4453 Views, 5 Helpful, 3 Replies

Remote access VPN over UDP transport

philipplant
Level 1
Hi folks,

I have a Cisco ASA-5505 running 8.2(1), and I'm trying to configure it for remote access VPN
connections using L2TP over IPsec.  It completes Phase 1 with no problem.  Then it picks up
the correct dynamic crypto-map, but fails to negotiate an IPsec SA:

Jan 20 18:29:38 [IKEv1]: Group = DefaultRAGroup, IP = x, PHASE 1 COMPLETED
Jan 20 18:29:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x, processing IPSec SA payload
Jan 20 18:29:39 [IKEv1]: Group = DefaultRAGroup, IP = x, IKE Remote Peer configured for crypto map: x-VPN
Jan 20 18:29:39 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: Transport
Jan 20 18:29:39 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: Transport
Jan 20 18:29:39 [IKEv1]: Group = DefaultRAGroup, IP = x, All IPSec SA proposals found unacceptable!

So the problem seems to be that the VPN client is requesting UDP transport, but the ASA will not accept it.

Please would someone have a look at these snippets of config and tell me if there's something
I've missed?

crypto isakmp policy 119
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set TRANSPORT_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANSPORT_ESP_3DES_SHA mode transport

crypto dynamic-map x-VPN 10 set transform-set TRANSPORT_ESP_3DES_SHA
crypto dynamic-map x-VPN 10 set nat-t-disable

crypto map IPSECMap 103 ipsec-isakmp dynamic x-VPN

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server value 172.20.0.1
 dns-server value 172.20.0.1
 vpn-tunnel-protocol IPSec l2tp-ipsec
 ipsec-udp enable
 default-domain value x.local

tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 authentication-server-group x
 default-group-policy DefaultRAGroup

Thanks,

Philip
3 Replies

Kureli Sankar
Cisco Employee

Missing transform-set.

-KS

Missed that from my config snips above, added now.  Any other thoughts please?

Thanks,

Philip

Oh.  It was that nat-t-disable option that was screwing things up, it didn't need to be there :-)

Still, job done - and thanks for the reply.

Philip
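As an added example (not part of this thread, and not Cisco code), the following Python script turns the diagnosis above into a repeatable check: it parses ASA IKEv1 syslog lines in the format quoted in the question, extracts the Phase 2 "Mismatched attribute types" failure together with the dynamic crypto map the peer was matched to, and then looks in the running config for a `set nat-t-disable` line on that dynamic map. The correlation it encodes is the one the thread arrived at: a client behind NAT proposes the NAT-T encapsulation mode ("UDP Transport", i.e. UDP-encapsulated transport), and with NAT-T disabled on the dynamic map the ASA only accepts plain transport, so every proposal is rejected. The sample log and config are constructed from the post (peer address and names already anonymised as "x" there); the function names and the syslog regexes are this example's own assumptions.

```python
import re

# Constructed sample: the Phase 2 failure lines quoted in the question.
SAMPLE_LOG = """\
Jan 20 18:29:38 [IKEv1]: Group = DefaultRAGroup, IP = x, PHASE 1 COMPLETED
Jan 20 18:29:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = x, processing IPSec SA payload
Jan 20 18:29:39 [IKEv1]: Group = DefaultRAGroup, IP = x, IKE Remote Peer configured for crypto map: x-VPN
Jan 20 18:29:39 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: Transport
Jan 20 18:29:39 [IKEv1]: Phase 2 failure:  Mismatched attribute types for class Encapsulation Mode:  Rcv'd: UDP Transport  Cfg'd: Transport
Jan 20 18:29:39 [IKEv1]: Group = DefaultRAGroup, IP = x, All IPSec SA proposals found unacceptable!
"""

# Constructed sample: the crypto part of the config posted in the question.
SAMPLE_CONFIG = """\
crypto ipsec transform-set TRANSPORT_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANSPORT_ESP_3DES_SHA mode transport
crypto dynamic-map x-VPN 10 set transform-set TRANSPORT_ESP_3DES_SHA
crypto dynamic-map x-VPN 10 set nat-t-disable
crypto map IPSECMap 103 ipsec-isakmp dynamic x-VPN
"""

# Regexes written against the syslog lines above (assumed format).
CRYPTO_MAP_RE = re.compile(r"IKE Remote Peer configured for crypto map:\s+(?P<map>\S+)")
MISMATCH_RE = re.compile(
    r"Phase 2 failure:\s+Mismatched attribute types for class (?P<cls>[^:]+):\s+"
    r"Rcv'd:\s+(?P<rcvd>.+?)\s+Cfg'd:\s+(?P<cfgd>.+?)\s*$"
)


def parse_phase2_failures(log_text):
    """Return unique Phase 2 attribute mismatches, each tagged with the
    dynamic crypto map the ASA most recently reported for the peer."""
    current_map = None
    seen = set()
    findings = []
    for line in log_text.splitlines():
        m = CRYPTO_MAP_RE.search(line)
        if m:
            current_map = m.group("map")
            continue
        m = MISMATCH_RE.search(line)
        if not m:
            continue
        key = (m.group("cls").strip(), m.group("rcvd").strip(),
               m.group("cfgd").strip(), current_map)
        if key in seen:          # the ASA logs the same failure once per proposal
            continue
        seen.add(key)
        findings.append({"class": key[0], "received": key[1],
                         "configured": key[2], "crypto_map": key[3]})
    return findings


def natt_disabled_entries(config_text, dyn_map_name):
    """Sequence numbers of entries of the named dynamic map that carry
    'set nat-t-disable'."""
    pat = re.compile(r"^crypto dynamic-map\s+" + re.escape(dyn_map_name)
                     + r"\s+(?P<seq>\d+)\s+set nat-t-disable\s*$", re.M)
    return [m.group("seq") for m in pat.finditer(config_text)]


def diagnose(log_text, config_text):
    """Correlate an Encapsulation Mode mismatch where the peer proposed a
    UDP-encapsulated (NAT-T) mode with NAT-T being disabled on the matched
    dynamic map. Returns one remediation string per affected map entry."""
    advice = []
    for f in parse_phase2_failures(log_text):
        if f["class"] != "Encapsulation Mode" or not f["received"].startswith("UDP"):
            continue
        if not f["crypto_map"]:
            continue
        for seq in natt_disabled_entries(config_text, f["crypto_map"]):
            advice.append(
                f"peer proposed '{f['received']}' but ASA offers only "
                f"'{f['configured']}': remove 'set nat-t-disable' from "
                f"crypto dynamic-map {f['crypto_map']} {seq}"
            )
    return advice


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG, SAMPLE_CONFIG) or ["no NAT-T related mismatch found"]:
        print(line)
```

Running it against the samples yields one remediation line naming `crypto dynamic-map x-VPN 10`; with the `set nat-t-disable` line removed from the config the checker reports nothing, which matches the outcome Philip describes. Because the dynamic map name is taken from the log rather than hard-coded, the same check works on a box with several dynamic maps, and only the map the failing peer actually matched is inspected.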
