L2TP IPsec doesn't work on ASA 5510

sasagcisco
Level 1

Hey, I'm nearly going crazy.

I'm trying to set up an L2TP VPN connection on my ASA 5510 to connect with Android/Windows (native clients).

I'm using the newest releases:

Cisco Adaptive Security Appliance Software Version 8.3(2)
Device Manager Version 6.3(5)

My ASA config, just the interesting part:


crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyno 10 set transform-set trans
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal


l2tp tunnel hello 100


group-policy sales_policy internal
group-policy sales_policy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec


tunnel-group DefaultRAGroup general-attributes
address-pool client-pool
default-group-policy sales_policy
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****

If I try to connect with a Windows 7 client (NOT behind NAT) I get error 691.

I see that Phase 1/2 are working with debug:

Dec 22 16:32:16 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 1 COMPLETED

Dec 22 16:51:25 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 2 COMPLETED (msgid=00000001)

Then I see this "error":

Dec 22 16:51:26 [IKEv1]: Group = DefaultRAGroup, IP = XXXXX, Session is being torn down. Reason: L2TP initiated

I don't understand why it doesn't work...

I tried many templates from the net but nothing works.

Can someone give me some advice?

6 Replies

Jennifer Halim
Cisco Employee

Seems to be missing the "ppp-attributes" from the configuration. Please kindly add "pap" as the authentication and test again.

I would also turn the NAT-T on: crypto isakmp nat-traversal 20

Here is the sample config for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml

Hey Jennifer,

I tried that before as well, with PAP authentication and also with nat-traversal, but I still get the same error:

Dec 23 08:19:25 [IKEv1]: Group = DefaultRAGroup, IP = 87.xxx, Session is being torn down. Reason: L2TP initiated

I reconfigured the whole VPN stuff from the reference config, but without the AAA and NAT settings, because I use local login and the IPs are from the same subnet as attached to the inside interface.

Has anyone been able to resolve this? I have the exact same issue with a DroidX client.


Yeah, I solved it.

The only problem was the wrong parameters for my usernames.

I had to use nt-encrypted at the end:

username righter password xyyz nt-encrypted

After that it works.

Thanks, I will give this a try later. I don't have access to a Droid right now to test it, but I went ahead and set up the user as described.

Kias
Level 1

The below change worked for me.

tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
authentication ms-chap-v2

And added the user:

username <name> password <passwd> mschap
