L2TP+ IPSec in 1811 12.4 - Phase 2 stops...

Unanswered Question
Sep 7th, 2010

Below is the config of my 1811. The IPSec tunnel works fine, but L2TP gets past Phase 1 and then has an error about the encryption mismatching (sorry, I didn't grab the exact error). I imagine it is one line or something that is preventing me from success... let me know...


version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco1811
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
!
resource policy
!
ip cef
!
ip address-pool local
vpdn enable
!
vpdn-group L2TP-LNS
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
username joe password 0 pass1
!
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 7200
crypto isakmp key 6 key123456 address 166.1.2.3 no-xauth
!
crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set L2TP-LNS esp-3des esp-md5-hmac
 mode transport
!
crypto map IPSEC 45 ipsec-isakmp
 set peer 166.1.2.3
 set security-association lifetime seconds 7200
 set transform-set L2TP-LNS
 set pfs group2
 match address 104
!
interface Loopback0
 no ip address
!
interface FastEthernet0
 ip address 64.1.2.3 255.255.255.0
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map IPSEC
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1
 ip unnumbered FastEthernet0
 peer default ip address pool L2TP-LNS-IP-POOL
 ppp authentication chap ms-chap
!
interface Vlan1
 ip address 192.168.111.1 255.255.255.0
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool L2TP-LNS-IP-POOL 192.168.1.55 192.168.1.56
no ip classless
ip route 0.0.0.0 0.0.0.0 64.1.2.3
ip route 192.168.17.0 255.255.255.0 166.1.2.3
ip route 192.168.72.0 255.255.255.0 166.1.2.3
!
no ip http server
no ip http secure-server
!
access-list 102 permit ip 192.168.111.0 0.0.0.255 192.168.72.0 0.0.0.255
access-list 103 permit ip 192.168.111.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 104 permit ip 192.168.111.0 0.0.0.255 192.168.13.0 0.0.0.255
!
control-plane
!
line con 0
 exec-timeout 90 0
 password enable
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 exec-timeout 90 0
 password enable
 login
 transport preferred none
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

Jitendriya Athavale Wed, 09/08/2010 - 07:30
User Badges: Cisco Employee

I have seen that happen in the past on Win 7 machines, and I changed the Phase 2 encryption parameters; try adding AES or DES in place of 3DES for Phase 2.

Also remove the PFS configuration; PFS is not supported on L2TP.

So try these:

remove PFS and try

change the encryption in the transform set and try

Also make sure that the username/password that you have are CHAP/MS-CHAP.

b.julin Wed, 09/08/2010 - 08:55
User Badges: Bronze, 100 points or more

I'm not sure much uses MD5 anymore that won't do SHA1 as well.

crypto ipsec transform-set L2TP-LNS1 esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set L2TP-LNS2 esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set L2TP-LNS3 esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set L2TP-LNS4 esp-aes 256 esp-sha-hmac
 mode transport

...

 no set transform-set L2TP-LNS
 set transform-set L2TP-LNS4 L2TP-LNS3 L2TP-LNS2 L2TP-LNS1

... should cover most of the bases
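Both replies point at the same two Phase 2 problems in the posted crypto map: the transform set it offers (3DES with MD5 HMAC) and the `set pfs group2` line, neither of which the L2TP client will necessarily agree to. The script below is an added example, not code from the thread or from Cisco: it parses the transform-set and crypto-map lines of an IOS configuration (the posted config, trimmed, is embedded as constructed input) and reports why an IPsec SA might fail to negotiate against a given list of client proposals. The function names, the `ASSUMED_CLIENT_PROPOSALS` list and the `LEGACY_TRANSFORMS` set are my own assumptions; the proposal list in particular is a parameter to confirm against your client, not a fact the thread establishes.

```python
"""
Audit a Cisco IOS IPsec configuration for Phase 2 (IPsec SA) negotiation
problems of the kind discussed in this thread: a crypto map whose transform
sets or PFS setting cannot match what the remote L2TP/IPsec client proposes.

Added example, not part of the original post. The parser covers only the IOS
commands that appear in the posted configuration, and the client proposal
list is an assumption supplied by the caller rather than read from a device.
"""
import re

# Trimmed copy of the configuration posted in the thread (constructed input;
# only the crypto-related lines are kept).
SAMPLE_CONFIG = """\
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 7200
!
crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec transform-set L2TP-LNS esp-3des esp-md5-hmac
 mode transport
!
crypto map IPSEC 45 ipsec-isakmp
 set peer 166.1.2.3
 set security-association lifetime seconds 7200
 set transform-set L2TP-LNS
 set pfs group2
 match address 104
"""

# Assumed proposals for a client offering 3DES or AES-128 with SHA-1 in
# transport mode and no PFS. This is a parameter, not a fact about any
# particular client: confirm it from the client's documentation or from a
# debug of a real negotiation before relying on the result.
ASSUMED_CLIENT_PROPOSALS = [
    {"encryption": "esp-3des", "integrity": "esp-sha-hmac", "mode": "transport", "pfs": False},
    {"encryption": "esp-aes 128", "integrity": "esp-sha-hmac", "mode": "transport", "pfs": False},
]

# Transforms worth flagging even when they negotiate (assumed policy choice).
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}


def parse_ios_crypto(config):
    """Return (transform_sets, crypto_maps) parsed from an IOS config string.

    transform_sets: name -> {"encryption", "integrity", "mode"}
    crypto_maps:    (map_name, seq) -> {"peer", "transform_sets", "pfs"}
    IOS prints sub-commands indented by one space; a transform set with no
    'mode' sub-command defaults to tunnel mode, and 'esp-aes' alone means 128.
    """
    transform_sets, crypto_maps, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = None
            m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
            if m:
                enc, integ = [], None
                for tok in m.group(2).split():
                    if tok.endswith("-hmac"):
                        integ = tok
                    else:
                        enc.append(tok)          # cipher plus optional key length
                if enc == ["esp-aes"]:
                    enc.append("128")
                current = transform_sets[m.group(1)] = {
                    "encryption": " ".join(enc), "integrity": integ, "mode": "tunnel"}
            m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line)
            if m:
                current = crypto_maps[(m.group(1), int(m.group(2)))] = {
                    "peer": None, "transform_sets": [], "pfs": None}
            continue
        if current is None:                      # sub-command of something we don't track
            continue
        parts = line.split()
        if parts[0] == "mode" and "encryption" in current:
            current["mode"] = parts[1]
        elif parts[:2] == ["set", "peer"]:
            current["peer"] = parts[2]
        elif parts[:2] == ["set", "transform-set"]:
            current["transform_sets"] = parts[2:]
        elif parts[:2] == ["set", "pfs"]:
            current["pfs"] = parts[2]
    return transform_sets, crypto_maps


def matches(ts, proposal):
    """True when a transform set and a peer proposal agree on cipher, integrity and mode."""
    return all(ts[k] == proposal[k] for k in ("encryption", "integrity", "mode"))


def audit_phase2(config, client_proposals):
    """Return a list of findings explaining why the IPsec SA may fail to negotiate."""
    transform_sets, crypto_maps = parse_ios_crypto(config)
    findings = []
    client_offers_pfs = any(p["pfs"] for p in client_proposals)
    for (name, seq), entry in crypto_maps.items():
        where = f"crypto map {name} {seq} (peer {entry['peer']})"
        # With 'set pfs' configured, IOS requires a PFS exchange from the peer
        # even when the peer initiates, so a client that never offers PFS fails here.
        if entry["pfs"] and not client_offers_pfs:
            findings.append(f"{where}: 'set pfs {entry['pfs']}' but the client does not offer PFS")
        offered = []
        for ts_name in entry["transform_sets"]:
            ts = transform_sets.get(ts_name)
            if ts is None:
                findings.append(f"{where}: transform-set {ts_name} is referenced but never defined")
                continue
            offered.append(ts)
            weak = LEGACY_TRANSFORMS & {ts["encryption"], ts["integrity"]}
            if weak:
                findings.append(f"{where}: transform-set {ts_name} uses legacy algorithms {sorted(weak)}")
        if not any(matches(ts, p) for ts in offered for p in client_proposals):
            findings.append(f"{where}: no transform-set matches any client proposal")
    return findings


if __name__ == "__main__":
    for finding in audit_phase2(SAMPLE_CONFIG, ASSUMED_CLIENT_PROPOSALS):
        print(finding)
```

Run against the posted configuration with the assumed proposal list, the script reports three findings for `crypto map IPSEC 45`: the PFS requirement, the legacy 3DES/MD5 transforms, and the absence of any matching transform set; removing `set pfs group2` and offering an AES or 3DES transform set with SHA HMAC in transport mode clears all of them. The proposal list is the weak point of any such audit, so confirm what the real client sends with `debug crypto isakmp` on the router during a connection attempt before treating the output as authoritative.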
