08-21-2003 10:33 PM - edited 02-21-2020 12:44 PM
I cannot get this to work. The TAC advised removing the
"30 match address l2tp"
line on the dynamic map, but it still doesn't work.
The Win2K config contains a single filter:
source myip/anyport dest any/port 1701
As you can see, phase 1 completes fine, and so does phase 2 after the "30 match address al" is removed; phase 1 completes either way.
Pix Config is:
access-list al permit udp host outIP eq 1701 any eq 1701
ip local pool pool2 192.168.200.1-192.168.200.254
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set espl2tp esp-des esp-md5-hmac
crypto ipsec transform-set espl2tp mode transport
crypto dynamic-map tr 30 match address al
crypto dynamic-map tr 30 set pfs group2
crypto dynamic-map tr 30 set transform-set espl2tp
crypto map to 30 ipsec-isakmp dynamic tr
crypto map to interface outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp client configuration address-pool local pool2 outside
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 3600
vpdn group 1 accept dialin l2tp
vpdn group 1 ppp authentication chap
vpdn group 1 client configuration address local pool2
vpdn group 1 client configuration dns bbbb
vpdn group 1 client configuration wins gggg
vpdn enable outside
vpdn group 1 client authentication local
vpdn group 1 l2tp tunnel hello 60
vpdn username **** password *********
Removing the "30 match address al" produced:
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 0
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:203.38.156.63/63799 Total VPN Peers:4
VPN Peer: ISAKMP: Peer ip:203.38.156.63/63799 Ref cnt incremented to:1 Total VPN Peers:4
crypto_isakmp_process_block:src:203.38.156.63, dest:outIP spt:63799 dpt:4500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3314659496
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x1 0x86 0xa0
ISAKMP: encaps is 61444
ISAKMP: authenticator is HMAC-MD5
ISAKMP: group is 2
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= outIP, src= 203.38.156.63,
dest_proxy= outIP/255.255.255.255/0/0 (type=1),
src_proxy= 203.38.156.63/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x820
ISAKMP (0): processing KE payload. message ID = 3314659496
ISAKMP (0): processing NONCE payload. message ID = 3314659496
ISAKMP (0): processing ID payload. message ID = 3314659496
ISAKMP (0): unknown src id_type 2
return status is IKMP_ERR_RETRANS
crypto_isakmp_process_block:src:203.38.156.63, dest:outIP spt:63799 dpt:4500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:203.38.156.63, dest:outIP spt:63799 dpt:4500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:203.38.156.63, dest:outIP spt:63799 dpt:4500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:203.38.156.63, dest:outIP spt:63799 dpt:4500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
As you can see, the PIX sent a response, but it appears it didn't get there, or was ignored.
I have searched everywhere for help on this, but have been unable to find anything that shows what the Win2K filter setup should be, and none of the articles refer to NAT-T.
Any ideas? Can anyone help?
08-27-2003 09:08 AM
Hi ,
you can just add "no-config-mode" and check if it works, not sure though...
09-01-2003 11:58 PM
Thanks for the idea, but it will not work because of the NAT and DHCP assignment by the ISP.
The no-config-mode overrides the mode config feature, to stop the PIX sending an IP address, DNS etc. to the remote PC when this has been configured on the map (i.e. crypto map client configuration address). I need this, as the ISP address is bogus, so I must send an address to the remote client PC.
I have done some more research, and it appears that when Win2K completes phase 1 and starts phase 2, after validating the pre-shared key, it is sending an ID packet with an id_type of 2 (id_fqdn). I.e., instead of sending the IPV4_Address like it did in phase 1, it is sending a name like "myhost.com.au" instead.
As far as I can tell, it shouldn't be doing this. The same problem has been seen by others including Frees/Wan users. It also appears to be contrary to the RFCs.
So, is there some way to stop Win2K doing this, or to tell the PIX to deal with it? Is the PIX wrong or Win2K wrong (guess what my bet is on).
10-13-2003 03:48 AM
I also experienced problems with WinXP/L2TP/IPsec <-> PIX 501.
The problems seem to be related to the presence of NAT. Using identical PIX and WinXP set-ups, the IPsec debugging shows a different behavior when NAT is present between the WinXP and the PIX, versus the case when there is no NAT.
In the case that there is no NAT, I see the following:
ISAKMP (0): Creating IPSec SAs
inbound SA from 192.168.1.141 to 172.16.16.16 (proxy 192.168.1.141 to 172.16.16.16)
has spi 3357438334 and conn_id 1 and flags 0
lifetime of 3600 seconds
lifetime of 250000 kilobytes
outbound SA from 172.16.16.16 to 192.168.1.141 (proxy 172.16.16.16 to 192.168.1.141)
has spi 568500390 and conn_id 2 and flags 0
lifetime of 3600 seconds
lifetime of 250000 kilobytes
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 172.16.16.16, src= 192.168.1.141,
dest_proxy= 172.16.16.16/0.0.0.0/17/1701 (type=1),
src_proxy= 192.168.1.141/0.0.0.0/17/1701 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 3600s and 250000kb,
spi= 0xc81e717e(3357438334), conn_id= 1, keysize= 0, flags= 0x0
We observe on the PIX (172.16.16.16) that a tunnel is set up for L2TP traffic *only*, from 192.168.1.141 (real IP address of the WinXP laptop).
When I introduce NAT, I get the following:
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
ISAKMP: encaps is 61444
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 172.16.16.16, src= 62.103.81.153,
dest_proxy= 172.16.16.16/255.255.255.255/0/0 (type=1),
src_proxy= 62.103.81.153/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-3des esp-md5-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x800
IPSEC(validate_transform_proposal): proxy identities not supported
Now the WinXP laptop appears as 62.103.81.153 (translated IP address). However, it negotiates for tunnelling *all* IP traffic between the laptop and the PIX... why does WinXP behave like this?
When I remove the "crypto dynamic-map l2tp-parent 1 match address l2tp-acl" command (see my config below), I get the behavior as you reported it.
But why is the WinXP client changing its behavior when NAT has been detected? Maybe this is the real cause of the problem?
Hope somebody found some clues in the meantime...
Patrick
Used config:
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname shiptrade-bis
domain-name shiptrade.gr
clock timezone EET 2
clock summer-time EET-DST recurring last Sun Mar 2:00 last Sun Oct 2:00
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list SHIPTRADE-OUT permit ip any any
access-list nonat permit ip 192.168.9.0 255.255.155.0 192.168.109.0 255.255.255.0
access-list SHIPTRADE-IN permit ip any any
access-list l2tp-acl permit udp host 172.16.16.16 eq 1701 any eq 1701
pager lines 24
logging on
logging console debugging
logging monitor debugging
icmp permit 192.168.1.0 255.255.255.0 outside
icmp permit 62.103.81.144 255.255.255.240 outside
icmp permit 192.168.9.0 255.255.255.0 inside
mtu outside 1500
mtu inside 1500
ip address outside 172.16.16.16 255.255.255.0
ip address inside 192.168.9.240 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool l2tp-pool 192.168.109.1-192.168.109.254
pdm history enable
arp timeout 14400
global (outside) 1 172.16.16.17
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.9.0 255.255.255.0 0 0
static (inside,outside) 192.168.1.13 192.168.9.1 netmask 255.255.255.255 0 0
access-group SHIPTRADE-IN in interface outside
access-group SHIPTRADE-OUT in interface inside
route outside 0.0.0.0 0.0.0.0 172.16.16.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (outside) host 192.168.1.2 mul1tat timeout 5
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-l2tp
crypto ipsec transform-set l2tp esp-3des esp-md5-hmac
crypto ipsec transform-set l2tp mode transport
crypto dynamic-map l2tp-parent 1 match address l2tp-acl
crypto dynamic-map l2tp-parent 1 set transform-set l2tp
crypto map cmapi 50 ipsec-isakmp dynamic l2tp-parent
crypto map cmapi client authentication RADIUS
crypto map cmapi interface outside
isakmp enable outside
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet 192.168.1.0 255.255.255.0 outside
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 outside
ssh 62.103.81.144 255.255.255.240 outside
ssh timeout 5
console timeout 0
vpdn group l2tp_vpn accept dialin l2tp
vpdn group l2tp_vpn ppp authentication chap
vpdn group l2tp_vpn ppp authentication mschap
vpdn group l2tp_vpn client configuration address local l2tp-pool
vpdn group l2tp_vpn client configuration dns 192.168.9.1
vpdn group l2tp_vpn client configuration wins 192.168.9.1
vpdn group l2tp_vpn client authentication aaa RADIUS
vpdn group l2tp_vpn client accounting RADIUS
vpdn group l2tp_vpn l2tp tunnel hello 60
vpdn enable outside
username george password 7NdaQ41sKxwJWvC6 encrypted privilege 2
terminal width 80
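A small triage helper, added here and not part of any post in this thread, that reads the PIX quick-mode debug lines quoted above (the src_proxy/dest_proxy selectors, the encaps value, the id_type and return-status lines) and states which L2TP-over-NAT-T condition they indicate. The sample inputs are constructed from the lines quoted in the thread; the function names are my own.

```python
import re

# Constructed samples: trimmed copies of the PIX debug lines quoted in this thread.
NO_NAT_CASE = """\
dest_proxy= 172.16.16.16/0.0.0.0/17/1701 (type=1),
src_proxy= 192.168.1.141/0.0.0.0/17/1701 (type=1),
"""
NAT_CASE = """\
ISAKMP: encaps is 61444
dest_proxy= 172.16.16.16/255.255.255.255/0/0 (type=1),
src_proxy= 62.103.81.153/255.255.255.255/0/0 (type=1),
IPSEC(validate_transform_proposal): proxy identities not supported
"""
FQDN_CASE = """\
ISAKMP: encaps is 61444
src_proxy= 203.38.156.63/255.255.255.255/0/0 (type=1),
ISAKMP (0): unknown src id_type 2
return status is IKMP_ERR_RETRANS
"""

# src_proxy= address/mask/protocol/port  (17 = UDP; 0/0 = any protocol, any port)
PROXY_RE = re.compile(r"(src|dest)_proxy= ([^/\s]+)/([^/\s]+)/(\d+)/(\d+)")

def parse_proxies(debug):
    """Map 'src'/'dest' to (address, mask, protocol, port) from quick-mode debug text."""
    return {side: (addr, mask, int(proto), int(port))
            for side, addr, mask, proto, port in PROXY_RE.findall(debug)}

def triage(debug):
    """Return the L2TP/NAT-T conditions the debug text shows, in plain words."""
    notes = []
    if "encaps is 61444" in debug:  # NAT-T draft value for UDP-encapsulated transport mode
        notes.append("nat-t: UDP-encapsulated transport mode proposed")
    src = parse_proxies(debug).get("src")
    if src is None:
        notes.append("no proxy identities seen")
    elif src[2] == 17 and src[3] == 1701:
        notes.append("l2tp-only selector (udp/1701): matches an L2TP match-address ACL")
    elif src[2] == 0 and src[3] == 0:
        notes.append("any-protocol selector (0/0): cannot match a udp/1701 crypto ACL")
    if "unknown src id_type 2" in debug:
        notes.append("peer sent an FQDN (id_type 2) identity in quick mode; PIX could not use it")
    if "proxy identities not supported" in debug:
        notes.append("PIX rejected the proposal: proxy identities do not match the crypto ACL")
    if "IKMP_ERR_RETRANS" in debug:
        notes.append("peer never accepted the reply; expect 'phase 2 packet is a duplicate' lines")
    return notes

if __name__ == "__main__":
    for name, case in (("no NAT", NO_NAT_CASE), ("NAT", NAT_CASE), ("Win2K NAT", FQDN_CASE)):
        print(name, "->", "; ".join(triage(case)))
```

Run it against a pasted "debug crypto isakmp" / "debug crypto ipsec" capture to see at a glance whether the client proposed an L2TP-only selector or an any-protocol one.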
12-05-2003 01:41 PM
Hey Guys, I have the same issue. http://forums.cisco.com/eforum/servlet/NetProf;jsessionid=xrs36xz771.SJ2B?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.eea5e0e
I've found that XP has a few things it does in regards to IPsec and definitely acts different when behind NAT.
Patrick, I got a question on this:
static (inside,outside) 192.168.1.13 192.168.9.1 netmask 255.255.255.255 0 0
Are you doing the static statement for IPsec traffic? (Shouldn't it be on 192.168.109.13?)
If not, have you seen examples where you have static statements for IPsec traffic?
I.e. static (inside,outside) 192.168.109.0 192.168.9.0 netmask 255.255.255.0 0 0
It seems to me the address being assigned by L2TP isn't being translated to the inside network. I can authenticate my L2TP connection and kick on ISAKMP and IPsec and get what looks like a tunnel built. But I cannot ping or access internal hosts.
A few things I found with XP: use IP Security Policy Manager to create an IPsec policy to filter for 1701 (L2TP), which kicks on 3des-sha for the AH-ESP and PFS. The VPN settings themselves should have L2TP dial-in set (not auto), no encryption set whatsoever (important), and do not set the shared key in the VPN connection settings or you will have issues for sure.
I know Cisco's examples for XP show them using the shared key setting in the VPN connection, but this will cause the crypto settings to be set differently than the ones you assigned via the IP Security Policy Manager.