New Member

Remote access VPN over UDP transport

Hi folks,

I have a Cisco ASA-5505 running 8.2(1), and I'm trying to configure it for remote access VPN
connections using L2TP over IPsec.  It completes Phase 1 with no problem.  Then it picks up
the correct dynamic crypto-map, but fails to negotiate an IPsec SA:

Jan 20 18:29:38 [IKEv1]: Group = DefaultRAGroup, IP = x, PHASE 1 COMPLETED
Jan 20 18:29:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x, processing IPSec SA payload
Jan 20 18:29:39 [IKEv1]: Group = DefaultRAGroup, IP = x, IKE Remote Peer configured for crypto map: x-VPN
Jan 20 18:29:39 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: Transport
Jan 20 18:29:39 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: Transport
Jan 20 18:29:39 [IKEv1]: Group = DefaultRAGroup, IP = x, All IPSec SA proposals found unacceptable!

So the problem seems to be that the VPN client is requesting UDP transport, but the ASA will not accept it.

Please would someone have a look at these snippets of config and tell me if there's something
I've missed?

crypto isakmp policy 119
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set TRANSPORT_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANSPORT_ESP_3DES_SHA mode transport

crypto dynamic-map x-VPN 10 set transform-set TRANSPORT_ESP_3DES_SHA
crypto dynamic-map x-VPN 10 set nat-t-disable

crypto map IPSECMap 103 ipsec-isakmp dynamic x-VPN

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 172.20.0.1
 dns-server value 172.20.0.1
 vpn-tunnel-protocol IPSec l2tp-ipsec
 ipsec-udp enable
 default-domain value x.local

tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group x
 default-group-policy DefaultRAGroup

Thanks,

Philip
Accepted Solutions
Cisco Employee

Re: Remote access VPN over UDP transport

Missing transform-set.

-KS

3 REPLIES
New Member

Re: Remote access VPN over UDP transport

Missed that from my config snips above, added now.  Any other thoughts please?

Thanks,

Philip
New Member

Re: Remote access VPN over UDP transport

Oh.  It was that nat-t-disable option that was screwing things up; it didn't need to be there :-)

Still, job done - and thanks for the reply.

Philip
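As an added example (not part of the thread, and not Cisco's code), the following script parses ASA IKEv1 debug output of the shape quoted in the original post, attributes each "Phase 2 failure: Mismatched attribute types" line to the peer last named on a "Group = ..., IP = ..." line, and flags the encapsulation-mode mismatch with the cause Philip found (nat-t-disable on the dynamic map). The sample log, the peer address 203.0.113.10 and the function name are constructed for the example.

```python
import re

# Constructed sample modelled on the ASA IKEv1 debug lines quoted in the
# thread; the peer address 203.0.113.10 and map name are placeholders.
SAMPLE_LOG = """\
Jan 20 18:29:38 [IKEv1]: Group = DefaultRAGroup, IP = 203.0.113.10, PHASE 1 COMPLETED
Jan 20 18:29:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 203.0.113.10, processing IPSec SA payload
Jan 20 18:29:39 [IKEv1]: Group = DefaultRAGroup, IP = 203.0.113.10, IKE Remote Peer configured for crypto map: x-VPN
Jan 20 18:29:39 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: Transport
Jan 20 18:29:39 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: Transport
Jan 20 18:29:39 [IKEv1]: Group = DefaultRAGroup, IP = 203.0.113.10, All IPSec SA proposals found unacceptable!
"""

PEER_RE = re.compile(r"Group = (?P<group>[^,]+), IP = (?P<ip>[^,]+)")
MISMATCH_RE = re.compile(
    r"Phase 2 failure:\s+Mismatched attribute types for class (?P<cls>[^:]+):"
    r"\s+Rcv'd: (?P<rcvd>.+?)\s+Cfg'd: (?P<cfgd>.+?)\s*$"
)

# Cause established in the thread: the client proposes UDP-encapsulated
# transport (NAT-T) while the dynamic map carries 'set nat-t-disable'.
HINTS = {
    ("Encapsulation Mode", "UDP Transport", "Transport"):
        "peer proposes NAT-T (UDP-encapsulated) transport mode; "
        "remove 'set nat-t-disable' from the matching dynamic map",
}

def analyze_ikev1_log(text):
    """One finding per distinct phase-2 attribute mismatch, attributed to the
    peer most recently named on a 'Group = ..., IP = ...' line."""
    findings, peer = [], {"group": None, "ip": None}
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.groupdict()
        m = MISMATCH_RE.search(line)
        if not m:
            continue
        key = (m["cls"], m["rcvd"], m["cfgd"])
        hint = HINTS.get(key, "no known cause; compare the peer proposal with the transform-set")
        finding = {**peer, **m.groupdict(), "hint": hint}
        # The ASA repeats the line once per rejected proposal; report it once.
        if finding not in findings:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in analyze_ikev1_log(SAMPLE_LOG):
        print(f"{f['ip']} ({f['group']}): {f['cls']} rcv'd={f['rcvd']!r} cfg'd={f['cfgd']!r} -> {f['hint']}")
```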
