- Cisco Community
- Technology and Support
- Security
- VPN
- Re: L2TP over IPSec
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
L2TP over IPSec
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-20-2002 12:31 PM - edited 02-21-2020 12:11 PM
Hi:
Has anobody a sample configuration to allow Windows L2TP/IPSec clients establish VPN connections to a router?
I'm working on it but I'm getting the following:
"L2TP: Could not find tunnel for tnl 42389, discarding ZLB ns 4 nr 2"
Numbers change from one attemp to another. To configure the router I "translated" the sample pix configuration contained in document "Configuring L2TP Over IPSec Between PIX Firewall and Windows 2000", but it seems something is missing to me. I'm using local authentication.
Help!
- Labels:
-
Other VPN Topics
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-20-2002 12:56 PM
All I can say is that will be ugly. So many problems can be the source of your issue here. Why are you trying to implent this and not us the cvpn 3.x client? I hope its not cause of your company policy. There are service pack issues with your client. You will need specific IOS platform, no mention of which you are using. The router is easy to usually configure, its your pc that has a lengthy configuration that Im not sure anyone will be able to address. Here's a link http://www.cisco.com/warp/public/707/24.html but i'd would suggest that you dont follow this, just that you might find it or someone else might suggest it. Doesnt really show you how to configure your client and the router configs actually need to be combined. Its ugly. I'd suggest you call tac, they have a doc(wish i still had it) that you can follow to make sure you configure your client correctly. Good luck.
Kurtis Durrett
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-20-2002 05:01 PM
Which series router are you using?
Regards
Rob
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-21-2002 03:23 AM
Kurtis: I'm more optimistic about it. I still have problems, but only in L2TP now. ISAKMP and IPSec is negotiated ok between PC and router. However L2TP debug messages don't help me too much in debugging...
Rob: I'm using a 1710 router with image c1710-k9o3sy-mz.12.2-4.YA
The client is a Windows 98 PC with the MS Upgrade to support L2TP/IPSec
Regards,
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-21-2002 06:54 AM
Ya, there is life out there. The L2TP client is a little better than what I was thinking you was using like the 2000 native client. Do you have any other vpn clients installed? Any firewalls on pc? Is that 98 or 98SE? What version of DUN are you using? There's 1.4. Do you have the L2TP debugs? Can you post them as well. Any new errors on the client side, you should be getting something on a microsoft error. What type of authentication are you using for L2TP? pap, chap,mschap. What type of encrytpion? You encryption capabilities on your client will be based on your IE cipher strength. Did you try with no encryption,pap and no user auth for L2TP? Do you have encrytpion set for required on the router?
Kurtis Durrett
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-21-2002 01:22 PM
Here, I'll answer all your question:
Do you have any other vpn clients installed?
Not any more
Any firewalls on pc?
Never
Is that 98 or 98SE?
98SE
What version of DUN are you using?
L2TP/IPSec MS Client requires IE 5.01 and Dun 1.4. I've IE 5.5 SP1 and Dun 1.4
Do you have the L2TP debugs?
Yes. Look:
VPN:
L2X protocol events debugging is on
L2X protocol errors debugging is on
VPDN events debugging is on
VPDN errors debugging is on
VPDN packet debugging is on
PPP:
PPP authentication debugging is on
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
00:25:28: ISAKMP (0:6): Checking IPSec proposal 2
00:25:28: ISAKMP: transform 1, ESP_DES
00:25:28: ISAKMP: attributes in transform:
00:25:28: ISAKMP: authenticator is HMAC-SHA
00:25:28: ISAKMP: encaps is 2
00:25:28: ISAKMP: SA life type in seconds
00:25:28: ISAKMP: SA life duration (basic) of 3600
00:25:28: ISAKMP: SA life type in kilobytes
00:25:28: ISAKMP: SA life duration (VPI) of 0x0 0x1 0x90 0x0
00:25:28: ISAKMP (0:6): atts are acceptable.
