L2TP on PIX Version 7

Answered Question
Jun 30th, 2011

Hello

I am trying to set up an L2TP VPN server on my PIX to replace a PPTP server running on a router.

I've followed a few guides (although most seem to be for 6.3.x) and used what limited knowledge I have of VPN config on a PIX, but I'm still coming up against some issues.

I have the debug details which I'm hoping someone can use to point me in the right direction.

Jun 30 11:38:54 [IKEv1]: IP = 84.93.217.110, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 180
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, processing ke payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, processing ISA_KE payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, processing nonce payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, constructing ke payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, constructing nonce payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, constructing Cisco Unity VID payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, constructing xauth V6 VID payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, Send IOS VID
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, constructing VID payload
Jun 30 11:38:54 [IKEv1 DEBUG]: IP = 84.93.217.110, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Jun 30 11:38:54 [IKEv1]: Group = 84.93.217.110, IP = 84.93.217.110, Can't find a valid tunnel group, aborting...!
Jun 30 11:38:54 [IKEv1 DEBUG]: Group = 84.93.217.110, IP = 84.93.217.110, IKE MM Responder FSM error history (struct &0x42ed788)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_BLD_MSG4, EV_GROUP_LOOKUP-->MM_BLD_MSG4, EV_TEST_CERT-->MM_BLD_MSG4, EV_BLD_MSG4-->MM_BLD_MSG4, EV_TEST_CRACK-->MM_BLD_MSG4, EV_SECRET_KEY_OK-->MM_BLD_MSG4, NullEvent-->MM_BLD_MSG4, EV_GEN_SECRET_KEY
Jun 30 11:38:54 [IKEv1 DEBUG]: Group = 84.93.217.110, IP = 84.93.217.110, IKE SA MM:87377a60 terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Jun 30 11:38:54 [IKEv1 DEBUG]: Group = 84.93.217.110, IP = 84.93.217.110, sending delete/delete with reason message
Jun 30 11:38:54 [IKEv1]: Group = 84.93.217.110, IP = 84.93.217.110, Removing peer from peer table failed, no match!
Jun 30 11:38:54 [IKEv1]: Group = 84.93.217.110, IP = 84.93.217.110, Error: Unable to remove PeerTblEntry

Here is my config:

crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TUN_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside-dyn-map 20 set transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map outside-dyn-map 30 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside-dyn-map 40 set transform-set TUN_ESP_3DES_SHA
crypto map outside-map 20 ipsec-isakmp dynamic outside-dyn-map
crypto map outside-map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800

...

group-policy VPN-Policy internal
group-policy VPN-Policy attributes
 wins-server value 10.0.1.250
 dns-server value 10.0.1.250
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value xxxx.co.uk
username xxxxxx password xxx nt-encrypted privilege 3
tunnel-group L2TP-VPN type ipsec-ra
tunnel-group L2TP-VPN general-attributes
 address-pool (Inside) L2TP-Pool
 authentication-server-group (Inside) LOCAL
 default-group-policy VPN-Policy
tunnel-group L2TP-VPN ipsec-attributes
 pre-shared-key *
tunnel-group L2TP-VPN ppp-attributes
 authentication ms-chap-v2

Thanks in advance

Paul

shilgupt Thu, 06/30/2011 - 09:30

Hi Paul,

In the case of L2TP over IPsec, you will not be able to connect to a specific tunnel-group. The connection will automatically fall on DefaultRAGroup.

So make sure that under DefaultRAGroup, vpn tunnel protocol l2tp-ipsec is enabled. Also please find the link below for reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml#pix

I hope it helps.

Thanks,

Shilpa

paulhughes5 Thu, 06/30/2011 - 23:19

Just to clarify, I'm not able to put any custom names in, both the tunnel-group and the group-policy need to be defaultRAGroup?

Is the rest of the config in the custom groups ok if I just move it to the default ones?

paulhughes5 Fri, 07/01/2011 - 01:30

This is the revised config. I haven't removed the old group yet. I have noticed I can't get tunnel-group DefaultRAGroup type ipsec-ra into the config, as it says it's not a valid command (yet it's in the config for the other group).

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 10.0.1.250
 dns-server value 10.0.1.250
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value hughesadp.co.uk
group-policy VPN-Policy internal
group-policy VPN-Policy attributes
 wins-server value 10.0.1.250
 dns-server value 10.0.1.250
 vpn-tunnel-protocol IPSec l2tp-ipsec
 default-domain value xxxx.co.uk
username xxxx password xxxx== nt-encrypted privilege 3
tunnel-group DefaultRAGroup general-attributes
 address-pool (Inside) L2TP-Pool
 authentication-server-group (Inside) LOCAL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group L2TP-VPN type ipsec-ra
tunnel-group L2TP-VPN general-attributes
 address-pool (Inside) L2TP-Pool
 authentication-server-group (Inside) LOCAL
 default-group-policy VPN-Policy
tunnel-group L2TP-VPN ipsec-attributes
 pre-shared-key *
tunnel-group L2TP-VPN ppp-attributes
 authentication ms-chap-v2

In the log now I get:

Jul 01 2011 06:09:27: %PIX-4-713903: Group = DefaultRAGroup, IP = , Freeing previously allocated memory for authorization-dn-attributes
Jul 01 2011 06:09:27: %PIX-5-713119: Group = DefaultRAGroup, IP = , PHASE 1 COMPLETED
Jul 01 2011 06:09:28: %PIX-3-713902: Group = DefaultRAGroup, IP = , QM FSM error (P2 struct &0x4313538, mess id 0xdaebabdc)!
Jul 01 2011 06:09:28: %PIX-3-713902: Group = DefaultRAGroup, IP = , Removing peer from correlator table failed, no match!
Jul 01 2011 06:09:28: %PIX-4-113019: Group = DefaultRAGroup, Username = , IP = PN-Mac, Session disconnected. Session Type: IPSec, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown

Debug seems to have this line in:

[IKEv1]: Group = DefaultRAGroup, IP = 84.93.217.110, peer is not authenticated by xauth - drop connection.

I've tried to follow

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solution21

but I'm not sure it's the right thing, as it's made no difference.

paulhughes5 Fri, 07/01/2011 - 06:18

Found another forum post from an ASA that said to enable NAT traversal, which I've done, and it seems to get a bit further.

I can see in the debug that phase 2 completes, but then I get:

[IKEv1]: Group = DefaultRAGroup, IP = 84.93.217.110, Connection terminated for peer .  Reason: Peer Terminate  Remote Proxy 84.93.217.110, Local Proxy 10.0.21.254
Jul 01 10:55:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 84.93.217.110, Active unit receives a delete event for remote peer PN-Mac.
Jul 01 10:55:34 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 84.93.217.110, IKE Deleting SA: Remote Proxy 84.93.217.110, Local Proxy 10.0.21.254

Any ideas?

luisram2 Fri, 07/01/2011 - 10:09

Hi Paul,

Depending on the client you are using, it could be failing because the hash is MD5; you should try to use SHA.

Also, the way you have configured your dynamic maps will break the normal VPN client connection if you are using one; you should try to change your dynamic maps to look like this:

crypto dynamic-map outside-dyn-map 10 set transform-set TRANS_ESP_3DES_SHA TUN_ESP_3DES_SHA

Using the two transform sets in the same line will ensure that both types of clients could work on the PIX.

Regards,

Luis Ramirez

paulhughes5 Fri, 07/01/2011 - 12:29

I was trying with a Macbook previously and now with a Windows 7 laptop.

I seem to get a different error with the Windows one, and it doesn't get past phase 1 this time.

ISAKMP Header
  Initiator COOKIE: e1 85 ab 03 b0 93 87 81
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 384
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 212
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 200
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 5
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Key Length: 256
        Hash Algorithm: SHA1
        Group Description: Unknown
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 70 80
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 2
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Key Length: 128
        Hash Algorithm: SHA1
        Group Description: Unknown
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 70 80
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 40
        Transform #: 3
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: AES-CBC
        Key Length: 256
        Hash Algorithm: SHA1
        Group Description: Unknown
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 70 80
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 4
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Group Description: Unknown
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 70 80
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 5
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 00 70 80
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      1e 2b 51 69 05 99 1c 7d 7c 96 fc bf b5 87 e4 61
      00 00 00 08
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      fb 1d e3 cd f3 41 b7 ea 16 b7 e5 be 08 55 f1 20
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      26 24 4d 38 ed db 61 b3 17 2a 36 e3 d0 cf b8 19
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      e3 a5 96 6a 76 37 9f e7 07 22 82 31 e5 ce 86 52
Jul 01 17:10:15 [IKEv1]: IP = 46.69.90.135, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 384
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, processing SA payload
Jul 01 17:10:15 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Jul 01 17:10:15 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Jul 01 17:10:15 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Jul 01 17:10:15 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, Oakley proposal is acceptable
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, processing VID payload
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, processing VID payload
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, Received NAT-Traversal RFC VID
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, processing VID payload
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, Received NAT-Traversal ver 02 VID
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, processing VID payload
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, Received Fragmentation VID
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, processing VID payload
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, processing VID payload
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, processing VID payload
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, processing IKE SA payload
Jul 01 17:10:15 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Jul 01 17:10:15 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Jul 01 17:10:15 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Jul 01 17:10:15 [IKEv1]: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Unknown  Cfg'd: Group 2
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, IKE SA Proposal # 1, Transform # 5 acceptable  Matches global IKE entry # 4
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, constructing ISAKMP SA payload
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, constructing NAT-Traversal VID ver 02 payload
Jul 01 17:10:15 [IKEv1 DEBUG]: IP = 46.69.90.135, constructing Fragmentation VID + extended capabilities payload
Jul 01 17:10:15 [IKEv1]: IP = 46.69.90.135, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 124
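To see how the PIX arrives at the "Mismatched attribute types ... Group Description" lines and the "Transform # 5 acceptable" verdict in the debug above, here is an added example (not from the thread or from Cisco) that decodes IKEv1 Transform payloads and checks them against the thread's two ISAKMP policies. The DH group numbers assigned to the first four transforms are assumed, since the capture only shows them as "Unknown".

```python
# Added example, not from the thread: decode the Transform payloads of an IKEv1 main-mode
# SA proposal and test them against configured ISAKMP policies the way the PIX debug does.
import struct
# RFC 2409 Appendix A identifiers (only those the thread's capture uses)
ENC, HASH, AUTH = {5: "3des", 7: "aes"}, {1: "md5", 2: "sha"}, {1: "pre-share"}
GROUP = {1: "group1", 2: "group2", 5: "group5"}       # MODP groups a PIX 7.2 understands
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP, ATTR_LIFE_TYPE, ATTR_LIFE_DUR, ATTR_KEYLEN = 1, 2, 3, 4, 11, 12, 14

def parse_attributes(data):
    """Decode ISAKMP data attributes (RFC 2408 3.3): TV if the high bit is set, else TLV."""
    attrs, off = {}, 0
    while off < len(data):
        t, v = struct.unpack_from("!HH", data, off)
        off += 4
        if t & 0x8000:                          # TV: the 2-byte value is inline
            attrs[t & 0x7FFF] = v
        else:                                   # TLV: v is the length of the value that follows
            attrs[t] = int.from_bytes(data[off:off + v], "big")
            off += v
    return attrs

def parse_transforms(proposal_body):
    """Walk the chain of Transform payloads that follows a Proposal payload header."""
    transforms, off = [], 0
    while True:
        next_p, _, length, num, _tid, _ = struct.unpack_from("!BBHBBH", proposal_body, off)
        transforms.append((num, parse_attributes(proposal_body[off + 8:off + length])))
        if next_p == 0:                         # Next Payload: None ends the chain
            return transforms
        off += length

def check_transform(attrs, policy):
    """Return the PIX-style mismatch line for the first attribute that fails, else None."""
    checks = [("Group Description", GROUP.get(attrs.get(ATTR_GROUP), "Unknown"), policy["group"]),
              ("Encryption Algorithm", ENC.get(attrs.get(ATTR_ENC)), policy["encryption"]),
              ("Hash Algorithm", HASH.get(attrs.get(ATTR_HASH)), policy["hash"]),
              ("Authentication Method", AUTH.get(attrs.get(ATTR_AUTH)), policy["authentication"])]
    for name, rcvd, cfgd in checks:
        if rcvd != cfgd:
            return f"Mismatched attribute types for class {name}: Rcv'd: {rcvd} Cfg'd: {cfgd}"
    return None

def evaluate_proposal(proposal_body, policies):
    """Return (log lines, (transform #, policy priority) of the first acceptable pair or None)."""
    log = []
    for num, attrs in parse_transforms(proposal_body):
        for prio, pol in sorted(policies.items()):
            problem = check_transform(attrs, pol)
            if problem is None:
                log.append(f"Transform # {num} acceptable, matches isakmp policy {prio}")
                return log, (num, prio)
            log.append(f"Transform # {num} vs policy {prio}: {problem}")
    return log, None

def build_transform(num, enc, group, keylen=None, last=False):
    """Encode a KEY_IKE Transform payload as the client does: TV attributes plus a 4-byte TLV
    Life Duration (00 00 70 80 = 28800 s), which gives the 40/36-byte lengths in the capture."""
    tv = [(ATTR_ENC, enc)] + ([(ATTR_KEYLEN, keylen)] if keylen else []) + \
         [(ATTR_HASH, 2), (ATTR_GROUP, group), (ATTR_AUTH, 1), (ATTR_LIFE_TYPE, 1)]
    body = b"".join(struct.pack("!HH", 0x8000 | t, v) for t, v in tv)
    body += struct.pack("!HHI", ATTR_LIFE_DUR, 4, 28800)
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(body), num, 1, 0) + body

# Constructed stand-in for the Windows 7 proposal above (DH groups 20/19/14 are assumed; the
# capture only shows them as "Unknown") and the two ISAKMP policies from the thread's config.
PIX_POLICIES = {5: dict(authentication="pre-share", encryption="3des", hash="md5", group="group2"),
                10: dict(authentication="pre-share", encryption="3des", hash="sha", group="group2")}
WIN7_PROPOSAL = b"".join([build_transform(1, 7, 20, 256), build_transform(2, 7, 19, 128),
                          build_transform(3, 7, 14, 256), build_transform(4, 5, 14),
                          build_transform(5, 5, 2, last=True)])
```

Running `evaluate_proposal(WIN7_PROPOSAL, PIX_POLICIES)` reports a Group Description mismatch for transforms 1 to 4 against both policies, a Hash Algorithm mismatch for transform 5 against policy 5, and then accepts transform 5 against policy 10, so phase 1 is not where this client gets stuck.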

luisram2 Fri, 07/01/2011 - 13:25

Hi Paul

Could you please add your current configuration?

Regards,

Luis Ramirez

paulhughes5 Fri, 07/01/2011 - 13:33

Sure:

interface Ethernet0
 nameif Outside
 security-level 0
 ip address 10.0.21.254 255.255.255.0
!
interface Ethernet1
 nameif Inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup Inside
dns server-group DefaultDNS
 name-server Hermes
object-group network PN-Allowed
 network-object host PN-Linux
 network-object host PN-Mac
access-list acl-inside-in extended permit ip any any
access-list acl-outside-in remark *Allow 21 Network*
access-list acl-outside-in extended permit ip host Gateway any
access-list acl-outside-in remark *Allow Access to Hermes Services*
access-list acl-outside-in extended permit tcp any host Hermes eq www
access-list acl-outside-in extended permit tcp any host Hermes eq https
access-list acl-outside-in extended permit tcp object-group PN-Allowed host Hermes eq 3389
access-list acl-outside-in extended permit tcp any host Hermes eq ftp
access-list acl-outside-in extended permit tcp any host Hermes eq 4158
access-list acl-outside-in extended permit icmp any any echo-reply
access-list acl-outside-in extended permit icmp any any traceroute
access-list acl-outside-in extended permit icmp any any unreachable
access-list acl-outside-in remark *Deny All*
access-list acl-outside-in extended deny ip any any log
pager lines 24
logging enable
logging timestamp
logging buffered notifications
logging trap notifications
logging host Inside Hermes
mtu Outside 1500
mtu Inside 1500
ip local pool L2TP-Pool 10.0.1.48-10.0.1.63 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit host Gateway Outside
icmp permit any Inside
no asdm history enable
arp timeout 14400
static (Outside,Inside) 10.0.21.0 10.0.21.0 netmask 255.255.255.0
static (Inside,Outside) 10.0.1.0 10.0.1.0 netmask 255.255.255.0
no threat-detection statistics tcp-intercept
access-group acl-outside-in in interface Outside
access-group acl-inside-in in interface Inside
route Outside 0.0.0.0 0.0.0.0 Gateway 1
!
router rip
 network 10.0.0.0
 redistribute connected
 version 2
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TUN_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside-dyn-map 20 set transform-set TRANS_ESP_3DES_MD5
crypto dynamic-map outside-dyn-map 30 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside-dyn-map 40 set transform-set TUN_ESP_3DES_SHA
crypto map outside-map 20 ipsec-isakmp dynamic outside-dyn-map
crypto map outside-map interface Outside
crypto isakmp enable Outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp nat-traversal 20
telnet timeout 5
ssh PN-Mac 255.255.255.255 Outside
ssh 10.0.1.0 255.255.255.0 Inside
ssh timeout 60
console timeout 0
ntp server 212.159.13.49 source Inside prefer
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 10.0.1.250
 dns-server value 10.0.1.250
 vpn-tunnel-protocol IPSec l2tp-ipsec
username xxxxx password xxxxx encrypted
username xxxxx attributes
 vpn-tunnel-protocol l2tp-ipsec
username xxxxxx password xxxxx encrypted privilege 15
username xxxxxx password xxxxx nt-encrypted privilege 3
username xxxxxx attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool (Inside) L2TP-Pool
 authentication-server-group (Inside) LOCAL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 620
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!

luisram2 Fri, 07/01/2011 - 13:49

Hi Paul

Thanks for the configuration; I can see you did not apply the changes I suggested, but I can also see that your PIX is behind a NAT device, as it has a private IP address on the outside. Due to a Microsoft limitation, the L2TP connection will not work.

There is a bug for this issue; you can find more information at this link:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCse50772

paulhughes5 Fri, 07/01/2011 - 13:57

Hi.

Sorry I did apply the changes you suggested but it didn't make any difference so I reverted back just to be sure that wasn't the cause of the different message I was seeing on Windows vs Mac.

The bug says fixed in 7.2(2) and I'm running 7.2(4), should this not be sorted in that release or is it not something easily fixed?

I'd like to hope there is a version where it functions, as removing the NAT isn't something I'm going to be able to do unless I can get additional IPs from the ISP (which I doubt).

Correct Answer
luisram2 Fri, 07/01/2011 - 14:18

Hi Paul

I do recommend that you use the dynamic maps the way I was suggesting, as this is the right way to configure them on the ASA.

By default Microsoft Windows does not support L2TP connections to servers behind NAT; this is a Microsoft limitation, not a limitation of the ASA or any Cisco device. At the following links you can find more information on how to modify the Windows registry so it can connect to a server behind NAT. Because changing the registry is dangerous for the computer, this has to be done at your own risk:

http://support.microsoft.com/kb/926179
http://support.microsoft.com/kb/818043/

paulhughes5 Sat, 07/02/2011 - 13:33

Ah right.  Good old MS.

Thanks for your help. I'll have to come up with another solution; even if the reg edit works, it's a bit of a pain to do it on every PC I need to VPN in from.

Posted June 30, 2011 at 7:36 AM
Tags: ipsec, pix_7.x, l2tp