VPN - IKEv1 - Session is being torn down. Reason: L2TP initiated

Unanswered Question
Dec 11th, 2012

Hi guys,

I am trying to configure my ASA 5520 to allow internal staff to work from remote via VPN. I need them to authenticate via Radius to MYCOMPANY-DC1 and allow them to access only if they are part of the Windows group VPNusers.

Using the VPN wizard I've created the (purged) configuration below. Now when I try to connect, the debug returns the following error.

Dec 12 02:57:28 [IKEv1]: Group = DefaultRAGroup, IP = 120.156.45.246, Session is being torn down. Reason: L2TP initiated

I haven't found where to define the name of the Windows group the users have to be part of in order to be granted access, and I guess that this missing configuration is the cause of the problem. Can you please tell me where the error is in my config and where I have to add the missing configuration?

object-group network DM_INLINE_NETWORK_5
 network-object LAN-network 255.255.0.0
access-list INTERNAL_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_5 172.16.4.0 255.255.255.128
aaa-server windows_DC protocol radius
aaa-server windows_DC (INTERNAL) host MYCOMPANY-DC1
 timeout 5
 key *****
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map OUTSIDE_map interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 172.16.0.4 8.8.8.8
 dns-server value 172.16.0.4 8.8.8.8
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 default-domain value mycompanycorp.com.au
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_Cisco_Pool
 authentication-server-group windows_DC
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 authentication pap
 authentication ms-chap-v2
 authentication eap-proxy

On the Windows Server side, I have the following event:

User myuser was denied access.
Fully-Qualified-User-Name = myuser
NAS-IP-Address = 172.16.1.1
NAS-Identifier = <not present>
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = ASA5520
Client-IP-Address = 172.16.1.1
NAS-Port-Type = Virtual
NAS-Port = 94208
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = MS-CHAPv2
EAP-Type = <undetermined>
Reason-Code = 48
Reason = The connection attempt did not match any remote access policy.

Thanks,

Dario Vanin
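As an added example (not from this thread or from Cisco/Microsoft), a small parser for the NPS/IAS denial event in the format quoted above: it pulls out the request attributes and, for Reason-Code 48, lists what the Windows-side policy has to match for this client, since the Windows group condition lives in that policy rather than in the ASA configuration. The sample event is constructed to mirror the one in the question.

```python
import re
from typing import Dict, List

# Constructed sample: same layout as the NPS denial event quoted in the question.
SAMPLE_EVENT = """User myuser was denied access.
Fully-Qualified-User-Name = myuser
NAS-IP-Address = 172.16.1.1
NAS-Identifier = <not present>
Client-Friendly-Name = ASA5520
Client-IP-Address = 172.16.1.1
NAS-Port-Type = Virtual
NAS-Port = 94208
Policy-Name = <undetermined>
Authentication-Type = MS-CHAPv2
Reason-Code = 48
Reason = The connection attempt did not match any remote access policy.
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")

def parse_nps_event(text: str) -> Dict[str, str]:
    """Turn 'Name = value' lines into a dict; <not present>/<undetermined> become ''."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # free-text lines such as 'User ... was denied access.'
        value = m.group(2)
        fields[m.group(1)] = "" if value.startswith("<") and value.endswith(">") else value
    return fields

def policy_checklist(fields: Dict[str, str]) -> List[str]:
    """For Reason-Code 48 (no policy matched) list the request attributes an NPS
    network policy must accept; the Windows Groups condition is checked there too."""
    if fields.get("Reason-Code") != "48":
        return [f"Reason-Code {fields.get('Reason-Code', '?')}: not a policy-match failure; see the Reason line"]
    items: List[str] = []
    if fields.get("Policy-Name") == "":
        items.append("no network policy matched: put the Windows Groups condition (e.g. VPNusers) in an enabled policy on the server, not on the ASA")
    if fields.get("NAS-Port-Type"):
        items.append(f"the policy's NAS Port Type condition must include '{fields['NAS-Port-Type']}'")
    if fields.get("Authentication-Type"):
        items.append(f"the policy must allow the authentication method '{fields['Authentication-Type']}'")
    return items

if __name__ == "__main__":
    for item in policy_checklist(parse_nps_event(SAMPLE_EVENT)):
        print("-", item)
```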

Dario Francesco... Wed, 06/25/2014 - 17:52

Unfortunately I did not manage Windows Server, so I can't help you on that.

The ASA was correctly configured and the problem was on the Windows policies.

Posted December 11, 2012 at 7:24 PM
Updated December 11, 2012 at 7:41 PM