00:25:28: ISAKMP (0:6): processing NONCE payload. message ID = 1082128156
00:25:28: ISAKMP (0:6): processing ID payload. message ID = 1082128156
00:25:28: ISAKMP (0:6): processing ID payload. message ID = 1082128156
00:25:28: ISAKMP (0:6): asking for 1 spis from ipsec
00:25:28: ISAKMP (0:6): Node 1082128156, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
00:25:28: ISAKMP: received ke message (2/1)
00:25:29: ISAKMP (0:6): sending packet to 192.168.213.67 (R) QM_IDLE
00:25:29: ISAKMP (0:6): Node 1082128156, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_RY
Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
00:25:29: ISAKMP (0:6): received packet from 192.168.213.67 (R) QM_IDLE
00:25:29: ISAKMP (0:6): Creating IPSec SAs
00:25:29: inbound SA from 192.168.213.67 to 192.168.213.66
(proxy 192.168.213.67 to 192.168.213.66)
00:25:29: has spi 0x748EF609 and conn_id 200 and flags 0
00:25:29: lifetime of 3600 seconds
00:25:29: lifetime of 102400 kilobytes
00:25:29: outbound SA from 192.168.213.66 to 192.168.213.67 (proxy 20)
00:25:29: has spi 212707478 and conn_id 201 and flags 8
00:25:29: lifetime of 3600 seconds
00:25:29: lifetime of 102400 kilobytes
00:25:29: ISAKMP (0:6): deleting node 1082128156 error FALSE reason "quick mode"
00:25:29: ISAKMP (0:6): Node 1082128156, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
00:29:15: L2TP: I SCCRQ from tnl 7
00:29:15: Tnl39599 L2TP: New tunnel created for remote , address 192.168.213.67
00:29:15: Tnl39599 L2TP: O SCCRP
00:29:15: Tnl39599 L2TP: Control channel retransmit delay set to 1 seconds
00:29:15: Tnl39599 L2TP: Tunnel state change from idle to wait-ctl-reply
00:29:15: Tnl39599 L2TP: I SCCCN from remote tnl 7
00:29:15: Tnl39599 L2TP: Got a Challenge Response in SCCCN from
00:29:15: Tnl39599 L2TP: O StopCCN
00:29:15: Tnl39599 L2TP: Control channel retransmit delay set to 1 seconds
00:29:15: Tnl39599 L2TP: Tunnel state change from wait-ctl-reply to shutting-n
00:29:15: Tnl39599 L2TP: Shutdown tunnel
00:29:15: Tnl39599 L2TP: Tunnel state change from shutting-down to idle
00:29:15: L2TP: Could not find tunnel for tnl 39599, discarding StopCCN ns 3 nr2
00:29:15: L2TP: Could not find tunnel for tnl 39599, discarding ZLB ns 4 nr 2
Any new errors on the client side?
Error 629: (you have been disconnected, blah, blah. Double click to try again.)
What type of authentication are you using for L2TP?
chap,mschap. For ppp in fact.
What type of encrytpion? You encryption capabilities on your client will be based on your IE cipher strength.
DES and SHA. 3Des is also avaible but now I'm just testing.
Did you try with no encryption,pap and no user auth for L2TP? Do you have encrytpion set for required on the router?
I still don't reach the user athentication phase! As far as I see, the client leaves the ISAKMP connection open and the IPSec tunnel open even if L2TP negotiation doesn't succeed. After ISAKMP and IPSec negotiations have finished, every retry on the client only involves an L2TP negotiation in the router.
Here is my current router configuration:
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
aaa new-model
!
!
aaa authentication login autenticacion local
aaa authentication ppp default local
aaa authorization network autorizacion local
aaa session-id common
!
username cisco password 0 cisco
memory-size iomem 15
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
vpdn enable
!
vpdn-group l2tpipsec
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 2
ip mtu adjust
!
!
crypto isakmp policy 20
authentication pre-share
lifetime 28000
crypto isakmp key octoberdream address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set l2tp esp-des esp-sha-hmac
mode transport
!
crypto dynamic-map elmapa 4
set transform-set l2tp
!
!
crypto map elgranmapa client authentication list autenticacion
crypto map elgranmapa isakmp authorization list autorizacion
crypto map elgranmapa 10 ipsec-isakmp dynamic elmapa
!
!
!
!
interface Ethernet0
ip address 192.168.213.66 255.255.255.240
half-duplex
crypto map elgranmapa
!
interface FastEthernet0
ip address 10.54.34.10 255.255.255.0
speed auto
!
interface Virtual-Template2
ip unnumbered FastEthernet0
ip mroute-cache
peer default ip address pool l2tppool
ppp authentication chap ms-chap
!
ip local pool l2tppool 10.54.34.90 10.54.34.99
ip classless
no ip http server
ip pim bidir-enable
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
no scheduler allocate
end
And that's all.
By the way, how do I enable firewalling on the router? If I set the router as the default gateway on my client (internet side) I can reach the private LAN. Should I use inspect commands or NAT?
Regards,
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-22-2002 11:27 AM
"What type of encrytpion? You encryption capabilities on your client will be based on your IE cipher strength.
DES and SHA. 3Des is also avaible but now I'm just testing."
