12-22-2010 07:57 AM - edited 03-11-2019 12:26 PM
Hey, I'm nearly going crazy.
I'm trying to setup a L2TP VPN Connection on my ASA 5510 to connect with Android/Windows (Native Clients).
I'm using the newest Releases:
Cisco Adaptive Security Appliance Software Version 8.3(2)
Device Manager Version 6.3(5)
My ASA config, just the interesting part:
crypto ipsec transform-set trans esp-3des esp-sha-hmac
crypto ipsec transform-set trans mode transport
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyno 10 set transform-set trans
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
l2tp tunnel hello 100
group-policy sales_policy internal
group-policy sales_policy attributes
 vpn-tunnel-protocol IPSec l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 address-pool client-pool
 default-group-policy sales_policy
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
If I try to connect with a Windows 7 client (NOT behind NAT) I get Error 691.
I see that Phase 1/2 are working with debug:
Dec 22 16:32:16 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 1 COMPLETED
Dec 22 16:51:25 [IKEv1]: Group = DefaultRAGroup, IP = XXXXXX, PHASE 2 COMPLETED (msgid=00000001)
Then I see this "Error":
Dec 22 16:51:26 [IKEv1]: Group = DefaultRAGroup, IP = XXXXX, Session is being torn down. Reason: L2TP initiated
I don't understand why it doesn't work....
I tried many templates from the net but nothing works.
Can someone give me some advice?
12-22-2010 04:43 PM
Seems to be missing the "ppp-attributes" from the configuration. Please kindly add "pap" as the authentication and test again.
I would also turn the NAT-T on: crypto isakmp nat-traversal 20
Here is the sample config for your reference:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807213a7.shtml
12-22-2010 11:22 PM
Hey Jennifer
I tried that before as well, with pap authentication and also the nat-traversal, but I still get the same error:
Dec 23 08:19:25 [IKEv1]: Group = DefaultRAGroup, IP = 87.xxx, Session is being torn down. Reason: L2TP initiated
I reconfigured the whole VPN setup from the reference config, but without the AAA and NAT settings, because I use local login and the IPs are from the same subnet as the one attached to the inside interface.
10-17-2011 06:08 PM
Has anyone been able to resolve this? I have the exact same issue with a DroidX client.
10-17-2011 09:43 PM
Yeah, I solved it.
The only problem was the wrong parameters for my usernames.
I had to use nt-encrypted at the end:
username righter password xyyz nt-encrypted
After that it works.
10-18-2011 06:14 AM
Thanks, I will give this a try later. Don't have access to a Droid right now to test it, but went ahead and set up the user as described.
01-20-2016 07:05 AM
The below change worked for me.
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 authentication ms-chap-v2
And added the user
Username <name> password <passwd> mschap
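Added example (not from any poster in this thread, and not Cisco tooling): a small Python check for the mismatch the thread ends on, where a tunnel group offers MS-CHAP but a local user was not created with the `mschap` keyword (stored as `nt-encrypted` in the running config). It assumes `show running-config` output with sub-mode lines indented by one space; the sample config, usernames and hashes are constructed.

```python
import re

# Constructed sample in `show running-config` layout; names and hashes are placeholders.
SAMPLE = """\
username alice password AAAAAAAAAAAAAAAA encrypted
username bob password BBBBBBBBBBBBBBBBBBBBBBBB nt-encrypted
tunnel-group DefaultRAGroup general-attributes
 address-pool client-pool
tunnel-group DefaultRAGroup ppp-attributes
 no authentication pap
 authentication chap
 authentication ms-chap-v1
 authentication ms-chap-v2
"""

MSCHAP = {"ms-chap-v1", "ms-chap-v2"}

def ppp_methods(config):
    """Map tunnel-group name -> PPP methods explicitly enabled under ppp-attributes."""
    groups, current = {}, None
    for line in config.splitlines():
        header = re.match(r"tunnel-group (\S+) ppp-attributes\s*$", line)
        if header:
            current = groups.setdefault(header.group(1), set())
        elif not line.startswith(" "):
            current = None  # any other top-level line leaves the sub-mode
        elif current is not None:
            auth = re.match(r"\s+(no )?authentication (\S+)", line)
            if auth and auth.group(1):
                current.discard(auth.group(2))
            elif auth:
                current.add(auth.group(2))
    return groups

def users_without_nt_hash(config):
    """Local users whose password line lacks the mschap / nt-encrypted keyword."""
    missing = []
    for line in config.splitlines():
        user = re.match(r"username (\S+) password \S+(?: (\S+))?", line)
        if user and user.group(2) not in ("mschap", "nt-encrypted"):
            missing.append(user.group(1))
    return missing

def audit(config):
    """(tunnel-group, user) pairs where MS-CHAP is offered but the user has no NT hash."""
    missing = users_without_nt_hash(config)
    return [(group, user) for group, methods in ppp_methods(config).items()
            if methods & MSCHAP for user in missing]
```

Calling `audit(SAMPLE)` lists `alice` under `DefaultRAGroup`; a user reported this way has to be re-entered with the `mschap` keyword before an MS-CHAP login against the local database can succeed.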