L2TP IPsec doesn't work on ASA 5510

Dec 22nd, 2010

Hey, I'm nearly going crazy.

I'm trying to set up an L2TP VPN connection on my ASA 5510 to connect with Android/Windows (native clients).

I'm using the newest Releases:

Cisco Adaptive Security Appliance Software Version 8.3(2)
Device Manager Version 6.3(5)

My ASA config, just the interesting part:


crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyno 10 set transform-set trans
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal

l2tp tunnel hello 100

group-policy sales_policy internal
group-policy sales_policy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec

tunnel-group DefaultRAGroup general-attributes
 address-pool client-pool
 default-group-policy sales_policy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****

If I try to connect with a Windows 7 client (NOT behind NAT), I get Error 691.

I see that Phase 1/2 are working with debug:

Dec 22 16:32:16 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 1 COMPLETED

Dec 22 16:51:25 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 2 COMPLETED (msgid=00000001)

Then I see this "Error":

Dec 22 16:51:26 [IKEv1]: Group = DefaultRAGroup, IP = XXXXX, Session is being torn down. Reason: L2TP initiated

I don't understand why it doesn't work....

I tried many templates from the net but nothing works.

Can someone give me some advice?

sasagcisco Wed, 12/22/2010 - 23:22

Hey Jennifer

I tried that also before with PAP authentication and also the nat-traversal, but I still get the same error:

Dec 23 08:19:25 [IKEv1]: Group = DefaultRAGroup, IP = 87.xxx, Session is being torn down. Reason: L2TP initiated

I reconfigured the whole VPN stuff from the reference config, but without the AAA and NAT settings, because I use local login and the IPs from the same subnet as attached to the inside interface.

tahequivoice Mon, 10/17/2011 - 18:08

Has anyone been able to resolve this? I have the exact same issue with a DroidX client.


righter_ch Mon, 10/17/2011 - 21:43

Yeah, I solved it.

The only problem was the wrong parameters for my usernames.

I had to use nt-encrypted at the end:

username righter password xyyz nt-encrypted.

After that it works.
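
Added example, not part of the original posts and not Cisco code: a small Python check that applies the fix reported above to a saved ASA configuration, listing local users whose `username` line lacks the `nt-encrypted` keyword while a group-policy allows `l2tp-ipsec`. The sample configuration, its user names and the `<hash>` placeholders are constructed, and accepting `mschap` (the keyword typed at the CLI) alongside `nt-encrypted` is an assumption beyond what the thread shows.

```python
# Constructed sample; user names and <hash> placeholders are made up.
SAMPLE_CONFIG = """\
group-policy sales_policy internal
group-policy sales_policy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 default-group-policy sales_policy
username alice password <hash> encrypted
username righter password <hash> nt-encrypted
username bob password <hash> encrypted privilege 15
"""

def audit(config):
    """Return L2TP-enabled group-policies and local users lacking an NT hash."""
    policy, l2tp_policies, users_to_fix = None, [], []
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue                     # skip blank lines and comments
        if words[0] == "group-policy" and words[-1] == "attributes":
            policy = words[1]            # sub-commands that follow belong here
        elif words[0] == "vpn-tunnel-protocol":
            if policy and "l2tp-ipsec" in words[1:]:
                l2tp_policies.append(policy)
        elif words[0] == "username" and len(words) >= 4 and words[2] == "password":
            # Keyword after the password: "mschap" when typed at the CLI
            # (assumption), "nt-encrypted" as shown in the thread.
            if not {"mschap", "nt-encrypted"} & set(words[4:]):
                users_to_fix.append(words[1])
        elif not raw[0].isspace():
            policy = None                # another top-level command ends the block
    if not l2tp_policies:
        users_to_fix = []                # nothing to flag when L2TP is not enabled
    return {"l2tp_policies": l2tp_policies, "users_to_fix": users_to_fix}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```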

tahequivoice Tue, 10/18/2011 - 06:14

Thanks, I will give this a try later. Don't have access to a Droid right now to test it, but went ahead and set up the user as described.


Posted December 22, 2010 at 7:57 AM