Sorry, what i meant here is what type of L2TP encryption you are using, whats it set to on your browser? You have 40bit and 128bit encryption for L2TP which on your pc is based on your cipher strength from your IE browser. But I can see from the router that you dont have encryption enabled under your Virtual template. The high encrption pack on some IE version may require that you have to connect with some type of encryption, so this is something you wanna check. But, since you dont have it on your router, turn off chap and ms-chap and just use pap. Take a look:
Interesting that you get a challenge response
00:29:15: Tnl39599 L2TP: Got a Challenge Response in SCCCN from
right after which you fail This is a chap/ms-chap response. Use only pap and test. After you get it working with pap and no L2TP encryption, then you can play with getting it to work with higher lvls.
Kurtis Durrett
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-25-2002 04:58 AM
Sorry for the delay.
The browser shows 128bits encryption. After trying with "ppp encryp mppe auto" and playing with "ppp authentication pap" or "ppp authentication pap callin" the line is always the same:
00:29:15: Tnl39599 L2TP: Got a Challenge Response in SCCCN from
I also tryed chaging connection options in the client, like encryptp password and data, but no change. Any other tip?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-25-2002 06:57 AM
So I'm assuming you did test this without L2TP encrytpion, removed the ppp encrypt mppe auto" and with just the "ppp auth pap". It might be a stretch but i'd remove the callin. Do you by chance have the high encryption pack installed on your pc? If thats the case it will require 128 bit encryption/ms-chap and will not negotiate without it. I know encrytpion with pptp is broken in 12.2.4, but im dont recall if its broken with L2TP which I think it is. We tested this with 12.2.8T and the L2TP client from microsoft on a windows 98 which it worked with and without encryption.
I do not know what "L2TP: Could not find tunnel for tnl 42389, discarding ZLB ns 4 nr 2" error is specifically. I'll have to go back to my original suggestion, will be ugly, that you call TAC to find that information.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-26-2002 02:09 PM
I made an important advance! Help me debug the following ppp errors and it's done!
Here is the new modified configuration:
!
aaa new-model
!
!
aaa authentication login autenticacion local
aaa authentication ppp default if-needed local none
aaa authorization network autorizacion local
aaa session-id common
!
vpdn-group l2tpipsec
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 2
no l2tp tunnel authentication
ip mtu adjust
!
interface Virtual-Template2
ip unnumbered FastEthernet0
ip tcp header-compression passive
ip mroute-cache
peer default ip address pool l2tppool
ppp authentication pap
!
This config is the simplest, with no encryption and pap. I'm getting the following debug from PPP:
Router#
00:57:21: Vi1 PPP: Phase is DOWN, Setup
00:57:21: Vi1 PPP: Outbound context-status packet dropped, line protocol not up
00:57:21: Vi1 EVT: Setup [19] 0 0x0
00:57:21: Vi1 EVT: Restart CP [19] 0 0x816A9FFC
00:57:21: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
00:57:21: Vi1 EVT: Cstate [19] 4 0x816A7C00
