Windows L2TP to ASA5505 v8.2(3) - no traffic.

Unanswered Question
Aug 26th, 2010
User Badges:

I have been trying to setup a basic L2TP from Windows XP/2003 to an ASA. The basics are IKE:3DES/SHA and 3DES/MD5 Transport. I have a site to site that works just fine. But the remote access does not permit any traffic. I get this in the console log:


<165>:Aug 26 21:04:43 UTC: %ASA-vpn-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 1  Cfg'd: Group 2
<165>:Aug 26 21:04:43 UTC: %ASA-vpn-5-713119: Group = DefaultRAGroup, IP = 192.168.2.12, PHASE 1 COMPLETED
<165>:Aug 26 21:04:43 UTC: %ASA-vpn-5-713049: Group = DefaultRAGroup, IP = 192.168.2.12, Security negotiation complete for User ()  Responder, Inbound SPI = 0x38305055, Outbound SPI = 0x994814f5

<165>:Aug 26 21:04:43 UTC: %ASA-vpn-5-713120: Group = DefaultRAGroup, IP = 192.168.2.12, PHASE 2 COMPLETED (msgid=a8822ce4)
<165>:Aug 26 21:04:43 UTC: %ASA-ipaa-5-737003: IPAA: DHCP configured, no viable servers found for tunnel-group 'DefaultRAGroup'
<164>:Aug 26 21:04:47 UTC: %ASA-vpn-4-402116: IPSEC: Received an ESP packet (SPI= 0x38305055, sequence number= 0x1B) from 192.168.2.12 (user= sean) to 205.170.201.xxx. 
The decapsulated inner packet doesn't match the negotiated policy in the SA. 
The packet specifies its destination as 255.255.255.255, its source as 192.168.2.12, and its protocol as 17.  The SA specifies its local proxy as 205.170.201.xxx/255.255.255.255/17/42246
and its remote_proxy as 192.168.2.12/255.255.255.255/17/42246.


ASA5505(config)# <165>:Aug 26 21:04:51 UTC: %ASA-vpn-5-713041: IP = 63.xxx.xxx.xx, IKE Initiator: New Phase 1, Intf outside, IKE Peer 63.xx.xx.xxx local Proxy Address 192.168.101.0,
remote Proxy Address 0.0.0.0,  Crypto map (OUTSIDE_MAP)
ASA5505(config)#
<164>:Aug 26 21:07:22 UTC: %ASA-vpn-4-402116: IPSEC: Received an ESP packet (SPI= 0x38305055, sequence number= 0x8A) from 192.168.2.12 (user= sean) to 205.170.201.xxx. 
The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 74.125.47.125, its source as 192.168.2.12, and its protocol as 6. 
The SA specifies its local proxy as 205.170.201.187/255.255.255.255/17/42246 and its remote_proxy as 192.168.2.12/255.255.255.255/17/42246.


I have played around trying DES/SHA, DES/MD5, 3DES/SHA, 3DES/MD5, in both tunnel and transport. I have even added the following ACLs at different points.:

access-list REMOTE_SITE extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.192
access-list REMOTE_SITE extended permit ip 192.168.101.0 255.255.255.0 192.168.100.0 255.255.255.192


192.168.100.0 is the internal network, and 192.168.101.0 is the remote access.I think I can assume that the ACL here is not the problem as I have tried either or, and both with no effect.


As for the Windows client, I have tried selecting and de-selecting "use default gateway on remote network" in TCP/IP settings.I have selected and deselected compression and LCP extensions as well. Under the security tab I eventually settled on using Recommended settings with "Require Secure Password" and "Require data encryption" selected. Not much more I can do on the Windows side. Although I did try the advanced selecting different CHAP versions and whether to require encryption or not, etc..


It seems no matter what I try, I just can not get L2TP to work properly. Sure I can connect, but beyond that there is no access. I attached config and log. I should add that I also can not ping from behind the ASA to the remote client as well. Basically it seems no connection is allowed.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Yudong Wu Thu, 08/26/2010 - 22:41
User Badges:
  • Gold, 750 points or more

can you configure a new ACL for "crypto map OUTSIDE_MAP 20"? Currently, it is using ACL "REMOTE_SITE". But this ACL include your L2TP VPN traffic. "access-list REMOTE_SITE extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.192". Your new ACL should not have this entry.

Here is the example for L2tp-IPSec VPN.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml

Actions

This Discussion