L2TP IPsec doesn't work on ASA 5510

sasagcisco
Level 1

Hey, I'm nearly going crazy.

I'm trying to set up an L2TP VPN connection on my ASA 5510 to connect with Android/Windows (native clients).

I'm using the newest releases:

Cisco Adaptive Security Appliance Software Version 8.3(2)
Device Manager Version 6.3(5)

My ASA config, just the interesting part:


crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyno 10 set transform-set trans
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal


l2tp tunnel hello 100


group-policy sales_policy internal
group-policy sales_policy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec


tunnel-group DefaultRAGroup general-attributes
address-pool client-pool
default-group-policy sales_policy
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****

If I try to connect with a Windows 7 client (NOT behind NAT), I get Error 691.

With debug I see that Phase 1/2 are working:

Dec 22 16:32:16 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 1 COMPLETED

Dec 22 16:51:25 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 2 COMPLETED (msgid=00000001)

Then I see this "Error":

Dec 22 16:51:26 [IKEv1]: Group = DefaultRAGroup, IP = XXXXX, Session is being torn down. Reason: L2TP initiated

I don't understand why it doesn't work...

I tried many templates from the net but nothing works.

Can someone give me some advice?


Jennifer Halim
Cisco Employee

Seems to be missing the "ppp-attributes" from the configuration. Please kindly add "pap" as the authentication and test again.

I would also turn the NAT-T on: crypto isakmp nat-traversal 20

Here is the sample config for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml

Hey Jennifer

I tried that before as well, with PAP authentication and also the NAT traversal, but I still get the same error:

Dec 23 08:19:25 [IKEv1]: Group = DefaultRAGroup, IP = 87.xxx, Session is being torn down. Reason: L2TP initiated

I reconfigured the whole VPN stuff from the reference config, but without the AAA and NAT settings, because I use local login and IPs from the same subnet that is attached to the inside interface.

Has anyone been able to resolve this? I have the exact same issue with a DroidX client.

Sent from Cisco Technical Support iPad App

Yeah, I solved it.

The only problem was the wrong parameters for my usernames.

I had to use nt-encrypted at the end:

username righter password xyyz nt-encrypted

After that it works.

Thanks, I will give this a try later. Don't have access to a Droid right now to test it, but went ahead and set up the user as described.

Kias
Level 1

The below change worked for me.

tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
authentication ms-chap-v2

And added the user 

username <name> password <passwd> mschap

Kias
Fonicom Limited
raiseaticket Malta
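As an added example (not from this thread, and not Cisco's code), here is a small Python lint that reads an ASA running-config and flags the three problems the replies above converged on: no ppp-attributes block or no CHAP/MS-CHAP method on the tunnel-group, NAT-T disabled, and local users whose passwords are not stored as NT hashes. The sample config is constructed from the poster's snippet with the last reply's fix applied; the parser assumes ASA's one-space indentation of sub-commands.

```python
import re

# Constructed sample (not the thread's text verbatim): the poster's config with the
# ppp-attributes fix from the last reply applied, plus one user still lacking an NT hash.
SAMPLE_CONFIG = """\
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
no crypto isakmp nat-traversal
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 authentication ms-chap-v2
username righter password xyyz nt-encrypted
username alice password abc123 encrypted
"""
CHAP_METHODS = {"chap", "ms-chap-v1", "ms-chap-v2"}

def parse_blocks(config):
    """Group indented sub-commands under their parent line, ASA running-config style."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0] == " " and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def lint_l2tp(config, group="DefaultRAGroup"):
    """Return findings for the L2TP/IPsec failure modes walked through in this thread."""
    blocks, findings = parse_blocks(config), []
    ppp = blocks.get(f"tunnel-group {group} ppp-attributes")
    if ppp is None:
        findings.append(f"{group}: missing ppp-attributes block")
    elif not {l.split()[-1] for l in ppp if l.startswith("authentication ")} & CHAP_METHODS:
        findings.append(f"{group}: no CHAP/MS-CHAP method enabled")
    if "no crypto isakmp nat-traversal" in blocks:
        findings.append("NAT-T disabled; enable with 'crypto isakmp nat-traversal 20'")
    # MS-CHAP against the local user database needs an NT hash: configured with the
    # 'mschap' keyword, shown as 'nt-encrypted' in the running config.
    for line in blocks:
        m = re.match(r"username (\S+) password \S+(?: (\S+))?$", line)
        if m and m.group(2) not in ("nt-encrypted", "mschap"):
            findings.append(f"user {m.group(1)}: password not stored as NT hash (add 'mschap')")
    return findings
```

Running `lint_l2tp(SAMPLE_CONFIG)` reports the disabled NAT-T and the user `alice`; feeding it the poster's original snippet (no ppp-attributes block) reports that missing block instead.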