00:57:21: Vi1 PPP: Treating connection as a dedicated line
00:57:21: Vi1 PPP: Phase is ESTABLISHING, Active Open
00:57:21: Vi1 PPP: Authorization NOT required
00:57:21: Vi1 PPP: Preauth Authorization:
00:57:21: Vi1 PPP/AAA: auth-required
00:57:21: Vi1 LCP: O CONFREQ [Closed] id 1 len 14
00:57:21: Vi1 LCP: AuthProto PAP (0x0304C023)
00:57:21: Vi1 LCP: MagicNumber 0x0977E31E (0x05060977E31E)
00:57:21: Vi1 EVT: Packet [19] 1 0x8144C6E0
00:57:21: Vi1 LCP: I CONFREQ [REQsent] id 1 len 14
00:57:21: Vi1 LCP: MagicNumber 0x00A85206 (0x050600A85206)
00:57:21: Vi1 LCP: PFC (0x0702)
00:57:21: Vi1 LCP: ACFC (0x0802)
Router#
00:57:21: Vi1 LCP: O CONFACK [REQsent] id 1 len 14
00:57:21: Vi1 LCP: MagicNumber 0x00A85206 (0x050600A85206)
00:57:21: Vi1 LCP: PFC (0x0702)
00:57:21: Vi1 LCP: ACFC (0x0802)
Router#
00:57:23: Vi1 LCP: TIMEout: State ACKsent
00:57:23: Vi1 LCP: O CONFREQ [ACKsent] id 2 len 14
00:57:23: Vi1 LCP: AuthProto PAP (0x0304C023)
00:57:23: Vi1 LCP: MagicNumber 0x0977E31E (0x05060977E31E)
00:57:23: Vi1 EVT: Packet [19] 1 0x8144C6E0
00:57:23: Vi1 LCP: I CONFACK [ACKsent] id 2 len 14
00:57:23: Vi1 LCP: AuthProto PAP (0x0304C023)
00:57:23: Vi1 LCP: MagicNumber 0x0977E31E (0x05060977E31E)
00:57:23: Vi1 LCP: State is Open
00:57:23: Vi1 PPP: Phase is AUTHENTICATING, by this end
00:57:24: Vi1 EVT: Packet [19] 1 0x814D1DBC
00:57:24: Vi1 LCP: I CONFREQ [Open] id 2 len 14
00:57:24: Vi1 LCP: MagicNumber 0x00A85206 (0x050600A85206)
00:57:24: Vi1 LCP: PFC (0x0702)
00:57:24: Vi1 LCP: ACFC (0x0802)
00:57:24: Vi1 PPP: Phase is TERMINATING
00:57:24: Vi1 PPP: Authorization NOT required
00:57:24: Vi1 PPP: Preauth Authorization:
00:57:24: Vi1 PPP/AAA: auth-required
00:57:24: Vi1 PPP: Phase is ESTABLISHING
00:57:24: Vi1 LCP: O CONFREQ [Open] id 3 len
Router#14
00:57:24: Vi1 LCP: AuthProto PAP (0x0304C023)
00:57:24: Vi1 LCP: MagicNumber 0x0977EF03 (0x05060977EF03)
00:57:24: Vi1 LCP: O CONFACK [Open] id 2 len 14
00:57:24: Vi1 LCP: MagicNumber 0x00A85206 (0x050600A85206)
00:57:24: Vi1 LCP: PFC (0x0702)
00:57:24: Vi1 LCP: ACFC (0x0802)
Router#
00:57:26: Vi1 LCP: TIMEout: State ACKsent
00:57:26: Vi1 LCP: O CONFREQ [ACKsent] id 4 len 14
00:57:26: Vi1 LCP: AuthProto PAP (0x0304C023)
00:57:26: Vi1 LCP: MagicNumber 0x0977EF03 (0x05060977EF03)
00:57:27: Vi1 EVT: Packet [19] 1 0x814D1DBC
00:57:27: Vi1 LCP: I CONFREQ [ACKsent] id 3 len 14
00:57:27: Vi1 LCP: MagicNumber 0x00A85206 (0x050600A85206)
00:57:27: Vi1 LCP: PFC (0x0702)
00:57:27: Vi1 LCP: ACFC (0x0802)
00:57:27: Vi1 LCP: O CONFACK [ACKsent] id 3 len 14
00:57:27: Vi1 LCP: MagicNumber 0x00A85206 (0x050600A85206)
00:57:27: Vi1 LCP: PFC (0x0702)
00:57:27: Vi1 LCP: ACFC (0x0802)
Router#
00:57:28: Vi1 LCP: TIMEout: State ACKsent
00:57:28: Vi1 LCP: O CONFREQ [ACKsent] id 5 len 14
00:57:28: Vi1 LCP: AuthProto PAP (0x0304C023)
00:57:28: Vi1 LCP: MagicNumber 0x0977EF03 (0x05060977EF03)
Router#
00:57:30: Vi1 EVT: Packet [19] 1 0x814D1DBC
00:57:30: Vi1 LCP: I CONFREQ [ACKsent] id 4 len 14
00:57:30: Vi1 LCP: MagicNumber 0x00A85206 (0x050600A85206)
00:57:30: Vi1 LCP: PFC (0x0702)
00:57:30: Vi1 LCP: ACFC (0x0802)
00:57:30: Vi1 LCP: O CONFACK [ACKsent] id 4 len 14
00:57:30: Vi1 LCP: MagicNumber 0x00A85206 (0x050600A85206)
00:57:30: Vi1 LCP: PFC (0x0702)
00:57:30: Vi1 LCP: ACFC (0x0802)
00:57:30: Vi1 LCP: TIMEout: State ACKsent
