PIX L2TP/IPSEC VPN

alraycisco
Level 1

Hi,

I have configured a PIX, running v803 software, to allow L2TP/IPSEC VPN connections using the Windows VPN client. It was working fine for a while. However, now clients can no longer connect. Now in the debugs I get 'No valid authentication type found for the tunnel group'. If I look on the RADIUS server (Windows Server running IAS) I see no authentication attempts. The output of the debug is attached.

My config is:

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map vpnmap_dynmap 40 set transform-set ESP-3DES-SHA
    crypto map vpnmap 65535 ipsec-isakmp dynamic vpnmap_dynmap
    crypto map vpnmap interface outside2
    crypto isakmp identity address
    crypto isakmp enable outside2
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
     wins-server value 172.22.x.x
     dns-server value 172.22.x.x
    group-policy DefaultRAGrpup internal
    aaa-server AUTHSERVER protocol radius
    aaa-server AUTHSERVER host server
     key ************
    tunnel-group DefaultRAGroup general-attributes
     authentication-server-group AUTHSERVER
     default-group-policy DefaultRAGroup
     dhcp-server dc1
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *
     isakmp ikev1-user-authentication (outside2) none
    tunnel-group DefaultRAGroup ppp-attributes
     no authentication ms-chap-v1
     authentication ms-chap-v2
    crypto isakmp identity address
    crypto isakmp enable outside2
    crypto isakmp policy 5
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 10
     authentication pre-share
     encryption des
     hash md5
     group 1
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 28800
    crypto isakmp policy 40
     authentication pre-share
     encryption des
     hash md5
     group 2
     lifetime 86400
    crypto isakmp policy 60
     authentication pre-share
     encryption 3des
     hash md5
     group 1
     lifetime 86400
    crypto isakmp policy 80
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 65535
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal 30

Any help would be greatly appreciated.

Thanks

3 Replies

Marwan ALshawi
VIP Alumni

Try to add the following command to your config:

    group-policy DefaultRAGroup attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec

Since the Windows 2000 L2TP/IPsec client uses IPsec transport mode, set the mode to transport. The default is tunnel mode.

    crypto ipsec transform-set ESP-3DES-SHA mode transport

Also make sure the configuration of your client is right.

Also, from your PIX, try to test the authentication with Windows IAS through the command. I am not sure, but it should be something like

    test authentication aaa

or test aaa, and try with ? to find out the right command.

In this case you can make sure the authentication is passing from the PIX to the Windows box.

Good luck

please, if helpful rate

Hi, I have made the changes as above:

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA mode transport
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
     vpn-tunnel-protocol IPsec l2tp-ipsec

Also, the aaa-server authentication test came back successful. However, I still have the same problem.

Thanks

Have a look at this example config link; it should be helpful:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml

These config steps are also useful:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html

And let me know if it worked.

please, if helpful rate
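
As an added example (not code from this thread or from Cisco), the Python script below checks a saved running-config for the two settings suggested in the first reply: `mode transport` on the transform set used by the dynamic map, and `l2tp-ipsec` in the `vpn-tunnel-protocol` of the tunnel group's default group policy. The function name `check_l2tp_settings` and the sample text are constructed here, and the script assumes the config keeps the device's indentation for sub-commands.

```python
import re

# Constructed sample: the relevant lines of the configuration from the first
# post, laid out with the one-space indentation a running-config uses.
BEFORE = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map vpnmap_dynmap 40 set transform-set ESP-3DES-SHA
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 172.22.x.x
tunnel-group DefaultRAGroup general-attributes
 default-group-policy DefaultRAGroup
"""
# The same sample with the two changes from the reply applied.
AFTER = BEFORE.replace(" wins-server", " vpn-tunnel-protocol IPSec l2tp-ipsec\n wins-server") \
    + "crypto ipsec transform-set ESP-3DES-SHA mode transport\n"

def check_l2tp_settings(config, tunnel_group="DefaultRAGroup"):
    """Return a list of findings; an empty list means both settings are present."""
    findings = []
    # 1. Transform sets referenced by a dynamic map must be in transport mode.
    used = set()
    for m in re.finditer(r"^crypto dynamic-map \S+ \d+ set transform-set (.+)$", config, re.M):
        used.update(m.group(1).split())
    transport = set(re.findall(r"^crypto ipsec transform-set (\S+) mode transport\s*$", config, re.M))
    findings += [f"transform-set {n}: mode transport not set" for n in sorted(used - transport)]
    # 2. The tunnel group's default group policy must list l2tp-ipsec.
    section, policy, protocols = "", None, {}
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line[0].isspace():          # unindented line starts a new section
            section = " ".join(words)
        elif section == f"tunnel-group {tunnel_group} general-attributes":
            if words[0] == "default-group-policy" and len(words) > 1:
                policy = words[1]
        elif section.startswith("group-policy ") and section.endswith(" attributes"):
            if words[0] == "vpn-tunnel-protocol":
                protocols[section.split()[1]] = {w.lower() for w in words[1:]}
    if policy is None:
        findings.append(f"tunnel-group {tunnel_group}: no default-group-policy found")
    elif "l2tp-ipsec" not in protocols.get(policy, set()):
        findings.append(f"group-policy {policy}: vpn-tunnel-protocol lacks l2tp-ipsec")
    return findings

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, check_l2tp_settings(cfg) or "OK")
```

An empty result only confirms that these two settings are present; it does not cover the PPP or RADIUS side of the tunnel group.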
