L2TP IPsec doesn't work on ASA 5510

Unanswered Question
Dec 22nd, 2010

Hey, I'm nearly going crazy.

I'm trying to set up an L2TP VPN connection on my ASA 5510 to connect with Android/Windows (native clients).

I'm using the newest Releases:

Cisco Adaptive Security Appliance Software Version 8.3(2)
Device Manager Version 6.3(5)

My ASA config, just the interesting part:

crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyno 10 set transform-set trans
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal

l2tp tunnel hello 100

group-policy sales_policy internal
group-policy sales_policy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec

tunnel-group DefaultRAGroup general-attributes
 address-pool client-pool
 default-group-policy sales_policy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****

If I try to connect with a Windows 7 client (NOT behind NAT) I get Error 691.

I see that Phase 1/2 are working with debug:

Dec 22 16:32:16 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 1 COMPLETED

Dec 22 16:51:25 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 2 COMPLETED (msgid=00000001)

Then I see this "Error":

Dec 22 16:51:26 [IKEv1]: Group = DefaultRAGroup, IP = XXXXX, Session is being torn down. Reason: L2TP initiated

I don't understand why it doesn't work....

I tried many templates from the net but nothing works.

Can someone give me some advice?

sasagcisco Wed, 12/22/2010 - 23:22

Hey Jennifer

I tried that also before with PAP authentication and also the nat-traversal, but I still get the same error:

Dec 23 08:19:25 [IKEv1]: Group = DefaultRAGroup, IP = 87.xxx, Session is being torn down. Reason: L2TP initiated

I reconfigured the whole VPN stuff from the reference config but without the AAA and NAT settings because I use local login and the IPs from the same subnet as attached to the inside interface.

tahequivoice Mon, 10/17/2011 - 18:08

Has anyone been able to resolve this? I have the exact same issue with a DroidX client.

Michael Richter Mon, 10/17/2011 - 21:43

Yeah, I solved it.

The only problem was the wrong parameters for my usernames.

I had to use nt-encrypted at the end:

username righter password xyyz nt-encrypted.

After that it works.

tahequivoice Tue, 10/18/2011 - 06:14

Thanks, I will give this a try later. Don't have access to a Droid right now to test it, but went ahead and set up the user as described.

Mouhamad Kias Wed, 01/20/2016 - 07:05

The below change worked for me.

tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 authentication ms-chap-v2

And added the user:

Username <name> password <passwd> mschap
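
As an added example (not code from the thread or from Cisco), a small Python check for the two settings the last replies changed: whether each local `username` line carries `mschap`/`nt-encrypted`, and which PPP authentication methods each tunnel-group enables. The sample config, user names and function names are constructed placeholders.

```python
import re

# Constructed sample in "show running-config" style; all names and hashes are placeholders.
SAMPLE_CONFIG = """\
username alice password AAAAAAAAAAAAAAAA encrypted
username bob password BBBBBBBBBBBBBBBB nt-encrypted
username carol password example-secret mschap
crypto isakmp policy 10
 authentication pre-share
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 no authentication chap
 authentication ms-chap-v2
"""

USER_RE = re.compile(r"username\s+(\S+)\s+password\s+\S+(?:\s+(\S+))?", re.I)
PPP_RE = re.compile(r"tunnel-group\s+(\S+)\s+ppp-attributes", re.I)
AUTH_RE = re.compile(r"(no\s+)?authentication\s+(\S+)", re.I)
NT_HASH_KEYWORDS = {"mschap", "nt-encrypted"}  # keywords named in the replies above

def audit(config):
    """Return (local users lacking an NT-hash password, {tunnel-group: enabled PPP methods})."""
    users_without_nt, ppp_methods, group = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()  # forum pastes often lose the sub-mode indentation
        auth = AUTH_RE.match(line)
        if auth and group:
            method = auth.group(2).lower()
            (ppp_methods[group].discard if auth.group(1) else ppp_methods[group].add)(method)
            continue
        group = None  # any other command leaves ppp-attributes mode
        ppp = PPP_RE.match(line)
        user = USER_RE.match(line)
        if ppp:
            group = ppp.group(1)
            ppp_methods.setdefault(group, set())
        elif user and (user.group(2) or "").lower() not in NT_HASH_KEYWORDS:
            users_without_nt.append(user.group(1))
    return users_without_nt, ppp_methods

def findings(config):
    """Human-readable findings for the two settings the thread changed."""
    users, ppp = audit(config)
    out = [f"user {u}: password not stored with mschap/nt-encrypted" for u in users]
    out += [f"tunnel-group {g}: PAP enabled" for g, m in sorted(ppp.items()) if "pap" in m]
    return out

if __name__ == "__main__":
    print("\n".join(findings(SAMPLE_CONFIG)))
```

Only methods that appear explicitly in the config are tracked; platform defaults that `show running-config` omits are not inferred.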