00:57:30: Vi1 LCP: O CONFREQ [ACKsent] id 6 len 14
00:57:30: Vi1 LCP: AuthProto PAP (0x0304C023)
00:57:30: Vi1 LCP: MagicNumber 0x0977EF03 (0x05060977EF03)
Router#
00:57:32: Vi1 LCP: TIMEout: State ACKsent
00:57:32: Vi1 LCP: O CONFREQ [ACKsent] id 7 len 14
00:57:32: Vi1 LCP: AuthProto PAP (0x0304C023)
00:57:32: Vi1 LCP: MagicNumber 0x0977EF03 (0x05060977EF03)
00:57:33: Vi1 EVT: Packet [19] 1 0x814D1DBC
00:57:33: Vi1 LCP: I CONFREQ [ACKsent] id 5 len 14
00:57:33: Vi1 LCP: MagicNumber 0x00A85206 (0x050600A85206)
00:57:33: Vi1 LCP: PFC (0x0702)
00:57:33: Vi1 LCP: ACFC (0x0802)
00:57:33: Vi1 LCP: O CONFACK [ACKsent] id 5 len 14
00:57:33: Vi1 LCP: MagicNumber 0x00A85206 (0x050600A85206)
00:57:33: Vi1 LCP: PFC (0x0702)
00:57:33: Vi1 LCP: ACFC (0x0802)
Router#
00:57:34: Vi1 LCP: TIMEout: State ACKsent
00:57:34: Vi1 LCP: O CONFREQ [ACKsent] id 8 len 14
00:57:34: Vi1 LCP: AuthProto PAP (0x0304C023)
00:57:34: Vi1 LCP: MagicNumber 0x0977EF03 (0x05060977EF03)
Router#
00:57:36: Vi1 EVT: Packet [19] 1 0x81542D88
00:57:36: Vi1 LCP: I CONFREQ [ACKsent] id 6 len 14
00:57:36: Vi1 LCP: MagicNumber 0x00A85206 (0x050600A85206)
00:57:36: Vi1 LCP: PFC (0x0702)
00:57:36: Vi1 LCP: ACFC (0x0802)
00:57:36: Vi1 LCP: O CONFACK [ACKsent] id 6 len 14
00:57:36: Vi1 LCP: MagicNumber 0x00A85206 (0x050600A85206)
00:57:36: Vi1 LCP: PFC (0x0702)
00:57:36: Vi1 LCP: ACFC (0x0802)
00:57:36: Vi1 LCP: TIMEout: State ACKsent
00:57:36: Vi1 LCP: O CONFREQ [ACKsent] id 9 len 14
00:57:36: Vi1 LCP: AuthProto PAP (0x0304C023)
00:57:36: Vi1 LCP: MagicNumber 0x0977EF03 (0x05060977EF03)
Router#
00:57:38: Vi1 LCP: TIMEout: State ACKsent
00:57:38: Vi1 LCP: O CONFREQ [ACKsent] id 10 len 14
00:57:38: Vi1 LCP: AuthProto PAP (0x0304C023)
00:57:38: Vi1 LCP: MagicNumber 0x0977EF03 (0x05060977EF03)
00:57:39: Vi1 EVT: Packet [19] 1 0x81542D88
00:57:39: Vi1 LCP: I CONFREQ [ACKsent] id 7 len 14
00:57:39: Vi1 LCP: MagicNumber 0x00A85206 (0x050600A85206)
00:57:39: Vi1 LCP: PFC (0x0702)
00:57:39: Vi1 LCP: ACFC (0x0802)
00:57:39: Vi1 LCP: O CONFACK [ACKsent] id 7 len 14
00:57:39: Vi1 LCP: MagicNumber 0x00A85206 (0x050600A85206)
00:57:39: Vi1 LCP: PFC (0x0702)
00:57:39: Vi1 LCP: ACFC (0x0802)
Router#
00:57:40: Vi1 LCP: TIMEout: State ACKsent
00:57:40: Vi1 LCP: O CONFREQ [ACKsent] id 11 len 14
00:57:40: Vi1 LCP: AuthProto PAP (0x0304C023)
00:57:40: Vi1 LCP: MagicNumber 0x0977EF03 (0x05060977EF03)
Router#
00:57:42: Vi1 EVT: Packet [19] 1 0x81542D88
00:57:42: Vi1 LCP: I CONFREQ [ACKsent] id 8 len 14
00:57:42: Vi1 LCP: MagicNumber 0x00A85206 (0x050600A85206)
00:57:42: Vi1 LCP: PFC (0x0702)
00:57:42: Vi1 LCP: ACFC (0x0802)
00:57:42: Vi1 LCP: O CONFACK [ACKsent] id 8 len 14
00:57:42: Vi1 LCP: MagicNumber 0x00A85206 (0x050600A85206)
00:57:42: Vi1 LCP: PFC (0x0702)
00:57:42: Vi1 LCP: ACFC (0x0802)
00:57:42: Vi1 LCP: TIMEout: State ACKsent
00:57:42: Vi1 LCP: State is Listen
00:57:42: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
Router#
00:57:42: Vi1 PPP: Authorization NOT required
00:57:42: Vi1 PPP: Preauth Authorization:
00:57:42: Vi1 PPP/AAA: auth-required
00:57:42: Vi1 EVT: Cstate [20] 0 0x816A7C00
00:57:42: Vi1 LCP: State is Closed
00:57:42: Vi1 PPP: Phase is DOWN
00:57:42: Vi1 EVT: Restart CP [20] 0 0x816A9FFC
If I change the client to encrypt traffic and passwords and update the router config to the following:
!
