.275 CEST:  Tnl 55994 L2TP: Parse SLI
Jul  2 16:00:33.275 CEST:  Tnl 55994 L2TP: Parse  AVP 35, len 16, flag 0x8000 (M)
Jul  2 16:00:33.279 CEST:  Tnl 55994 L2TP: O SLI, flg TLS, ver 2, len 36, tnl 3545, ns 2, nr 4
         C8 02 00 24 0D D9 AA F5 00 02 00 04 80 08 00 00
         00 00 00 10 80 10 00 00 00 23 00 00 FF FF FF FF
         FF FF FF FF
Jul  2 16:00:33.279 CEST:  Tnl 55994 L2TP: Control channel retransmit delay set to 1 seconds
Jul  2 16:00:33.283 CEST: ppp25 PPP: Send Message[Dynamic Bind Response]
Jul  2 16:00:33.283 CEST: ppp25 PPP: Using vpn set call direction
Jul  2 16:00:33.283 CEST: ppp25 PPP: Treating connection as a callin
Jul  2 16:00:33.283 CEST: ppp25 PPP: Session handle[A300003D] Session id[25]
Jul  2 16:00:33.283 CEST: ppp25 PPP: Phase is ESTABLISHING, Passive Open
Jul  2 16:00:33.283 CEST: ppp25 LCP: State is Listen
Jul  2 16:00:33.475 CEST: ppp25 LCP: I CONFREQ [Listen] id 1 len 24
Jul  2 16:00:33.475 CEST: ppp25 LCP:    MRU 1400 (0x01040578)
Jul  2 16:00:33.479 CEST: ppp25 LCP:    ACCM 0x00000000 (0x020600000000)
Jul  2 16:00:33.479 CEST: ppp25 LCP:    MagicNumber 0x81EDA0D1 (0x050681EDA0D1)
Jul  2 16:00:33.479 CEST: ppp25 LCP:    PFC (0x0702)
Jul  2 16:00:33.479 CEST: ppp25 LCP:    ACFC (0x0802)
Jul  2 16:00:33.479 CEST: ppp25 PPP: Authorization required
Jul  2 16:00:33.479 CEST: ppp25 LCP: O CONFREQ [Listen] id 1 len 25
Jul  2 16:00:33.483 CEST: ppp25 LCP:    ACCM 0x000A0000 (0x0206000A0000)
Jul  2 16:00:33.483 CEST: ppp25 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
Jul  2 16:00:33.483 CEST: ppp25 LCP:    MagicNumber 0x1D3AB2DD (0x05061D3AB2DD)
Jul  2 16:00:33.483 CEST: ppp25 LCP:    PFC (0x0702)
Jul  2 16:00:33.483 CEST: ppp25 LCP:    ACFC (0x0802)
Jul  2 16:00:33.483 CEST: ppp25 LCP: O CONFNAK [Listen] id 1 len 8
Jul  2 16:00:33.487 CEST: ppp25 LCP:    MRU 1500 (0x010405DC)
Jul  2 16:00:33.635 CEST: ppp25 LCP: I CONFACK [REQsent] id 1 len 25
Jul  2 16:00:33.635 CEST: ppp25 LCP:    ACCM 0x000A0000 (0x0206000A0000)
Jul  2 16:00:33.639 CEST: ppp25 LCP:    AuthProto MS-CHAP-V2 (0x0305C22381)
Jul  2 16:00:33.639 CEST: ppp25 LCP:    MagicNumber 0x1D3AB2DD (0x05061D3AB2DD)
Jul  2 16:00:33.639 CEST: ppp25 LCP:    PFC (0x0702)
Jul  2 16:00:33.639 CEST: ppp25 LCP:    ACFC (0x0802)
Jul  2 16:00:33.647 CEST: ppp25 LCP: I CONFREQ [ACKrcvd] id 2 len 20
Jul  2 16:00:33.647 CEST: ppp25 LCP:    ACCM 0x00000000 (0x020600000000)
Jul  2 16:00:33.647 CEST: ppp25 LCP:    MagicNumber 0x81EDA0D1 (0x050681EDA0D1)
Jul  2 16:00:33.647 CEST: ppp25 LCP:    PFC (0x0702)
Jul  2 16:00:33.647 CEST: ppp25 LCP:    ACFC (0x0802)
Jul  2 16:00:33.651 CEST: ppp25 LCP: O CONFACK [ACKrcvd] id 2 len 20
Jul  2 16:00:33.651 CEST: ppp25 LCP:    ACCM 0x00000000 (0x020600000000)
Jul  2 16:00:33.651 CEST: ppp25 LCP:    MagicNumber 0x81EDA0D1 (0x050681EDA0D1)
Jul  2 16:00:33.651 CEST: ppp25 LCP:    PFC (0x0702)
Jul  2 16:00:33.651 CEST: ppp25 LCP:    ACFC (0x0802)
Jul  2 16:00:33.651 CEST: ppp25 LCP: State is Open
Jul  2 16:00:33.655 CEST: uid:25 Tnl/Sn 55994/18 L2TP: O SLI to anonymous 3545/43765
Jul  2 16:00:33.655 CEST: uid:25 Tnl/Sn 55994/18 L2TP: Sending send ACCM 0x00000000 and receive ACCM 0x000A0000
Jul  2 16:00:33.655 CEST: ppp25 PPP: Phase is AUTHENTICATING, by this end
Jul  2 16:00:33.659 CEST: ppp25 MS-CHAP-V2: O CHALLENGE id 1 len 24 from "IOS"
Jul  2 16:00:33.847 CEST: ppp25 MS-CHAP-V2: I RESPONSE id 1 len 59 from "user"
Jul  2 16:00:33.847 CEST: ppp25 PPP: Phase is FORWARDING, Attempting Forward
Jul  2 16:00:33.851 CEST: ppp25 PPP: Phase is AUTHENTICATING, Unauthenticated User
Jul  2 16:00:33.851 CEST: ppp25 PPP: Sent MSCHAP_V2 LOGIN Request
Jul  2 16:00:33.891 CEST: ppp25 PPP: Received LOGIN Response PASS
Jul  2 16:00:33.891 CEST: ppp25 PPP: Phase is FORWARDING, Attempting Forward
Jul  2 16:00:33.891 CEST: ppp25 PPP: Send Message[Connect Local]
Jul  2 16:00:33.899 CEST: Vi3.1 Tnl/Sn 55994/18 L2TP: Virtual interface created for unknown, bandwidth 100000 Kbps
Jul  2 16:00:33.899 CEST: ppp25 PPP: Bind to [Virtual-Access3.1]
Jul  2 16:00:33.903 CEST: Vi3.1 PPP: Send Message[Static Bind Response]
Jul  2 16:00:33.903 CEST: Vi3.1 Tnl/Sn 55994/18 L2TP: Session state change from wait-for-service-selection-iccn to established
Jul  2 16:00:33.903 CEST: Vi3.1 Tnl/Sn 55994/18 L2TP: VPDN session up
Jul  2 16:00:33.907 CEST: Vi3.1 PPP: Phase is AUTHENTICATING, Authenticated User
Jul  2 16:00:33.911 CEST: Vi3.1 PPP: Sent LCP AUTHOR Request
Jul  2 16:00:33.911 CEST: Vi3.1 PPP: Sent IPCP AUTHOR Request
Jul  2 16:00:33.911 CEST: Vi3.1 LCP: Received AAA AUTHOR Response PASS
Jul  2 16:00:33.915 CEST: Vi3.1 IPCP: Received AAA AUTHOR Response PASS
Jul  2 16:00:33.915 CEST: Vi3.1 MS-CHAP-V2: O SUCCESS id 1 len 46 msg is "S=D216E8EA91BF8126B5CF3D0CAA7AFF2B580216AA"
Jul  2 16:00:33.919 CEST: Vi3.1 PPP: Phase is UP
Jul  2 16:00:33.919 CEST: Vi3.1 IPCP: O CONFREQ [Closed] id 1 len 10
Jul  2 16:00:33.919 CEST: Vi3.1 IPCP:    Address 192.168.0.254 (0x0306AC1000FE)
Jul  2 16:00:33.919 CEST: Vi3.1 PPP: Process pending ncp packets
Jul  2 16:00:34.067 CEST: Vi3.1 CCP: I CONFREQ [Not negotiated] id 1 len 15
Jul  2 16:00:34.067 CEST: Vi3.1 CCP:    Deflate 0x7800 (0x1A047800)
Jul  2 16:00:34.067 CEST: Vi3.1 CCP:    MVRCA 0x7800 (0x18047800)
Jul  2 16:00:34.067 CEST: Vi3.1 CCP:    BSDLZW 47 (0x15032F)
Jul  2 16:00:34.071 CEST: Vi3.1 LCP: O PROTREJ [Open] id 2 len 21 protocol CCP
Jul  2 16:00:34.071 CEST: Vi3.1 LCP:  (0x80FD0101000F1A047800180478001503)
Jul  2 16:00:34.071 CEST: Vi3.1 LCP:  (0x2F)
Jul  2 16:00:34.071 CEST: Vi3.1 IPCP: I CONFREQ [REQsent] id 1 len 28
Jul  2 16:00:34.071 CEST: Vi3.1 IPCP:    CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
Jul  2 16:00:34.075 CEST: Vi3.1 IPCP:    Address 0.0.0.0 (0x030600000000)
Jul  2 16:00:34.075 CEST: Vi3.1 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
Jul  2 16:00:34.075 CEST: Vi3.1 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
Jul  2 16:00:34.075 CEST: Vi3.1 AAA/AUTHOR/IPCP: Start.  Her address 0.0.0.0, we want 0.0.0.0
Jul  2 16:00:34.075 CEST: Vi3.1 AAA/AUTHOR/IPCP: Done.  Her address 0.0.0.0, we want 0.0.0.0
Jul  2 16:00:34.079 CEST: Vi3.1 IPCP: Pool returned 172.17.0.1
Jul  2 16:00:34.079 CEST: Vi3.1 IPCP: O CONFREJ [REQsent] id 1 len 10
Jul  2 16:00:34.079 CEST: Vi3.1 IPCP:    CompressType VJ 15 slots CompressSlotID (0x0206002D0F01)
Jul  2 16:00:34.079 CEST: Vi3.1 IPCP: I CONFACK [REQsent] id 1 len 10
Jul  2 16:00:34.079 CEST: Vi3.1 IPCP:    Address 172.16.0.254 (0x0306AC1000FE)
Jul  2 16:00:34.283 CEST: Vi3.1 IPCP: I CONFREQ [ACKrcvd] id 2 len 22
Jul  2 16:00:34.283 CEST: Vi3.1 IPCP:    Address 0.0.0.0 (0x030600000000)
Jul  2 16:00:34.287 CEST: Vi3.1 IPCP:    PrimaryDNS 0.0.0.0 (0x810600000000)
Jul  2 16:00:34.287 CEST: Vi3.1 IPCP:    SecondaryDNS 0.0.0.0 (0x830600000000)
Jul  2 16:00:34.287 CEST: Vi3.1 IPCP: O CONFNAK [ACKrcvd] id 2 len 22
Jul  2 16:00:34.287 CEST: Vi3.1 IPCP:    Address 172.17.0.1 (0x0306AC110001)
Jul  2 16:00:34.287 CEST: Vi3.1 IPCP:    PrimaryDNS 1.1.1.1 (0x8106D918C242)
Jul  2 16:00:34.287 CEST: Vi3.1 IPCP:    SecondaryDNS 2.2.2.2 (0x83065262438E)
Jul  2 16:00:34.291 CEST:  Tnl 55994 L2TP: Added 3 to resendQ, updated nr 4 and sent to peer
Jul  2 16:00:34.295 CEST:  Tnl 55994 L2TP: O SLI, flg TLS, ver 2, len 36, tnl 3545, ns 3, nr 4
         C8 02 00 24 0D D9 AA F5 00 03 00 04 80 08 00 00
         00 00 00 10 80 10 00 00 00 23 00 00 00 00 00 00
         00 0A 00 00
Jul  2 16:00:34.447 CEST: Vi3.1 IPCP: I CONFREQ [ACKrcvd] id 3 len 22
Jul  2 16:00:34.447 CEST: Vi3.1 IPCP:    Address 172.17.0.1 (0x0306AC110001)
Jul  2 16:00:34.447 CEST: Vi3.1 IPCP:    PrimaryDNS 1.1.1.1 (0x8106D918C242)
Jul  2 16:00:34.451 CEST: Vi3.1 IPCP:    SecondaryDNS 2.2.2.2 (0x83065262438E)
Jul  2 16:00:34.451 CEST: Vi3.1 IPCP: O CONFACK [ACKrcvd] id 3 len 22
Jul  2 16:00:34.451 CEST: Vi3.1 IPCP:    Address 172.17.0.1 (0x0306AC110001)
Jul  2 16:00:34.451 CEST: Vi3.1 IPCP:    PrimaryDNS 1.1.1.1 (0x8106D918C242)
Jul  2 16:00:34.451 CEST: Vi3.1 IPCP:    SecondaryDNS 2.2.2.2 (0x83065262438E)
Jul  2 16:00:34.451 CEST: Vi3.1 IPCP: State is Open
Jul  2 16:00:34.459 CEST: Vi3.1 IPCP: Install route to 172.17.0.1
Jul  2 16:00:35.303 CEST:  Tnl 55994 L2TP: Control channel retransmit delay set to 1 seconds


IOS#ping 172.17.0.1


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 156/160/172 ms
IOS#



Jul  2 16:00:45.547 CEST: Vi3.1 LCP: I TERMREQ [Open] id 3 len 16 (0x557365722072657175657374)
Jul  2 16:00:45.547 CEST: Vi3.1 LCP: O TERMACK [Open] id 3 len 4
Jul  2 16:00:45.547 CEST: Vi3.1 PPP: Sending Acct Event[Down] id[F0D]
Jul  2 16:00:45.547 CEST: Vi3.1 PPP: Phase is TERMINATING
Jul  2 16:00:45.955 CEST:  Tnl 55994 L2TP: Parse  AVP 0, len 8, flag 0x8000 (M)
Jul  2 16:00:45.955 CEST:  Tnl 55994 L2TP: Parse StopCCN
Jul  2 16:00:45.955 CEST:  Tnl 55994 L2TP: Parse  AVP 9, len 8, flag 0x8000 (M)
Jul  2 16:00:45.959 CEST:  Tnl 55994 L2TP: Assigned Tunnel ID 3545
Jul  2 16:00:45.959 CEST:  Tnl 55994 L2TP: Parse  AVP 1, len 8, flag 0x8000 (M)
Jul  2 16:00:45.959 CEST: L2X: Result code(6): 6: Requestor is being shut down
Jul  2 16:00:45.959 CEST:      Error code(0): No error
Jul  2 16:00:45.959 CEST:  Tnl 55994 L2TP: No missing AVPs in StopCCN
Jul  2 16:00:45.959 CEST:  Tnl 55994 L2TP: I StopCCN, flg TLS, ver 2, len 36, tnl 55994, ns 4, nr 4
contiguous pak, size 36
         C8 02 00 24 DA BA 00 00 00 04 00 04 80 08 00 00
         00 00 00 04 80 08 00 00 00 09 0D D9 80 08 00 00
         00 01 00 06
Jul  2 16:00:45.963 CEST:  Tnl 55994 L2TP: O ZLB ctrl ack, flg TLS, ver 2, len 12, tnl 3545, ns 4, nr 5
         C8 02 00 0C 0D D9 00 00 00 04 00 05
Jul  2 16:00:45.967 CEST:  Tnl 55994 L2TP: I StopCCN from anonymous tnl 3545
Jul  2 16:00:45.967 CEST:  Tnl 55994 L2TP: Tunnel state change from established to shutting-down
Jul  2 16:00:45.967 CEST:  Tnl 55994 L2TP: Shutdown tunnel
Jul  2 16:00:45.967 CEST: Vi3.1 Tnl/Sn 55994/18 L2TP: disconnect (L2X) IETF: 9/nas-error Ascend: 65/VPDN Tunnel Down/Setup Fail
Jul  2 16:00:45.967 CEST: Vi3.1 Tnl/Sn 55994/18 L2TP: Destroying session
Jul  2 16:00:45.967 CEST: Vi3.1 Tnl/Sn 55994/18 L2TP: Session state change from established to idle
Jul  2 16:00:45.971 CEST: Vi3.1 Tnl/Sn 55994/18 L2TP: Accounting stop sent
Jul  2 16:00:45.971 CEST: Vi3.1 Tnl/Sn 55994/18 L2TP: Unbinding session from idb
Jul  2 16:00:45.971 CEST: Vi3.1 VPDN: Resetting interface
Jul  2 16:00:45.975 CEST: Vi3.1 PPP: Block vaccess from being freed [0x19]
Jul  2 16:00:45.975 CEST:  Tnl 55994 L2TP: Tunnel state shutting-down while destroying session
Jul  2 16:00:45.975 CEST:  Tnl 55994 L2TP: Tunnel state change from shutting-down to idle
Jul  2 16:00:46.179 CEST: Vi3.1 PPP: Missed link down notification
Jul  2 16:00:46.179 CEST: Vi3.1 LCP: State is Closed
Jul  2 16:00:46.179 CEST: Vi3.1 PPP: Phase is DOWN
Jul  2 16:00:46.179 CEST: Vi3.1 IPCP: State is Closed
Jul  2 16:00:46.183 CEST: Vi3.1 PPP: Unlocked by [0x1] Still Locked by [0x18]
Jul  2 16:00:46.183 CEST: Vi3.1 PPP: Unlocked by [0x10] Still Locked by [0x8]
Jul  2 16:00:46.183 CEST: Vi3.1 PPP: Send Message[Disconnect]
Jul  2 16:00:46.183 CEST: Vi3.1 PPP: Unlocked by [0x8] Still Locked by [0x0]
Jul  2 16:00:46.183 CEST: Vi3.1 PPP: Free previously blocked vaccess
Jul  2 16:00:46.187 CEST: Vi3.1 IPCP: Remove route to 172.17.0.1
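
For reading the teardown at the end of the debug above, here is an added example (not part of the original post) that decodes the `I StopCCN` hex dump and the data field of the `I TERMREQ` line. The function names are illustrative; the header and AVP layout follow RFC 2661, and the sample bytes are copied from the debug.

```python
import struct

MESSAGE_TYPES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                 10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN", 16: "SLI"}
# Subset of the StopCCN result codes defined in RFC 2661.
STOPCCN_RESULTS = {1: "General request to clear control connection",
                   2: "General error",
                   6: "Requester is being shut down",
                   7: "Finite state machine error"}

def from_dump(text):
    """Turn an IOS 'contiguous pak' hex dump into bytes."""
    return bytes.fromhex("".join(text.split()))

def parse_control(packet):
    """Parse an L2TPv2 control message into its header fields and raw AVPs."""
    if len(packet) < 12:
        raise ValueError("shorter than an L2TP control header")
    flags, length, tunnel_id, session_id, ns, nr = struct.unpack("!6H", packet[:12])
    # Control messages carry T, L and S set, O clear, version 2 ('flg TLS, ver 2').
    if flags & 0xCA0F != 0xC802:
        raise ValueError("not an L2TPv2 control message")
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    avps, off = [], 12
    while off < length:
        if length - off < 6:
            raise ValueError("truncated AVP header")
        word, vendor, attr = struct.unpack("!3H", packet[off:off + 6])
        avp_len = word & 0x03FF              # low 10 bits include the 6-byte header
        if avp_len < 6 or off + avp_len > length:
            raise ValueError("bad AVP length")
        avps.append({"mandatory": bool(word & 0x8000), "hidden": bool(word & 0x4000),
                     "vendor": vendor, "type": attr,
                     "value": packet[off + 6:off + avp_len]})
        off += avp_len
    return {"tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "avps": avps}

def summarize(packet):
    """Reduce a control message to the fields the IOS debug prints."""
    msg = parse_control(packet)
    out = {"type": "ZLB", "tunnel_id": msg["tunnel_id"],
           "ns": msg["ns"], "nr": msg["nr"]}
    for avp in msg["avps"]:
        if avp["vendor"] or avp["hidden"]:
            continue                          # only plain IETF AVPs are decoded here
        kind, value = avp["type"], avp["value"]
        if kind == 0 and len(value) == 2:     # Message Type
            code = int.from_bytes(value, "big")
            out["type"] = MESSAGE_TYPES.get(code, f"type {code}")
        elif kind == 1 and len(value) >= 2:   # Result Code, optional Error Code
            out["result_code"] = int.from_bytes(value[:2], "big")
            out["error_code"] = (int.from_bytes(value[2:4], "big")
                                 if len(value) >= 4 else None)
        elif kind == 9 and len(value) == 2:   # Assigned Tunnel ID (the sender's own ID)
            out["assigned_tunnel_id"] = int.from_bytes(value, "big")
    if out["type"] == "StopCCN" and "result_code" in out:
        out["result_text"] = STOPCCN_RESULTS.get(out["result_code"], "unlisted")
    return out

def lcp_terminate_reason(hex_data):
    """Decode the free-form data field that IOS prints after an LCP TERMREQ."""
    return bytes.fromhex(hex_data).decode("ascii", errors="replace")

# Bytes copied from the 'I StopCCN' dump and the 'I TERMREQ' line in the debug above.
STOPCCN_DUMP = """
    C8 02 00 24 DA BA 00 00 00 04 00 04 80 08 00 00
    00 00 00 04 80 08 00 00 00 09 0D D9 80 08 00 00
    00 01 00 06
"""
TERMREQ_DATA = "557365722072657175657374"

if __name__ == "__main__":
    print(summarize(from_dump(STOPCCN_DUMP)))
    print(lcp_terminate_reason(TERMREQ_DATA))
```

Both messages are marked `I` (inbound) in the debug, and the StopCCN carries the peer's own tunnel ID as Assigned Tunnel ID, so the decoded fields describe a teardown sent by the client.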

Correct Answer
Jason Gervia Fri, 07/02/2010 - 10:05
User Badges: Cisco Employee

Harald,


I'd need more debugs to be sure, but it looks like ipsec quick mode is failing (phase 2). Try changing your transform set to use 'mode transport', as I believe that's required for l2tp/ipsec.


If that doesn't work, we'd need the complete debugs for 'debug crypto isakmp' and 'debug crypto ipsec'.


--Jason

cassian.lee Tue, 07/19/2011 - 02:46

Hi Harald,


I have the same problem. May I know the final configuration?


Cassian

Harald Singer Tue, 07/19/2011 - 03:12

Hi Cassian,


I hope I didn't miss anything:


!---------------------------------------------------
vpdn enable
!
vpdn-group l2tpvpn
! Default L2TP VPDN group
accept-dialin
  protocol l2tp
  virtual-template 1
no l2tp tunnel authentication
!
username user privilege 15 password secret
!
crypto keyring l2tpvpn
  pre-shared-key address 0.0.0.0 0.0.0.0 key test
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600

crypto isakmp key test address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set L2TP-TS esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map dynvpn 1
set nat demux
set transform-set L2TP-TS

crypto map CRYPTOMAP 20 ipsec-isakmp dynamic dynvpn

interface Virtual-Template1
ip unnumbered Ethernet0
peer default ip address pool VPN
keepalive 5
ppp authentication ms-chap-v2

interface BVI1
ip address 212.xxx.xxx.xxx 255.255.255.0
ip nat outside
ip virtual-reassembly
ipv6 address autoconfig default
ipv6 enable
crypto map CRYPTOMAP
!
ip local pool VPN 172.17.0.1 172.17.0.10
!---------------------------------------------------



Harald
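
A check for the condition this thread turned on, as an added example (not code from any poster or from Cisco): it reports transform sets that an L2TP-accepting configuration offers in IOS's default tunnel mode and counts the quick-mode failure lines in a debug capture. The function names are illustrative, and the config and debug samples are trimmed from the posts above.

```python
import re

# Debug strings from the thread that show IKE phase 2 (quick mode) being rejected.
QM_FAILURE_MARKERS = (
    "IPSec policy invalidated proposal",
    "phase 2 SA policy not acceptable",
    "QM rejected",
    "%CRYPTO-6-IKMP_MODE_FAILURE",
)

def transform_set_modes(config):
    """Map transform-set name -> mode; IOS uses tunnel mode unless 'mode' says otherwise."""
    modes, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue                      # pasted configs often carry blank lines
        m = re.match(r"crypto ipsec transform-set (\S+)\s", line)
        if m:
            current = m.group(1)
            modes[current] = "tunnel"
        elif current and line.startswith("mode "):
            modes[current] = line.split()[1]
        else:
            current = None                # any other line leaves the sub-mode
    return modes

def referenced_transform_sets(config):
    """Names used by 'set transform-set' lines in crypto map / dynamic-map entries."""
    names = set()
    for rest in re.findall(r"^\s*set transform-set (.+)$", config, re.M):
        names.update(rest.split())
    return names

def triage(config, debug=""):
    """Return (transform_set, mode, quick_mode_failure_lines) for every referenced
    transform set that an L2TP-accepting config offers in a mode other than transport."""
    if not re.search(r"^\s*protocol l2tp\s*$", config, re.M):
        return []
    failures = sum(any(k in line for k in QM_FAILURE_MARKERS)
                   for line in debug.splitlines())
    modes = transform_set_modes(config)
    return [(name, modes.get(name, "undefined"), failures)
            for name in sorted(referenced_transform_sets(config))
            if modes.get(name) != "transport"]

# Trimmed from the first config in the thread (no 'mode' line under the transform set).
BEFORE = """\
vpdn-group l2tpvpn
accept-dialin
  protocol l2tp
  virtual-template 1
crypto ipsec transform-set L2TP-TS esp-3des esp-sha-hmac
!
crypto dynamic-map dynvpn 1
set nat demux
set transform-set L2TP-TS
"""
# Same excerpt with the 'mode transport' line from the final config.
AFTER = BEFORE.replace("esp-sha-hmac\n", "esp-sha-hmac\n\nmode transport\n")

# Four lines from the debug in the first post; the last one is unrelated L2TP output.
DEBUG = """\
Jul  2 16:00:01.808 CEST: ISAKMP:(0:13:HW:2): IPSec policy invalidated proposal
Jul  2 16:00:01.808 CEST: ISAKMP:(0:13:HW:2): phase 2 SA policy not acceptable! (local 212.xxx.xxx.xxx remote 80.xxx.xxx.xxx)
Jul  2 16:00:01.816 CEST: ISAKMP:(0:13:HW:2):deleting node -1463956874 error TRUE reason "QM rejected"
Jul  2 16:00:32.703 CEST: L2X: Parse SCCRQ
"""

if __name__ == "__main__":
    print("before:", triage(BEFORE, DEBUG))
    print("after: ", triage(AFTER, DEBUG))
```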

David Marquez Sat, 11/30/2013 - 17:23

Hi!

I'm new to CCNA Security and I would like to know: do you need to install an app on Android, like AnyConnect, or do you just use the VPN settings? My Android version is 2.3 and I want to connect to my Cisco 2800 router with the option "Add L2TP/IPSec PSK VPN" ... and I'm confused; I don't know what to do to make it run...


Can anyone help me?

Harald Singer Sun, 12/01/2013 - 05:56

Hi David,


you don't need an app. It just works with the built-in VPN settings.


Best regards


Harald

David Marquez Sun, 12/01/2013 - 22:03

Hi again. I'm using your guide and also this Cisco guide (http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/guide_c07-677829.html) to try to implement VPN remote access for my Android v2.3 mobile without installing the AnyConnect app,

but I didn't put in some steps. Here is my configuration. By the way, right now I don't have a router to implement it on. I will run this on GNS3, but I have some trouble with my laptop; if anyone can do this I'll appreciate it... Here is my configuration...





config ter
hostname Router_VPN
line con 0
logg syn
exit

! Step 1 - L2TP Settings
vpdn enable
vpdn-group test
accept-dialin
protocol l2tp
virtual-template 10
exit
exit

! Step 2 - ISAKMP Policy
crypto isakmp enable
crypto isakmp policy 10
authentication pre-share
encryption 3des
group 2
lifetime 86400
exit
crypto isakmp key 0 jajaja address 0.0.0.0 0.0.0.0

! Step 3 - Pool Address to client
ip local pool L2TP_test 172.16.1.1  172.16.1.20

! Step 4 - Username and Password for L2TP USER
username dav secret cisco

! Step 5 - Define Transform Set
crypto ipsec transform-set vpn_l2tp esp-3des esp-sha-hmac
mode transport
exit

! Step 6 - IPsec profile
crypto map vpn_l2tp 10 ipsec-isakmp profile test
  set transform-set vpn_l2tp
exit

! Step 7 - Virtual Template
interface virtual-template 10
ip unnumbered fastethernet 0/0
peer default ip address pool L2TP_test
ppp mtu adaptive
ppp authentication pap chap

interface fastethernet 0/0
no ip dhcp client request tftp-server-address
no shutdown
ip address dhcp
speed auto
duplex auto
crypto map vpn_l2tp
exit






Some questions:

1. Why do you use: no l2tp tunnel authentication

2. Why do you use:

   crypto keyring l2tpvpn
   pre-shared-key address 0.0.0.0 0.0.0.0 key test

2.1. if you have this:

   crypto isakmp key test address 0.0.0.0 0.0.0.0

3. What is this?

   set nat demux

4. Is my config good, or does it need something else?


Thanks for reading this...
