l2tp-ipsec authenticating but not able to reach remote LAN while Cisco VPN Clients can

Sep 3rd, 2010

I have a strange problem. I have configured the ASA5510 to allow access to l2tp-ipsec clients and Cisco VPN clients to the same network after establishing connectivity. Cisco VPN clients are able to hit the remote servers but l2tp-ipsec clients are not. Both authenticate to the same IAS server.


L2TP commands:

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RAVPN_Split_Tunnel


tunnel-group DefaultRAGroup general-attributes
address-pool CARTVPN
authentication-server-group CART-RADIUS
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2


Cisco VPN Clients

group-policy DMZ-RA-VPN-GROUP internal
group-policy DMZ-RA-VPN-GROUP attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RAVPN_Split_Tunnel


tunnel-group DMZ-RA-VPN-GROUP type remote-access
tunnel-group DMZ-RA-VPN-GROUP general-attributes
address-pool CARTVPN
authentication-server-group CART-RADIUS
default-group-policy DMZ-RA-VPN-GROUP
tunnel-group DMZ-RA-VPN-GROUP ipsec-attributes
pre-shared-key *****

Jitendriya Athavale Fri, 09/03/2010 - 08:47

Remove PFS if it is configured for the L2TP transform set, as it does not support PFS.

Make the transform set transport mode for L2TP.

If the above doesn't work then try the following too:

Use AES in phase 1 and phase 2 instead of 3DES.

Jitendriya Athavale Fri, 09/03/2010 - 08:49

Forgot to mention one more thing.

Also please paste your IP pool for L2TP clients and your NAT statement; make sure that you have your NAT exempt right.

If possible paste your config.

Tshi M Fri, 09/03/2010 - 09:15

Both share the same ACL and it is exempt... below is the relevant config:


object-group network DMZ
network-object 192.168.24.0 255.255.254.0



object-group network RAS_Users
network-object 172.16.10.0 255.255.255.0


access-list RAVPN_Split_Tunnel standard permit 192.168.24.0 255.255.254.0
access-list nonat-traffic extended permit ip object-group DMZ object-group RAS_Users


ip local pool CARTVPN 172.16.10.1-172.16.10.254


nat (inside) 0 access-list nonat-traffic


crypto ipsec transform-set NJ1 esp-3des esp-md5-hmac
crypto ipsec transform-set CART-PPTP esp-3des esp-sha-hmac
crypto ipsec transform-set CART-PPTP mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 20 set transform-set CART-PPTP NJ1


crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400


crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

Tshi M Wed, 09/08/2010 - 06:05

Manually adding a static route to the workstation (PPTP VPN client) allows the user to access the remote LAN. I don't have to do this with the Cisco VPN Client.

Jitendriya Athavale Wed, 09/08/2010 - 07:10

What you need is:

crypto dynamic-map set reverse route

Try putting that:

crypto dynamic-map dynmap 20 set reverse route

Tshi M Wed, 09/08/2010 - 07:59

No luck. Below you will find the sh cryp isakmp sa and the sh vpn-sessiondb detail remote. As noted earlier, Cisco VPN Clients are just fine. The problem seems to only be with L2TP clients.


sh crypto isakmp sa


   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1


1   IKE Peer: 63.x.x.x
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_ACTIVE





sh vpn-sessiondb det remote


Session Type: IPsec Detailed


Username     : ciscovpntest           Index        : 273
Assigned IP  : 172.16.10.1            Public IP    : 63.x.x.x
Protocol     : IKE IPsecOverNatT L2TPOverIPsecOverNatT
License      : IPsec
Encryption   : 3DES                   Hashing      : MD5 SHA1
Bytes Tx     : 2519                   Bytes Rx     : 9410
Pkts Tx      : 49                     Pkts Rx      : 92
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : DefaultRAGroup         Tunnel Group : DefaultRAGroup
Login Time   : 10:25:40 EDT Wed Sep 8 2010
Duration     : 0h:28m:54s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none


IKE Tunnels: 1
IPsecOverNatT Tunnels: 1
L2TPOverIPsecOverNatT Tunnels: 1


IKE:
  Tunnel ID    : 273.1
  UDP Src Port : 43484                  UDP Dst Port : 4500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : MD5
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 27066 Seconds
  D/H Group    : 2
  Filter Name  :


IPsecOverNatT:
  Tunnel ID    : 273.2
  Local Addr   : 208.x.x.x/255.255.255.255/17/1701
  Remote Addr  : 63.x.x.x/255.255.255.255/17/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Transport
  Rekey Int (T): 3600 Seconds           Rekey Left(T): 1862 Seconds
  Rekey Int (D): 250000 K-Bytes         Rekey Left(D): 249991 K-Bytes
  Idle Time Out: 1440 Minutes           Idle TO Left : 1439 Minutes
  Bytes Tx     : 2519                   Bytes Rx     : 9410
  Pkts Tx      : 49                     Pkts Rx      : 92


L2TPOverIPsecOverNatT:
  Tunnel ID    : 273.3
  Username     : ciscovpntest
  Assigned IP  : 172.16.10.1            Public IP    : 63.x.x.x
  Encryption   : none                   Auth Mode    : msCHAPV2
  Idle Time Out: 1440 Minutes           Idle TO Left : 1435 Minutes
  Client OS    : Microsoft
  Client OS Ver: 5.0
  Bytes Tx     : 422                    Bytes Rx     : 6104
  Pkts Tx      : 16                     Pkts Rx      : 56


NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 1740 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :

Jitendriya Athavale Wed, 09/08/2010 - 08:33

I can see the packets sent and received; please paste the output of sh cry ips sa peer 63.x just to confirm this behaviour.

Also, since you are saying that adding static routes on the client fixes the issue, please paste route print from the cmd prompt on the client after connecting.

b.julin Wed, 09/08/2010 - 09:38

A) You don't have a tunnel-specified statement in the L2TP group, so the ASA may not push those.

B) L2TP clients will need a dhcp-intercept statement to do that as well.

C) It won't work anyway on Vista/Win7, since Microsoft discontinued support for pushing routes that way after XP.

The only way to get split tunneling working with a native L2TP client on Vista or Win7 is to have your pool in the same classful range as the network of the hosts they are trying to reach.

Some details on this mess are here:

http://www.abrij.org/~bri/hw/splitp.html
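As an added example (not from the thread or from Cisco), a short Python check of the classful-range point above: it derives the classful network a client that ignores pushed split-tunnel routes would route through the tunnel from its assigned pool address, and lists which split-tunnel destinations fall outside it. The pool and DMZ networks are the ones posted in this thread; the 192.168.24.0/24 pool in the usage section is a hypothetical alternative.

```python
import ipaddress

# Values posted in this thread: the L2TP address pool (CARTVPN) and the
# split-tunnel network (object-group DMZ) the clients are expected to reach.
POOL = "172.16.10.0/24"
SPLIT_TUNNEL_NETWORKS = ["192.168.24.0/23"]


def classful_network(addr):
    """Classful (class A/B/C) network containing addr: the route a client
    that ignores pushed split-tunnel networks installs for its assigned IP."""
    addr = ipaddress.ip_address(addr)
    if addr.version != 4:
        raise ValueError("classful routing only applies to IPv4")
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8      # class A
    elif first_octet < 192:
        prefix = 16     # class B
    elif first_octet < 224:
        prefix = 24     # class C
    else:
        raise ValueError(f"{addr} is not a class A/B/C unicast address")
    return ipaddress.ip_network((int(addr), prefix), strict=False)


def uncovered_destinations(pool, destinations):
    """Return the parts of each destination that the classful route implied
    by the pool does not reach, i.e. what still needs a static route."""
    pool = ipaddress.ip_network(pool)
    implied = classful_network(next(pool.hosts()))
    missing = []
    for dest in destinations:
        dest = ipaddress.ip_network(dest)
        if dest.subnet_of(implied):
            continue                               # fully reachable
        if implied.subnet_of(dest):                # only part of it reachable
            missing.extend(dest.address_exclude(implied))
        else:
            missing.append(dest)                   # none of it reachable
    return sorted(missing)


if __name__ == "__main__":
    # Pool 172.16.10.x implies 172.16.0.0/16, which does not contain the DMZ,
    # so the client needs the manual route described in this thread.
    print(uncovered_destinations(POOL, SPLIT_TUNNEL_NETWORKS))
    # Hypothetical pool carved from 192.168.24.0/24: the DMZ is a /23, so its
    # second half, 192.168.25.0/24, is still outside the classful route.
    print(uncovered_destinations("192.168.24.0/24", SPLIT_TUNNEL_NETWORKS))
```

The second case shows the limit of the workaround: a /23 DMZ spans two class C networks, so a pool in one of them only reaches half of it.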

Tshi M Wed, 09/08/2010 - 10:03

Hi,


Thanks for the reply.


a) I do have tunnelspecified in the default policy group:



L2TP commands:

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec l2tp-ipsec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RAVPN_Split_Tunnel


I actually thought of putting the pool in the same subnet but was reluctant to do so till I figure this thing out.

b.julin Wed, 09/08/2010 - 10:35

Sorry I read that config too fast... but still, try adding dhcp-intercept and test with an XP client.