interface Virtual-Template2
ip unnumbered FastEthernet0
ip tcp header-compression passive
ip mroute-cache
peer default ip address pool l2tppool
ppp encrypt mppe auto
ppp authentication ms-chap
!
I get:
01:01:11: Vi1 PPP: Phase is DOWN, Setup
01:01:11: Vi1 PPP: Outbound context-status packet dropped, line protocol not up
01:01:11: Vi1 EVT: Setup [20] 0 0x0
01:01:11: Vi1 EVT: Restart CP [20] 0 0x816A9FFC
01:01:11: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
01:01:11: Vi1 EVT: Cstate [20] 4 0x816A7C00
01:01:11: Vi1 PPP: Treating connection as a dedicated line
01:01:11: Vi1 PPP: Phase is ESTABLISHING, Active Open
01:01:11: Vi1 PPP: Authorization NOT required
01:01:11: Vi1 PPP: Preauth Authorization:
01:01:11: Vi1 PPP/AAA: auth-required
01:01:11: Vi1 LCP: O CONFREQ [Closed] id 1 len 15
01:01:11: Vi1 LCP: AuthProto MS-CHAP (0x0305C22380)
01:01:11: Vi1 LCP: MagicNumber 0x097B67C6 (0x0506097B67C6)
01:01:11: Vi1 EVT: Packet [20] 1 0x814D1DBC
01:01:11: Vi1 LCP: I CONFREQ [REQsent] id 1 len 14
01:01:11: Vi1 LCP: MagicNumber 0x00ABD5E0 (0x050600ABD5E0)
01:01:11: Vi1 LCP: PFC (0x0702)
01:01:11: Vi1 LCP: ACFC (0x0802)
Router#
01:01:11: Vi1 LCP: O CONFACK [REQsent] id 1 len 14
01:01:11: Vi1 LCP: MagicNumber 0x00ABD5E0 (0x050600ABD5E0)
01:01:11: Vi1 LCP: PFC (0x0702)
01:01:11: Vi1 LCP: ACFC (0x0802)
Router#
01:01:13: Vi1 LCP: TIMEout: State ACKsent
01:01:13: Vi1 LCP: O CONFREQ [ACKsent] id 2 len 15
01:01:13: Vi1 LCP: AuthProto MS-CHAP (0x0305C22380)
01:01:13: Vi1 LCP: MagicNumber 0x097B67C6 (0x0506097B67C6)
01:01:13: Vi1 EVT: Packet [20] 1 0x814D1DBC
01:01:13: Vi1 LCP: I CONFACK [ACKsent] id 2 len 15
01:01:13: Vi1 LCP: AuthProto MS-CHAP (0x0305C22380)
01:01:13: Vi1 LCP: MagicNumber 0x097B67C6 (0x0506097B67C6)
01:01:13: Vi1 LCP: State is Open
01:01:13: Vi1 PPP: Phase is AUTHENTICATING, by this end
01:01:13: Vi1 MS-CHAP: O CHALLENGE id 1 len 21 from "Router "
01:01:14: Vi1 EVT: Packet [20] 1 0x814D1DBC
01:01:14: Vi1 LCP: I CONFREQ [Open] id 2 len 14
01:01:14: Vi1 LCP: MagicNumber 0x00ABD5E0 (0x050600ABD5E0)
01:01:14: Vi1 LCP: PFC (0x0702)
01:01:14: Vi1 LCP: ACFC (0x0802)
01:01:14: Vi1 CCP: State is Closed
01:01:14: Vi1 PPP: Outbound context-status packet dropped, line protocol not up
01:01:14: Vi1 PPP: Phase is TERMINATING
01:01:14: Vi1 PPP: Autho
Router#rization NOT required
01:01:14: Vi1 PPP: Preauth Authorization:
01:01:14: Vi1 PPP/AAA: auth-required
01:01:14: Vi1 PPP: Phase is ESTABLISHING
01:01:14: Vi1 LCP: O CONFREQ [Open] id 3 len 15
01:01:14: Vi1 LCP: AuthProto MS-CHAP (0x0305C22380)
01:01:14: Vi1 LCP: MagicNumber 0x097B73B4 (0x0506097B73B4)
01:01:14: Vi1 LCP: O CONFACK [Open] id 2 len 14
