L2TP/IKE/IPsec Problems

koaps · ‎10-08-2003

Hello All,

I'm having an issue creating an IPsec transport with a Win2k Laptop.

I have gone through all the VPN examples I could find and built a system that is pretty flexible(has sets for ah-sha-hmac esp-3des esp-sha-hmac and esp-des esp-sha-hmac for L2TP vpdn connections.

I'm a little confused by the examples use of language. My impression is that by using L2TP ports to connect to IKE to build the tunnel then it should kick on IPsec.

I seem to be able to build the L2TP transport tunnel to the PIX from my Win2k Laptop, but it doesn't seem to go much further then that and times out with there was no answer.

One Error I do see is the NAT hash's don't match during the ISAKMP connection but it seems to continue on and finish building the tunnel.

Any help would be great.

Here is the config info:

object-group network vpn_pool

description VPN Client IP Pool

network-object host 192.168.1.30

network-object host 192.168.1.31

network-object host 192.168.1.32

network-object host 192.168.1.33

network-object host 192.168.1.34

network-object host 192.168.1.35

access-list vpnbound permit ip 192.168.0.0 255.255.0.0 object-group vpn_pool

access-list vpnbound deny ip any object-group vpn_pool

ip local pool vpn-pool 192.168.1.30-192.168.1.50

nat (inside) 0 access-list vpnbound

sysopt connection permit-ipsec

sysopt connection permit-pptp

sysopt connection permit-l2tp

crypto ipsec transform-set myset1 esp-des esp-sha-hmac

crypto ipsec transform-set myset1 mode transport

crypto ipsec transform-set myset2 ah-sha-hmac esp-3des esp-sha-hmac

crypto ipsec transform-set myset2 mode transport

crypto dynamic-map dynmap 10 set pfs group2

crypto dynamic-map dynmap 10 set transform-set myset1 myset2

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap interface outside

isakmp enable outside

isakmp key ******** address 0.0.0.0 netmask 0.0.0.0

isakmp client configuration address-pool local vpn-pool outside

isakmp nat-traversal 20

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption 3des

isakmp policy 1 hash sha

isakmp policy 1 group 2

isakmp policy 1 lifetime 86400

isakmp policy 2 authentication pre-share

isakmp policy 2 encryption des

isakmp policy 2 hash sha

isakmp policy 2 group 1

isakmp policy 2 lifetime 86400

vpdn group l2tp_dialin accept dialin l2tp

vpdn group l2tp_dialin ppp authentication mschap

vpdn group l2tp_dialin client configuration address local vpn-pool

vpdn group l2tp_dialin client authentication local

vpdn group l2tp_dialin l2tp tunnel hello 60

vpdn group pptp_dialin accept dialin pptp

vpdn group pptp_dialin ppp authentication mschap

vpdn group pptp_dialin ppp encryption mppe auto

vpdn group pptp_dialin client configuration address local vpn-pool

vpdn group pptp_dialin pptp echo 60

vpdn group pptp_dialin client authentication local

vpdn username vpdn password *********

vpdn enable outside

Here is the Debug info:

crypto_isakmp_process_block:src:xx.xxx.xxx.93, dest:xx.xxx.xxx.192 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth pre-share

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x0 0x70 0x80

ISAKMP (0): atts are acceptable. Next payload is 3

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a MSWIN2K client

ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN

ISAKMP (0:0): sending NAT-T vendor ID - rev 2 & 3

ISAKMP (0:0): Detected port floating

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:xx.xxx.xxx.93, dest:xx.xxx.xxx.192 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0:0): Detected NAT-D payload

ISAKMP (0:0): NAT match MINE hash

ISAKMP (0:0): Detected NAT-D payload

ISAKMP (0:0): NAT does not match HIS hash

hash received: a2 6c f3 b5 9d 38 a6 e0 a d 86 c8 1 3e b5 13 2d 62 3f e3

his nat hash : 24 b1 7c a0 6e bb 33 c5 7a d7 10 ef 77 6e d4 78 31 17 d8 13

ISAKMP (0:0): constructed HIS NAT-D

ISAKMP (0:0): constructed MINE NAT-D

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:xx.xxx.xxx.93, dest:xx.xxx.xxx.192 spt:64844 dpt:4500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing HASH payload. message ID = 0

ISAKMP (0): SA has been authenticated

ISAKMP: Created a peer struct for xx.xxx.xxx.93, peer port 19709

ISAKMP (0): ID payload

next-payload : 8

type : 2

protocol : 17

port : 0

length : 27

ISAKMP (0): Total payload length: 31

return status is IKMP_NO_ERROR

ISAKMP (0): sending INITIAL_CONTACT notify

ISAKMP (0): sending NOTIFY message 24578 protocol 1

ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify

ISAKMP (0): sending NOTIFY message 24576 protocol 1

VPN Peer: ISAKMP: Added new peer: ip:xx.xxx.xxx.93/64844 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:xx.xxx.xxx.93/64844 Ref cnt incremented to:1 Total VPN Peers:1

koaps · ‎10-11-2003

Does no one know what's going on?

I could really use some help here....

-c

koaps · ‎10-19-2003

looking at some more examples I tried addin in bi-directional static statements.

I'm not sure if the PIX is having issues with the fact that the VPN and inside networks are the same addressing. From the examples I saw and the results I want I built my comfigs but I am not sure if there is some routing or nat issue going on.

I can get past IKE and get SA's

VPN Peer: ISAKMP: Added new peer: ip:*.*.*.51/4500 Total VPN Peers:1

VPN Peer: ISAKMP: Peer ip:*.*.*.51/4500 Ref cnt incremented to:1 Total VPN Peers:1