01:01:14: Vi1 LCP: MagicNumber 0x00ABD5E0 (0x050600ABD5E0)
01:01:14: Vi1 LCP: PFC (0x0702)
01:01:14: Vi1 LCP: ACFC (0x0802)
Router#
01:01:16: Vi1 LCP: TIMEout: State ACKsent
01:01:16: Vi1 LCP: O CONFREQ [ACKsent] id 4 len 15
01:01:16: Vi1 LCP: AuthProto MS-CHAP (0x0305C22380)
01:01:16: Vi1 LCP: MagicNumber 0x097B73B4 (0x0506097B73B4)
Router#
01:01:17: Vi1 EVT: Packet [20] 1 0x814D1DBC
01:01:17: Vi1 LCP: I CONFREQ [ACKsent] id 3 len 14
01:01:17: Vi1 LCP: MagicNumber 0x00ABD5E0 (0x050600ABD5E0)
01:01:17: Vi1 LCP: PFC (0x0702)
01:01:17: Vi1 LCP: ACFC (0x0802)
01:01:17: Vi1 LCP: O CONFACK [ACKsent] id 3 len 14
01:01:17: Vi1 LCP: MagicNumber 0x00ABD5E0 (0x050600ABD5E0)
01:01:17: Vi1 LCP: PFC (0x0702)
01:01:17: Vi1 LCP: ACFC (0x0802)
Router#
01:01:18: Vi1 LCP: TIMEout: State ACKsent
01:01:18: Vi1 LCP: O CONFREQ [ACKsent] id 5 len 15
01:01:18: Vi1 LCP: AuthProto MS-CHAP (0x0305C22380)
01:01:18: Vi1 LCP: MagicNumber 0x097B73B4 (0x0506097B73B4)
Router#
01:01:20: Vi1 EVT: Packet [20] 1 0x814D1DBC
01:01:20: Vi1 LCP: I CONFREQ [ACKsent] id 4 len 14
01:01:20: Vi1 LCP: MagicNumber 0x00ABD5E0 (0x050600ABD5E0)
01:01:20: Vi1 LCP: PFC (0x0702)
01:01:20: Vi1 LCP: ACFC (0x0802)
01:01:20: Vi1 LCP: O CONFACK [ACKsent] id 4 len 14
01:01:20: Vi1 LCP: MagicNumber 0x00ABD5E0 (0x050600ABD5E0)
01:01:20: Vi1 LCP: PFC (0x0702)
01:01:20: Vi1 LCP: ACFC (0x0802)
01:01:21: Vi1 LCP: TIMEout: State ACKsent
01:01:21: Vi1 LCP: O CONFREQ [ACKsent] id 6 len 15
01:01:21: Vi1 LCP: AuthProto MS-CHAP (0x0305C22380)
01:01:21: Vi1 LCP: MagicNumber 0x097B73B4 (0x0506097B73B4)
Router#
01:01:23: Vi1 LCP: TIMEout: State ACKsent
01:01:23: Vi1 LCP: O CONFREQ [ACKsent] id 7 len 15
01:01:23: Vi1 LCP: AuthProto MS-CHAP (0x0305C22380)
01:01:23: Vi1 LCP: MagicNumber 0x097B73B4 (0x0506097B73B4)
01:01:23: Vi1 EVT: Packet [20] 1 0x814D1DBC
01:01:23: Vi1 LCP: I CONFREQ [ACKsent] id 5 len 14
01:01:23: Vi1 LCP: MagicNumber 0x00ABD5E0 (0x050600ABD5E0)
01:01:23: Vi1 LCP: PFC (0x0702)
01:01:23: Vi1 LCP: ACFC (0x0802)
01:01:23: Vi1 LCP: O CONFACK [ACKsent] id 5 len 14
01:01:23: Vi1 LCP: MagicNumber 0x00ABD5E0 (0x050600ABD5E0)
01:01:23: Vi1 LCP: PFC (0x0702)
01:01:23: Vi1 LCP: ACFC (0x0802)
Router#
01:01:25: Vi1 LCP: TIMEout: State ACKsent
01:01:25: Vi1 LCP: O CONFREQ [ACKsent] id 8 len 15
01:01:25: Vi1 LCP: AuthProto MS-CHAP (0x0305C22380)
01:01:25: Vi1 LCP: MagicNumber 0x097B73B4 (0x0506097B73B4)
Router#
01:01:26: Vi1 EVT: Packet [20] 1 0x8144C6E0
01:01:26: Vi1 LCP: I CONFREQ [ACKsent] id 6 len 14
01:01:26: Vi1 LCP: MagicNumber 0x00ABD5E0 (0x050600ABD5E0)
01:01:26: Vi1 LCP: PFC (0x0702)
01:01:26: Vi1 LCP: ACFC (0x0802)
01:01:26: Vi1 LCP: O CONFACK [ACKsent] id 6 len 14
01:01:26: Vi1 LCP: MagicNumber 0x00ABD5E0 (0x050600ABD5E0)
01:01:26: Vi1 LCP: PFC (0x0702)
01:01:26: Vi1 LCP: ACFC (0x0802)
01:01:27: Vi1 LCP: TIMEout: State ACKsent
01:01:27: Vi1 LCP: O CONFREQ [ACKsent] id 9 len 15
01:01:27: Vi1 LCP: AuthProto MS-CHAP (0x0305C22380)
01:01:27: Vi1 LCP: MagicNumber 0x097B73B4 (0x0506097B73B4)
Router#
01:01:29: Vi1 LCP: TIMEout: State ACKsent
01:01:29: Vi1 LCP: O CONFREQ [ACKsent] id 10 len 15
01:01:29: Vi1 LCP: AuthProto MS-CHAP (0x0305C22380)
01:01:29: Vi1 LCP: MagicNumber 0x097B73B4 (0x0506097B73B4)
01:01:29: Vi1 EVT: Packet [20] 1 0x8144C6E0
01:01:29: Vi1 LCP: I CONFREQ [ACKsent] id 7 len 14
01:01:29: Vi1 LCP: MagicNumber 0x00ABD5E0 (0x050600ABD5E0)
01:01:29: Vi1 LCP: PFC (0x0702)
01:01:29: Vi1 LCP: ACFC (0x0802)
01:01:29: Vi1 LCP: O CONFACK [ACKsent] id 7 len 14
01:01:29: Vi1 LCP: MagicNumber 0x00ABD5E0 (0x050600ABD5E0)
01:01:29: Vi1 LCP: PFC (0x0702)
01:01:29: Vi1 LCP: ACFC (0x0802)
Router#
01:01:31: Vi1 LCP: TIMEout: State ACKsent
01:01:31: Vi1 LCP: O CONFREQ [ACKsent] id 11 len 15
01:01:31: Vi1 LCP: AuthProto MS-CHAP (0x0305C22380)
01:01:31: Vi1 LCP: MagicNumber 0x097B73B4 (0x0506097B73B4)
Router#
01:01:32: Vi1 EVT: Packet [20] 1 0x8144C6E0
01:01:32: Vi1 LCP: I CONFREQ [ACKsent] id 8 len 14
01:01:32: Vi1 LCP: MagicNumber 0x00ABD5E0 (0x050600ABD5E0)
01:01:32: Vi1 LCP: PFC (0x0702)
01:01:32: Vi1 LCP: ACFC (0x0802)
01:01:32: Vi1 LCP: O CONFACK [ACKsent] id 8 len 14
01:01:32: Vi1 LCP: MagicNumber 0x00ABD5E0 (0x050600ABD5E0)
01:01:32: Vi1 LCP: PFC (0x0702)
01:01:32: Vi1 LCP: ACFC (0x0802)
01:01:33: Vi1 LCP: TIMEout: State ACKsent
01:01:33: Vi1 LCP: State is Listen
01:01:33: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
Router#
01:01:33: Vi1 PPP: Authorization NOT required
01:01:33: Vi1 PPP: Preauth Authorization:
01:01:33: Vi1 PPP/AAA: auth-required
01:01:33: Vi1 EVT: Cstate [21] 0 0x816A7C00
01:01:33: Vi1 LCP: State is Closed
01:01:33: Vi1 PPP: Phase is DOWN
01:01:33: Vi1 EVT: Restart CP [21] 0 0x816A9FFC
Any ideas?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-27-2002 07:19 AM
When using either pap or ms chap, whats happening here is that its trying to authenticate a user. The router is sending a request and is in the state of listening, or waiting for a response from the client. I'd suspect its something with the aaa but its not my fortee. Would be helpful to turn on some aaa debugs like:
debug aaa authentication
debug aaa authorization
debug vpdn errors
debug vpdn events
debug vpdn packets
The router appears to be responding correctly, just waiting for more information from client. Try it without the aaa.
Kurtis
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: